
RISK MANAGEMENT

SESSION 3
Training Aim
To present a brief introduction to risk management that
will give you an initial understanding of:

1. The meaning of risk.

2. The risk management process.

3. Enterprise risk management.

4. The internal audit role.


YOUR CHOICE ANSWERED

The word risk is taken from the early Italian risicare which means:

1. To dare.

2. To take care.

3. To beware.
Turnbull Report
Reports from management to the board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing those risks. Any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, could have had, or may have, on the company and the actions being taken to rectify them. It is essential that there be openness of communication by management with the board on matters relating to risk and control.
RISKS

The IIA defines risk as: 'the uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.'

[Figure: risk model; axis label IMPACT]
Bernstein on Risk

But if men and women were not at the mercy of impersonal deities and random chance, they could no longer remain passive in the face of an unknown future. They had no choice but to begin making decisions over a far wider range of circumstances and over far longer periods of time than ever before.
RISKS

Our new model considers risk in the context of achieving objectives. This has an upside and a downside, which present both threats and opportunities.

[Figure: risk model. Labels: Threats; OBJECTIVES; Opportunities; axis label IMPACT]
RISKS

[Figure: risk model. Labels: Threats; OBJECTIVES; Opportunities; matrix of IMPACT (low, med, high) against LIKELIHOOD (low, med, high)]
Essentials Companion KHS Pickett 2011
Training Slides

Narrative
Item three is least appropriate because it is not always possible to be certain that objectives will be achieved. Risks by definition entail some degree of uncertainty.

Your Choice the answer
Which is the least appropriate attribute of effective risk management?

1. Promotes an assessment of risks to achieving objectives.
2. Ensures controls will be reviewed in response to identified risks.
3. Allows management to be certain that they will achieve all their goals.
Narrative
Before we go further into our model let's look at the benefits related to effective risk management. In this case the benefits relate to business projects which is explained on

Benefits of systematic risk management:
More realistic business and project planning.
Actions implemented in time to be effective.
Greater certainty of achieving business goals and project objectives.
Appreciation of, and readiness to exploit, all beneficial opportunities.
Improved loss control.
Improved control of project and business costs.
Increased flexibility as a result of understanding all options and associated risks.
Fewer costly surprises through effective and transparent contingency planning.
Narrative
The new bits to the model in Figure 3.3 are very important. That is, a systematic process of identification, assessment, management and review is fundamental to effective risk management. We will look at each one in turn.

[Figure: risk model. Labels: Board Sponsor; RISKS; Threats; OBJECTIVES; Strategy & KPIs; cycle of Identification, Assessment, Management, Review; matrix of IMPACT (low, med, high) against LIKELIHOOD (low, med, high)]
Narrative
First find out what is out there that can impact your objectives.

Identification
The risk management process starts with a method for identifying all risks that face an organization. This should involve all parties who have expertise, responsibility and influence over the area affected by the risks in question. All imaginable risks should be identified and recorded and scenario planning may be used here.
Narrative
Then work out how big the risk is and how likely it is to materialise. Management need to be careful in the way they assess risk and there has been some criticism of overly optimistic positions.

Assessment
The next stage is to assess the significance of the risks that have been identified. This should revolve around the two-dimensional Impact, Likelihood considerations that we have already described earlier.
Narrative
The next two stages are to manage the big risks and review your efforts.

Management
Armed with the knowledge of what risks are significant and which are less so, the process requires the development of strategies for managing significant risks. This ensures that all key risks are tackled and that resources are channeled into areas of most concern, which have been identified through a structured methodology.

Review
The entire risk management process and outputs should be reviewed and revisited on a continual basis. This should involve updating the risk management strategy and reviewing the validity of the process that is being applied across the organization.
Narrative
Have a go at listing as many measures as you can think of.

An Exercise
In terms of managing risk, what sort of measures could you take to mitigate large levels of unacceptable risk?
Narrative
Figure 3.4 of the Essential Guide contains the term Risk Strategy and these are the measures you can use to take care of risk on the left, which are explained in the book.

[Figure: risk model. Labels: RISKS; Threats; Opportunities; OBJECTIVES; Strategy & KPIs; cycle of Identification, Assessment, Management, Review; TAKING CARE OF RISK: 1 Terminate, 2 Controls, 3 Transfer, 4 Contingency, 5 Take more, 6 Communicate, 7 Tolerate, 8 Commission research, 9 Tell someone, 10 Check compliance; matrix of IMPACT (low, med, high) against LIKELIHOOD (low, med, high)]
Narrative
Pages 66 to 69 deal with each of these measures.

TAKING CARE OF RISK:
1 Terminate 2 Controls
3 Transfer 4 Contingency
5 Take more 6 Communicate
7 Tolerate 8 Commission research
9 Tell someone 10 Check compliance
Narrative
Figure 3.5 explains the way risks can be captured in a Risk Register which can then be used to drive Risk Based Decision Making.

[Figure: risk model. Labels: RISK REGISTER (summary) with Objectives... and column headings (as extracted) risk, impact, %, owner, existing controls, risk man strategy; RISK BASED DECISION MAKING; RISKS; Threats; Opportunities; OBJECTIVES; Strategy & KPIs; cycle of Identification, Assessment, Management, Review; TAKING CARE OF RISK: 1 Terminate, 2 Controls, 3 Transfer, 4 Contingency, 5 Take more, 6 Communicate, 7 Tolerate, 8 Commission research, 9 Tell someone, 10 Check compliance; matrix of IMPACT (low, med, high) against LIKELIHOOD (low, med, high)]
Narrative
The key to effective risk management is defining what is and what is not acceptable and that depends on the risk appetite. What is your understanding of this concept?

Risk Appetite
What is acceptable risk? I.e. what is your understanding of the concept of risk appetite?
Narrative
Let's go for the simple answer in Figure 3.5. The risk appetite defines how inherent risk is perceived and whether there is an aggressive or more passive growth strategy in place. Risk tolerance is what is acceptable after appropriate controls have been put in place to mitigate risk,

[Figure: INHERENT RISK; RISK MANAGEMENT STRATEGY AND CONTROLS; RESIDUAL RISK; MORE RISK, ACCEPT RISK, MORE CONTROLS]
Narrative
Let's get back to our risk management model, this time with the risk policy added into Figure 3.7.

The board sponsor, CRO and people buy-in are explained in pages 75 to 77.

[Figure: risk model. Labels: Board Sponsor; Risk Policy; CRO; People Buy-In; RISK REGISTER (summary) with Objectives... and column headings (as extracted) risk, impact, %, owner, existing controls, risk man strategy; RISK BASED DECISION MAKING; RISKS; Threats; Opportunities; OBJECTIVES; Strategy & KPIs; cycle of Identification, Assessment, Management, Review; TAKING CARE OF RISK: 1 Terminate, 2 Controls, 3 Transfer, 4 Contingency, 5 Take more, 6 Communicate, 7 Tolerate, 8 Commission research, 9 Tell someone, 10 Check compliance; matrix of IMPACT (low, med, high) against LIKELIHOOD (low, med, high)]
Narrative
Make a list and explain why you have included the item in your risk policy.

An Exercise
What would you include in your Risk Policy?
Narrative
Each risk policy will be different and one version appears here. Pages 74 to 79 cover this topic.

The organization's risk management policy may include:
governance, outlining how risk management is governed; policy scope, describing the purpose of the policy and who it is aimed at; describing the high level principles and the benefits of implementing risk management; setting out the objectives, including legal and regulatory requirements, and what it intends to achieve; and providing an explanation of the relationship with other policies;
Policy applicability, setting out to whom and to what the policy applies;
Risk management process, providing a high level overview and description of the risk management process adopted by the organization;
Risk appetite, outlining the organization's risk appetite, thresholds and escalation procedure;
Reporting, describing the purpose, frequency and scope of reporting;
Roles, accountabilities and responsibilities, describing the high level roles, accountabilities and responsibilities in respect of risk management; and
Variations and dispensations, stating whether variations or dispensations from the policy are allowed and, if they are allowed, describing the process for requests for this.
Narrative
We can complete our risk management model by adding in the ERM (enterprise risk management) Process and S.I.C. (statement on internal control). This appears as Figure 3.8 in the

[Figure: risk model. Labels: Board Sponsor; S.I.C.; ERM Process; Risk Policy; CRO; People Buy-In; RISK REGISTER (summary) with Objectives... and column headings (as extracted) risk, impact, %, owner, existing controls, risk man strategy; RISK BASED DECISION MAKING; RISKS; Threats; Opportunities; OBJECTIVES; Strategy & KPIs; cycle of Identification, Assessment, Management, Review; TAKING CARE OF RISK: 1 Terminate, 2 Controls, 3 Transfer, 4 Contingency, 5 Take more, 6 Communicate, 7 Tolerate, 8 Commission research, 9 Tell someone, 10 Check compliance; matrix of IMPACT (low, med, high) against LIKELIHOOD (low, med, high)]
Narrative
ERM is fully defined by the Committee of Sponsoring Organizations (COSO) in their ERM framework that was published in September 2004, which can be viewed in full at

COSO ERM
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Narrative
We are saying here that ERM fits into the business and is not added on as a stand-alone process.

What is ERM?
The idea is that the risk management process is spread across the entire organization and follows a structured approach that is integrated within the way the business operates.
Narrative
We need to outline the link between corporate governance codes, risk management and internal control. Have a look at the next slide for our approach to this task.

Linking risk management, governance and control

[Figure labels: Risk Management; Internal Controls]
Narrative
Corporate governance codes, corporate structures and disclosure arrangements will help promote good accountability. Within the context of the control framework, the organization should employ a process for identifying, assessing and managing risk. After having assessed key risk, they will need to be managed in line with a defined risk management strategy. Internal controls will seek to mitigate unacceptable levels of risk. The strategy for managing risk and ensuring controls do the job in hand should then be incorporated

[Figure labels: Corporate Governance Codes; Corporate Structures; Disclosure Arrangements; Internal Control Framework; Risk Management; Internal Controls; Corporate Strategies & Review]
Narrative
To answer this question we need to return to the definition of internal auditing. The final part makes clear we are concerned with risk management, control and governance processes.

Where does Internal Auditing fit into the risk management equation?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Narrative
Before we go further let's issue a warning about some of the limitations of the internal audit review process per IIA Attribute standard 1220.A3. Note that pages 82 to 85 deal with the

Where does Internal Auditing fit into the risk management equation?
Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
Narrative
IIA Performance Standard 2120 makes clear the audit role in risk management.

Where does Internal Auditing fit into the risk management equation?
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Narrative
IIA Practice Advisory 2120-1 on Assessing the Adequacy of Risk Management Processes gives an interpretation of standard 2120.

Where does Internal Auditing fit into the risk management equation?
Determining whether risk management processes are effective is a judgment resulting from internal auditors' assessment that:
Organizational objectives support and align with the organization's mission.
Significant risks are identified and assessed.
Appropriate risk responses are selected that align risks with the organization's risk appetite.
Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
Narrative
To close note that the 2009 Walker review of corporate governance in the UK made clear that risk management should assume a higher profile in the wake of the 2008 Credit Crunch. And internal audit's role will be crucial to this

Risk Management Practices
The report should provide a brief description of how risk is managed in the business, ideally using examples of material risks that arose in the previous reporting period. In particular this should focus on the role of the Committee in the management of that risk. In addition the report should provide a brief statement on the number of meetings in the reporting period, an attendance record and whether any votes were taken. The report should cover the key responsibilities of the board risk committee and whether these have changed in the reporting period. Finally the report should briefly record the key areas that the committee has considered in the reporting period.
Narrative
There are many ways of categorizing risks across an organization and each executive team will have their own way of defining different types of risk. The British risk standard provides the following categories that are in general usage.

Structuring Risk
strategic risk
programme risk
project risk
financial risk; and
operational risk.
RISK MANAGEMENT
Risk management is a field of study that examines how an organization applies measures in mapping the various problems it faces by putting in place various management approaches comprehensively and systematically.
Stages in Carrying Out Risk Management
Risk identification
Identifying the forms of risk
Setting the measures of risk
Setting out the alternatives
Analyzing each alternative
Deciding on one alternative
Implementing the chosen alternative
Controlling the chosen alternative
Evaluating the chosen alternative
THE ROLE OF RISK MANAGEMENT
Risk can be reduced and even eliminated through risk management.
The role of risk management is expected to anticipate a rapidly changing environment,
1. develop corporate governance,
2. optimize strategic management,
3. safeguard the resources and assets owned by the organization, and
4. reduce reactive decision making by top management.
How to Carry Out Risk Management Effectively
To carry out risk management we need to go through several processes.
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, states that there are eight interrelated framework components in Enterprise Risk Management (ERM), namely:

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
INTERNAL AUDIT AND RISK MANAGEMENT
The duties of the internal auditor include auditing risk; performing risk evaluation; proposing the establishment of risk management while explaining the benefits of risk management; or stating support for the risk management program.
Internal auditors receive instructions and their share of the internal audit role in risk management from the Audit Board or Audit Committee, so that the auditor independently evaluates risk management and the program to combat risk.
Internal auditors generally abstain from the risk management of the internal audit department itself, unless asked by the Audit Board to perform a self-assessment.
FINANCIAL STATEMENT AUDIT RISK
The following concern of external auditors also applies to internal auditors who audit the Financial Statements: the auditor's greatest risk is not knowing (failing to know) matters that should change the auditor's opinion on Financial Statements that contain material misstatement. The auditor must consider the nature and quality of management, the nature of the industry, the nature of operations, and the form or nature of the external auditor's engagement.
INHERENT RISK
The risk of financial statement misstatement associated with the inherent risk arising from the type of business, the type of industry and the type of operations typical of that industry, and the risk of misstatement because internal control is weak or absent.
For example:
Valuation of trade receivables, management's assertion of the existence of trade receivables, related to the auditor's concern about going concern.
Calculation of pension expense, fixed-asset depreciation methods and calculation of fixed-asset depreciation expense.
Cash is more susceptible to theft than inventory.
Technological change causes technology-intensive fixed assets to be written off sooner because of technological obsolescence.
Lapping occurs frequently in the banking, pension fund and insurance industries. KKN (corruption, collusion and nepotism) in time savings accounts occurs more often than in demand deposits.
Various companies choose not to use (written and rigid) system and procedure manuals in order to increase creativity and customer service.
Morals and ethical standards, for example "tips may be accepted, that is your good fortune", constitute a cultural risk.
CONTROL RISK
Control risk covers the risk that a financial statement misstatement is not prevented or not detected within a given time frame by the internal control structure, policies or procedures. Various control risks always exist because of the inherent limitations of the internal control structure. When policies and procedures do not operate effectively, the auditor carries out as much control risk assessment as possible, with the proviso that the cost of controlling risk must be less than the benefit of controlling risk.
In general, inherent control cannot reduce risk to 0%; it is combated or reduced with strategies, systems and procedures relating to control risk. Control risk is designed to suppress that residual risk as far as possible, and the remaining risk then becomes the task of the detection strategy and the systems and procedures for detecting irregularities, KKN and material misstatement.
DETECTION RISK
Detection risk takes the form of the risk that the auditor is unable to detect a material misstatement that actually exists.
Detection risk arises because:
The auditor does not examine 100% of account balances.
Uncertainty, errors in designing audit procedures, misapplication of audit procedures, misinterpretation of audit results.
THX
