Risk Management | HITS

Risk Management


The Board of Directors establishes the Risk Management Policy as a reference in achieving the Company's Long Term Objectives and Risk Management Manual as a commitment to the wide and integrated implementation of risk management throughout the organization, in order to support the certainty of achieving the Company's long-term objectives and provide a systematic application of risk management framework and scalable according to international requirements.


The Company's Risk Management Policy refers to the COSO-ERM Integrated Framework. COSO-ERM organizes all the activities that exist in all levels of management from the top to the business units of the Company. The Company's Risk Management Policy is contained in the Decree of the Board of Directors of the Company which was signed on December 15, 2016 regarding Risk Management Guideline.


The signing of the Risk Management Policy by the Board of Commissioners and the Board of Directors which demonstrates the commitment, seriousness and concern of the Board of Directors on the importance of risk management in sustainability and safeguarding the Company's objectives.


The Company's Risk Management Policy is as follows:

1.   Risk Statement is a statement of the Board of Directors on the importance of risk management in the Company, among others regulate:

a. Decision-making should be based on risk considerations to provide certainty.

b. Understanding the risks for the overall level of the Company.

c.  Every decision and decision-making must be reviewed and managed by the COSO-based framework.

d. Risk management must be implemented on all business systems and processes as part of GCG implementation.

e. Each level in the Company must make improvements on the implementation of risk management in a sustainable manner.

f.  SOP availability consistently implemented.

g. Risk management is done with the principle of effectiveness and efficiency

i. Decision-making related to resource allocation is done by taking into account the results of risk assessment.

j. Company risk management is an integral part of the overall management of the Company.


2.    Corporate Risk Management Vision.

3.    Company Risk Management Mission.

4.    Risk Management Framework.

5.    Risk Assessment Criteria.


The objectives of the implementation of risk management in the Company are:


1. As a guideline for all levels of management within the Company to understand business processes, identifying, analyzing and knowing risk handling in the decision-making process in order to control all potential risks that will arise.

2. Equate perceptions of the concept of enterprise risk management for all levels of management.

3. Standardize the risk management implementation framework so that its implementation can be done in a coordinated and integrated manner. 



The Company is aware that risk management must be implemented on all fronts. Therefore, a Risk Management Governance Structure is created, in which everyone has a role in developing, managing and ensuring the application of risk management.


The structure of Corporate Risk Management in the Company is as follows:

  1. The Board of Commissioners.
  2. The Board of Directors.
  3. Risk Owner (Head of Bureau/Unit/Division/Branch/Unit).
  4. Risk Officer (as a facilitator in the assessment).
  5. Risk Assessor (who conducts assessment in each work unit).



The Company's risk management framework is the development of risk management principles that provide the foundation and organization of the organization that covers all activities at all levels of the Company. The Company's risk management framework scheme is as follows:


1.    Mandate and commitment.

2.    Risk Management Planning Framework includes:

  1. understanding of the organization and its context.
  2. risk management policies.
  3. integration into the company's business processes.
  4. risk takers.
  5. resource.
  6. the creation of reporting and communication mechanisms.

3.    Preparation of risk management.

4.    Monitoring and review.

5.    Continuous improvement.




Based on the review conducted during the period of 2017, the main risks faced by the Company include:

  • Interest Rate Risk - Changes in the market interest rate will result in fluctuating cash flows, and put risks on bank lending positions, either by the Company or its subsidiaries.
  • Exchange Rate Risk - In addition to US dollar loans, the bulk of the operating income and expenses of the subsidiaries are denominated in US dollars, which indirectly represents a natural hedge against exposure to foreign exchange fluctuations.
  • Credit Risk - The risk that the Company and its subsidiaries will incur losses arising from customers or counter parties that fail to fulfill their contractual obligations.
  • Liquidity Risk - The risk when the cash flow position of the Company and its subsidiaries shows that short-term income is not sufficient to cover short-term expenses.
  • Operational Risk - Risks caused by non-functioning of internal processes, human error, system failure or external problems affecting the operations of the Company. The biggest potential risks are ship damage, accidents at sea, and dependence on government contracts and projects.
  • Legal Risk - The risk of uncertainty from legal action resulting from lawsuits and/or weakness of juridical aspects.
  • Compliance Risk - Risks arising from the Company's failure to comply with or not enforce applicable laws and regulations.




Risk management strategy is formulated according to overall business strategy with respect to the level of risk to be taken and risk tolerance. The objective of establishing a risk management strategy is to ensure that the risk exposure has been managed in a controlled manner in accordance with internal policies and procedures as well as legislation and other applicable provisions.


Risk management strategies are structured to cover several principles:

1.    Long-term oriented to ensure business continuity.

2.    Comprehensive, able to control and manage risk either individually or consolidated with Subsidiaries.


In preparing a risk management strategy, consider the following:

1.    Economic and industrial developments and their impact on corporate exposure.

2.    Company organization including adequate human capitals and supporting infrastructure.

3.    Financial conditions including the ability to generate profits, and the Company's ability to manage risks arising as a result of changes in external and internal factors.


The Risk Management Strategy is communicated by the Board of Directors to the Division/Unit/Work Unit and is reviewed periodically in line with changes in business strategy, with due regard to economic conditions, regulatory changes and the impact on the company's financial performance.




To anticipate the above risks, the Company identifies, measures, prioritizes, and manages risks through risk mitigation of financial and operational risks.

  • Interest Rate Risk - There is no formal policy to protect value with respect to interest rate exposure. Exposure to interest rate risk is monitored on an ongoing basis.
  • Exchange Rate Risk - Bank loans, accounts payable and accrued expenses in Rupiah currency, including foreign currency operating revenues that may pose a risk to foreign exchange rates.
  • Credit Risk - The Company and its subsidiaries manage and control credit risk by setting acceptable limits on the amount of risk for individual customers and monitoring the risks associated with these limitations.
  • Liquidity Risk - The Company and its subsidiaries regularly evaluate the projected actual cash flow and cash flows and continuously maintain the stability of the day of debt payments and receipt of receivables
  • Operational Risk - To carry out Ship Management Guidance as an integral part of the Quality, Health, Safety and Environment Management System established by the Company, with the Master as the person in charge of the vessel.
  • Legal Risk - Corporate Legal is responsible for providing legal advice in accordance with requests from both corporate and litigation work units, in accordance with applicable laws and regulations, which are deemed to have legal impacts against the Company and its subsidiaries.
  • Compliance Risk - As a Public Company, compliance risks are attached to all capital market rules, both OJK rules and stock regulations.




In supporting the implementation of an effective and sustainable risk management process, the Company needs to build infrastructure as a supporting infrastructure that can support the risk management process for all internal Stakeholders of the Company.


The current infrastructure in the Company includes, among others, web-based risk management application and the procedures governing risk management in the form of Risk Management Procedures.




One form of implementation of integrated risk management, the Company uses the concept of "Three Lines of Defense" or three layers of risk management defense. The scheme of internal risk management system (Three Lines Of Defenses).


1. First Layer Defense

The first layer of defense is carried out by all operations management by identifying and controlling risk by applying soft control and hard control in every operational activity. Soft control ie the placement of people according to competence, implementation of corporate culture, strong leadership and adherence to ethical standards. Hard controls include implementation of work guidelines (Policies, Procedures, Work Instructions) and organizational structures.

This first layer of defense is a risk owner in charge of managing risk in each unit, maintaining a conducive control, applying effective internal controls and consistently implementing risk management policies and procedures.

2. Second Layer Defense

Second Layer Defense has roles and responsibilities in designing and developing risk management frameworks, controlling the implementation of risk management and evaluating compliance with applicable regulations.The second layer of defense is done by Management Control, among others:

a. The work unit responsible for controlling the realization of budget usage.

b.   The work unit responsible for ensuring the security of the Company.

c. The work unit responsible for designing and developing a risk management framework and controlling its implementation.

d. The work unit responsible for the quality control of the Company's services.

e.    The work unit responsible for ensuring compliance of the company's activities in accordance with applicable regulations from both the Government, OJK and BEI.

f.    The responsible work unit designs the organizational structure.

3. Third Layer Defense

a.  The third layer of defense is carried out by the Internal Audit Unit which has the role and responsibility to conduct independent and objective testing to ensure the effectiveness and efficiency of business processes.

b. The Board of Directors has the role and responsibility to supervise and direct the implementation of the internal control system (set the tone from the top). The Board of Directors implements the internal control system through the establishment of corporate management policy, strategic plan and organizational structure consistently and compliance with applicable regulations.

c. The Board of Commissioners has the roles and responsibilities of overseeing the management of the company by the Board of Directors and providing advice to the Board of Directors, including overseeing the implementation of the Company's Long Term Plan (RJPP), Work Plan and Budget (RKAP), the Articles of Association and the General Meeting of Shareholders RUPS), and applicable laws and regulations, the interests of the Company and in accordance with the intent and purpose of the company. In performing these duties, the Board of Commissioners shall establish a Board of Commissioners Committees, the Audit Committee, the Nomination and Remuneration Committee, the Risk Monitoring Committee and GCG & CSR Committee.




The effectiveness of risk management is performed by the Risk Management Division. The effectiveness of risk management is assessed on how much mitigation can reduce risk. Evaluations are conducted quarterly which are subsequently imposed by the Risk Management Division.


Risk mitigation that is considered effective will be collected and recorded by DVMR to become a data bank/risk library. Risk libraries will be provided to all risk owners, as a guideline for the preparation of subsequent risk profiles.


To assess the implementation of the overall risk management of the Company, then in the next work program of the Risk Management Division maturity assessment will be conducted. In the maturity assessment, the Risk Management Division will know the lack of implementation of risk management in the enterprise as a basis for improving.