RISK MANAGEMENT POLICY
The Board of Directors establishes the Risk Management Policy as a reference for achieving the Company's long-term objectives, and the Risk Management Manual as a commitment to the broad and integrated implementation of risk management throughout the organization, in order to support the achievement of the Company's long-term objectives and to provide a systematic, scalable application of the risk management framework in accordance with international requirements.
The Company's Risk Management Policy refers to the COSO-ERM Integrated Framework. COSO-ERM organizes all activities at every level of management, from the top down to the Company's business units. The Company's Risk Management Policy is contained in the Decree of the Board of Directors of the Company regarding the Risk Management Guideline, which was signed on December 15, 2016.
The signing of the Risk Management Policy by the Board of Commissioners and the Board of Directors demonstrates the commitment, seriousness and concern of the Board of Directors regarding the importance of risk management in sustaining and safeguarding the Company's objectives.
The Company's Risk Management Policy is as follows:
1. Risk Statement is a statement of the Board of Directors on the importance of risk management in the Company, which, among other things, stipulates:
a. Decision-making should be based on risk considerations in order to provide certainty.
b. Risks are understood at the overall level of the Company.
c. Every decision and decision-making process must be reviewed and managed under the COSO-based framework.
d. Risk management must be implemented in all business systems and processes as part of GCG implementation.
e. Each level in the Company must continuously improve the implementation of risk management.
f. SOPs must be available and consistently implemented.
g. Risk management is carried out according to the principles of effectiveness and efficiency.
i. Decisions related to resource allocation are made by taking into account the results of risk assessment.
j. Company risk management is an integral part of the overall management of the Company.
2. Corporate Risk Management Vision.
3. Company Risk Management Mission.
4. Risk Management Framework.
5. Risk Assessment Criteria.
The objectives of the implementation of risk management in the Company are:
1. To serve as a guideline for all levels of management within the Company in understanding business processes and in identifying, analyzing and determining the handling of risks in the decision-making process, so that all potential risks that may arise can be controlled.
2. To align perceptions of the concept of enterprise risk management across all levels of management.
3. To standardize the risk management implementation framework so that it can be implemented in a coordinated and integrated manner.
ORGANIZATIONAL STRUCTURE OF RISK MANAGEMENT DIVISION
The Company is aware that risk management must be implemented on all fronts. Therefore, a Risk Management Governance Structure has been created, in which everyone has a role in developing, managing and ensuring the application of risk management.
The structure of Corporate Risk Management in the Company is as follows:
RISK MANAGEMENT FRAMEWORK
The Company's risk management framework is developed from risk management principles that provide the foundation and organizational arrangements covering all activities at all levels of the Company. The Company's risk management framework scheme is as follows:
1. Mandate and commitment.
2. Risk Management Planning Framework includes:
3. Preparation of risk management.
4. Monitoring and review.
5. Continuous improvement.
RISK PROFILE AND RISK MITIGATION
Based on the review conducted during the period of 2017, the main risks faced by the Company include:
RISK MANAGEMENT STRATEGY
The risk management strategy is formulated in line with the overall business strategy, taking into account the level of risk to be taken and the risk tolerance. The objective of establishing a risk management strategy is to ensure that risk exposure is managed in a controlled manner in accordance with internal policies and procedures as well as legislation and other applicable provisions.
The risk management strategy is structured around several principles:
1. Long-term oriented, to ensure business continuity.
2. Comprehensive, able to control and manage risk both individually and on a consolidated basis with Subsidiaries.
In preparing the risk management strategy, the following are considered:
1. Economic and industrial developments and their impact on corporate exposure.
2. The Company's organization, including adequate human capital and supporting infrastructure.
3. Financial conditions, including the ability to generate profits and the Company's ability to manage risks arising from changes in external and internal factors.
The Risk Management Strategy is communicated by the Board of Directors to the Divisions/Units/Work Units and is reviewed periodically in line with changes in business strategy, with due regard to economic conditions, regulatory changes and the impact on the Company's financial performance.
IMPLEMENTATION OF RISK MANAGEMENT
To anticipate the above risks, the Company identifies, measures, prioritizes, and manages risks through risk mitigation of financial and operational risks.
RISK MANAGEMENT INFRASTRUCTURE
To support the implementation of an effective and sustainable risk management process, the Company needs to build supporting infrastructure that serves the risk management process for all internal Stakeholders of the Company.
The Company's current infrastructure includes, among others, a web-based risk management application and the procedures governing risk management in the form of the Risk Management Procedures.
WORK RELATION WITH RISK MONITORING
As one form of implementing integrated risk management, the Company uses the "Three Lines of Defense" concept, i.e. three layers of risk management defense. The scheme of the internal risk management system (Three Lines of Defense) is as follows:
1. First Layer Defense
The first layer of defense is carried out by all operations management, which identifies and controls risk by applying soft controls and hard controls in every operational activity. Soft controls include the placement of people according to competence, implementation of the corporate culture, strong leadership and adherence to ethical standards. Hard controls include the implementation of work guidelines (Policies, Procedures, Work Instructions) and organizational structures.
This first layer of defense acts as the risk owner, in charge of managing risk in each unit, maintaining a conducive control environment, applying effective internal controls and consistently implementing risk management policies and procedures.
2. Second Layer Defense
The Second Layer Defense has the roles and responsibilities of designing and developing the risk management framework, controlling the implementation of risk management and evaluating compliance with applicable regulations. The second layer of defense is carried out by Management Control, which includes, among others:
a. The work unit responsible for controlling the realization of budget usage.
b. The work unit responsible for ensuring the security of the Company.
c. The work unit responsible for designing and developing the risk management framework and controlling its implementation.
d. The work unit responsible for the quality control of the Company's services.
e. The work unit responsible for ensuring that the Company's activities comply with applicable regulations from the Government, OJK and BEI.
f. The work unit responsible for designing the organizational structure.
3. Third Layer Defense
a. The third layer of defense is carried out by the Internal Audit Unit, which has the role and responsibility of conducting independent and objective testing to ensure the effectiveness and efficiency of business processes.
b. The Board of Directors has the role and responsibility of supervising and directing the implementation of the internal control system (setting the tone from the top). The Board of Directors implements the internal control system by consistently establishing corporate management policy, the strategic plan and the organizational structure, and in compliance with applicable regulations.
c. The Board of Commissioners has the roles and responsibilities of overseeing the management of the Company by the Board of Directors and providing advice to the Board of Directors, including overseeing the implementation of the Company's Long Term Plan (RJPP), Work Plan and Budget (RKAP), the Articles of Association and the resolutions of the General Meeting of Shareholders (RUPS), and applicable laws and regulations, in the interests of the Company and in accordance with the intent and purpose of the Company. In performing these duties, the Board of Commissioners establishes Board of Commissioners Committees, namely the Audit Committee, the Nomination and Remuneration Committee, the Risk Monitoring Committee and the GCG & CSR Committee.
EVALUATION OF EFFECTIVENESS OF RISK MANAGEMENT
The evaluation of the effectiveness of risk management is performed by the Risk Management Division. The effectiveness of risk management is assessed by how much the mitigation reduces risk. Evaluations are conducted quarterly, and their results are subsequently enforced by the Risk Management Division.
Risk mitigations that are considered effective are collected and recorded by DVMR to form a data bank (risk library). The risk library is provided to all risk owners as a guideline for the preparation of subsequent risk profiles.
To assess the implementation of the Company's overall risk management, a maturity assessment will be conducted in the Risk Management Division's next work program. Through the maturity assessment, the Risk Management Division will identify shortcomings in the implementation of risk management across the enterprise as a basis for improvement.