Methods/Tools
D. Issue and Action Management (IAM):
IAM is a tool for recording issues or problems related to operational risk. The causes of these issues or problems are analyzed, an action plan is set, and implementation of the action plan by the related work unit is monitored.
In managing operational risk, SKRM acts as the second line of defense and SKAI as the third line of defense, while the work units, as risk owners, are the first line of defense and are responsible for managing the operational risk of each of the Bank's work units.
As an output of the operational risk management process, the related work units prepare an operational risk profile checklist that describes the operational risk exposure in their functional activities, which later serves as the basis for preparing the Bank's operational risk profile. The corporate-level (bankwide) operational risk profile report, once reviewed by SKAI, is presented to the Board of Directors and reported to Bank Indonesia periodically.
For reporting operational risk capital adequacy to Bank Indonesia, the Bank uses the Basic Indicator Approach, as shown in the following tables:
The ORM tools used for the ORM implementation are as follows:
A. Operational Risk Control Self Assessment (ORCSA):
ORCSA is used to identify and assess the inherent risk in activities and to assess control quality in the respective business lines.
B. Loss Event Management (LEM):
The Bank has begun implementing a policy that requires all work units to record losses in their respective functional activities resulting from operational risks that occurred in their work functions.
C. Key Risk Indicators (KRIs):
KRIs are simple quantitative indicators that show the risk level inherent in key processes within one business unit phase/supporting or end-to-end processing.
D. Issue and Action Management (IAM):
IAM is a tool for recording issues or problems related to operational risk. Each issue or problem is analyzed to find its cause, an action plan is set, and implementation of the action plan by the related work unit is monitored.
In terms of operational risk management, SKRM serves as the second line of defense and SKAI as the third line of defense. Meanwhile, the work units, as risk owners, are the first line of defense and are responsible for operational risk management in the Bank's respective work units.
As an output of the operational risk management process, the related work units prepare an operational risk profile checklist which describes the operational risk exposures in their functional activities and serves as the foundation for establishing the Bank's operational risk profile. The corporate-level (bankwide) operational risk profile report, which has been reviewed by SKAI, is presented to the Board of Directors and reported to Bank Indonesia periodically.
For reporting operational risk capital adequacy to Bank Indonesia, Bank Hana uses the Basic Indicator Approach, as seen in the following tables:
Management Discussion and Analysis
(3) Investigation, Reporting and Sanctions; and
(4) Monitoring, Evaluation and Follow-up, the implementation of which involves all lines of defense.
To support the implementation of the anti-fraud strategy, particularly in the detection pillar, an early detection system has been developed that can detect at an early stage transactions, processes, and applications that are anomalous and carry potential fraud risk. The system automatically raises alerts on transactions that carry fraud risk. The follow-up is an investigation of the alert data, through both on-desk and onsite review, to determine whether fraud has actually occurred, so that the Bank can quickly take mitigation and handling measures that are fast, accurate, and planned (fraud response plan).
Anti Money Laundering and Terrorism Funding Prevention
To prevent and mitigate risks arising from money laundering and terrorism funding transactions, the Bank has implemented a customer due diligence and risk management process that refers to Bank Indonesia's provisions on Anti Money Laundering and Terrorism Funding Prevention. This due diligence and risk management process is based on a risk-based approach that identifies, classifies, monitors, and manages customers' transaction risks on the basis of product, customer, and geographic (country, cross-border) characteristics.
Business Continuity Management
To ensure the Bank's operational continuity in disaster conditions, the Bank has a comprehensive, documented, and tested plan containing the steps to be taken before, during, and after a disaster. The Bank's policies and procedures for ensuring business operational continuity are set out in Business Continuity Management (BCM), which covers the Emergency Response Plan (ERP), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP). The ERP is the guidance used to ensure the security and safety of employees' lives in disaster conditions. The DRP is the work plan for preparing for and recovering from disasters that affect information technology services, while the BCP is the procedures and information prepared to maintain operational continuity
(3) Investigation, Reporting and Sanctions; as well as
(4) Monitoring, Evaluation and Follow-up, in which the implementation involves all lines of defense.
To support the implementation of anti-fraud strategies, particularly in the detection pillar, the Bank has developed an early detection system which can detect transactions, processes, and applications that show anomalies and have potential fraud risk. The system automatically delivers alerts on transactions with fraud risk. The follow-up is an investigation of the alert data, through both on-desk and onsite review, to establish whether fraud has occurred, so that the Bank can promptly take mitigation and handling steps that are fast, accurate, and planned (fraud response plan).
Anti Money Laundering and Terrorism Funding Prevention
To prevent and mitigate risks arising from money laundering and terrorism funding transactions, the Bank has implemented a due diligence and risk management process for customers that refers to Bank Indonesia's stipulation concerning Anti Money Laundering and Terrorism Funding Prevention. The due diligence and risk management process is based on a risk-based approach which identifies, classifies, monitors, and manages customers' transaction risks on the basis of product, customer, and geographic characteristics (country, cross-border).
Business Continuity Management
To ensure operational continuity in case of disaster, the Bank has a comprehensive plan which is documented and tested, containing the steps to be taken before, during, and after a disaster. The Bank's policies and procedures for ensuring business continuity are regulated in Business Continuity Management (BCM), which consists of the Emergency Response Plan (ERP), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP). The ERP is the guidance for ensuring the security and safety of employees' lives in disaster conditions. The DRP is a work plan for preparing for and recovering from disasters that affect information technology services, while the BCP is the procedures and information for maintaining the continuity of operations of a work unit.
Table 23. Quantitative Disclosures of Operational Risk
(in million Rupiah)

| No. | Risk Type | 2014: Gross revenues (average in last 3 years) | 2014: Capital Charge | 2014: RWA | 2013: Gross revenues (average in last 3 years) | 2013: Capital Charge | 2013: RWA |
|---|---|---|---|---|---|---|---|
| 1 | Basic Indicator Approach | 367.967 | 55.195 | 689.937 | 156.567 | 23.485 | 293.564 |
| | Total | 367.967 | 55.195 | 689.937 | 156.567 | 23.485 | 293.564 |
Implementation of Operational Risk Management
The key strategy guiding operational risk management in relation to Risk Management, Audit & Compliance is "Continuing programs to anticipate Fraud, including optimizing the First Defense, Second Defense and Third Defense". The implementation of risk management is focused on 3 (three) strengthening aspects, namely:
• Risk Awareness Program, a specific culture program owned by each related unit concerning the introduction, understanding, and mitigation of operational risk.
• Risk Profile Report, a mandatory report submitted routinely by the operational risk management units to SKMR, at least quarterly or more frequently if needed (ad hoc). Routine preparation of the Risk Profile Report is intended to keep the operational risk profile of every operational risk management work unit up to date and maintained.
• Data Quality in the ORM Tools, in the form of managing and updating the data/information held in the ORM Tools, which comprise ORCSA, LEM, KRIs, and IAM.
Anti Fraud Strategy, Fraud Monitoring System, and Fraud Response Plan
In line with SE BI No.13/28/DPNP on the Implementation of Anti Fraud Strategy for Commercial Banks, the Bank has made various efforts to monitor and mitigate fraud risk by implementing 4 (four) pillars, namely:
(1) Prevention; (2) Detection;
Implementation of Operational Risk Management
The key strategy used as reference in operational risk management related to Risk Management, Audit, & Compliance is "Continuing Programs for anticipating Fraud including optimizing the First Defense, Second Defense, and Third Defense". The implementation of risk management is focused on 3 (three) strengthening aspects as follows:
• Risk Awareness Program, which is a specific culture program concerning the introduction, understanding, and mitigation of operational risk.
• Risk Profile Report, which is a mandatory report submitted routinely by the operational risk management work units to SKMR, at least quarterly or on an ad-hoc basis. The regular preparation of the Risk Profile Report is aimed at keeping the operational risk profile of every operational risk management work unit updated.
• Data Quality in the ORM Tools, which is the management and updating of data/information in the ORM Tools, including ORCSA, LEM, KRIs, and IAM.
Anti Fraud Strategy, Fraud Monitoring System, and Fraud Response Plan
In line with SE BI No.13/28/DPNP on the Implementation of Anti Fraud Strategy for Commercial Banks, the Bank has taken various actions to monitor and mitigate fraud risk through the implementation of 4 (four) pillars as follows:
(1) Prevention; (2) Detection;
2014 Annual Report, PT Bank KEB Hana Indonesia
5. OTHER RISKS
In addition to the primary risks, the Bank also recognizes other risks that must be managed, including compliance, legal, reputation, strategic, information technology, and human resource risks. All of these risks, together with the primary risks, are assessed and measured top-down every year by the Bank's Management through an enterprise risk assessment. Bottom-up measurement is also carried out through the quarterly Risk Profile. Management of the other risks is carried out through SKMR, and directly by the supporting work units, including Compliance, Corporate Legal Unit, Corporate Communication, Human Resource, and Information Technology.
With regard to legal risk, the Bank continues to work on improving legal risk control, among other things by placing Legal Officers in the Main Branch Offices, who are obliged to ensure that every activity/transaction has been reviewed from a legal standpoint. With regard to strategic risk, the Bank reviews performance and evaluates the policy for setting business targets, and takes corrective steps in the strategy plan and business targets by considering internal and external conditions, where needed. The Bank also continues to strengthen the implementation of programs supporting financial performance management through the development of budgeting, fund transfer payment, and a management information system (MIS) related to the financial performance of each branch office.
With regard to compliance risk, the Bank has a Code of Conduct as a behavioral guideline and as part of the corporate culture. At the strategic planning stage, the Bank always assesses the adequacy of compliance with the prevailing laws and regulations. The Bank has also applied a rotation and transfer system to some employees and to Bank Executives consistently and comprehensively, particularly those holding strategic positions.
With regard to reputation risk, the Bank has customer service standards that are monitored periodically and form part of the Branch KPIs. The Bank has a Help Desk, so that customers can directly submit
5. Other Risks
In addition to the primary risks, the Bank also recognizes other risks which have to be managed, such as compliance, legal, reputation, strategic, information technology, and human resource risks. All of these risks, together with the primary risks, are assessed and measured every year using a top-down method by the Bank's management through an enterprise risk assessment. Bottom-up measurement is also carried out quarterly through the Risk Profile. Management of the other risks is implemented through SKMR, and directly by the supporting work units, among others Compliance, Corporate Legal Unit, Corporate Communication, Human Resource, and Information Technology.
In terms of legal risk, the Bank continues to improve the control of legal risks, among others by assigning Legal Officers in the Main Branch Offices who are responsible for ensuring that every activity/transaction is legally reviewed.
In terms of strategic risk, the Bank reviews performance and evaluates the policy for formulating business targets, and takes corrective measures in the strategy plan and business targets by considering internal and external conditions, if needed. The Bank also continues to strengthen the implementation of programs supporting financial performance management through the development of budgeting, fund transfer payment, and a management information system (MIS) related to the financial performance of each branch office.
In terms of compliance risk, the Bank has a code of conduct as a behavioral guideline and as a part of corporate culture. At the strategic planning stage, the Bank always assesses the adequacy of compliance with the prevailing laws and regulations. The Bank has also implemented a job rotation and transfer system for several employees, as well as for the Bank's Executives, consistently and comprehensively, particularly for those in strategic positions.
In terms of reputation risk, the Bank has a customer service standard which is monitored periodically and established as a part of the KPIs of branch offices. The Bank has a Help Desk, so that customers can directly submit complaints and inquiries on
complaints and inquiries regarding the Bank's products and services. In addition, the Bank also actively carries out Corporate Social Responsibility in the fields of education, health, culture, sports, the environment, places of worship, and aid for victims of natural disasters. The Bank manages risk on a bankwide basis, as regulated in the Bank Indonesia provisions on the Implementation of Risk Management for Commercial Banks. Based on the position as of December 2014, the Bank conducted a bankwide self-assessment of its risk profile, which has been validated by the Financial Services Authority (Otoritas Jasa Keuangan), with the results shown in the following table:
On a bankwide basis, the Bank's final result is Composite Rating 2. In accordance with SE BI No.13/24/DPNP dated 25 October 2011, a Bank risk profile with this rating reflects a Bank condition that is generally healthy, so that the Bank is considered able to withstand significant negative effects from changes in business conditions and other external factors.
the Bank's products and services. In addition, the Bank also actively carries out Corporate Social Responsibility in the areas of education, health, culture, sports, environment, places of worship, and donations to natural disaster victims.
The Bank implements bankwide risk management, as stipulated in the Bank Indonesia regulation related to Risk Management Implementation for Commercial Banks. Based on the position as of December 2014, the Bank has conducted a bankwide self-assessment of its risk profile, which has been validated by the Financial Services Authority, with the results in the following table:
On a bankwide basis, the Bank obtained a final result of Composite Rating 2. With reference to BI Circular Letter No.13/24/DPNP dated October 25, 2011, a Bank risk profile with such a rating reflects that the Bank's condition is generally healthy, so that it is considered able to overcome significant negative impact from changes in business conditions and other external factors.
Table 24. Bank Risk Profile Measurement as of 31 December 2014

| Risk Type | Inherent Risk Rating | Rating of Quality of Risk Management Implementation | Risk Level Rating |
|---|---|---|---|
| Credit Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Market Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Liquidity Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Operational Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Legal Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Strategic Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Compliance Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Reputation Risk | Low to Moderate | Satisfactory | Low to Moderate |
| Composite Rating | Low to Moderate | Satisfactory | Low to Moderate |
The results of the risk profile assessment show that the quality of the Bank's bankwide risk management implementation has been good, without showing significant differences in risk management activities, so that on a composite basis it shows a low risk rating and good risk management implementation.
2016 Strategy and Work Plan
To support business growth and anticipate changes in macroeconomic conditions as well as the implementation of new regulations, the Bank will continuously develop its risk management infrastructure and capabilities, covering among others the following:
1. Implementation of the provisions for calculating liquidity and capital ratios in accordance with Basel III
The Bank will continue to develop the models and systems required to simulate risk-based capital calculation under Basel III.
2. Branch Risk Scoring
To integrate the risk measurement process for monitoring at the level of each branch office, the Bank is in the final stage of developing the Branch Risk Scoring method. The purpose of Branch Risk Scoring is to map which branch offices have a risk level classified as 'High Risk', so that they are monitored periodically by the related work units. This risk-based assessment of branch offices will also be used for the Audit Plan by SKAI, and as one of the performance assessment parameters for the Head of Operations and the Branch Manager of the branch office concerned.
3. Development of stress testing and optimization of the contingency plan
With global and domestic uncertainty expected to persist in 2015, the Bank will develop various stress testing methods, including an integrated stress testing process, and improve business processes end-to-end. In addition, the Bank will optimize its risk monitoring process and contingency plan in case economic and banking conditions change in a direction that leads to a crisis.
4. Implementation of risk methodologies and measurement tools and supporting technology systems in line with best practices
The implementation of risk methodologies and measurement tools is continuously refined with reference to the provisions of Bank Indonesia, Basel, and international best practices. The rating, scoring, watchlist, and portfolio guideline are refined periodically so that they remain accurate and in line with business developments in each segment. On the systems and technology side, the Bank will begin implementing a system that supports integrated management of credit exposures and limits (integrated central liability system). In line with the direction of best practice in integrating risk management and internal control, the Bank has begun to study the possibility of implementing a Governance, Risk & Compliance (GRC) framework. If implemented, GRC will integrate all governance, risk management and mitigation, and compliance and internal control activities in synergy and balance.
The result of the risk profile assessment indicates that the Bank's bankwide risk management implementation has been carried out well, without showing significant differences in risk management activities, thus compositely showing a low risk rating and good risk management.
2016 Strategy and Work Plan
In order to support business growth and anticipate changes in macroeconomic conditions and the implementation of new regulations, the Bank will continuously develop its risk management infrastructure and capability, which includes the following aspects:
1. Implementation of capital calculation provision in accordance with Basel III
The Bank will continue to develop the models and systems required to simulate risk-based capital calculation based on Basel III.
2. Branch Risk Scoring
To integrate the risk measuring process in terms of monitoring the level of each branch office, the Bank is finalizing the development of Branch Risk Scoring methods. The purpose of the Branch Risk Scoring is to map the branch