CHAPTER 2
THEORETICAL FOUNDATION
2.1 The Concept of Audit
2.1.1 Definition of Audit
Arens and Loebbecke (1995, p. 1) define audit as a process taken by
competent and independent personnel in order to gather and evaluate evidence
related to information assessed in an entity to measure and report the level of
conformity of the existing information with the available standards.
This definition is also supported by Arens, Elder, and Beasley
(2003, p. 11). They define audit as the accumulation and evaluation of evidence
about information to determine and report on the degree of correspondence
between the information and established criteria, and should be done by a
competent, independent person.
2.1.2 External Audit vs. Internal Audit
Audit can be conducted both externally and internally. The two have fewer
similarities than differences because each has a different objective.
According to Sawyer et al. (2005, p. 7), the main
responsibility of the external auditor is to form an opinion regarding the financial
report of the company being audited. The objective of the external auditor (financial
statement auditor) is to determine the appropriateness of the presentation of a
company’s financial report and the results of the efforts for the period.
Furthermore, they are also required to assure that the financial statements are
prepared in accordance with the Generally Accepted Accounting Principles
(GAAP) and to assure that it is applied consistently from previous years, and to
ensure that assets are safeguarded appropriately.
On the other hand, internal auditors provide information needed by the
management in carrying out its responsibilities effectively. Internal auditors act as
an independent evaluator to assess the company’s operation by measuring and
evaluating the appropriateness of control as well as the efficiency and
effectiveness of the company’s operation. Internal auditors have a very important
role in every matter related to the company’s management and the risks
involved in running the business. Referring to the professional standards of the
Institute of Internal Auditors (IIA), internal auditing is defined as:
“Internal Auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.”
The definition of internal auditing above highlights the importance of
internal audit, which includes adding value and improving an organization’s
operations. When interviewed on June 26, 2006, Tampubolon argued that the
current internal audit, which focuses on internal control, does not contribute to the
efficiency of the internal audit function. Instead, most of the time, unnecessary
controls are implemented, which contributes to a higher cost of audit.
As a result, Tampubolon suggested that Risk-Based Audit (RBA) be implemented
in every organization. RBA is a type of audit that is focused and prioritized by
business risks and its process as well as control over risks that would occur.
2.1.3 Risk-Based Audit (RBA)
As stated before, RBA is a type of audit that focuses on business risks
and its process as well as control over risks that would occur (Dunil, 2005, p.
18). This is also supported by Samosir (2005, p. 16), who states that RBA
comprises techniques and procedures in supervising a particular division by
focusing on risks that are attached to the bank’s activities. The concept of RBA
is that the higher the risk, the more attention should be paid to it. In identifying a
business risk, auditors should distinguish the control aspects of the associated
business. Understanding the business process includes recognizing the
risks and controls of the system in achieving the organization’s objectives. In RBA,
testing is not only done on past events; it also involves anticipating
events that may happen and whose risks affect the financial statement.
According to Dunil (2005, p. 18), RBA conducted by external auditors is
different from RBA conducted by internal auditors.
1. RBA by external auditor (public accountant) – audits conducted by public
accountants or other external auditors aim to provide an opinion
on the financial reports prepared by the company. As a result, one of the
risks that they have to be aware of is the probability of material
misstatement being present in the financial statements being audited.
Thus, the purpose of RBA by external auditors is to identify, calculate,
and minimize the risk that material misstatement exists
in the financial statements being audited.
2. RBA by internal auditors – Risk-Based Internal Audit undertakes an
independent risk assessment solely for the purpose of formulating the risk
based audit plan keeping in view the inherent business risks of an
activity/location and the effectiveness of the control systems for
monitoring the inherent risks of the business activity (Ernst & Young,
2004). RBIA is explained in detail under the next heading.
2.2 The Concept of Risk-Based Internal Audit (RBIA)
According to Kannan (2004), RBIA involves an evaluation of the risk
management systems and control procedures applied in several areas of the bank’s
operations. In RBIA, an internal auditor’s focus is primarily placed on how risks
would be mitigated as well as how to anticipate potential risks and how to control the
bank from various risks.
Instead of focusing on the present system of full-scale transaction testing,
RBIA concentrates on the risk identification, prioritization of audit areas, and
allocation of audit resources in accordance with the risk assessment. Therefore,
banks are required to develop a well-defined policy of RBIA, which is approved by
the Board. The policy should include the risk assessment methodology for
identifying the risk areas based on the audit plan that would be formulated.
Furthermore, it should also include the maximum time period beyond which even
low-risk business activities should not remain unaudited.
Just like other types of audit, RBIA is conducted by the Internal Audit Unit
or Satuan Kerja Audit Intern (SKAI), with procedures stated in the Internal Audit
Charter and the internal audit guidelines known as Standar Pelaksanaan Fungsi Audit
Intern Bank (SPFAIB), as mandated by Article 9 of PBI No. 1/6/PBI/1999.
According to Samosir (2006, p. 20), internal auditors should have a good
understanding of the risk management process and techniques, and basic internal
auditing qualifications in terms of communication, interviews, and analysis.
According to the Position Statement of the Institute of Internal Auditors of
UK and Ireland (2003), internal auditors might say that they have always focused
their efforts on the riskier areas of the organization. However, this approach has
historically been directed by internal audit’s own assessment of risk. In RBIA, the
focus should be to recognize and evaluate management’s assessment of risk and to
base audit efforts around that process.
Figure 2.1 What is Risk-Based Internal Auditing?
Source: Griffiths, 2006, p. 5
[Figure not reproduced. Labels: Risk Appetite, RR, IR, C. Annotation: "RBIA provides assurance that these controls are operating effectively".]
Table 2.1 RBIA vs. Traditional Internal Auditing
Characteristic | Old Paradigm (Traditional Internal Auditing) | New Paradigm (RBIA)
Internal Audit Focus | Internal Control | Business Risk
Internal Audit Response | Reactive, after-the-fact, discontinuous, observers of strategic planning initiatives | Coactive, real-time, continuous monitoring, participants in strategic plans
Risk Assessment | Risk Factors | Scenario Planning
Internal Audit Tests | Important Controls | Important Risks
Internal Audit Methods | Emphasis on the Completeness of Detail Controls Testing | Emphasis on the Significance of Broad Business Risks Covered
Internal Audit Recommendations | Internal Control: Strengthened; Cost-Benefit; Efficient/Effective | Risk Management: Avoid/Diversify Risk; Share/Transfer Risk; Control/Accept Risk
Internal Audit Reports | Addressing the Functional Controls | Addressing the Process Risks
Internal Audit Role in the Organization | Independent Appraisal Function | Integrated Risk Management and Corporate Governance
Source: McNamee & Selim, Changing the Paradigm, 1998
2.2.1 Objectives of RBIA
Tampubolon (2005, p. 17) implies that the aim of RBIA is to assure that
identified risks are mitigated to an acceptable level. When interviewed on April 20,
2006, he added that RBIA makes auditors’ requirements more real by seeing
controls more objectively.
According to Samosir (2006, p. 20), RBIA enhances the effectiveness of
a bank’s supervision by establishing a sound banking system and focusing on high-
risk activities and consistent supervision. Furthermore, Samosir also describes the
main objectives of RBIA, which include a more accurate inherent risk assessment
and risk management process, cost effectiveness, as well as continuous and timely risk
evaluation. The aims of RBIA according to Samosir involve:
1. To direct specific focus towards functional activities that possess
high risks.
2. To prevent problems from arising in high-risk business units.
3. To provide high-quality supervision that is consistent in case the bank
develops and experiences a changing risk profile.
According to Dunil (2005, p. 19), RBA provides companies with value-
added functions as follows:
1. Assigns direction towards risks that would affect the financial position of
a company.
2. Assists banks in managing their business risks.
3. Enhances communication between auditors and management about the
important issues of risks.
4. Increases the level of identification of risks that might be
disregarded.
5. Increases the level of identification of fraud and other types of
manipulation.
6. Improves the quality and the timeliness of reporting.
Referring to the Position Statement of the Institute of Internal Auditors of
UK and Ireland (2003), the objectives of RBIA are to assure:
1. The risk management processes, which management put in place within
the organization are operating as intended.
2. The risk management processes are of sound operating design.
3. The responses which management has made to risks, which they decide
to treat, are both adequate and effective in reducing those risks to a level
acceptable to the board.
4. A sound framework of controls is in place to sufficiently mitigate those
risks which management attempts to treat.
Griffiths (2006, p. 6) mentions that:
“RBIA directs scarce internal audit resources at checking the responses
to the risks that present a serious threat to an organization and regulations
are now requiring directors to ensure that these risks are properly
managed. RBIA thus provides directors with assurance that this is
happening, or a warning that it isn’t”.
Griffiths’s statement is also supported by McNamee and Selim (1999,
p.1), who argue that RBIA enhances internal audit performance and
organizational risk management. It allocates controls in an effective way. They
imply that:
“Evaluating controls without first examining the purpose of the business
process and its risks provides no context for the results. How can the
internal auditor know which control systems are most important, which
are out of proportion to their risk, and which are missing? Even the
staunchest advocates of control-based auditing must admit to its
limitations”.
2.2.2 Scope of RBIA
According to Kannan (2004), the primary focus of RBIA will be to
provide reasonable assurance to the Board and top management about the
adequacy and effectiveness of the risk management and control framework in the
banks' operations.
Furthermore, Kannan (2004) also implied that the precise scope of RBIA
must be determined by each bank for low, medium, high, very high, and extremely
high-risk areas.
The scope of RBIA should include:
1. Review of the systems in place for ensuring compliance
2. Identifying potential inherent business risks and control risks, if any
3. Suggesting various corrective measures and undertaking follow up
reviews to monitor the action taken thereon.
2.2.3 Risk Assessment
The Performance Standards of the IIA number 2010.A1 states: “The
internal audit activity’s plan of engagements should be based on a risk assessment,
undertaken at least annually. The input of senior management and the board should
be considered in this process”. Federal banking regulators encourage risk
assessment and RBIA to be applied in all banks.
Risk assessment is a process by which an auditor identifies and evaluates
the quantity of the bank’s risks and the quality of its controls over those risks. Risk
assessments should document the bank’s significant business activities and their
associated risks. It is used in identifying, measuring, and determining risk
priorities, so that most audit resources are focused on auditable areas that possess
a high risk score or rate. Results of these risk assessments guide the development
of an audit plan and audit cycle and the scope and objectives of individual audit
programs. Through RBIA, the board and auditors use the results of the risk
assessments to focus on the areas of greatest risk and to set priorities for audit
work. An audit department cannot lose sight of or ignore areas that are rated low
risk. An effective RBA program will ensure adequate audit coverage for all of a
bank’s auditable activities (Comptroller of the Currency, Administrator of National
Banks, 2003, pp. 14 & 18 and Tampubolon, 2005, pp. 91-99).
2.2.4 Internal Control
As discussed before, one of the elements in internal audit is internal
control. Principle 4 of the Framework of Internal Control Systems in Banking
Organizations (Basel Committee on Banking Supervision, 1998) states that:
“an effective internal control system requires that the material risks
that could adversely affect the achievement of the bank’s goals are being
recognized and continually assessed. This assessment should cover all
risks facing the bank and the consolidated banking organization (that is,
credit risk, country and transfer risk, market risk, interest rate risk,
liquidity risk, operational risk, legal risk and reputational risk). Internal
controls may need to be revised to appropriately address any new or
previously uncontrolled risks.”
Additionally, Principle 10 requires that the effectiveness of the bank’s internal
controls be monitored on an ongoing basis. Monitoring of key risks should
be part of the daily activities of the bank as well as periodic evaluations by the
business lines and internal audit.
2.2.5 ORCA (Objective, Risks, Controls, and Audit Procedures)
When interviewed on June 26, 2006, Tampubolon confirmed that the RBIA
approach includes determination of objectives, risk assessment, control, and audit
procedures. In the traditional audit, by contrast, audit procedures are determined at the
very first stage, followed by the determination of audit objectives,
control, and risk. This statement is supported by Baraba (2006), the Senior
Manager Business Risk Services of Ernst and Young. He suggested that the initial
stage in RBIA is to determine the company’s objectives, followed by identifying the
risk, internal control, and audit approach.
Figure 2.2 Transformation of Traditional Audit Approach to Risk-Based Audit Approach
Source: Tampubolon, 2006
[Figure not reproduced. Traditional Approach: A, O, C, R. Risk-Based Audit Approach: O, R, C, A.]
2.2.6 The Seven Step Approach to RBIA
Besides ORCA, RBIA can be implemented using the Seven Step
Approach according to the FSA Times of the Institute of Internal Auditors (2006).
These steps are listed as follows:
1. Understanding the Business Environment
Besides planning the process, understanding the business process is a critical
initial key to effective RBIA. In this step, auditors are expected to attain
feedback from management and audit committee, review business objectives,
and identify specific risks that could cause management not to meet the
company’s business objectives, and evaluate controls established by
management to mitigate these risks. A comprehensive understanding of risk -
such as credit risk, interest rate risk, operational risk, and so on - allows
auditors to concentrate on risk factors.
2. Preliminary Risk Assessment
In the preliminary risk assessment, the level of risk and adequacy of controls
in the various functional processes of a business unit are determined. In doing
so, it focuses on the business profile, management structure, organizational
changes, and specific concerns of management and the audit committee.
Furthermore, the preliminary risk assessment assists auditors in evaluating
the control design to determine the desired audit scope. In this stage, the
ability of each function’s control design to mitigate its inherent risk is
assessed. At the end of the assessment, a risk rating – low, moderate, or high –
is assigned.
3. Develop a Three-year Audit Plan
Referring to the preliminary risk assessment that has been applied, a three-
year audit plan is created. With input from the management, audit committee,
or even regulatory requirements, low-risk areas would be audited every three
years, moderate-risk areas audited every other year, and high-risk areas
audited every year. This three-year audit plan should be updated each year
and changes should be made based on new or adjusted risk factors. As a
result, this will allow internal auditors to be flexible in a dynamic risk
environment.
Table 2.2 Example of a Three-Year Audit Plan for Bank Using the Seven Step Approach
Audit Cycle/Area | Aggregate Risk from Risk Assessment Matrix | Audit Frequency (1, 2, or 3 year rotation) | Audits in Year 2003, Year 2004, Year 2005 (X)
LENDING OPERATIONS
Commercial Loans | M | 2 | X X
Consumer Loans | M | 2 | X
Real Estate Loans | M | 2 | X X
Credit Administration | H | 1 | X X X
Secondary Marketing | L | 3 | X
TREASURY MANAGEMENT
Securities | M | 2 | X X
Cash Management | L | 3 | X
Asset/Liquidity Management | M | 2 | X X
Wire Transfer | H | 1 | X X X
Automated Clearing House | H | 1 | X X X
Borrowings and Repurchase Agreements | L | 3 | X
ACCOUNTING AND FINANCIAL REPORTING
General Accounting | M | 2 | X X
Financial Reporting | M | 2 | X
DEPOSIT OPERATIONS | M | 2 | X
BRANCH OPERATIONS | M | 2 | X X
BANK ADMINISTRATION
Human Resources | M | 2 | X X
Payroll | L | 3 | X
Purchasing | L | 3 | X
Insurance Coverage | M | 2 | X X
High (H); Medium (M); Low (L)
Source: The FSA Times Second Quarter 2006, Vol. 5, No. 2
4. Complete the Secondary Risk Assessment
This stage involves evaluating whether the control design is operating
effectively, as required. In doing so, internal auditors are required to
perform observations such as in-depth interviews and walk-throughs.
Furthermore, this stage allows internal auditors to alter the audit plan by
matching the audit approach to current risks.
5. Execution of the Internal Audit Program
Following the alteration of audit plan based on the secondary risk
assessment, the audit plan is completed and auditors are ready to begin the
audit fieldwork. A standard audit program steers the audit process and
determines which audit procedures should be implemented based on the
secondary risk assessment. Logically, the higher the risk assessment, the
more detailed the audit procedures that should be implemented.
6. Conduct a Formal Exit Meeting
Before leaving the audit field, auditors are required to conduct a formal exit
meeting. The objective of a formal exit meeting is to present to both operating
and senior management the issues noted during the audit, as well as best practice
suggestions for improving controls, efficiency, and operational performance.
A formal exit meeting is also useful for the internal auditors and management
to discuss recommendations for improvement and to answer issues that are
still in question.
7. Reporting and Communication
Following the formal exit meeting, a report draft is distributed to the
operating management to seek corrective action plans. The report draft
should list all findings and recommendations, which are ranked as high,
moderate, or low risk.
Initially, the report is issued in draft in order to allow a continued
communication between internal auditors and operating management. In this
final stage, there should be no incongruities, as every fact should be agreed to
during the fieldwork and the formal exit meeting. Management action plans
should be prepared listing specific actions focusing on the findings and
recommendations, with management assignments of who is responsible for the
plan and a date by which actions should be completed. For the purpose of evaluating
the management action plans, internal auditors should assess whether the
identified risk will be adequately addressed and the implementation schedule is
reasonable.
A final report is issued to all related operating, senior, and executive
management, as well as to members of the audit committee. This final report
includes all findings and recommendations prepared by the internal auditors as
well as management’s action plans. To discuss the audit reports and propose
any crucial feedback, meetings between internal auditors and the audit committee
should be arranged periodically.
The internal auditors will regularly provide a monitoring report that
management and the audit committee can make use of in order to track crucial
internal audit findings, follow up on the results, and review at a glance the
effectiveness of risk management and the resolution of all significant findings.
Follow-up reporting should continue until the concern is acceptably resolved.
2.3 The Concept of Risk Management
According to Article 1 of Peraturan Bank Indonesia (PBI) No. 5/8/PBI/2003,
risk is defined as ‘the potential for the occurrence of an event that may incur losses
for the Bank’. Risk management, meanwhile, is defined as ‘a set of procedures and
methodologies that is used in identifying, measuring, examining, and controlling
risks that result from banks’ operational activities’.
Based on those definitions, risk is actually a potential failure in the future.
Consequently, risk should be properly considered and measured. Tampubolon (2005,
p. 4) defines risk as events or situations that prevent and cause an organization to fail
in achieving its objectives. This definition is similar to what Griffiths (2006, p. 2) set
out in his paper. According to him, a definition of risk requires objectives to be present;
otherwise it cannot be categorized as a risk.
The Association of Chartered Certified Accountants (ACCA, 2003) classifies
the nature of responses towards identified risks, which should be taken by
management:
1. Treat
2. Terminate
3. Transfer, or
4. Tolerate
Referring to Article 2 of PBI No. 5/8/PBI/2003, risk management should
cover:
1. Active supervision by the Board of Commissioners (BoC) and Board of
Directors (BoD).
2. Adequacy of policy, procedure, and establishment of limits.
3. Adequacy of processes of identification, measurement, monitoring, and
control of Risks and the Risk Management information system.
4. Comprehensive internal control system.
2.3.1 The Relationship Between Internal Audit and Risk Management
As stated before, managers are risk owners, and they are responsible for
controlling the risks that arise from their activities. Internal auditors are responsible for
assuring the management that existing risks are controlled in an appropriate
manner (Tampubolon, 2005, pp. 28-29). According to Samosir (2006, p. 30), risk
management is a systematic and logical method to identify, analyze, evaluate,
treat, monitor and communicate every risk that is associated with an activity,
function, or process, and that leads an organization to minimize its risks and maximize
its opportunities.
The function of an internal auditor in risk management is different for
every organization depending on the organization’s complexity, and it will be
constantly changing as the complexity of risk management implemented in the
organization changes (Samosir, 2005, p. 30). Tampubolon (2004, pp. 201 and 202)
states that the audit process generally involves assessing the adequacy and
effectiveness of internal control systems, as well as reviewing the adequacy of the
application and effectiveness of the risk management and risk assessment
technique.
Figure 2.3 Relationship Between Internal Auditors and Management
Source: Tampubolon, 2005, p. 29
[Figure not reproduced. Elements shown: Environment (objectives, strategy, risk appetite, implementation plan); Risk Identification (according to the existing objective, strategy, and plan); Risk and Control Assessment (quantify the probabilities of events, their impacts, and existing control); Response Towards Risks (Accept Risk, Prevent Risk, Mitigate Risk); Mitigation Program; Active Monitoring by the Management (decisions related to the determination of objective, strategy, and observation as well as the corrective actions to be taken towards deviations); Internal Audit Function (shown twice).]
Samosir (2006, p. 30) states that audit conducted by internal auditors does
not only focus on the weaknesses of internal control, but also on the weaknesses that exist
in the risk management system. Internal auditors assure the Executives that all
staff and employees have the same definition of risk. Samosir also states the
internal audit functions in risk management, which include:
1. Focuses on internal audit activity towards important and primary risks, as
identified by the management.
2. Audits risk management process in the organization.
3. Provides assurance towards risk management.
4. Provides support and active involvement in the risk management
process.
5. Facilitates risk assessment and identification in the risk management
process.
6. Coordinates risk reporting to the Board of Commissioners and
Executives, as well as Audit Committee and other related parties.
According to Griffiths (2006, p. 5), in order for RBIA to be effective,
directors need to ensure that the risk management framework includes:
1. Risks threatening the organization’s objectives are identified and assessed
by directors and managers, and suitable internal control responses are
developed to reduce the threats to below the risk appetite, or reported to the
Board where this is not possible.
2. Inherent risks are recorded and assessed in an organized manner
according to their threats.
3. The presence of a risk appetite that is approved by the Board for the
organization on such a basis that risks can be easily identified (above,
or below, the risk appetite).
4. The risk management framework defines the responsibilities of functions
that provide assurance - such as internal auditors, management, external
auditors.
2.3.2 Risks in the Banking Industry
According to Bank Indonesia (Regulation No. 5/8/PBI/2003 Article 4
(1)), risks are classified into various categories based on the origin and their nature.
The most prominent financial risks to which the banks are exposed include:
1. Market Risk - risk arising from adverse movement in the market
variables (interest rates and exchange rates) of the portfolios held by the
bank that may incur losses for the Bank.
2. Liquidity Risk - risk including but not limited to risk caused by default
of the Bank on liabilities at due date.
3. Operational Risk - risk including but not limited to Risk caused by
inadequacy or dysfunction in internal processes, human error, system
failure, or existence of external problems affecting the operations of the
bank.
4. Legal Risk - risk caused by weaknesses in juridical matters, such as legal
claims, absence of legal framework, or contractual weaknesses such as
failure to meet the requirements for legality of contracts and loopholes in
the binding of collateral.
5. Reputational Risks - risk including but not limited to risks caused by
negative publicity pertaining to the business operations of the bank or
negative perceptions of the Bank.
6. Strategic Risks - risk including but not limited to risks caused by
adoption and implementation of an inappropriate strategy for the bank,
inappropriate decision making in the business affairs of the bank, or lack
of responsiveness of the bank to external change.
7. Compliance Risk - risk caused by failure of the Bank to comply with or
implement prevailing laws and regulations and other legal provisions.
2.4 The Concept of Credit
2.4.1 Definition of Credit
Credit is one of the productive assets in a bank’s account. This implies that
credit contains risk in rupiah as well as in foreign currency owned by the bank, in
order to obtain income in accordance with its function. Undang-undang Republik
Indonesia No. 10 tahun 1998 pasal 1 article 11 defines credit as a supply of money
or collection that could be generalized, based on agreement or treaty of lending
between bank and another party that requires the lender to complete his payment in
a certain agreed period of time with certain agreed percentage of interest (Dunil,
2005, p. 165).
RBA towards credit begins with inherent risk identification
for every credit being assessed. For every credit risk, the possibilities that the
bank will encounter if the risk is realized should be determined. Then, the
connection between risks and the factors that cause risks to arise should be
observed and separated between manageable and unmanageable risks. SKAI is
only functional for manageable risks. Thus, the object of an audit is only the
manageable risks of the credit (Dunil, 2005, p. 166). This statement is supported
by The Association of Chartered Certified Accountants (ACCA) (2003), which
clearly determines that the work of internal audit only includes how the risks can
be mitigated by certain internal control and governance processes.
2.4.2 Risk Management Implementation in Credit Sector
According to Peraturan Bank Indonesia (PBI) No. 5/8/PBI/2003 and
Surat Edaran Bank Indonesia (SEBI) No. 5/21/DPNP, risk management is very
important to be implemented by all commercial banks. The application of risk
management should be based on the bank’s specific needs, which depends on the
bank’s internal factors. According to Dunil (2005, p. 171), issues that should be
taken into account in implementing risk management include: the bank’s vision,
size, main business, scope of work, and the human resource availability and
capacity.
a. Review of Credit Procedure
Banks’ credit process should be in accordance with the principles of
credit risk management. The fundamental aspects that should be
considered include:
1. The credit process is categorized based on the risks, other
than the amount of credit. This begins with assessing credit
risk, and continues with setting the acceptable risk for the
bank. Based on that, the bank is able to determine which
credit proposal should be approved and which should be
rejected.
2. The flow of work is mostly automated. This means that the
assessment of credit approval is based on a clear and mutual
standard. Thus, subjective judgment is limited. As a result,
whichever analyst reviews a credit proposal, the decision
will be based on the same standard.
3. Risk strategy should be in accordance with business strategy.
By implementing risk management, banks should
harmonize their business strategy with their acceptable risk.
Therefore, banks will not enter a new business in which its
risk is outside the bank’s existing risk strategy. On one hand,
this approach seems to limit the bank’s operational scope.
However, from the risk strategy, the bank will be more
secure, and in a longer period of time, the bank will have a
strong core business that will be the area of expertise of the
bank.
4. Active credit portfolio management. By applying risk
management, the credit portfolio is no longer an end
result that is formed unintentionally. It is the aggregate result
of planned credit based on the industry sector, risk
approximation and composition, whose strategies have been planned and
organized from the beginning.
Risk Management Policy as referred to in Article 2 paragraph (2) of PBI
No. 5/8/PBI/2003 shall state at least the following:
a. Determination of Risks related to banking products and transactions
b. Determination of the methods to be employed for measurement and the
Risk Management information system
c. Establishment of limits and determination of risk tolerances
d. Establishment of risk rating
e. Formulation of contingency plan in worst-case scenario
f. Establishment of internal control system for application of risk
management