Source: library.binus.ac.id/eColls/eThesisdoc/Bab2/bab2_06-38bi.pdf

CHAPTER 2
THEORETICAL FOUNDATION

2.1 The Concept of Audit

2.1.1 Definition of Audit

Arens and Loebbecke (1995, p. 1) define audit as a process taken by competent and independent personnel in order to gather and evaluate evidence related to information assessed in an entity, to measure and report the level of conformity of the existing information with the available standards. This definition is also supported by Arens, Elder, and Beasley (2003, p. 11). They define audit as the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria, which should be done by a competent, independent person.

2.1.2 External Audit vs. Internal Audit

Audit can be conducted both externally and internally. The two have few similarities compared to their differences, because each has a different objective. According to Sawyer et al. (2005, p. 7), the main responsibility of the external auditor is to form an opinion on the financial report of the company being audited. The objective of the external auditor (financial statement auditor) is to determine the appropriateness of the presentation of a company’s financial report and of the results of its efforts for the period.

Furthermore, they are also required to assure that the financial statements are prepared in accordance with the Generally Accepted Accounting Principles (GAAP) and that these are applied consistently with previous years, and to ensure that assets are safeguarded appropriately.

On the other hand, internal auditors provide the information that management needs to carry out its responsibilities effectively. Internal auditors act as an independent evaluator that assesses the company’s operation by measuring and evaluating the appropriateness of control as well as the efficiency and effectiveness of the company’s operation. Internal auditors have a very important role in every matter related to the company’s management and the risks involved in running the business. Referring to the professional standards of the Institute of Internal Auditors (IIA), internal auditing is defined as:

“Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

The definition of internal auditing above highlights the importance of internal audit, which includes adding value and improving an organization’s operations. When interviewed on June 26, 2006, Tampubolon argued that current internal audit, which focuses on internal control, does not contribute to the efficiency of the internal audit function. Instead, most of the time, unnecessary controls are implemented, which contributes to a higher cost of audit.

As a result, Tampubolon suggested that Risk-Based Audit (RBA) be implemented in every organization. RBA is a type of audit that is focused on and prioritized by business risks and their processes, as well as control over the risks that may occur.

2.1.3 Risk-Based Audit (RBA)

As stated before, RBA is a type of audit that focuses on business risks and their processes, as well as control over the risks that may occur (Dunil, 2005, p. 18). This is also supported by Samosir (2005, p. 16), who states that RBA comprises techniques and procedures for supervising a particular division by focusing on the risks attached to the bank’s activities. The concept of RBA is that the higher the risk, the more attention should be placed on it. In identifying a business risk, auditors should distinguish the control aspects of the associated business. Understanding the business process includes recognizing the risks and controls of the system in achieving the organization’s objectives. In RBA, testing is not only done on past events; it also involves anticipating the probable future events whose risks affect the financial statements.

According to Dunil (2005, p. 18), RBA conducted by external auditors is different from RBA conducted by internal auditors.

1. RBA by external auditor (public accountant) – audits conducted by public accountants or other external auditors are aimed at providing an opinion on the financial reports prepared by the company. As a result, one of the risks that they have to be aware of is the probability of material misstatement being present in the financial statements being audited.

   Thus, the purpose of RBA by external auditors is to identify, calculate, and minimize the risk that material misstatement exists in the financial statements being audited.

2. RBA by internal auditors – Risk-Based Internal Audit undertakes an independent risk assessment solely for the purpose of formulating the risk-based audit plan, keeping in view the inherent business risks of an activity/location and the effectiveness of the control systems for monitoring the inherent risks of the business activity (Ernst & Young, 2004). RBIA is explained in detail under the next heading.

2.2 The Concept of Risk-Based Internal Audit (RBIA)

According to Kannan (2004), RBIA involves an evaluation of the risk management systems and control procedures applied in several areas of the bank’s operations. In RBIA, an internal auditor’s focus is placed primarily on how risks would be mitigated, as well as on how to anticipate potential risks and how to protect the bank from various risks.

Instead of focusing on the present system of full-scale transaction testing, RBIA concentrates on risk identification, prioritization of audit areas, and allocation of audit resources in accordance with the risk assessment. Therefore, banks are required to develop a well-defined RBIA policy, approved by the Board. The policy should include the risk assessment methodology for identifying the risk areas on which the audit plan would be formulated. Furthermore, it should also include the maximum time period beyond which even low-risk business activities should not remain unaudited.

Just like other types of audit, RBIA is conducted by the Internal Audit Unit, or Satuan Kerja Audit Intern (SKAI), with procedures stated in the Internal Audit Charter and in the internal audit guidelines known as Standar Pelaksanaan Fungsi Audit Intern Bank (SPFAIB), as mandated in Article 9 of PBI No. 1/6/PBI/1999. According to Samosir (2006, p. 20), internal auditors should have a good understanding of the risk management process and techniques, and basic internal auditing qualifications in terms of communication, interviews, and analysis.

According to the Position Statement of the Institute of Internal Auditors of UK and Ireland (2003), internal auditors might say that they have always focused their efforts on the riskier areas of the organization. However, this approach has historically been directed by internal audit’s own assessment of risk. In RBIA, the focus should be to recognize and evaluate management’s assessment of risk and to base audit efforts around that process.

Figure 2.1 What is Risk-Based Internal Auditing?
Source: Griffiths, 2006, p. 5
[Figure: diagram with the labels Risk Appetite, IR, C, and RR; caption text: “RBIA provides assurance that these controls are operating effectively”.]

Table 2.1 RBIA vs. Traditional Internal Auditing

| Characteristic | Old Paradigm (Traditional Internal Auditing) | New Paradigm (RBIA) |
|---|---|---|
| Internal Audit Focus | Internal Control | Business Risk |
| Internal Audit Response | Reactive, after-the-fact, discontinuous, observers of strategic planning initiatives | Coactive, real-time, continuous monitoring, participants in strategic plans |
| Risk Assessment | Risk Factors | Scenario Planning |
| Internal Audit Tests | Important Controls | Important Risks |
| Internal Audit Methods | Emphasis on the Completeness of Detail Controls Testing | Emphasis on the Significance of Broad Business Risks Covered |
| Internal Audit Recommendations | Internal Control: Strengthened; Cost-Benefit; Efficient/Effective | Risk Management: Avoid/Diversify Risk; Share/Transfer Risk; Control/Accept Risk |
| Internal Audit Reports | Addressing the Functional Controls | Addressing the Process Risks |
| Internal Audit Role in the Organization | Independent Appraisal Function | Integrated Risk Management and Corporate Governance |

Source: McNamee & Selim, Changing the Paradigm, 1998

2.2.1 Objectives of RBIA

Tampubolon (2005, p. 17) implies that the aim of RBIA is to assure that identified risks are mitigated to an acceptable level. When interviewed on April 20, 2006, he added that RBIA makes auditors’ requirements more real by seeing controls more objectively.

According to Samosir (2006, p. 20), RBIA enhances the effectiveness of a bank’s supervision by establishing a sound banking system and focusing on high-risk activities and consistent supervision. Furthermore, Samosir also describes the main objectives of RBIA, which include a more accurate assessment of inherent risk and of the risk management process, and cost-effective as well as continuous and timely risk evaluation. The aims of RBIA according to Samosir are:

1. To direct a specific focus towards functional activities that carry high risks.
2. To prevent problems from arising in high-risk business units.
3. To provide high-quality supervision that remains consistent when the bank develops and experiences a changing risk profile.

According to Dunil (2005, p. 19), RBA provides companies with value-added functions as follows:

1. Gives direction towards the risks that would affect the financial position of a company.
2. Assists banks in managing their business risks.
3. Enhances communication between auditors and management about the important issues of risks.
4. Increases the level of identification of risks that might otherwise be disregarded.
5. Increases the level of identification of fraud and other types of manipulation.
6. Improves the quality and the timeliness of reporting.

Referring to the Position Statement of the Institute of Internal Auditors of UK and Ireland (2003), the objectives of RBIA are to assure that:

1. The risk management processes which management has put in place within the organization are operating as intended.
2. The risk management processes are of sound operating design.
3. The responses which management has made to the risks which it decides to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
4. A sound framework of controls is in place to sufficiently mitigate those risks which management attempts to treat.

Griffiths (2006, p. 6) mentions that:

“RBIA directs scarce internal audit resources at checking the responses to the risks that present a serious threat to an organization, and regulations are now requiring directors to ensure that these risks are properly managed. RBIA thus provides directors with assurance that this is happening, or a warning that it isn’t.”

Griffiths’ statement is also supported by McNamee and Selim (1999, p. 1), who argue that RBIA enhances internal audit performance and organizational risk management, and allocates controls in an effective way. They imply that:

“Evaluating controls without first examining the purpose of the business process and its risks provides no context for the results. How can the internal auditor know which control systems are most important, which are out of proportion to their risk, and which are missing? Even the staunchest advocates of control-based auditing must admit to its limitations.”

2.2.2 Scope of RBIA

According to Kannan (2004), the primary focus of RBIA will be to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the banks' operations.

Furthermore, Kannan (2004) also implied that the precise scope of RBIA must be determined by each bank for low, medium, high, very high, and extremely high-risk areas.

The scope of RBIA should include:

1. Review of the systems in place for ensuring compliance.
2. Identifying potential inherent business risks and control risks, if any.
3. Suggesting various corrective measures and undertaking follow-up reviews to monitor the action taken thereon.

2.2.3 Risk Assessment

The Performance Standards of the IIA, number 2010.A1, state: “The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process”. Federal banking regulators encourage risk assessment and RBIA to be applied in all banks.

Risk assessment is a process by which an auditor identifies and evaluates the quantity of the bank’s risks and the quality of its controls over those risks. Risk assessments should document the bank’s significant business activities and their associated risks. Risk assessment is used in identifying, measuring, and determining risk priorities, so that most audit resources are focused on the auditable areas that carry a high risk score or rating. The results of these risk assessments guide the development of the audit plan and audit cycle, and the scope and objectives of individual audit programs. Through RBIA, the board and auditors use the results of the risk assessments to focus on the areas of greatest risk and to set priorities for audit work. An audit department cannot lose sight of or ignore areas that are rated low risk: an effective RBA program will ensure adequate audit coverage for all of a bank’s auditable activities (Comptroller of the Currency, Administrator of National Banks, 2003, pp. 14 & 18; Tampubolon, 2005, pp. 91-99).

2.2.4 Internal Control

As discussed before, one of the elements in internal audit is internal control. Principle 4 of the Framework of Internal Control Systems in Banking Organizations (Basel Committee on Banking Supervision, 1998) states that:

“an effective internal control system requires that the material risks that could adversely affect the achievement of the bank’s goals are being recognized and continually assessed. This assessment should cover all risks facing the bank and the consolidated banking organization (that is, credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk). Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks.”

Additionally, Principle 10 requires that the effectiveness of the bank’s internal controls be monitored on an ongoing basis. Monitoring of key risks should be part of the daily activities of the bank, as well as of the periodic evaluations by the business lines and internal audit.

2.2.5 ORCA (Objective, Risks, Controls, and Audit Procedures)

When interviewed on June 26, 2006, Tampubolon confirmed that the RBIA approach consists of, in this order, the determination of objectives, risk assessment, control, and audit procedures. In the traditional audit, by contrast, audit procedures are determined at the very first stage, followed by the determination of audit objectives, control, and risk. This statement is supported by Baraba (2006), Senior Manager Business Risk Services of Ernst and Young. He suggested that the initial stage in RBIA is to determine the company’s objectives, followed by identifying the risks, internal control, and the audit approach.

Figure 2.2 Transformation of Traditional Audit Approach to Risk-Based Audit Approach
Source: Tampubolon, 2006
[Figure: Traditional Approach: A → O → C → R; Risk-Based Audit Approach: O → R → C → A (O = Objective, R = Risks, C = Controls, A = Audit Procedures, as in the ORCA heading above).]

2.2.6 The Seven Step Approach to RBIA

Besides ORCA, RBIA can be implemented using the Seven Step Approach according to the FSA Times of the Institute of Internal Auditors (2006). These steps are listed as follows:

1. Understanding the Business Environment

   Besides planning the process, understanding the business process is a critical initial key to effective RBIA. In this step, auditors are expected to obtain feedback from management and the audit committee, review business objectives, identify specific risks that could cause management not to meet the company’s business objectives, and evaluate the controls established by management to mitigate these risks. A comprehensive understanding of risk – such as credit risk, interest rate risk, operational risk, and so on – allows auditors to concentrate on risk factors.

2. Preliminary Risk Assessment

   In the preliminary risk assessment, the level of risk and the adequacy of controls in the various functional processes of a business unit are determined. In doing so, it focuses on the business profile, management structure, organizational changes, and specific concerns of management and the audit committee. Furthermore, the preliminary risk assessment assists auditors in evaluating the control design to determine the desired audit scope. In this stage, the ability of each function’s control design to mitigate its inherent risk is assessed. At the end of the assessment, a risk rating – low, moderate, or high – is assigned.

3. Develop a Three-year Audit Plan

   Referring to the preliminary risk assessment that has been performed, a three-year audit plan is created. With input from management, the audit committee, or even regulatory requirements, low-risk areas would be audited every three years, moderate-risk areas every other year, and high-risk areas every year. This three-year audit plan should be updated each year, with changes made based on new or adjusted risk factors. As a result, internal auditors can be flexible in a dynamic risk environment.

Table 2.2 Example of a Three-Year Audit Plan for a Bank Using the Seven Step Approach

| Audit Cycle/Area | Aggregate Risk from Risk Assessment Matrix | Audit Frequency (1, 2, or 3 year rotation) | Years 2003 / 2004 / 2005 (X = audit scheduled) |
|---|---|---|---|
| LENDING OPERATIONS | | | |
| Commercial Loans | M | 2 | X X |
| Consumer Loans | M | 2 | X |
| Real Estate Loans | M | 2 | X X |
| Credit Administration | H | 1 | X X X |
| Secondary Marketing | L | 3 | X |
| TREASURY MANAGEMENT | | | |
| Securities | M | 2 | X X |
| Cash Management | L | 3 | X |
| Asset/Liquidity Management | M | 2 | X X |
| Wire Transfer | H | 1 | X X X |
| Automated Clearing House | H | 1 | X X X |
| Borrowings and Repurchase Agreements | L | 3 | X |
| ACCOUNTING AND FINANCIAL REPORTING | | | |
| General Accounting | M | 2 | X X |
| Financial Reporting | M | 2 | X |
| DEPOSIT OPERATIONS | M | 2 | X |
| BRANCH OPERATIONS | M | 2 | X X |
| BANK ADMINISTRATION | | | |
| Human Resources | M | 2 | X X |
| Payroll | L | 3 | X |
| Purchasing | L | 3 | X |
| Insurance Coverage | M | 2 | X X |

High (H); Medium (M); Low (L)
Source: The FSA Times Second Quarter 2006, Vol. 5, No. 2
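The rating-to-rotation rule of step 3 and the risk-appetite check behind Figure 2.1 can be made concrete in code. The following Python program is an added example, not part of the thesis or of the FSA Times article it cites. It assumes a constructed scoring model: IR = likelihood × impact on 1–5 scales, C = control effectiveness between 0 and 1, RR = IR × (1 − C), H/M/L cut-offs and a risk-appetite threshold chosen for illustration, on the reading that IR, C and RR in Figure 2.1 stand for inherent risk, controls and residual risk. The 1/2/3-year rotation for high/moderate/low areas is the rule stated above; the sample areas are constructed, loosely following the names in Table 2.2.

```python
"""Risk-based internal audit planning (added example, not from the thesis)."""
from dataclasses import dataclass

# Constructed: residual-risk score above which a risk exceeds the board's
# risk appetite and must be reported to the Board (assumed threshold).
RISK_APPETITE = 8.0

# Audit frequency in years per rating: the 1/2/3-year rotation for
# high/moderate/low-risk areas stated in step 3 of the Seven Step Approach.
ROTATION = {"H": 1, "M": 2, "L": 3}


@dataclass(frozen=True)
class AuditableArea:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                   # 1 (minor) .. 5 (severe), constructed scale
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective)


def inherent_risk(area: AuditableArea) -> int:
    """IR: likelihood x impact before any control is considered (1..25)."""
    return area.likelihood * area.impact


def residual_risk(area: AuditableArea) -> float:
    """RR: what remains of IR after the control's mitigating effect (assumed model)."""
    return inherent_risk(area) * (1.0 - area.control_effectiveness)


def rate(score: float) -> str:
    """Map a residual-risk score to the H/M/L rating of Table 2.2 (assumed cut-offs)."""
    if score >= 10:
        return "H"
    if score >= 5:
        return "M"
    return "L"


def above_appetite(areas) -> list:
    """Areas whose residual risk still exceeds the risk appetite. These are the
    cases RBIA must report to the Board rather than treat as accepted."""
    return [a.name for a in areas if residual_risk(a) > RISK_APPETITE]


def build_plan(areas, start_year: int, horizon: int = 3) -> dict:
    """Schedule each area on its rotation within the planning horizon.

    H/M/L areas are audited every 1/2/3 years. The phase (the year the
    rotation starts) is chosen to balance the load across years. Because the
    horizon is at least as long as every rotation, each area is scheduled at
    least once, so even low-risk areas do not go unaudited for the whole period.
    """
    years = list(range(start_year, start_year + horizon))
    load = {y: 0 for y in years}
    plan = {}
    # Highest residual risk first, so those areas get first claim on each year.
    for area in sorted(areas, key=residual_risk, reverse=True):
        freq = ROTATION[rate(residual_risk(area))]
        # Only phases that keep the first audit inside the horizon are allowed.
        phase = min(range(min(freq, horizon)), key=lambda p: load[start_year + p])
        scheduled = [y for y in years
                     if y >= start_year + phase and (y - start_year - phase) % freq == 0]
        for y in scheduled:
            load[y] += 1
        plan[area.name] = scheduled
    return plan


def coverage_gaps(plan: dict) -> list:
    """Areas with no audit in the plan; a valid risk-based plan has none."""
    return [name for name, years in plan.items() if not years]


# Constructed sample universe, loosely following the area names in Table 2.2.
SAMPLE_AREAS = [
    AuditableArea("Wire Transfer", 4, 5, 0.4),         # IR 20, RR 12.0 -> H
    AuditableArea("Credit Administration", 4, 4, 0.3), # IR 16, RR 11.2 -> H
    AuditableArea("Commercial Loans", 3, 4, 0.5),      # IR 12, RR 6.0  -> M
    AuditableArea("Securities", 3, 3, 0.3),            # IR 9,  RR 6.3  -> M
    AuditableArea("Payroll", 2, 2, 0.5),               # IR 4,  RR 2.0  -> L
    AuditableArea("Purchasing", 2, 3, 0.6),            # IR 6,  RR 2.4  -> L
]

if __name__ == "__main__":
    for area in SAMPLE_AREAS:
        rr = residual_risk(area)
        print(f"{area.name:22} IR={inherent_risk(area):2} RR={rr:5.1f} rating={rate(rr)}")
    print("Above risk appetite (report to the Board):", above_appetite(SAMPLE_AREAS))
    for name, years in build_plan(SAMPLE_AREAS, 2003).items():
        print(f"{name:22} audited in {years}")
```

Running it prints each area's IR, RR and rating, the areas whose residual risk still exceeds the appetite (the cases Griffiths says must be reported to the Board), and a three-year plan in which every area, including the low-risk ones, is scheduled at least once; coverage_gaps() is the check that the maximum-unaudited-period requirement of section 2.2 holds. Re-running build_plan each year with refreshed ratings is the annual update that step 3 calls for.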

4. Complete the Secondary Risk Assessment

   This stage involves evaluating whether the control design is operating effectively, as required. In doing so, internal auditors are required to perform observations such as in-depth interviews and walk-throughs. Furthermore, this stage allows internal auditors to alter the audit plan by matching the audit approach to current risks.

5. Execution of the Internal Audit Program

   Following the alteration of the audit plan based on the secondary risk assessment, the audit plan is completed and auditors are ready to begin the audit fieldwork. A standard audit program steers the audit process and determines which audit procedures should be implemented based on the secondary risk assessment. Logically, the higher the risk assessment, the more detailed the audit procedures that should be implemented.

6. Conduct a Formal Exit Meeting

   Before leaving the audit field, auditors are required to conduct a formal exit meeting. The objective of a formal exit meeting is to present to both operating and senior management the issues noted during the audit, as well as best-practice suggestions for improving controls, efficiency, and operational performance. A formal exit meeting is also useful for the internal auditors and management to discuss recommendations for improvement and to answer issues that are still in question.

7. Reporting and Communication

   Following the formal exit meeting, a draft report is distributed to operating management to seek corrective action plans. The draft report should list all findings and recommendations, ranked as high, moderate, or low risk.

   Initially, the report is issued in draft in order to allow continued communication between internal auditors and operating management. In this final stage, there should be no incongruities, as every fact should have been agreed to during the fieldwork and the formal exit meeting. Management action plans should be prepared listing specific actions focusing on the findings and recommendations, with management assignments of who is responsible for the plan and a date by which the actions should be completed. For the purpose of evaluating the management action plans, internal auditors should assess whether the identified risk will be adequately addressed and whether the implementation schedule is reasonable.

   A final report is issued to all related operating, senior, and executive management, as well as to members of the audit committee. This final report includes all findings and recommendations prepared by the internal auditors as well as management’s action plans. To discuss the audit reports and propose any crucial feedback, meetings between internal auditors and the audit committee should be arranged periodically.

   The internal auditors will regularly provide a monitoring report that management and the audit committee can use to track crucial internal audit findings, follow up on the results, and review at a glance the effectiveness of risk management and the resolution of all significant findings. Follow-up reporting should continue until the concern is acceptably resolved.

2.3 The Concept of Risk Management

According to Article 1 of Peraturan Bank Indonesia (PBI) No. 5/8/PBI/2003, risk is defined as ‘the potential for the occurrence of an event that may incur losses for the Bank’, while risk management is defined as ‘a set of procedures and methodologies that is used in identifying, measuring, examining, and controlling risks that result from banks’ operational activities’.

Based on those definitions, risk is actually a potential failure in the future. Consequently, risk should be properly considered and measured. Tampubolon (2005, p. 4) defines risk as events or situations that prevent an organization from achieving its objectives or cause it to fail to do so. This definition is similar to what Griffiths (2006, p. 2) sets out in his paper. According to him, a definition of risk requires objectives to be present; otherwise an event cannot be categorized as a risk.

The Association of Chartered Certified Accountants (ACCA, 2003) classifies the nature of the responses towards identified risks that should be taken by management:

1. Treat
2. Terminate
3. Transfer, or
4. Tolerate

Referring to Article 2 of PBI No. 5/8/PBI/2003, risk management should cover:

1. Active supervision by the Board of Commissioners (BoC) and Board of Directors (BoD).
2. Adequacy of policy, procedure, and establishment of limits.

3. Adequacy of processes of identification, measurement, monitoring, and control of Risks and the Risk Management information system.
4. Comprehensive internal control system.

2.3.1 The Relationship Between Internal Audit and Risk Management

As stated before, managers are risk owners, and they are responsible for controlling the risks arising from their activities. Internal auditors are responsible for assuring management that existing risks are controlled in an appropriate manner (Tampubolon, 2005, pp. 28-29). According to Samosir (2006, p. 30), risk management is a systematic and logical method to identify, analyze, evaluate, treat, monitor, and communicate every risk associated with an activity, function, or process, which leads an organization to minimize its risks and maximize its opportunities.

The function of an internal auditor in risk management is different for every organization, depending on the organization’s complexity, and it will be constantly changing as the complexity of the risk management implemented in the organization changes (Samosir, 2005, p. 30). Tampubolon (2004, pp. 201 and 202) states that the audit process generally involves assessing the adequacy and effectiveness of internal control systems, as well as reviewing the adequacy of the application and effectiveness of the risk management and risk assessment techniques.

Figure 2.3 Relationship Between Internal Auditors and Management
Source: Tampubolon, 2005, p. 29
[Figure: a cycle running from Environment (objectives, strategy, risk appetite, implementation plan) to Risk Identification (according to the existing objective, strategy, and plan), to Risk and Control Assessment (quantify the probabilities of events, their impacts, and existing control), to Response Towards Risks (Accept Risk / Prevent Risk / Mitigate Risk), to the Mitigation Program, and to Active Monitoring by the Management (decisions related to the determination of objective, strategy, and observation, as well as the corrective actions to be taken towards deviations); the Internal Audit Function is labelled at two points of the cycle.]

Samosir (2006, p. 30) states that an audit conducted by internal auditors does not only focus on the weaknesses of internal control, but also on the weaknesses existing in the risk management system. The internal auditor assures the Executives that all staff and employees have the same definition of risk. Samosir also states the functions of internal audit in risk management, which include:

1. Focusing internal audit activity on the important and primary risks, as identified by management.
2. Auditing the risk management process in the organization.
3. Providing assurance on risk management.
4. Providing support and active involvement in the risk management process.
5. Facilitating risk assessment and identification in the risk management process.
6. Coordinating risk reporting to the Board of Commissioners and Executives, as well as the Audit Committee and other related parties.

According to Griffiths (2006, p. 5), in order for RBIA to be effective, directors need to ensure that the risk management framework includes the following:

1. Risks threatening the organization’s objectives are identified and assessed by directors and managers, and internal controls or other suitable responses are developed to reduce the threats to below the risk appetite, or reported to the Board where this is not possible.
2. Inherent risks are recorded and assessed in an organized manner according to their threats.

3. A risk appetite that is approved by the Board for the organization, on a basis that allows risks to be easily identified as above or below the risk appetite.
4. The responsibilities of the functions that provide assurance, such as internal auditors, management, and external auditors, are defined in the risk management framework.

2.3.2 Risks in the Banking Industry

According to Bank Indonesia (Regulation No. 5/8/PBI/2003 Article 4 (1)), risks are classified into various categories based on their origin and nature. The most prominent financial risks to which banks are exposed include:

1. Market Risk - risk arising from adverse movements in the market variables (interest rates and exchange rates) of the portfolios held by the bank that may incur losses for the Bank.
2. Liquidity Risk - risk including but not limited to risk caused by default of the Bank on liabilities at due date.
3. Operational Risk - risk including but not limited to risk caused by inadequacy or dysfunction in internal processes, human error, system failure, or the existence of external problems affecting the operations of the bank.
4. Legal Risk - risk caused by weaknesses in juridical matters, such as legal claims, absence of a legal framework, or contractual weaknesses such as failure to meet the requirements for legality of contracts and loopholes in the binding of collateral.

5. Reputational Risk - risk including but not limited to risks caused by negative publicity pertaining to the business operations of the bank or negative perceptions of the Bank.
6. Strategic Risk - risk including but not limited to risks caused by the adoption and implementation of an inappropriate strategy for the bank, inappropriate decision making in the business affairs of the bank, or a lack of responsiveness of the bank to external change.
7. Compliance Risk - risk caused by failure of the Bank to comply with or implement prevailing laws and regulations and other legal provisions.

2.4 The Concept of Credit

2.4.1 Definition of Credit

Credit is one of the productive assets in a bank's accounts. This implies that credit carries risk, in rupiah as well as in foreign currency owned by the bank, which the bank takes on in order to obtain income in accordance with its function. Undang-undang Republik Indonesia No. 10 tahun 1998 pasal 1 article 11 defines credit as a supply of money, or claims that could be treated as equivalent, based on a lending agreement or contract between a bank and another party, that requires the lender to complete the payment within a certain agreed period of time at a certain agreed rate of interest (Dunil, 2005, p. 165).

RBA towards credit initially commences with the identification of inherent risk for every credit being assessed. For every credit risk, the possibilities that the bank will encounter if the risk is realized should be determined. Then, the connection between the risks and the factors that cause them to arise should be observed, and the risks separated into manageable and unmanageable risks. SKAI is only functional for manageable risks. Thus, the object of an audit is only the manageable risks of the credit (Dunil, 2005, p. 166). This statement is supported by The Association of Chartered Certified Accountants (ACCA) (2003), which clearly determines that the work of internal audit only includes how the risks can be mitigated by certain internal control and governance processes.

2.4.2 Risk Management Implementation in Credit Sector

According to Peraturan Bank Indonesia (PBI) No. 5/8/PBI/2003 and Surat Edaran Bank Indonesia (SEBI) No. 5/21/DPNP, it is very important that risk management be implemented by all commercial banks. The application of risk management should be based on the bank's specific needs, which depend on the bank's internal factors. According to Dunil (2005, p. 171), the issues that should be taken into account in implementing risk management include: the bank's vision, size, main business, scope of work, and the availability and capacity of its human resources.

a. Review of Credit Procedure

Banks' credit processes should be in accordance with the principles of credit risk management. The fundamental aspects that should be considered include:

1. The credit process is categorized based on the risks, rather than only on the amount of credit. This begins with assessing credit risk, and continues with setting the acceptable risk for the bank. Based on that, the bank is able to determine which credit proposals should be approved and which should be rejected.

2. The flow of work is mostly automated. This means that the assessment of credit approval is based on a clear and common standard; thus, subjective judgment is limited. As a result, whichever analyst reviews a credit proposal, the decision will be based on the same standard.

3. Risk strategy should be in accordance with business strategy. By implementing risk management, banks should harmonize their business strategy with their acceptable risk. Therefore, banks will not enter a new business whose risk is outside the bank's existing risk strategy. On one hand, this approach seems to limit the bank's operational scope. However, under the risk strategy the bank will be more secure, and over a longer period of time the bank will build a strong core business that becomes its area of expertise.

4. Active credit portfolio management. By applying risk management, the credit portfolio is no longer an end result that is formed unintentionally. It is the aggregate result of planned credit based on industry sector, risk approximation, and composition, whose strategies have been planned and organized from the beginning.

Risk Management Policy as referred to in Article 2 paragraph (2) of PBI No. 5/8/PBI/2003 shall state at least the following:

a. Determination of Risks related to banking products and transactions
b. Determination of the methods to be employed for measurement and the Risk Management information system
c. Establishment of limits and determination of risk tolerances
d. Establishment of risk rating
e. Formulation of contingency plan in worst-case scenario
f. Establishment of internal control system for application of risk management