Decision Support System in Determination Risk Management System Model in State Universities Public Service Agency
—Case Study at the Universitas Pembangunan Nasional Veteran Yogyakarta

Abstract

This research discusses and presents a design of a risk management system applicable to a State University Public Service Agency (SU PSA; Perguruan Tinggi Negeri Badan Layanan Umum/PTN BLU), with a case study at the Universitas Pembangunan Nasional Veteran Yogyakarta (UPNYK). The study uses a descriptive qualitative method. Using interviews and documentation as the data collection methods, the research interprets and analyzes a more appropriate design of the risk management system that should be implemented by UPNYK. Data were analyzed through data collection, data reduction, data presentation, and conclusion verification. The study reveals that risk management at UPNYK is operational, although it has yet to be delivered in a comprehensive and methodical manner. Therefore, UPNYK needs to establish a sound and comprehensive risk management system which encompasses its organizational elements, functions, and methods. One implementation of risk management would use a control model with three levels of stratification, in which the Audit Committee (AC or KA) is responsible for the policy level, the Chancellor, with assistance from the Internal Monitoring Unit (Satuan Pengawas Intern/SPI), coordinates the operational level, and the Quality Assurance Committee (QAC or KJM) functions as the organizer for the work units' efforts. Under this system, the Audit Committee is in charge of supervising the implementation of the system. The process follows the Australian New Zealand International Standard (AS/NZS ISO) 31000:2009, which consists of establishing context, risk identification, risk analysis, risk evaluation, risk handling, review, communication, and consultation.
Risk management processes will be compiled with respect to UPNYK's objective periods, which may consist of a five-year period and a one-year period as well as a specific time period.

Share and Cite:

Sutoyo, Santosa, A. , Astyka Rahmanda, G. and Eko, M. (2024) Decision Support System in Determination Risk Management System Model in State Universities Public Service Agency —Case Study at the Universitas Pembangunan Nasional Veteran Yogyakarta. Journal of Financial Risk Management, 13, 130-148. doi: 10.4236/jfrm.2024.131006.

1. Introduction

The main objective of an SU PSA institution in carrying out risk management is to safeguard the institution and its ability to accomplish the organization's targets. Risk management entails very broad application techniques; it is applicable in the fields of information technology, education, trade, law, health, and so on. Therefore, to focus the scope of this research, we put an emphasis on the risk management applied at SU PSA.

SU PSA are state universities established by the government which operate under the limitation of flexibility in managing the organization, especially in terms of budget and financial management. SU PSA is an institution that is at level two in terms of autonomy. The PTN-BLU determination is carried out by Decree of the Minister of Finance at the suggestion of the Kemdikbudristek. All non-tax revenues are managed autonomously and reported to the state. References for the management of SU PSA are regulated under Law Number 12 of 2012 concerning Higher Education and Government Regulation (Peraturan Pemerintah/PP) Number 74 of 2012 in conjunction with PP Number 23 of 2005, with technical guidelines of the Minister of Finance regarding the BLU status of the PTN concerned. The government has so far designated 84 universities as SU PSA.

The Decree of the Minister of Finance Number 209/KMK.05/2021 dated 31 May 2021 determined the following:

1) Universitas Pembangunan Nasional Veteran Jakarta

2) Universitas Pembangunan Nasional Veteran Yogyakarta

3) Politeknik Negeri Bali and

4) Politeknik Negeri Jakarta.

As an agent of the government that operates under the fiscal managerial model of the Public Service Bodies, it is given financial management flexibility in accordance with Government Regulation Number 23 of 2005 concerning Financial Management of Public Service Bodies, as amended by Government Regulation Number 74 of 2012 concerning Financial Management of Public Service Bodies, and its subsequent complementary regulations.

SU PSA are obliged to implement risk management due to at least three factors. First, government regulations require its implementation. Second, the implementation of risk management will help SU PSA in attaining organizational targets. Third, the change in higher education management status from PTN as a government work unit to PTN with the Public Service Agency Financial Management Pattern (PTN PPK BLU) and currently as SU PSA creates risks that need to be managed. The government requires SU PSA to establish risk management in accordance with the provisions of the Government Internal Control System (Sistem Pengendalian Intern/SPIP) elaborated under PP Number 60 of 2008 concerning SPIP. PP Number 60 of 2008 Article 1, Number 2 states, “The government’s internal control system, hereinafter abbreviated as SPIP, is an internal control system that is implemented comprehensively within the central government and regional governments.”

SU PSA is a vertical agency under the central government, that is, the Ministry of Education, Culture, Research and Technology (Kemendikbudristek). SPIP consists of five elements: 1) control environment, 2) risk assessment, 3) control activities, 4) information and communication, and 5) monitoring. The risk assessment element encompasses activities such as identifying and analyzing risks; this element is also known as risk management.

Risk management would have a positive effect for SU PSA, such as helping to identify probable future or present risks. Managing these risks would help SU PSA achieve its Key Performance Indicators (KPI) (Helsloot & Jong, 2006; Tufano, 2011).

Implementation of risk management would prevent the occurrence of undesirable events and/or outcomes. Furthermore, risk management can improve SU PSA management’s awareness of risks in making strategic and operational decisions (Hoyt & Liebenberg, 2010).

The fundamentals of risk management, namely risk identification, risk assessment, risk prioritization, response planning, and risk monitoring, would be vital in supporting the effort to achieve the organizational goals of SU PSA (Moeller, 2011).

The change in management status from Working Unit State Universities to Public Service Agency State Universities, especially for UPNYK, poses risks that need to be managed. UPNYK itself received the designation of SU PSA in the Decree of the Minister of Finance Number 209/KMK.05/2021 dated 31 May 2021. However, UPNYK has not implemented risk management which covers all work units and activities at the university. Based on the above, the research questions are:

1) Who should be involved in the UPNYK risk management system and what are the functions of each party?

2) What risk management process should UPNYK carry out?

3) What risk management procedures should UPNYK carry out?

2. Literature Review

2.1. Risk

According to Griffiths (2005), risk is the possibility that an occurrence and/or incident may take place that would adversely affect an organization in putting its winning plans into practice and accomplishing its objectives.

According to The Institute of Risk Management & The Association of Insurance and Risk Managers (2002), risk is characterized as the possibility of an event taking place that would have an impact on objectives.

According to the Joint Australian New Zealand International Standard (AS/NZS ISO 31000:2009), risk is "the effect of uncertainty on objectives". There are three key words in the definition, namely effect, uncertainty and objectives. These three can be explained as follows:

1) Effects are deviations from expectations—these deviations can be positive or negative.

2) Objectives can have several different aspects and levels, for example: financial, health, education, safety, and strategic levels, whole organizations, projects, products, and processes.

3) Uncertainty is a condition where the information needed to make a decision is not sufficiently available.

In general, risk can be expressed as a combination of the consequences of an event with the probability of that event. Thus, the greater the consequence and/or probability, the greater the risk.

2.2. Risk Management

Risk management is a concerted effort with the purpose to steer and control an organization’s risk exposure. Risk management includes embodying principles, developing frameworks and implementing processes.

According to Ariff et al. (2014), risk management is a system or process carried out by personnel at every level of the organization to identify and manage risks to ensure the achievement of organizational goals.

According to Hanafi (2006), risk management functions to map problems that arise inside a company organization, family, and/or community and to facilitate their solution.

Based on Government Regulation Number 60 Year 2008 concerning the Government Internal Control System (GICS or SPIP), one of the five components of the Government Internal Control System is risk management, namely the risk assessment element. Government Regulation No. 60 Year 2008 established the Financial and Development Supervisory Agency (FDSA or BPKP) as the supervisor in charge of the Government Internal Control System implementation.

According to Tufano (2011), the implementation of risk management is recommended for dealing with and reducing the increasing risks in higher education. Risk management can be directly applied to higher education institutions as organisations, because all components that are part of the institution, including staff and leaders, can make risk management a new culture in their environment to minimise potential losses from the onset of risk.

2.3. Risk Management Process

According to the National Standardisation Agency's SNI ISO 31000:2018 (2018), the risk management process consists of "Context Establishment", "Risk Assessment", and "Risk Treatment", supported by the "Communication and Consultation" and "Monitoring and Review" processes. These three parts of SNI ISO 31000-based risk management are the strengths of SNI ISO 31000 as a reference for best practices in risk management for business actors in various industries, including organisations in the public sector, government agencies, and even non-profit organisations.

According to AH Cebba (2020), the stages of risk management implementation refer to the implementation of risk management in ISO 31000:2018, where this stage is an overview of the organisation's risk management process.

2.3.1. Risk Assessment

The first step of risk management is risk assessment. Here we study the components that are important for formulating a risk, including system characteristics, threat, vulnerability, control, likelihood, and impact. These components are needed to estimate the magnitude of risk, which is expressed in risk levels. To overcome this risk, it is necessary to install safeguards or controls.

The system referred to in system characteristics is the information technology system whose risk is assessed. This includes hardware, software, and the environment. The characteristics of the system under normal conditions need to be known first as reference values or comparison factors, so that if performance deviations occur they can be identified immediately. Threats that may disrupt the system generally come from three sources, namely nature, humans, and the environment. Natural disturbances include floods, earthquakes, landslides, and so on. Interference from humans can change the direction of events and result in damage to the system through intentional or unintentional actions. Disturbances from the environment can take the form of power outages for long periods of time, air pollution, radioactive pollution, and so on.

A vulnerability is a weakness in the system, whether in system design or implementation or in operational procedures or internal controls. Such weaknesses can be exploited by threat sources to break into the system using unauthorized means and disrupt it.

A control is a safeguard that protects the system from threats. Control also functions as a solution to existing vulnerabilities. The control methods that can be used are grouped as technical control, management control, or operational control.

Impact is the result of a disruption to the system or, from a risk management perspective, the result of risks that actually occur. This impact can also be seen as the loss or disruption of system or data integrity, of system readiness, and of system and data confidentiality.

All of the risk components mentioned above are used to estimate the magnitude of risk that a system may face. The magnitude of this risk is known as the risk level.

The definition of risk itself varies among scholars. According to Griffiths (2005), risk is the potential occurrence of an unwanted or undesirable event that will impair the successful implementation of an effective strategy. According to The Institute of Risk Management & The Association of Insurance and Risk Managers (2002), risk entails the potential occurrence of an event that could influence the achievement of objectives. Meanwhile, SNI ISO 31000:2009 and the technical guidelines for the Government Internal Control System (GICS or SPIP) interpret risk as the probability of occurrences threatening the attainment of government agencies’ goals and objectives. It is reasonable to conclude that risk is an occurrence that, if it occurs, will impede the attainment of corporate goals.

The risk management process has four fundamental steps (Moeller, 2007), consisting of 1) risk identification, 2) risk assessment, 3) risk prioritization and response planning, and 4) risk monitoring. The output of risk identification would be a draft of probable cracks and/or faults. Risk measurement will provide information regarding the likelihood of adverse events as well as the consequences should the risk really happen. Risk prioritization and response planning are the follow-up steps that management must perform in order to take a formulated decision in regard to its priorities and risk appetite.

2.3.2. Risk Mitigation

The second process would be Risk Mitigation. This process follows up on data, findings, and recommendations from the risk assessment process. In general, risk mitigation consists of: the process of prioritizing risks, selecting appropriate controls, and implementing controls. Risk prioritization is intended to determine the sequence of risks that might disrupt the system, starting from the largest to the smallest. The biggest risks must be addressed first before addressing smaller risks. Not all controls proposed to be installed suit actual needs, therefore it is necessary to choose controls that suit organizational needs and desires. After obtaining appropriate control, the next process is to implement it by first making a plan which is outlined in the safeguard implementation plan.

2.3.3. Risk Management in Government Agencies

Regulated and elaborated under Government Regulation Number 60 Year 2008 concerning the Government Internal Control System (GICS or SPIP), risk management constitutes one of the five components within the framework of SPIP, namely the risk assessment element. PP Number 60 Year 2008 established the Financial and Development Supervisory Agency (FDSA or BPKP) as the supervisor for executing the procedure of the Government Internal Control System.

The application of SPIP and risk management is greatly encouraged in the operations of government agencies; an example is the Ministry of Finance (Menkeu). The Menkeu has successfully implemented SPIP in a structured and systematic manner. It is said to be structured because it has arranged its organizational structure to carry out risk management. It is said to be systematic because it uses a risk management process framework. Menkeu issued Minister of Finance Regulation Number 191/PMK.09/2008 concerning the Implementation of Risk Management within the Menkeu. The Menkeu version of risk management comprises 5 main elements: 1) risk management charter, 2) risk management structure, 3) risk management implementation strategy, 4) risk management process, and 5) risk reporting.

Their risk management system adopts a three-level control model, consisting of policy level control, operational level control, and supervisory control. Policy level control covers organizing, facilitating, and monitoring the efficacy and integrity of the risk management processes, and is delegated to the risk management committee. Operational level control has the duty of implementing risk management on a day-to-day basis, and is delegated to the head of risk management and the risk owner unit. The supervisory control level provides an independent assessment of the efficacy of the implementation at all echelon I levels to relevant stakeholders, and is carried out by the Inspectorate General and external auditors.

Menkeu incorporated a risk management process derived from the Joint Australian New Zealand International Standard (AS/NZS ISO 31000:2009) framework, a risk management model published by Australia and New Zealand, which comprises a total of 7 components, namely: establishing context, risk identification, risk analysis, risk evaluation, risk management, monitoring and review, communication and counseling.

Echelon I units prepare risk profile reports and risk maps containing the levels and trends of all relevant risk exposures; these are presented together with the risk profiles and maps of the previous semester so that they can be compared. The report is submitted periodically, each semester, to the Menkeu. As such, information systems and technologies used by echelon I units are designed in such a way that they can provide information on the implementation of risk management.

2.3.4. Risk Mitigation Case Study

This case study is conducted to provide an understanding of risk mitigation by providing assistance in the form of a safeguard implementation plan. An example safeguard implementation plan is shown in Table 1.

2.3.5. Scope of Risk Mitigation

In carrying out risk mitigation that needs to be recorded in the supervision instrument, it includes 4 aspects, namely:

1) Policies and Programs.

2) Finance (sourced from the State Budget (Anggaran Pendapatan dan Belanja Negara/APBN), loans/grants, cooperation and non-tax state revenue (Penerimaan Negara Bukan Pajak/PNBP)).

3) Human Resources.

4) State Property (land, buildings, machine equipment, stationery, maintenance, etc.)

Table 1. Safeguard implementation plan table.

1) Risk is the output of the risk assessment process. All risks that have been conveyed in the Report are written in this column.

2) Risk Level is the output of the risk assessment process for each risk.

3) Control Recommendations are the output of the risk assessment process. It is hoped that for each risk more than one control is recommended as an alternative solution.

4) Priorities are set based on the level of risk and availability of infrastructure, including experts, funds, and technology.

5) Controls are selected from control recommendations resulting from the risk assessment process. More than one can be selected.

6) The infrastructure required to implement the selected controls.
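The six columns of Table 1 can be filled in mechanically from risk assessment output, as in the following added example, which is not part of the original paper. It assumes a 1-5 likelihood and impact scale and Low/Medium/High score thresholds (the paper gives no values), and the sample risks and controls are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed scales: the paper names a probability scale and an impact scale
# but gives no values, so the 1-5 range and thresholds are illustrative.
SCALE = range(1, 6)
LEVEL_THRESHOLDS = ((15, "High"), (8, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class Control:
    name: str
    needs: frozenset  # infrastructure required: experts, funds, technology


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    recommended: tuple  # control recommendations from the risk assessment


def risk_score(risk):
    """Combine consequence and probability; a larger score is a greater risk."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.name}: likelihood and impact must be 1-5")
    return risk.likelihood * risk.impact


def risk_level(score):
    """Map a score onto the assumed Low/Medium/High bands."""
    for floor, label in LEVEL_THRESHOLDS:
        if score >= floor:
            return label
    raise ValueError("score is below the scale")


def build_plan(risks, available):
    """Return safeguard implementation plan rows, highest priority first."""
    rows = []
    for risk in risks:
        score = risk_score(risk)
        # Select every recommended control whose infrastructure is on hand.
        selected = [c for c in risk.recommended if c.needs <= available]
        required = sorted(set().union(*(c.needs for c in selected)))
        rows.append({
            "risk": risk.name,
            "score": score,
            "risk_level": risk_level(score),
            "control_recommendations": [c.name for c in risk.recommended],
            "selected_controls": [c.name for c in selected],
            "required_infrastructure": required,
        })
    # Largest risk first; at equal score, a risk that can be treated with
    # the available infrastructure is ranked before one that cannot.
    rows.sort(key=lambda r: (-r["score"], not r["selected_controls"], r["risk"]))
    for priority, row in enumerate(rows, start=1):
        row["priority"] = priority
    return rows


# Constructed sample input (not data from the study).
UPS = Control("Install UPS and generator", frozenset({"funds", "technology"}))
SOP = Control("Document shutdown procedure", frozenset({"experts"}))
MFA = Control("Enforce multi-factor login", frozenset({"experts", "technology"}))
REVIEW = Control("Periodic access review", frozenset({"experts"}))
BACKUP = Control("Automated backups", frozenset({"technology"}))
RELOCATE = Control("Relocate server room", frozenset({"funds"}))

SAMPLE_RISKS = [
    Risk("Flood damages hardware", 2, 5, (RELOCATE,)),
    Risk("Long power outage halts the system", 4, 4, (UPS, SOP)),
    Risk("Unauthorized access via weak procedure", 3, 5, (MFA, REVIEW)),
    Risk("Unintentional data deletion by staff", 5, 2, (BACKUP,)),
]
AVAILABLE = frozenset({"experts", "technology"})  # no funds this period

if __name__ == "__main__":
    for row in build_plan(SAMPLE_RISKS, AVAILABLE):
        print(row["priority"], row["risk_level"], row["risk"],
              row["selected_controls"], row["required_infrastructure"])
```

A row with no selected controls, such as the flood risk here, marks a risk whose recommended safeguards all depend on infrastructure that is not yet available.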

3. Research Methods

The research presented utilizes a qualitative descriptive approach alongside a case study of UPNYK as a SU PSA. The research discusses and examines the design of risk management methods that UPNYK should implement.

The information gathered was in both primary and secondary forms. Interview results act as the primary data, and the secondary data were derived from relevant laws and regulations, such as UPNYK Chancellor’s regulations or decrees, circulars, and other relevant documents.

To obtain an overview of the ideal risk management processes to be implemented in UPNYK, the researchers used interview and documentation techniques. The interviews took the form of semi-structured interviews with 6 structural officials, namely: 1) Deputy Chancellor for General and Financial Affairs, 2) Deputy Chancellor for Cooperation and Planning, 3) Head of General and Financial Bureau, 4) Financial Coordinator, 5) Coordinator for Management and BMN Affairs, and 6) Deputy Dean for Affairs Finance and Faculty Collaboration. The sample was selected by considering the representation of leadership elements, academic implementing elements, as well as administrative and development implementing elements.

The documentation required in this research includes information related to the UPNYK profile, regulations and information related to risk management. UPNYK profile data includes brief history, vision, mission, goals, objectives, tasks, functions and organizational structure. Regulatory data and related information include government regulations, ministerial regulations, chancellor regulations, books and guidelines, as well as other relevant documentation. Risk management data includes Strategic Plans (Rencana Strategis/Renstra), Operational Plans (Rencana Operasional/Renop), performance contracts between UPNYK and the Kemendikbudristek, performance contracts between UPNYK and third parties, and other relevant data, as in Figure 1(a) framework for managing risk, and Figure 1(b) process for managing risk, in Conceptual Model Design of Risk Management Based on SNI ISO 31000:2018.

Figure 1. Conceptual model design of risk management based on SNI ISO 31000:2018. (a) Framework for managing risk; (b) Process for managing risk.

The interview data were analyzed using an interactive model comprising 4 components, namely: 1) data collection, 2) data reduction, 3) data presentation, and 4) conclusion or verification (Miles & Huberman, 1984; Sugiyono, 2007).

The information utilized was obtained via interviews and documentation. The interviews were conducted through direct encounters, specifically, direct discussion with the select few (Jogiyanto, 2004). The interviews were recorded on tape and subsequently transcribed into written form.

Data reduction was done through coding and axial coding of interview results. The records containing information gathered from the interviews were examined and differentiated by assigning special codes to each phrase, paragraph, or sentence in line with the relevant context. The coded data is classified into various groupings and classifications. From that, the interrelation of each category is looked for (axial coding). The data reduction procedure was followed consistently throughout the duration of the research endeavor.

Data presentation is carried out using narratives and flowcharts as the media of interpretation. The data which has been condensed, presented using the media of narratives and/or flowcharts, describes the risk management process at UPNYK. By presenting data with narratives and flow diagrams, the data will be organized, arranged in a relationship pattern, as to help with intelligibility.

Conclusions and validation are established through the process of reducing and presenting data. The findings are substantiated by empirical evidence that was proven consistent throughout the length of the research procedure, ultimately addressing the issues stated in the problem statement.

4. Results and Discussion

Related to the status of PTN BLU presented in Table 2, each PTN BLU has the same organs and work units in the context of risk management. All PTN BLUs have a Board of Supervisors (Dewas), Rector, and SPI organ. All PTN BLUs also have audit committees, which are part of the Dewas’ tools in conducting supervision in the non-academic field. All PTN BLU established a work unit responsible for conducting internal audit or supervision and a work unit that acts as quality assurance for academic functions.

The Articles of Association of each SU PSA have stipulated the duties of the Supervisory Board, Risk Management Unit and Internal Audit Unit in relation to risk management.

Ongoing Risk Management Condition at PTN BLU

Risk management is in process at PTN BLU; this can be seen from the awareness of risks in decision making and system design, although it is not yet structured and systematic.

1) Condition of Risk Management currently running at UPNYK

Risk management has been running and is embedded in UPNYK’s business processes; this can be seen from the awareness of risk in decision making and system design. Apart from that, the risk management process has been running at UPNYK, and several work units even carry out the risk management process, although it is not yet structured and systematic.

2) Risk Management System that Should Be Implemented at UPNYK

The risk management system that should be implemented at UPNYK includes a) risk management organizational structure, b) risk management process, and c) risk management procedures.

4.1. UPNYK Risk Management Structure

In carrying out the risk management process, an organization of implementing personnel is needed, reflected in the risk management structure. UPNYK’s risk management structure should adopt a control model with three levels of stratification, in accordance with the organizational structure contained in the Regulation of the Minister of Research, Technology and Higher Education of the Republic of Indonesia Number 85 of 2017 concerning the Statutes of Universitas Pembangunan Nasional Veteran Yogyakarta and Regulation of the Minister of National Education (2009) of the Republic of Indonesia Number 33 of 2009 Regarding Guidelines for the Appointment of Supervisory Boards in State Universities within the Department of National Education which implements Public Service Agency Financial Management, consisting of 1) policy level control, 2) operational level control, and 3) supervisory control. The design of the Risk Management Unit structure to be established uses the existing UPNYK organizational structure by looking at the main tasks and functions of each organization and work unit (Figure 2).

Table 2. Organ plan and organizational structure of SU PSA based on Decree of the minister of finance number 209/KMK.05/2021 dated 31 May 2021.

* Risk Management Unit (UMR), a work unit that carries out risk management functions; ** SPI, work unit that carries out internal supervision and audit functions; *** Risk Owner Unit, work unit that carries out academic quality assurance functions.

Figure 2. Conceptual model design of risk management based on SNI ISO 31000:2018.

Operational level control is one of the duties and prerogatives of the Chancellor, who in performing that duty is helped by the Risk Management Unit (Unit Manajemen Resiko/UMR) and the Risk Owner Unit (Unit Pemilik Resiko/UPR). UMR is a unit that functions to carry out coordination and risk management processes at the university level, while UPR functions to carry out risk management processes at the faculty and institutional work unit level. UMR’s task is to create policies and procedures as well as necessary risk management guidelines, implement risk management processes, review the risk management processes carried out by UPR, and harmonize risks between UPRs. UPR’s task is to carry out the risk management process in work units, including units under it, and report the results to UMR.

The UMR function is also carried out by SPI and the KJM with the consideration that the main tasks and functions of these two units intersect with risk management. The UPR function is carried out by work units other than SPI and KJM.

Supervisory level control functions to provide an independent assessment of the efficacy of UPNYK’s risk management implementation, and is carried out by the KA. In carrying out supervision, KA can assign a competent public accounting firm or consulting firm to carry out an independent assessment of the same matter which has been carried out by KJM and SPI. The AC can also assign SPI, especially the SPI audit function, to evaluate how well risk management is implemented by SPI and KJM, provided that internal auditors involved in UMR and UPR are not assigned to carry out the assessments, in order to maintain the independence of SPI auditors.

Policy level control, usually called the risk committee, is carried out by the Dewas through the KA. KA is relevant to the role of the risk committee because one of its duties overlaps with the function of the risk committee, namely carrying out risk management analysis as a consideration for the Dewas in providing approval or ratification of agreements regarding the utilization of UPNYK’s wealth resources. KA’s duties as a risk committee include examining and endorsing the organization’s risk management processes and policies, supervising the activities of the risk management unit, and monitoring and reviewing the accuracy of risk information received from management.

4.2. Risk Management Process UPNYK

UPNYK’s risk management follows the AS/NZS 31000:2009 risk management standard. The AS/NZS 31000:2009 framework is used with the following considerations:

• Provide a systematic approach in managing risk to achieve organizational goals.

• Can be applied to all types of organizations.

• BPKP as the supervisor of SPIP implementation recommends using the AS/NZS 31000:2009 standards.

• It has been used by government agencies, namely Menkeu.

4.3. Risk Management Procedures

UPNYK’s objectives have three different periods, so UPNYK risk management needs to be carried out in three periods based on these objectives. UPNYK has at least three different goals based on the time duration of the goal; namely five years, one year, and a certain time. The goal with a duration of five years is the goal stated in UPNYK’s Renstra. The Strategic Plan is prepared every five years by the new Chancellor of UPNYK and is valid for his term of office. Goals with a duration of one year are the goals stated in the performance contract between UPNYK and the Ministry of Research, Technology and Higher Education (Ristekdikti), the performance contract is renewed every year. A specific time goal is a program goal mandated by the government and/or partners to UPNYK with a certain time duration in accordance with provisions or agreements. Therefore, the periodization of UPNYK risk management needs to be differentiated into the following 3 things.

• Five-year period risk management procedures.

• Risk management procedures for one year period.

• Risk management procedures for a specific time period.

Each risk management procedure is prepared in line with the AS/NZS 31000:2009 risk management processes as described above.

4.4. Five Year Period Risk Management Procedures

The five-year risk management procedure is the risk management implementation period carried out for five years after Dewas determines the new strategic plan. Efforts to achieve the goals stated in the strategic plan will face various risks. Hence, it is imperative to implement risk management to ensure the attainment of these objectives. Risk management steps undertaken in this period include the following.

1) Preparation and Determination of Regulations

The Risk Management Unit drafted risk management regulations that contain a set of policies, procedures and guidelines for implementing risk management. This regulation became the basis and guideline for UMR and UPR in carrying out their processes. The material provided in the draft regulation consists of:

a) Risk management structure;

b) Risk management process;

c) Scale of probability;

d) Scale of risk impact/consequences;

e) Risk acceptance criteria.

The Risk Management Unit submits the draft regulation to the Chancellor for further study. If the Chancellor does not approve the draft regulation, the Risk Management Unit revises it according to the Chancellor’s direction. If the Chancellor approves the draft, the Chancellor submits it to the Audit Committee (AC).

After receiving the draft risk management regulations from the Chancellor, KA reviews the draft and establishes it as the UPNYK risk management regulations. If the AC does not approve it, the AC returns it to the UMR through the Chancellor to be revised and submitted back to the AC for further review and approval. KA submits the approved risk management regulations to the Chancellor. The Chancellor hands over the risk management regulations to UMR and UPR for implementation.

2) Risk Management Process

UMR initiates and coordinates the risk management procedure executed by UPR. UPR establishes the risk management context for its work units, identifies risks, analyzes risks and evaluates risks to produce a draft UPR risk profile.

3) Review and Alignment of Risks between Work Units

UPR submits the draft UPR risk profile to UMR for the risk profile compilation, review and synchronization process. UMR compiles all draft UPR risk profiles and reviews the completeness of risk information from each UPR. UMR examines the relationship of a risk with other risks in a UMP, the relationship of a risk in a UPR with risks in another UPR, and the relationship of a UPR risk with business processes and regulations in other work units. This risk relationship review is carried out to synchronize risks and produce a comprehensive draft UPNYK risk profile. UMR submits the draft UPNYK risk profile to the Chancellor for review and approval; the draft risk profile is then submitted to KA.

4) Determination of Risk Profile

The Audit Committee reviews and determines UPNYK’s risk profile. One of KA’s duties is: “Monitor and review the accuracy of risk information received from management.” Therefore, AC needs to review the draft UPNYK risk profile (which includes the draft work unit risks proposed by the Chancellor and UMR). KA reviews the accuracy of the draft risk profile based on the risk management policy established by KA. KA establishes the draft UPNYK risk profile as the UPNYK risk profile for a five-year period and distributes it to the Chancellor and UMR. UMR sorts the risk profile data of each UPR and distributes it to the UPR.

5) Determination of Risk Management Policies

Based on the UPNYK risk profile, the KA develops a UPNYK risk management policy which becomes the basis for the UMR and UPR in carrying out risk management. KA submits risk management policies to the Chancellor and UMR.

6) Implementation of Risk Management

In accordance with the regulatory framework for risk management, UMR prepares and implements a risk management program at the university level. In addition, UMR manages the risk management procedure conducted by UPR. Details of risk handling are discussed in the UPNYK Risk Management Process sub-chapter.

7) Reporting on the Implementation of Risk Management

After carrying out the risk management process for five years, at the end of the strategic plan’s validity period, UMR prepared a draft risk management implementation report. This draft report is a compilation of implementation reports carried out by UMR and UPR after being reviewed and synchronized so that it becomes a comprehensive risk management report. UMR submitted a draft risk management report to the Chancellor. If the Chancellor approves, the draft will be submitted to the AC. On the other hand, if the Chancellor does not approve, it will be returned to the UMR for revision and submitted back to the Chancellor for approval.

8) Monitoring and Review

UMR carries out monitoring and review of risks and risk management programs at the end of each fiscal year to ensure that risks and their management remain in line with changes in the UPNYK environment. Monitoring and review is carried out, both by UMR and UPR, by repeating the risk management procedure steps as explained above. The results of monitoring and review are reported by UMR to KA through the Chancellor.

4.5. One-Year Period Risk Management Procedures

The one-year period risk management procedure is the risk management implementation period carried out to manage risks on engagements for a period of one budget year. This discussion focuses on the performance contract between UPNYK and Ristekdikti. There may be several agreements between UPNYK and other parties that last for one fiscal year, but the only information the researchers managed to obtain concerns the performance contract between UPNYK and Ristekdikti. To simplify the discussion, the one-year risk management period is devoted only to managing risks regarding the performance contract between UPNYK and Ristekdikti. The risk management process begins when the performance contract document is signed by both parties (ratified). The risk management steps carried out in this period include the following:

1) The risk management process, which starts with establishing the context, followed by identifying, analyzing, and evaluating risks.

2) Review and align risks between work units.

3) Determination of risk profile.

4) Execution of risk management.

5) Reporting on the risk management measures carried out.

The one-year risk management procedure begins when the performance contract document is ratified. The Chancellor submits the performance contract documents to UMR. After studying the contents of the performance contract, UMR analyzes and determines which work units or UPR will be involved. UMR instructs the UPR involved to carry out the risk management process by sending a letter of instruction with the performance contract document attached.

After receiving instructions from UMR, UPR carries out context establishment, risk identification, risk analysis, and risk evaluation, guided by the regulations set by KA. This process produces a draft UPR risk profile. UPR submits the draft risk profile to UMR for further processing.

UMR compiles all draft UPR risk profiles and reviews the completeness of risk information from each UPR. UMR examines the relationship of a risk with other risks in a UMP, the relationship of a risk in a UPR with risks in another UPR, and the relationship of a UPR risk with business processes and regulations in other work units. This risk relationship review is carried out to synchronize risks and produce a comprehensive draft UPNYK risk profile. UMR submits the draft UPNYK risk profile to the Chancellor for review and approval. After approving the draft risk profile, the Chancellor submits the UPNYK risk profile to KA as a report and to UMR for the handling process.

4.6. Certain Time Period Risk Management Procedures

A certain time period risk management procedure is a risk management implementation period carried out to manage risks for engagements lasting less than, equal to, or more than one fiscal year. There are several types of engagement implementation, as follows.

1) Engagement between UPNYK and partners and carried out by an ad hoc team.

2) Engagement between UPNYK and partners and implemented by one or more work units.

3) Engagement between work units and partners and implemented by one or more work units.

The risk management process begins when the engagement document is signed by both parties (ratified). The risk management steps carried out in this period include the following:

1) The risk management process, which starts with establishing the context, followed by identifying, analyzing, and evaluating risks,

2) Review risk profile, and

3) Reporting.

Risk management for the first and second types of engagement is executed through identical steps. To simplify the process, in the second type of engagement an ad hoc team is formed, tasked with carrying out risk management together with UMR.

The risk management procedure begins after the agreement is signed by both parties or declared valid. Based on the engagement document, UMR together with the ad hoc team carries out a risk management process that starts with establishing the context, followed by risk identification, analysis, and evaluation. The procedure is carried out by the ad hoc team under UMR supervision and in accordance with the regulations set by the KA. This process produces a risk profile report and a risk management report, which are submitted to the Chancellor; the Chancellor then has the option to present a comprehensive report to the KA.

In the third type of engagement, the risk management process begins after the agreement is signed by both parties or declared to be valid. Based on the engagement document, the UPR carries out a risk management process, including establishing the context and identifying, analyzing, and evaluating risks, to produce a draft activity risk profile. UPR submits the draft activity risk profile to UMR for review and analysis of the handling program, so that it becomes a risk profile and activity risk handling program. The risk profile and risk handling program for these activities are the basis for UPR in handling risks. The risk handling process, which is the responsibility of the UPR, generates a document outlining the fulfillment of the risk management strategies. The handling implementation report is submitted by UPR to UMR. UMR can, if needed, report on the risk management implementation to the Chancellor.

The monitoring and review process for certain time risk management is carried out by UMR periodically. UMR plans the intensity of monitoring and review based on the risk profile produced by risk identification, analysis, and evaluation.

Communication and consultation are integrated into the risk management and reporting framework. Throughout the risk management process, the ad hoc team and UMR communicate to synchronize and align perspectives. Reporting and the detailing of risk management execution are also components of the communication process and are directed towards the Chancellor.

5. Closing

Based on the analysis and discussion presented and reviewed previously, several main points can be concluded as follows:

1) The risk management system at UPNYK necessitates concise structures, methods, and procedures.

2) UPNYK’s risk management can employ a control model consisting of four levels:

a) Policy level, which is the responsibility of the KA.

b) Operational level, which is the responsibility of the Chancellor and supported by UMR and UPR. UMR is run by the Quality Assurance Committee and Internal Audit Office. Meanwhile, UPR is carried out by work units.

c) Control Level of Supervision carried out by KA.

d) UPNYK’s risk management procedure should adopt the AS/NZS 31,000:2009 standard, which consists of: establishing context, risk identification, risk analysis, risk evaluation, risk handling (treatment), supervision and review, as well as communication and consultation.

3) The UPNYK risk management procedure consists of three procedures, stratified in accordance with UPNYK’s objective periods, namely the five-year procedure, the one-year procedure, and the specific time procedure.

Based on the analysis and discussion in Chapter IV, several recommendations can be made as follows:

1) UPNYK needs to establish a risk management organizational structure as explained in the conclusion.

2) It is recommended that UPNYK adopt the risk management process standard AS/NZS 31,000:2009.

3) UPNYK is required to establish and put into practice a distinct set of risk management procedures, each tailored to a different timeframe: a five-year procedure, a one-year procedure, and a specific time procedure.

Conflicts of Interest

The authors declare no conflicts of interest regarding the publication of this paper.

References

[1] AH Cebba. (2020). Design of Risk Mapping in State Universities with Public Service Agency Financial Management (SU PSA-FM or PTN PK-BLU) in Indonesia.
[2] Ariff, M. S. B. et al. (2014). A Framework for Risk Management Practices and Organizational Performance in Higher Education. Review of Integrative Business & Economics Research, 3, 422-432.
[3] Decree of the Minister of Finance Number (2021) 209/KMK.05/2021. The Designation of the Yogyakarta Veterans National Development University at the Ministry of Education and Culture as a Government Agency that implements the Public Service Agency Financial Management Pattern.
[4] Government Regulation Number 23 (2005). Regulation Concerning Financial Management of Public Service Agencies.
[5] Government Regulation Number 60 (2008). Regulation Concerning Government Internal Control Systems.
[6] Griffiths, P. (2005). Risk Based Auditing. Gower Publishing Company.
[7] Hanafi, M. M. (2006). Risk Management. UPP STIM YKPN.
[8] Helsloot, I., & Jong, W. (2006). Risk Management in Higher Education and Research in the Netherlands. Journal of Contingencies & Crisis Management, 14, 142-159.
https://doi.org/10.1111/j.1468-5973.2006.00490.x
[9] Hoyt, R. E., & Liebenberg, A. P. (2010). The Value of Enterprise Risk Management. Journal of Risk and Insurance, 78, 795-822.
[10] Jogiyanto, H. M. (2004). Business Research Methodology: Misconceptions and Experiences. BPFE.
[11] Joint Australian New Zealand International Standard (AS/NZS ISO 31000:2009) (2009). Risk Management—Principles and Guidelines.
[12] Law Number 12 of 2012 concerning Higher Education.
https://peraturan.bpk.go.id/Details/39063/uu-no-12-tahun-2012
[13] Miles, M. B., & Huberman, M. A. (1984). Qualitative Data Analysis: A Sourcebook of New Method. Beverly Hills, Sage Publications.
[14] Minister of Finance Regulation Number 191/PMK.09/2008 (2008). Regulation Concerning the Implementation of Risk Management in the Ministry of Finance.
[15] Moeller, R. R. (2007). COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework. John Wiley & Sons, Inc.
[16] Moeller, R. R. (2011). COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes Second. John Wiley & Sons, Inc.
https://doi.org/10.1002/9781118269145
[17] National Standardisation Agency SNI ISO 31000:2018. (2018). Risk Management—Principles and Guidelines. Jakarta: National Standardisation Agency.
https://perpustakaan.bsn.go.id/repository/ca09e618c360ecd38f4f0ccfc828a2ff.pdf
[18] Regulation of the Minister of National Education of the Republic of Indonesia Number 33 (2009). Regulation Concerning Guidelines for Appointing Supervisory Boards at State Universities Within the Ministry of National Education Implementing Financial Management of Public Service Bodies.
[19] Regulation of the Minister of Research, Technology and Higher Education of the Republic of Indonesia Number 85 (2017). Regulation Concerning the Statutes of the Yogyakarta Veterans National Development University.
[20] Sugiyono (2007). Understanding Qualitative Research. Alphabeta.
[21] The Institute of Risk Management (IRM) and The Association of Insurance and Risk Managers (AIRMIC). (2002). A Risk Management Standard.
[22] Tufano, P. (2011). Managing Risk in Higher Education. Forum for the Future Higher Education, 54-58.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.