Artikel

ISU UTAMA:

• Berbagai studi lintas negara dan lintas sektor industri telah mengonfirmasi temuan bahwa implementasi Manajemen Risiko (MR) terbukti secara signifikan berkontribusi positif bagi peningkatan kinerja organisasi.
• Di Indonesia temuan tersebut ditanggapi dengan berbagai regulasi yang mewajibkan implementasi MR khususnya di sektor keuangan, misalnya dalam subsektor perbankan, asuransi, dan pasar modal. Lebih lanjut, Menteri BUMN telah mewajibkan implementasi MR di semua perusahaan milik negara.
• Di sektor publik (pemerintahan) implementasi MR sudah dimulai di beberapa kementerian/lembaga namun perkembangannya jauh lebih lambat daripada perkembangan implementasi MR di dunia korporasi.
• Policy Brief ini menguraikan argumentasi tentang urgensi implementasi MR, mengidentifikasi beberapa faktor penghambat implementasi MR, berikut strategi untuk mengakselerasi implementasi MR di organisasi-organisasi publik.
• Strategi yang diusulkan meliputi pendekatan top-down melalui kepemimpinan dan regulasi, pengembangan sumber daya manusia MR melalui pelatihan dan sertifikasi kompetensi, serta penerapan standar dan pengukuran kematangan (risk management maturity level).

RINGKASAN:

Studi pustaka atas artikel-artikel berbagai negara tentang pengalaman implementasi MR mengonfirmasi simpulan bahwa MR secara signifikan berkontribusi positif terhadap pencapaian kinerja organisasi, bukan hanya korporasi, melainkan juga organisasi nirlaba dan sektor publik. Fakta ini disadari juga oleh pimpinan berbagai kementerian/lembaga di Indonesia yang terbukti dengan terbitnya berbagai keputusan yang mendorong bahkan mewajibkan implementasi MR di lembaga-lembaga yang bersangkutan. Namun, survei termutakhir menunjukkan bahwa implementasi MR di sektor publik di Indonesia ternyata tidak berkembang secepat yang diharapkan. Policy brief ini secara ringkas memaparkan urgensi implementasi MR di sektor publik, menjabarkan faktor-faktor penghambatnya, serta menyarankan strategi untuk mengatasi hambatan tersebut serta beberapa prasyarat untuk mempercepat laju implementasi MR untuk meningkatkan kinerja organisasi-organisasi sektor publik.

PENDAHULUAN

Studi literatur di berbagai negara lintas sektoral berkesimpulan bahwa MR telah terbukti memberikan sumbangan positif signifikan terhadap kinerja organisasi. Negara-negara itu tidak terbatas pada yang berperekonomian maju melainkan juga di negara-negara yang sedang berkembang. Survei nasional yang melibatkan 309 responden pemimpin korporasi di Indonesia juga memberikan simpulan serupa. Secara lebih khusus, ada simpulan bahwa MR telah meningkatkan daya saing ekonomi organisasi korporasi (Priyarsono & Munawar 2020).

Berdasarkan sektor-sektor industri yang dikaji, memang secara historis sektor keuangan tergolong yang paling intensif menerapkan MR. Namun, akhir-akhir ini secara internasional praktis semua sektor telah menerapkan MR, termasuk lembaga-lembaga publik (1) , organisasi-organisasi nirlaba, bahkan lembaga
pendidikan tinggi (Priyarsono, Widhiani, Sari 2019).

Di luar dugaan, sektor publik di Indonesia tidak mengikuti trend tersebut di atas. Alijoyo dan Fisabilillah (2021) melakukan survei dan wawancara mendalam terhadap 25 narasumber pemimpin sektor publik di Indonesia. Mereka mengidentifikasi faktor-faktor penghambat implementasi MR di sektor publik di
Indonesia. Policy brief ini dimaksudkan untuk menjabarkan implikasi kebijakan dari tiga hasil kajian sebagaimana tercantum dalam daftar pustaka. Secara khusus akan dijabarkan beberapa faktor penghambat implementasi MR di sektor publik, berikut strategi untuk mengakselerasi implementasi MR di organisasi-organisasi publik.

HASIL DAN PEMBAHASAN

Menurut standar ISO 31000:2018, MR adalah aktivitas-aktivitas terkoordinasi untuk mengarahkan dan mengendalikan organisasi dalam kaitannya dengan risiko. Alasan khas mengapa MR berkontribusi positif bagi pencapaian kinerja organisasi adalah daya paksanya pada pengelola organisasi untuk secara eksplisit, terstruktur, dan sistematis mengantisipasi kemungkinan-kemungkinan kejadian di masa mendatang. Perilaku pengelola yang bersifat demikian meningkatkan probabilitas bahwa kejadian-kejadian di masa mendatang yang berdampak buruk pada organisasi dapat dikelola secara tepat, dan di pihak lain,
kesempatan yang berdampak baik pada organisasi dapat lebih mudah diraih.

Pernyataan teoretis tentang manfaat implementasi MR tersebut di atas secara empiris terbukti pula kebenarannya. Relevansi dan urgensi implementasi MR semakin menguat pada situasi dewasa ini yang kental diwarnai ciri-ciri volatile, uncertain, complex, dan ambiguous (VUCA) terlebih akibat seringnya
terjadi disrupsi teknologi dan masih belum selesainya pandemi COVID-19.

Untuk konteks pengelolaan organisasi-organisasi publik, MR menjadi semakin urgent untuk diterapkan, karena ranah publik bukan hanya berciri VUCA, melainkan secara langsung berkaitan dengan risiko-risiko gawat yang bila tidak dikelola dengan baik berpotensi mengancam eksistensi bangsa dan negara.

Beberapa contoh risiko yang harus dikelola oleh organisasi publik misalnya maraknya korupsi dan ancaman krisis ekonomi, baik selama penanganan maupun setelah pandemi COVID-19 berakhir. Sebenarnya, di luar konteks pandemi pun organisasi publik sudah harus mengelola risiko-risiko besar, misalnya terkait dengan kejahatan cyber yang mengiringi transformasi digital dalam pengelolaan urusan publik, ancaman separatisme dan terorisme, polarisasi politik yang mengancam keutuhan bangsa, bencana alam yang diramalkan bakal sering terjadi akibat pengelolaan lingkungan hidup yang kurang memadai, dan sebagainya. Di pihak lain, ada berbagai peluang yang bila dimanfaatkan secara tepat dapat berdampak positif bagi organisasi publik, misalnya fenomena bonus demografi, akses mobilitas yangsemakin maju seiring dengan keberhasilan pembangunan infrastruktur, dan sebagainya.

Berbagai upaya pemerintah Indonesia telah dilakukan untuk mendorong implementasi MR di sektor publik (2). Beberapa lembaga yang paling menonjol dalam upaya itu dapat disebut, misalnya BI, OJK, Kemenkeu, BPK, BPKP, Kementerian BUMN, dan sebagainya. Di antara lembaga-lembaga pendidikan tinggi, tercatat antara lain bahwa UI, IPB, dan ITB telah menerapkan MR dengan tingkat maturitasnya masing-masing. Secara umum, jumlah organisasi publik yang sudah menerapkan MR relatif sangat kecil dan tingkat maturitasnya jauh tertinggal dibandingkan dengan yang terjadi di sektor swasta.

Mengapa perkembangan implementasi MR di sektor publik di Indonesia tidak secepat yang diharapkan? (3)

Sifat dasar organisasi publik, misalnya dalam proses pengambilan keputusan, tidak selentur organisasi swasta. Dalam organisasi publik kepatuhan pada hukum/peraturan resmi lebih diprioritaskan daripada keutamaan berprakarsa (berinisiatif). Sifat berhati-hati lebih diutamakan daripada sifat proaktif kreatif.
Dengan latar belakang itu, prakarsa baru seperti implementasi MR tidak disambut secara cepat seperti yang terjadi dalam sektor swasta. Karena adopsi prakarsa itu terlambat, maka pada umumnya organisasi sektor publik belum berhasil mengintegrasikan sistem insentif, sistem kinerja, dan sistem pengelolaan
risiko. Dengan demikian, dapat dikatakan bahwa pengelolaan risiko dalam organisasi sektor publik sudah ada, namun secara umum masih bertingkat maturitas relatif rendah dengan ciri-ciri terfragmentasi (siloed), belum terintegrasi, bahkan dalam beberapa kasus masih seperti aksesori.

Berdasarkan hasil kajian teoretis maupun pengalaman empiris, dapat disarankan beberapa butir strategi untuk mempercepat implementasi sebagai berikut:

• Top-down approach. Implementasi MR tidak mungkin dalam waktu singkat membuahkan hasil yang terasakan oleh semua level pengurus organisasi. Bagi pengurus level menengah ke bawah, implementasi MR boleh jadi dipersepsikan sebagai tambahan beban kerja yang tidak bermanfaat. Oleh sebab itu, prakarsa implementasi MR harus dimulai dari pucuk pimpinan dan diselenggarakan dengan pendekatan top-down.
• Kepemimpinan dan komitmen. Selanjutnya, prakarsa awal implementasi MR perlu diikuti dengan tekad kuat pucuk pimpinan untuk menerapkan MR dengan komitmen yang dapat didemonstrasikan (demostratable commitment) kepada semua warga organisasi.
• Regulasi. Sesuai dengan ciri birokrasi, perlu ada peraturan resmi tertulis tentang implementasi MR yang dapat menjadi payung hukum bagi penyelenggaraan prakarsa tersebut.
• Pengembangan SDM. Salah satu langkah bagi implementasi MR adalah penciptaan critical mass, yakni sejumlah minimum orang yang mempunyai pengetahuan, sikap, perilaku, dan keterampilan yang dibutuhkan untuk melaksanakan implementasi MR. Untuk itu program pelatihan dan sertifikasi kompetensi MR menjadi sangat penting.
• Standardisasi. Implementasi MR memerlukan standar yang sudah terbukti mampu menjadi panduan implementasi MR di berbagai negara lintas sektoral. ISO 31000 yang telah berstatus sebagai Standar Nasional Indonesia dapat dinilai sebagai standar yang paling tepat.
• Pengembangan budaya risiko. Sesuai dengan standar itu, pengembangan budaya risiko menjadi salah satu kunci keberhasilan implementasi MR. Pengukuran maturitas. Secara periodik pengukuran tingkat kematangan implementasi MR perlu dilakukan, antara lain untuk memastikan apakah langkah-langkah implementasi MR sudah pada jalur yang benar dan untuk merencanakan langkah-langkah perbaikan di masa mendatang.
• Perbaikan terus-menerus. Sebagaimana berlaku juga dalam berbagai sistem manajemen, implementasi MR memerlukan continuous improvement.

KESIMPULAN DAN REKOMENDASI

Sebagai penutup, untuk memicu dan memacu prakarsa impelemetasi MR di sektor publik diperlukan demonstration effects, yakni pimpinan organisasi publik yang berprakarsa menerapkan MR perlu melihat secara langsung keberhasilan implementasi MR di berbagai organisasi. Untuk itu komunikasi dan studi
banding (benchmarking), dan berbagi pengalaman tentang MR (risk management experience sharing) melalui berbagai forum/komunitas perlu terus didorong.

DAFTAR PUSTAKA

Alijoyo A, Fisabilillah AFMS. 2021. Risk Management Implementation in Public Sector Organizations: A Case Study of Indonesia. Organizational Cultures 22(1).

Priyarsono DS, Widhiani AP, Sari DL. 2019. Starting The Implementation of Risk Management in a Higher Education Institution: The Case of IPB University. IOP Conference Series: Materials Science and Engineering 598 012107.

Priyarsono, DS, Munawar Y. 2020. Pengembangan SDM untuk Implementasi Manajemen Risiko: Perspektif Baru dari Sudut Pandang Pengguna. Jurnal Aplikasi Bisnis dan Manajemen 6(3): 478- 488

BEBERAPA DOKUMEN STANDAR MANAJEMEN RISIKO

International Organization for Standardization 2009. ISO GUIDE 73:2009 Risk Management Vocabulary.

International Organization for Standardization 2018. ISO 31000:2018 Risk Management Guidelines.

International Organization for Standardization 2019. IEC 31010:2019 Risk Management, Risk Assessment Techniques

Footnotes:

(1) World Development Report tahun 2014 menyatakan bahwa pengelolaan risiko dalam konteks pelayanan publik sudah menjadi suatu keharusan dalam rangka meningkatkan taraf kesejahteraan suatu negara

(2) Tata kelola pemerintahan yang akuntabel, efektif, dan efisien dalam mendukung peningkatan kinerja seluruh dimensi pembangunan antara lain diukur dengan indikator penerapan MR dalam pengelolaan kinerja instansi (Bappenas, Rancangan Teknokratik RPJMN 2020-2024).

(3) BPK melihat salah satu masalah utama dalam penerapan Sistem Pengendalian Intern Pemerintah dan banyaknya temuan terkait Sistem Pengendalian Intern adalah adanya kelemahan dalam penerapan unsur penilaian risiko (Pidato Ketua BPK dalam acara Expert Talk di Jakarta, 18 Oktober 2021).

-o0o-

People use the word ‘complex’ and ‘complicated’ interchangeably in many cases, and so does in a discussion of risk management. Do they have the same meaning or different ones? If they have different meanings, under which circumstances should we and would use ‘complex risk’ and/or ‘complicated risk.’?

Let us see what the dictionary says about the respective word. According to Cambridge Dictionary, complexity has many parts and is difficult to understand or find an answer to. Whereas the word ‘complicated’ refers to a situation that is not easy to deal with or understand. Although the descriptions of both sound similar as they intersect one another, they bring different profound meanings. Complexity is the phenomenon itself, while complicated is the elements of the mental standing of a person in dealing with such a phenomenon.

From a risk management perspective, we could say that complexity refers to the situation or the risk object itself, whereas complicated refers to the subject supposed to deal with such a risk object. In this regard, complexity brings some challenges to be sorted out, and therefore if we talk about complexity in the risk management universe, we call it complex risk. For example, cyber risks due to the rising of new technology may cause higher interconnectedness risk among concerned parties (as a result of much wider and numerous nodes). As it is a complex issue, hence we refer to it as ‘complexity.’

On the other hand, Complicated reflects the mental standing of the person dealing with a certain risk phenomenon. In this regard, the person tends to judge that the phenomenon is ‘complicated,’ either real or non-complex. Such a mental standing could happen because there is a gap between the capacity and capability of the person and the level of the phenomena they are dealing with. Unfortunately, such a gap may lead the person’s lens to be slipped into ‘complicated risk syndrome’ (CRS) if there are no cautious efforts to avoid otherwise. Moreover, since this syndrome is contagious, it could be widespread throughout the organization and may create an unhealthy risk culture later.

What actually can go wrong if this particular situation happens?

If such a situation happens, there is a possibility that people in the organization will be easily trapped to see all risks as ‘downside risks’ and therefore, they will allocate all the energy to reduce the likelihood of risk events and mitigate the impact to protect the value of the organization. If that happens, it will become a blind spot as the organization is not stimulated to explore their upside risk nor preparedness. As a result, their attention is blinded by downside risk. No or little energy will be allocated to exploit or capitalize upside risk to create value for the organization sustainably.

What should be done to avoid ‘complicated syndrome’?

Build healthy and conducive risk culture throughout the organization by having a higher risk management maturity level. Along with that initiative, develop risk management competency at the high and medium levels of the organization up to its critical mass. As such, they would be encouraged to see beyond their current horizon and do not fall into the trap of seeing complexity as a threat or downside risk. Instead, they could see complexity as an opportunity and then drive them up as upside-risk challenges.

The way onward?

Entering a new frontier Post Covid-19 Pandemic, we have seen many phenomena characterized by the origin of VUCA (Volatility, Uncertainty, Complexity, and Ambiguity). As such, the existence of complicated syndrome would hinder us from having a clear vision beyond boundaries and existing horizon lines, barely understanding and clarity over the VUCA.

On the way onward, there is a suggested approach to overcome such an originating VUCA, which is also called VUCA (Vision, Understanding, Clarity, and Agility). The VUCA (Vision, Understanding, Clarity, and Agility) can be established, developed, and institutionalized if no complicated syndrome is left throughout the organization. Therefore, let us begin to switch our mental standing whenever we face certain risk events. Risk due to ‘complexity’ is fine as we can always sort it out. Still, risk due to ‘’complicated’’ should not be tolerated as it will hinder us from progressing and capitalizing on opportunities that come with uncertainties.

I hope this article is helpful for risk management practitioners.

Dr. Antonius Alijoyo
Founder of Center for Risk Management and Sustainability Indonesia

-0O0-

Artikel ini juga diterbitkan dan di publikasi pada https://crmsindonesia.org/publications/dealing-with-complex-risk-or-complicated-risk/

Organizational Resilience (OR) is important because it gives an organization the strength needed to process and overcome hardship. Many organizations have experienced hard lessons during pandemic Covid-19, as the world is still dealing with a deadly pandemic that negatively influences our social and business world. Those lacking resilience get easily overwhelmed and may turn to ineffective and unhealthy coping mechanisms. Whereas resilient organizations tap into their strengths and support systems to overcome challenges, work through problems, and even turn them into opportunities.

Question: What does it mean organizational resilience?

That is “the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions to survive and prosper” (Denyer, 2017). Resilience plays a crucial role in the survival of organizations as it is the ability to anticipate, survive in and recover from a turbulent environment with the ability to return to an original or an improved state (Chowdhury and Quaddus 2017; Brusset and Teller 2017; Pettit et al.2021/01/2). In that regard, resilience helps the organization recover control rapidly in unexpected change and maintain a general sense of comfort when managing several changes simultaneously without being affected.

Question: If organizational resilience is so important, why not all organizations take precautions and actions to build them up?

There are many reasons that organizations do not prepare and build their organizational resilience intentionally and systematically. One of them is the lack of enterprise risk management (ERM) practices, leading to the absence or insufficient risk assessment process. Therefore they don’t have a sufficient and comprehensive longer-term view of risk identification, analysis, and evaluation. As a result, they could probably fail to figure out their risk universe beyond the current horizon. Therefore they do not see any need or urgency to raise organizational resilience capability and make their organization future-ready at its earliest. Another reason is lacking standards or references that could help organizations establish their organizational resilience practically and effectively. In many cases, they found that establishing organizational resiliency is quite complex and requires a lot of resources and time-consuming exercise, whereas no such visible output and outcome could be expected and urgently needed.

Question: Is it complicated to build organizational resilience capacity and capability?

The illusion that drives many organizations about complexity in establishing and sustaining organizational resilience could be mixed up between the complexity of the object or the matter that we need to resolve and the approach of how to deal with it. In this case, the matter that drives the need of having organizational resilience could be due to the VUCA (Volatility, Uncertainty, Complexity, and Ambiguity) of the future, which is quite complex to figure out. Therefore, it might drive the opinion that the ‘how’ to deal with them is also complex and complicated. This opinion is ubiquitous as most organizational leaders recognize the VUCA issues but are not certain how to deal with them.

Question: Is there any standard or reference that organizations can use to establish and sustain their organizational leadership?

In this context, a new standard, ISO 22316, Security and resilience – Organizational resilience – Principles and attributes, has been issued to provide a framework to help organizations build and improve their resiliency effectively and practically.

Question: As a standard, what is the detail about ISO 22316, Security and resilience – Organizational resilience – Principles and attributes?

The standard contains some details of key principles, attributes, and activities. As such, James Crask, Convenor of ISO/TC 292’s working group WG 2, the group of experts that developed the standard, says improving the resilience of organizations ensures they are not only better placed for anticipating and responding to potential risks but can harness opportunities as well. Further, he also said that “The standard takes a wide view of the things that can drive resilience in an organization; many of these are behavioral and have historically been overlooked. This is why one of the key principles of the standard is to help them develop a culture that supports resilience”. Lastly, he said a very strong encouragement: “It also involves building upon existing forms of risk management, having shared values and an awareness of changing contexts, all the while underpinned by strong and empowered leadership.”

The existence of this standard would provide a tangible tool to simplify the process of building organizational resilience. As a standard, it brings a lot of help for organization’s leaders to lead, build and sustain organizational resilience more practical, simpler, and measurable. Further, it would also bring international reference and protocol organizations, which help them communicate their resilience approach to their international partners. As such, they use the same protocol, similar PDCA (Plan, Do, Check, Action) cycle. In short, resilience is rooted due to rising complexities in the business world. Therefore, it needs a practical approach rather than making the complexities we face more complex due to the use of a complex approach. Standard ISO 22316 serves the proposition and is therefore worth taking and be adopted for the organization to embrace their future by turning challenges to turn them out as opportunity, as it could turn out as threats if otherwise.

Question: How does this ISO 22316 interlink with ISO 31000 Risk Management Guidelines?

It fits and complements each other. The use of ISO 31000 and ISO 22316 help organizations not to deal with the ‘why’ risk management and organizational resilience are important but to deal effectively with ‘how’ to implement risk management and organization resilience simply and practically. As a closing, let us read together with the following citation: “The research on organizational resiliency suggests that successful firms are prepared for adversity and yet are also proactive and flexible when encountering a crisis. Resilient firms prepare for difficult situations and show a “generalized capacity to investigate, to learn, and to act, without knowing in advance what one will be called to act upon.” (Wildavsky, 1988).”

-o0o-

Dr. Antonius Alijoyo
Chair of National Mirror Committee Indonesia TC 262 – Risk Management and TC 309 –
Governance, Badan Standarisasi Nasional (BSN) Indonesia
Founder of Center for Governance, Risk Management, Compliance and Sustainability Studies
(www.crmsindonesia.org)