Methodology & taxonomy
The rules behind every score, control, and threshold in this register. Anchored to ISO 31000:2018, COSO ERM (2017), and Indonesian regulators (OJK / BSSN / UU 27/2022 PDP).
1. Risk taxonomy
- Strategic
- Threats to long-term objectives, market position, M&A, business model.
- Financial
- Liquidity, credit, market, capital adequacy, FX, accounting integrity.
- Operational
- Process failures, people, technology, outsourcing, third-party.
- Compliance
- Regulatory breaches against POJK, Kemenkes, BPOM, UU PDP, sectoral law.
- Reputational
- Stakeholder trust, media coverage, brand value, social licence.
- Cyber
- Confidentiality, integrity, availability of information assets (ISO 27005).
2. Control taxonomy
By function (when it acts)
- Preventive
- Stops the event from occurring, e.g. segregation of duties, MFA, training.
- Detective
- Identifies events that have already occurred, e.g. SIEM alerts, reconciliations, audits.
- Corrective
- Restores state and limits damage, e.g. backups, IR runbooks, insurance.
By nature (where it lives)
- Policy
- Governance, procedures, codes of conduct, contracts.
- Physical
- Site access, CCTV, environmental controls, locked storage.
- Logical
- System / application configuration, IAM, encryption, monitoring.
The IIA Three Lines Model (2020) is implied: the 1st line owns the control, the 2nd line oversees it, and the 3rd line provides independent assurance.
3. Likelihood rubric (1–5)
Combines historical frequency and forward-looking probability per ISO 31000 §6.4.3.
| # | Level | Qualitative | Quantitative anchor |
|---|---|---|---|
| 1 | Rare | May occur only in exceptional circumstances; no precedent in the group. | <5% probability in 12 months · once every >5 years |
| 2 | Unlikely | Could occur but not expected; isolated precedent in the industry. | 5–25% in 12 months · once every 3–5 years |
| 3 | Possible | Might occur at some time; has happened in the group before. | 25–50% in 12 months · once every 1–3 years |
| 4 | Likely | Will probably occur in most circumstances; recurring near-misses. | 50–80% in 12 months · once a year |
| 5 | Almost certain | Expected to occur; already materialising or systemic weakness. | >80% in 12 months · multiple times a year |
4. Consequence rubric (1–5)
Multi-dimensional. Use the worst-case applicable descriptor across dimensions (ISO 31000 worst-credible-case principle).
Financial
Ref · COSO ERM · ISO 31000 (% of group revenue / EBITDA)
| # | Level | Qualitative | Quantitative anchor |
|---|---|---|---|
| 1 | Insignificant | Absorbed by line budget. | <IDR 250 M · <0.1% revenue |
| 2 | Minor | Re-forecast within entity. | IDR 250 M – 2 B · 0.1–0.5% |
| 3 | Moderate | Material to entity P&L. | IDR 2 – 10 B · 0.5–2% |
| 4 | Major | Group earnings warning. | IDR 10 – 50 B · 2–5% |
| 5 | Catastrophic | Threatens going concern. | >IDR 50 B · >5% revenue |
Operational / Service
Ref · ISO 22301 BCM · clinical service continuity
| # | Level | Qualitative | Quantitative anchor |
|---|---|---|---|
| 1 | Insignificant | Negligible disruption. | <1 hour outage · single workstation |
| 2 | Minor | Local workaround. | 1–4 h outage · single department |
| 3 | Moderate | Service degraded for one entity. | 4–24 h outage · 1 site |
| 4 | Major | Multi-site outage; SLAs missed. | 1–3 days · multiple sites |
| 5 | Catastrophic | Group-wide service failure. | >3 days · all entities |
Compliance / Regulatory
Ref · POJK · UU 27/2022 PDP · BSSN · Kemenkes
| # | Level | Qualitative | Quantitative anchor |
|---|---|---|---|
| 1 | Insignificant | Internal policy deviation. | Self-reported, no regulator action |
| 2 | Minor | Regulator advisory letter. | Written warning (teguran tertulis) |
| 3 | Moderate | Administrative sanction. | Administrative fine (denda administratif) · restriction of activities |
| 4 | Major | Licence restriction or PDP fine. | Up to 2% annual revenue (UU PDP) · licence suspension (pembekuan izin) |
| 5 | Catastrophic | Licence revocation, criminal exposure. | Business licence revocation · criminal liability for directors |
Reputational
Ref · COSO ERM · stakeholder trust
| # | Level | Qualitative | Quantitative anchor |
|---|---|---|---|
| 1 | Insignificant | Internal awareness only. | No external coverage |
| 2 | Minor | Local complaint. | Social media chatter <24 h |
| 3 | Moderate | Trade press coverage. | Negative national news 1–3 days |
| 4 | Major | Sustained adverse coverage. | National headlines >1 week · DPR scrutiny |
| 5 | Catastrophic | Brand damage, customer flight. | International coverage · loss of social licence |
Health & Safety (patient/staff)
Ref · Kemenkes · WHO patient-safety taxonomy
| # | Level | Qualitative | Quantitative anchor |
|---|---|---|---|
| 1 | Insignificant | No injury; near-miss. | First-aid only |
| 2 | Minor | Reversible harm. | Outpatient treatment |
| 3 | Moderate | Temporary disability. | Hospitalisation, full recovery |
| 4 | Major | Permanent harm to ≥1 person. | Permanent disability · sentinel event |
| 5 | Catastrophic | Fatality or mass-casualty. | ≥1 death · multi-patient harm |
Cyber / Data
Ref · BSSN · UU 27/2022 PDP · ISO 27005
| # | Level | Qualitative | Quantitative anchor |
|---|---|---|---|
| 1 | Insignificant | Contained anomaly. | No data exposed |
| 2 | Minor | Internal data exposure. | Non-sensitive data, <100 records |
| 3 | Moderate | PII exposure, contained. | 100–10k records · notifiable to OJK/BSSN |
| 4 | Major | Sensitive PII / health data breach. | 10k–1M records · UU PDP notification |
| 5 | Catastrophic | Mass breach or systemic compromise. | >1M records · ransomware on core systems |
5. Risk score, level and heatmap
- Inherent score
- Likelihood × Impact before controls.
- Residual score
- Likelihood × Impact after controls operate as designed.
- Low (1–7)
- Green — within appetite, monitor.
- Medium (8–14)
- Amber — manage, watchlist.
- High (15–25)
- Red — escalate, treat or transfer.
6. Governance thresholds
- Appetite
- Strategic willingness to accept this category of risk (Low / Moderate / High).
- Tolerance
- Soft upper bound for residual score — variation that can be absorbed.
- Limit
- Hard breach threshold — exceeding it triggers escalation to the Risk Committee.
The three are not interchangeable. Appetite is strategic, tolerance is operational variance, limit is the line that must not be crossed.
7. Per-control effectiveness attribution
The inherent → residual delta is split across a risk's controls weighted by function:
- Preventive — weight 0.5
- Detective — weight 0.3
- Corrective — weight 0.2
Preventive controls earn the largest attribution because they reduce likelihood at source. Detective controls reduce dwell time. Corrective controls limit consequence after the fact.
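As an added worked example (not the register's own code), the following Python implements sections 4 to 7 end to end: worst-case consequence across the scored dimensions, Likelihood × Impact scoring with the 1–7 / 8–14 / 15–25 bands, the tolerance-versus-limit check, and the 0.5 / 0.3 / 0.2 attribution of the inherent-to-residual delta. It assumes, which the page does not state, that the function weights are normalised over the controls actually attached to a risk, so a risk with only preventive and detective controls splits its delta 0.5:0.3.

```python
FUNCTION_WEIGHTS = {"preventive": 0.5, "detective": 0.3, "corrective": 0.2}

def _check_scale(name, value):
    if value not in (1, 2, 3, 4, 5):
        raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

def consequence(dimension_scores):
    """Section 4: worst-credible-case, i.e. the highest score across the dimensions assessed."""
    for dim, score in dimension_scores.items():
        _check_scale(dim, score)
    return max(dimension_scores.values())

def risk_score(likelihood, impact):
    """Section 5: Likelihood x Impact; inherent before controls, residual after."""
    _check_scale("likelihood", likelihood)
    _check_scale("impact", impact)
    return likelihood * impact

def risk_level(score):
    """Section 5 heatmap bands: Low 1-7 (green), Medium 8-14 (amber), High 15-25 (red)."""
    if score <= 7:
        return "Low"
    return "Medium" if score <= 14 else "High"

def threshold_status(residual, tolerance, limit):
    """Section 6: tolerance is the soft bound, limit is the hard line that triggers escalation."""
    if tolerance > limit:
        raise ValueError("tolerance cannot exceed limit")
    if residual > limit:
        return "limit breached: escalate to Risk Committee"
    if residual > tolerance:
        return "above tolerance: manage on watchlist"
    return "within tolerance"

def attribute_delta(inherent, residual, controls):
    """Section 7: split (inherent - residual) across controls by function weight.
    Assumption not stated on the page: weights are normalised over the controls present."""
    if residual > inherent:
        raise ValueError("residual score cannot exceed inherent score")
    total = sum(FUNCTION_WEIGHTS[function] for _, function in controls)
    return {name: round((inherent - residual) * FUNCTION_WEIGHTS[function] / total, 2)
            for name, function in controls}

if __name__ == "__main__":
    # Constructed example: ransomware on a clinical system, three consequence dimensions scored.
    impact = consequence({"financial": 3, "operational": 4, "cyber": 4})
    inherent, residual = risk_score(4, impact), risk_score(2, impact)
    controls = [("MFA", "preventive"), ("SIEM", "detective"), ("Backups", "corrective")]
    print(risk_level(inherent), risk_level(residual), threshold_status(residual, 7, 12))
    print(attribute_delta(inherent, residual, controls))
```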
8. Indonesian regulatory anchors
- POJK 18/POJK.03/2016
- Risk management for commercial banks.
- SEOJK 21/SEOJK.03/2017
- Information technology risk management for commercial banks.
- POJK 1/POJK.05/2015
- Risk management for non-bank financial services institutions.
- UU 27/2022 PDP
- Personal Data Protection — administrative sanctions of up to 2% of annual revenue.
- BSSN — Information Security Risk Management Guideline (Pedoman MR Keamanan Informasi)
- Public sector & Electronic System Operators (Penyelenggara Sistem Elektronik).
- Kemenkes / WHO patient-safety taxonomy
- Classification of patient-safety incidents.
9. International frameworks referenced
- ISO 31000:2018
- Risk management — guidelines.
- ISO/IEC 31010
- Risk assessment techniques.
- ISO 22301
- Business continuity management — outage descriptors.
- ISO/IEC 27005
- Information security risk management.
- COSO ERM 2017
- Enterprise Risk Management — Integrating with Strategy and Performance.
- IIA Three Lines Model 2020
- Roles, accountability, assurance.