Enterprise Risk Management Implementation Maturity in Non Bank and Financial Companies

Previous studies of ERM implementation mostly using dummy variable to figure out relation with its determinant. Until today, studies that using risk management maturity as real variable are limited. Therefore, this study intends to determine the maturity level of ERM implementation in non-financial companies listed on Indonesia Stock Exchange during period 2015 and influence of firm's total assets, total employee, leverage and public ownership to the ERM maturity. The method use are qualitative and multiple regression analysis. The result of data analysis showed that ERM implementation in selected sample during 2015 are still low (majority in initial and repeatable level). In addition, from determinant factors only total asset that have significant influence to the ERM maturity. This result implies that non-financial listed companies are vulnerable to risks. Management should consider future benefit of a mature ERM, not only to comply with regulation.DOI: 10.15408/etk.v16i2.5440


INTRODUCTION
In order to achieve their objectives, every creature must face and manage their risks, including company management. Learning from the history, risk management begins with effort to manage the impact arising from the pure risk in finance or hazard risk in the operational (Dionne, 2013;Simona-Lulia, 2014). In other word, in the earlier period of risk management, it focused only on the financial and operational risks. Increasing complexity of business and the government requirements regarding compliance with laws, several scandals and failures of the products occurring in several companies such as Toshiba, Ford, Samsung Galaxy Note, etc., have increased awareness of the risks and the importance of managing risks facing by the companies.
Traditional risk management is now considered inadequate to provide protection against the possibilities of risk that could occur in a company. Risk is now cross-border and not limited to just one unit or certain divisions. Management realizing that effective risk management can become major solution for the company's success. Therefore, now there is a tendency of paradigm shift from traditional risk management practices towards comprehensive risk management -known as Enterprise Risk Management.
Enterprise Risk Management (ERM) has become attention of academic study began around 1992. Some researchers believe the Enterprise Risk Management (ERM) have a significant impact for companies that implement it compared to the companies who do not apply it (Beasley, et.al, 2007;Maurer, 2009;Nugraha, 2011;Manab and Ghazali, 2013;Lechner and Gatzert, 2016). Togok (2014) states that study in the field of Enterprise Risk Management usually classified into four groups: (1) Determinants of ERM implementation in the company, (2) The impact of ERM on the value and performance of the company or in any other aspect of a business; (3) Practical application of the ERM in the organization or company; (4) Role of personnel or the main function in the ERM.
In Indonesia, the ERM study has been done primarily to companies engaged in Previous studies of ERM implementation determinants often use dummy variable to predict the influence of those determinants to ERM implementation instead of using the risk management maturity tools (Razid and Golshan, 2012;Gordon, et.al, 2009). The study that discussed the risk management maturity are still limited. This happens because of lack of agreement from both academics and practitioners about the basic form of the Risk Management Maturity Model concept. Existing academic study on ERM tends more focused on the effect of the implementation of ERM on firm performance. It is difficult to get studies that evaluate the quality, or maturity ERM programs implemented by the company (Monda and Giorgino, 2013). In the other hand, practitioners develop concept according to their respective needs (Oliva, 2016).
Therefore, based on the fact above, through this study, the author is intended to (1) map the implementation maturity of risk management and (2) figure out the influence of determinant factors such as total asset, total employee, leverage, and public ownership on enterprise risk management maturity in in non-bank and financial companies listed on Indonesia Stock Exchange during 2015.
The distinctive characteristic of this study to the previous or similar study is the use of ERM maturity assessment tools to measure actual risk management implementation and not using dummy variables to determine the relationship between ERM with the influencing factors that determine its implementation.

METHOD
This study is mixed model research, which combines quantitative and qualitative data collection techniques and analysis procedures as well as combining quantitative and qualitative approaches at other phases of the research. Qualitative data in this study is the level maturity of ERM implementation while the quantitative data is calculation of total assets, total employee, leverage, composition of public ownership and multiple regressions.
The data used in this research is cross section data. Data were obtained from published annual reports of 100 non-bank and financial companies listed on Indonesia Stock Exchange selected as samples during the 2015. Samples were selected using purposive sampling methods using criteria (1) 50 samples were taken from list of companies under Kompas 100 and the remainder will be selected randomly to cover all sectors.
Qualitative analytical was performed through a set of checklist develop based on generally accepted framework [ISO 3100 (2009) and COSO (2016)]. There are 17 attributes (statements) used to figure out the level of company's risk management implementation maturity. For each statement being supported by information on annual report, the author will give score 1 and score 0 for unavailable information. The ERM maturity results calculated from the total of score obtained from each company selected as samples. The author also performs validity and reliability test to ensure objectivity, reliability and validity of gathered data.
Quantitative analytical was performed through multiple regression analysis. As discussed before, in this study, the author using ERM maturity instead of dummy variable.
Therefore, to perform regression analysis total score of ERM maturity of each companies will be converted to interval data. Independent variables of this research are total assets,  implementation is not straight forward as the conceptual appears (Nocco and Stultz, 2006).
Furthermore, in this study, the author did not use dummy variable. The author refers to Razid and Golshan (2012) conclusion that dummy variable could not reflect real conditions of tested research object. The results of t test shown that total asset has significant value of 0. 000 with t value of 5.433. It means that Total Asset has significant and positive value to ERM maturity (See Table 3). This result is consistent with study performed by Beasley, et.al, (2007); Hamid and Hudin (2014); Yazid (2011) that corporations with large assets have a tendency to apply ERM over a smaller company based on the amount of its assets.   Table 3). From this result, we can make conclusion that in partial, public ownership do not have influence to ERM maturity level.

Sectors
This condition also not supporting Subramaniam,et.al (2009) (Adam, et.al, 2016). In the other countries, public ownership can influence risk management. It done by placing a pressure to management while contrary in Indonesia, this condition is not applicable. This condition could happen because in Indonesia the owner of the public at large number consist of a small investors that do not have authority over financial and non-financial information desired and cannot affect the wide of disclosures (Adam, et.al, 2016).
Based on the results of multiple regression analysis in Table 3 In other word, ERM will not provide any value if the company does not have asset, employee, and leverage, public's ownership (independent variables have zero value).
Increment of total asset, leverage, public ownership will increase ERM due to several reasons, for example company will try to mitigate financial risk due to high leverage by managing their cash flows or more public ownership will make companies have better corporate governance and risk management-as one of corporate governance component [OECD (2014)]. Increment of employee number will reduce ERM because human resources can become serious risks, especially in the absence of human resources management (Becker and Smidt, 2016  practices integrated with the strategy and its implementation where companies rely on to manage risks in an effort to create, maintain and realize the value of the companies. Therefore, ERM should assist company to create, maintain and realize value no longer only to achieve company objectives (COSO, 2016). COSO and researchers belief that ERM provide values and benefits to the company (COSO, 2016); Hoyt, et.al, 2011;Lechner and Gatzert, 2016;Manab and Ghazali, 2013;Maurer, 2009).
To ensure benefit and optimization of ERM, company needs to evaluate their ERM practice because evaluation of ERM practice is an integral part of risk management [ISO 31000 (2009);COSO (2016)]. In other words, the evaluation is done to ensure compatibility between the implementation of the risk management objectives and strategy of the company. In accordance with COSO and ISO guidance, the author set 17 attributes (statement) to evaluate selected companies ERM practice and implementation maturity.
The results are presented in Table 4.
The results of qualitative analysis show that majority of the tested sample-67 companies (67% of 100 samples) -are at the initial level, 9% at the repeatable level, 9% at defined level, 13% at managed level and only 2 companies at the advance level. The summary of ERM maturity level based on the company sectors is presented in the Table 5.

Table 5. ERM Maturity Level Classification based on Score Obtained
Companies in initial level do not have adequate ERM practice; they only stating basic principle of risk management practice in their annual report to fulfill the requirement of regulation (Oliva, 2016;Chapman, 2011). These criteria suitable with the information obtained during the study. From the 17 attributes above, mostly companies do not have adequate information regarding their risk management. In addition, (1) there are 32 companies who own the same risk profile during 2014 and 2015 period; risk profiles are not updated. (2) 2 companies have identical risk even though they are a separate entity.
Risk is dynamic in nature and no one will have the same risks with the others.
In repeatable level, companies begin to realize the risks that may be encountered.
The companies try to implement principles of risk management tools and its methodologies. Risk management is created centrally and is characterized by lack of involvement of employees in general. In this level, ERM is implemented in inconsistency manner, repeated and reliance on selected people is relatively high (Oliva, 2016;Protiviti, 2006;Chapman, 2011). This statement consistent with the information obtained during study. From the samples, majority already try to identify their risk, however no companies provide training about risk management. In addition, most of companies do not have risk management framework, and no clear relation between risks and its strategies.
In defined level, ERM involvement in the company's business processes is quite high. There is a trend of companies increasingly applies the methods and techniques of risk management; Policies, processes and standards defined and institutionalized, Process uniformly applied across the organization (Oliva, 2016;Protiviti, 2006). From the samples and attributes tested, it can be known that in this level, companies already have risk management framework, there is policy and procedure in place. However, companies do not provide training, some of risks still not yet covered (especially strategic risks), and still using qualitative approach rather than quantitative.

Table 6. ERM Maturity Level Based on Company Sectors
Companies in managed level characteristic are: (1) company awareness regarding the risk management and business processes is very high.
(2) ERM is decentralized. (3) Communication is an important part and integrated in the application of risk management.
(4) All employees have been actively involved in risk management. (5)  measured/managed quantitatively and aggregated enterprise wise, (6) The benefits of risk management are understood by all levels within the company even though the benefits are not always achieved consistently (Olivia, 2016;Protiviti, 2006;Chapman, 2011). These characteristic consistent with assessment result. Companies already have using quantitative approach, and consider providing training to all staff and management. However, some companies show that people appointed in risk management function do not have adequate experience in handling risk management and some risks are not covered (especially strategic risks). Risk information is actively used to improve business processes and treated as source of competitive advantage, (4) Risk management process used to managed opportunities also its potentially negative impact, (5) knowledge accumulated and shared. (Protiviti, 2006;Chapman, 2011;Oliva, 2016). The assessment results of this study confirm this characteristic. From sector point of view, only mining sector that shown sound risk management maturity (1 company of total 10 selected samples in advanced level, 5 companies in the managed level, 2 companies in the defined level and 2 companies in repeatable level-no company in initial level). This condition happened because mining industry facing complex risks and tight regulations. The other sector varies from initial to managed level.

CONCLUSION
The results showed that the risk management maturity level the majority of nonbanks and financial companies listed in Indonesia Stock Exchange are still low (initial to repeatable level). Several company annual reports show the same risks over several periods or a company's risk profile, which exactly matches with the other company's risk profile.
Thus there is a possibility (1) The risk is not managed properly, (2) the company management display insufficient data only to meet reporting requirements required by Financial Service Authority (OJK). Only mining sector that shown sound risk management practice due to the process complexity and tight regulation.
In Indonesia, total asset plays significant influence as determinant of ERM maturity. The other factors such as leverage, total employee or public ownershipindividually do not have significant influence to ERM maturity level. These conditions due to Indonesia business circumstance that different with other countries, especially developed countries-where the previous research was conducted. The practical and management implication of this condition (low level ERM maturity) is companies are vulnerable to the risks (especially from strategic risks). Mitigation of strategic risks plays significant effort to company going concern and ability to create value. Therefore through this study, the author recommends that company should consider strengthening and implementing ERM as part of the company's strategic management. ERM could assist management reducing uncertainties in the future. The implementation of ERM should be viewed as an investment in the future rather than look at it as a cost.