Operational Risk Management on the Information Technology Uses (Case Study: PT Bank Ekspor Indonesia (Persero) - BEI)
By Faried Caesar Nugroho 19004067
Undergraduate Program School of Business and Management Institut Teknologi Bandung
VALIDATION PAGE
Operational Risk Management on the Information Technology Uses (Case Study: PT Bank Ekspor Indonesia (Persero) - BEI)
By: FARIED CAESAR NUGROHO ID No: 19004067
Undergraduate Program School of Business and Management Institut Teknologi Bandung
Validated By
Dr.Ir. Sudarso Kaderi W.
ABSTRACT
The rapid development of technology and science has a global impact on the uses of technology itself. In this context, technological development, driven mainly by the development of information technology, changes how the technology is used and understood. "The emergence of digital firms is one of the factors which trigger the development of information technology" (Laudon & Laudon, 2006: 7). The use of information technology in the business world aims to support every business activity, generate a faster profit cycle for corporations and, in the end, generate more shareholder value. Corporations' efforts to keep improving their use of technology do not only make their business easier. Technology is a double-edged sword: one edge gives a positive impact to the user, while the other exposes the corporation to many potential dangers, whether from its internal systems or from outside. This danger is called risk. The topic of this research is "Operational Risk Management on Information Technology Uses", with Bank Ekspor Indonesia (BEI) as its case study. This research explores the use of information technology and its relation to the risk management process. BEI is a state-owned institution that runs an export funding business. In their daily activities, they use many information technology applications and tools that support their business. These information technology activities are vulnerable to risks that may arise from different causes. Imagine if they could not handle the risks, especially those arising from their use of information technology: the credibility of the management team, and also of our country, would be questioned, because BEI is a state-owned company. For example, if an intruder succeeded in getting into BEI's internal system, stole transaction data and illegally shifted its financial records to his or her own account, BEI might suffer a large loss because of this risk.
A movie titled Die Hard 4.0 has shown us a threat triggered by the development of information technology; even a big nation like the United States of America finds this kind of cyber terrorism difficult to solve. As one of the government institutions, BEI has made modest efforts to manage its risk. These efforts include the establishment of a risk management division and policies in BEI according to the Indonesian Central Bank (BI) regulations. BEI is also improving its use of technology, especially its information technology systems, in order to support its daily activities. However, this research found that there is no specific regulation on their information technology risk management. Because of that, this research analyzes the potential risks that may occur in their use of information technology. The researcher carried out a risk assessment process to identify and measure the risks and to plan the risk mitigation efforts needed to manage them. This research identified at least nineteen risk events that may occur in the use of information technology in BEI, including risks caused by human factors, process factors and technology development factors. The researcher distributed a divisional questionnaire to measure management's estimate of the probability and severity of these risks for the company. The measurement shows that most of these risks lie at a moderate probability and severity level. This finding differs from BEI's own operational risk profile, which is measured on the basis of historical events. This result indicates that BEI has to keep improving its information systems and policies to avoid the risks and minimize their impact.
Keywords: Operational risk, Information system, Information system audit, Bank Ekspor Indonesia.
ABSTRACT (TRANSLATED FROM BAHASA INDONESIA)
The very rapid development of science and technology has a global impact on the use of technology itself. This technological development, which is greatly influenced by the development of information technology, will change the attitudes and behaviour of technology users. "The emergence of digital corporations is one of the factors that trigger the development of information technology by technology-producing companies" (Laudon & Laudon, 2006: 7). The use of information technology in the business world aims to support the activities of business corporations, produce a faster money cycle and, in the end, increase the value obtained by shareholders. A company's efforts to keep developing its information technology infrastructure will of course not only make it easier to run its business; on the other hand, information technology becomes like a two-edged knife that can bring harm to the company. This harm is what is called risk. This research discusses operational risk management in the use of information technology, with Bank Ekspor Indonesia (BEI) as the case study. This research attempts to dig deeper into information technology and its relation to the risk management process. BEI is a government institution engaged in the export funding business. In their daily activities, BEI uses many information technology applications to support their business activities. This use of information technology is very fragile against risks that have many causes. Imagine if this institution could not cope with risk, especially risk originating from the use of information technology. The credibility of BEI's management and also of the Indonesian government would be questioned.
If a cyber intruder succeeded in breaking into BEI's internal network, stealing transaction data and illegally transferring it to the intruder's account, this risk might cause a very large loss. A Hollywood film titled "Die Hard 4.0" has shown a disaster caused by the use of information technology; even a large nation such as the United States finds it difficult to find a solution to cyber crime of this kind. As a government agency, BEI has made various efforts to prevent such risks. Establishing a risk management division and its policies is something BEI has already done. BEI is also developing its use of information technology to support its activities. However, this research found that there is no specific regulation on risk management in the use of information technology. Therefore this research analyzes the risks that have the potential to occur in the use of information technology at BEI. The researcher carried out the process of identifying, measuring and designing risk mitigation efforts for BEI. This research found at least 19 risks in the use of information technology, including risks caused by human, process and technology factors. The researcher distributed a divisional questionnaire to measure management's estimate of the probability and impact of these risks. It was found that there is a difference from BEI's risk profile, which is compiled on the basis of historical operational risk events. This result indicates that BEI must keep improving its systems and policies to avoid the possibility of, and minimize the impact caused by, operational risk in the use of information technology.
Keywords: Operational risk, Information technology, Information system audit, Bank Ekspor Indonesia.
PREFACE
The research "Operational Risk Management on Information Technology Uses" is a study carried out at Bank Ekspor Indonesia, a government institution engaged in export funding. This research is part of the writer's final project, required in the final year of the SBM-ITB 2007 enrollment. The topic was chosen by the writer for several reasons. First, risk management is a new topic in the management discipline, and there is a need to explore its components and implement them in a corporation. Second, the topic reflects the expertise on which the writer wants to focus in professional work in the future; it is an emerging issue that will grow in the near future. Third, information technology is one of the subjects of interest that the writer wants to explore further. This research can be used by every corporation in Indonesia that plans to establish a risk management policy, especially an information system risk management policy, in order to manage the risks and minimize the potential losses that may arise from the use of information technology.
The writer wants to thank all parties that have helped set up this research. Thanks to: God Almighty for unlimited resources and paths; the researcher's parents and family, who gave me the energy to finish my study; my counselor Mr. Sudarso, who gave me direction in arranging the research; Bank Ekspor Indonesia, which allowed me to make them the object of this research; Mrs. Mugi, Mr. Sumarno and Mr. Dani from BEI for all of the data used in this research; Mr. Yoyok Tarah for his access to the research subject; the researcher's colleagues for their great appreciation and brainstorming; and other indirect parties that have supported the planning and execution of the research.
LIST OF CONTENTS
VALIDATION PAGE ........ iii
ABSTRACT (ENGLISH) ........ v
ABSTRACT (BAHASA INDONESIA) ........ vii
PREFACE ........ xi
LIST OF CONTENT ........ vii
LIST OF FIGURES ........ xiii
LIST OF TABLES ........ xv
LIST OF APPENDIX ........ xvii
CHAPTER I - INTRODUCTION ........ 1
  1.1 Background ........ 1
  1.2 Problem identification ........ 4
  1.3 Importance of problem solving ........ 4
  1.4 Scope of research and assumption ........ 5
    1.4.1 Scope of research ........ 5
    1.4.2 Assumption ........ 6
CHAPTER II - THEORETICAL FOUNDATION ........ 7
  2.1 The risk concept ........ 7
    2.1.1 Risk, its definition ........ 7
    2.1.2 Why does it happen? ........ 8
    2.1.3 Different kinds of risk ........ 10
  2.2 Operational risk ........ 11
  2.3 Risk management ........ 12
    2.3.1 Risk identification ........ 14
    2.3.2 Risk measurement ........ 15
    2.3.3 Manage the risk (risk mitigation) ........ 18
  2.4 Indonesian Central Bank (BI) regulation on risk management ........ 19
  2.5 Information technology concept ........ 21
    2.5.1 Enterprise information systems ........ 21
    2.5.2 Information technology infrastructure ........ 21
    2.5.3 Information system control ........ 26
CHAPTER III - METHODOLOGY ........ 29
  3.1 Preface studies ........ 30
  3.2 Problem identification ........ 30
  3.3 Set the research objectives ........ 30
  3.4 Literature studies ........ 30
  3.5 Data gathering ........ 31
  3.6 Risk analysis ........ 31
  3.7 Risk identification ........ 32
  3.8 Risk measurement ........ 33
  3.9 Risk mitigation assessment ........ 34
  3.10 Conclusion ........ 34
  3.11 Research recommendation ........ 34
CHAPTER IV - DATA COLLECTION AND ANALYSIS ........ 35
  4.1 Data collection ........ 35
    4.1.1 Company profile ........ 35
    4.1.2 Risk management in BEI ........ 37
    4.1.3 Information technology in BEI ........ 41
  4.2 Data analysis ........ 43
    4.2.1 Risk identification ........ 43
    4.2.2 Risk measurement ........ 49
    4.2.3 Risk mitigation plan ........ 54
CHAPTER V - CONCLUSION AND RECOMMENDATION ........ 59
  5.1 Conclusion ........ 61
  5.2 Recommendation ........ 62
REFERENCES ........ xix
APPENDIX ........ xxi
LIST OF FIGURES
Figure 2.1 - The Risk Driver ........ 8
Figure 2.2 - Risk Topology from Balance Sheet ........ 10
Figure 2.3 - Risk Management Process ........ 13
Figure 2.4 - Risk Matrix 1 ........ 16
Figure 2.5 - Risk Matrix 2 ........ 17
Figure 2.6 - Risk Mitigation Matrix ........ 18
Figure 2.7 - IT Infrastructure Symbols ........ 23
Figure 2.8 - Different Types of Server ........ 24
Figure 2.9 - Network Symbols ........ 25
Figure 2.10 - Internet Platforms Diagrams ........ 25
Figure 3.1 - Research Methodology Diagram ........ 29
Figure 4.1 - BEI Risk Management Division Structure ........ 37
Figure 4.2 - BEI Operational Risk Profile ........ 40
Figure 4.3 - BEI IT Division Structure ........ 41
Figure 4.4 - BEI IT Topology ........ 42
Figure 4.5 - Risk Plotting Matrix ........ 52
LIST OF TABLES
Table 2.1 - List of Risk Table ........ 15
Table 2.2 - Risk Impact Constrain Table ........ 16
Table 2.3 - Risk Probability Constrain Table ........ 16
Table 4.1 - BEI Risk Event Database ........ 38
Table 4.2 - Operational IT Risks Event Database ........ 45
Table 4.3 - Reliability for Probability Questionnaire ........ 50
Table 4.4 - Reliability for Severity Questionnaire ........ 50
Table 4.5 - Weighted Questionnaire Result Table ........ 51
Table 4.6 - Risk Level Table ........ 54
Table 4.7 - Risk Mitigation Plan Table ........ 55
LIST OF APPENDIX
APPENDIX A - Glossary ........ xxii
APPENDIX B - Research Approval Letter from BEI ........ xxiii
APPENDIX C - BEI Risk Management Roadmap ........ xxiv
APPENDIX D - BEI Risk Management Reporting ........ xxv
APPENDIX E - BEI Risk Management Capital Allocation ........ xxvi
APPENDIX F - BEI Operational Risk Management Database ........ xxvii
APPENDIX G - BEI IT Infrastructure Description ........ xxix
APPENDIX H - The Questionnaire ........ xxxi
APPENDIX I - The Questionnaire Result ........ xxxiiii