

On November 18 and 19 2014 the newly established Financial Services Authority (OJK) issued a set of regulations governing the financial services industry:

  • Regulation 17 (POJK.03/2014) regarding the application of integrated risk management for financial conglomerates; and
  • Regulation 18 (POJK.03/2014) regarding the application of integrated governance for financial conglomerates.

The OJK noted in its preamble to the regulations that they are intended to promote sustainability, stability and competitiveness in light of the increasing complexity of transactions and interactions between financial institutions, as well as between companies within a financial conglomerate. In addition, financial conglomerates face significant control issues due to enhanced risk exposure arising from the number of subsidiaries within their control and the wide array of financial activities in which these subsidiaries engage. As such, the OJK considered that the industry needed regulations to enhance good governance and provide guidance so that financial conglomerates can integrate risk management systems more effectively.

In its press release following issuance of the regulations, the OJK stated that the recent global financial crises (which have been associated with extreme risk taking) have underlined the necessity of enhancing the financial regulatory framework with the aim of making the market more stable, efficient and transparent. Regulations 17 and 18 apply to both conventional and Sharia/Islamic-based financial conglomerates.(1)

Scope of risk management

According to Regulation 17, 'financial conglomerates' comprise a principal entity and subsidiary companies or related companies and their subsidiaries. The term 'financial conglomerate' covers financial services companies engaged in the banking, insurance and reinsurance, securities and finance sectors.(2) 'Subsidiary companies' include companies that are owned or controlled directly or indirectly by a financial services company located in Indonesia or abroad and are engaged in financial services activities.(3) The only exception to the term 'financial conglomerate' is Indonesian government-owned or controlled financial services providers.(4)

Integrated risk management for financial conglomerates as required under Regulation 17 involves the following minimum measures:(5)

  • supervision by management(6) of the principal entity (holding company) of the financial conglomerate or a financial services company appointed by the holding company;
  • adequate integrated risk policies, procedures and restrictions;
  • adequate identification processes, measurements, monitoring mechanisms and IT systems to control integrated risks; and
  • a comprehensive internal control system for risk management.

Risks to be managed include credit, market, liquidity, operational, legal, reputational, strategic, compliance and insurance-related risks, as well as intergroup transactions. Management measures for insurance-related risks are not mandatory for financial conglomerates which include no insurance or reinsurance-related companies.(7)


The management of the holding company is responsible for ensuring the implementation of risk management measures in accordance with the characteristics and complexities of the financial conglomerate's business. The management's responsibilities should include:(8)

  • preparing a written comprehensive risk management policy in accordance with OJK regulations;
  • implementing and developing a culture of risk awareness; and
  • independently applying risk management procedures and periodically evaluating these procedures.

The holding company must appoint a director to implement the risk management policy.(9) In addition, the board of supervisors is responsible for guiding, approving and evaluating the implementation of the risk management plan.(10) Regulation 17 also mandates the formation of a committee and a taskforce to assist the holding company in implementing the risk management plan.(11) The specific tasks of this risk management committee are stipulated in Regulation 17.(12)


Regulation 18 provides guidance to financial conglomerates on the establishment of good governance practices as part of the implementation of a risk management plan. This includes the principles of transparency, accountability, responsibility, independence, professionalism and fairness.

Regulation 18 stipulates that good governance should include:(13)

  • specific duties and responsibilities for the management and the board of supervisors;
  • the preparation and implementation of integrated guidance on governance;
  • specific duties and responsibilities for the integrated governance committee and its taskforce; and
  • the application of integrated risk management policies.

Regulation 18 also provides that the board of directors and the board of supervisors of both conventional and Sharia/Islamic-based holding companies must have knowledge not only of the business of the holding company, but also that of all financial services providers within the conglomerate. This forms part of the obligation to ensure integrated governance and facilitates the follow-up of any audit findings and implementation of recommendations of the taskforce.(14)

Regulation 18 stipulates that the holding company must comply with various criteria in preparing its good governance guidance. The guidance, to be prepared by the holding company's board of directors and approved by the board of supervisors, must include:

  • an integrated governance framework for the holding company; and
  • a governance framework for all financial services providers within the conglomerate.(15)

Regulation 18 sets out requirements governing the eligibility of candidates for the board of directors and the board of supervisors, the structure of these boards and their powers and duties.(16) Regulation 18 also addresses important issues such as compliance, internal and external audits, risk management, remuneration and conflicts of interest.(17)

Of particular note is Article 42 of Regulation 18, which stipulates that financial conglomerates whose holding company is a branch of a foreign entity must also comply with the provisions on integrated governance that are set out in various OJK regulations.


Regulations 17 and 18 both establish reporting requirements. The holding company and its members' financial services providers must file reports with the OJK. In particular, the holding company must prepare a report every semester on its integrated risk profile, which will be rated on a scale of one to five (where five is considered the highest risk and one the lowest).

The report must be compiled every semester ending in June and December and submitted to the OJK within 15 days of the second month following the end of each reporting period. Holding companies which fail to file the report will be subject to monetary and administrative penalties as stipulated in Regulations 17 and 18.(18)

For further information on this topic please contact Hamud Balfas at Ali Budiardjo, Nugroho, Reksodiputro by telephone (+62 21 250 5125) or fax (+62 21 250 5121).


(1) Article 11(2) of Regulation 17.

(2) Article 4 of Regulation 17 and Article 3 of Regulation 18.

(3) Article 5(1) of Regulation 17 and Article 4(1) of Regulation 18.

(4) Article 311 of Regulation 17 and Article 50 of Regulation 18.

(5) Article 8 of Regulation 17.

(6) According to Regulation 17, this includes both the board of directors and the board of supervisors.

(7) Article 9 of Regulation 17.

(8) Article 12 of Regulation 17.

(9) Article 13 of Regulation 17.

(10) Article 14 of Regulation 17.

(11) Article 16 of Regulation 17.

(12) Articles 17 to 19 of Regulation 17.

(13) Article 8 of Regulation 18.

(14) Articles 8 to 27 of Regulation 18.

(15) Articles 28 to 30 of Regulation 18.

(16) Articles 31 to 37 of Regulation 18.

(17) Articles 38 to 41 of Regulation 18.

(18) Articles 27 to 30 of Regulation 17 and Articles 44 to 49 of Regulation 18.