Two years after the "Three Lines Model" risk management protocol was issued by the Institute of Internal Auditors (https://www.theiia.org/) to help organizations manage risk and successfully achieve their goals, the Ministry of State-Owned Enterprises ("MSOE") has adopted it for the state-owned sector in Indonesia via MSOE Regulation No. PER-5/MBU/09/2022 ("Reg. 5/2022").[1] Prior to the issuance of Reg. 5/2022, detailed MSOE-level regulations on good corporate governance, risk management, and the allocation of responsibilities and authority within state-owned enterprises ("SOE") did not exist.
The Three Lines Model was issued as an update on the previous risk management protocol, namely, the "Three Lines of Defense." Key changes promoted in the Three Lines Model are focused on the active role of each corporate organ instead of a divisive structural role, a shift from defense to put priority on achieving the organizational objectives through a collaboration of all corporate organs, and a stronger and yet more open and collaborative purpose of the internal audit function.
2. Characterization of SOEs
Reg. 5/2022 differentiates SOEs into what are termed Conglomerate SOEs ("CSOE") and Individual SOEs ("ISOE"). An SOE is defined as a CSOE if:
- its total revenue from consolidated subsidiaries amounts to 20% or more of the CSOE's total revenue;
- its investments in its subsidiaries amount to 5% or more of the CSOE's capital;
- it has a subsidiary that has issued series A shares; and/or
- it is categorized as a CSOE by the relevant minister, authority, or regulator.
A CSOE that lacks any of the above characteristics is categorized as an ISOE.
Both CSOEs and ISOEs are required to implement the Three Lines Model.
As with the shift towards a risk-based approach in the OSS business licensing system, SOEs are, pursuant to Reg. 5/2022, classified according to their inherent risk level. Measurement parameters include their role in performing public service obligations, their strategic relationship with technical ministries, market share, and the degree to which they might be replicated by the private sector in both the short and medium term.
3. Organizational Restructuring
CSOEs and ISOEs that are deemed to exhibit the highest level of risk (in terms of potential losses and impact on the public) are required to adapt their management structures so as to establish up to eight risk management organs, including a risk oversight and an integrated good corporate governance committee, and to appoint a risk management director (which requirements are generally satisfied in well-run financial services or public companies).
One of the principles promoted in the Three Lines Model is that of coordination and parallel support between risk management bodies. For example, the Internal Audit Unit ("IAU"), charged primarily with independent scrutiny, should be assisted by the Board of Commissioners ("BOC") or Board of Supervisors ("BOS"), and the Board of Directors ("BOD") to ensure that it has access to all data of relevance that it might require. The IAU also has a duty to participate in strategic meetings so that significant findings can quickly be reported to the president director, BOC, or BOS.
By 2 September 2023, the BODs and BOCs / BOSs of SOEs are required to establish new, or adjust existing, internal guidelines, organizational structures and risk management organs, having regard to the provisions of Reg. 5/2022 and the characteristics of the SOE concerned.
4. Other Obligations and Reporting
In addition to making the required adjustments so as to comply with Reg. 5/2022, every SOE (and its subsidiaries) is required to prepare a risk-breakdown analysis as part of the process of formulating performance targets.
The BOD of an SOE must also submit quarterly and annual reports on the realization of the risk management, internal auditing, and good corporate governance functions, which should then be used as a basis for assessing the SOE's performance.
5. ABNR Commentary
The Three Lines Model is aimed at helping to identify risks and overcome them more quickly, as evidenced by the attention it devotes to the division of duties and authority, as well as its focus on achieving seamless coordination between risk management bodies.
As the BOD, generally, is charged with overseeing risk management, internal audit, and integrated good corporate governance, SOE executives responsible for day-to-day operations under the BOD will now be obliged to fully incorporate their responsibilities as regards risk management, internal audit, and integrated good corporate governance into their work.
In addition, the IAU will be required to not only define and operate risk management but also play an active role in achieving the company's objectives.
Ideally, the IAU should be proactive in promoting intra-company synergy and effective communication (rather than simply policing company regulations or protocols without also offering appropriate and speedily implementable solutions) to executives who operate daily at the "coal face" of risk management.
Equally, it will be crucially important that state auditors take on board the same fundamental objectives when applying the Three Lines Model, as this would significantly help SOE directors and executives to unconditionally embrace innovation – not just caution – as essential features of contemporary risk management.
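1. Minister of State-Owned Enterprises Regulation No. PER-5/MBU/09/2022 on the Implementation of Risk Management in State-Owned Enterprises (Peraturan Menteri Badan Usaha Milik Negara Nomor PER-5/MBU/09/2022 tentang Penerapan Manajemen Risiko pada Badan Usaha Milik Negara)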