RISK MITIGATION USING INTEGRATION ENTERPRISE RISK MANAGEMENT AND BALANCED SCORECARD MODEL (A Case Study in a Consulting Services Company in Indonesia)

ARTICLE INFO ABSTRACT Article history : Received : August 2020 Accepted : April 2021 Risk is the uncertainty of events that can hurt organizational goals. The risks that exist in the company need to be managed or controlled to reduce risk pressure on the goals the company wants to achieve. ERM is an integrated or holistic strategic risk management that manage risk more comprehensively. Meanwhile, the Balanced scorecard is a tool used to help companies measure performance based on financial and nonfinancial perspectives. The purpose of this study is to determine the extent to which companies can apply ERM based on the balanced scorecard perspective and how the integration of ERM and balanced scorecard can help managerial decisions. This research conducted at a consulting service company using semi-quantitative methods. The results showed 36 events identification. Risk management is carried out based on the level and amount of risk that has been evaluated and made in a risk priority map. Handling risk three strategies, apply namely accept, share and reduce under capabilities, and resources the company has in managing risk. Implementation of ERM and Balanced Scorecard companies can reduce existing risks, and assist stakeholders in making decisions related to risk management.


INTRODUCTION
Modern economic development dynamically requires companies to increase innovation. Companies need to make the right strategies formulation, effectiveness implementation, and performance evaluation can cope with change (Kurniawati, 2017). Every company wants good quality of the business journey. The companies superior performance is a representation that the business processes in the companies are well executed. Performance measurement of companies is needed to interpret the vision, mission, and strategy of the company. Organizational performance of the organization elements such as customer service, cost management, quality, productivity and asset management (Durst et al., 2019).To achieve strategic goals, vision, and the performance management of key risk indicators, using a balanced scorecard as a strategy to improve ERM performance. Results of (Rasid et al., 2017) finding the relationship between ERM and the company performance measurement system (balanced scorecard) cannot integrate simultaneously. Cheng et.al (2018), finding that evaluating the results of integration information on risk strategies and a balanced scorecard does not help as a driver of performance improvement. Besides, (Suttipun et al., 2018) risk assessment activities of goal setting, control, and monitoring have a positive and significant impact on the performance SMEs as measured by the BSC, while risk identification has a negative effect. The result of integrating risk management with BSC is not reducing risk pressures, measurable potential losses, but rather to understand risk issues in work orientation (Thekdi & Aven, 2016).
Innovative industrial risks arise due to uncoordinated and balanced innovative projects, which are accompanied by the emergence of various stochastic effects that have an impact on innovative processes of complex economic systems (Ponikarova & kadeeva, 2020). Implementation ERM is most important for various sectors, banks, insurance and non-financial companies, especially SMEs (Anton & Nucu, 2020). Other studies on the relationship between risk management and balanced scorecard in service banks (Elkhouly et al., 2015); and (Ratri & Pangeran, 2020). Looking at the various advantages of the ERM integration model with the balanced scorecard, this study aims to find out the extent to which the company can explore the ERM in conducting risk identification, risk assessment, and risk response based on the perspective of a balanced scorecard. How the integration of ERM and balanced scorecard can help managerial in decision making regarding strategic management applied to improve the company performance, achieve the desired goals of the company. A case study in a consulting company in Indonesia is conducted.
Risk is an uncertainty factor that can hinder the achievement of organizational goals (Olivia, 2016). Risk management can create value at either the company or business unit level (Khameneh et al., 2016). Enterprise Risk Management (ERM) is a company management process that involves risk identification and collective risk assessment that can affect firm value and how companies implement risk management strategies (Meulbroek, 2002). The ERM analyzes the portfolio risk process faced by companies ensuring that the effects caused by these risks are within acceptable tolerance limits (Beasley et al., 2008). ERM includes the methods and the processes that organizations use risk and seize the opportunities outside achieve their goals (Rasid et al., 2017). ERM is a fundamental and comprehensive model that has evolved from a traditional system, a holistic and integrated system (Nasr et al., 2019). This can provide a greater awareness of the company about the risks that increase and the company's ability to respond to risk effectively, thereby increasing the efficiency and effectiveness of the company's operations (Ali et al., 2019).
The Committee of Sponsoring Organization of the Treadway Commission (COSO) 2004 explains, risk management as a process engaged in the board of directors, management and other personnel entity, applied determination of strategies and design company, to identify potential impacts and managed the risks could affect entity not lose risk appetite provide reasonable assurance entity regarding the fulfillment of the objectives. The COSO ERM aims to provide a risk management framework included as an importantly part of directing organizational goals. The COSO ERM has become a standard and de facto risk management framework for large companies (Weeserik & Spruit, 2018). The COSO ERM consists of eight components, namely the determination of the risk context (objectives), risk assessment, event identification, risk assessment, risk response, control activities, information and communication, and monitoring, meanwhile the traditional risk management system consists of five components, namely identification, analysis, evaluating, managing and monitoring risk (Annamalah et al., 2018). According to (Frigo, 2009) three ERM COSO elements relate to the strategy ERM deals directly with the determination of the strategy and becomes effective if embedded and connected directly with the development of the company strategy, ERM design to identify events that may affect the company strategy performance; the objective of ERM is to assure that the company achieves the SPEKTRUM INDUSTRI e-ISSN : 2442-2630Vol. 19, No. 1, April 2021p-ISSN : 1963 76 strategic objective. ERM practice is most important for organizations in the current era because it facilitates companies to control their internal business systems (Yang et al., 2018). Performance measurement is a method developed to measure performance indicators and relate them to contextual factors to measure performance (Weeserik & Spruit, 2018). The balanced scorecard is an organizational management performance control system popularized by Kaplan and Norton. The balanced scorecard is a management system that provides a framework for interpreting the company's vision and mission into a coherent set of performance measures (Kaplan & Norton, 1996). The balanced scorecard explains fact importance of nonfinancial factors in determining strategic goals (Kotze et al., 2015). The balanced scorecard has four main perspectives that identify whether the company performance is good or not, namely finance, customers, internal business, learning, and growth. Stakeholders establish key performance indicators (KPIs) to achieve their strategic goals. Key performance indicators are used to measure and evaluate organizational performance in achieving strategic objectives. Khameneh et al (2016), used 19 KPIs for risk management system performance.
Performance measurement directs the company to a more viable and profitable future, while risk management is how the company avoids impacts that can harm and destroy business (Bourne and Mura, 2018). Risk management related to company performance aims to grow the company and prepare the basis for decision-making (Klučka & Grűnbichler, 2020). The balanced scorecard is used for organizational performance strategies in achieving goals, while ERM helps company leaders think about positive and negative factors that affect the achievement of goals (Beasley et al., 2006). Studies conducted (Beasley et al., 2006) and (Wood, 2007) combined ERM with BSC as a corporate control strategy to strengthen goal achievement. ERM and balanced scorecard complement each other. For example, the Balanced Scorecard creates strategic work for everyone in the entity from top to bottom, as well as ERM, which shows that everyone in the entity has a responsibility in managing company risk (Nagumo, 2005). A balanced scorecard and ERM can be implemented simultaneously because of the division of elements and are an ongoing process related to company strategy (Kotze et al., 2015). The integration of ERM with the Balanced Scorecard also strengthens the balanced scorecard process of capturing more information about risk management objectives, and actors become more aware of risks and the need to manage risks, thereby enhancing learning and growth (Beasley et al., 2006). Nagumo (2005), combines 8 risk management components in COSO ERM and a balanced scorecard into a mapping chart (see Figure 1). Internal environment refers to the top management commitment using a balanced scorecard with the ERM system to enhance the security and safety of the organization. COSO has four categories a strategic, operations, report and compliance in order to achieving goals. Strategic objectives in the perspective of the balanced scorecard closely related to the achievement of the company vision and mission. While other objectives are closely related to the internal business, financial, customer and growth and learning processes, both in operations, reporting and policies set by the company.   -ISSN : 2442-2630Vol. 19, No. 1, April 2021p-ISSN : 1963 Strategy of executing the risk management process starts from risk identification, risk assessment, risk management and control activities in carrying out risk management. Development of COSO ERM and a balanced scorecard reduce the risk impact that could interfere in achieving organizational objectives. A COSO ERM practice with a balanced scorecard as a single package that cannot be separated. Although according to (Calandro and Lane, 2006) the use of COSO ERM with a balanced scorecard can be done separately, but integrating the two will have a potential impact because management will balance risk measurement and risk management measurement.

RESEARCH METHOD
This research is semi-quantitative in nature, and the subject of this research is a consulting, training, and certification service company located in the Special Region of Yogyakarta. The company provides four types of services, public training, in-house training, certification, and consulting. Clients of this company consist of more than 800 state-owned, private, educational, and non-government institutions. The training fields offered include various including Human Resources and Development, Business and Management, Engineering, Oil and Gas, Electricity and Energy, Information Technology, Finance, Law, and The risk management framework used in this study is based on the ERM balanced scorecard model see (figure 1). The implementation of strategic risk management based on (figure 1), with the following explanation. 1. Event identification is the identification of internal and external events that affect the organization reaching the goal. Event identification was conduct using key indicators performance balanced scorecard defined by the companies and an in-depth interview to collect related information to potential risks and impacts that affect the company performance. Data collected by distributing questionnaires from departments such as finance, operational, marketing, and information technology. The Validation and reliability of the questionnaire based on expert opinion. 2. Risk assessment: A scenario to calculate likelihood, consequences and potential risks. The risk assessment consist of two activities; a. Risk Analysis Risk analysis aims to understand the nature of risk and its characteristics including suitability and level of risk. Risk analysis is carried out in a semi-quantitative manner by determining the magnitude of the likelihood and consequences of the risk, so that the magnitude and level of risk are obtained. The magnitude and level of risk are known from a combination of likelihood and the consequances of risk on the risk matrix. Then the risk is mapped based on the level of risk. In this study the magnitude of the level of probability, impact of risk and risk level can be seen in tables 1 -3 (BSN, 2018). Risk map is shown in figure 3 adopt from (Cox, 2008) the dotted line shows the acceptable risk tolerance limit. Large Inhibit in increasing profits and low productivity 5 Very Large Inhibit in increasing profit and very low productivity

. Risk Evaluation
Risk evaluation is done by comparing the results of risk analysis with established risk criteria. This risk evaluation includes setting priorities for risk and determining key risks. The purpose of risk evaluation is to support the decision making process in risk mitigation. 3. Risk response is a plan to address the risk, either by avoiding, accepting, reducing or dividing the risk. 4. Control activities are policies and procedures set up to help the company effectively and efficiently respond to risks.

RESULTS AND DISCUSSION A. Event Identification
The purpose of implementing the ERM balanced scorecard is to help managers achieve strategic goals in accordance with the vision or mission. Implementation of risk management is carried out in accordance with existing resources. Event identification is carried out by identifying KPIs based on the BSC that have been assigned by the company. From the results of interviews and questionnaires, there are 20 indicators obtained and there are 36 risk events that are grouped into four perspectives namely financial, customer, internal business and learning. The types of risks are shown in Table 4.

Risk Assessment
The event risk is analyzed based on the probability and impact of the risk to determine the level of risk.

RL = L × C
(1) SPEKTRUM INDUSTRI e-ISSN : 2442-2630Vol. 19, No. 1, April 2021p-ISSN : 1963 Where: RL = Risk Level C = Consequence L = Likelihood Determination of the level of probability and risk impact using a likert scale (see table 1-3) with the magnitude of the risk level can be seen in Table 5.  Based on the results of risk level in Table 4 above, then the risk is mapped to facilitate the determination of risk evaluation. Risk map can be seen in figure 3.  Figure 3. Risk maps before mitigation From the risk maps above, risks are grouped based on the level of risk. Risk priorities are grouped into three, namely, the main risk E8, where this risk has the highest magnitude of risk, then risk groups E14, E15 and E27, and finally risk groups E3, E5, E13 and E25. Risk groups that are below the dotted line are not included in the priority risks that must be addressed because these risks can still be tolerated.

Risk Response
The next step is to treat risk. Treat risks according to the policies and capabilities resources of the organization in dealing with existing risks. Decisions in managing risks are also seen from the resources that the organization has. In this study, the risk management strategies adopted are reducing, sharing, and accepting. Risks accepted (accept) are that risks have an impact not harmful and threatens the operational and management of company, and do not require special treatment for handling risk. Share strategies are carried out by sharing risk with third parties. Strategies that be applied are selecting suppliers and making contractual agreements with suppliers, involving suppliers in discussions in developing modules, learning processes, evaluating and controlling indoor activities. Establish cooperation with hotel suppliers or other place service providers to provide alternative places, if there a sudden change in schedule or high level of demand, that in scheduling training, the operational team has no difficulty finding and providing a strategic place SPEKTRUM INDUSTRI e-ISSN : 2442-2630Vol. 19, No. 1, April 2021p-ISSN : 1963 for training. Collaboration is also to reduce operational costs in providing training venues. Reduced strategy is applied to reduce the likelihood or impact of risks by improving operational procedures, making new policies, improving financial accounting systems, providing training to employees, and giving invoices earlier to clients. Risk mitigation undertaken in this study see in Table 6.  Figure 4 shows a risk map after risk management is carried out. Some of the risks that are prioritized for risk management have reduced levels of likelihood and impact so that they do not threaten the company's survival. From the map, it can be seen that there are significant and positive changes after risk mitigation. Risk management with the integration of the balanced scorecard and ERM can reduce the risks that occur in the company more strategically. In addition, management can also be careful in taking action both in improving performance and risk management. This integration also makes it easier for management to control and monitor all elements of the organization. This is in line with the results of research from several namely (Ratri & Pangeran, 2020); (Lamanda & Võneki, 2015); (Leech, 2013) and (Hilson & Webster, 2011).
Each element of the organization can easily carry out operations and reports to superiors with policies that facilitate the sharing of information at every level.
ERM integration and balanced scorecard will balance the improvement of company performance and risk management. This integration can help managerial in obtaining overall information and strategic decision making in achieving company goals based on the company's vision and mission (Suttipun et al., 2018); (Nagumo, 2005); (Beasley et al., 2006) and (Frigo, 2009). Companies can improve performance and reduce the possibility of risks that affect the SPEKTRUM INDUSTRI e-ISSN : 2442-2630Vol. 19, No. 1, April 2021p-ISSN : 1963 company as a whole. The integration of ERM with the balanced scorecard has a positive influence in reducing existing risks (Wisutteewong & Rompho, 2015

CONCLUSIONS
This study can identified 36 risk events based on four balanced scorecard perspectives. These risks are then analyzed and evaluated to obtain risks that are a priority to be addressed. Managing risks, the researcher can apply a share, reduce and accept strategy base on the level and magnitude of the risk. Risk acceptance strategy carried out for risks that have low level and do not require special treatment, do not have impact and threaten the company survival. Share and reduce risk is a priority to be addressed. Type of risk management corresponds to the category and event of the risk. Share strategy carried out by sharing the risk with third parties. The integration between ERM and balanced scorecard could balance the improvement of company performance and risk management. This integration makes it easier for management to control and monitor all elements of the organization.