The main framework used in risk management at Telkom, the COSO ERM Framework, includes three major components:
1. Company risk management must be able to support the company's goals from the following aspects: strategic, operational, reporting and compliance.
2. Enterprise risk management is applied at all levels of the organization within the company, which include: enterprise level, division, business unit and subsidiary.
3. The implementation of enterprise risk management consists of eight components, which are:
a. Developing the internal environment process
b. Objective setting process
c. Event identification process
d. Risk assessment process
e. Risk response process
f. Control activities process
g. Information Communication Process
h. Monitoring process
However, in its implementation, Telkom also pays attention to and integrates the framework with other relevant references and guidelines, among others:
1. ISO 31000 - Enterprise Risk Management, as a comparison and complementary implementation
2. ISO 27001 - Information Security Management System (ISMS), as a reference in the development of risk management to ensure information security in terms of Confidentiality, Integrity and Availability
3. ISO 22301 - Business Continuity Management System (BCMS), as a reference in ensuring business continuity
4. ISO 20000 - Information Technology Service Management (ITSM), as a reference in ensuring IT services
5. Safety and Health Management System (SMK3), based on Government Regulation No. 50 of 2012 on the application of SMK3
6. ISO 18001 - Occupational Health and Safety Assessment System (OHSAS), as a reference to support the implementation of SMK3

IMPLEMENTATION OF RISK MANAGEMENT POLICY AND FRAMEWORK
1. Efforts to add value to the management of the company
In line with the basic framework, the COSO ERM Framework, risk management at Telkom is expected to provide added value in achieving the objectives of the company, especially in the aspects of: Strategic, Operation, Reporting and Compliance.
Strategic Aspect:
Risk management attempts to provide added value through the implementation of risk management in the company's planning process, for example during the preparation of the Corporate Strategic Scenario (CSS), as well as in the strategic decision-making process.
Operational Aspect:
Implementation of Risk Management to protect the Company's assets will include:
· Physical Security Management for infrastructure security
· IT Security Management System, including Confidentiality, Integrity and Availability
· Management of the Work Health and Safety Management System
· Management of Business Continuity Management, Disaster Recovery Plan and Crisis Management Team
· Management of Revenue Assurance and Anti Fraud Program
Compliance Aspect:
Risk management strives to provide added value through:
· Management of compliance with External Regulations and Internal Rules
· Management of compliance with SOX Provisions through the design and implementation of adequate Internal Control
Reporting Aspect:
Risk management strives to provide added value to the process of setting financial reporting disclosure controls through the Disclosure Control Procedure (DCP).
2. Enterprise Risk Management (ERM) Governance
Telkom realizes that risk management is an integral part of Good Corporate Governance (GCG) to ensure business continuity. Governance of risk management, referring to the Company Risk Management Policy, includes:
a. Board of Directors: In the implementation of risk management policies, acts and is responsible for establishing policies related to risk management and ensuring that company risk management is effectively implemented through all the company's management processes.
b. Risk Committee: Acts and is responsible for setting policies, reviews and recommendations on company risks and providing feedback or guidance for every person in charge of company risk.
c. Corporate Risk Management Unit: Acts and is responsible for coordinating the implementation of the company's risk management policy.
d. Internal Audit Unit: The Internal Audit function acts and is responsible for providing an independent opinion to the Board of Directors, Risk Committee and Risk Management unit of the company.
e. Head of Unit: Unit leaders/Senior Leaders have the duty and responsibility to implement and supervise the whole process of company risk management in the unit they lead.
f. All Employees: Have the task and responsibility of effectively and efficiently implementing company risk management policy according to their roles and positions.
g. Subsidiary: Has the task and responsibility of implementing risk management with a framework referring to the framework used by PT. Telkom.
3. The process of building and maintaining Enterprise Risk Management (ERM)