2. Enterprise Risk Management (ERM)
Telkom realizes that risk management is an integral part of the management of Good Corporate Governance (GCG) to ensure business continuity. Governance of risk management basically refers to the concept of 3 Lines of Defense, including:
a. First Line: All Organization Units in the Office of the Company, Divisions and Subsidiaries, as Risk Owners, are responsible for risk management in their work units, ranging from the process of risk identification, risk assessment and mitigation to monitoring and continuous improvement.
b. Second Line: The function of the Risk Management business unit, which is under the coordination of the CRMGA department, is to ensure the effectiveness of risk management through the provision of policies, frameworks, procedures and guidelines.
c. Third Line: The function of the Internal Auditor is to independently audit the effectiveness of the implementation of risk management and internal control.
3. Process of Constructing and Maintaining the Enterprise Risk Management
To be able to run the eight components of the COSO Framework process well, we build and maintain the Enterprise Risk Management through:
1. Structural aspect, by building a supportive internal environment through:
   1. Building Commitment and Tone at the Top,
   2. Laying the foundation of risk management within the framework of GCG,
   3. Establishing a Risk Management Unit Management Organization,
   4. Developing Policies, Guidelines for Risk Acceptance Criteria (RAC), Guidelines for Risk Assessment / Risk Control Self Assessment (RCSA) and Governance,
   5. Developing Competence in Risk Management,
   6. Providing adequate tools and systems.
2. Operational aspect, which focuses on:
   1. Guarding the implementation of risk assessment at the Corporate, Business Unit and Subsidiary levels, as well as the preparation of adequate mitigation plans.
   2. Developing risk assessment methodologies for specific functions by combining the implementation of the COSO ERM Framework with reference standards or other guidelines.
3. Treatment aspect, which focuses on information processing, communicating, reviewing and continuous improvement, including:
   - Guarding the implementation of the risk review, monitoring and reporting system
   - Coordinating the implementation of Risk Management Audit Implementation Enterprise
   - Maintaining Continuity Competency Development