International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 

https://journalkeberlanjutan.com/index.php/ijesss 
 

65 
 

 

 MEASURING AND IMPROVING THE EFFECTIVENESS OF ISO 

31000 BASED ERM IN STATE-CONTROLLED PSO - A CASE STUDY 

OF TOLL ROAD OPERATORS IN INDONESIA 

Volume: 3 

Number: 1 

Page: 65-71 

1Antonius ALIJOYO, 2Charles R. VORST  
1Parahyangan Catholic University, Indonesia 
2Center for Risk Management and Sustainability, Indonesia 

Corresponding author: Antonius ALIJOYO 

E-mail: antonius.alijoyo@gmail.com 

Article History: 

Received: 2022-01-22 

Revised: 2022-02-11 

Accepted: 2022-03-05 

Abstract:  
Toll road operators need to implement effective risk management. This study 
focuses on how a State-Owned Enterprise (SOE) toll road operator assesses the 
maturity of their ISO 31000-based risk management practices by using an ISO 
31000-based risk management maturity model, ERMA ISO31000 RM3. The study 
is predominantly based on a qualitative approach through document reviews, 
questionnaires, and interviews. The assessment result shows that the company's 
risk management maturity score reaches 3.62 (a scale of 0.00 – 5.00) or at the 
DEFINED level of the risk management maturity. The study also shows that the 
company's risk management process gets the highest score, 4.45, while the 
lowest score, 3.22, is for the company's performance management. By using the 
maturity assessment result, the company's management can develop a risk 
management improvement road map to assist their efforts in increasing the 
effectiveness of their existing risk management practices. Referring to the 
assessment result, the management can prioritize the improvement on low-score 
maturity attributes, such as their performance management, risk culture, 
resilience and sustainability, risk management framework, and management 
process, while maintaining their current practices of the risk management 
process, which has already reached a considerably high maturity level. 
Keywords: maturity assessment, risk management, ISO31000, SOE, toll road 

operator 

 

 

 

Cite this as: ALIJOYO, A., VORST, C.R., (2022). “Measuring and Improving The 
Effectiveness Of ISO 31000 Based ERM In State-Controlled PSO - A Case Study 
Of Toll Road Operator In Indonesia.” International Journal of Environmental, 
Sustainability, and Social Sciences, 3 (1), 65-71 

 

INTRODUCTION 
As part of public infrastructure, land, sea, and air transportation infrastructures play a very 

important role in the economic system. By providing mobilization access for people, products, and 
services required by the economic development, and triggering economic growth of the 
surrounding areas, the condition of the transportation infrastructures significantly contributes to 
the gross domestic product (GDP) and many other economic indicators of a nation. Kawulur et al. 
even stated that the role of transportation in economic development is generally even bigger than 
just the value contributed by the transportation sector into the GDP (Kawulur, 2020). The total 
length of toll roads lately has become one popular indicator for assessing a country's economic 
development regarding the land transportation infrastructure. According to Noor et al., toll road 
development will affect the regional and economic development of two areas that are connected 
by the toll road (Noor, 2017). In Indonesia, trans-area road and toll road developments become 
part of strategic priority projects of the Medium-term National Development Plan 2020-2024 
released through Presidential Decree No. 18/2020. Indonesia Toll Road Regulatory Agency stated 
that there would be additional 410 kilometers of 17 new toll road sections in 2021 to achieve the 
total annual target of 2.756 kilometers (Bisnis.com, 2021). According to the Ministry of Public 
Works and Housing spokesperson, a total of 2.391 kilometers of toll roads are operated per April 
2021, consisting of 62 sections all over Indonesia (Liputan6.com, 2021). 



 

International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 

https://journalkeberlanjutan.com/index.php/ijesss 
 

66 
 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 1. The vision of the Ministry of Public Works and Housing 2020-2024 & 2030 

(Source: adapted from Strategic Plan of the Ministry of Public Works and Housing Year 2020-2024, released 
by Ministry of Public Works and Housing, 2020) 

As important as its contributions to the economy, operating toll roads also gives many 
benefits to society, such as shorter routes and time in traveling, good quality and car-friendly road 
surfaces which reduce potential damages to the car, saving money from lower petrol consumption 
on shorter time and congestion-free journey, safer rest area to pull over in an emergency compare 
to alternative back-roads, more reliable factor in travel planning and budgeting (Emovis-tag.co.uk, 
2020). These benefits reflect the effectiveness of the toll road operator in fulfilling its public service 
obligation, which is maintaining the toll road to keep well-functioning for public use. However, 
many risks may hinder the toll road operator from achieving targeted toll road performance. For 
instance, a roadblock or traffic congestion can occur anytime from an accident, natural causes like 
landslide or flood, road damage, political rally, toll gate malfunction, maintenance or repairment 
project, or simply because overload traffic during public holidays (Satriaputri, 2015). These risks 
are only some examples of the risk universe of the toll road operation that bring the necessity for a 
toll road operator to have sound risk management in place. By practicing effective risk controls 
and treatments, the toll road operator increases their readiness to anticipate the risks that may 
impair the toll road performance and respond quickly to the occurring risks. 

According to ISO 31000:2018, an organization should continually improve the suitability, 
adequacy, and effectiveness of the risk management framework and the way the risk management 
process is integrated, where these improvements should contribute to the enhancement of risk 
management being practiced throughout the organization. One particular state-owned enterprise 
(SOE) in Indonesia, i.e., XYZ, would like to understand better whether its risk management 
practices have met best practice criteria and identify opportunities for improvements to make 
necessary enhancement of its risk management in a well-planned manner. To effectively meet this 
objective, the company applied a risk maturity assessment model which aligns with the adopted 
best practice reference, the ISO 31000. Such model is well fitted by ERMA ISO 31000 RM3 that has 
been designed and built upon the ISO 31000 standard covering the risk management principles, 
framework, and process. The assessment model suggests five levels of maturity: initial, repeatable, 
defined, managed, and optimizing, and consists of 6 assessment attributes which are cascaded 
down into detailed indicators, parameters, and testing factors (ERM Academy, 2021). 

This research focuses on how XYZ uses the ERMA ISO 31000 RM3 model to assess its risk 
management maturity. The results of this study help the management of the XYZ in 
understanding their risk management maturity level and identifying the necessary improvement 
that needs to be done to maintain and increase internal capacity in fulfilling their public service 



 

International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 

https://journalkeberlanjutan.com/index.php/ijesss 
 

67 
 

 

obligation as toll road operators. Furthermore, this study may also benefit from the management 
of an SOE or any other companies and organizations in identifying the effectiveness of their risk 
management practices and other researchers in their quest of conducting related research in the 
future. 

 
METHODS 

The object is one of the largest Indonesian SOEs which serves public interests in the 
transportation sector. Becoming a public listed company in 2007, the company today is an 
operating holding company of 21 subsidiaries and 10 joint venture companies. It manages more 
than its 104 thousand billion Rupiah assets through three business lines, toll road operators, toll 
road maintenance, and other related business. At the end of 2020, the company has operated more 
than 51% of all toll road sections throughout Indonesia, consisting of more than 1.100 kilometers. 
However, the company's name could not be disclosed due to confidentiality. 

This study uses a combination of two data collection techniques, document reviews and 
supported by interviews with members of the board of directors and division heads to support 
and validate the information gathered from the document review process. All information is then 
compiled and mapped into more than a hundred testing factors of the ERM ISO 31000 RM3 model 
to calculate the aggregate scores of 6 assessment attributes and determine a single maturity score 
as the final assessment result. The ERM ISO 31000 RM3 algorithm also includes defining indicators 
of the assessment attributes, which group the testing factors into fifty-plus parameters. By using 
the ERM ISO 31000 RM3 model, the XYZ can identify the score of its risk management maturity 
and the score of each assessment attribute and identify which indicators of the assessment 
attributes the company gets a considerably low score. Based on the result, the study further 
develops a road map for XYZ to obtain a higher maturity to the level as targeted by the top 
management. 

 

RESULT AND DISCUSSION 
There are two combined methods of data gathering used in the field research. First is 

document review covering annual report 2018 and 2019, interim financial report Jan – Jun 2020, 
risk management report 2018, 2019, and 2020, incident/loss event database, sustainability report 
2018 and 2019, board manual, and committees’ charters. The second method is one to one 
interview with members of the board of directors and all division heads. 

Based on document review and interview results, the ERMA ISO 31000 RM3 algorithm 
shows a scoring result of 3.62. This result suggests that the overall company's risk management 
maturity is at the DEFINED level, which reflects the structured and systematic risk management 
the company has in place. The result is also reflected in the risk management practices that are 
becoming more integrated with the company's governance practices, and supported by broader 
and stronger risk competency, leadership, and commitment. 

The following are the detailed result of each assessment attribute and its respective scoring 
value that forms the final scoring value at 3.62 by using the arithmetic mean. 

 

 

 

 

 

 

 



 

International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 

https://journalkeberlanjutan.com/index.php/ijesss 
 

68 
 

 

 

 

 

 

 

 

 

 

 

 

Figure 3. Result of Risk Management Maturity Assessment of XYZ 

1. Risk Management Framework at a scoring value of 3.64 

  The field research finds several evidence-based contributing factors to this attribute; for 
example, the organization executives have discharged their accountability to integrate the risk 
management into the business processes while the board of commissioners has actively 
overseen the integrations, where the integrated risk management practices are conducted 
consistently. Moreover, there is some other evidence showing that the boards' commitment to 
integrating risk management is clearly articulated, supported by a formal set of roles, main 
duties, functions, authorities, and accountabilities for every internal stakeholder who is being 
involved in risk management. In addition, required resources for risk management have also 
been allocated considerably. 

Despite those contributing factors above, some other evidence shows that the risk leadership of 
the top management is still not consistently visible to all lower management levels, the 
integration of risk management still has not fully satisfied the needs of the organization based 
on its internal and external context, and risk communication and consultation within the 
company has not fully supported with required data analytic function while the company is 
still improving data validity in presenting them real-time on the company dashboard. 

2. Risk Management Process at a scoring value of 4.45 

Many parameters of this attribute have been satisfactorily fulfilled, making this attribute the 
highest score among other attributes. Based on the evidence, many risk management practices 
have been integrated into the business process, consistently conducted in full cycle, and 
supported with appropriate IT/IS tools. In addition, every unit/function throughout the 
organization has already had a practical plan or design on how to integrate risk management 
into its business processes, while from these integrating plans, a company's grandmaster plan 
for risk management integration has been formalized. 

However, the integration processes of risk management are still in progress, and there is also 
evidence that shows that the effectiveness of the integration has not been measured or 
evaluated properly both on core and supporting business processes, thus it is not consistently 
included in the risk communication and consultation of the company. 

3. Management Process at a scoring value of 3.65 

The evidence from the field research shows there are contributing factors to the attribute's score; 
for example, appropriate risk assessment and treatment planning processes have been 
embedded with the company's strategic planning, and there is an adequate set of KPIs have 
been set to measure the effectiveness of the strategic plan execution, including the effectiveness 
of respective risk treatments where the interconnections with the effectiveness measurements of 
the operational risk management at the business process or activity levels can be traced down. 



 

International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 

https://journalkeberlanjutan.com/index.php/ijesss 
 

69 
 

 

On the other hand, the result of the field research also shows that during the strategic planning, 
there is some internal and external context of the company which is not thoroughly considered 
in the risk assessment process, not to mention that the company has not evaluated the adequacy 
of the strategic planning itself in a regular manner where the company more depends on its 
compliance with the regulatory requirements on formulating a strategic plan. 

4. Performance Management at a scoring value of 3.22 

The field research results show that every objective has been defined with SMART criteria, KPIs 
have been set by carefully putting the identified risks and respective existing risk controls and 
treatments into consideration, and risk monitoring and evaluation has been embedded with the 
performance monitoring and evaluation mechanism. 

Although there are many contributing factors are found, the result of the field research also 
shows that to a certain extent, the improvement of the company's performance can still 
sometimes be quite challenging due to a dynamic changing situation where the contribution 
from the existing risk management practices is still considerably limited. 

5. Risk Management Culture at a scoring value of 3.37 

The contributing factors to this attribute's score are that risk philosophy has been adopted into 
the written organization culture, accountabilities in risk management have been clearly defined 
and discharged in a disciplined manner, and promoted with a suitable remuneration scheme. 
Also, the tone from the top has been implemented at every level of the organization and is 
supported with sufficient risk awareness at every corner of the organization and a positive 
attitude towards risk with risk competency shown at every level of the organization. 

However, the field research also finds that the company’s risk appetite framework has not yet 
been formalized, the risk governance structure still needs enhancement due to the increasing 
business complexity of the company, while the integration of risk management into personnel 
allocation and promotion mechanism is still under development. 

6. Resilience and Sustainability at a scoring value of 3.40 

Relates to this attribute, the company has adequately performed the environmental risk 
assessment and treatment and the risk assessment and treatment on the company's people, 
supply chain, information system, infrastructure, and financial resilience in anticipating the 
possible disruptions. 

The evidence that is less contributing to the attribute's score is that the assessment methods on 
the company's economic, environmental, and social sustainability are still under development 
where the company is still seeking the most practicable approach and methodology, especially 
in conducting the process in a fully quantitative manner. 

 
CONCLUSION 

The study shows that by using the ERMA ISO 31000 RM3, the SOE under this study can 
measure the maturity of their risk management, which is at the stage of DEFINED with a maturity 
score of 3.62. Based on this result, the company's management can develop a road map that assists 
them in increasing the maturity level of their existing risk management to a desirable level. In this 
regard, the management can prioritize their improvement first on the low score attributes, the 
performance management, risk culture, resilience and sustainability, risk management framework, 
and the management process, while maintaining their current practices of the risk management 
process, which has already reached a considerably high maturity level. In addition, the 
management also needs to define quick wins to increase the maturity score of each attribute and 
prioritize them in the short and short-to-medium term plan of the road map, while planning 
further required improvements in the medium-to-long and long-term part of the roadmap. It 
confirms that not only the SOE can use the risk management maturity assessment model to define 



 

International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 

https://journalkeberlanjutan.com/index.php/ijesss 
 

70 
 

 

the baseline of its current risk management practices and then support the SOE increasing the 
effectiveness of its risk management, but it also confirms that ERMA ISO31000 RM3 is applicable 
and suitable maturity assessment model for ISO 31000 adopters for assessing their risk 
management maturity level. Despite the results provided, this study has limitations in terms of 
comparability with other SOEs and non-SOE toll road operators using the ISO 31000 as the main 
reference in their risk management practices. Thus, further research with a similar case study 
approach in other SOEs and other types of organizations is strongly recommended. 

 

REFERENCES 
Alijoyo, H. S. (2021). Enterprise Risk Management: The Maturity Model. #rd International 

Conference on Applied Research in Business, Management & Economics (p. 18). DPublication.com. 

Alijoyo, H. S. (2021). The State-of-The-Art of Enterprise Risk Management Maturity Models: A 
Review. The Annals of the Romanian Society for Cell Biology Vol. 25 Issue 2, 25. 

Alijoyo, N. (2021). Risk Management Maturity Assessment Based on ISO 31000 - A Pathway 
Toward the Organization's Resilience and Sustainability Post COVID-19: The Case Study of 
SOE Company in Indonesia. 3rd International Conference on Management, Economics & Finance, 
(p. 125). 

Bisnis.com. (2021, 03 24). BPJT: Pembangunan Jalan Tol Tahun Ini Bakal Ngebut. Retrieved from 

Bisnis: https://ekonomi.bisnis.com/read/20210324/45/1371972/bpjt-pembangunan-jalan-tol-
tahun-ini-bakal-ngebut 

Bryce, R. A. (2020). Resilience in the Face of Uncertainty: Early Lessons from the COVID-19 
Pandemic. Journal of Risk Research Vol. 23 Nos 7-8, 881. 

CNBCIndonesia.com. (2020, 12 3). Get Ready! Every SOE Will Have Risk Management Director in 

2021. Retrieved from CNBC Indonesia: 

https://www.cnbcindonesia.com/market/20201203122938-17-206557/siap-siap-setiap-bumn-ada-
direktur-risk-management-di-2021 

Emovis-tag.co.uk. (2020, 02 17). 5 Benefits of Toll Roads. Retrieved
 from Emovis-tag:https://www.emovis-tag.co.uk/articles/5-benefits-of-toll-roads 

ERM Academy. (2021). ERMA ISO31000 RM3 Risk Management Maturity Model - Methodology and 

Application of ISO 31000-Based Risk Management Maturity Assessment. ERM Academy. 

KataData.co.id. (2021, 4 29). Erick Thohir Assesses This Year Will Only Be A Momentum for SOE To 

Survive. Retrieved from Kata Data: 
https://katadata.co.id/yuliawati/finansial/608a8c449dd1d/erick-thohir-menilai-tahun-ini-
cuma-momen-bumn-bertahan-hidup 

Kawulur, N. M. (2020). Congestion Impact Analysis on the Economy of the Road User: In the Front 
of the Manado City Park Monument. Periodic Scientific Journal Efficiency Vol. 20 No. 10, 86. 

Liputan6.com. (2021, 04 27). The Length of Operating Toll Roads in Indonesia Have Reached 2.391KM. 

Retrieved from Liputan 6: https://www.liputan6.com/bisnis/read/4543324/panjang-
ruas-tol-di-indonesia-yang-sudah-beroperasi-capai-2391-
km#:~:text=Staf%20Ahli%20Menteri%20PUPR%20Bidang,Usaha%20Jalan%20Tol%20(BUJT) 

MediaBUMN.com. (2020, 10 19). Risk Management Should be the Focus of SOE. Retrieved from Media 
BUMN: https://mediabumn.com/manajemen-risiko-harus-jadi-perhatian/ 

MediaBUMN.com. (2020, 12 1). SOE Performance 2021 is Predicted Will Still Be Decreasing 30 Percent. 
Retrieved from Media BUMN: https://mediabumn.com/kinerja-bumn-tahun-2021-
diprediksi/ 



 

International Journal of Environmental, Sustainability, and Social Sciences 
ISSN 2720-9644 (print); ISSN 2721-0871 (online) 

https://journalkeberlanjutan.com/index.php/ijesss 
 

71 
 

 

Noor, H. S. (2017). Social Economy Impact Analysis on The Development of Toll Road Surabaya-
Mojokerto. National Seminar & Scientific Gathering Reseracher Network (p. 270). Banyuwangi: 
IAI Darussalam. 

Okezone.com. (2021, 1 22). Erick Thohir Monitor Risk Management of SOE Abroad. Retrieved from 

Okezone: https://economy.okezone.com/read/2021/01/22/320/2348962/erick-thohir-pelototi-
manajemen-risiko-bumn-yang-di-luar-negeri?page=1 

Proenca, V. B. (2017). Risk Management: A Maturity Model Based on ISO 31000. IEFE 19th 
Conference on Business Informatics, (p. 99). 

Satriaputri, C. (2015). Operational Risk Analysis on PT Jasa Marga (Persero) Tbk. Jagorawi Toll 
Road. Journal Management and Organization Vol. VI No. 3, 259. 

Susanti, M. (2015). Estimation of Congestion Cost in Medan. Puslitbang Manajemen Transportasi 
Multimoda. 

Vadali, S. R. (2008). Toll Roads and Economic Development: Exploring Effects on Property Values. 
The Annals of Regional Science, 20. 

Vorst, P. B. (2018). Risk management Based on SNI ISO 31000. National Standardization Agency.