SULTANIST: Jurnal Manajemen dan Keuangan Volume: 13 No: 2 Year 2025 Page .
ISSN: 2338-4328 (Prin.
ISSN: 2686-2646 (Onlin.
Available online at:https://sultanist.
id/index.
php/sultanist DEVELOPING A COMPREHENSIVE RISK MANAGEMENT MODEL FOR INTEGRATED ELECTRICITY PROVIDERS: INSIGHTS FROM ISO 22301BASED FINANCIAL IMPACT ANALYSIS Sutarmin.
Lisa Fitriani.
Faculty of Economics and Business.
Dr.
Soetomo University Surabaya.
Indonesia *E-mail: sutarmin2415@gmail.
com, lisaf.
maksi@gmail.
Abstrak Studi ini mengeksplorasi strategi ketahanan keuangan bagi penyedia layanan listrik terintegrasi dalam menghadapi gejolak global, termasuk tekanan regulasi dan transisi energi, ancaman siber, volatilitas nilai tukar, dan gangguan dalam rantai pasokan energi primer.
Analisis ini mengintegrasikan Indeks Kematangan Risiko (Risk Maturity Index/RMI) dan Analisis Dampak Bisnis (Business Impact Analysis/BIA) berdasarkan standar ISO 22301Aiyang umumnya diterapkan pada aspek operasional, tetapi dalam studi ini diperluas ke dimensi keuangan.
Penelitian ini menggunakan pendekatan campuran:
metode deskriptif kuantitatif dan penyelidikan kualitatif melalui studi kasus, wawancara, observasi, analisis dokumen, pengujian stres, pemetaan panas risiko, dan pengujian sensitivitas skenario.
Temuan menunjukkan bahwa perusahaan masih berada pada tingkat kematangan risiko yang rendah (RMI 2.
4 Ae fase pengembanga.
dan menghadapi risiko strategis yang signifikan dalam hal likuiditas, penetapan tarif, keandalan infrastruktur, dan keamanan siber.
Penerapan BIA keuangan memberikan gambaran risiko yang lebih jelas, mengidentifikasi pemicu krisis, dan merumuskan strategi pemulihan yang meningkatkan kemampuan keberlanjutan bisnis.
Studi ini merekomendasikan penguatan manajemen aset, peningkatan kapasitas sumber daya manusia, dan eksplorasi instrumen keuangan untuk mitigasi risiko.
Secara keseluruhan, temuan ini berkontribusi pada pengembangan model manajemen risiko komprehensif yang sangat relevan untuk perusahaan layanan publik strategis.
Kata Kunci: Indeks Kematangan Risiko (RMI).
Analisis Dampak Bisnis (BIA).
Sistem Manajemen Kelangsungan Bisnis ISO 22301 (BCMS) Abstract This study explores financial resilience strategies for integrated electricity service providers in navigating global turbulence, including regulatory pressures and energy transition, cyber threats, exchange rate volatility, and disruptions in primary energy supply chains.
The analysis integrates the Risk Maturity Index (RMI) and Business Impact Analysis (BIA) based on ISO 22301 standardsAicommonly applied to operational aspects, but in this study extended to financial The research employs a mixed approach: quantitative descriptive methods and qualitative inquiry through case studies, interviews, observations, document analysis, stress testing, risk heat mapping, and scenario sensitivity testing.
The findings indicate that the company remains at a low level of risk maturity (RMI 2.
4 Ae developing phas.
and faces significant strategic risks in liquidity, tariff setting, infrastructure reliability, and cybersecurity.
Applying financial BIA provides a clearer risk landscape, identifies crisis triggers, and formulates recovery strategies that enhance business continuity capabilities.
The study recommends strengthening asset management, improving human resource capacity, and exploring financial instruments for risk mitigation.
Overall, these findings contribute to the development of a comprehensive risk management model that is particularly relevant for strategic public service enterprises.
Keywords: Risk Maturity Index (RMI).
Business Impact Analysis (BIA).
ISO 22301 Business Continuity Management System (BCMS) Article History: Received: 23 January 2026 Revised: 05 February 2026 Accepted: 09 February 2026 SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026
INTRODUCTION
The era of globalization and digitalization is characterized by increasing For the electricity sectorAian essential driver of economic and social developmentAiglobal economic volatility, energy price fluctuations, technological disruption, and complex geopolitical risks have intensified financial and operational Under these conditions, financial resilience and sustainable operations become indispensable strategic priorities for electricity providers.
In Indonesia.
PT PLN (Perser.
Batam , the largest electricity provider, plays a vital role in safeguarding national energy security.
With services spanning almost the entire archipelago.
PLN functions not only as a business corporation but also as a strategic entity directly tied to public welfare.
In recent years, however, the company has faced significant financial pressures.
The financial reports from 2019 to 2023 reveal persistent challenges, including a high debt burden, volatility in primary energy prices .
oal and ga.
, and substantial financing needs for clean energy projects and grid Despite initiatives in digital transformation, operational efficiency, and debt restructuring, the risk of financial distress remains, underscoring the need for a systematic and measurable approach to strengthen corporate resilience.
These financial strains have reduced the companyAos capacity to mobilize investment for meeting future electricity demand.
Key performance indicators (KPI) falling below a Risk Maturity Index score of 2.
4 indicates a developing stage.
and Asset Management Level of 15% reflects an insufficient state (AiinnocentAn Such vulnerabilities directly affect technical reliability and corporate reputation, as Customer Satisfaction Index scores.
This paradox is striking given the integrated scope of operations and the vast resources managed by the utility, which holds significant potential to evolve into a corporate-scale However, it remains classified as an individual business scale, falling short of the Systemic A criteria outlined in PER-2/KBUMN/2023.
Business Continuity Management System (BCMS) provides a structured framework to ensure organizational resilience during crises.
At its core lies Business Impact Analysis (BIA), a systematic process for identifying critical operations, assessing potential disruptions, and designing effective recovery strategies.
Through BIA, companies can prioritize essential activities and financial risks, enabling risk management strategies to focus on what is truly vital for long-term (Steen.
Haug.
, &
Patriarca 2.
Integrating Business Impact Analysis with risk assessment and asset prioritization: A 2024 study demonstrates a decision-making model that BIA multi-criteria techniques .
BWMAeTOPSIS) to identify asset criticality and acceptable recovery times.
This approach is particularly relevant for electric utilities managing large, interdependent asset (Aghabegloo at al.
To ensure that Business Impact Analysis (BIA) is applied consistently and aligned with international best practices.
ISO 22301:2019 serves as a globally recognized standard.
It provides a structured framework for organizations to establish effective business continuity management systems by integrating risk identification, impact assessment, and recovery planning into a holistic approach.
Beyond enhancing crisis preparedness, the implementation of ISO 22301 strengthens Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 stakeholder trust, improves operational governance (International Organization for Standardization 2019.
The relevance of ISO 22301 is increasingly evident from various recent DellAoAtti et al.
2024 emphasized that the implementation of ISO 22301 has proven to be able to strengthen organizational resilience, not only in maintaining operational sustainability, but also in protecting financial stability in the midst of a crisis.
Similar findings were also revealed by Durak Uar 2.
and Khan et 2024, which indicates that ISO-certified companies tend to have better financial performance compared to non-ISO The certification improves the quality of governance, risk management efficiency, and investor confidence, which long-term profitability and financial resilience.
In the face of escalating geopolitical, climate, and cyber risks, adopting ISO 22301:2019 with a focus on Business Impact Analysis (BIA) offers PLN a strategic framework for resilience.
BIA enables the company to identify critical processes, set recovery tolerances, and quantify operational and financial impacts, forming the basis for adaptive recovery planning.
Beyond financial protection, this approach reflects PLNAos social responsibility to ensure reliable electricity supply, while evidence from Spain .
8Ae2.
highlights that resilient organizations are better positioned to withstand systemic crises.
The main factor of resilience is the ability to adapt, learn, and integrate business continuity strategies (Jose Sevilla et al.
Several studies have examined the implementation of Business Continuity Management Systems (BCMS).
Based on ISO 22301.
BCMS provides an international framework to safeguard organizational operations during major disruptions.
In the context of electricity companies exposed to global turbulenceAisuch as energy crises, economic instability, natural disasters, and cyberattacksAiBCMS ensures not only technical continuity but also financial Integrating BCMS with risk management strategies and Business Impact Analysis (BIA) organizations to identify critical functions, assess financial impacts, and design recovery strategies aligned with business This importance of conducting gap assessments against ISO 22301 and securing top management commitment to readiness.
(Setiawan.
Waluyo.
, & Pambudi The integration of BCMS into an integrated management system (IMS) strengthens organizational efficiency, risk management, and resilience (PeroviN.
& TodoroviN 2.
Offers a technical framework for integrating Risk Analysis and BIA to support ISO 22301.
Help visualize financial impact (Strelicz and Bognyr 2.
Other research by (Giannakis.
, & Papadopoulos 2.
shows that the success of BCMS is heavily influenced by organizational culture and Most emphasize operational resilience within normative or case-specific contexts.
This article proposes a novel model integrating risk quantification with ISO 22301 through stress-testing regulatory pressures and global dynamics.
The approach strengthens risk maturity, ensures product and service quality, and supports business continuity.
By aligning BCMS with Enterprise Risk Management and Business Impact Analysis, electricity companies can better identify financial operational-economic impacts, and design recovery strategies.
Thus.
BCMS functions not only as compliance but as a strategic instrument for long-term financial and operational Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 This study underscores the academic and practical urgency of adopting ISO 22301Aebased Business Impact Analysis (BIA) as a strategy for financial resilience in integrated electricity Academically, it enriches the literature on the nexus between business continuity management and financial resilience in the energy sector.
Practically, it provides strategic recommendations for PLN and other utilities to strengthen risk management systems that are more robust, adaptive, and capable of sustaining stakeholder trust amid global turbulence.
The urgency of such strategies is reflected in systemic performance indicators over the past three years, where recurrent loss events have emerged.
These include electricity tariffs set below the basic cost of supply, surging primary energy prices unaccompanied by tariff adjustments, and the depreciation of the Indonesian rupiah against the U.
dollar affecting gas imports as a key energy source.
LITERATURE REVIEWS
According to ISO 31000, risk management is a coordinated set of activities and methods designed to guide and control risks that may affect the achievement of organizational objectives (International Organization for Standardization According (Blokdijk 2.
The task of risk management is to manage risk by preventing companies from failure, reducing excessive expenditure from the results of the impact or risk that occurs Other sources (Blokdijk.
Engle.
& Brewster 2.
Risk Assessment through the Risk Maturity Index (RMI).
Risk identification in integrated electricity service providers is conducted using the Risk Maturity Index (RMI) framework.
Referring to Regulation PER-2/MBU/03/2023 State-Owned Enterprise Governance and Significant Corporate Activities, the assessment focuses on detecting potential failures across the chainAifrom processes to service deliveryAiensuring operational continuity and safeguarding customer trust (Kementerian BUMN RI The purpose of the Risk Maturity Index (RMI) assessment is to identify three key aspects: the root causes of failure, the potential impacts arising from such failures, and the criticality level of these impacts.
Business Impact Analysis (BIA) is a systematic process used to identify and evaluate critical business functions whose disruption would significantly affect an organizationAos operations and sustainability (Ramesh 2.
Prioritizing actions and recognizing resource interdependencies as a foundation for effective decision-making (International Organization Standardization 2019.
Business impact assessment using the measurement of the Risk Quantification method (Deputy for Finance and Risk Management 2.
Business impact assessment of crises resulting in disruption or suspension of processes in delivering products and services to customers encompasses three .
roducts/service.
, financial .
, and reputational .
These constitute the primary classifications of business impact Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Table 1: Classification of business impact assessments on product and service aspects Impact level Description Value Insignificant Results in a momentary blackout for <15 minutes at a Results in a 15-minute blackout Ae 1 hour at a time Minor Results in blackout for 1 Ae 3 hours at a time Medium Resulting Ae Signifikan Resulting in blackouts for more than 1 day and/or A small five5 Resulting in rotating blackouts in the time frame year-old .
lackout syste.
Table 2: Classification of business impact assessments on financial/internal business process aspects.
Impact level Insignificant Description The company's business process activities are not disrupted Minor Resulting in the company's business process activities being disrupted in a limited way in 1 unit and not affecting services Medium Resulting in the company's business process activities being disrupted in a limited way in 1 unit and affecting services Signifikan Resulting in limited disruption of the company's business process activities in several A small five-year- Resulting in limited business process activities of the company being disrupted in a wide range Value Table 3: Classification of business impact assessments on reputational/external business process aspects Impact level Description Value Penyelesaian Tuntutan dilakukan melalui Insignificant Penyelesaian Tuntutan dilakukan melalui Minor musyawarah, dengan peran mediator Penyelesaian Tuntutan dilakukan melalui Medium alternatif penyelesaian sengketa Penyelesaian Tuntutan dilakukan melalui proses Signifikan peradilan, mulai dari Pengadilan Negeri.
Banding Pengadilan Tinggi.
Kasasi Mahkamah Agung RI A small five-year- Penyelesaian Tuntutan dilakukan melalui proses Peninjauan Kembali Mahkamah Agung RI.
ISO 22301:2019 offers a structured framework to safeguard business continuity against unforeseen disruptions.
In this study, it underpins the conceptual thinking and workflow design, guiding the organizationAos approach with clarity and resilience.
Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Figure 1.
ISO 22301:2019 framework
METHODS
This study combined qualitative and quantitative approaches to explore Qualitative insights were drawn from case studies and content analysis of interviews.
Quantitatively, the Risk Maturity Index (RMI), stress testing, and sensitivity analysis captured the companyAos resilience against global turbulence, such as energy price surges, currency swings, and cyber Risk heat maps illustrated exposure levels, while the Altman Z-Score highlighted potential financial distress, linking risk assessment directly to organizational sustainability.
Data Analysis Techniques .
Qualitative Analysis: Case study analysis to examine business continuity management practices.
Content .
Quantitative Analysis: Risk Maturity Index (RMI): to measure the level of maturity of risk management.
Stress Testing & Sensitivity Analysis: to simulate global turbulence scenarios .
ising primary energy prices, exchange rate fluctuations, cyber attack.
Risk Heat Map: to visualize the level of risk based on probability and Altman Z-Score: to test the potential financial distress of companies.
RESULTS AND DISCUSSION
In the preparation of the Business Impact Analysis (ISO 22301 Clause 8.
of this financial aspect, considering that the provision of integrated electricity services has the potential to be multi-crisis .
, for the effectiveness of the impactful strategy, the following workflow is determined:
Examine the company's empirical data, vision and mission, as well as stakeholder needs and expectations.
Assess the alignment between the company's vision and mission and stakeholder requirements in achieving Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 performance objectives by reviewing the past three years of empirical data, presented through visualized business within the integrated Figure 2.
Business Processes in an Integrated Electrical Organization Ecosystem The electricity business ecosystem consists of six core pillars: .
Generation as the energy source, .
Transmission for long-distance delivery, .
Distribution to ensure electricity reaches end users, .
Customer Services encompassing sales, billing, and service protection, .
Supporting Functions including finance.
HR.
IT, audit, and risk management, and .
Beyond/Development, which focuses on business diversification such as fiber optics, data centers, and joint ventures.
This value chain is integrated, meaning the success of electricity supply relies on seamless coordination across all stages.
Efficient generation, reliable transmission, equitable distribution, and responsive customer service drive satisfaction, while robust support functions maintain operational health and regulatory Simultaneously, business development ensures future competitiveness.
Risk Maturity Index (RMI) Achievement.
The Risk Maturity Index (RMI), developed based on the Technical Guidelines of RMI SK-8 KBUMN, serves as a benchmark for organizational risk management capabilities.
The overall RMI score of 4 positions the organization in the Developing Phase, below the threshold for the Good Practice Phase (>.
Areas requiring improvement include: .
Dimensional Aspects: Risk Model.
Data, and Technology, scoring 2 (Initial Phas.
Performance Aspects: Health Level scoring 28.
Risk Composite scoring 5, with a score adjustment This assessment highlights specific focus areas for enhancing both structural and operational risk management capabilities.
Table 4: Risk Maturity Index Score Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Financial Performance.
The companyAos financial health was assessed using the Altman Z-Score, which integrates liquidity, profitability, productivity, and equity to highlight critical financial thresholds.
The firm falls into Health Category B .
, while its bankruptcy risk lies in the Grey Area, indicating a high risk of financial distress .
core: 1.
Figure 3.
Altman Zscore Bankruptcy Score Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Risk profile Risk Assessment of the company's Strategic Objectives obtained 13 business risks with 8 strategic risks .
, namely:
Figure 4.
Risk Heatmap Risks with a high or intolerant category .
occupy the most critical position on the company's risk map.
Based on the identification results, there are two main risk First, the risk with the code .
, 03, 05, .
which is categorized as very high because it has a "very likely Ae almost certain" probability of occurring, with a potential financial impact exceeding Rp 116.
93 billion.
Second, risks with codes .
, 04, 07, 13, 23, .
which are also included in the large category and are clearly still outside the tolerance limit as set out in the company's Risk Appetite Statement.
Must be mitigated immediately with additional controls, contingency plans, or risk transfers .
insurance/hedgin.
Strategic risks in the orange category .
, 08, 09, 16, 18, 19, .
are significant threats that have the potential to disrupt the company's performance and sustainability if not controlled.
Strategic risks in the orange category have great potential to disrupt the company's performance, requiring the close supervision of senior management.
Mitigation is focused on prevention through strong governance and adaptive contingency plans to protect business sustainability and stakeholder trust.
The moderate risks marked in the yellow category .
, 14, 15, 17, .
indicate that although the threat level is still relatively acceptable, it still has the potential to develop into more serious if not managed appropriately.
Therefore, a balanced management approach through periodic reviews is needed to ensure that risks remain under control, as well as the implementation of effective mitigation strategies so that they do not increase into strategic risks that can disrupt the sustainability of the Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 This approach reflects a proactive and thoughtful attitude in maintaining stability while encouraging a culture of vigilance in the work environment.
The Low Risk Ae Conservative (Gree.
category reflects conditions where the potential impact and probability of risk are relatively small so that they are still within acceptable limits.
In this context, risk does not cause significant disruption to the sustainability of business processes, so no major strategic intervention is required.
The right approach is to carry out routine monitoring mechanisms consistently so that any potential escalation can be detected early.
Thus, organizations can continue to operate as business as usual while ensuring vigilance and readiness in the event of a change in the risk environment.
Asset Management Maturity Level Based on the results of the evaluation of the six main elements in the asset management framework, the organization shows an average maturity level of 15%.
This figure indicates that the overall asset management process is still at the initial level, where the approach applied is generally reactive, not well documented, and not systematically integrated.
Figure 5.
Asset Maturity Level Strategy & Planning .
%): The maturity level is still low.
Asset planning has not been fully integrated with long-term business strategies.
Implications: Risk of asset management directions that are not in line with organizational goals.
therefore it is necessary: Preparation of asset management policies and strategic plans based on asset Asset Management Decision Making .
%): The process of making decisions related to assets is starting to exist, but it is still limited to operational aspects.
The implications that occur are potentially sub-optimal decisions because they are not based on long-term risk, cost, and benefit analysis.
Therefore, it is necessary to have a risk-based decision-making framework and business case analysis.
Life Cycle Delivery .
%) Ae Highest.
The most advanced aspect compared to the There is already a practice in managing the asset lifecycle .
rocurement, operation, maintenance, and dispositio.
The implication is that efficiency has begun Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 to be seen, although it is not yet consistent.
Therefore, it is necessary to optimize asset life cycle cost analysis so that the asset value is maximized.
The low availability of asset information .
%) indicates the weak quality of data, which has not been fully digitized and is often inaccurate.
This condition has an impact on difficulties in strategic and operational decision-making due to the limited availability of reliable information.
Therefore, the development of an integrated asset information system, such as the Asset Management System or Computerized Maintenance Management System (CMMS), is needed to improve accuracy, consistency, and ease of access to data, thereby supporting more effective and sustainable asset management.
Organisation & People .
%): Human resource capabilities in organisations can be categorized at a moderate level, but still face the fundamental challenge of not having a strong asset management culture in place.
This condition causes employee competence to be uneven, so it has the potential to cause errors in maintenance and asset management.
To reduce these risks, strategic interventions are needed in the form of structured training programs, asset management certification as a standard of professionalism, and the implementation of change management in order to create collective awareness and a consistent work culture in asset management.
Risk & Review has only reached 17%, meaning that the risk evaluation and performance review functions are already in place but not yet in place.
This makes asset risk not optimally monitored.
To improve this condition, companies need to strengthen risk registers, regularly conduct asset audits, and build a continuous evaluation cycle so that risks can be controlled more effectively.
Risk Assessment, identifying business process risks that have the potential for crisis, available resources, and bonds or obligations that must be fulfilled related to products/services in the form of SLAs .
ervice level agreement.
Table 5.
Critical Business Function Business Business Business Proces Level 0 Proces Level 1 Proces Level 2 Directorat Division Hasil Kritikalitas Kuisioner Critical Result Pertimbangan (Keputusan Manajemen Akhi.
Critical Critical Core Business Operation Pembangkitan Operation & Penyaluran Director Operation Division Supporting Finance Penjualan Finance Director Finance Division Non Critical Critical Critical Core Business Services Distribusi & Pelayanan Pelanggan Bussines & Commercial Director Bussines Division Critical Critical Critical Supporting Hubungan Human Masyarakat & Capital Director Corporate Secretary Division Non Critical Critical Critical Corporate Secretary Some activities are categorized as critical because they have the potential to cause serious obstacles or even complete termination of business activities if not managed properly.
Identification through the questionnaire, from the results of the questionnaire, there are activities that are assessed as Critical and some are Non-Critical.
However, even Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 though there are activities that were initially assessed as Non-Critical by the respondents, management considerations still designate them as Critical because they consider strategic impacts.
SLAs, and the linkages between business processes.
Management considerations, management classifies all activities on the table as Critical, including those originally considered Non-Critical.
This indicates significant consequences for service.
SLA compliance, and operational continuity if these activities are disrupted.
Implications for Service and SLA (Service Level Agreemen.
Critical activities are directly related to an organization's obligations to meet SLAs to customers and business partners.
Failure of any of the critical activities will cause: .
Service interruption .
elay, error, or downtim.
Financial risk due to SLA penalties or compensation to customers.
Reputational loss due to declining customer trust.
Legal and compliance risks in the event of a breach of the service contract.
Resources and Liabilities, to maintain the continuity of critical activities, the company must ensure the availability of key resources in the form of: .
Human resources are trained and competent in the management of core processes.
Reliable IT infrastructure & information systems, with backup & redundancy.
Contingency procedures and recovery plans that are in line with Business Continuity Management (BCM) and ISO 22301 standards.
Assign interested parties: interest party, dependent, independent of the company's business process.
Tabel 6.
List of Interested Parties Stakeholder Names Internal Ekstern Oo Government/Regulator Function/Process Relationship Dependency Dependent Oo Interested Parties Oo PT PLN (Perser.
Oo Oo Oo Oo Employee Oo Oo Oo Oo Oo Oo Oo Oo Oo Oo .
Customers, .
Community .
n Bata.
, .
PLN
utside Bata.
, .
Sub Holding (Icon .
Indonesia Power.
PLN EPI).
Labor union Oo Oo Descriptions Political functions .
Administrative functions .
the main shareholder for strategic corporate decision-making.
Partner in the achievement of strategic objectives Business Process Implementer and Owner Risk External customers/service users where PT PLN must provide excellent service Unions are representatives of accordance with the Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Stakeholder Names Internal Ekstern Partners/ Suppliers Oo Mass media Oo Function/Process Relationship Dependency Dependent Oo Interested Parties Oo Oo Descriptions collective labor agreement, synergize with management in achieving the company's strategic As a partner of the service/product provider in supporting related business process activities in the contract within a certain time that is mutually necessary and beneficial.
Communication Media in corporate Setting a Trigger Level is a trigger level or trigger threshold in the form of a certain value or condition that when reached or exceeded will trigger a certain action or response.
Trigger Level is a threshold set on a company's financial indicators.
When the value of an indicator reaches or exceeds this limit, this will be an early warning signal for management to immediately take corrective action or implement a recovery plan.
In the data below, each indicator has three trigger levels: .
Safe Level (Norma.
E conditions are still healthy, low risk, no need for major intervention.
The Alert Level (Moderat.
E begins to show deviations from the target, management needs to monitor closely and prepare mitigation measures.
Crisis Level (Critica.
E indicator has passed the threshold, significant risk, must take immediate action or activate the Recovery Plan.
Capital (Debt to Equity Rati.
Current value: 2.
till in the safe zon.
However, if it rises to 2.
nter aler.
If it reaches 3.
00 crisis zones, it means that the capital structure is too heavy and endangers financial sustainability.
Liquidity (ICRC & CR): ICRC is currently 3.
If it drops to 2.
If it falls 00 .
ndicates that the ability to pay short-term obligations has decreased The same for CR (Current Rati.
: below 0.
74 means a liquidity crisis.
Profitability (ROE.
ROA.
EBITDA.
EBITDA Margi.
: The current ROE is 0.
%),
still safe.
If it drops to 0.
If it falls to 0.
he crisis Ie indicates that the ability to generate profits for shareholders is very lo.
The same pattern applies to ROA.
EBITDA, and EBITDA Margin.
Asset Quality (Non-Performing Asset / NPA).
Currently 0.
till saf.
If it rises to 0.
If it reaches 0.
risis Ie indicates a lot of problematic/unproductive asset.
Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Limiting the impact of the financial C Risk Limit .
Rp.
146 Billion.
C Risk Appetite .
Rp.
Trillion, and C Risk Tolerance .
Rp,.
Trillion.
The Recovery Plan starts to be executed if a loss .
isk even.
exceeds the Risk Tolerance.
Figure 6.
Financial Level Triggers Relationship with Risk Limit Ae Appetite Ae Tolerance Risk Limit (IDR 146 Billio.
means the maximum loss limit that is still considered safe.
Risk Appetite (Rp 1.
91 T) means a level of risk that can still be tolerated in a state of Risk Tolerance (Rp 2.
11 T) means the alert limit.
if the loss exceeds this figure, the Recovery Plan should be implemented immediately.
Thus, the Trigger Level on each indicator serves as an early signal before the actual loss exceeds the Risk Tolerance limit.
Mapping the components of the recovery matrix:
Table 7.
RTO.
RPO.
MAO.
MBCO Recovery Matrix
Critical Systems Freq
RTO MAO
MBCO
Blackout .
idespread 2x/year System on grid hours hours protection must remain running to prevent Cyber attacks 3x/year AP2T & hours hours SCADA Customer Service App Keeps Running Priority Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026
Critical Systems MPP generator breakdown
Freq
2x/year RTO
MAO
MBCO
Memenuhi hours EAF 80% .
nergy Supply chain .
hortage 3/year 5 HOP fuel gas/coa.
days available .
in coal if gas Outbreaks/disasters/fires 1x/year Telkom's days internal service and systems continue to run Riots/demonstrations/coups 2x/year Operations run of National Vital Objects hours hours according to TMP (SLA) Supply Chain .
4/year Ensuring that days hours the emergency PBJ process continues to Compliance/Legal (Tariffs, 3x/year Operations run lawsuits, licensin.
month month according to TMP (SLA) Liquidity (Receivables, 5x/year Cashflow HGBT.
Exchange rate month month maintained by operating costs for the next 6 Priority Recovery Point Objective (RPO), and Recovey Time Objective (RTO) in the event of an identified crisis MAO (Maximum Acceptance Outag.
MBCO (Minimum Business Continuity Objectiv.
Analyze the financial impact on the product/service .
rom the cause of the operational, financial, reputational crisis of the compan.
Table 8.
List of Critical Systems and Their Impacts No Critical Systems Critical Finan Reputat Operat Prod Functions cial Blackout (Widespread blackout.
on grid Cyber attacks KITRAN.
BID OPS
INFRA,
Risk (Qual/Qu Quantitati Quantitati Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 No Critical Systems Critical Functions DISYAN MPP generator UB BES.
BID OPS
Supply chain
BID OPS,
hortage gas/coa.
BID REN
Outbreaks/disasters/ BID
HCGA,
BID
OPS/K3L
Riots/demonstration SETPER
s/coups of National Vital Objects Supply Chain
BID
onstruction MANPRO
DISYAN
Compliance/Legal SETPER (Tariffs, lawsuits.
Liquidity BID KEU, (Receivables.
BID REN.
HGBT.
Exchange UB BES rate weakenin.
Finan Reputat Operat Prod Risk (Qual/Qu Quantitati Quantitati Qualitativ Qualitativ Qualitativ Qualitativ Quantitati Based on the table, the analysis of the financial impact on the product/service can be reviewed from the relationship between the causes of the operational, financial, and reputational crises of the company.
Blackouts on the grid cause substantial direct financial losses, including lost revenue and recovery costs.
Service disruptions severely impact customers, eroding trust and highlighting the vulnerability of a companyAos reputation when core operations are Cyber Attacks.
Cyberattacks carry financial implications through system recovery costs and potential data loss.
Digital services, including customer applications and SCADA systems, may be disrupted, adversely affecting customer experience.
Corporate reputation is also at risk, as the public often gauges credibility based on security standards.
MPP Generator Breakdown.
Engine breakdowns have an impact on repair costs and loss of energy production capacity.
Customers can feel a decrease in supply reliability, which affects satisfaction and perception of service quality.
The reputation as a reliable energy provider will be eroded if this problem is repeated.
Supply Chain (Shortage Gas/Coa.
The limited supply of primary energy poses an additional financial burden as it has to look for emergency alternatives at high prices.
Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Electrical products/services have the potential to be disrupted in their continuity, which can worsen the company's image as a safe and stable energy provider.
Outbreak/Disaster/Fire.
Disaster crises have caused significant financial losses, both from asset damage and reduced operating capacity.
Public services are temporarily halted, lowering user satisfaction.
The company's reputation can be affected because the public sees the inability to manage the crisis in a responsive manner.
Civil unrest, demonstrations, or coups targeting critical national infrastructure increase security costs and operational recovery efforts.
Service disruptions can halt essential public services, while the companyAos reputation may be perceived as fragile due to its inability to maintain stable operations amid socio-political turmoil.
Construction material supply delays escalate project costs and strain company budgets.
These delays hinder energy infrastructure development and are perceived by the public as operational inefficiency, potentially undermining long-term corporate reputation.
Compliance/Legal (Rates.
Litigation.
Licensin.
Legal risks impose financial burdens through fines or lawsuits.
Public services may be disrupted due to regulatory From a reputational perspective, non-compliance can signal irresponsibility, undermining stakeholder trust.
Liquidity (Receivables.
HGBT.
Currency Depreciatio.
Liquidity crises reduce a companyAos ability to finance operations, threatening service continuity and long-term electricity supply quality.
Public perception of financial instability can erode reputation and competitiveness.
Conducted stress testing as mandated by the Ministry of State-Owned Enterprises.
Sensitivity analysis of combined unfavorable variable changes increases the breakeven production cost (BPP), thereby reducing margins.
Tariffs fall below sustainable BPP if adjustments are not aligned with changes in primary energy prices.
Skenario Baseline (Norma.
Gas Prices Rise Tabel 9.
Stress Testing Scenario Total Trigger Loss Stress Percentage Level Event Recovery Plan Assumptions of Impact (Rp (IDR Billio.
Billio.
No stress Aman Gas price increase of Fire Fire incident, damage to 21% of assets Depreciation Exchange rate Rate Down < RUP Revenue Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung Set up a price control strategy & renegotiate supply contracts Strategy: fire safety mitigation Strategy: hedging & diversification of income Strategy: cost efficiency, long42 SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026
Skenario
Cyber
Attack
(SCADA)
Multi-Stress (Combined Stres.
Stress
Assumptions compared to RUP by 31% Cyberattacks that impact 2% A combination of rising gas
prices, rate
fires, cyber
attacks, and a decrease in RUP
Percentage of Impact
Total
Loss
Event
(IDR
Billio.
Total:
26% 31% Trigger Level (Rp Billio.
Recovery Plan term contract Strategy:
systems, routine IT audits, disaster recovery plan Integration of all recovery plans.
Table 10.
Matrik Stress Testing Improvement General Recommendations Aspects/Elements Person in Explanation (Corrective & Tested Charge (Justificatio.
Preventive Action.
Financial Review the Risk EIA & Risk assumptions on the Management & Assessment .
uch as EIA.
basis of financial Finance need to be used risk calculation in Division EIA and ERM.
accurately by more realistic market data.
Unrealistic Develop scenarios Finance & Business growth makes of varying levels of Supervision Development financial risk complexity .
Division Aspects moderate, sever.
need to be Focus on more realistic long-term BMP Financial Establish additional Business Business is sufficient, protocols for BMP Planning & Development Target Time 3 months 6 months 3 months Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 Improvement Recommendations Aspects/Elements (Corrective & Tested Preventive Action.
but the Financial scenarios Plan readiness of in the event of Recommendations plan needs to of internal procedures for the redistribution of funds & crisis Testing Program Financial stress Conduct a financial testing is very testing process at (Exercise limited, it least once a year.
Programm.
needs to be Involving multidone more often and with simulations focus more varied on financial Reserve funds Increase liquid cash Resources & capital Build buffer are still broader minimal, prone relationships with to shocks.
various financial Internal Develop a Communication communication proactive financial is not optimal, risk communication external needs plan for to be .
egulators, operators, the Some teams Train the Comparison & need further management team Training training in related to financial decisiondecision making, making under stress test simulation, and benchmarking best practices in similar General Explanation (Justificatio.
Person in Charge Target Time Finance Division Business Planning Division Every Year Finance Division Sustainable Communication, 3 months Management & Finance Division HR & Business Planning Division 6 months Discussion Copyright A 2026.
SULTANIST: Jurnal Manajemen dan Keuangan Sekolah Tinggi Ilmu Ekonomi Sultan Agung SULTANIST: Jurnal Manajemen dan Keuangan.
Vol 14 .
S).
February 2026 nal economic outcomes.
CONCLUSION
Low Risk Maturity Level.
The integrated electricity company under study remains at a Risk Maturity Index (RMI) of 2.
eveloping phas.
, indicating that its risk management system is suboptimal and has yet to reach best practice standards.
High Financial Vulnerability.
Financial analysis using the Altman Z-Score indicates that the company falls within the Grey Area, reflecting a high risk of financial distress.
Key drivers include declining liquidity, selling prices below the cost of production, and volatility in primary energy prices.
Strategic and Operational Risks: Among 13 identified business risks, eight are classified as high-level strategic risks .
, encompassing liquidity, tariff policies, infrastructure reliability, adequacy of primary energy, and cyber threats.
Weak Asset Management.
Asset Management Maturity Level has only reached 15%, which means that the asset management process is still in the early stages, reactive, and not yet integrated.
The implementation of Business Impact Analysis (BIA) based on ISO 22301 provides a comprehensive risk map, identification of critical activities, financial trigger levels, and recovery strategies.
This demonstrates that BIA serves as a vital instrument for enhancing financial resilience and ensuring the business continuity of electricity Risk Management Enhancement:
Elevate the Risk Maturity Index (RMI) toward the Aigood practiceAn phase (>.
by improving risk model, data, and technology dimensions.
Integrate Enterprise Risk Management (ERM) with BCMS and BIA to ensure preparedness for multi-dimensional crises.
Asset Management Optimization:
Enhancing asset maturity through a documented, integrated, and digitally driven management system.
Implementing predictive maintenance and real-time monitoring technologies to mitigate operational disruption risks.
Financial Diversification Instruments:
Investigating hedging strategies to mitigate risks from primary energy price volatility and foreign exchange fluctuations.
Promoting revenue diversification through renewable energy development and digital service offerings.
Enhancing Human Resource Capacity:
Providing intensive training on Business Continuity Management.
ISO 22301, and financial risk analysis.
Fostering an organizational culture that is adaptive and resilient to global changes.
Top Management & Stakeholder Engagement:
Position ISO 22301 implementation as a strategic corporate priority rather than mere administrative compliance.
Enhance communication with regulators, investors, and the public to strengthen trust and corporate legitimacy.
REFERENCE