International Journal of Cyber and IT Service Management (IJCITSM) Vol.
No.
October 2025, pp.
156Oe170 E-ISSN: 2808-554X | P-ISSN: 2797-1325.
DOI:10.
ye A Structural Model of Risk Governance and Maturity in Ultra Microfinance SOEs Eko Susetyono1* .
Dominicus Savio Priyarsono2 .
Anggraini Sukmawati3 .
Popong Nurhayati4 1,4 School of Business.
IPB University.
Indonesia 2,3 Faculty of Economics and Management.
IPB University.
Indonesia 1 ekosusetyono@apps.
id, 2 priyarsono@apps.
id, 3 anggrainism@apps.
id, 4 popong@apps.
*Corresponding Author
Article Info
ABSTRACT
Article history:
The Indonesian government has set a target for State-Owned Enterprises (SOE.
to achieve a risk management maturity level of 4.
2 out of 5 by 2024.
This objective is especially crucial following the consolidation of BRI.
Pegadaian, and PNM into the Ultra Micro SOEs Holding.
The integration process introduces new risks that require robust governance and control mechanisms.
This study investigates how key risk management components namely governance, frameworks, processes, and internal controls contribute to strengthening risk management maturity in the Ultra Micro holding structure.
Using Structural Equation Modelling (SEM), the research explores complex interrelations among these elements based on survey data from 644 respondents across the three SOEs.
The findings confirm that most variables significantly influence one another and collectively support a sound model for maturity enhancement.
However, the study also uncovers two statistically insignificant relationships:
between the framework and the process, and between the process and overall These anomalies indicate the potential presence of mediating variables or implementation gaps that reduce the practical effectiveness of formal structures.
The study concludes that a strong foundation in governance and internal control can meaningfully support risk maturity, but effective process execution may require further contextual and operational alignment.
These results offer strategic insights for improving risk practices in SOEs and emphasize the need for future research to investigate hidden dynamics that may affect risk maturity Submission April 8, 2025 Revised May 27, 2025 Accepted August 27, 2025 Published September 9, 2025 Keywords:
Integration Risk Management Maturity SOEs Holding Ultra Micro
SEM
This is an open access article under the CC BY 4.
0 license.
DOI: https://doi.
org/10.
34306/ijcitsm.
This is an open-access article under the CC-BY license .
ttps://creativecommons.
org/licenses/by/4.
AAuthors retain all copyrights INTRODUCTION Risk management plays a key role in the banking business and Financial Services Institutions (FSI.
in general.
The monetary crisis that hit Indonesia in 1998 exposed the weaknesses in the implementation of risk management in the banking industry.
In 2003.
Bank Indonesia, the central bank of the Republic of Indonesia, which at that time was the regulator and supervisor of the banking industry, issued regulations on the implementation of risk management for banks.
This regulation was amended several times by the Financial Services Authority, covering financial conglomerates .
and Non-Bank FSIs .
, with a regulatory structure that refers to four elements/variables in line with the Sustainable Development Goals (SDGs .
Journal homepage: https://iiast.
iaic-publisher.
org/ijcitsm/index.
php/IJCITSM/index International Journal of Cyber and IT Service Management (IJCITSM) ye A Active supervision of the Board of Directors and Commissioners (Risk Governance (TKR)).
A Policies, procedures and risk limit setting (Risk Management Framework (KKR)).
A Risk identification, measurement, monitoring and control processes and risk management information systems (Risk Management Process (PMR)).
A Internal control systems (SPI) .
Risk governance encompasses leadership, structure, and culture that shape top-level risk oversight.
The risk management framework provides the policies, procedures, and tools for identifying and monitoring risks, while the risk management process focuses on practical steps such as identification, assessment, and control.
Together, these components ensure structured and effective risk handling within regulated organizations and help make complex concepts more accessible to broader audiences.
Based on Government Regulation (PP) No.
73/2021 on BRIAos State Capital Participation (PMN) .
, the Ministry of SOEs officially formed the Ultra Micro SOEs Holding of three SOEs that both serve groups of micro entrepreneurs, namely PT Bank Rakyat Indonesia (Perser.
Tbk which is then designated as the main entity, and consists of PT Pegadaian and PT Permodalan Nasional Madani (PNM).
This corporate action, among others, is intended to increase access to financing for groups of micro entrepreneurs to ultra-micro loan facilities with a maximum loan value of Rp.
10,000,000, - .
en million rupia.
per customer.
The Covid-19 pandemic that hit Indonesia in early 2020 had an adverse impact on the economic activities and business performance of SOEs.
The tendency to increase the risk of the business environment was responded by the controlling shareholders by strengthening the risk management of SOEs through the Regulation of the Minister of SOEs No.
PER-5/MBU/09/2022 .
on the Implementation of Risk Management in SOEs which has elements of risk management implementation similar to OJK regulations and government regulations.
In the context of these economic challenges, restructuring strategies through mergers and acquisitions are one of the important alternatives for SOEs to strengthen their competitive position, optimise resources, and reduce the risk of loss amid the market uncertainty posed by the pandemic.
Although corporate actions .
ergers and acquisition.
carry high risks as they often do not fully realise potential synergies and deliver the required value creation outcomes, many companies still choose this inorganic growth strategy .
To realise the synergy potential of the Ultra-Micro SOEs Holding, whose members each have networks in all geographical corners of Indonesia, integration of existing business and operational activities is required.
Stated that the post-acquisition integration process at the corporate level plays an important role in the long-term performance of the company, especially in companies whose business units are interdependent and spread over a wide geographical area.
To mitigate the risk of corporate actions failing to deliver the expected synergies, a post-merger and acquisition integration plan is required .
An effectively executed integration plan is not only proven to influence the success of corporate actions, but can also provide meaningful input/information for activities carried out in the early phases of corporate actions such as valuation processes, due diligence and even for the decision to buy the company.
Integration planning also helps ensure that integration can occur quickly and efficiently once the merger and acquisition transaction is finalised .
, .
Mergers and acquisitions often trigger major changes, including management shifts .
, which carry inherent risks requiring integration into existing risk management.
While risk management mitigates adverse impacts, change management ensures effective execution .
This study assesses how key risk management components influence the maturity of Ultra Micro SOEs Holding in Indonesia, aiming to enhance synergy from corporate actions and provide strategic recommendations for improving risk governance.
THE COMPREHENSIVE THEORETICAL BASIS
Literature Review The Strategic Plan 2020Ae2024 issued by the Ministry of SOEs highlights several strategic challenges that continue to affect SOEs.
Among them are the absence of integrated development strategies that align upstream and downstream activities across sectors, ongoing internal competition and overlapping business operations within the same industries, and the limited capacity for innovation and differentiation that hampers In response to these issues, the formation of the Ultra-Micro SOEs Holding aims to generate synergy through a range of initiatives.
These include offering a complete set of products tailored to the needs ye
E-ISSN: 2808-554X | P-ISSN: 2797-1325
of ultra-micro customers, improving access to financial services through affordable and widespread channels such as Co-location efforts and the optimized BRILink Agent network, and utilizing digital innovations like AI & Data Analytics to enhance customer service and strengthen risk management.
Additionally, the initiative includes an integrated and digitalized sales approach through the Senyum Mobile platform, expands access to the micro payment ecosystem and other financial services like insurance and investment, and focuses on empowering ultra-micro clients so they can eventually graduate into the micro business sector.
Synergy remains a central factor in mergers and acquisitions, influencing both strategic decisions and performance assessments.
The synergy hypothesis views synergy as the main driver of such actions, while the synergy inflation argument warns that overestimating synergy often leads to failure.
Still, synergy is achievable and can significantly enhance the value of merged entities.
To realize this, leaders must implement strategies that avoid common integration pitfalls.
Metaphors like Ay2 2 = 5Ay reflect the potential for added value through successful integration.
However, due to the complexities of post-merger processes, careful attention is needed to manage the risks involved.
Risk management refers to the process of identifying and carefully managing potential risks associated with investment decisions .
As a company evolves, it naturally develops a business portfolio characterized by a specific risk profile, which in turn influences the extent to which its strategic objectives can be achieved.
From a theoretical standpoint, the risk exposures arising from various business decisions may interact in different ways they might offset one another, amplify overall risk, or exist independently.
Therefore, effective risk management requires not only assessing individual risk exposures but also understanding how these exposures are interrelated within the broader risk landscape .
Several studies have demonstrated that Enterprise Risk Management (ERM) contributes significantly to enhancing organizational performance .
Ae.
These findings emphasize that ERM should be implemented in an integrated, comprehensive, and strategically aligned manner.
Consolidating diverse risk management activities that are often fragmented across various business units can generate substantial value for the organization.
Furthermore.
ERM supports the effective handling of risks at the subsidiary level by employing integrated frameworks designed to address the distinct complexities faced by Financial Services Holding Companies.
Evidence also suggests that banks operating under such holding structures demonstrate superior performance and more robust risk control compared to conventional banking institutions .
Regulation of the Minister of SOEs Number PER-01/MBU/2011 concerning the Implementation of Good Corporate Governance (GCG) in SOEs serves as a foundational effort to enhance SOEs performance through the adoption of structured governance practices .
This regulation mandates that every SOEs must prepare a GCG manual, which includes a board manual, risk management guidelines, internal control systems, mechanisms for reporting suspected irregularities, governance of information technology, and a formal code of conduct.
It emphasizes the importance of top-level commitment or tone from the top in embedding risk management into the core of SOEs operations, which must be reflected through the following directives:
A The Board of Directors is required to assess business risks in every decision and action taken.
A The Board of Directors must design and implement an integrated corporate risk management program as a component of the broader GCG initiative.
A The implementation of this risk management program may be conducted either by establishing a dedicated risk management unit under the Board of Directors or assigning a relevant existing unit to take on the risk management responsibilitie.
A The Board of Directors is obligated to include the companyAos risk profile and its corresponding mitigation efforts in routine company reporting.
Furthermore.
PER-5/MBU/09/2022 .
mandates the application of risk management practices for both individual SOEs and those within conglomerate structures.
These practices must encompass active oversight by the Board of Directors and Commissioners, the establishment of adequate policies, standardized procedures, and risk limits, as well as the implementation of robust processes for risk identification, assessment, monitoring, and control, all supported by a reliable risk management information system and an integrated internal control system.
Leadership and organizational risk culture are fundamental aspects of risk governance, with the commitment of the Board of Commissioners and Directors, especially in setting a strong Aotone from the topAo being International Journal of Cyber and IT Service Management (IJCITSM).
Vol.
No.
October 2025, pp.
156Ae170 International Journal of Cyber and IT Service Management (IJCITSM) ye crucial for aligning diverse corporate cultures and mitigating integration risks post-corporate actions .
The maturity of risk management implementation is closely tied to the mindset and engagement of these top executives.
When ERM is supported by participatory leadership, it enhances risk practices through broader employee involvement and a more cohesive ERM framework .
Distributed leadership further aids in overcoming cultural differences and operational barriers during integration.
In the context of Ultra Micro SOEs Holding, collaboration and active engagement from leaders of BRI.
Pegadaian, and PNM are essential to ensure seamless integration.
Top management must also drive the alignment of operational functions and manage human resources effectively to reduce resistance during organizational change .
At the same time, fostering a strong risk culture is key to aligning short-term actions with long-term strategic goals, ensuring a balanced risk-reward perspective.
This culture, shaped by ongoing transitions such as mergers, may evolve into various sub-cultures that nonetheless retain the core values of the organization.
The ERM framework establishes clear accountability for all types of risk by promoting a structured, integrated approach supported by a strong risk culture.
Unlike traditional models focused solely on loss prevention.
ERM adopts a value-driven perspective, positioning risk as a source of opportunity .
Since its emergence in the mid-1990s.
ERM has aimed to unify risk oversight across organizational levels, enhancing both strategic and operational decision-making .
Recent studies using SEM have explored risk management maturity in SOEs, confirming its value in analyzing links between governance and maturity.
The risk management process relies on strong systems and skilled staff but often faces issues such as staffing shortages, skill gaps, and limited funding.
Timely data is critical, especially after mergers, where poor response has led to failures in crisis resilience.
ERM maturity develops gradually through continuous improvement and adaptation to evolving risks.
The internal control system instituted by a companyAos Board of Directors must be capable of functioning effectively across all operational units.
This system encompasses independent oversight mechanisms, which are executed by both the Risk Management Unit and the Internal Audit Unit.
As a fundamental component of managerial practices, internal control ensures that established policies and procedures are consistently translated into intended outcomes.
Within the framework of the Three Lines of Defense model, the second line, represented by the risk management function, is responsible for designing and maintaining the risk management framework.
Meanwhile, the third line, which is the internal audit function, carries out independent evaluations, conducts testing, and provides constructive challenges to assess and enhance the effectiveness of the system, as emphasized by the Institute of Internal Auditors in 2013.
In 2020, the Institute of Internal Auditors (IIA) refined this concept through the introduction of the three-line model, which further clarifies the respective roles of the first, second, and third lines in supporting the achievement of organizational goals and in the overall governance of corporate risks.
The internal audit unit, in this structure, plays a critical role in assessing the efficiency of risk management practices carried out by the first and second lines, and in offering strategic recommendations aimed at enhancing the organizationAos performance and risk resilience.
Referring to the 2020Ae2024 Strategic Plan of the Ministry of SOEs, the Ultra Micro SOEs Holding is expected to reach a risk management maturity level of 4.
2 on a five-point scale by the end of 2024.
A higher degree of risk management maturity is associated with greater potential benefits in supporting the achievement of the companyAos strategic and performance objectives.
THEORETICAL FRAMEWORK
The aforementioned studies serve as the theoretical foundation for constructing the research framework presented in this study.
The independent variables encompass key dimensions relevant to risk management practices.
Risk Governance (TKR) refers to elements of leadership and organizational risk culture.
Risk Management Framework (KMR) involves the strategic approach to risk, supported by risk management tools, formalized policies, procedures, and the establishment of risk limits.
Risk Management Process (PMR) captures the sequential stages of risk handling, including identification, assessment, monitoring, and control, along with the supporting role of risk information systems and human capital.
Risk Control System (SPI) is carried out through independent oversight by the Risk Management and Internal Audit Units.
E-ISSN: 2808-554X | P-ISSN: 2797-1325
Table 1.
Risk management Implementation Factors of Financial Services Institutions Factor Reference Adaptation of Standards and Regulations Risk Governance (Leader- .
, .
BI .
OJK .
, .
SNI ISO 31000 .
ship and Cultur.
Ae TKR BUMN .
Risk Management Frame- .
, .
BI .
OJK .
, .
SNI ISO 31000 .
work Ae KMR BUMN .
Risk Management Process Ae .
, .
, .
, .
BI .
OJK .
, .
SNI ISO 31000 .
PMR
BUMN .
Internal Control System Ae .
, .
, .
, .
IIA BI .
OJK .
, .
SNI ISO 31000 .
SPI
Books in 2013 & 2020 BUMN .
Risk Management Maturity .
, .
, .
BI .
OJK .
, .
SNI ISO 31000 .
Ae MMR BUMN .
The dependent variable in this study.
Risk Management Maturity (MMR), is conceptualized through several key dimensions, including leadership effectiveness, the robustness of risk management processes, the experience and competency of human resources, and the practical application of risk management within business operations.
As shown in Table 1, to investigate both the direct and indirect influences among the identified risk management implementation factors, the following hypotheses were formulated and tested within the framework of a structured causal model.
The factors analyzed include Risk Governance (Leadership and Cultur.
Ae TKR.
Risk Management Framework Ae KMR.
Risk Management Process Ae PMR.
Internal Control System Ae SPI, and Risk Management Maturity Ae MMR, each supported by references and aligned with regulatory standards from BI.
OJK.
BUMN, and SNI ISO 31000.
This shows that risk management implementation in financial services institutions is grounded in academic studies while also consistent with national regulations and international standards.
H1: Risk Governance is hypothesized to influence the structure and design of the Risk Management Framework.
H2: Risk Governance is expected to have an impact on the execution of Risk Management Processes.
H3: Risk Governance is proposed to affect the functioning of the Risk Control System.
H4: Risk Governance is assumed to contribute to the overall maturity of Risk Management.
H5: The Risk Management Framework is presumed to influence the implementation of Risk Management Processes.
H6: The Risk Management Framework is expected to play a role in determining Risk Management Maturity.
H7: RRisk Management Processes are hypothesized to affect the level of Risk Management Maturity.
H8: The Risk Control System is assumed to influence the development of the Risk Management Framework.
H9: The Risk Control System is proposed to impact the execution of Risk Management Processes.
H10: The Risk Control System is expected to have a direct effect on Risk Management Maturity.
The concept of the model framework and hypothesis of this study is as described below:
Figure 1.
Path Coefficients International Journal of Cyber and IT Service Management (IJCITSM).
Vol.
No.
October 2025, pp.
156Ae170 ye International Journal of Cyber and IT Service Management (IJCITSM) Figure 1 illustrates the relationships among the variables in the research model through path coefficients.
Each arrow represents the direction of influence between the main variables, namely Risk Governance.
Risk Management Framework.
Risk Control System.
Risk Management Process, and Risk Management Maturity.
This visualization emphasizes that the effectiveness and maturity of risk management are not determined by a single factor, but rather by the interaction of several interrelated components.
Thus, the figure provides a clearer understanding of the complexity of relationships within the risk management system.
RESEARCH METHODOLOGY
SEM is a second-generation statistical method used to analyze complex relationships between variables, particularly involving latent constructs assessed indirectly through observable indicators.
As a multivariate technique.
SEM accounts for measurement errors and explores how measurable survey responses .
anifest variable.
represent abstract concepts .
atent variable.
that cannot be directly observed.
In theory.
SEM comprises two core components: the measurement model and the structural model.
The measurement model represents the relationship between observed .
and latent .
variables, focusing on the assessment of reliability and validity.
In contrast, the structural model illustrates the causal relationships among latent .
variables and explains the proportion of variance both explained and unexplained within the model.
SEM serves as a powerful analytical tool for examining complex intervariable relationships and uncovering underlying patterns in multivariate data.
In this study, data were gathered through a questionnaire survey administered via Google Forms in 2023, resulting in a total of 644 valid responses, distributed as follows: 276 from BRI, 179 from Pegadaian, and 189 from PNM.
This sample size is considered adequate for SEM-based analysis.
The Partial Least Squares SEM (PLS-SEM) technique, in particular, is suitable for analyzing data with relatively small sample sizes and can still produce reliable It is generally recommended that PLS-SEM be applied to sample sizes ranging from 100 to 200 to ensure robustness of results, especially in studies with limited data (O .
RESULT AND ANALYSIS
Indicator Validity Test Indicator validity testing is the process of ensuring that the indicators used in a study actually measure what they are supposed to measure.
This is important to ensure the accuracy and reliability of the research In this study there were 28 indicators of five variables.
Indicators are declared valid if they have a contribution of 0.
Table 2 presents the contribution of indicators to each variable.
Indicator TKR1
TKR2
TKR3
TKR4
KMR1
KMR2
KMR3
KMR4
KMR5
KMR6
KMR7
PMR1
PMR2
PMR3
PMR4
SPI1
SPI2
Table 2.
Indicator Validity Test
Loading Factor
t-count
0,743
28,098
0,750
28,722
0,807
34,600
0,740
27,908
0,795
33,185
0,832
37,971
0,846
40,268
0,775
31,061
0,788
32,447
0,853
41,496
0,847
40,420
0,825
36,985
0,814
35,490
0,830
37,638
0,798
33,531
0,842
39,525
0,848
40,467
Description Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant E-ISSN: 2808-554X | P-ISSN: 2797-1325
Indicator SPI3
SPI4
MMR1
MMR2
MMR3
MMR4
MMR5
MMR6
MMR7
MMR8
MMR9
Loading Factor
0,808
0,835
0,787
0,798
0,846
0,848
0,829
0,761
0,882
0,867
0,827
t-count
34,720
38,465
32,321
33,587
40,231
40,623
37,515
29,723
47,392
44,007
37,246
Description Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant Significant As presented in Table 2, all indicators are considered Significant, as each displays a loading factor 5 or 50%.
This conclusion is further supported by the t-statistic values, all of which surpass the critical value of 1.
Accordingly, when the calculated t-value exceeds the threshold of the t-table, the corresponding indicator is deemed statistically Significant.
These results confirm that the measurement indicators for Risk Governance.
Risk Management Framework.
Risk Management Process.
Internal Control System, and Risk Management Maturity all meet the validity requirements.
Hence, each indicator can be used reliably to represent its respective construct within the research model.
Variable Reliability and Validity Test Testing the validity and reliability of variables represents a critical step to ensure that the constructs employed within the research model are both accurate and dependable.
Average Variance Extracted (AVE) is utilized to assess construct validity, with a threshold value above 0.
5 indicating acceptable validity.
Meanwhile, composite reliability is applied to evaluate the internal consistency of each variable, where values exceeding 7 are considered reliable.
The outcomes of these assessments are summarized in Table 3.
Table 3.
Composite Reliability and AVE of Each Variable Composite Average Variance Extracted Reliabel
(AVE)
Risk Governance 0,846 0,578 Risk Management Framework
0,935
0,673
Risk Management Process
0,889
0,667
Risk Control System
0,901
0,694
Risk Management Maturity 0,951 0,686 Variabel From Table 3, it can be seen that all variables are reliable because they have a value of more than Meanwhile, the variable validity results have a value above 0.
5 so that it is declared valid.
These results confirm that the measurement model used in this study meets the required standards of reliability and validity, ensuring that the constructs of Risk Governance.
Risk Management Framework.
Risk Management Process.
Risk Control System, and Risk Management Maturity are measured consistently and accurately.
The high composite reliability scores indicate that the indicators are internally consistent and able to provide stable results across measurements, which strengthens the overall reliability of the model.
Similarly, the AVE values 5 demonstrate that each construct explains more than half of the variance in its indicators, reinforcing the evidence of convergent validity.
Taken together, these findings not only validate the appropriateness of the research instruments but also enhance the credibility of the subsequent structural model analysis, thereby providing a strong foundation for the testing of proposed hypotheses.
Hypothesis Testing Hypothesis testing is testing the relationship between the variables used in this research model .
The hypothesis is declared significant if the t-statistical value is greater than the t-table of 1.
Apart from being seen from statistics, it can also be seen from the p value, if the p value is smaller than 0.
05 with an error rate of 5%, it is declared significant.
Table 4 presents the results of hypothesis testing in this study.
International Journal of Cyber and IT Service Management (IJCITSM).
Vol.
No.
October 2025, pp.
156Ae170 ye International Journal of Cyber and IT Service Management (IJCITSM) Correlation H1: TKR Ie KMR H2: TKR Ie PMR H3: TKR Ie SPI H4: TKR Ie MMR H5: KMR Ie PMR H6: TKR Ie MMR H7: PMR Ie MMR H8: SPI Ie KMR H9: SPI Ie PMR H10: SPI Ie MMR Table 4.
Hypothesis Test
ST DEV
T stat
0,088
4,801
0,124
2,929
0,045
16,314
0,105
2,044
0,139
0,607
0,123
3,433
0,139
0,889
0,087
5,694
0,124
3,819
0,105
1,977
P value 0,000 0,003 0,000 0,041 0,544 0,001 0,374 0,000 0,000 0,048 In the hypothesis test Table 4, it can be concluded that eight out of ten hypotheses tested can be accepted at a real level of 5% so that they have a significant influence.
A The relationship of the risk governance variable (TKR) to the risk management framework (KMR) with a standard deviation of 0.
088, the statistical t-value is 4.
> 801 < 1.
and the p value is 0.
Based on these results, the null hypothesis (H.
stating that there is no relationship between risk governance and the risk management framework is rejected, while the alternative hypothesis (H.
stating that there is a significant relationship is accepted.
This is in line with several researchers who have found that effective risk governance has a positive and significant influence on a companyAos risk management framework .
Ae.
A The relationship of TKR variables to the risk management process (PMR) has a standard positive deviation of 0.
124, the statistical t-value is 2 > 929 .
and the p value is 0.
003 < 0.
The null hypothesis (H.
stating that there is no relationship between risk governance and the risk management process was rejected, while the alternative hypothesis (H.
stating that there is a significant relationship was accepted.
This is in line with research that found that strong risk governance significantly increases the effectiveness of a companyAos risk management process .
Ae.
A The relationship between the TKR variable and the risk control system (SPI) has a positive standard deviation of 0.
045, the t-statistic value is 16.
314 > 1.
and the p value is 0.
H0 is rejected and H1 is accepted, the results of the statistical analysis indicate a positive and very significant relationship between the risk governance variable and the risk control system.
The positive standard deviation of 0.
045, although relatively small, indicates a positive consistency in this Effective risk governance has a positive and significant effect on the companyAos risk control Companies with strong risk governance tend to have a more comprehensive and integrated risk control system .
, .
A The analysis indicates that the relationship between the Risk Governance (TKR) variable and Risk Management Maturity (MMR) exhibits a positive standard deviation of 0.
105, with a t-statistic of 2.
044 > 1.
and a p-value of 0.
041 < 0.
Based on these statistical results, the null hypothesis (H.
, which posits no relationship between risk governance and risk management maturity, is Conversely, the alternative hypothesis (H.
, asserting a significant relationship between the two variables, is accepted.
These findings are consistent with previous studies demonstrating that effective risk governance positively influences a companyAos risk control systems .
In addition, related research has found that corporate governance significantly contributes to the financial performance of banks in Indonesia, suggesting that institutions with sound governance practices are better equipped to manage risks and make strategic decisions that enhance overall performance .
A The analysis reveals that the Risk Management Framework (KMR) variable has a positive effect on Risk Management Maturity (MMR), indicated by a standard deviation of 0.
123, a t-statistic value of 3.
433 > 1.
, and a p-value of 0.
001 < 0.
Based on these results, the null hypothesis (H.
is rejected, and the alternative hypothesis (H.
is accepted.
This provides strong evidence that ye
E-ISSN: 2808-554X | P-ISSN: 2797-1325
the risk management framework significantly influences the maturity level of risk management implementation.
These findings are in line with previous research by .
, which emphasized that a well-established risk management framework plays a critical role in enhancing the overall maturity of corporate risk management systems.
A The relationship between the Risk Control System (SPI) and the Risk Management Framework (KMR) shows a positive standard deviation of 0.
087, with a t-statistic value of 5.
694 > 1.
and a p-value of 0.
000 < 0.
These statistical results lead to the rejection of the null hypothesis (H.
and the acceptance of the alternative hypothesis (H.
, indicating that the risk control system exerts a significant influence on the development of the risk management framework.
This strong and positive association suggests that an effective risk control system serves as a key feedback mechanism, enabling continuous refinement and enhancement of the organizationAos risk management framework.
The ability of control systems to detect gaps and provide actionable insights contributes to the overall robustness of risk governance structures.
A The statistical analysis demonstrates a positive relationship between the Risk Control System (SPI) and the Risk Management Process (PMR), indicated by a standard deviation of 0.
124, a t-statistic value of 819 .
819 > 1.
, and a p-value of 0.
000 < 0.
Based on these results, the null hypothesis (H.
, which posits no relationship between the two variables, is rejected, while the alternative hypothesis (H.
, suggesting a significant association, is accepted.
These findings affirm that the effectiveness of the risk control system substantially influences the execution and quality of risk management processes.
This conclusion aligns with prior studies that highlight the critical role of control mechanisms in shaping and enhancing risk management activities .
, .
A The analysis reveals a positive relationship between the Risk Control System (SPI) and Risk Management Maturity (MMR), with a standard deviation of 0.
105, a t-statistic value of 1.
977 > 1.
, and a p-value of 0.
048 < 0.
, indicating statistical significance.
Accordingly, the null hypothesis (H.
is rejected, and the alternative hypothesis (H.
is accepted, confirming that the risk control system has a significant influence on the level of risk management maturity.
Nevertheless, given the marginal level of significance, it is important to acknowledge the possibility that additional factors may also contribute meaningfully to shaping an organizationAos risk management maturity.
Despite this, the findings support the conclusion that the risk control system plays a measurable role in advancing the overall maturity of risk management practices.
In this study, there are two hypotheses that are rejected, including:
A The relationship between the KMR variable and the PMR has a positive standard deviation of 0.
139, the t-statistic value is 0.
607 < 1.
and a p-value of 0.
544 > 0.
This finding is also interesting and may not be in accordance with general expectations, considering that the risk management framework is often considered an important foundation for an effective risk management process.
The existence of a formal risk management framework does not have a significant effect on the effectiveness of the risk management process .
A The relationship between the PMR variable and the MMR has a positive standard deviation of 0.
the t-statistic value is 0.
889 < 1.
and a p-value of 0.
374 > 0.
This finding may seem counterintuitive, the existence of formal and sophisticated risk management processes does not necessarily correlate with higher levels of risk management maturity .
The rejection of these two hypotheses indicates that the existence of a formal risk management framework and processes does not automatically ensure either the effectiveness or the maturity of risk management Although such frameworks are often emphasized in theory, the statistical results show that their influence is not significant in this study, suggesting that formalization alone cannot guarantee stronger outcomes in risk management.
International Journal of Cyber and IT Service Management (IJCITSM).
Vol.
No.
October 2025, pp.
156Ae170 International Journal of Cyber and IT Service Management (IJCITSM) ye Result and Analysis This study explores the interrelationships among critical factors that shape the maturity level of risk management implementation within the Ultra Micro SOEs Holding ecosystem.
The corporate restructuring through the establishment of the Ultra Micro SOEs Holding has introduced organizational changes that generate new risk exposures, necessitating identification and mitigation through comprehensive risk management While risk management focuses on identifying these emerging risks and minimizing their adverse effects, change management ensures that organizational transformations are executed efficiently.
The integration of both domains is essential to ensure the successful execution of the post-merger integration project.
The empirical findings confirm the existence of significant relationships among various risk management implementation factors, offering insights into how these elements interact to enhance implementation quality.
For instance, the study illustrates the substantial influence of risk governance on the effectiveness of the risk control The leadership and organizational risk culture within the Ultra Micro SOEs Holding play a vital role in strengthening control system quality.
Moreover, risk governance not only directly impacts risk management maturity but also indirectly shapes the framework, processes, and control mechanisms, reinforcing their contribution to achieving a highquality implementation of risk management .
These results underscore the importance of a strong Aytone from the topAy in initiating and sustaining effective risk management strategies, especially in mitigating potential barriers to achieving the intended synergies resulting from the integration of entities under the Ultra Micro SOEs Holding.
Quantitative findings from the survey further indicate that enhancements in risk governance are linked to tangible outcomes, such as a reported reduction in risk exposure ranging from 15% to 20%, as well as increased confidence in decision-making reported by 68% of respondents.
These empirical results reinforce the practical significance and relevance of the proposed governance improvements .
The study found no statistically significant impact of the risk management framework on the risk management process.
This is an unexpected result, considering the frameworkAos central role in guiding procedures.
Possible reasons include unaccounted mediating variables, lack of full integration into daily practices, or specific organizational contexts.
In many SOEs, formal frameworks often do not lead to effective implementation due to poor communication, limited training, and minimal automation.
These findings suggest a need for further research to understand the gap between formal structures and practical risk activities, and to identify stronger factors influencing process effectiveness.
Although regulatory frameworks and guidance have been formally established, numerous SOEs continue to encounter both technical and organizational challenges in fully operationalizing advanced risk management systems.
These challenges include the use of outdated information systems, weak integration between risk related and operational data, limited digitalization of monitoring and reporting tools, and shortages in qualified personnel with specialized expertise in risk modeling and analysis.
Furthermore, the presence of organizational silos often impedes enterprise wide implementation efforts, leading to fragmented coordination across business Cultural resistance to organizational transformation particularly within legacy institutions further complicates the adoption of integrated risk management.
Overcoming these barriers necessitates not only the modernization of technological infrastructure, but also the implementation of comprehensive change management strategies, targeted capacity building programs, and the deployment of adaptable, modular risk tools tailored to the varying levels of maturity across different SOEs.
By systematically identifying and addressing these constraints, implementation strategies can be refined to support the progressive and sustainable adoption of risk management best practices.
Findings from the study conducted by .
yielded unexpected insights.
The research, which involved 825 organizations in the Netherlands, revealed that the presence of a formal risk management framework did not significantly impact the effectiveness of risk management processes.
Instead, the study emphasized that factors such as active engagement from top management and a supportive organizational culture exerted a more substantial influence on the successful implementation of risk management practices.
Consistent with these findings, research by .
involving companies in Sweden also concluded that the existence of a formal risk management framework does not necessarily translate into a more effective risk management process.
Employing a qualitative approach through in-depth interviews, the study highlighted that the practical execution of risk management and the depth of employeesAo understanding of risk-related issues played a more pivotal role in determining process effectiveness than the mere presence of a formalized framework.
Another unexpected finding is the absence of a significant relationship between the risk management process and risk management maturity.
These findings indicate that the link between processes and maturity E-ISSN: 2808-554X | P-ISSN: 2797-1325 ye is not always direct but shaped by mediating, moderating, or contextual factors.
They highlight the need for further research and the importance of considering elements such as risk culture, leadership commitment, and organizational support in advancing risk maturity.
MANAGERIAL IMPLICATIONS
The findings of this study suggest that managerial efforts to improve risk management maturity in Ultra Micro SOEs must prioritize leadership commitment, operational integration, and internal control effectiveness.
While formal frameworks are in place, their practical impact remains limited without active top-level engagement and organization-wide adoption.
The internal control system, particularly the role of risk management and audit units, plays a significant role in supporting maturity.
Furthermore, outdated systems, limited risk expertise, and poor interdepartmental coordination continue to hinder implementation.
Therefore, managers should focus on strengthening risk culture, investing in digital infrastructure, and embedding risk governance practices into daily operations to ensure that risk management becomes a functional and strategic pillar across all units.
CONCLUSION
This research has demonstrated the interconnected roles and relationships among risk management implementation factors in shaping the maturity of risk management practices within the Ultra Micro SOEs Holding.
The findings reinforce previous studies, indicating that several key implementation elements contribute significantly to the enhancement of risk management quality and maturity.
Among the four core factors examined, the risk management process was the only variable found to lack a statistically significant impact on risk management maturity.
Despite this, the analysis reveals that all implementation components risk governance, risk management framework, risk control system, and risk management process are interrelated, though the strength of their interconnections varies.
These results highlight the systemic nature of risk management implementation and suggest that improving maturity requires a coordinated approach that considers the dynamic interactions between all contributing elements.
The structural model presented in this study offers valuable insights for both academic research and practical use.
It advances structural equation modeling (SEM) by confirming the interdependence between risk management implementation variables and risk management maturity, supporting the modelAos relevance in risk-related studies.
The findings identify key components that can guide future research on risk maturity.
focusing on the Ultra Micro SOEs Holding in Indonesia, the study adds contextual depth and enables comparisons across different organizations and countries.
From a managerial perspective, the results highlight the role of leadership and risk culture in enhancing internal control systems, which support stronger frameworks and Successful implementation also relies on alignment with established standards and investment in skilled personnel and digital infrastructure.
As risk management evolves, technologies such as artificial intelligence and blockchain are expected to improve risk detection, transparency, and control, requiring adaptable frameworks and forward-looking digital transformation within SOEs.
This study has several limitations.
The use of self-reported data from SOEs employees may introduce response bias or reflect limited understanding of risk management concepts.
The narrow focus on Ultra Micro Holding restricts generalizability to other sectors.
External factors such as macroeconomic shifts, regulatory changes, and post-pandemic recovery may have influenced perceptions but were not controlled.
Notably, two unexpected findings, the lack of significant links between the risk framework and process, and between the process and maturity suggest possible mediating variables or implementation gaps.
Future research should further examine these dynamics through longitudinal or mixed-method approaches.
DECLARATIONS
About Authors Eko Susetyono (ES) https://orcid.
org/0009-0000-1483-1866 Dominicus Savio Priyarsono (DS) Anggraini Sukmawati (AS) https://orcid.
org/0000-0003-4607-5633 https://orcid.
org/0000-0001-5602-5141 International Journal of Cyber and IT Service Management (IJCITSM).
Vol.
No.
October 2025, pp.
156Ae170 International Journal of Cyber and IT Service Management (IJCITSM) Popong Nurhayati (PN) ye https://orcid.
org/0009-0003-5665-5671 Author Contributions Conceptualization: PN.
Methodology: DS.
Software: ES.
Validation: AS and DS.
Formal Analysis:
ES and PN.
Investigation: DS.
Resources: ES.
Data Curation: PN.
Writing Original Draft Preparation: ES and DS.
Writing Review and Editing: PN and AS.
Visualization: DS.
All authors.
ES.
DS.
AS, and PN, have read and agreed to the published version of the manuscript.
Data Availability Statement The data presented in this study are available on request from the corresponding author.
Funding The authors received no financial support for the research, authorship, and/or publication of this article.
Declaration of Conflicting Interest The authors declare that they have no conflicts of interest, known competing financial interests, or personal relationships that could have influenced the work reported in this paper.
REFERENCES