
Compliance & Risk Officer Training That Turns Rule Keepers Into Strategic Board Partners

A modern Compliance Officer carries four parallel loads: multi-regulator compliance (POJK, OJK, BI, Kominfo, Kemenkeu), integrated risk management frameworks (ISO 31000, COSO ERM 2017), anti-bribery & AML-CFT (ISO 37001, UU 8/2010), and personal data protection (UU 27/2022 PDP). The Neksus 12–14 week program builds integrated competencies for Compliance Officers, Risk Managers, and Heads of Compliance across enterprise, banking, BUMN, and regulated industries.

Target audience: Compliance Officer · Risk Manager · DPO · Head of Compliance & Risk
Typical duration: 12–14 weeks (cohort)
Core focus: ISO 37301 · ISO 31000 · ISO 37001 · UU PDP · AML-CFT
Format: Hybrid: workshop, case lab, peer-coaching

Quick answer

The Neksus Compliance & Risk Officer program builds five foundations: modern compliance team leadership, ISO 37301:2021 compliance management, integrated ISO 31000:2018 + COSO ERM 2017 risk management, anti-bribery (ISO 37001:2016 ABMS) and AML-CFT (UU 8/2010, FATF), and personal data protection (UU 27/2022 PDP). Delivered as a 12–14 week cohort with workshops, case lab on the client risk register (de-identified), and weekly peer-coaching.

Role Context

Why the modern Compliance & Risk Officer carries a layered regulatory load

Compliance Officer and Risk Manager roles in Indonesian enterprises have shifted from rule keeper to translator of regulation for business decisions. Four recent regulatory waves have reshaped the landscape: UU 27/2022 Personal Data Protection (fully effective October 2024), POJK 17/2023 on Bank Risk Management, Permen BUMN PER-11/MBU/07/2021 on Integrated Governance, and the Anti-Corruption Law revision + KPK UKAP strengthening. At the same time, international standards have matured: ISO 37301:2021 Compliance Management has replaced ISO 19600; ISO 37001:2016 ABMS is now the anti-bribery reference; ISO 31000:2018 + COSO ERM 2017 form the dual-frame for integrated risk management. A modern Compliance & Risk Officer owns the compliance program, the risk register, the mitigation plan, and risk communication to the board. The Neksus program integrates all five domains in a single cohort with a case lab drawn from the client risk register (de-identified).

  • ISO 37301:2021 has replaced ISO 19600:2014 as the compliance management standard; many enterprises still hold the older certification
  • ISO 37001:2016 ABMS (Anti-Bribery Management System) is mandatory for BUMN and strongly recommended for listed issuers
  • ISO 31000:2018 + COSO ERM 2017 form the dual-frame for risk management; ISO for process, COSO for strategic alignment
  • UU 27/2022 PDP is fully effective from October 2024 with administrative sanctions up to 2% of annual revenue
  • FATF / AML-CFT (UU 8/2010) continues to tighten; FATF assessments of Indonesia shape country risk ratings

Promoting an internal auditor with no role transition equals reactive compliance plus a dead risk register

The strongest internal auditor is often promoted to Compliance Officer with zero framework for the new role. The result: compliance only surfaces when an external audit arrives, the risk register is filled once a year for the annual report, and the board fails to see compliance as a strategic partner. GRC Pundit 2024 research lists 'reactive compliance' as the #1 driver of regulator sanctions in Southeast Asian banking.

Reference frameworks

Neksus modules integrate ISO 37301:2021 Compliance Management, ISO 37001:2016 ABMS, ISO 31000:2018 + COSO ERM 2017, UU 27/2022 PDP + Kominfo regulations, Permen BUMN PER-11/MBU/07/2021 (for BUMN), POJK 17/2023 (for banking), the Anti-Corruption Law (UU 31/1999 jo 20/2001) + KPK UKAP, and FATF Recommendations + UU 8/2010 AML-CFT. Team leadership follows the GRC Capability Model 3.0 and the IIA Three Lines Model.

Compliance leadership is a measured discipline

Compliance breach rate, risk register coverage, control effectiveness rating, and time-to-remediation are numbers that can be tracked quarterly. A Compliance Officer who leads without a numeric baseline leads on assumption. The Neksus program begins with baselining four compliance KPIs: breach rate, risk coverage, control effectiveness, and remediation cycle time.

Boards and commissioners are ready for the strategic conversation

Modern boards and Audit Committees in Indonesia are now familiar with COSO ERM, ISO 37301, and the Three Lines Model. A Compliance Officer fluent in risk appetite, compliance maturity, and integrated assurance speaks on the same wavelength as the Audit Committee and commissioners.

TNA Profile

The TNA pattern we most often find in Compliance & Risk Officers

These patterns emerge consistently from initial Neksus diagnostics across banking, BUMN, insurance, securities, and listed enterprises.

Gap
Compliance program remains ad-hoc

Symptom: Compliance only surfaces during external audits or regulator visits; no annual compliance calendar exists; internal training is absent or a formality.

Business impact: Regulator sanctions recur; corporate reputation in the regulator's eyes deteriorates; the cost of reactive compliance runs much higher.

Gap
Risk register lives in Excel and is updated once a year

Symptom: The risk register is filled during the annual report; no quarterly updates exist; mitigation actions carry no owner or due date.

Business impact: Emerging risks go untracked; the board makes strategic decisions without a risk lens; the risk appetite statement is absent.

Gap
UU 27/2022 PDP has yet to be fully implemented

Symptom: A Data Protection Officer (DPO) is appointed in name yet has limited independence; ROPA (Record of Processing Activities) is missing; DPIAs are not routine.

Business impact: PDP administrative sanction risk up to 2% of annual revenue; customer trust erodes; data breach incidents become hard to handle.

Gap
ISO 37001 ABMS certification exists, implementation stays formal

Symptom: ISO 37001 certification is renewed annually; the whistleblowing channel exists yet stays unused; vendor due diligence is formal.

Business impact: For BUMN: KPK / BPK findings related to vendor fraud; for enterprises: integrity risk remains undetected until it becomes a major incident.

Gap
Three Lines Model has yet to come alive

Symptom: First line (operations) feels compliance is none of their concern; second line (compliance/risk) is overloaded; third line (internal audit) runs only formal compliance audits.

Business impact: Compliance ownership remains unspread; second line becomes the bottleneck; external audits find deficiencies that first line should have caught.

Gap
1-on-1s collapse into compliance case review

Symptom: A newly promoted Compliance Officer still dominates technical compliance decisions; staff get no room to grow.

Business impact: Senior compliance analysts fail to progress; the team becomes single-point-of-failure dependent; succession stalls.

Daily Pain Points

Pain points Compliance & Risk Officers feel on the ground

Unit directors see compliance as an obstacle to business decisions

Root: Compliance only surfaces when problems arise; the conversational language stays too legal/regulatory; no risk appetite statement exists.

Program response: The 'Compliance as Business Partner' module installs a board-defensible risk appetite statement, risk-vs-opportunity calibration with the COSO ERM framework, and risk storytelling using the Minto Pyramid structure.

Regulators (OJK / BI / Kominfo) issue repeat findings

Root: The compliance program is reactive; there is no ISO 37301-based compliance calendar; a remediation tracker is absent.

Program response: The 'Living Compliance Program' module installs an ISO 37301:2021 compliance calendar design, sector-specific control mapping, and a remediation tracker with accountability.

PDP implementation is confusing: the DPO holds no authority

Root: The DPO is appointed without an independence statement; ROPA + DPIA are missing; vendor processing agreements remain un-updated.

Program response: The 'UU 27/2022 PDP Implementation' module installs a DPO independence policy, ROPA template, DPIA workflow, vendor data processing agreement, and an incident response playbook for data breach.

The board treats the risk register as a dead document

Root: The risk register is only updated once a year; no heat map exists; mitigation actions carry no owner.

Program response: The 'Risk Register that Lives' module installs a quarterly review cadence, a likelihood × impact heat map, mitigation actions with RACI, and integration into business decisions.

BPK / KPK audits find integrity risks that ABMS should have caught

Root: ISO 37001 ABMS runs as a formality; the whistleblowing channel is under-utilized; vendor due diligence is not risk-based.

Program response: The 'Living ABMS' module installs risk-based vendor due diligence, whistleblowing channel governance (anonymity, non-retaliation, investigation playbook), and an integrity risk dashboard.

Three Lines Model remains a concept and has yet to come alive

Root: First line gets no compliance self-assessment toolkit; second line is overloaded; third line plays police, with trust kept low.

Program response: The 'Three Lines Activation' module installs a first-line self-assessment toolkit, a second-line advisor role, a third-line integrated assurance plan, and a quarterly governance forum.

Capability Ladder

The Compliance & Risk Officer capability ladder — first 14 months

Each stage lists its core competencies and the KPI signal that shows the officer is ready to enter the next stage.

Stage 1. Months 1–3: Role identity + compliance KPI baseline (12 weeks)
  • Internalize the shift from internal auditor to leader of a compliance team
  • Map the stakeholder graph: Board, Audit Committee, Risk Committee, regulators, internal audit, business units
  • Establish weekly 1-on-1 with every member of the compliance/risk team
  • Instrument a baseline of four KPIs: breach rate, risk coverage, control effectiveness, remediation cycle time
  Readiness signal: 100% of team members have a weekly 1-on-1; the baseline dashboard has run for at least 30 days

Stage 2. Months 4–7: ISO 37301 + ISO 31000 + Three Lines (16 weeks)
  • Build an ISO 37301:2021 compliance program (compliance calendar, control mapping, training plan)
  • Design an ISO 31000:2018 risk management framework with a COSO ERM strategic overlay
  • Activate the Three Lines Model: first-line self-assessment, second-line advisor, third-line integrated assurance
  • Author a board-defensible risk appetite statement
  Readiness signal: Compliance calendar is running; risk register lives with quarterly review; risk appetite statement is signed off by the board

Stage 3. Months 8–11: ABMS + AML-CFT + UU PDP (16 weeks)
  • Operationalize ISO 37001 ABMS: risk-based due diligence, whistleblowing channel governance
  • Lead AML-CFT compliance (UU 8/2010, FATF Recommendations): enhanced KYC, suspicious transaction reporting
  • Implement UU 27/2022 PDP: DPO independence, ROPA, DPIA, vendor DPA, incident response
  • Build an integrated assurance plan across domains (compliance + risk + audit)
  Readiness signal: Whistleblowing channel utilization rises; DPIAs run routinely; STR submissions land on time; vendor DPAs are 100% updated

Stage 4. Months 12–14: Compliance org as a system (12 weeks)
  • Design a dual-track compliance career ladder (technical compliance + risk leadership)
  • Build the compliance operating cadence: monthly risk review, quarterly compliance review, annual ERM update, regulator engagement calendar
  • Present the risk register and compliance posture to the Audit Committee + commissioners with storytelling
  • Prepare a successor (manager-once-removed thinking)
  Readiness signal: The compliance team can operate 2–3 days without the Head present; one Senior Officer is ready to step into Compliance Manager

KPI Targets

KPIs that should shift while this program runs

Pick 3–5 KPIs from the list before the program starts so impact is measured with consistent numbers.

Compliance breach rate (per regulation)
Down ≥ 50% within 12 months

The most sensitive indicator of compliance program health.

Risk register coverage (% business unit + process)
≥ 95% (client baseline typically 60–75%)

Unregistered risks go unmitigated; coverage is the prerequisite for risk governance.

Control effectiveness rating (high-rated controls)
≥ 80% of critical controls rated effective (from testing)

Evidence that the compliance program is alive, with documentation as a supporting layer.

Remediation cycle time (regulator finding closure)
Down 40–60% within 12 months

Indicator of the compliance team's responsiveness to external findings.

Whistleblowing channel utilization
Rise 2–4x with investigation closure rate ≥ 90%

An under-utilized channel signals a weak integrity culture; over-utilization without closure collapses trust.

12-month senior compliance analyst retention
≥ 88% (industry baseline ~80–85%)

The direct Compliance Officer is the #1 factor in senior compliance analyst retention.

Internal promotion rate from the compliance team
≥ 1 promotion per 8–10 team members per year

A great Compliance Officer builds the next Compliance Officer.

Decision Aid

Three-day workshop vs 12–14 week cohort vs embedded coaching

Three intervention shapes with distinct ROI profiles. The 12–14 week cohort is the Neksus default recommendation for Compliance & Risk Officers.

Investment per participant
  Three-day workshop: IDR 6–10 million
  12–14 week cohort: IDR 22–38 million
  Embedded coaching: IDR 60–110 million

Case lab on client risk register (de-identified)
  Three-day workshop: None
  12–14 week cohort: Yes, 30-day working case
  Embedded coaching: Yes, 90-day deep engagement

Scalability to 15+ Compliance Officers
  Three-day workshop: High, parallel cohorts
  12–14 week cohort: High in cohort format
  Embedded coaching: Low, limited by senior coach capacity

Practice on real regulator engagement
  Three-day workshop: None
  12–14 week cohort: Yes, assignments + live audit simulation
  Embedded coaching: Yes, every regulator engagement during the engagement

Best fit
  Three-day workshop: ISO 37301 / UU PDP awareness for the board
  12–14 week cohort: Default for Compliance Officers and Risk Managers
  Embedded coaching: Head of Compliance / Chief Risk Officer transitioning to a C-level role

Engagement Path

The 12–14 week engagement flow — from kickoff to sustaining

  1. Diagnostic and compliance assessment (Week 0)

     Online pre-assessment (ISO 37301 maturity, ISO 31000 + COSO ERM self-assessment, UU PDP readiness check, ABMS utilization audit) plus 1:1 interview with every participant plus a walkthrough of the client risk register + compliance calendar. Output: compliance KPI baseline + team capability heatmap.

  2. Three-day onsite kickoff workshop (Weeks 1–2)

     Day 1: Compliance Officer role identity + ISO 37301:2021 foundation + Three Lines Model. Day 2: ISO 31000 + COSO ERM 2017 integrated risk framework + risk appetite statement. Day 3: UU 27/2022 PDP + ISO 37001 ABMS + AML-CFT compliance. Assignment: each participant drafts a 90-day plan.

  3. Case lab on client risk register (de-identified) (Weeks 2–4)

     The Neksus team plus the client Compliance Officer work on the client risk register (de-identified) to: identify five high risks not yet mitigated, design a quarterly review cadence, and draft a risk appetite statement for the board.

  4. Thematic live workshops (bi-weekly, 3 hours) (Weeks 3–12)

     Rolling topics: Living Compliance Program (ISO 37301), Risk Register that Lives, UU PDP Implementation Deep Dive, Living ABMS, Three Lines Activation, Regulator Engagement Playbook. Each session ends with a two-week practice assignment.

  5. Peer-coaching pods (four officers per pod) (Weeks 3–13)

     Weekly 60-minute sessions between participants with a peer-coaching frame (problem framing, GROW peer-questioning, accountability check). A Neksus coach facilitates the first three sessions remotely; the pod runs self-managed afterwards.

  6. Mid-program check-in with Director of Compliance / CRO (Week 7)

     Participants plus Director of Compliance/CRO plus a Neksus coach in a 60-minute session. Review the 90-day plan and the compliance KPI baseline, and calibrate compliance maturity uplift expectations.

  7. Capstone presentation: compliance org transformation (Week 13)

     Each participant presents: baseline of the four compliance KPIs → 90-day target, one compliance program brought to life (ISO 37301), one risk register quarterly review already running, one UU PDP gap closed, and the career ladder plan for the team.

  8. Sustaining: quarterly clinic + regulator engagement review (Week 14 → 12 months)

     A 90-minute quarterly clinic with a Neksus coach to work through live cases (new regulation, upcoming audit, incident response). Access to the Compliance Officer Indonesia alumni network.

Decision Makers

Decision-makers in a compliance & risk leadership program

Five stakeholder rings that must align before the program succeeds.

Director of Compliance / Chief Risk Officer
Sponsor + mid-program check-in

Justifies the compliance program ROI, connects it to the corporate GRC roadmap, and secures regulator engagement readiness.

Audit Committee + Risk Committee (commissioners)
Beneficiary + capstone reviewer

Compliance maturity consistency, a readable ERM dashboard, and an annual integrated assurance plan.

Internal Audit / SPI (BUMN)
Co-coach for the Three Lines module

Three Lines Model coordination, audit-plan integration with the compliance program, and hand-off of findings into the remediation tracker.

L&D / Training Manager
Program owner

Operational logistics, Kirkpatrick evaluation, LMS integration, and reporting up to the CHRO.

Data Protection Officer + Legal Counsel
Co-design for the UU PDP module

UU PDP implementation coordination, vendor DPA, incident response playbook, and regulator engagement (Kominfo, OJK).

Procurement
Process owner

Vendor scoring, contracting, e-procurement (BUMN/government via SPSE LKPP) for multi-cohort engagement.

Program Design Notes

Design notes — why we built it this way

  • Hybrid format (live + case lab + async)
    50% live cohort, 30% case lab on client risk register (de-identified), 20% async assignment
    Compliance leadership demands practice on a real risk register. Theory workshops without a case lab create awareness that evaporates within 30 days.
  • Cohort size
    8–12 Compliance & Risk Officers per cohort
    Small enough for deep case lab and confidential discussion, large enough for cross-sector diversity (banking, BUMN, insurance, listed enterprises).
  • Total duration
    12–14 weeks (ISO 37301 + ISO 31000 + ABMS + UU PDP modules need repeated practice)
    Kirkpatrick L3 research shows meaningful impact emerges after at least 8 weeks of practice with feedback; compliance leadership adds extra latency so one quarterly risk review + regulator engagement cycle can run.
  • Facilitator profile
    Facilitators with at least 12 years of field compliance/risk leadership experience plus one credential of ICA, CRMA, CISA, or ISO 37301 / ISO 31000 Lead Implementer
    Field experience earns credibility; the professional credential enforces methodological discipline.
  • Language of delivery
    Bahasa Indonesia (default) — compliance + risk discussion stays sensitive and needs nuance; bilingual ID/EN for multinational corporates with regional CRO calls
    Risk + compliance judgment discussion runs deeper in the mother tongue; ISO/COSO jargon stays in its original language.
  • Effectiveness measurement
    Kirkpatrick L1 (satisfaction) + L2 (competency) + L3 (behavior, 3 months post) + L4 (breach rate + risk coverage + remediation cycle time, 6 months post)
    L4 for compliance leadership is clearly measurable via compliance KPIs; a compliance leadership program has a transparent source of impact evidence.

Typical Outcome Patterns

Typical outcome patterns from comparable clients

Context

A mid-sized bank, 10 Compliance Officers + Risk Managers across corporate banking + retail banking + treasury, targeting better POJK 17/2023 risk management outcomes and UU PDP implementation.

Intervention

A 14-week cohort with emphasis on ISO 31000 + COSO ERM 2017 + UU PDP Implementation. Case lab on the client risk register (de-identified). Thematic POJK 17/2023 mapping workshop with the Director of Compliance as co-facilitator. Mid-program check-in with the Director of Compliance.

Indicative result

The next OJK audit accepted UU PDP implementation with no major findings. Risk register coverage rose from 65% to 92% within 6 months. Three Compliance Officers presented the new practice at a National Bank Compliance forum.

Context

A large energy BUMN, 12 Compliance Officers across corporate compliance + business unit compliance + procurement, targeting better KPK / BPK audit outcomes on integrity risk and bringing ABMS to life.

Intervention

A 13-week cohort focused on ISO 37001 ABMS + Three Lines Activation + Risk Register that Lives. Thematic workshop with the SVP Internal Audit as co-facilitator. Whistleblowing channel governance workshop with the Audit Committee.

Indicative result

Whistleblowing channel utilization rose 3.2x within 6 months with a 94% investigation closure rate. The next KPK audit produced no material integrity risk findings. Four Compliance Officers were promoted to Head positions within 12 months.

Context

A multinational insurance subsidiary, 8 Risk Managers + DPO, targeting team readiness for their first ISO 37301:2021 certification audit and UU PDP compliance.

Intervention

A 12-week bilingual ID/EN cohort. Case lab on the client compliance program (de-identified). Thematic ISO 37301 + UU PDP workshop with the regional Compliance Director as co-facilitator.

Indicative result

The first ISO 37301:2021 certification was achieved on the first audit with no major non-conformity. The UU PDP DPIA and vendor DPA framework became a company standard within 5 months. Two Risk Managers moved into regional positions within 9 months.

Procurement Info

Procurement information

  • Contract format
    Inhouse fixed cohort (12–14 weeks), multi-cohort continuous program (2–3 cohorts per year), or long-term engagement (12 months with periodic refresh + quarterly clinic).
  • Location
    Onsite at client offices (Jabodetabek with no extra transport fee), regional onsite for multi-city BUMN, hybrid (onsite kickoff + bi-weekly online sessions), or fully online.
  • Language of delivery
    Bahasa Indonesia (default); bilingual ID/EN for multinational corporates with regional CRO calls.
  • Participant materials and certificate
    Modules, workbook, risk register + compliance calendar + DPIA + ROPA + risk appetite statement + RACI templates, 12-month access to the Compliance Officer Indonesia alumni resource hub, Neksus participation certificate. Onward certifications (ICA, CRMA, CISA, ISO Lead Implementer) available via a separate track.
  • Tax documentation and e-procurement
    VAT (PPN) tax invoice, official receipt, BAST. Support for BUMN/government e-procurement (SPSE LKPP). Comprehensive vendor scoring document available for internal evaluation.
  • Payment terms
    30% down payment at contract signing, 40% milestone after kickoff + case lab, 30% balance after capstone.
  • Optional add-ons
    Personal 1-on-1 coaching for Director of Compliance / CRO (separate hour-based package) plus a 90-minute executive briefing for Board / Audit Committee / Risk Committee on compliance capability roadmap.
  • NDA and confidentiality
    Standard or client-specific NDA with stricter confidentiality clauses (compliance datasets are highly sensitive); the Neksus team is accustomed to working with confidential risk registers from banking, BUMN, insurance, and listed enterprises.

Frequently Asked Questions

Let's design the Compliance & Risk Officer cohort for your team

Send the number of Compliance Officers / Risk Managers, the sector + regulations involved (POJK, Permen BUMN, UU PDP), and your target cohort start date. The Neksus team studies your context and prepares a tailored program design within 2 business days.

  • 12–14 week cohort with workshop + risk register case lab + peer-coaching
  • Facilitators with field compliance/risk leadership experience plus ICA / CRMA / CISA / ISO Lead Implementer credentials
  • Mid-program check-in with the Director of Compliance/CRO so participant 90-day plans land with board support
  • Kirkpatrick L1–L4 measurement using breach rate + risk coverage + remediation cycle time
  • Bahasa Indonesia / bilingual ID-EN delivery, with materials audit-ready for OJK / BPK / KPK / Kominfo