Org-Wide Theme

An Organization-Level Compliance & Risk Capability Building Program that Holds for a Full Year

An annual four-pillar theme (compliance literacy, risk ownership, internal audit & assurance, regulatory horizon scanning) aligned with ISO 37301:2021, ISO 37001:2016 SMAP, ISO 31000:2018, COSO ERM 2017, UU PDP 27/2022, UU 8/2010 APU-PPT, POJK 17/2023, and BCBS 239. Built for CEOs, Chief Compliance Officers, Chief Risk Officers, and Commissioners moving compliance from reactive obligation to organizational capability.

Program scale: Org-wide (CEO + CCO + CRO + Commissioners)
Typical duration: 12 months (renewable)
Program pillars: 4 (Literacy · Risk Ownership · Audit · Horizon Scanning)
Budget envelope: Rp 400M - Rp 2.2B per year
Short answer

Neksus's compliance & risk program is an annual four-pillar theme: compliance literacy (UU PDP 27/2022 + APU-PPT UU 8/2010 + sectoral POJK), risk ownership (ISO 31000:2018 + COSO ERM 2017 + three lines of defense), internal audit & assurance (ISO 19011:2018 + ISO 37301:2021 compliance management + ISO 37001:2016 SMAP anti-bribery), and regulatory horizon scanning (KPK UKAP + sectoral regulator monitoring). Rollout from a 30-day pilot to a 90-day wave to org-wide over 12 months with a Rp 400M - Rp 2.2B annual envelope for enterprises and SOEs.

Annual Theme

Why compliance & risk must be designed as an organizational capability instead of an annual pre-audit checkbox

The Indonesian and global regulatory landscape has entered its most intense phase in two decades. On the national side: UU 27/2022 on Personal Data Protection became fully effective in October 2024 with material sanctions; UU 8/2010 on Money Laundering Prevention, with KPK's UKAP as an anti-corruption standard; POJK 17/2023 for banks, raising the bar on risk culture maturity; PP 39/2024, reshaping SOE procurement. On the global side: ISO 37301:2021 (Compliance Management Systems) replaces ISO 19600:2014 as the current global standard; ISO 37001:2016 SMAP (Anti-Bribery Management Systems) has been adopted by many large SOEs; ISO 31000:2018 (Risk Management Guidelines) and COSO ERM 2017 (Enterprise Risk Management: Integrating with Strategy and Performance) anchor the risk backbone; BCBS 239 (Basel Committee Principles for Effective Risk Data Aggregation and Risk Reporting) is mandatory for systemic banks.

The common corporate response (a generic annual compliance e-learning, ad-hoc Compliance Unit briefings, and reactive internal audits) fails to build capability because of three structural gaps: (a) compliance literacy stuck in the language of regulation instead of the language of employee workflow; (b) risk ownership trapped in the Risk Officer's office and never cascaded to BUs; (c) audit assurance focused on reactive compliance findings, with no view of control effectiveness.

The annual four-pillar theme closes these gaps with a capability discipline aligned with global standards and Indonesian regulation. ISO 19011:2018 is the reference for audit competency.

  • 2024-2026 regulatory landscape is the most intense in two decades: UU PDP + APU-PPT + POJK + procurement PP
  • Current global standards: ISO 37301:2021 (compliance), ISO 37001:2016 (SMAP), ISO 31000:2018, COSO ERM 2017, BCBS 239
  • Three structural gaps: literacy stuck in regulation language, risk ownership trapped in Risk Officer, reactive audit
  • Annual four-pillar theme aligned with global standards + Indonesian regulation
  • ISO 19011:2018 as the backbone for audit competency
Generic annual compliance e-learning = compliance theater

Enterprises often deploy a 2-hour generic compliance e-learning per employee per year to pass audit. The result: 95% completion, field behavior back at baseline within 60 days, and the same compliance findings repeated from audit to audit. Compliance that actually takes hold needs literacy calibrated to employee workflow (rather than regulation language), reinforcement in the work routine, and accountability mapped to the BU risk owner.

Four mandatory sponsors: CEO + CCO + CRO + Commissioners' Audit Committee

Rooted compliance & risk capability needs four sponsors: the CEO (tone from the top), the Chief Compliance Officer (program ownership), the Chief Risk Officer (risk methodology), and the Commissioners' Audit Committee (independent oversight). Without the Audit Committee, the program loses the independence required for external credibility.

Working three lines of defense = the highest leverage

The IIA (Institute of Internal Auditors) Three Lines Model 2020 places: line 1 (BUs as risk owners), line 2 (Compliance + Risk Function as oversight), line 3 (Internal Audit as independent assurance). Most enterprises carry this structure in the org chart while line 1 does not actually own risk; in Pillar 2 of this program, risk ownership is shifted from the Risk Officer to the BU Head with integrated risk KPIs.

ISO 37301:2021 = the universal language of compliance management

ISO 37301:2021 (Compliance Management Systems: Requirements with guidance for use, replacing ISO 19600:2014) gives a global language consistent with ISO 9001 (quality), ISO 27001 (information security), and ISO 45001 (OHS). External audits are standardized, integration with existing management systems is natural, and board reporting is calibrated. Adopting the ISO 37301 structure is a strong year-one choice.

Program Architecture

Four-pillar architecture: Literacy · Risk Ownership · Audit · Horizon Scanning

Each pillar addresses a different compliance capability determinant with global frameworks and Indonesian regulation. The annual program weaves all four into a documented organizational discipline.

Pillar 1: Compliance Literacy (Workflow-First Instead of Regulation-First)

Compliance literacy calibrated to employee workflow per BU. UU PDP 27/2022 modules with real use cases (HR data, customer data, vendor data). UU 8/2010 APU-PPT modules for financial and relevant non-financial industries. Sectoral POJK / Permen modules. Anti-bribery module aligned with ISO 37001:2016 SMAP.

  • 100% of employees complete 4-8 hours of role-calibrated literacy
  • Acceptable Use Policy + AI Policy + Data Protection Policy ratified + signed by 100% of employees
  • Compliance helpline + whistleblowing channel running with metric tracking
Pillar 2: Risk Ownership at BU Level (ISO 31000 + COSO ERM)

Risk ownership shifted from the Risk Officer to the BU Head using the ISO 31000:2018 framework + COSO ERM 2017 (Strategy + Operations + Reporting + Compliance objectives). Live risk register per BU with inherent vs residual risk classification. Risk appetite statement ratified by the board.

  • Live risk register in every BU with inherent + residual + control + owner
  • Risk appetite statement ratified by the board, cascaded to BUs with tolerance limits
  • BU Heads complete 16 hours of risk ownership + annual risk culture maturity scoring
Pillar 3: Internal Audit & Assurance (ISO 19011:2018 + ISO 37301)

Internal auditors trained in ISO 19011:2018 with competency aligned to audit type (compliance, financial, operational, IT). Audits aligned with ISO 37301:2021 for the compliance management system + ISO 37001:2016 for SMAP. Risk-based audit plan prioritized by risk score rather than calendar-based scheduling.

  • 100% of internal auditors certified to ISO 19011:2018 lead auditor
  • Annual risk-based audit plan with at least 70% of audits focused on high-risk areas
  • Audit findings actioned within SLA + tracked on the executive dashboard
Pillar 4: Regulatory Horizon Scanning

Multi-source regulatory monitoring team (OJK, BI, KPK, Kemenkominfo, KPPU, Kemenkes, Kemenperin per industry). Quarterly regulatory horizon scan to the board + impact assessment per new regulation. Integration with the AI Council where a separate AI Governance pillar exists.

  • Quarterly regulatory horizon report to the Commissioners' Audit Committee + Board
  • Impact assessment delivered within 30 days for every relevant new regulation
  • Compliance roadmap updated quarterly based on the horizon scan
Annual Budget Envelope

Annual budget envelope by sectoral regulatory complexity

These ranges cover all four pillars + internal auditor certification + external audit preparation. Optional GRC software (MetricStream, ServiceNow GRC) sits outside the envelope.

| Organization | Program scope | Budget range | Notes |
|---|---|---|---|
| Mid-size non-financial enterprise (300-800 employees) | Four pillars focused on UU PDP + ISO 37001 SMAP + relevant sectoral | Rp 400-700M per year | First year focused on literacy + risk ownership + foundational audit. |
| Large non-financial enterprise (800-2500 employees) | Four full pillars + certification of 10-20 internal auditors + risk culture survey | Rp 700M - Rp 1.4B per year | Standard 12-month four-pillar rollout with ISO 37301 or ISO 37001 external audit preparation. |
| Bank / Insurance / Financial institution | Four pillars + specialized POJK 17/2023 + BCBS 239 + deep APU-PPT modules | Rp 1.2-2.2B per year | POJK 17/2023 carries high risk-culture maturity expectations. BCBS 239 for systemic banks. APU-PPT intensity high across all lines of business. |
| SOE with high GRC expectations | Four pillars + ISO 37001 SMAP audit prep + UKAP KPK + RKAP integration | Rp 1-1.8B per year | Procurement via SPSE LKPP. Envelope follows PMK 39/2024 and SBM K/L. ISO 37001 SMAP certification often part of Ministry of SOE targets. |
| Multinational subsidiary | Localized global compliance program + bilingual + global GRC alignment | Rp 800M - Rp 1.5B per year | Final contract approved by regional HQ. Bilingual ID/EN reporting. Aligned with FCPA / UK Bribery Act for the global group. |
Rollout Phases

Rollout phases: 30-day pilot → 90-day wave → 12-month org-wide

Phased rollout calibrates literacy to local workflow and prepares documentation for external audits.

Phase 1: Pilot, 30 days (Month 1)

Validate the four pillars with one pilot BU of 30-80 employees + compliance documentation preparation.

  • Pilot BU risk register with 15-30 identified risks (inherent + residual)
  • 8-hour literacy delivered to the entire pilot BU with workflow integration
  • Pilot internal auditors (3-5 people) complete ISO 19011:2018 foundation
  • Pilot retrospective with module + risk register template calibration
Phase 2: Wave 1, 90 days (Months 2-4)

Scale to 3 priority BUs with all four pillars + foundational compliance system documentation.

  • Live risk register in 3 priority BUs + risk appetite statement draft
  • 100% literacy in 3 priority BUs + Acceptable Use Policy + Data Protection Policy ratified
  • First-wave internal auditors (60% of target) complete ISO 19011:2018
  • Compliance Management System (CMS) aligned with ISO 37301:2021 draft v1.0
Phase 3: Wave 2-3, 180 days (Months 5-10)

Roll out to the rest of the organization + optional external audit certification + active horizon scanning.

  • 100% of employees complete literacy + 100% of BUs with live risk register
  • 100% of internal auditors ISO 19011:2018 certified
  • ISO 37301 CMS / ISO 37001 SMAP readiness for external audit if selected
  • Quarterly regulatory horizon report begins publishing
Phase 4: Sustaining, 60 days + renewal (Months 11-12 + renewal)

Formalize compliance & risk as a permanent organizational discipline.

  • Capstone report to the Commissioners' Audit Committee: risk register update, compliance posture, finding trend
  • Quarterly GRC Council established as a permanent forum
  • External ISO 37301 or ISO 37001 audit completed if selected
  • Year-two design with advanced focus (risk quantification, GRC tooling)
Org-Wide Success Metrics

Organization-level success metrics: beyond e-learning completion rate

Pick 5-7 metrics from this list before the program starts. Risk culture maturity and audit finding trend are the primary metrics.

| Metric | Target | Measurement source |
|---|---|---|
| Risk culture maturity score | Up ≥1 level (1-5 scale) within 12 months | Validated risk culture survey (IFC Risk Culture / KPMG framework), baseline + Q4 |
| Compliance literacy completion + assessment pass rate | 100% completion within 12 months + ≥85% assessment pass rate | LMS + post-training assessment |
| Risk register live across all BUs | 100% of BUs have a live risk register reviewed at least quarterly | Risk register audit + dashboard tracking |
| Audit findings actioned within SLA | ≥90% of high-risk findings closed within SLA, ≥80% of medium-risk | Audit issue tracking system |
| Whistleblowing channel utilization rate | ≥1.5 reports per 100 employees per year (global benchmark) | Whistleblowing channel log (anonymous) |
| Compliance repeat findings | Down ≥30% within 12 months (audit-to-audit) | Audit issue tracking system with repeat tagging |
| Internal auditors ISO 19011:2018 certified | 100% of internal auditors certified within 12 months | Certification register |
| Regulatory horizon scan adoption | 100% of relevant new regulations have an impact assessment within 30 days | Regulatory tracker with SLA |
Decision Aid

Four-pillar annual theme vs Generic compliance e-learning vs Compliance Unit briefing only

Three approaches often taken by enterprises for compliance & risk, with very different capability impact profiles.

| Criterion | Generic compliance e-learning | Four-pillar annual theme ★ | Compliance Unit briefing only |
|---|---|---|---|
| Typical annual budget | Rp 100-300M | Rp 400M - Rp 2.2B | Rp 150-400M (in-house) |
| Workflow-first literacy | Regulation language | Calibrated per role + workflow | Partial |
| Risk ownership at BU level | None | Yes: live risk register per BU | No |
| Risk-based audit + ISO 19011 | Calendar-based audit | Risk-based + certified auditors | Ad-hoc audit |
| Regulatory horizon scanning | Reactive | Quarterly scan + impact assessment | Reactive |
| Aligned with ISO 37301 / SMAP / COSO | Not aligned to a standard | Aligned + audit prep | Partial |
Engagement Path

Neksus engagement flow for a year-long compliance & risk theme

  1. Kickoff & GRC maturity diagnostic (4 weeks), Weeks 1-4
     Two-day workshop with CEO + CCO + CRO + Commissioners' Audit Committee + 15 BU Head interviews + baseline risk culture survey + historical audit finding analysis. Output: program charter + maturity assessment + rollout design.

  2. 30-day single-BU pilot, Month 2
     Four-pillar rollout to one pilot BU. Risk register built, 8-hour literacy, pilot internal auditors ISO 19011:2018 foundation. The Neksus team and pilot-BU GRC Champions work side by side.

  3. Pilot retro & calibration (2 weeks), early Month 3
     Retrospective workshop. Modules adjusted to feedback. Risk register template and ISO 37301 CMS framework refined. Wave 1 (3 priority BUs) plan agreed.

  4. Wave 1: 3 priority BUs (90 days), Months 3-5
     Live risk register in 3 BUs, 100% literacy, first-wave internal auditors ISO 19011:2018, CMS draft v1.0, risk appetite statement draft. Weekly calibration with the steering committee.

  5. Wave 2-3: all BUs + audit prep (180 days), Months 6-11
     Rollout to the rest of the organization. Auditors 100% certified. ISO 37301 CMS or ISO 37001 SMAP audit readiness if selected. Quarterly regulatory horizon scan published.

  6. Capstone & year-two design, Month 12
     Capstone report to the Commissioners' Audit Committee with risk culture maturity, compliance posture, finding trend, regulatory readiness. Year-two design workshop with focus on risk quantification + GRC tooling.

Program Governance

Program governance: who, what role, what cadence

Clear governance prevents compliance from collapsing back into an isolated unit and preserves assurance independence.

Commissioners' Audit Committee (Independent)
Quarterly (aligned with the audit committee cycle)

Highest oversight of compliance & risk capability. Review annual capstone report, ratify audit charter, approve risk appetite statement. Accountable to shareholders + regulators.

Steering Committee (CEO + CCO + CRO + CFO + Audit Committee Chair)
Quarterly

Executive sponsorship. Ratify compliance policy, allocate budget, prioritize waves, escalate cross-BU conflicts. Accountable to the Commissioners' Audit Committee.

GRC Council (CCO + CRO + Head of Internal Audit + Head of Legal + Head of HR + IT Security Lead)
Monthly

Review risk register updates, compliance findings, regulatory horizon scan, and thematic policies. Cross-functional decision making for borderline cases.

Program Office (GRC Program Manager + L&D Lead + PMO)
Weekly

Operational execution. Training scheduling, auditor certification coordination, monthly GRC dashboard, external certification partner coordination.

GRC Champions per BU (1-2 per BU)
Weekly check-ins, monthly all-champions

Risk owners in the BU, risk register update coordinators, peer trainers for literacy. 24-hour train-the-trainer + formal 10% work-time allocation.

Internal Audit Function (Independent)
Audits per cycle + monthly finding review

Risk-based audit aligned with ISO 19011:2018. Direct access to the Commissioners' Audit Committee for independence. Reporting bypasses the Board on sensitive topics.

Neksus Engagement Team (Account Director + GRC Architect + Lead Auditor Trainer)
Weekly steering call + onsite per wave

Co-design the program, facilitate literacy + risk + audit training, ISO 19011 trainer certification, escalate methodology.

Target Participants

Who joins from your organization: a multi-cohort design

The program moves governance tier, BU Heads, support functions, and all-employee cohorts in parallel with distinct curricula.

Commissioners' Audit Committee
3-5 people

Annual briefing on compliance posture, risk culture maturity, and regulatory horizon. 8 hours per year + capstone presentation.

Board + Executives (CEO, CCO, CRO, BU Heads)
10-25 people

Steering committee + risk ownership. ISO 37301 + COSO ERM + risk appetite statement module. 16 hours per year.

BU Heads + Senior Managers (Risk Owners)
30-100 people

BU risk ownership with ISO 31000 framework. Risk register building + reporting cadence. 24 hours.

Compliance Officers + Risk Officers (Line 2)
10-30 people

Deep module on ISO 37301:2021 CMS, ISO 37001:2016 SMAP, sectoral POJK, and oversight skills. 40 hours.

Internal Auditors (Line 3)
5-30 people depending on scale

ISO 19011:2018 lead auditor certification + ISO 37301 compliance audit + risk-based audit methodology. 80 hours + real capstone audit.

GRC Champions per BU
1-2 per BU

24-hour train-the-trainer for peer literacy + risk register maintenance. Formal 10% work-time allocation.

All-employee compliance literacy
100% of employees

4-8 hour module calibrated per role: UU PDP, APU-PPT (where relevant), anti-bribery, AI ethics, whistleblowing.

Program Risk Mitigations

Common failure modes and effective mitigations

Risk ownership stays with the Risk Officer; BU Heads refuse accountability

Risk register filled out by the Risk Officer alone; BU Heads formally sign with no understanding or ownership.

Mitigation: Risk register score becomes part of the BU Head KPI with 10-15% weight. Quarterly steering committee reviews per-BU risk culture. CEO openly recognizes BUs with the highest risk maturity.

Internal Audit loses independence under operational pressure

Audit findings softened before reporting to the Audit Committee, or sensitive audit areas skipped.

Mitigation: Internal Audit Charter with a reporting line direct to the Commissioners' Audit Committee (with no routing via CEO/CFO). Charter reviewed annually by the Audit Committee + independent external review every 3 years.

ISO 37301 / SMAP certification forced in year one with no foundation

The team prepares audit documentation in a crash; post-certification the system is not actually run; formal certificate with no effectiveness.

Mitigation: Year one focuses on the foundation (literacy + risk ownership + audit competency). External audit preparation is recommended for year two after the foundation has taken root. A year-one internal pilot audit measures readiness.

Compliance literacy fails because it speaks regulation language instead of workflow language

Employees 'pass' UU PDP e-learning and still forward client emails to a personal Gmail account because the literacy is not calibrated to their work context.

Mitigation: Literacy modules designed per role with real workflow use cases from the BU. Co-creation with BU Champions. Assessment is scenario-based rather than regulation multiple choice.

Whistleblowing channel dies because of low trust

The channel exists with zero reports; employees are unsure of anonymity protection or retaliation risk.

Mitigation: Channel hosted by an independent third party (not routed via internal HR/IT), CEO + Audit Committee communicate regularly on protection, and metrics are tracked publicly (anonymous aggregate). Investigation protocol documented.

Regulatory horizon scanning decays after 6 months

Quarterly horizon scan skipped when operational pressure rises; impact assessment of new regulation never produced; the enterprise is surprised at enforcement time.

Mitigation: Horizon scan becomes part of the CCO KPI + a dedicated regulatory analyst. Quarterly cadence locked into the board calendar. Subscribe to a regulatory monitoring service (Compliance.ai or equivalent) as input.

Typical Outcome Patterns

Typical outcome patterns from similar engagements

Context

Mid-size bank, 2200 employees, POJK 17/2023 high expectations, baseline risk culture maturity at level 2 (out of 5), high repeat audit findings.

Intervention

Four-pillar annual theme focused on POJK + BCBS 239 + deep APU-PPT. Pilot in Credit Risk, wave to Operations + Compliance + Treasury. Certification of 18 internal auditors to ISO 19011:2018. Live risk register in 12 BUs.

Indicative result

Risk culture maturity up from level 2 to 3 within 11 months. Repeat audit findings down 38%. POJK off-site supervision review showed risk management framework improvement. APU-PPT compliance posture acknowledged by the regulator.

Context

Energy SOE, 3500 employees, Ministry of SOE target for ISO 37001:2016 SMAP certification, baseline low whistleblowing channel utilization.

Intervention

Annual theme integrating ISO 37001 SMAP with KPK UKAP. Pilot in Procurement (high corruption risk area), wave across the entire SOE. Whistleblowing channel hosted by a third party. Risk owner shift to BU Heads.

Indicative result

ISO 37001:2016 certification audit completed with zero major findings. Whistleblowing channel utilization up from 0.3 to 2.1 reports per 100 employees per year. Procurement compliance posture acknowledged in the Ministry of SOE public report.

Context

Public-listed manufacturing enterprise, 1500 employees, preparing for IPO with GRC maturity questioned by auditors.

Intervention

Annual theme focused on ISO 37301:2021 CMS as backbone, ISO 31000 live risk register, and internal audit restructured for independence. 12-month roadmap to IPO auditor readiness.

Indicative result

GRC readiness assessment by the external auditor came back positive. ISO 37301:2021 external audit passed in year two as part of corporate governance differentiation versus peers. The Commissioners' Audit Committee was recognized as strong by the IPO underwriter.

Procurement Info

Procurement information

  • Contract format
    Structured annual theme (renewable). Multi-year engagement with an SOW agreed per year.
  • Location
    Onsite at the client office (Greater Jakarta with no added transport fee), regional onsite, or hybrid (onsite kickoff + bi-weekly online sessions + onsite audit training per region).
  • Delivery language
    Bahasa Indonesia (default) or bilingual ID/EN for multinational enterprises with global reporting.
  • Materials & participant certificates
    Structured modules, ISO 37301/37001/31000 + COSO ERM workbook, risk register + CMS template, 12-month alumni resource hub access, completion + ISO 19011:2018 lead auditor certificate (via accredited partner).
  • Optional external certification
    ISO 37301:2021 CMS audit preparation, ISO 37001:2016 SMAP audit preparation, or partner-led Risk Practitioner certification (FRM, PRMIA). 6-12 months of readiness support before the external audit.
  • Tax & e-procurement documentation
    PPN tax invoice, official receipt, BAST. SOE/government e-procurement (SPSE LKPP) supported. SBM K/L envelope for ministries and agencies.
  • Payment terms
    20% deposit on contract, 30% milestone per wave (3x), 20% balance after year-one capstone.
  • Optional add-ons
    Personal coaching for CCO/CRO (separate package), Commissioners' Audit Committee briefing series (90 minutes quarterly), GRC tooling implementation support (MetricStream, ServiceNow GRC), and external audit preparation.

Frequently Asked Questions

Discuss your organization's compliance & risk capability theme design

Share your industry sector, organization size, regulator expectations, and the GRC challenge you face. The Neksus team studies your context and returns an annual theme design within 5 business days.

  • Four integrated pillars (literacy ยท risk ownership ยท audit ยท horizon scanning) aligned with ISO 37301 + ISO 37001 + ISO 31000 + COSO ERM + UU PDP + APU-PPT + POJK
  • 30-day pilot → 90-day wave → 12-month org-wide
  • Internal auditors certified to ISO 19011:2018 lead auditor
  • Live risk register per BU with risk appetite statement ratified by the board
  • Capstone report to the Commissioners' Audit Committee with risk culture maturity + finding trend + regulatory readiness