Risk Management Framework Design Based on ISO 31000 and SCOR Model

In every large, medium and small industrial enterprise, risks inevitably occur in business processes. This study was conducted at a small and medium enterprise (SME) in Bantul, Yogyakarta. It was motivated by obstacles that often occur there: delays in delivery, product damage, and other problems. A risk management framework has an important role in reducing these problems. The approach uses ISO 31000 and the SCOR Model to build a proposed framework that improves risk management performance. Using the proposed framework, the risk identification process at Rajut Bamboo found 32 risks in its business processes. Risk mitigation is proposed for the seven risks in the high-risk category. After mitigation, risk codes (D3) unfinished product and absence of SOP, (M2) quality control takes a long time, (P5) unplanned overhead costs, and (A1) products in storage are damaged or lost dropped to the medium-risk category, while risk codes (D9) expensive packaging material costs, (D2) order time exceeds the specified time, and (M6) no mitigation planning dropped to the low-risk category.

Mirga Maulana Rachmadhani (Risk Management Framework Design Based on ISO 31000 and SCOR Model)
flow process. In the supply chain process, a measurement method can assist organizations/companies in making quick improvements, namely the Supply Chain Operation Reference (SCOR) (APICS, 2017). SCOR has six main processes, namely plan, source, make, deliver, return, and enable (Christopher, 2016). Thus, activities that may cause risk can be categorized according to the six primary processes of SCOR.
This study was conducted at one of the SMEs in Bantul, Yogyakarta. This industry produces handicrafts made of bamboo. Problems that often occur in this small industry are returned orders because they differ from buyer expectations, product damage during the production period caused by employee negligence, irregular production schedules caused by planning and running out of raw material inventory in the warehouse.
The current study uses ISO 31000 and the SCOR Model to design the proposed framework to increase risk management performance, as in previous research by de (Oliveira et al., 2017), which applied the ISO 31000 standard in the context of Supply Chain Risk Management (SCRM) as a framework for the company. Research by (Bukhori et al., 2015) was conducted on company XYZ regarding the poultry supply chain. The method used by Bukhori is SCOR, with the aim of assessing supply chain performance from two perspectives, namely internal business processes and dealing with customers.
Another study by (Ahmad et al., 2014) analyzed enterprise risk management implementation using empirical evidence from large Australian companies. In addition, (Nimmy et al., 2022) on risk management in the supply chain and (Ridwan et al., 2019) on risk management in SME Sate Bandeng found that some risks were identified. Moreover, in (Sari et al., 2017), risk identification, risk assessment, and responding to and controlling risks are carried out based on a risk management framework. The study by (Ekwere, 2016) considers risk management for Small and Medium Enterprises (SMEs). Ekwere argues that, compared to larger businesses, SMEs require the implementation of risk management strategies because they do not have the resources to deal with risk threats that can potentially harm SMEs in the future. However, the research conducted by de (Oliveira et al., 2017) and (Bukhori, 2015) has weaknesses in the application of working time, communication relationships between suppliers and buyers, and the absence of risk assessment in other industrial sectors. In contrast, research conducted by (Sari et al., 2017) and (Ekwere, 2016) emphasized that the framework and risk management process are indispensable in Small and Medium Enterprises (SMEs).
The objectives of the current study are to create a new framework combining the SCOR model and ISO 31000:2009 and to create risk mitigation based on it. The use of ISO 31000 and the SCOR model is intended to help researchers identify, assess and mitigate risks in business processes and supply chain flows at Rajut Bamboo.
Furthermore, according to (Zevallos, 2004) in his book entitled Risk Management Guidelines, risk management is a process that involves steps that can reduce or minimize the loss of an event that has a negative impact, and risk can assist in making decisions. It is based on steps consisting of context determination, risk identification, risk analysis, risk evaluation, risk, monitoring, and communicating risk in all activities or processes. Risk management helps in understanding the potential positive and negative aspects that can affect the company's activities and can simultaneously increase the chances of business success (Rubino, 2018).
Also, according to (Parviainen et al., 2021), the international standard ISO 31000 is a standard that can be used by all organizations in dealing with risks. One thing that distinguishes ISO 31000 from other risk management standards is that it has a broader and more conceptual perspective. Based on ISO 31000:2009, the risk management process consists of three main aspects: risk management principles (principles), risk management frameworks, and risk management processes (process). The relationship between these three aspects can be seen in Fig. 1.
ISSN 1693-6590, Vol. 21, No. 1, 2023, pp. 41-51
As for supply chain management, the supply chain itself is an organizational activity that distributes products and services to customers. In contrast to the supply chain, which is a physical network, Supply Chain Management covers everything from the supply of goods from suppliers to manufacturers through to the fulfillment of orders from customers (Christopher, 2016).
Supply Chain Operation Reference (SCOR) is a measurement method and benchmarking tool that helps organizations make quick improvements in supply chain processes (APICS, 2017). In its implementation, the SCOR system has six main processes that must be met before being implemented: Plan, Source, Make, Delivery, Return and Enable. Moreover, Supply Chain Risk Management (SCRM) in SCOR includes systematic identification, assessment and mitigation activities against potential disruptions in the logistics network to reduce negative impacts on supply chain network performance (Christopher, 2016). There are five measurement references in the SCOR model: Reliability, Responsiveness, Agility, Cost, and Asset Management. The contribution of this research is its use of the Design Science Research Methodology (DSRM), following (Venable et al., 2017) on choosing a design science research methodology.

Method
This study uses ISO 31000 and the SCOR Model to design the proposed framework to increase risk management performance. The data used in this study are primary data obtained directly through interviews with, and questionnaires filled out by, employees and business owners of Rajut Bamboo. The process flow in this study also uses the Design Science Research Methodology (DSRM) concept to make the research process flow easier to understand. An overview of the DSRM process model is shown in Fig. 2. Based on this general picture of the DSRM, the study process flow is explained in Fig. 3.

Proposed Framework Design of Risk Management
The proposed framework design uses the ISO 31000:2009 approach and the SCOR Model. In general, the framework consists of three main stages, namely context determination using the SCOR model, risk assessment, and risk treatment. Based on these three stages, Fig. 4 shows the design drawing of the proposed risk management framework. Besides those three stages, the proposed framework contains the elements of communication and consultation, monitoring and review, and recording and reporting. The communication and consultation process is carried out at every stage: each step of the process is communicated to and consulted with the owner for feedback. The monitoring and review process is also carried out at every stage, so that every process at all stages is monitored and reviewed. The recording and reporting process differs in that it is carried out at the final stage, to determine whether the mitigation carried out is correct or not. The recording and reporting process is also communicated to the owner.

Implementation
The case study was conducted at Rajut Bamboo, which is located in the Bantul area, Yogyakarta. In this case study, the proposed framework is implemented. Rajut Bamboo requires a proposed framework to improve the performance of its risk management system because several problems often occur, both outside and within the company.

First Stage (Context Determination by SCOR Model)
The first stage, determining the context using the SCOR model, defines the object of research, namely Rajut Bamboo, a company or business entity using bamboo as its primary raw material. The risk performance assessed is based on the SCOR 12 hierarchy by outlining the risk criteria from level 1 to level 3. At level 1, the assessment includes the processes of plan (planning), make (production process), source (source/supplier), delivery (delivery process), return (return process), and enable (management). Level 2 defines the categories within each level 1 process in order to identify metrics. Because metrics are used to identify the risks in each supply chain process, level 2 is sufficient to represent the metrics. The description of each level 1 and level 2 process and the grouping of metrics can be seen in Table 1.

Second Stage (Risk Assessment)

Risk Identification
Based on the performance matrix of plan, source, make, delivery, return and enable, 32 risk events were identified: five risks in the plan process, three in source, six in make, ten in delivery, six in return and two in enable. In the plan process, risks were identified from 3 SCOR attributes, namely reliability, responsiveness, and cost. In the source process, risks were identified from 2 SCOR attributes, namely agility and cost. In the make process, risks were identified from 3 SCOR attributes, namely responsiveness, agility, and cost. In the delivery process, the identified risks cover all 5 SCOR attributes: reliability, responsiveness, agility, cost and asset management. In the return process, risks were identified from 4 SCOR attributes, namely responsiveness, agility, cost, and asset management. In the enable process, the identified risks involve the asset management attribute. After the risks from each process are identified, the causes and impacts of those risks are identified. The causes of each risk are known from interviews with the owner. The cause (risk cause) and impact (risk impact) of each risk can be seen in Table 2.

Risk Analysis
The next stage is risk analysis, based on the risk identification list and the causes and impacts of risks obtained from observations and interviews with experts. Risk analysis is carried out by measuring the likelihood and consequences for the owner of Rajut Bamboo. The likelihood and consequence scales are shown in Table 3 and Table 4.

Recovered rows of the consequence scale (the rows before level 3 are incomplete in the source):
(level and label not recovered): the loss suffered by the company for each risk is more than one million rupiah up to two million five hundred thousand rupiah
3 Moderate: the loss suffered by the company for each risk is more than two million five hundred thousand rupiah up to five million rupiah
4 Major: the loss suffered by the company for each risk is more than five million rupiah up to ten million rupiah
5 Catastrophic: the loss suffered by the company per risk is more than ten million rupiah

The probability and consequence values obtained from the questionnaire distributed to respondents are shown in Table 5. Based on the likelihood and consequence results, there are seven risks in the red zone (high risk), namely D3, D9, M2, P5, D2, M6, and A1; thirteen risks in the yellow zone (medium risk), namely S2, P4, D1, D7, S1, D6, D10, R5, A2, P2, M1, M3, and D8; and twelve risks in the green zone (low risk), namely M4, M5, D5, R4, P1, P3, R2, R3, S3, D4, R1, and R9. The risk map from the likelihood and consequence assessment results is shown in Fig. 5.

Based on the risk map results, the next step is a fishbone analysis of the seven risks in the red zone (high risk). The fishbone analysis of one of the risks in the high-risk category, D3, is shown in Fig. 6. The risk with code D3 was identified using fishbone analysis (Ishikawa), with the top event being "Delivery of product Takes a Long Time."

Risk Evaluation
Based on the risk analysis and risk map above, the researcher found seven risks in the high-risk category (red zone). These risks are: D3 with the top event "Shipping takes time," D9 with the top event "Expensive packaging material costs," M2 with the top event "Quality control takes a long time," P5 with the top event "There are high costs arise outside of planning," D2 with the top event "Order time exceeds the specified time," M6 with the top event "No mitigation planning," and A1 with the top event "Storage product is damaged/lost." Risks belonging to the high-risk category (red zone) will be prioritized and handled at the risk mitigation stage.

Third Stage (Risk Treatment)
Based on the fishbone analysis of each risk, the next stage is to propose a risk mitigation strategy based on the root cause and effect of the seven risks that fall into the high-risk category (red zone). The risk mitigation proposals for the seven risks in the high-risk category are shown in Table 6.

A1
Cause: moldy stuff. Proposed mitigation: workers are given guidance on the level of water content in bamboo and are more careful in making sure the product is dried properly.
Cause: the temperature of storage is damp. Proposed mitigation: a room temperature meter is made or installed so that a good room temperature level can be monitored.

As a step in implementing the proposed mitigation strategy, a discussion was held with the owner of Rajut Bamboo to assess whether the proposed mitigation strategy could reduce the likelihood and impact of the risk shown in Fig. 7. The results of the discussion with the Rajut Bamboo owner, mapped into the new risk map, are shown in Table 7. Based on the results of the risk map, after the discussion the risk level of D3 drops to medium risk (yellow zone), D9 drops to low risk (green zone), M2 drops to medium risk (yellow zone), P5 drops to medium risk (yellow zone), D2 drops to low risk (green zone), M6 drops to low risk (green zone), and A1 drops to medium risk (yellow zone).

Conclusion
The conclusions that can be drawn from this research are as follows. First, a framework design using ISO 31000:2009 and the SCOR Model as an improvement in risk management performance has been successfully created and developed. By combining the two methods, a new framework can be created that can be used to improve risk management performance. This proposed framework has been implemented in a case study, and in its implementation the results are as expected. Second, based on the risk mitigation strategy and the results of discussions with the owner, the risk level of D3 fell to the medium-risk category, D9 fell to the low-risk category, M2 fell to the medium-risk category, P5 fell to the medium-risk category, D2 fell to the low-risk category, M6 fell to the low-risk category, and A1 fell to the medium-risk category.

Author Contribution: All authors contributed equally as main contributors to this paper. All authors read and approved the final paper.
Funding: This research received no external funding.

Conflicts of Interest: The authors declare no conflict of interest.