Risk Management in Private Companies and Public Sector Organizations: A Preliminary Comparative Study

Purpose – The effectiveness of risk management in an organization depends largely on its organizational culture as revealed in its governance structure and organizational process. The research question of this study is how to develop strategy to improve the effectiveness of risk management under the constraints of a given organizational culture. The objective of this study is to show that there are fundamental differences and similarities between the governance structure and organizational process that significantly influence the effectiveness of risk management in private companies and those in public sector organizations.
Methodology – To achieve the objective, legal documents of major public and private organizations are reviewed and key resource persons working for the organizations are interviewed.
Findings – This paper reports preliminary results that identify several important dimensions of governance structure and organizational process in both sectors that crucially influence the effectiveness of risk management.
Originality – Studies on the similarities and differences between public and private organizations in implementing risk management have been very rare. Very few studies explicitly address the effectiveness of risk management in the perspective of the comparative study. This study has never been carried out before, at least in the Indonesian context.


Introduction
It has been widely recognized that risk management significantly contributes to organizations, both private and public, in creating and protecting value. The effectiveness of risk management implementation in an organization critically depends on its culture which is revealed in the organizational process of decision making. The objective of this paper is to show that there are fundamental differences and similarities between decision-making processes that crucially influence the effectiveness of risk management in private companies and those in public sector organizations. Understanding the differences and the similarities becomes the key to the success of formulating a strategy to initiate and improve the implementation of risk management in both public and private sector organizations in Indonesia.
Differences and similarities between organizations in the public and private sectors have been a major topic in management studies. Van Der Wal et al. (2006) formulated important central values of government and business. They described similarities and differences between the underlying values of organizational management in the two sectors (Table 1). Caemmerer & Dewar (2013) investigated whether public sector organizations and their private counterparts fared the same in terms of service performance. They carried out a quantitative quasi-experimental study based on the SERVQUAL framework to compare recipients' service expectations and perceptions in private and public service settings. The results reveal no significant differences between expectations towards and perceptions of private and public services.
Rahman Khan & Khandaker (2016) attempted to ascertain the similarities and differences between public and private organizations based on the application and relevance of some important organizational concepts such as goals, goods and services, resource ownership, structure, culture, leadership and managership, and decision making. This analysis indicates that despite the manifestation of diverse variations between public and private organizations, in some cases they do share common attributes. For example, it is assumed that bureaucracy is the most dominant feature in public organizations, but such a model is also being followed by many big private organizations.
Likewise, private managerial practices and structural components are also being adopted by public organizations. In other words, they confirmed the existence of uniqueness and diversities of both public and private organizations. Unlike private organizations, public organizations traditionally do not operate in a competitive market and are largely chained by legal, economic, and political bindings. Due to internal and external pressures, public organizations have been forced to undergo structural and procedural changes and have undertaken many practices used by private organizations. Public organizations are also working in partnership with private organizations. All these changes are bringing public and private organizations closer, minimizing their gaps and helping to create a new form of organization called a "hybrid" organization.
Studies on the similarities and differences between public and private organizations in implementing risk management have been very rare. Recent studies on factors affecting the effectiveness of risk management do not explicitly address the differences and similarities between public and private sectors (Alijoyo & Fisabilillah, 2021; Posner & Stanton, 2014; Sheedy & Canestrari-Soh, 2023). Consequently, there is no clear basis for differentiating strategies of implementation and improvement of risk management in organizations in the two sectors. On the other hand, it is evident in Indonesia and other countries that the maturity level of risk management in public organizations is, in general, different from that in private companies.
Naturally, risk management maturity in organizations in highly regulated sectors (i.e., finance and other high-risk industries) is higher than that in non-finance and low-risk industries. It is also logical that generally the longer time risk management is implemented in an organization the higher the maturity level. Based on these assumptions, the two aspects (i.e., finance versus non-finance sectors and the number of years of risk management implementation) will be considered in the sampling method that will be discussed later in the methodology.
The remaining parts of the paper are organized as follows. In the following section, the methodology will be described. It is followed by a section describing the result and discussion. The paper will be concluded with a number of recommendations.

Research Methods
This article reports the result of a preliminary study. By "preliminary," it is meant that, to the best of the authors' knowledge, no previous report on the topic (comparative study on risk management in public and private sectors) has been publicly accessible. Accordingly, little is known about the topic. Therefore, qualitative and descriptive methods were employed in this study, without any attempt to answer questions of causality or demonstrate clear relationships among variables. In other words, this study is exploratory rather than explanatory. The target of this study is to produce tentative research questions or hypotheses to be tested with quantitative methods (or other more formal scientific approaches) in future research.
Six organizations that represent both sectors and industries are analyzed (see Table 2). Many dimensions should be considered in comparing private companies and public organizations in implementing risk management. Emphasis is given to the comparison of the main roles and structure of governance of risk management in organizations in the two sectors. To provide greater comprehension, the context of each sampled organization in implementing risk management will be described in the following section.
Data and other evidence for analysis were collected from publicly accessible sources. In-depth interviews with high-ranked officials (in total, 61 officials of one level under top management or higher ranks, from both sectors) were conducted virtually from January 2021 through February 2022 (14 months) to dig deeper for relevant information that provides clearer pictures from each case. No rigid procedure of interview, e.g., a standardized questionnaire, was used in this study. However, the interviews emphasized the following points in each sampled organization: historical background and motivation of risk management implementation; main roles, scope, and focus of risk management; adopted standard/system and the risk governance structure; assessment of risk maturity; and special characteristics or features of the implementation.
Before describing the summary of the in-depth interviews, important points from the literature study will be briefly sketched. Special attention is paid to the central role of the Indonesia Financial and Development Advisory Agency (Badan Pengawasan Keuangan dan Pembangunan, BPKP) in risk management in public sector organizations. BPKP functions as the second line of defense in the risk governance of the Government of Indonesia (The Institute of Internal Auditors, n.d.). All government organizations are obliged by law to implement the Government Internal Control System (Sistem Pengendalian Intern Pemerintah, SPIP), which is developed by BPKP. The system provides guidelines for risk management and a scheme for measuring the risk management maturity level of an organization (ranging from level 1 = the worst to level 5 = the best).
While all government organizations have to implement SPIP, most private companies adopt ISO 31000 as the guidelines for implementing risk management. Therefore, it is important to discuss some important points regarding the comparison between SPIP and ISO 31000.

The Role of National Government Internal Auditor (BPKP) in Risk Management in Public Sector Organizations
BPKP is a non-ministerial government agency that performs governing duties of supervision in financial and developmental affairs including auditing, consultancy, assistance, evaluation, corruption eradication, and education and training in supervision as stipulated in the government regulations. The results of the supervision are reported to the President as the head of the government for consideration in developing policies, executing the government, and fulfilling his or her accountability. The results are also needed by government agencies including regional governments for guiding the pursuit of improving the performance of their organizations.
The role of BPKP is very significant as the second line of defense in the risk governance structure of the Government of Indonesia. BPKP is responsible for the implementation of SPIP, including the development of the guidelines, the provision of education and training, coaching and consultancy, and competency development programs for public auditors (Aparat Pengawasan Intern Pemerintah, APIP).
One of the biggest external problems faced by BPKP is the fact that the audited financial statements of 99 (or 18% of the total) regional governments have not earned unqualified opinions. The root causes of the problem have been identified as the low commitment of top management to improving the capacity of APIP and the absence of a legal basis for risk management implementation in public sector organizations.
It is interesting to note that among 34 provincial governments in Indonesia, 24 that achieved maturity level 3 in the SPIP have a low level (lower than 3, on average) in the aspect of risk management. The other 10 provincial governments that achieved maturity of a level lower than 3, have a much lower level (lower than 2, on average) in the aspect of risk management. Similarly, among 514 district and municipality governments in Indonesia, 218 that achieved maturity level 3 in the SPIP have a low level (lower than 3, on average) in the aspect of risk management. In addition, 290 district and municipality governments have a very low level (nearly 1, the worst level) of risk management maturity. It is safe to conclude that on average the risk maturity level of regional governments in Indonesia is low or very low. The maturity levels of risk management in non-regional government organizations, i.e., ministries and agencies, are more heterogeneous. Some of them have been at advanced levels, whereas others are still in the initial stages.
Internally, BPKP also faces several serious problems. One of them is the lack of common perception of the strategic objectives of the organization, organizational commitment, and synergic collaboration among units within the organization. Furthermore, BPKP has not completely developed the design of integrated information technology to facilitate its tasks as the coordinator of SPIP (Sistem Pengendalian Internal Pemerintah) implementation in all government organizations.
Risk management has been implemented in BPKP since 2008 as part of the SPIP implementation. One important innovation within the risk management initiative is the application of risk-based audits. In 2021 BPKP published guidelines for ISO 31000-based risk management. Therefore, since its publication, BPKP has had two foundations (system and standard) for risk management, i.e., the SPIP and ISO 31000. With all the challenges and achievements, according to an internal assessment, BPKP succeeds in earning the predicate 'defined' (level 3) of risk maturity. This achievement gives more confidence to BPKP to become the role model of risk management in the public sector.

ISO 31000 and the Government Internal Control System (SPIP)
ISO 31000, which was launched on 13 November 2009, provides a standard for the implementation of risk management. A revised and harmonized ISO/IEC Guide 73 was published at the same time. The ISO 31000:2009 is aimed to be applicable and adaptable for "any public, private or community enterprise, association, group or individual". An update to ISO 31000 was added in early 2018. The update is different in that "ISO 31000:2018 provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization." (https://www.iso.org/standard/).
Risk standards or systems adopted by an organization are important factors that influence the effectiveness of the implementation. Most private companies, including those owned by the government, adopt ISO 31000 as their risk management standard. Some state-owned enterprises (SOE) used to implement COSO ERM, but since the Ministry of SOE enacted a regulation on the obligation for every SOE to implement risk management, many SOEs started to adopt ISO 31000 (for a recent discussion on the progress of COSO, see Prewett & Terry, 2018). The ministry supports the establishment of the SOE Risk Management Forum (Forum Manajemen Risiko BUMN), a club of risk management professionals to facilitate the implementation of risk management in SOEs. The banking industry has additional risk management best practices that are regulated by the Financial Service Authority (Otoritas Jasa Keuangan, OJK).
All government organizations are obliged to adopt SPIP as the controlling system including the practices of risk management. Recent development shows that a number of ministries and other state organizations started to implement ISO 31000. The pioneer of this trend is the Ministry of Finance. It has been followed by other ministries (including the Ministry of Agrarian Affairs and Spatial Planning/National Land Agency) and several state organizations such as the Audit Board of the Republic of Indonesia (Badan Pemeriksa Keuangan Republik Indonesia, BPK RI) and BPKP.
The ISO 31000 standard consists of three main elements (pillars), i.e., principles, framework, and process of risk management (see Figure 1). The purpose of risk management (the creation and protection of value) is stated in the principles part of the standard. In addition, there are eight principles of risk management (integrated, structured and comprehensive, customized, inclusive, dynamic, best available information, human and cultural factors, and continual improvement). The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. Framework development encompasses integrating, designing, implementing, evaluating, and improving risk management across the organization. Leadership and commitment are central to the risk management framework. The risk management process involves the systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk (Badan Standardisasi Nasional, 2018).
The SPIP (Sistem Pengendalian Intern Pemerintah), which is derived from COSO 1992, consists of five elements, i.e., control environment, risk assessment, control activities, information and communication, and monitoring (see Figure 2). Although the SPIP is focused on internal control, it is relatively clear that these five elements are similar to the steps of a risk management process, which are described in the risk management standard of ISO 31000. A quick observation may lead to a misunderstanding that risk management is part of the SPIP that is derived from COSO 1992. A more careful analysis would, however, result in quite the contrary: the SPIP focuses more on the process of risk management and places relatively little emphasis on the principles and framework of risk management.
The SPIP provides a set of criteria for measuring implementation maturity. There are five levels of maturity in this system, namely rintisan (initial), berkembang (developing), terdefinisi (defined), terkelola dan terukur (managed and measured), and optimum (optimum). This measuring system is similar to that of the ERMA ISO 31000 RM3 (methodology and application of risk management maturity assessment based on ISO 31000).
In implementing the SPIP, the role of APIP (Aparat Pengawasan Intern Pemerintah, or Government Internal Inspection Official) is central. APIP has two functions, i.e., internal auditor and risk management functions. This point raises the question of independence, a principle that is fundamental in risk governance. In the IIA's Three Lines Model, internal audit has the role of independent and objective assurance and advice on all matters related to the achievement of objectives (The Institute of Internal Auditors, n.d.). It is difficult to maintain independence when a single unit functions as both second and third lines of defense.

Risk Management in the Ministry of Agrarian Affairs and Spatial Planning/National Land Agency (ATR/BPN)
The Ministry of ATR/BPN (Agraria dan Tata Ruang/Badan Pertanahan Nasional) has the duties dealing with agrarian/land and spatial planning in the government to assist the President in executing the government of the state. This ministry is directly under and responsible to the President. The main duty of this ministry is to formulate, establish, and execute policies on spatial systems, infrastructure, agrarian/land affairs, agrarian laws, land provision, land utilization control, and other agrarian/land affairs.
One strategic target of this ministry is to issue legal documents (land certificates) for 126 million packets by 2024. Until 2016, the capacity of the ministry to issue land certificates was 800 thousand documents at the maximum per year. In order to achieve the target, the ministry has to accelerate capacity development drastically. The business process must be reformed, including the deployment of external human resources and the application of new information technologies. On the other hand, the available budgeted fund is approximately only Rp 2.5 trillion per year. Any initiatives and efforts to match the strategic objective with the available resources will create risks. Therefore, the role of risk management becomes very strategic in this ministry.
The result of a recent assessment of the risk management maturity shows that the ministry achieves a risk management index of level 1 or 'ad hoc'. Efforts to create a risk register were made, but no reviews on whether they were sufficient and appropriate according to a standard (SPIP, ISO 31000, or any standard) were made evident. There has not yet been any organizational unit within the ministry that is exclusively dedicated to managing risks. For the time being, risk management has been taken care of by the Bureau of Finance and Government Owned Assets under the Secretary General of the ministry.
In early 2022, a swift move was made by the ministry in embarking on risk management improvement programs. A new ministerial decree on risk management was introduced. ISO 31000-based risk management training and certification programs for improving the risk competency of the top management and high-ranking (Echelon I and II) staff were intensively organized. These steps were meant to disseminate risk awareness in order to develop a risk culture in the ministry. Following these steps, a more permanent structural unit of the risk management task force was planned. A road map has been initiated for guiding risk management development toward 2024.

Risk Management at IPB University
Bogor Agricultural Institute (Institut Pertanian Bogor, IPB) is a national public university with a student body of over 26 thousand. Since its establishment in 1963, it has always been on the list of best universities in Indonesia together with older national public universities such as Universitas Indonesia (UI), Universitas Gadjah Mada (UGM), and Institut Teknologi Bandung (ITB). In 2020, the Ministry of Education and Culture ranked IPB as the best university in Indonesia. At the global level, the rank of IPB University consistently rises. In 2021 it was ranked 511-520 in the QS World University Rankings and was ranked 41 in the QS World University Rankings for the subject of agriculture and forestry. This has made the university one of the best agricultural universities in Asia.
IPB started implementing risk management in 2018 (Priyarsono et al., 2019). It followed UI, which had established a Risk Management Unit in 2015. IPB implements risk management not because it is regulated by the government, but because of the leadership of its top management. The Rector has wide professional experience as an expert consultant to many high-risk projects mainly in the mining and maritime industries, and he strongly believes that risk management contributes to achieving the objectives of an organization.
Initially, the risk management unit in IPB was an ad hoc small task force reporting directly to the Rector. This task force managed to embark on a risk management training and certification program for top-level officials of the university, including the Rector. The program was successful in granting the participants (approximately 80 top leaders) certificates of Qualified Chief Risk Officer (QCRO) and Qualified Risk Governance Professional (QRGP). In addition, documents on risk policy and risk guidelines (standard operating procedure) were published in the first year after the unit was established. In the second year, a more permanent official unit of risk management was introduced in the university's organizational structure. The new unit was named the Office of Risk Management and Work Environment Protection. It is led by the University Secretary who directly reports to the Rector. It has one risk specialist and one administrative staff. To support the unit, an ad hoc team of risk management specialists was established.
The first program of the new unit was to undertake operational and reputational risk management processes. Operational risks are related to educational activities, whereas reputational risks are related to the position of the university in the world university ranking systems. These steps provided opportunities for the team to apply risk management techniques with real data. However, the output of the activities has not been utilized in the organizational strategic process of the university.
The main problem faced in the risk management process was the available input data that contained mismatches between objectives and the corresponding key performance indicators. This problem is difficult to solve because risk management is not involved in the process of strategic planning. In other words, risk management has not been fully embedded in the organizational process of the university. It will take some more years to transform the strong leadership and commitment of the top management in implementing risk management to the involvement of risk management in the strategic decision-making process in the university.

Risk Management in PT AA
PT AA (or AA, for short) is recognized as one of the best general insurance companies in Indonesia by many rating agencies. It has been serving customers for more than half a century in several industries such as automotive, health, mining, agribusiness, and general commerce. AA is a subsidiary of a big business group. Its assets steadily grow and reached Rp 6.6 trillion in 2020.
Being a well-experienced player in the highly regulated insurance industry, AA (founded in 1956) complies with regulations issued by the OJK, including those related to risk management. Consequently, the risk governance structure and process in AA are generally in line with risk management standards (ISO 31000). The IIA's Three Lines Model is well implemented in both structure and functions of risk governance not only in the company as a single business entity but also as a member of a financial conglomeration. All management processes starting from planning and execution through monitoring and evaluation are well supported by the top management. In general, all staff under the leadership are committed to managing threats and opportunities in business activities.
A recent independent ISO 31000-based risk maturity assessment resulted in the conclusion that AA is in the third level ('Defined' level). It means that there is already a risk management framework that refers to the standard and begins to be integrated with the mission, governance, strategy, objectives, and operations through the design, implementation, evaluation, and improvement of risk management effectiveness. The risk management process refers to the standard and starts to be implemented according to the organization's needs to integrate the processes for managing risks into business processes. However, risk management has been carried out systematically based on a governance system supported by competencies to manage risks which tend to be uneven at various levels (Enterprise Risk Management Academy, 2022).
The support of information technology to the success of risk management in AA is remarkable. It is interesting to note that as a financial company, AA explicitly has formulated its performance targets using monetary values. In many cases, this kind of formulation can easily be translated into managerial actions by utilizing information technology. Applications of information technology also help the company in improving the quality of its risk culture.

Risk Management in PT Pelindo II
PT Pelindo II, a state-owned company founded in 1992, operates twelve major seaports mainly in Java and Sumatra, including Tanjung Priok, the busiest port in Indonesia. The company had assets of over Rp 52 trillion and employed more than 11 thousand people in 2019. In the same year, it earned a profit of over Rp 2.5 trillion. On 1 October 2021, together with Pelindo I, III, and IV, the company merged into one holding company namely PT Pelindo.
PT Pelindo II earned many awards from various public agencies including "The Most Resilient SOE Award", "The Best CEO Award", "The Best Public Service Provider Award", "The Best IT and Technology Governance Award", and other awards for several years. It established its risk management unit in 2006. The company can be considered one of the most experienced nonfinancial enterprises that formally implement risk management.
Risk management is well applied in the company and all its subsidiaries and branches. It is embedded in nearly all aspects of the organizational process including project activities, business processes, and compliance. The company's long-term plan (Rencana Jangka Panjang Perusahaan, RJPP) and the company's work plan and budget (Rencana Kerja dan Anggaran Perusahaan, RKAP) are developed with full consideration of ISO 31000-based risk management.
The priority level of risk management in the company varies over the years. In 2016, when the priority level was high, the company organized a forum attended by approximately 100 senior executives discussing risk awareness initiatives. In the following year, 324 high-ranked officials attended risk management training and competency certification programs. The programs significantly improved the risk culture in the company.

Risk Management in PT Bank BRI (Bank Rakyat Indonesia)
Founded in 1895, PT Bank Rakyat Indonesia (or BRI for short) is one of the biggest banks in Indonesia. The owner of this bank is the Government of Indonesia (56.75%). In 2019, the number of employees was more than 125 thousand, and net income was Rp 34.4 trillion. In 2020, the total assets were worth Rp 1512 trillion. BRI has nine subsidiaries, all of which are financial companies. BRI adopted a risk management standard based on OJK Regulations. However, Indonesia, as a member of the G-20 forum and other international forums such as the Financial Stability Board (FSB) and the Basel Committee on Banking Supervision (BCBS), has committed to adopting the recommendations produced by these forums. In line with that, the OJK in carrying out its duties cannot be separated from efforts to adopt these various recommendations. Therefore, BRI also refers to BASEL in the implementation of its risk management, especially for risk management methodological standards that have not been regulated. In order to implement reliable risk management, BRI adopted BASEL as a reference for the implementation of risk management internally, outside of what has been regulated by the OJK. BRI also adopts risk management based on ISO 31000 to improve the identification of opportunities and threats and to effectively allocate and use resources for risk treatment.
The maturity of risk management implementation at BRI is also reflected in the risk management awards that have been received. BRI managed to earn five awards in the 2021 GRC & Performance Excellence Award as an appreciation for the implementation of Governance, Risk, and Compliance (GRC) carried out by the company. The awards were The Best GRC Overall for Corporate Governance & Performance 2021 (Retail and Micro Banking), the Best Board of Commissioners in Banking Industries, the Best Chief Compliance Officer, and the Best Chief Risk Management Officer. The company has continued to maintain and improve Good Corporate Governance and Risk Management, and it always provides excellent service for customers in order to maintain the maturity level of the company's risk management. For further discussions on the role of GRC in the banking industry see Ullah et al. (2023) and Ilyas et al. (2020).
The implementation of risk management at BRI is slightly different from other organizations. BRI has a dedicated Risk Officer who has multiple reporting lines with a command line to the Risk Management Division and a coordination line to the Head of Business Units of the Regional Office, Branch, Sub-Branch, and Unit.
BRI strengthens the second-line functions in every activity and working unit which directed the risk management implementation in both business and operation. The risk management function aids business units in carrying out their business activities. The scope of assistance provided by the risk management function at the regional office level includes improvement of risk culture and the assessment of credit quality based on analysis of business opportunities and target markets, and data awareness. Credit and operational risks are of major concern at the regional office level. As reported by Saiful & Ayu (2019), those major risks affect bank financial performance in Indonesia.

Synthesis of the Findings
This study confirms a common belief that leadership (tone at the top, commitment of top management) is a very important success factor of risk management in an organization. Institutional environments such as regulation and the nature of stakeholders of the organization are influential too. In general, strong regulations (with clear incentive mechanisms) on risk management help organizations in improving their risk maturity. Conversely, in many public organizations, it is often more difficult to implement risk management, because there is no strong regulation or no clear incentive mechanism regarding risk management.
Companies in highly regulated industries are generally earlier in implementing risk management than those in less regulated industries. Since risk maturity level is positively correlated with the length of time (number of years) of risk management implementation, the risk maturity level of companies in highly regulated industries is generally higher than that of companies in less regulated industries. This point is obviously observed when financial companies are compared with their counterparts in non-financial industries.
In implementing risk management, all government organizations are obliged to adopt SPIP as a main reference. In SPIP risk management is considered a part of the control system; therefore, the risk management function does not explicitly exist in the governance structure of many government organizations. In many cases, the risk management function is taken care of by the internal audit unit (inspektorat).
In an organization where a risk management function does not exist in the governance structure, risks are usually managed by a non-permanent (ad hoc) task force. Risk maturity in an organization where risk is managed by an ad hoc task force tends to be low. With few exceptions, it is evident that most private companies are generally more mature in implementing risk management than their counterparts in the public sector. A remarkable exception is the case of the Ministry of Finance. In this ministry there are several organizational units whose main job is risk management, such as the Directorate General of Budget Financing and Risk Management (Direktorat Jenderal Pengelolaan Pembiayaan dan Manajemen Risiko) and the Fiscal Policy Agency (Badan Kebijakan Fiskal), which is responsible for, among other things, managing fiscal risks of the finance of state-owned enterprises (risiko fiskal dari keuangan BUMN).
Public organizations with high-risk maturity deliberately supplement their risk management systems with elements that are not covered in SPIP. A good example of this point is the case of the Ministry of Finance which evidently adopts elements of ISO 31000. This ministry has become a pioneer and role model of a public organization that effectively implements risk management. This fact implies that there is a need to modify SPIP by supplementing elements that are sufficient for reference in implementing risk management in government organizations.
As already mentioned in previous paragraphs, it is evident that public regulation on risk management is a key factor that can effectively improve the risk maturity of organizations both in the public as well as private sectors. This finding can in fact be generalized to a broader proposition that initiating and improving risk management in an organization requires a top-down approach (Carlsson-Wall et al., 2019). An important step to improve risk maturity is to create a critical mass of human resources that is competent in leading risk management implementation in the organization (Priyarsono & Munawar, 2020; Silva et al., 2013).

Limitations of the Study
As discussed in the introduction, comparative study on the management of private corporations versus public organizations has been a major topic in theories of organization. However, only very few studies explicitly address the effectiveness of risk management from the perspective of the comparative study. In addition, the number of papers on the practice of risk management published in scientific journals is relatively limited. Many of them discussed factors that determine the effectiveness of risk management, for example, Ranong & Phuenngam (2009), Zhao et al. (2013), Cormican (2014), Gottwald & Mensah (2015), and Kikwasi (2018). This situation hinders the effort to establish a strong theoretical foundation for a comparative study (between private and public organizations) on the effectiveness of risk management.
The research method employed in this study is descriptive and qualitative. Organizations were chosen by using a purposive sampling technique instead of the probabilistic sampling method. The number of organizations sampled is only six, although the number of resource persons (respondents) in this study is relatively sufficient. All these limitations prevent the paper from establishing good generalizations.

Future Study
As indicated in the title, this paper reports the preliminary results of a comparative study. It is expected, therefore, that this study will be followed by a further research project. For future projects, the following list of research questions, which are inspired by the in-depth interviews with key resource persons in this research, can be considered. These queries are derived from the key question, i.e., whether the strategies to improve risk maturity in private corporations and public organizations should be different or just the same (for the context of not-for-profit organizations, see, for example, Chen et al., 2019).
1. What are the differences and similarities between risk governance in private companies and public organizations? Do they adopt the same model of three lines?
2. Among the eight principles of risk management as described in ISO 31000, which principle is the most difficult to follow in private companies and public organizations? How balanced do they perceive the objective of creating value and protecting value?
3. Do private companies and public organizations adopt the framework of risk management as described in ISO 31000 (Plan, Do, Check, Act)?
4. Do private companies and public organizations adopt the process of risk management as described in ISO 31000? Are there any differences between the two sectors in following the process of risk management?
5. How do private companies and public organizations adopt technology for improving the effectiveness of risk management?
6. How important is the role of leadership in risk management in private companies and public organizations?
7. Are there any differences between risk culture in private companies and public organizations? Which culture is more conducive to risk management?
8. Do private companies and public organizations involve risk management in developing strategic planning? Do they behave the same or differently in managing strategic risks?
9. How do private companies and public organizations deal with legal risks? Do they behave the same or differently in dealing with legal risks?
10. How do private companies and public organizations deal with compliance risks? Do they behave the same or differently in dealing with compliance risks?
11. How is the quality of human resources for risk management in private companies and public organizations? What are the differences and similarities? How do they improve the quality of human resources for risk management?
12. How do private companies and public organizations allocate resources for risk management? Do they allocate the same percentage of the total budget for risk management?

Conclusions
This study attempts to compare the characteristics of risk management in public and private organizations. It is not easy to find a conclusive finding on whether risk maturity depends on sectors of the organization (public or private) or depends on other factors. However, this study finds that six aspects can be used to compare the characteristics, i.e., (1) role of leadership, (2) role of human resource, (3) regulation, (4) incentive mechanism, (5) complexity of stakeholders, and (6) organizational structure. In the first two aspects, there are similarities between the two types of organizations. On the other hand, there are clear and inherent differences between the two in the other four aspects (see Table 3). This finding explains the similarities and differences in risk management in organizations of the two sectors.
This study also suggests that some characteristics (mainly the institutional environment) embedded in an organization are responsible for determining its agility which influences the effectiveness of risk management. In general, the institutional environment of a public organization is more complicated than that of a private company. For example, to execute a new strategic initiative (e.g., risk management), a minister needs multiple approvals from multiple authorities (the president, the parliament, the finance minister, and other ministers). On the contrary, to execute the same initiative a director of a private company needs approval mainly from a single entity, i.e., the owner of the company.
Table 3
Role of leadership: In both types of organizations, leadership is a pivotal determinant of RM effectiveness. Consequently, a top-down approach is more effective than a bottom-up approach in initiating, implementing, and improving RM.
Role of human resource (HR): In both types of organizations, the role of HR (especially HR for RM) is important in initiating RM (risk awareness) as well as in improving RM maturity level. Consequently, the quality of RM implementation can be improved through HR development.
Regulation: RM is better implemented in well-regulated sectors such as the finance sector. In the public sector, the Ministry of Finance and the Bank of Indonesia are champions of RM. These organizations enact strong regulations on the implementation of RM. Similarly, RM in financial enterprises is generally more mature because of the strong regulations in the industry. Consequently, to improve RM maturity, especially in the public sector, stronger regulations are needed.
Incentive mechanism: RM is more effective in organizations where incentive mechanism regarding RM is clear and consistently implemented. In general, this incentive mechanism is weaker in public sector organizations. Consequently, to improve RM in public sector organizations stronger incentive mechanisms are needed, including mechanisms that relate RM to performance management.
Complexity of stakeholders: In general, organizations in the public sector have a greater number and more complex stakeholders (especially in the political environment that is often difficult to handle) than those in the private sector. As a result, the progress of RM in public sector organizations is slower than that in private sector organizations.
Organizational structure: In the public sector, RM is implemented only as a small part of SPIP. In a public sector organization generally, there is no working unit that is specially dedicated to managing risk (the second line in the Three Lines Model). Instead, the internal audit unit (inspektorat) handles RM. On the other hand, most major private organizations generally establish a special unit for handling RM. This may explain the difference between public and private organizations in their RM maturity levels. Consequently, it can be recommended that public sector organizations establish a working unit for RM (a specially dedicated unit as the second line in the Three Lines Model).
Source: processed data
In addition, this study can define a proposition that public organizations emphasize the important role of risk management in protecting values (managing downside risks), while private companies consider risk management not only as a value protector but also as a value creator (by exploiting opportunities). To prove the validity of this proposition a more analytical method of research is needed.
This study provides cases of organizations in the private and public sectors implementing risk management. In both sectors, the effectiveness of risk management critically depends on leadership and the quality of human resources. Therefore, it is recommended that, to improve the risk management maturity level, effective leadership (e.g., top-down approach) and human resource development (especially for human resources related to risk management) be given higher priority.
In general, there are specific characteristics of public sector organizations and the strategic environments in which they operate that hinder the organizations in their effort to initiate, implement, and improve risk management. Four aspects are responsible for this situation (see Table 3), i.e., regulation, incentive mechanism, the complexity of stakeholders, and organizational structure. Consequently, to develop risk management in public sector organizations these four aspects should be carefully considered.
For future research, two possible directions can be explored, i.e., quantitative analytical approach-based studies, and qualitative (grounded theory-based) case studies. In the former path, the population of organizations, the sampling method, and the quantitative variables should be formulated more formally. The transmission mechanism (causal relationship) among the variables should be established based on strong theoretical foundations. Empirical evidence can then be analyzed to verify the validity of the findings. In the latter path, the study should focus on the process of decision-making in organizations. Qualitative studies are needed to explore and develop well-defined concepts in risk management.
Both paths are important and necessary for understanding the fundamental differences and similarities between private companies and public organizations especially in the context of risk management decision making. A good understanding of key success factors will surely help the development of strategies to improve the effectiveness of risk management in both public and private organizations.