Improving the Performance of the Balanced Scorecard Through Implementing Iso 31000 Risk Assessment at Shofa Pharmacy

This study aims to integrate the Balanced Scorecard and Risk Management at Shofa Pharmacy and its one branch. The risk assessment is based on the ISO 31000 framework model and the Balanced Scorecard is based on a financial perspective, a customer perspective, an internal business perspective and a learning and growth perspective. The results of risk identification show that the risks, faced by Shofa Pharmacy, are financial risk, operational risk, technology risk, business ethics risk, health and safety risk, economic risk, legal risk, political risk, market risk, and project risk. Based on the results of the analysis, the highest risk is a technology risk with the risk group in information technology protection, economic risk with the fall in a demand risk group, political risk with an inflation risk group and project risk with an evaluation risk group, then risk management is carried out to reduce the risk level.


Introduction
Health is a basic need that must be guaranteed by the state [1,2]. Pharmacy is an important part in the health sector, this is evidenced by the large number of production in the pharmaceutical sector and medical devices. In 2018 in the country of Indonesia there were around 227 pharmaceutical industries, 135 Traditional Medicine Industry/Natural Extract Extraction Industry (IOT/IERA), Small/Micro Medicines (UKKOT/ UMOT) around 1,976 small traditional medicine businesses, medical device production was also recorded in 2018 amounting to 208 medical device manufacturers, as well as production. In the distribution process itself, there were 2,274 pharmaceutical wholesalers in 2018, the number of pharmacies in 2018 was 28,233 and drug stores in 2018 were 10,773 and medical devices in 2018 were 3,831 companies [3].
The number of pharmacies in 2018 is the largest number for the pharmaceutical distribution process [3]. This means that pharmacies have an important role in supporting health to reach remote areas. Apotek Shofa is a drug retailer in the Ngawi Regency, East Java Province (Indonesia) and currently there is one branch. Based on observations and interviews that the author conducted, pharmacy owners experienced a decrease in the number of sales, problems in product availability so that they felt they could not meet market needs.
Based on Tab. 1, it shows that net sales at Shofa Pharmacy had experienced an increase in sales every year from 2016 to 2018, but then decreased in 2019, inversely proportionally to the total inventory, from 2017 to 2018 there was a decline, but rose again in 2019. Shofa Pharmacy as a company, which is engaged in pharmacy, certainly has some risks, but the fact is that Shofa pharmacies have not implemented modern risk management. This is very risky because at any time this company could experience damage or the effect of unidentified risks. The next fact is that pharmacies should also have good performance management, even though they have not implemented a balanced scorecard-based performance management.
The Balanced Scorecard (BSC) is a management tool in ensuring a company strategy that can be achieved with the presence of a balanced scorecard, it is hoped, that the company can encourage effectiveness and promote transparency and the process of implementing a corporate strategy so that it is more measurable and can be handled properly. Performance measurement of Business, management and accounting the implementation of a corporate strategy is often called as Key Performance Indicators (KPI). To achieve organizational goals requires the application of Enterprise Risk Management because the application of ERM in a company will be able to help control management activities so that the company can minimize the occurrence of errors that can harm the company and in the end the objectives are also achieved. The ERM and BSC systems share many elements [4]. As a result, an implemented BSC system can provide a unique platform for companies to leverage an existing infrastructure to benefit from ERM. BSC is used as a performance measurement, which is the company's goal in determining the success or failure of the strategy. Companies need the integration of both because the Balanced scorecard defines what and how the strategy needs to be executed, while ERM provides proactive and adaptive capabilities in the process of executing the defined strategy. In the end, the integration between ERM and Balanced Scorecard will improve performance in a company. So from the above thinking, to improve the performance of Shofa Pharmacy, researchers must know what risk factors affect performance in order to improve performance, then analyze the value of risk and its handling and analyze the performance of Shofa Pharmacy, based on the Balanced Scorecard, with four perspectives.
Competitive Adventage theory Competitive advantage is the ability a company gets through its characteristics and resources to be able to have a higher performance, compared to other companies in the same industry and market. [5,6]. Companies that have a competitive advantage always have the ability to understand changes in the market structure and are able to choose effective marketing strategies.
Competitive advantage is the company's ability to act better than other companies in the same industrial environment [5,7]. So far, the business world is known for its fairly fierce competition, so that managers must have the right patterns and ways to succeed in achieving company goals. Porter & Roach formulate competitive advantage as follows: first overall cost leadership, second differentiation and focus [8].
Enterprise Risk Management / ISO 31000 ISO 31000 [9], defines risk as the effect of uncertainty on the achievement of organizational goals, while for risk management itself ISO 31000 defines coordinated activities, carried out in order to manage and control an organization, related to the risks it faces, while the British Standards Institute (BS 4778, 1991) defines risk as "a combination of the probability or frequency of occurrence of the specified hazard and the magnitude of the event." Minimizing the risk of loss, it is necessary to carry out a risk assessment of a company, as well as in-depth analysis using risk management, based on ISO 31000 with various characteristics of the level, magnitude, complexity of risk in an organization. Therefore, this standard provides guidance on the principles and application of generic risk management. Before making a business decision, the associated risks need to be identified and an appropriate response plan needs to be developed to reduce, mitigate, or ideally eliminate potential adverse impacts [10], therefore Chapman [11] defines corporate risk management as: "a comprehensive and integrated framework for managing risk throughout the company to maximize corporate value". There are two main components in the risk management process in the standard ISO 31000 (2009) like tracking moving objects in a sequence of images. The method is based on the Weickert-Romeney-Viergever (additive operator splitting, namely a framework that guides the organization to understand the overall structure and workings of an organization's risk management and processes that describe actual methods of identifying, analyzing and managing risk Guidelines in implementing ISO 31000 [12].
Balance Scorecard According to Kaplan, 1992the Balanced scorecare was first introduced by Peter Drucker in 1954 [13]. Drucker argues that all employees must have a personal performance where employees in each division must contribute and participate in achieving the goals of each division, connected with the main goals of the company. This 4 perspective relationship concept introduces a company performance measurement system using certain criteria. These criteria are actually a description of the company's mission and strategy in the long term, which are classified into four different perspectives, namely financial, customer, internal business processes and growth learning perspectives.
Kaplan 1992expresses the concept of the Balanced Scorecard, made and developed to be a complement in measuring financial performance and as an important tool for corporate organizations to reflect new thinking to be more effective and more competitive [13].
The aim of this study is to integrate the Balanced Scorecard and Risk Management at Shofa Pharmacy and its one branch.

Research method
In this research, the company that will be studied is the Shofa Pharmacy, located in the Ngrambe, Ngawi in the East Java Province (Indonesia) area with already one branch in the same city. A company, engaged in the trade of drugs and medical devices that has been established since 2000.
The method in this research is a case study using the ISO 31000 model and the balanced scorecard. ISO 31000 risk management is a structured and systematic process in identifying, measuring, monitoring and controlling or minimizing risks that arise in business activities with the aim of avoiding greater losses. The process of determining the context will display the scope of risk to be carried out, then the risk assessment process will identify, analyze and evaluate risks so that it is hoped that risks will be identified at Shofa Pharmacy. The next step is to handle the previously discovered risks.
At the risk identification stage there are also criteria that are likely to occur, including possible criteria and impact criteria, namely: a. Probability Criteria ( Fig. 1) b. Impact Criteria (Fig. 2)

Fig. 1. The Level of Risk Probability Criteria at Apotek Shofa
The risk criteria will be the basis for measuring each impact and the likelihood of occurrence (likelihood risk) at the next stage, so that it can be a reference for determining the level of risk, evaluating and analyzing risks (Fig. 3).  The Balanced scorecard analysis is conducted to determine the company's performance against the risks of a business activity. This analysis will be carried out using 4 perspectives, namely financial, customer, internal business processes and learning and growth perspectives.
After knowing the performance of Shofa Pharmacy with the balanced scorecard analysis, an analysis of the relationship between risk management, based on ISO 31000 and balanced scorecard, is conducted (Fig. 4).
It is known from this study, that the combination of ISO 31000 and a balanced scorecard can align a company's efforts to face existing risks. Data collection techniques in this study are observation, interviews and questionnaires. The author directly observes company activities and accommodates different information needed in writing, then conducts interviews with company owners and provides questionnaires that have been compiled, based on existing indicators, both to the owner of the entity and to parties, related to the entity under study. Business, management and accounting

Result and discussion Proses Balance Scorecard
The internal business perspective will improve with the increase in the growth perspective, where the better the leadership and work motivation, the better the supply and distribution. Each Business, management and accounting balanced scorecard perspective at the Shofa Pharmacy has a reciprocal relationship with each other. The internal business perspective will improve with the increase in the growth perspective, where the better the leadership and work motivation, the better the supply and distribution. Increasing the quality of internal management is directly proportional to the increase in customer perspectives, where the quality of products and services is getting better and prices are getting lower. In the end, all these improvements in perspective will make finances even better seen from the cost structure and will automatically increase shareholder value (Fig. 5). The strategic balanced scorecard map for Shofa pharmacies can be achieved in 2021 by maximizing all lines of the strategy map. Cost leadership is a strategy that allows a company to make a quality product but at a low price, compared to its competitors. The strategic target that will be achieved by the Shofa Pharmacy is cost leadership (low cost) so that it can increase shareholder value / profit.

Business, management and accounting
According to the results of the balanced scorecard analysis of the Shofa Pharmacy in 2017-2019, it can be stated, that the company has poor performance. This value illustrates that the company has not focused on improving company performance in every perspective. Companies must be able to improve each perspective from the balanced scorecard. Company performance that only focuses on some aspects becomes ineffective because there will be imbalances in its management.
Based on the researcher's observations, it is known, that the low performance of the Shofa Pharmacy is caused by the financial, customer, internal business process and learning and growth perspectives that are interrelated. The results of the study found that the low performance of the company was mainly due to the inoperability of internal business processes, which was marked by a high percentage of defective products and delays by suppliers in delivering products. So to anticipate this in the coming years, company management needs to change suppliers and carry out quality control of the products received. In addition, there needs to be intense communication between the central and branch Shofa Pharmacy in order to create cooperation and mutual commitment in implementing the balanced scorecard.
The low performance of the internal business process perspective, based on the findings of this study, has influenced other perspectives, so that it does not produce balanced performance results. Therefore, management commitment in implementing the balanced scorecard needs to be disseminated to all central and branch employees continuously, in this case the company's vision and mission must be understood by all parties involved to be implemented consistently, thereby achieving stability of the performance of the company, four perspectives were studied.
Analisis Fishbone Fishbone diagrams are often called Cause-and-Effect Diagrams or Ishikawa. This diagram was introduced by Dr. Kaoru Ishikawa, a quality control expert from Japan, as one of the seven basic quality tools (7 basic quality tools). This section will analyze the indicators that are considered the most bored in the perspective of the balanced scorecard. This can be seen from the achievements that have not reached the target each year (Fig. 6)

Business, management and accounting
In the Fishbone balanced scorecard analysis, decreased sales growth is caused by five factors that are interrelated with one another. The provision of training and THR that are not on target is caused by several factors, such as the absence of objectives and awareness of the importance of employee training, lack of funds/costs for training and lack of understanding of employee satisfaction. Damaged products are also a factor, at Shofa Pharmacy, damaged products that always increase every year are caused by several factors, such as vendors, not checking the products to be sent and not conducting periodic product inspections and poor warehouse facilities.
Pre-orders that exceed the target are caused by several factors, such as the limited selection of vendors and the owner's lack of ability in supply chain management and weak communication between owners and vendors. Likewise, complaints are always increasing due to several factors, such as high employee turnover and short training periods. Limited product types and product arrangement have not been systematic, as well as checking the number of products manually, and still having one warehouse are also considered to be influencing factors.
In the Balanced Scorecard analysis, ROA at the Shofa Pharmacy has decreased every year studied, namely from 2017, 2018 and 2019 and none of them match the company's targets. ROA, which always decreases, is caused by several factors, such as the cost of employee salaries that continue to increase and operational costs that cannot be reduced. Low customer retention is also considered to be an influencing factor, as is the product cost price (HPP), which cannot be reduced.

ISO 31000 Risk Management Process
Risk management is a process of identifying, measuring risk, and forming a strategy to manage it through the available resources. Risk management aims to manage this risk so that it can obtain optimal results. The risk management process is divided into 5, namely setting the context, identifying risks, analyzing risks, evaluating risks and managing risks (Fig. 7). Determination of Context, Identification of Risks and Risk Analysis Determination of a risk context is the determination for consideration of compiling a risk register when managing risks, determining the scope, risk criteria for risk management policies. Risk criteria is a standard measure of how big the impact or consequence is likely to occur and how likely the risk will occur.

Business, management and accounting
Risk analysis is an attempt to understand risk more deeply. In this process, an assessment of the possible risks that have been identified will also be carried out. This risk analysis will be an input for risk and strategic decision-making processes regarding these risks.
Risk Map Risk map is a process, in which various business units or departments, organizational functions, or transaction process flows are mapped, based on risk types (Fig. 8).

Fig. 8. Risk Map (Inherent Risk)
Source: Data Primer In the Shofa Pharmacy itself, there are several findings of risks that often arise to disrupt the running of their business processes. The highest risk with a value of 20 (very high) is the lack of company knowledge about technology, where existing data is not backed up, resulting in loss of sales and inventory data. In terms of readiness of Shofa Pharmacy owners in facing price increases due to economic risks and political risks, they are also not good because of the high risk value, namely 16 (high).

Business, management and accounting
The next risk value is 12 in the medium category, where there are several risks, including non-standard accounting records, late delivery of goods / products from vendors, high employee turnover, disruption in business procedures and periodic evaluation. The risk with the next highest value is the risk value of nine (low), including the risk of theft at pharmacies, recording errors in financial reports, similar business competition within a 5 km radius, sales and inventory data at branches, cannot be accessed in real-time, and lack of owner's capacity in processing existing financial data.
The next risk value is six (low), the risk that has been identified is the risk of conducting periodic evaluations, the risk at the branch pharmacy that some products are not available and the risk of the Pharmacy's inability to collect debt. While the risks that are in the value of four and one are in the very low risk category, some of them are recommended product risks, all risks that are contained in legal risks, health and safety risks, and others.
Risk Evaluation and Risk Management After analyzing the context setting stage, identifying and analyzing the risks that may occur, the next step is to conduct a risk evaluation. Risk evaluation is a process for evaluating the level of danger of each risk using predetermined criteria, when determining the scope of risk management and determining the risk treatment to be determined [9].
The IT protection risk process has a risk level of 20, the risk of falling in demand & macro politics: inflation has a level of risk of 16, financial system risk, human resource risk, incorrect accounting risk, evaluation risk, process and system risk has a risk level of 12, Crime Risk, Communication Technology Use Risk, Incorrect Accounting Risk, Competition Risk has a risk level of 9 as well as Liquidity Risk, Process and System Risk, Evaluation has a risk level of 6, which is the level that is evaluated and is given treatment according to the temporary recommendations at risk levels 1 to 4, not done risk handling.
This risk evaluation and management process aims to assist companies in setting priorities regarding the implementation of actions in treating risk. Every risk that has been identified and its risk value analyzed, will then be recommended for handling it. According to Susilo and Kaho (2011), risk management is a stage to determine actions to be taken to treat risk with the aim of reducing or eliminating the impact and possibility of risk. The recommended handling is adjusted to the observations, made by the author, and based on the results of interviews, conducted with the owner of the Shofa Pharmacy. Each treatment recommendation, made by the author has been adjusted to the existing risks and the ability of the Shofa Pharmacy owner.

Risk Map Residual
Residual risk is the risk that remains after management has taken action to reduce the impact and likelihood of an adverse event, including control activities in response to risk.
Based on Fig. 9, the risk map after risk treatment has decreased in value but the risk of IT backup data protection remains outside the risk appetite. In the risk of IT backup data protection, it has decreased from the risk value of 20 to 15, but at the risk of inflation and fall in demand, the risk has decreased from 16 to 6 so that it is already below risk appetite. This risk reduction occurs because of the treatments that researchers have analyzed and recommended to Shofa Pharmacy owners.
Relationship between ISO 31000 Risk Management and Balance Scorecard Risk Register Analysis The Risk Register is used to identify, assess and manage risks to an acceptable level through a review and update process. The purpose of the Risk Register is to record details of all identified risks along with their analysis and plans for how risks will be treated.
Based on Tab. 2, the results of the Risk Register analysis, each risk in the balanced scorecard has different values and causes. Sales growth, which has decreased every year, was studied, getting an RPN of 20 with a very high category, as well as a decreasing ROA, also getting an RPN value of 20 with a very high category. In the value of RPN 12 in the moderate category, there is a risk of increasing the number of complaints and giving bonuses and allowances, when the salary is not on target. Meanwhile, the value of RPN 9 is in the low category, there is a risk of product pre-orders, exceeding the cycle time, and an increased percentage of damaged products. The result of the integration analysis between ERM ISO 31000 and Balanced Scorecard is done by dividing all identified risks, then dividing each risk into internal and external groups. Each risk group is also divided, based on 4 balanced scorecard perspectives and is assigned a risk score before treatment and a risk value after treatment.

Business, management and accounting
In the internal risk group, there are 3 types of perspectives, namely financial, internal business and learning and growth. From a financial perspective, there are several risks and 2 of the highest risks, namely the risk of the company, experiencing a decline in sales in a certain period and the risk of the company, not keeping books consistently. Both of these risks are very dangerous to internal financial perspectives because decreased sales will lead to bankruptcy and inconsistency in making bookkeeping that will create confusion / bias in financial reports, causing financial data that should be used as a reference in making strategies or goals can be wrong. Then from the internal business perspective there are also 2 perspectives with the highest risk value, namely the risk of distribution from vendors to pharmacies not going well and the risk of embezzlement of funds / goods in the company. Both of these risks are very dangerous to the internal business perspective of the Shofa Pharmacy because the vendor is the most important aspect in this company, so if the distribution cannot be done properly it will cause a shortage of drugs and medical devices to be sold. 5. Liquidity risk, information technology risk, financial system risk, process and system risk, licensing risk, child labor risk, misleading advertising risk, tax risk, counterfeit goods risk, privacy violation risk, policy risk, legal risk, risk contract, intellectual property risk, gratuity risk, tax risk, liquidity risk, information technology risk, human resource risk, process and system risk, IT protection risk, economic value risk, new goods risk (1) (2)  ISO 31000 Relation with Balance Scorecard The result of the integration analysis between ERM ISO 31000 and Balanced Scorecard is done by dividing all identified risks, then dividing each risk into internal and external groups. Each risk group is also divided, based on 4 balanced scorecard perspectives and is assigned a risk score before treatment and a risk value after treatment.
In the internal risk group, there are 3 types of perspectives, namely financial, internal business and learning and growth. From a financial perspective, there are several risks and 2 of the highest risks, namely the risk of the company, experiencing a decline in sales in a certain period and the risk of the company, not keeping books consistently. Both of these risks are very dangerous to internal financial perspectives because decreased sales will lead to bankruptcy and inconsistency in making bookkeeping that will create confusion / bias in financial reports, causing financial data that should be used as a reference in making strategies or goals can be wrong. Then from the internal business perspective there are also 2 perspectives with the highest risk value, namely the risk of distribution from vendors to pharmacies not going well and the risk of embezzlement of funds/goods in the company. Both of these risks are very dangerous to the internal business perspective of the Shofa Pharmacy because the vendor is the most important aspect in this company, so if the distribution cannot be done properly it will cause a shortage of drugs and medical devices to be sold.
The risk of embezzlement of funds / goods is also a very big risk if it often occurs because it can cause financial loss and the owner's trust with employees. In the perspective of learning and internal growth, there are several risks with the 2 highest risks being that employee turnover is quite high in the company and the company does not use an integrated technology system for each Business, management and accounting of its company's operations. Both of these risks are likely to be big risks because high employee turnover will cause new costs to be incurred by Shofa Pharmacy to recruit new employees and training costs, while the risk of a system that is not integrated for any operational activities will cause delays in information between the center and branches and at eventually the supplies that should have been distributed to the branch would be too late.
In the external risk group, there are 3 types of perspectives, namely financial, learning and growth and customers. From a financial perspective, there are 4 risks and 2 highest risks, namely the risk of inflation in the Indonesian economy, having an impact on companies and the risk of companies, not applying bookkeeping according to applicable accounting standards. The risk of economic inflation will be an uncontrollable risk if the pharmacy does not handle it properly, while the risk that occurs if the pharmacy does not carry out the bookkeeping process according to accounting standards will cause problems in the future if there are already outside shareholders or funders. From the perspective of learning and external growth there are 5 risks and the risk with the highest value is the risk that the company does not use external parties in building systems at the company, this risk will be greater if the Shofa Pharmacy has developed so that it requires a better technology system. From the perspective of external customers, there are 10 risks with the highest value being the risk of the company having competition with similar products within a 5km radius of the company, this risk is the risk that is caused by competition between pharmacies around the Shofa Pharmacy so that the owner must care about the services, provided to his customers. Each of these analyzes requires that Shofa Pharmacy is more concerned about internal and external risks that may occur. If every risk can be minimized with the application, recommended by the researcher, it is expected that Shofa Pharmacy will be able to improve the performance of the 4 perspectives in the balanced scorecard.

Conclusion
The relationship between Enterprise Risk Management (ERM) and Balanced Scorecard (BSC) is feasible to be applied in Shofa Pharmacy. After the BSC is integrated with ERM, the goals/targets of pharmacies that have been set are reflected in the 4 BSC perspectives, the strategic objectives will be more focused on achieving outcomes in 2021, namely in the form of system improvements in the Shofa Pharmacy management system. The four balanced scorecard perspectives provide a more comprehensive view of strategic planning, as well as a more comprehensive view of the possible risks that may arise as well as possible risk management in order to achieve pharmacy goals/objectives.
Based on the results of the analysis, from a financial perspective, it was found that the company experienced a decline in sales with a risk value of 20 (very high) then after recommendations for handling, the risk could be reduced to a value of 6 (low). This is indicated by the factor of Return of Assets (ROA) and declining sales growth, Fall in Demand and inaccurate bookkeeping, so that the control function does not work well.
There are 2 risks from the internal business perspective, the vendor supply chain distribution risk with a risk value of 12 (moderate), then after the recommended treatment it drops to 1 (very low), this is indicated by the distribution of vendors to pharmacies that are not going well, causing the Pre old order. Then the distribution risk of the central supply chain to branches with a risk value of 9 (low) to 4 (very low), this is indicated by the low ability of the distribution process from the center to the pharmacy branch, which causes a high rate of damaged products.
From the learning and growth perspective, there is a risk of implementing evaluation, giving bonuses and training to employees with a risk value of 12 (moderate), then after the treatment analysis drops to 6 (low). This is indicated by the company never implementing performance evaluation, data backup, giving bonuses and training to employees, so that bonuses and allowances are not on target, which causes high employee turnover. From the customer perspective, there is a risk of a complaint with a risk value of 9 (moderate), then 6 (low). This is marked by the provision of drugs that are not in accordance with what the customer needs, causing complaints to be made by the customer and also competition from similar companies, which also causes the customer to get other options for transactions, when they are not satisfied.

Business, management and accounting
The limitation in this study is that the theory used is limited to the balanced scorecard and risk management, based on ISO 31000, and has a small scope in data collection. Data collection is only limited to observation, interviews and giving questionnaires with the respondent being the owner of the Shofa Pharmacy. Each division did not contribute to providing data due to their busy schedule, so they could not take the time to participate in discussions or fill out questionnaires.
After the risk management analysis is carried out at Shofa Pharmacy, not all risks can be handled optimally. This is characterized by a reduction in the level of risk, where not all risks can reach a very low risk level (1)(2)(3)(4)(5). This is done by considering the relevance of risk management to the limitations of the Shofa Pharmacy in the technological and economic fields. The next limitation is the limited human resources in providing recommendations for handling. The Shofa Pharmacy still does not have employees with sufficient knowledge of risk management as well as other factors from outside the company that do not support the optimal handling recommendation.
For further research it is expected to add the scope in data collection, expand the types of risks, and create a more complete reporting system on the risk management system. For further research, it is hoped that it can develop measurements outside of this research in 4 perspectives and more in-depth research using ISO 31000.