Overview of SAP BusinessObjects Risk Management 10.0

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

© 2011 SAP AG 1

Overview of SAP BusinessObjects

Risk Management 10.0

Applies to:

SAP BusinessObjects Risk Management 10.0, SAP NetWeaver 7.0, Enhancement Package 2. For more information, visit the Governance, Risk, and Compliance homepage

Summary

SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best practice management frameworks. This article provides a high level understanding of SAP GRC Risk Management10.0.and its Assessment work centre. It’s compiled from the information available on various SAP sites and from the expert sessions on GRC 10.0.

Author: Charukesh R Gaikwad

Company: KPMG India

Created on: 10 May 2011

Author Bio

Charukesh Gaikwad is working as SAP GRC Consultant in KPMG ERP Advisory services.

http://www.sdn.sap.com/irj/bpx/grc

Overview of SAP BusinessObjects Risk Management 10.0


© 2011 SAP AG 2

Table of Contents

Risk Management 10.0: Introduction .................................................................................................................. 3

New and Enhanced Features: Released Notes .............................................................................................. 3

New Focus Areas: ........................................................................................................................................... 3

Risk Management 10.0: Landscape ............................................................................................................... 4

Risk Terminology in GRC 10.0 ........................................................................................................................... 5

Risk Management Process ................................................................................................................................. 6

Workflows in Risk Management 10.0: ................................................................................................................ 7

Event-based workflows ................................................................................................................................... 7

Planner-based workflows ................................................................................................................................ 7

Integration: .......................................................................................................................................................... 8

Integration with EH&S ..................................................................................................................................... 8 Analysis Automation: ................................................................................................................................................... 8

Integration with Process Controls 10.0: ....................................................................................................................... 8

Reusing the PC Central Process Hierarchy in RM ....................................................................................................... 8

Assessment Work centre for Risk Management 10.0 ........................................................................................ 9

Risk Assessments ........................................................................................................................................... 9 Incident Management ................................................................................................................................................ 11

Scenario Management ............................................................................................................................................... 11

Surveys: ..................................................................................................................................................................... 12

Assessment Planning: ............................................................................................................................................... 12

Related Content ................................................................................................................................................ 13

Disclaimer and Liability Notice .......................................................................................................................... 14



© 2011 SAP AG 3

Risk Management 10.0: Introduction

SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best practice management frameworks. SAP Risk Management uses the various work centers of the GRC, in which you can carry out all Risk Management activities.

Risk Management 10.0 is part of newly released SAP Governance Risk & Compliance (GRC) 10.0 which also comprised of Access Control 10.0, Process control 10.0, and Global Trade Services.

New and Enhanced Features: Released Notes

SAP BusinessObjects Risk Management 10.0 includes the following new features and enhancements:

Multiple stakeholders can now participate in collaborative risk assessment, which improves productivity by reducing administrative time spent conducting workshops, by aggregating participant feedback, and by documenting risk assessment results.

The graphical view provides a visual workbench for non-experts to model risks and their relationship to business impacts and responses, and bridges the gap between risk management and the business functions of an organization.

By allowing risks to be assigned to corporate policies and enabling procedures to be assigned as risk mitigations, integration with policy management ensures that the company is appropriately mitigating the risks required to comply with the corporate policies currently in its residual risk profile.

Integrated issue management documents and follows up on issues identified for risks, activities, responses, opportunities and scenarios.

The risk catalog serves as a repository for risk templates and best-practice responses to risks. The catalog distributes risks across the organization and provides a unified view on risks across the enterprise.

The response catalog is a repository for best-practice risk responses to mitigate, transfer, and avoid risk.

Risk scoring is a new assessment tool that uses a point system approach to complement qualitative and quantitative risk assessment methods, thus making it easier for non-experts to assess risk.

Enhanced overview dashboards provide greater usability and aggregation capabilities when analyzing loss structure and reviewing risks.

New Focus Areas:

Source: SAP GRC Solutions 10.0: Live Expert Sessions



© 2011 SAP AG 4

Risk Management 10.0: Landscape

The GRC 10.0 suite runs on AS ABAP 7.02 SP6 or higher. Access Control, Process Control and Risk Management are contained in one ABAP add-on “GRCFND_A”

Source: GRC 10.0 Pre installation Guide on SAP BPX

Front end:

The front-end needs a web browser or (optionally) a client installation of the NetWeaver Business Client 3.0 (NWBC).The web browser can be used to access the embedded NWBC or GRC via the NetWeaver Portal

The Adobe flash player 10 is used for displaying dashboards e.g. RM heat map. SAPGUI 7.10 PL 15 or higher is required for administration or customizing tasks –note that SAPGUI 7.20 is recommended due to the end-of-maintenance of SAPGUI 7.10. The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.

Portal:

The NetWeaver Portal 7.02 can be used optionally. The GRC Portal Content contains the GRC Portal UI elements to access the GRC suite. The Portal’s AS Java can contain an Adobe Document Services instance, in effect Portal and ADS may be shared on one AS Java instance

ERP and Non SAP Business Applications:

The GRC solutions can communicate with SAP ERP and non-SAP business applications via plug-ins. NW Function Modules hold the AC functions for ERP systems without HR (former non-HR RTA).PC relevant features are contained in the plug-in GRCPIERP, for example, for running automated controls and the HR relevant functions for AC (former HR RTA).

GTS functions are part of the SLL-PI plug-in, for example, for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERP.Non-SAP ERP systems can also be connected via adapters from an SAP Partner company

BI Content:

NetWeaver BW can be used for reporting via the GRC BI Content.The GRC BI Content is part of BI Content 7.06NetWeaver BW 7.02 is used for the GRC BI Content.



© 2011 SAP AG 5

SAP NetWeaver 7.02 Search & Classification:

SAP NetWeaver 7.02 Search & Classification may be used for searching documents attached to objects in some GRC solutions, such as Process Control or Risk Management

Adobe Document Services:

An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms. Although it is technically optional, it is highly recommended for generating PDF reports. These ADS can be an existing instance and can also be shared with other applications

The Portal’s AS Java can contain an Adobe Document Services instance, so Portal and ADS may be shared on one AS Java instance.

Risk Terminology in GRC 10.0

Risk Management, Process Control, and Access Control have several risk-related terms. The following table provides an overview of risk terms, their definitions and the location in the applications where they are used.

Term Explanation Location in Application

Risk Management

SAP NetWeaver application for managing enterprise-wide risks

Entire Risk Management application

Risk An uncertain event or condition that, if it occurs, has a negative impact on business objectives

Entire Risk Management application

Risk assessment

The evaluation of risks through definition and mitigation via responses

Assessments work center

Risk template A template to be used for creating actual risks

Master Data work center, Risk Catalog

Primary risk A risk used in a scenario, which has no risks influencing it

Assessments work center, Scenario Management

Top risks A report containing user-defined risks that are very significant to management

Reports and Analytics work center, Management section

Influenced risk A risk influenced by another risk Assessments work center, Risks and Opportunities

Affected risk A risk affected by a response Assessments work center, Responses

Risk event A risk that has not occurred Assessments work center, Incident Management

Inherent risk Overall risk before response Assessments work center, Risks and Opportunities, Analysis tab of a risk

Residual risk Overall risk after response Assessments work center, Risks and Opportunities, Analysis tab of a risk

Proposed risk, risk proposal

A risk proposed by a casual user My Home work center, Ad-hoc tasks

Risk appetite Level of risk to be supported, which can be described qualitatively and quantitatively

Master Data work center, Organizations

Underlying risk Risk defined on lower level of organization Assessments work center, Risks and Opportunities

Risk category User-defined category of risk Master Data work center, Risks and Responses, Risk Catalog

Parent risk category

A high-level user-defined risk category Master Data work center, Risks and Responses, Risk Catalog

Risk incident An incident entered directly for a risk Assessments work center, Risks and Opportunities, Risk Incidents tab, and Incident Management section.

Risk level Specifies degree of risk using traffic light icons

Assessments work center, Risks and Opportunities

Risk factor Synonym of influence factor, a risk with Assessments work center, Risks and



© 2011 SAP AG 6

probability and impact data attached Opportunities

Risk summary A report summarizing all risks per period, organization, and so on

Reports and Analytics work center

Risk analysis Analysis of one risk Assessment work center, Risks and Opportunities, Analysis tab of a risk

Risk scenario A scenario containing several risks to be analyzed and evaluated

Assessments work center, Scenario Management

Risk aspect A field in reports evaluating risks. By checkmarking this field in reports, the user can see how an impact level would be rated if the risk were seen from the perspective (aspect) of a different organizational unit.

Reports and Analytics work center, Risks per Organizational Unit

Risk instance A risk template applied to an individual risk is considered as an instance of the risk template, or risk instance.

Assessments work center, Risks and Opportunities, Analysis tab

Local risk The same as a risk instance Assessments work center, Risks and Opportunities, Analysis tab

Access risk A risk defined for Access Control, specifying the severity of an irregularity related to Segregation of Duties (SOD) risks.

Access Management work center, Access Risk Analysis section

SOD risk The same as an access risk Access Management work center, Access Risk Analysis section

Risk Management Process



© 2011 SAP AG 7

Workflows in Risk Management 10.0:

The Risk Management application is shipped with a set of workflows that enable collaboration on risk

management activities within a company by making use of the standard SAP workflow functionality.

SAP workflows are based on the Guided Procedures that walk users through a risk management activity or

process. Workflows in Risk Management can be classified according to whether they are:

Event-based workflows

These are predefined end-to-end processes triggered by user actions such as proposing a risk. Event-based workflows are defined using business events: A business event involves the assignment of a workflow task to a recipient, which is also known as agent determinators. Following are the event based workflows.

Workflow name Description Trigger

Risk proposal Ensures that users review a (potential) risk entered through the Propose Risk application and rework it if needed before it is stored in the risk database.

Risk proposed.

Incident validation Ensures that users check a reported incident for completeness and accuracy before it is stored in the incident database.

Incident posted.

KRI implementation request

Ensures the proper configuration and system setup for Key Risk Indicator (KRI) related data, which should be available for risk monitoring.

KRI implementation request.

KRI localization request Optional adjustment of an assigned KRI with respect to risk-specific settings

KRI localization request.

Propose control (for users of both Risk Management and Process Control)

Allows users (for example, Risk Managers) to propose a control to mitigate a risk. The control becomes part of the regular monitoring activities in Process Control.

Risk mitigation using controls.

Planner-based workflows

These are workflows that are planned and triggered through the Risk Management Planner function. Following are the planner based workflows.

Workflow name Description

Activity validation Allows a planner (for example, a risk manager) to obtain sign-off and confirmation on the current risk situation for an activity (such process, project, or company asset).

Risk validation Enables the risk manager to obtain sign-off and confirmation on the current risk (including the assigned responses).

Opportunity validation Enables the risk manager to obtain sign-off and confirmation on the current opportunity (including analysis and assigned enhancement plans).

Risk assessment Supports risk managers by providing an update for risks in their areas of responsibility by sending out risk assessment work items.

Opportunity assessment Supports the risk manager by providing an update for opportunities by sending out an opportunity assessment work item.

Response update Enables risk managers and risk owners to keep track of current risk responses by sending work items to the validator's work inbox



© 2011 SAP AG 8

Integration:

Integration with EH&S

Analysis Automation:

Some enterprise risks are related to environmental and worker safety. SAP has a separate solution, Environment, Health and Safety Management (EH&S), where such risks can be processed by the solution-specific mechanisms absent in operational risk management. Integrating EH&S using analysis automation allows you to track all enterprise risks using one application (Risk Management).

Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their probability and severity values, and copying those values to the corresponding analysis parameters according to rules predefined in Customizing.

Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk analysis. EH&S risk assessments are intended to be processed by an EH&S manager or other responsible user. Risk managers can use a specific report that runs in the background to track the current probability and impact levels of the EH&S-related risks that they create

Integration with Process Controls 10.0:

Risk templates are common to both Process Control and Risk Management. They can be defined and assigned from both the Risk Management and Process control applications.

Source: SAP Risk Management Application Help

Reusing the PC Central Process Hierarchy in RM

You can use the central PC subprocesses as activity categories in GRC Risk Management. Furthermore, you can use the local PC subprocesses as local activities in RM.

In this way, a defined RM activity category can later be used to assign (local) activities to it. Otherwise no direct assignment of a (local) activity to the activity category is possible. This enables you to structure your risk assessment and risk reporting processes, with the option of using the activity hierarchy (containing the assigned categories) primarily as a reporting or an assessment structure, or both.



© 2011 SAP AG 9

Assessment Work centre for Risk Management 10.0

Risk Assessments

The Risk Assessments section is used to create activities to be evaluated for risks and opportunities such as projects or business processes. These are assigned to risks and opportunities that you create. Besides specifying risks and opportunities, you can also:

Analyze the risks and enter the appropriate responses to mitigate these risks.

Document risks that have occurred (called “incidents”).

Define specific risk scenarios.

Run risk assessment surveys.

Risk and Opportunities:

Risks and Opportunities section is where you enter risks and opportunities for your organization. Both a risk and an opportunity can be defined with or without a template Risks and opportunities are defined as follows:

A risk is any event that can prevent management from meeting the business goals of an organization.

An opportunity represents an uncertain event or condition that, if it occurred, would have a positive

impact on business objectives. An opportunity can therefore be regarded as a positive aspect of a risk as defined in Risk Management.

Opportunity Management refers to the analysis of opportunities. The process involves the following steps:

Identifying and documenting the opportunities in an organization.

Analyzing the expected benefits of an opportunity.

Viewing and understanding any possible trade-offs between risks and opportunities.

Graphical View Risk Creation:

To centrally store risk-related information on an organization's risks and to simplify working with Risk

Management, the application contains several functions enabling you to work in a graphical and easy-to-use

interface.

The graphical view has the following functions:

Summary: This is a read-only section that provides overview information about the risk.

Identify Risk: You define the risk with all its dependent information using drag and drop.

Assess Risk: You assess the risk by entering or editing information about risk drivers, impacts, and

other objects, which you can drag to the working area of the screen.

Mitigate Risk: You can mitigate the risk by proposing new mitigation measures, existing responses,

or controls.

Risk Response and Enhancement plans:

A risk response is any counter-measure taken to mitigate a risk. Risk responses are planned and/or executed within the context of the given risk, and have the intention of reducing the risk exposure.

Documenting and managing response strategies helps to proactively manage risks in your organization. Responses can be used to lower the chance of the risk occurring (that is, the probability) or to lower the potential impact of the risk event if it occurs.



© 2011 SAP AG 10

The influence of the response on the risk exposure is split into the following three independent factors:

Mitigating reduction of all responses, leading to the calculated residual risk analysis.

Entering a value for the completeness of the response

Entering a value for the effectiveness of the response

The following three steps are essential to reducing the probability or impact of risks defined for an organization:

Define impact and probability data and Risk and Opportunity Analysis.

Reduce the impact and probability of the risk by creating responses and controls, enabling you to mitigate the risk and monitor the costs.

Carry out a risk analysis to view the results of the risk mitigation measures that were implemented, and make additional resources available if necessary.

Activities:

An activity is any project, process, or an object within your business or organization that might be affected by a specific risk.

Typical types of activities are:

Processes: Potentially all operational and administrative processes within an enterprise.

Projects: Potentially all internal and customer projects.

Objects: Refers to generic activities that are neither a project nor a process.

You can define all the activities that need to be monitored through dedicated risk management procedures, in this way structuring risk management in different areas of the business. These structures can later be used for reporting.You must assign all activities to an activity category.

For each activity, you can do the following:

Specify the activity category and validity period, as well as enter relevant constraints and assumptions for the activity.

Assign users/roles responsible for processing the activity.

Link the corresponding risks and opportunities identified for that activity.

Display any surveys to be executed for the activity.

Display and print out a PDF fact sheet with relevant activity information.

Working with Context:

Contexts in Risk Management enable you to store data from other networked applications, such as those in the SAP Business Suite. This data is then used to carry out assessments in Risk Management.The context of a risk describes the environment in which a risk can occur.

A context is made up of dimensions and their corresponding values. When you select a dimension, you more closely define the environment or context of the risk.

The focus is on integration with the following areas:

SAP Enterprise Asset Management (EAM)

SAP Environment, Health & Safety Management (EH&S)

SAP Management of Change (MOC)

Supply Chain Management (SCM)



© 2011 SAP AG 11

You can also use contexts to define your own customer-specific content. The following areas contain Context tabs that you can use to enter context data. Note that in some of these areas, the tab is called Allowed Dimensions.

Risks, risk templates, risk categories

Opportunities, opportunity templates, opportunity categories

Responses, response templates, enhancement plans

Risk Management reporting, where context dimensions can be used as reporting filters.

Risk Assessment reports:

In the Risk Assessment Reports section of the Risk Assessment work center, you can run various reports to review the results of your risk assessment process. You can run separate reports to evaluate your top risks and the incidents that occurred within a specific period.

Incident Management

Risks that occur are called incidents. For each recorded incident, you can also record individual losses. Documenting incidents provides historical information to identify and analyze the drivers of risks, and enables you to design response actions for risks that have characteristics similar to the documented incidents. The process of managing incidents involves recording them and includes validation to ensure that incident data is correct and properly states the impact of the incident. In this way, you can analyze, control, and understand your losses, so that you can decide on how to reduce them. You can use the workflow functions to carry out an analysis of your losses, and provide an audit trail for incidents leading to losses. The systematic recording of incidents enables you to:

Better predict your organization's risk exposure.

Anticipate new losses.

Monitor and mitigate existing risks.

Adjust existing risk practices where necessary.

In the incident management process, you document and save each incident, which then triggers a workflow item for the validator. The objective of the validation step is to ensure that the documented incident data is correct and represents an accurate impact on the organization.

Scenario Management

In Scenario Management, you can define scenarios to be used for Risk Management. Scenarios are events that link risks in a logical way and then show the effect of a scenario change on these events. After defining a scenario containing individual linked risks, you can use the scenarios that you have defined for simulation and testing.Scenarios can be managed by corporate risk managers, unit risk managers, or other risk owners. The tasks involved in scenario management are as follows:

Classifying and grouping scenarios via classifications and if necessary, scenario subclassifications if a detailed structure is needed

Deciding what organizational units, activity categories and risk categories are affected by each scenario

Providing an initial estimate of the impact of the scenario on the organization

Defining the risks and modeling their dependencies via the inclusion of influenced risks within the scenario

Forwarding this information to a group of risk owners, after which each risk can be documented by the risk owner it belongs to

All users responsible for risks can change the loss values for primary (that is, non-influenced) risks and see the results on influenced risks and on the scenario.



© 2011 SAP AG 12

Surveys:

A survey is a gathering of sample data or evaluations that is considered to be representative of the whole. Within GRC, surveys are used to obtain information on the existence and evaluation of risks (RM) or the adequacy of controls (PC). Surveys are used to carry out assessments on objects such as risks, activities, or policies, for example. The assessments are defined via plans in the Planner. Surveys can be handled via workflow or through the Survey library.

The Question and Survey Library:

The Question Library lists the user-defined questions that you can use within your surveys. Each question comprises the category, text and answer type of the question along with other information like its status (active/inactive) and the created by(user) and created on (date) information. Using the Question Library, you can create a new question, open question for editing, delete questions and upload question from file.

The Survey Library lists the user-defined surveys that you can use to obtain information on the existence and evaluation of risks (RM) or the adequacy of controls (PC). Each survey comprises the category, title and description of the survey along with other information like the questions in the survey, survey status (active/inactive) and the created by(user) and created on (date) information. Using the Survey Library, you can create a new survey, open surveys for editing and delete unscheduled surveys.

You can use the questions defined in the Question Library with the surveys listed in the Survey Library.

Assessment Planning:

Risk Management Planner:

Using the Planner, you can plan risk assessments, collaborative risk assessments, risk surveys, activity survey, risk indicator surveys, opportunity assessments, and risk and activity validation.

You can access the Planner under Assessment Planning in the Assessments work center. The window that opens displays all Process Control and Risk Management plans and associated activities.

Using the Planner, you can do the following:

Display existing plans, create a new plan, or copy and change an existing plan.

Display the organizations for which plans are to be used.

Display planning dates, including the start date, due date, and actual end date.

Display the status of a plan.

Split a plan, which has not executed, involving more than one organization.

http://help.sap.com/saphelp_grcrm10/helpdata/en/53/991c60e1484b4a94faf20e4f35f05b/frameset.htm



© 2011 SAP AG 13

Related Content

SAP BUSINESSOBJECTS ACCESS CONTROL 10.0

SAP Library- Risk management

SAP GRC Solutions 10.0: Live Expert Sessions

For more information, visit the Governance, Risk, and Compliance homepage

http://www.sdn.sap.com/irj/bpx/grc?rid=/webcontent/uuid/60450e87-bc4d-2e10-a18c-bd47b51cb646

http://help.sap.com/saphelp_grcrm10/helpdata/en/13/de98bd929b45ac9cb6ad56d3ccb9c8/frameset.htm

https://websmp205.sap-ag.de/~sapidb/011000358700000171482011E/

http://www.sdn.sap.com/irj/bpx/grc



© 2011 SAP AG 14

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.

Documents

Overview of SAP BusinessObjects Risk Management 10.0