Risk Management 3.0 Response and Enhancement Plan
SAP BusinessObjects Risk Management 3.0
Business Blueprint Workshop
Response and Enhancement Plan
Version 1.0 Initial Release
SAP 2008 / Page 2
Business Blue Print Response and Enhancement Plan
Applies to:
SAP BusinessObjects Risk Management 3.0
Summary
This document is intended to explain the necessary steps required to configure Risk
Management 3.0.
Author(s): Customer Advisory Organization and Regional Implementation Group
Company: Governance, Risk, and Compliance
SAP BusinessObjects Division
Created on: August 2009
The following IMG activities are covered in this document:
1. Maintain Response and Enhancement Plan Purpose
2. Maintain Response and Enhancement Plan Completeness
3. Set Up Link from Control Results to RM
4. Convert Control Rating for RM Response Field
5. Maintain Response and Enhancement Plan Effectiveness
6. Maintain Enhancement Plan Types
7. Maintain Response Plan Types
Each IMG activity has the following sections:
Business context: Summarizes the business purpose.
Solution functionality: Shows the related UI screens.
Configuration and data gathering: Shows the IMG table, suggested interview questions, and data capture area.
Business Context
Response and Enhancement Plan Purpose
What is the Response and Enhancement Plan Purpose?
To maintain the overarching goal of the response tasks.
Why is Response and Enhancement Plan Purpose Important?
Defines the overall strategy for the response (e.g., do we want to work on preventing the risk from occurring, or focus our effort on developing recovery plans, knowing that we can't do anything to prevent the risk event?).
What are the Benefits of Response and Enhancement Plan Purpose?
Guides the response owner in shaping the response and subsequent actions to fit the needs
of the mitigation strategy.
Codifies the response plans to help determine if the response strategies being employed follow
specific patterns.
Business Context
Example Response and Enhancement Plan Purpose
Recall that Risk Management has two sides to the same coin:
Risk = negative outcome
Opportunity = positive outcome
Thus, for many companies the purpose of response plans is either to prevent or
recover from a risk, or to enrich or facilitate an opportunity.
For example, if your company has captured a risk relating to the potential for a
pandemic, it may employ two potential response actions:
Prevent: provide training to employees on how to handle personal illness
Recover: employ Business Continuity Plan relating to pandemics
Solution Functionality
Response and Enhancement Plan Purpose
Copy of UI
RM 3.0 allows you to configure the appropriate response types for your
company
Configuration and Data Gathering
Response and Enhancement Plan Purpose
Maintain Response and Enhancement Plan Purpose
In this Customizing activity, you maintain the specific purposes of responses to risks or enhancement
plans for opportunities. For example, you can define the purpose of the response as being preventive or
corrective.
Configuration and Data Gathering
Response and Enhancement Plan Purpose
When working with your response plans for risks, how would you categorize the response
purposes for your company?
When working with your response plans for opportunities, how would you categorize the
response purposes for your company?
Configuration Requirements
Response and Enhancement Plan Purpose
Response Code | Response Purpose Text
--- | ---
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
Business Context
Response and Enhancement Plan Completeness
What is Response and Enhancement Plan Completeness?
Percentages used to indicate how well a response is being managed with respect to a risk
or opportunity.
Why is Response and Enhancement Plan Completeness Important?
They provide an indication of whether or not response actions are actually being
implemented.
Response completeness is used to calculate the residual risk level (along with response
effectiveness).
What are the Benefits of Defining Response and Enhancement Plan Completeness?
Improved visibility into response progress.
Enable the tracking of the required work involved in performing the response plan.
Ensure a proactive response to managing risks by the Response Plan Owner
Business Context
Example Response and Enhancement Plan Completeness
Risk Management 3.0 allows the user to set a default percentage completion for a
response plan based on the start date for the plan. Once the plan is complete and a
finished date is entered, the completion percentage moves to 100%.
For example, if the Response Plan for a Pandemic is to develop a Business Continuity Plan
(BCP), the completion percentage could default to 20% (based on a configuration table) once
the Actual Start Date for the Response Plan is entered in the system.
Once the BCP is completed, the Response Owner can enter the Actual Finish Date for the
completion of the plan, resulting in a Completeness percentage of 100% (also based on the
configuration table).
It is also possible for the Response Owner to overwrite the percentage of completeness
based on the configuration tables by using the provided checkbox.
Solution Functionality
Response and Enhancement Plan Completeness
Actual Start Date and Actual Finish Date use a configuration table to determine the
Completeness of a Response. The checkbox can be used to over-write these
settings
Configuration and Data Gathering
Response and Enhancement Plan Completeness
Maintain Response and Enhancement Plan Completeness
In this Customizing activity, you maintain the date at which the default start and finish of the
"response completeness" takes place, together with a percentage degree of completion for
the response completion start and finish. (Note that for a risk, you enter data for a response,
but for an opportunity, you are entering data for an enhancement plan.)
Note: The Start Completion will default to 20% once the Start Date is entered in the User
Entry Screen. The remaining 80% will be added to the percentage of completion when the
Actual Finished Date is entered. In the Configuration table, the Start and Finished Completion
percentages must total 100%. These settings are time sensitive and can be activated by using the radio button.
Configuration and Data Gathering
Response and Enhancement Plan Completeness
What date would you like your default completeness percentages to be activated on?
Once a Start Date is entered for a Response Plan what should be the Default Value for
Completeness?
The Percentage for the Finished Completion field is the difference between your default start
percentage and 100% (example: 100% - 20% = 80%). What is the result for your company?
Configuration Requirements
Response and Enhancement Plan Completeness
Date Start Completion Finished Completion
1
2
3
4
5
6
7
8
10
Business Context
Link from Control Results to RM
What is the Link from Control Results to RM?
The link between Risk Management and Process Controls for Response Plans
Why is the Link from Control Results to RM Important?
The link can be used to leverage existing Control Plans from PC to help manage risks.
What are the Benefits of Defining the Link from Control Results to RM?
You can leverage your existing controls (or Response Plans) to help manage your company's
risks. In this way multiple risks can be handled via a single control.
In addition you can use your Risk Management system to provide Process Controls with
information on the effectiveness of its controls.
Business Context
Example Link from Control Results to RM
The Purchasing Organization may be maintaining multiple risks associated with fraud
relating to vendors or employees:
Fake vendors
Suspicious vendor selection
Missing Purchase Orders
Improper sign-offs
Each risk could be addressed uniquely within RM 3.0 with its own response plan. However, with the RM-PC link the user can leverage the existing Purchasing Controls within PC to
respond to the risks.
Finally, the Risk Management system could then be used to provide feedback to Process
Controls concerning the effectiveness of the control.
Solution Functionality
Link from Control Results to RM
RM 3.0 allows the User to create a Response, use an existing Response, or use a
Control from Process Controls.
Configuration and Data Gathering
Link from Control Results to RM
Set Up Link from Control Results to RM
Use
In this Customizing activity, you set up a link to the control results from the Process Control
application, which can subsequently be used in the Risk Management application. The control
results are stored in SAP Records Management in the form of "cases". The following two
criteria are used for classification: Completeness and Effectiveness.
TE = P/C effectiveness testing
CD = Control Design Assessment
CE = Control Self Assessment
CO = automated testing
MO = automated monitoring
Case Type or Entity Types = high-level grouping in PC (G_TL = testing, G_AS = assessment)
CL = Completeness, EF = Effectiveness
PC gives case type, category, rating (G, R, Y). Also decide for CL and EF.
Configuration and Data Gathering
Link from Control Results to RM
What Process Controls should be used in your RM 3.0 Application?
What Entity Types and Category combinations from Process Controls should be used to
retrieve the Controls?
Configuration Requirements
Link from Control Results to RM
Case Type Category Field
Business Context
Control Rating for RM Response Field
What is the Control Rating for RM Response Field?
Process Control maintains control ratings for each control depending on tests and
assessments. Each control is given a rating of Green (G), Yellow (Y), or Red (R) as to its Completeness and Effectiveness.
Why is the Control Rating for RM Response Field Important?
The Control Rating is important because it is used in RM 3.0 to adjust the Completeness
Percentage field for each response.
What are the Benefits of Defining the Control Rating for RM Response Field?
By adjusting the Control Rating rules for RM 3.0 you can better manage the effectiveness of
the response plan for your risks.
Business Context
Example Control Rating for RM Response Field
If you recall, the Purchasing Organization may be maintaining multiple risks associated with
fraud relating to vendors or employees:
Fake vendors
Suspicious vendor selection
Missing Purchase Orders
Improper sign-offs
Since these risks are using the Purchasing Controls as response strategies they are subject
to the effectiveness and completeness of the control.
As the Purchasing Control is tested/assessed and rated (G, Y, R) in PC, its ratings can be used to evaluate the effectiveness of the control for the risks being managed.
Solution Functionality
Control Rating for RM Response Field
RM 3.0 allows the User to create a Response, use an existing Response, or use a
Control from Process Controls.
Configuration and Data Gathering
Control Rating for RM Response Field
Convert Control Rating for RM Response Field
In this Customizing activity, you assign the completeness and effectiveness response fields
from Process Control, including the control rating, to a Risk Management response field. You
do this by specifying the percentage value with which the absolute control rating results from
Process Control are converted to a value in Risk Management.
Configuration and Data Gathering
Control Rating for RM Response Field
For each combination of Completeness and Effectiveness with Green (G), Yellow (Y), or Red (R), what
should be the default Completion Percentage in RM 3.0?
Completeness: G =
Completeness: Y =
Completeness: R =
Effectiveness: G =
Effectiveness: Y =
Effectiveness: R =
Configuration Requirements
Control Rating for RM Response Field
Field Rating Percentage
Business Context
Response and Enhancement Plan Effectiveness
What is Response and Enhancement Plan Effectiveness?
A qualitative and quantitative factor used to indicate how well a response is being managed
with respect to a risk or opportunity.
Why is Response and Enhancement Plan Effectiveness Important?
Assists the Response Owner and/or Risk Manager in determining the current effectiveness of
the response plan so that corrective action can be taken if necessary (e.g. change the
response action).
Response effectiveness is used to calculate the residual risk level (along with response
completeness).
What are the Benefits of Defining Response and Enhancement Plan Effectiveness?
Increased management of risks.
Better response categorization and control of response plans
Automatically adjusts the Residual Risk amounts.
Business Context
Example Response and Enhancement Plan Effectiveness
The owner of all of the Purchasing Organization risks can use the Response Plan Effectiveness
indicator to monitor how well the identified risks are being managed, adjust the residual risk,
and take corrective action if necessary.
Risk | Response Effectiveness | Eff % | Management Action
--- | --- | --- | ---
Fake vendors | Very Effective | 100% | None. Risk is being managed effectively
Suspicious vendor selection | Effective | 75% | None. Risk is being managed effectively
Missing Purchase Orders | Ineffective | 10% | Response Plan is not working. Immediate attention required
Improper sign-offs | Somewhat Effective | 50% | Response Plan needs to be reviewed
Business Context
Example Response and Enhancement Plan Effectiveness
Based on the grid for effective % the Residual Risk for each would be adjusted accordingly
Risk | Planned Response Reduction | Response Effectiveness | Eff % | Adj. Residual % (Eff % x Planned)
--- | --- | --- | --- | ---
Fake vendors | 100% | Very Effective | 100% | 100%
Suspicious vendor selection | 80% | Effective | 75% | 60%
Missing Purchase Orders | 95% | Ineffective | 10% | 9.5%
Improper sign-offs | 100% | Somewhat Effective | 50% | 50%
Solution Functionality
Response and Enhancement Plan Effectiveness
Configuration and Data Gathering
Response and Enhancement Plan Effectiveness
Maintain Response and Enhancement Plan Effectiveness
In this Customizing activity, you define levels for the effectiveness of responses to risks, as well
as the effectiveness of the enhancement plan for an opportunity. In this way you define how
effective your responses and enhancement plans are. The entries are user-defined.
Note: the effectiveness level is applied for risk responses as well as for enhancement plans for
opportunities.
Based on the selection, the associated Response Effectiveness Percentage is used to
calculate Residual Risks (Response Effectiveness % X Planned Probability)
Configuration and Data Gathering
Response and Enhancement Plan Effectiveness
Consider what type of relationship you would like to maintain between the percentage of
effectiveness of a response plan and a descriptive text.
You may wish to define the text portion before applying percentages. For example:
Ineffective = %
Slightly effective = %
Somewhat effective = %
Effective = %
Very Effective = %
Configuration Requirements
Response and Enhancement Plan Effectiveness
Effective Level | Response Effective % | Effectiveness Description
--- | --- | ---
0 | |
1 | |
2 | |
3 | |
4 | |
Business Context
Enhancement Plan Types
What are Enhancement Plan Types?
Used to categorize responses for Opportunities (enhance, ignore, watch, share, research)
Why are Enhancement Plan Types Important?
Allow you to categorize the different responses based on the type, or level of management
action and/or non-action that should be taken when responding to an opportunity.
What are the Benefits of Defining Enhancement Plan Types?
The Risk Manager can categorize the response plans for each opportunity and better assess and
allocate resources to enhancement plans requiring active participation (example: enhancing a
plan requires activity and ignoring does not).
Business Context
Example Enhancement Plan Types
Enhancement plan types can be used by the Purchasing Manager to better organize and
determine which opportunities will be allocated valuable resources.
For example, if there are two opportunities being managed:
1. Enhance supplier relationships
Response: Implement a Supply Chain Management system.
Response Type: Enhance
2. Build Strategic Buying Power
Response: Join internet buying consortium
Response type: Watch
Based on the Response Types, the 1st opportunity would be prioritized higher than the 2nd
based on its Enhance response type.
Solution Functionality
Enhancement Plan Types
Configuration and Data Gathering
Enhancement Plan Types
Maintain Enhancement Plan Types
In this Customizing activity, you maintain enhancement plan types for opportunities.
Configuration and Data Gathering
Enhancement Plan Types
How would your company like to categorize responses for opportunities?
A traditional model would include:
Enhance
Watch
Ignore
Share
Research
Configuration Requirements
Enhancement Plan Types
Type Description
Business Context
Response Plan Types
What are Response Plan Types?
Used to categorize responses for Risks (accept, watch, research, transfer, mitigate)
Why are Response Plan Types Important?
Allow you to categorize the different responses based on the type, or level of management
action and/or non-action that should be taken when responding to a Risk.
What are the Benefits of Defining Response Plan Types?
The Risk Manager can categorize the response plans for each risk and better assess and allocate
resources to risk response plans requiring active participation (example: mitigating a risk
requires activity and accepting does not).
Business Context
Example Response Plan Types
Like Enhancement Plan Types, Response plan types can be used by the Purchasing
Manager to better organize and determine which risks will be managed first.
In this example there are two risks being managed:
1. Fictitious Vendor Creation
Response: Develop vendor creation policy.
Response Type: Mitigate
2. Sole Source Vendor Selection
Response: Develop purchasing policy requiring a minimum of three vendor quotations
Response type: Research
Again, based on the Response Types, the 1st risk would be prioritized higher than the 2nd
based on its Mitigate response type.
Solution Functionality
Response Plan Types
Configuration and Data Gathering
Response Plan Types
Maintain Response Plan Types
In this Customizing activity you configure and maintain specific response types for the risks
defined.
Configuration and Data Gathering
Response Plan Types
How would your company like to categorize responses for risks?
A traditional model would include:
Accept
Watch
Research
Transfer
Mitigate
Configuration Requirements
Response Plan Types
Type Description