7/27/2019 Using Risk Business Content with GRC - Risk Management and Process Control 10.0.pdf
1/18
SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com
2012 SAP AG
Applies to:
SAP GRC Risk Management 10.0 and SAP GRC Process Control 10.0
Summary
This document shows how customers can use content from RiskBusiness, an international risk advisory firm that specializes in the design and delivery of integrated operational and enterprise risk management solutions for financial institutions, with GRC Risk Management 10.0 and GRC Process Control 10.0. It is a how-to guide that describes a repeatable process that customers can use to deploy and manage content from RiskBusiness.
Author(s): Satyen Paneri (I822317)
Company: Governance, Risk, and Compliance
Analytics Division
Created on: November 20, 2012
Version 1.0
Using RiskBusiness Content with GRC Risk Management and Process Control 10.0
Using RiskBusiness Content With GRC Risk Management and Process Control 10.0
Document History

Document Version 1.00: Initial version
Typographic Conventions

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icons used in this document: Caution; Note or Important; Example; Recommendation or Tip.
Table of Contents

1. Business Scenario
2. About RiskBusiness
3. Prerequisites
4. Using RiskBusiness Content
   4.1 RiskBusiness Taxonomies
      4.1.1 Taxonomy Elements Mapping
      4.1.2 Taxonomy Elements Samples
      4.1.3 Taxonomy Elements Import Procedure
   4.2 RiskBusiness KRI Library
      4.2.1 KRI Library
      4.2.2 KRI Samples
      4.2.3 Using RiskBusiness KRIs
5. Appendix A Mapping Organizations in CLM
6. Copyright
1. Business Scenario

Risk management in the financial services industry is quite different from, and much more advanced than, risk management in other industries. Financial risk management includes different types of risk such as Credit Risk, Market Risk, Operational Risk, and Liquidity Risk.
Operational risk, as the name suggests, is risk arising from execution of a company's business
functions. It is a very broad concept which focuses on the risks arising from the people, systems and
processes through which a company operates. It also includes other categories such as fraud risks,
legal risks, physical or environmental risks. A widely used definition of operational risk is the one contained in the Basel II regulations (http://en.wikipedia.org/wiki/Basel_II). This definition states that operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
The approach to managing operational risk differs from that applied to other types of risk, because it is
not used to generate profit. In contrast, credit risk is exploited by lending institutions to create profit,
market risk is exploited by traders and fund managers, and insurance risk is exploited by insurers.
They all however manage operational risk to keep losses within their risk appetite - the amount of risk
they are prepared to accept in pursuit of their objectives. Unlike other types of risk, operational risk
impacts the entire organization, its people and all its business processes.
GRC Risk Management 10.0 Service Pack 05 delivers specific enhancements to support Operational Risk Management for financial institutions:
- Define and manage complex, dynamically changing organization, risk category, product and process hierarchies. Support multiple views (Management View, Legal View, Audit View, Basel View, Internal View, etc.) for the organization and risk category hierarchies.
- Manage internal and external loss events with allocation across multiple master data hierarchies. Loss events can also be easily uploaded to and downloaded from the solution.
- Continuously monitor internal and external data sources using key risk indicators and aggregate across organizations and risk categories.
- Perform risk control self-assessments, document issues, and manage resolution actions.
- Perform value-at-risk (VaR) simulations to determine capital requirements using the Advanced Measurement Approach (AMA). This is accomplished by exporting loss information from GRC-RM and using the NetWeaver (NW) certified partner solution QRR OpVision.
- Monitor the operational risk management program and comply with Basel and Solvency regulations using comprehensive reports and analytics.
The key benefits from these solution enhancements are:
- Improves the effectiveness of operational risk management with:
  o Loss reduction
  o Process optimization
  o Capital reduction
  o Increased rating agency confidence
  o Profit increases
- Compliance with regulatory operational risk requirements (Basel II and III)
- Enterprise solution leveraging GRC Access Control and Process Control
- Solution can be interconnected with various operative systems (HR, Credit Processing, Transactional Banking, etc.)
The operational risk management solution for banks and financial institutions was launched in Q4 2011, and the go-to-market materials are available at https://wiki.wdf.sap.corp/wiki/display/GFOSolutionBD/8+ORM+for+Banks+and+FI (internal SAP access only).
RiskBusiness is a content provider for the operational risk management solution and this document is
a how-to guide that describes a repeatable process that customers can use to deploy and manage
this content in GRC Risk Management 10.0 and GRC Process Control 10.0.
2. About RiskBusiness

RiskBusiness (http://www.riskbusiness.com/) is an international risk advisory firm comprised of industry professionals who specialize in the design and delivery of market-leading integrated operational and enterprise risk management solutions for financial institutions large and small. Over 175 of the world's largest and smallest banks, insurers, broker-dealers, hedge funds, asset managers and financial services institutions, in over 30 countries, have been using its more than 20 risk content, tools, information, advisory and education products and services for over 10 years. RiskBusiness provides numerous types of services for its clients, such as Risk Advisory Services, Risk Education Services, Risk Content Services (http://www.riskbusiness.com/Public.RiskContentServices.aspx), Risk Tool Services, and Risk Information Services.
The RiskBusiness integrated solution (shown in the figure below) enables organizations to build their risk capability across Business Function as well as Line of Business, providing greater risk intelligence to optimize compliance and business decision-making. This solution:
- Provides a platform with a flexible, integrated suite of risk management content and libraries with tools and information products to solve your specific needs
- Provides industry-leading, experience-based Taxonomy, KRI, and Scenario content to link processes, risks and controls in order to categorize, measure and manage risk
- Delivers subject-matter expertise and advice to implement and support risk management initiatives, regulatory compliance, business optimization and process improvement
The Integrated Risk Management Solution:
- Can be delivered in phases based on the timing of clients' needs
- Is a cost-effective risk management platform
- Can be instantiated into any existing platform, including Excel
- Is an enterprise-grade risk management tool designed to increase your return on investment in technology
- Supports multiple risk programs and risk functions
The SAP partnership leverages only the RiskBusiness content services: taxonomies, the KRI library, and the scenario library. This is because the operational risk management solution and platform are provided by SAP.

NOTE: Customers will have to license the required content and other services (implementation, advisory, and support) directly from RiskBusiness, as per their preference. SAP offers only the GRC Risk Management license; this document shows how customers can leverage RiskBusiness content with that solution.
3. Prerequisites

The following software must be installed, configured, and ready to use for this how-to guide:
- GRC 10.0 (Process Control and Risk Management) with Service Pack 05 (preferably with the latest service pack)
- GRC 10.0 Content Lifecycle Management (CLM)
This document also assumes that the user is familiar with PC, RM, and CLM functionality and usage. For additional help please refer to the following:
- GRC Risk Management 10.0 Help Portal (http://help.sap.com/rm)
- GRC Process Control 10.0 Help Portal (http://help.sap.com/pc)
- GRC Process Control 10.0 CLM User Guide (http://scn.sap.com/docs/DOC-1597)
- GRC Risk Management and Process Control 10.0 Content Starter Kits (https://scn.sap.com/docs/DOC-32582)
[Figure: RiskBusiness Integrated Risk Management Solution, spanning Risk Functions, Risk Programs and One or More Risk Platforms. Content shown: Taxonomy (Process, Risk & Control), Scenario Library, KRI Library, Risk Benchmarking Services (BBA, ABA, ABI etc.), Expertise. Processes shown: Scenario Mgmt Process, Compliance Process, Business Continuity Process, Capital Estimation/Mgmt Process, IT Security Process, Audit Process, SOX Process, Loss/Incident Mgmt Process, Risk/Control Assessment, KRI Mgmt Process. Legend: RBA Content, RBA Tools, RBA Advisory.]
4. Using RiskBusiness Content

Risk Content Services from RiskBusiness consists of three offerings:
- Taxonomies: an online encyclopaedia of standard, risk-related classification structures that users may browse, customize, map to internal models, map to existing industry models (Basel II, etc.), or apply in building or enhancing integrated risk management programs.
- KRI Library: a library of specific operational risk indicators, cross-linked to risk categories and business functions.
- Scenario Library: an extensive set of sample scenarios, created from one or more scenario event types.
This document shows how customers can leverage the RiskBusiness Taxonomies and KRI Library within GRC Risk Management 10.0 and GRC Process Control 10.0. It will later be enhanced to show how customers can leverage the Scenario Library.
4.1 RiskBusiness Taxonomies

A key issue confronting operational risk managers today is the lack of broadly accepted standards for risk-related data classification. Numerous, inconsistent classification structures are used both within and between individual firms and among different regions, regulatory authorities and products. This prevents easy comparison of data across different interest groups and users.
RiskBusiness taxonomies are a collection of risk classification hierarchies and consist of three primary components:
- Taxonomy Elements are the primary mechanism to categorize data related to risks, exposures, losses, and mitigation. Each taxonomy element has a name, description/definition, keywords, conditions, and qualifiers. These elements can be applied to loss data, risk and control assessments, indicators, scenarios and risk profiles. Examples of taxonomy elements are Risk Categories, Business Functions, Control Types, and Business Lines.
- Taxonomy Attributes are a generic way of classifying data and are typically used to augment or support information which has been classified using taxonomy elements. Taxonomy attributes are also typically not specific to the financial services industry; they are general industry standards published by internationally recognized bodies. Each taxonomy attribute has a name and a description/definition. Examples of taxonomy attributes are Geographical Regions, Currencies, Industries, and Control Classes.
- Taxonomy Dimensions are various mechanisms to sub-filter, scale or sub-classify data which has been primarily categorized using taxonomy elements. Each taxonomy dimension has a name, description/definition, and instances. Examples of taxonomy dimensions are Gross Income Bands, Headcount Bands, Customer Relationship Bands, and Asset Size Bands.
Taxonomy elements are designed with varying degrees of granularity and hierarchy depth, based on
experience with actual use in client initiatives. The greatest level of granularity occurs in the Risk
Category and Control Type hierarchies. But for all taxonomy elements, whether or not highly granular,
"base level" categories have been developed in accordance with strict rules of composition, designed
to create clear and consistent boundary conditions to support objective, unambiguous classification.
Customers subscribing to the RiskBusiness taxonomy services obtain software for creating and managing different taxonomies. This software allows users to browse, search, and manage multiple taxonomy libraries. The service can also be accessed programmatically (SDK) using an XML/SOAP based request/response mechanism. This SDK enables tight integration between the RiskBusiness platform and the operational risk management solution. Taxonomies can also be easily exported from the RiskBusiness platform into Excel (XLS) documents.
The SAP recommended approach for taxonomy content deployment is to export selected taxonomies into Excel (XLS) documents, translate them, and use CLM (Content Lifecycle Management) to upload them into GRC Risk Management 10.0 and GRC Process Control 10.0. This approach works well because the tight integration approach is more time consuming and needs consulting-type resources. Moreover, taxonomies map to GRC master data and, once set up, do not require frequent changes.
The elements are the primary component of the taxonomy service that maps to master data within operational risk solutions. The attributes and dimensions are means for further classification, sub-classification, and filtering of the elements. Typically the attributes and dimensions will map to certain master data object attributes and/or configuration (IMG) settings. This document describes how the elements are mapped and deployed as GRC master data. Users will have to determine which attributes and dimensions are applicable in their scenario and accordingly map and update the master data object or configuration setting. Such mappings are outside the scope of this document.
4.1.1 Taxonomy Elements Mapping
Taxonomy elements are collections of hierarchies of operational risk classification data. The table below lists the elements provided by RiskBusiness, their definition/usage, and the mapping to the corresponding GRC master data object.
Taxonomy Element: Business Lines
Definition: Hierarchical collection of business lines within a financial institution. Examples of banking business lines are Retail Banking, Commercial Banking, Trading & Sales, Corporate Finance, Asset Management, etc. Examples of insurance business lines are General Insurance, Reinsurance, Life, Insurance Broking, etc.
GRC master data object: Organizations master or dependent hierarchy. Customers may choose to use the business lines directly as the master organization hierarchy, or set them up as a dependent hierarchy with mappings to the master hierarchy for reporting.

Taxonomy Element: Products or Services
Definition: Hierarchical collection of products or services offered by a financial institution. Products/services are aligned with business lines. Products offered by the Retail Banking business are Retail Cards and Retail Credit; Commercial Banking offers Commercial Cards and Commercial Credit. Similarly, the General Insurance business offers Commercial Lines and Investment Products.
GRC master data object: Activity Hierarchy for Products/Services

Taxonomy Element: Business Functions
Definition: Business process structure for a financial institution.
GRC master data object: Activity Hierarchy for Business Processes

Taxonomy Element: Risk Categories
Definition: Risk classification structure primarily derived from Basel II definitions.
GRC master data object: Risk Catalog

Taxonomy Element: Control Types
Definition: Subprocess and control structure.
GRC master data object: Subprocesses and Central Controls

Taxonomy Element: Causal Type
Definition: Causes for loss events.
GRC master data object: Risk / Loss Driver Type

Taxonomy Element: Direct Impact Type
Definition: Direct business impact resulting from a loss event.
GRC master data object: Risk Impact Type

Taxonomy Element: Indirect Impact Type
Definition: Indirect business impact resulting from a loss event.
GRC master data object: Risk Impact Type

Taxonomy Element: Recovery Type
Definition: Types of recovery measures used by a financial institution.
GRC master data object: Risk Response Type
Each taxonomy element contains some key attributes. Elements may also contain additional attributes. The table below lists the key attributes along with a definition and the suggested mapping to GRC master data attributes.
Element Attribute: Name
Definition: Element name
GRC master data object attribute mapping: Object name. Supports only 40 characters.

Element Attribute: Level
Definition: Hierarchical level
GRC master data object attribute mapping: No direct mapping, but used for setting up object hierarchy relations.

Element Attribute: Definition
Definition: Element description
GRC master data object attribute mapping: Object description.

Element Attribute: Qualifications
Definition: Qualifiers (specified as includes and excludes) that help users further define usage of the element.
GRC master data object attribute mapping: No direct mapping. Will require setup of custom object attributes for loading into the operational risk solution. Users will typically use this attribute directly on the RiskBusiness platform to determine which elements are applicable for their use. Once this is done the qualification attribute has little significance for loading into the operational risk solution.

Element Attribute: Keywords
Definition: Search keywords, used for enterprise search within the RiskBusiness platform.
GRC master data object attribute mapping: No direct mapping. Will require setup of custom object attributes for loading into the operational risk solution. Users will typically use this attribute for searching and filtering data within the RiskBusiness platform. Once this is done the keywords attribute has little significance for loading into the operational risk solution.

Element Attribute: Unique ID
Definition: RiskBusiness-assigned unique identifier
GRC master data object attribute mapping: No direct mapping. Will require setup of custom object attributes for loading into the operational risk solution. Can be leveraged with the CLM package schema definition and upload procedure to support change management.
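The pre-flight checks a practitioner would run over the exported taxonomy rows before building a CLM package, as an added example that is not part of this guide and not RiskBusiness or SAP code: it rebuilds the hierarchy from the Level column (which has no GRC attribute of its own), applies the 40-character object name limit from the table above, reports sibling name collisions and repeated Unique IDs instead of silently loading them, and emits one flat record per object carrying its parent's Unique ID. The four-column row layout, the Unique ID format, and every name and definition are constructed for the example; the CLM package schema itself is not modelled.

```python
"""Pre-flight checks on a RiskBusiness taxonomy export before it becomes a CLM package.

Rows carry the four columns kept from the XLS export: (Unique ID, Level, Name,
Definition), in export order (depth-first, as the hierarchy is laid out).
All IDs, names and definitions below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

GRC_NAME_MAX = 40  # object name limit from the attribute-mapping table above


@dataclass
class Element:
    uid: str
    level: int
    name: str
    definition: str
    parent: Optional["Element"] = None
    children: list = field(default_factory=list)


def build_hierarchy(rows):
    """Rebuild parent/child relations from the Level column with a depth stack.

    A row whose level is deeper than the current depth + 1 has no parent to
    attach to; it is reported rather than attached to the wrong object."""
    roots, stack, findings = [], [], []
    for uid, level, name, definition in rows:
        el = Element(uid, level, name, definition)
        if level < 1 or level > len(stack) + 1:
            findings.append(("LEVEL_JUMP", uid, f"level {level} after depth {len(stack)}"))
            continue
        del stack[level - 1:]            # unwind to the parent's depth
        if stack:
            el.parent = stack[-1]
            stack[-1].children.append(el)
        else:
            roots.append(el)
        stack.append(el)
    return roots, findings


def check_unique_ids(rows):
    """The Unique ID is what lets a later re-import update rather than duplicate
    an object, so it must not repeat within one export."""
    seen, findings = set(), []
    for uid, *_ in rows:
        if uid in seen:
            findings.append(("DUPLICATE_UID", uid, "Unique ID repeated in export"))
        seen.add(uid)
    return findings


def check_names(roots):
    """Flag names over the GRC limit, and siblings whose names collide after
    whitespace and case normalisation (indistinguishable under one parent)."""
    findings = []

    def walk(siblings):
        seen = {}
        for el in siblings:
            if len(el.name) > GRC_NAME_MAX:
                findings.append(("NAME_TOO_LONG", el.uid, f"{len(el.name)} > {GRC_NAME_MAX}"))
            key = " ".join(el.name.split()).casefold()
            if key in seen:
                findings.append(("DUPLICATE_SIBLING_NAME", el.uid, f"same as {seen[key]}"))
            else:
                seen[key] = el.uid
            walk(el.children)

    walk(roots)
    return findings


def flatten(roots):
    """One record per object with its parent's Unique ID: the shape a flat
    upload or a custom-attribute mapping needs."""
    out = []

    def walk(el):
        out.append({"uid": el.uid, "parent": el.parent.uid if el.parent else None,
                    "name": el.name, "definition": el.definition})
        for child in el.children:
            walk(child)

    for root in roots:
        walk(root)
    return out


def preflight(rows):
    roots, findings = build_hierarchy(rows)
    findings += check_unique_ids(rows) + check_names(roots)
    return flatten(roots), findings


# Constructed sample export (IDs and names invented); each defect is deliberate.
SAMPLE_ROWS = [
    ("RB-0001", 1, "Retail Banking", "Products and services for individual customers"),
    ("RB-0002", 2, "Retail Cards", "Credit and debit card issuing"),
    ("RB-0003", 2, "Retail Credit", "Consumer lending"),
    ("RB-0004", 1, "Commercial Banking", "Products and services for business customers"),
    ("RB-0005", 3, "Merchant Acquiring", "Level 3 directly under a level 1 row"),   # LEVEL_JUMP
    ("RB-0006", 2, "Commercial Cards and Commercial Credit Facilities", "49 chars"),  # NAME_TOO_LONG
    ("RB-0007", 2, "Commercial Credit", "Business lending"),
    ("RB-0008", 2, "commercial  credit", "Collides with RB-0007"),                   # DUPLICATE_SIBLING_NAME
    ("RB-0002", 1, "Trading & Sales", "Re-used Unique ID"),                          # DUPLICATE_UID
]

if __name__ == "__main__":
    records, findings = preflight(SAMPLE_ROWS)
    for code, uid, detail in findings:
        print(f"{code:24} {uid}  {detail}")
    print(f"{len(records)} objects ready for upload")
```

Run it against the real export by replacing SAMPLE_ROWS with the rows read from the XLS; anything in the findings list should be corrected on the RiskBusiness side (or documented as a deliberate rename) before the CLM package is built, because CLM will not tell you which of two identically named siblings a later update was meant for.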
4.1.2 Taxonomy Elements Samples

Samples of the different taxonomy elements are available on the SAP internal portal (internal SAP access only): https://portal.wdf.sap.corp/irj/go/km/docs/room_project/cm_stores/documents/workspaces/5167e4cd-6810-2c10-549f-ad7a9b03ef46/GFO%20Wiki/10_Solution%20Community/20_Business%20User/Assets%20for%20Wiki/GRC/Banking%20ORM%20_%20ORM%20for%20FI/RB%20Taxonomy.xlsx. Please note this is not a complete set; the samples are just meant to provide examples. Actual content will have to be licensed from RiskBusiness.
4.1.3 Taxonomy Elements Import Procedure

The taxonomy elements import procedure is a manual one using GRC Content Lifecycle Management (CLM). The procedure is:
- Select the appropriate taxonomy elements from the RiskBusiness platform and export them to an Excel (XLS) document
- Import the taxonomy elements as described below
Taxonomy Element: Business Lines
GRC master data object: Organizations
Import procedure: Refer to Sections 4.1.5 to 4.1.7 in the GRC Risk Management and Process Control 10.0 Content Starter Kits document on SCN (https://scn.sap.com/docs/DOC-32582) for a detailed CLM import procedure. However, that procedure does not specifically cover the organizations import portion; for this please refer to Appendix A: Mapping Organizations in CLM, which is to be used within the context of the general import procedure described in the SCN document.

Taxonomy Elements: Products or Services; Business Functions
GRC master data object: Activity Hierarchy
Import procedure: The Activity Hierarchy cannot be imported with the Flat XML CLM schema. Customers have the following options for importing these catalogs:
- Import using the Hierarchical XML CLM schema for GRC Risk Management.
- Set up the content manually in the GRC Risk Management system.

Taxonomy Elements: Risk Categories (Risk Catalog); Control Types (Subprocesses and Central Controls); Causal Type (Risk / Loss Driver Type); Direct Impact Type (Risk Impact Type); Indirect Impact Type (Risk Impact Type)
Import procedure: Refer to Sections 4.1.5 to 4.1.7 in the GRC Risk Management and Process Control 10.0 Content Starter Kits document on SCN (https://scn.sap.com/docs/DOC-32582) for a detailed CLM import procedure.

Taxonomy Element: Recovery Type
GRC master data object: Risk Response Type
Import procedure: IMG (transaction SPRO) entry Governance, Risk and Compliance > Risk Management > Response and Enhancement Plan > Maintain Response Types.
4.2 RiskBusiness KRI Library

4.2.1 KRI Library

The RiskBusiness KRI Library was designed and developed in conjunction with the Risk Management Association (RMA) and its member organizations. The KRI Library is a structured repository of metrics designed to support the ongoing measurement and monitoring of risk and control exposures on a consistent basis, both within and across firms. The KRI Library consists of over 2,500 KRI specifications, created through working groups whose participants represented some fifty financial services institutions from around the world, and further developed by ongoing special working groups.
The KRI Library employs the KRI Framework (a sub-set of the RiskBusiness Taxonomy) to define a
series of "risk points." Risk points represent significant pairings of Detailed Risk Categories and
Business Functions. Each defined "risk point" is associated with a set of applicable KRIs.
By subscribing to the KRI Library, a client is automatically entitled to use the KRI Framework, a
construct maintained by RiskBusiness that is fully compatible in functionality and taxonomic content
with other RiskBusiness products and services.
Key features of the KRI Library include:
- Detailed mappings and specifications relating to use, metrical criteria and data collection rules for more than 2,500 indicators.
- Facility for subscribers to define custom indicators and to select standard indicators to modify for internal use.
- Ability to record comments on each indicator for discussion among subscribers.
- Access to standardized industry "risk profiles".
- Right to use the KRI Framework.
For additional information on the KRI Library and the related RiskBusiness services please see the document on Setting up a Key Risk Indicator Program (http://www.riskbusiness.com/Services/RiskBusiness%20KRI%20Library.pdf).

4.2.1.1 Finding the right (and good) KRIs

The RiskBusiness KRI Library consists of over 2,500 indicators for banking and insurance clients. RiskBusiness provides guidance and assistance on finding both the right and the good KRIs for use within specific customer scenarios. Such guidance is provided as follows:
Industry Risk Profiles

An industry risk profile is a one-page profile of the points of risk for a specific industry, organization, business line or product. The KRI Library provides a number of industry risk profiles under the Industry Risk Maps tab. The figure below is a schematic of an industry risk profile. A risk point is the intersection point between the three dimensions of the industry risk profile: it is a specific risk associated with a specific business activity for a specific business line or product. The risk profile dimensions are defined and standardized to ensure a comprehensive and robust assessment of risk.

The industry risk profiles in the library are aggregated from profiles provided by various industries. Each risk point in the profile is color coded, using a nine-point scale with green representing low risk (1-3), amber representing medium risk (4-6), and red representing high risk (7-9), to reflect the level of risk assessed by the industry, based on this aggregation. Industry risk profiles are useful for getting an industry view on the points of highest risk within a line of business or region.
Search for KRIs

Customers can directly search for KRIs in the library with different search criteria:
- Search by keywords
- Search by Risk Categories, Business Lines, and Business Functions
- Advanced search using all KRI attributes
KRI Effectiveness Ratings

Every KRI in the library is given several ratings to assist users in assessing its effectiveness. Some of these can be used as search criteria. These criteria help identify the good KRIs within the right set of KRIs selected by the above methods.

Key ratings include:
- Internal Comparability: rated on a scale from 0 (cannot meet criteria) to 3 (meets all criteria)
- External Comparability: rated as either Yes or No
- Ease of Use: rated on a scale from 0 (cannot meet criteria) to 3 (meets all criteria)
- Nature: leading, current or lagging, or any combination of these three
- Effectiveness: rated on a scale from 0 (cannot meet criteria) to 3 (meets all criteria)
The library also indicates whether each KRI is being used or considered for KRI Benchmarking, whether it has been flagged as being in use by another financial institution, and in many cases how it scored in a popularity vote by KRIeX subscribers.
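The selection path described under Industry Risk Profiles and KRI Effectiveness Ratings, as an added example that is not part of this guide and not RiskBusiness software: it bands a risk profile on the nine-point scale (rejecting out-of-range scores), takes the red risk points as the "right" set, then filters and ranks the KRIs mapped to those risk points by the rating scales above to arrive at the "good" ones. The profile scores, the risk point names, KRI numbers 90001 to 90005 and every rating are constructed; of KRI 60100 only the number and name are quoted from this page, and its risk point mapping is assumed.

```python
"""Turn an industry risk profile and a KRI library extract into a ranked KRI shortlist.

The profile is {(Detailed Risk Category, Business Function): score 1..9}; the
library is a list of KRI records carrying the ratings described above.
KRI 60100's name is quoted from this guide; its risk point and every other
KRI, risk point, score and rating are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    kri_id: int
    name: str
    risk_category: str            # Detailed Risk Category of the risk point
    business_function: str        # Business Function of the risk point
    internal_comparability: int   # 0 (cannot meet criteria) .. 3 (meets all criteria)
    external_comparability: bool  # Yes / No
    ease_of_use: int              # 0 .. 3
    nature: frozenset             # subset of {"leading", "current", "lagging"}
    effectiveness: int            # 0 .. 3


BAND_ORDER = {"green": 0, "amber": 1, "red": 2}


def rag_band(score):
    """Nine-point profile scale: 1-3 green (low), 4-6 amber (medium), 7-9 red (high)."""
    if not isinstance(score, int) or not 1 <= score <= 9:
        raise ValueError(f"risk point score must be an integer 1..9, got {score!r}")
    return "green" if score <= 3 else "amber" if score <= 6 else "red"


def hot_risk_points(profile, at_least="red"):
    """Risk points whose band is at or above `at_least`, sorted for stable output."""
    floor = BAND_ORDER[at_least]
    return sorted(rp for rp, score in profile.items() if BAND_ORDER[rag_band(score)] >= floor)


def select_kris(library, risk_points, min_effectiveness=2, min_ease_of_use=2,
                require_leading=False):
    """'Right' KRIs are those mapped to the chosen risk points; 'good' ones also
    clear the rating thresholds. Ranked by effectiveness, then ease of use, then
    internal comparability (all descending), with the KRI number as tie-break."""
    wanted = set(risk_points)
    picked = [
        k for k in library
        if (k.risk_category, k.business_function) in wanted
        and k.effectiveness >= min_effectiveness
        and k.ease_of_use >= min_ease_of_use
        and (not require_leading or "leading" in k.nature)
    ]
    return sorted(picked, key=lambda k: (-k.effectiveness, -k.ease_of_use,
                                         -k.internal_comparability, k.kri_id))


# Constructed industry risk profile (scores invented).
PROFILE = {
    ("External Fraud", "Card Issuing"): 8,
    ("System Failure", "Payments"): 7,
    ("Process Execution", "Account Opening"): 5,
    ("Employment Practices", "Human Resources"): 2,
}

# Constructed library extract; 60100's name is from the guide, all else is invented.
LIBRARY = [
    KRI(60100, "Card Delinquency - Number of Delinquent Card Accounts",
        "External Fraud", "Card Issuing", 3, True, 3, frozenset({"current", "lagging"}), 3),
    KRI(90001, "Card fraud losses as % of card turnover",
        "External Fraud", "Card Issuing", 2, True, 2, frozenset({"lagging"}), 3),
    KRI(90002, "Fraud-rule hits per 1,000 card transactions",
        "External Fraud", "Card Issuing", 1, False, 1, frozenset({"leading"}), 2),
    KRI(90003, "Unplanned payment platform downtime (minutes)",
        "System Failure", "Payments", 3, True, 3, frozenset({"current"}), 2),
    KRI(90004, "Account opening backlog (days)",
        "Process Execution", "Account Opening", 2, False, 3, frozenset({"leading"}), 2),
    KRI(90005, "Emergency changes on payment platform per month",
        "System Failure", "Payments", 2, False, 2, frozenset({"leading"}), 3),
]


def shortlist(profile=PROFILE, library=LIBRARY, **thresholds):
    """KRI numbers to take into GRC Risk Management as manual KRIs, red risk points first."""
    return [k.kri_id for k in select_kris(library, hot_risk_points(profile), **thresholds)]


if __name__ == "__main__":
    for k in select_kris(LIBRARY, hot_risk_points(PROFILE)):
        print(k.kri_id, k.name, sorted(k.nature))
```

The thresholds are deliberately parameters rather than constants: a programme that wants early warning passes require_leading=True and accepts the smaller shortlist, while one that must report externally comparable figures would add a filter on external_comparability. Whatever is selected still enters GRC Risk Management as a manual KRI, as Section 4.2.3 explains; the ranking only decides which specifications are worth that setup effort first.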
4.2.2 KRI Samples
Samples of the KRIs for Banking and Insurance areavailable here(internal SAP access only). Please
note this is not a complete set and are just meant to provide examples. Actual content will have to be
licensed from RiskBusiness.
Each KRI has a unique ID (or number) and details that include Definition, Specification, Guidance,
and Usage. As an example details for KRI 60100: Card Delinquency - Number of Delinquent CardAccounts is shown below.
https://portal.wdf.sap.corp/irj/go/km/docs/room_project/cm_stores/documents/workspaces/5167e4cd-6810-2c10-549f-ad7a9b03ef46/GFO%20Wiki/10_Solution%20Community/20_Business%20User/Assets%20for%20Wiki/GRC/Banking%20ORM%20_%20ORM%20for%20FI/RB%20KRIs.xlsxhttps://portal.wdf.sap.corp/irj/go/km/docs/room_project/cm_stores/documents/workspaces/5167e4cd-6810-2c10-549f-ad7a9b03ef46/GFO%20Wiki/10_Solution%20Community/20_Business%20User/Assets%20for%20Wiki/GRC/Banking%20ORM%20_%20ORM%20for%20FI/RB%20KRIs.xlsxhttps://portal.wdf.sap.corp/irj/go/km/docs/room_project/cm_stores/documents/workspaces/5167e4cd-6810-2c10-549f-ad7a9b03ef46/GFO%20Wiki/10_Solution%20Community/20_Business%20User/Assets%20for%20Wiki/GRC/Banking%20ORM%20_%20ORM%20for%20FI/RB%20KRIs.xlsxhttps://portal.wdf.sap.corp/irj/go/km/docs/room_project/cm_stores/documents/workspaces/5167e4cd-6810-2c10-549f-ad7a9b03ef46/GFO%20Wiki/10_Solution%20Community/20_Business%20User/Assets%20for%20Wiki/GRC/Banking%20ORM%20_%20ORM%20for%20FI/RB%20KRIs.xlsx7/27/2019 Using Risk Business Content with GRC - Risk Management and Process Control 10.0.pdf
4.2.3 Using RiskBusiness KRIs
As shown above, RiskBusiness not only provides a library of over 2500 KRIs, each with detailed
business specifications; it also provides a KRI Framework along with guidance on how to select the
appropriate indicators.
GRC Risk Management 10.0 embeds a KRI Framework for documenting, automating, and monitoring
risk indicators. Service Pack 05 also introduced the capability to define KRIs for organizations (in
addition to risks) along with KRI Aggregation (roll-up) capabilities. Hence, it is recommended that
customers select the appropriate KRIs using RiskBusiness guidance but then use the KRI Framework
in the GRC Risk Management 10.0 solution. For details on these solution capabilities, please refer to the
product documentation.
The RiskBusiness KRI specifications are business specifications and not technical automation
specifications. Hence the selected KRIs will need to be used as manual KRIs in the
GRC Risk Management 10.0 solution. Please refer to Appendix A in the GRC Risk Management and
Process Control 10.0 Content Starter Kits document on SCN for setting up and using manual KRIs.
Customers will have to plan and deploy automation of the KRIs with internal resources. SAP
recommends implementing the selected KRIs as manual KRIs and planning for automation in a later project phase.
Link for the Content Starter Kits document: https://scn.sap.com/docs/DOC-32582
5. Appendix A Mapping Organizations in CLM
To map and import new organizational entities in CLM, either delete all rows from the Organization CLM worksheet or insert new rows as described
below. Either option is fine, as we are only adding/deploying new content. To insert new data, proceed as described below.
CLM Entity Column | Business Lines Attribute Mapping
Organization ID | Specify IDs using the format ORGUNIT/00000001, ORGUNIT/00000002, ORGUNIT/00000003, ...
Name | Business Lines Name
Description | Business Lines Definition
Orgunit Parent | Specify the ID of the parent Orgunit using the format ORGUNIT/00000001, ORGUNIT/00000002, ORGUNIT/00000003, ...
Orgunit View | Specify the Orgunit view as per the desired mapping from the exported CLM data. Regardless of whether Business Lines are to be mapped under the master organization hierarchy or as a dependent hierarchy, the system will require the setup of the organization view in IMG configuration along with a root node definition. The exported CLM information will contain this view ID. Depending on where the Business Lines need to be uploaded, find and copy the correct view ID into this column.
Repeat Settings: Indirect ELC Test | Enter C for each Orgunit entry
Repeat Settings: Indirect ELC Assessment | Enter C for each Orgunit entry
Review Settings: Remediation Plan | Enter C for each Orgunit entry
Review Settings: Indirect ELC Test | Enter C for each Orgunit entry
Review Settings: Indirect ELC Assessment | Enter C for each Orgunit entry
Average Cost Per Control | Enter 0 for each Orgunit entry
Currency | Enter EUR or USD for each Orgunit entry
Review the parent entries such that the desired Business Lines hierarchy structure is defined.
The other organization attributes defined above are mandatory organization attributes in the system and need default values to avoid errors during content deployment.
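The worksheet rows described in Appendix A can be generated rather than typed by hand, which keeps the ORGUNIT ID format, parent references and mandatory default values consistent. The following is an added example, not code from the SAP document or the CLM template: the column names and defaults follow the table above, the Business Lines list and view ID are constructed placeholders, and the real CLM worksheet may differ from this CSV rendering.

```python
# Added example (not part of the SAP document or the CLM template): build rows for
# the Organization CLM worksheet from a Business Lines list, as described in Appendix A.
import csv
import io
import re

ID_RE = re.compile(r"^ORGUNIT/\d{8}$")           # ORGUNIT/00000001 format from Appendix A
MANDATORY_DEFAULTS = {                           # mandatory attributes; defaults avoid deployment errors
    "Repeat Settings: Indirect ELC Test": "C",
    "Repeat Settings: Indirect ELC Assessment": "C",
    "Review Settings: Remediation Plan": "C",
    "Review Settings: Indirect ELC Test": "C",
    "Review Settings: Indirect ELC Assessment": "C",
    "Average Cost Per Control": "0",
}
COLUMNS = ["Organization ID", "Name", "Description", "Orgunit Parent",
           "Orgunit View", *MANDATORY_DEFAULTS, "Currency"]


def build_orgunit_rows(business_lines, view_id, currency="EUR"):
    """business_lines: list of (name, definition, parent) with parents listed first.
    parent is None (root level), the name of an earlier entry, or an existing ORGUNIT ID
    taken from the exported CLM data. IDs are assigned sequentially in ORGUNIT/0000000n form."""
    if currency not in ("EUR", "USD"):
        raise ValueError("Currency must be EUR or USD")
    ids, rows = {}, []
    for n, (name, definition, parent) in enumerate(business_lines, start=1):
        if parent is None:
            parent_id = ""
        elif ID_RE.match(parent):                # reference to an existing Orgunit ID
            parent_id = parent
        elif parent in ids:                      # reference to an entry defined above
            parent_id = ids[parent]
        else:
            raise ValueError(f"parent {parent!r} of {name!r} is not defined earlier")
        ids[name] = f"ORGUNIT/{n:08d}"
        rows.append({"Organization ID": ids[name], "Name": name, "Description": definition,
                     "Orgunit Parent": parent_id, "Orgunit View": view_id,
                     **MANDATORY_DEFAULTS, "Currency": currency})
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample hierarchy; the actual Business Lines come from the RiskBusiness content.
SAMPLE = [("Retail Banking", "Retail banking activities", None),
          ("Card Services", "Card issuing and servicing", "Retail Banking")]
if __name__ == "__main__":
    print(to_csv(build_orgunit_rows(SAMPLE, view_id="VIEW_ID_PLACEHOLDER")))
```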
6. Copyright 2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,
System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,
S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,
POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,
Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are
trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology
invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their respective logos
are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of Business Objects
Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products
and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications
may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and
its affiliated companies ("SAP Group") for informational purposes only, without representation or
warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the
materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.