Using Risk Business Content with GRC - Risk Management and Process Control 10.0.pdf


  • 7/27/2019 Using Risk Business Content with GRC - Risk Management and Process Control 10.0.pdf

    1/18

    SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

    2012 SAP AG

    Applies to:

    SAP GRC Risk Management 10.0 and SAP GRC Process Control 10.0

Summary

This document shows how customers can use content from RiskBusiness, an international risk advisory firm that specializes in the design and delivery of integrated operational and enterprise risk management solutions for financial institutions, with GRC Risk Management and GRC Process Control 10.0. This document is a how-to guide that describes a repeatable process that customers can use to deploy and manage content from RiskBusiness.

    Author(s): Satyen Paneri (I822317)

    Company: Governance, Risk, and Compliance

    Analytics Division

    Created on: November 20, 2012

    Version 1.0

Using RiskBusiness Content with GRC Risk Management and Process Control 10.0


    Using RiskBusiness Content With GRC Risk Management and Process Control 10.0


Document History

Document Version | Description
1.00 | Initial version


Typographic Conventions

Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Description
(caution icon) | Caution
(note icon) | Note or Important
(example icon) | Example
(tip icon) | Recommendation or Tip


Table of Contents

1. Business Scenario ............ 1
2. About RiskBusiness ............ 2
3. Prerequisites ............ 3
4. Using RiskBusiness Content ............ 4
  4.1 RiskBusiness Taxonomies ............ 4
    4.1.1 Taxonomy Elements Mapping ............ 5
    4.1.2 Taxonomy Elements Samples ............ 7
    4.1.3 Taxonomy Elements Import Procedure ............ 7
  4.2 RiskBusiness KRI Library ............ 8
    4.2.1 KRI Library ............ 8
    4.2.2 KRI Samples ............ 10
    4.2.3 Using RiskBusiness KRIs ............ 12
5. Appendix A Mapping Organizations in CLM ............ 13
6. Copyright ............ 14


1. Business Scenario

Risk management in the financial services industry is quite different from, and much more advanced than, risk management in other industries. Financial risk management includes different types of risks such as Credit Risk, Market Risk, Operational Risk, and Liquidity Risk.

Operational risk, as the name suggests, is risk arising from the execution of a company's business functions. It is a very broad concept which focuses on the risks arising from the people, systems and processes through which a company operates. It also includes other categories such as fraud risks, legal risks, and physical or environmental risks. A widely used definition of operational risk is the one contained in the Basel II regulations (http://en.wikipedia.org/wiki/Basel_II). This definition states that operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The approach to managing operational risk differs from that applied to other types of risk, because it is not used to generate profit. In contrast, credit risk is exploited by lending institutions to create profit, market risk is exploited by traders and fund managers, and insurance risk is exploited by insurers. They all, however, manage operational risk to keep losses within their risk appetite - the amount of risk they are prepared to accept in pursuit of their objectives. Unlike other types of risk, operational risk impacts the entire organization, its people and all its business processes.

GRC Risk Management 10.0 Service Pack 05 delivers specific enhancements to support Operational Risk Management for financial institutions:

- Define and manage complex, dynamically changing organization, risk category, product and process hierarchies. Support multiple views (Management View, Legal View, Audit View, Basel View, Internal View, etc.) for the organization and risk category hierarchies.
- Manage internal and external loss events with allocation across multiple master data hierarchies. Loss events can also be easily uploaded to and downloaded from the solution.
- Continuously monitor internal and external data sources using key risk indicators and aggregate across organization and risk categories.
- Perform risk control self-assessments, document issues, and manage resolution actions.
- Perform value-at-risk (VAR) simulations to determine capital requirements using the Advanced Measurement Approach (AMA). This is accomplished by exporting loss information from GRC-RM and using a NW certified Partner solution, QRR OpVision.
- Monitor the operational risk management program and comply with Basel and Solvency regulations using comprehensive reports and analytics.

The key benefits from these solution enhancements are:

- Improves the effectiveness of operational risk management with:
  o Loss reduction
  o Process optimization
  o Capital reduction
  o Increased rating agency confidence
  o Profit increases
- Comply with regulatory operational risk requirements (Basel II and III)
- Enterprise solution leveraging GRC Access Control and Process Control
- Solution can be interconnected with various operative systems (HR, Credit Processing, Transactional Banking, etc.)

The operational risk management solution for banks and financial institutions was launched in Q4 2011 and the go-to-market materials are available here (https://wiki.wdf.sap.corp/wiki/display/GFOSolutionBD/8+ORM+for+Banks+and+FI; internal SAP access only).


RiskBusiness is a content provider for the operational risk management solution, and this document is a how-to guide that describes a repeatable process that customers can use to deploy and manage this content in GRC Risk Management 10.0 and GRC Process Control 10.0.

2. About RiskBusiness

RiskBusiness (http://www.riskbusiness.com/) is an international risk advisory firm comprised of industry professionals who specialize in the design and delivery of market-leading integrated solutions for operational and enterprise risk management to financial institutions large and small. Over 175 of the world's largest and smallest banks, insurers, broker-dealers, hedge funds, asset managers and financial services institutions, in over 30 countries, have been using over 20 risk content, tools, information, advisory and education products and services for over 10 years. RiskBusiness provides numerous types of services for its clients, such as Risk Advisory Services, Risk Education Services, Risk Content Services (http://www.riskbusiness.com/Public.RiskContentServices.aspx), Risk Tool Services, and Risk Information Services.

The RiskBusiness integrated solution (shown below) enables organizations to build their risk capability across Business Functions as well as Lines of Business, providing greater risk intelligence to optimize compliance and business decision-making. This solution:

- Provides a platform with a flexible, integrated suite of risk management content and libraries, with tools and information products to solve your specific needs
- Provides industry-leading, experience-based Taxonomy, KRI, and Scenario content to link processes, risks and controls in order to categorize, measure and manage risk
- Delivers subject-matter expertise and advice to implement and support risk management initiatives, regulatory compliance, business optimization and process improvement

The Integrated Risk Management Solution:

- Can be delivered in phases based on the timing of clients' needs
- Is a cost-effective risk management platform
- Can be instantiated into any existing platform, including Excel
- Is an enterprise-grade risk management tool designed to increase your return on investment in technology
- Supports multiple risk programs and risk functions


The SAP partnership only leverages the RiskBusiness content services: taxonomies, the KRI library, and the scenario library. This is because the operational risk management solution and platform are provided by SAP.

NOTE: Customers will have to license the required content and other services (implementation, advisory, and support) as per their preference directly from RiskBusiness. SAP only offers the GRC Risk Management license and shows, in this document, how customers can leverage RiskBusiness content with the solution.

3. Prerequisites

The following software must be installed, configured, and ready to use for this How-To Guide:

- GRC 10.0 (Process Control and Risk Management) with Service Pack 05 (preferably with the latest service package)
- GRC 10.0 Content Lifecycle Management (CLM)

This document also assumes that the user is familiar with PC, RM, and CLM functionality and usage. For additional help please refer to the following:

- GRC Risk Management 10.0 Help Portal (http://help.sap.com/rm)
- GRC Process Control 10.0 Help Portal (http://help.sap.com/pc)
- GRC Process Control 10.0 CLM User Guide (http://scn.sap.com/docs/DOC-1597)
- GRC Risk Management and Process Control 10.0 Content Starter Kits (https://scn.sap.com/docs/DOC-32582)

[Figure: RiskBusiness Integrated Risk Management Solution (the solution referred to as "shown below" in Section 2). Content layer: Taxonomy (Process, Risk & Control), Scenario Library, KRI Library, Risk Benchmarking Services (BBA, ABA, ABI etc.). Risk Programs and Risk Functions: Scenario Mgmt Process, Compliance Process, Business Continuity Process, Capital Estimation/Mgmt Process, IT Security Process, Audit Process, SOX Process, Loss/Incident Mgmt Process, Risk/Control Assessment, KRI Mgmt Process, Expertise. Platform: One or More Risk Platforms. Legend: RBA Content, RBA Tools, RBA Advisory.]


4. Using RiskBusiness Content

Risk Content Services from RiskBusiness consist of three offerings:

- Taxonomies: an online encyclopaedia of standard, risk-related classification structures that users may browse, customize, map to internal models, map to existing industry models (Basel II, etc.), or apply in building/enhancing integrated risk management programs.
- KRI Library: a library of specific operational risk indicators, cross-linked to risk categories and business functions.
- Scenario Library: an extensive set of sample scenarios, created from one or more scenario event types.

This document shows how customers can leverage the RiskBusiness Taxonomies and KRI Library within GRC Risk Management 10.0 and GRC Process Control 10.0. This document will later be enhanced to show how customers can leverage the Scenario Library.

4.1 RiskBusiness Taxonomies

A key issue confronting operational risk managers today is a lack of broadly accepted standards for risk-related data classification. Numerous, inconsistent classification structures are used both within and between individual firms and among different regions, regulatory authorities and products. This prevents easy comparison of data across different interest groups and users.

RiskBusiness taxonomies are a collection of risk classification hierarchies and consist of three primary components:

- Taxonomy Elements: the primary mechanism to categorize data related to risks, exposures, losses, and mitigation. Each taxonomy element has a name, description/definition, keywords, conditions, and qualifiers. These elements can be applied to loss data, risk and control assessments, indicators, scenarios and risk profiles. Examples of taxonomy elements are Risk Categories, Business Functions, Control Types, and Business Lines.
- Taxonomy Attributes: a generic way of classifying data, typically used to augment or support information which has been classified using taxonomy elements. Taxonomy attributes are also typically not specific to the financial services industry and are general industry standards published by internationally recognized bodies. Each taxonomy attribute has a name and a description/definition. Examples of taxonomy attributes are Geographical Regions, Currencies, Industries, and Control Classes.
- Taxonomy Dimensions: various mechanisms to sub-filter, scale or sub-classify data which has been primarily categorized using taxonomy elements. Each taxonomy dimension has a name, description/definition, and instances. Examples of taxonomy dimensions are Gross Income Bands, Headcount Bands, Customer Relationship Bands, and Asset Size Bands.

Taxonomy elements are designed with varying degrees of granularity and hierarchy depth, based on experience with actual use in client initiatives. The greatest level of granularity occurs in the Risk Category and Control Type hierarchies. But for all taxonomy elements, whether or not highly granular, "base level" categories have been developed in accordance with strict rules of composition, designed to create clear and consistent boundary conditions to support objective, unambiguous classification.

Customers subscribing to the RiskBusiness taxonomy services obtain software for creating and managing different taxonomies. Such software allows users to browse, search, and manage multiple taxonomy libraries. In addition, this service can also be accessed programmatically (SDK) using an XML/SOAP based request/response mechanism. This SDK enables tight integration between the RiskBusiness platform and the operational risk management solution. Taxonomies can also be easily exported from the RiskBusiness platform into Excel (XLS) documents.

The SAP recommended approach for taxonomy content deployment is to export selected taxonomies into Excel (XLS) documents, translate them, and then use CLM (Content Lifecycle Management) to upload them into GRC Risk Management 10.0 and GRC Process Control 10.0. Such an approach works well because the tight integration approach is more time consuming and needs consulting-type resources. Moreover, taxonomies map to GRC master data and, once set up, do not require frequent changes.

The elements are the primary component of the taxonomy service that maps to master data within operational risk solutions. The attributes and dimensions are means for further classification, sub-classification, and filtering of the elements. Typically the attributes and dimensions will map to certain master data object attributes and/or configuration (IMG) settings. This document describes how the elements are mapped and deployed as GRC master data. Users will have to determine which attributes and dimensions are applicable in their scenario and accordingly map and update the master data object or configuration setting. Such mappings are outside the scope of this document.

4.1.1 Taxonomy Elements Mapping

Taxonomy elements are collections of hierarchies of operational risk classification data. The table below lists the elements provided by RiskBusiness, their definition/usage, and the mapping to the corresponding GRC master data object.

Taxonomy Element | Definition | GRC Master Data Object Mapping
Business Lines | Hierarchical collection of business lines within a financial institution. Examples of banking business lines are Retail Banking, Commercial Banking, Trading & Sales, Corporate Finance, Asset Management, etc. Examples of insurance business lines are General Insurance, Reinsurance, Life, Insurance Broking, etc. | Organizations master or dependent hierarchy. Customers may choose to directly use the business lines as the master organization hierarchy, or set them up as a dependent hierarchy with mappings to the master hierarchy for reporting.
Products or Services | Hierarchical collection of products or services offered by a financial institution. Products/services are aligned with business lines. Products offered by the Retail Banking business are Retail Cards and Retail Credit; Commercial Banking offers Commercial Cards and Commercial Credit. Similarly, the General Insurance business offers Commercial Lines and Investment Products. | Activity Hierarchy for Products/Services


Business Functions | Business process structure for a financial institution. | Activity Hierarchy for Business Processes
Risk Categories | Risk classification structure primarily derived from Basel II definitions. | Risk Catalog
Control Types | Subprocess and control structure. | Subprocesses and Central Controls
Causal Type | Causes for loss events. | Risk / Loss Driver Type
Direct Impact Type | Direct business impact resulting from a loss event. | Risk Impact Type
Indirect Impact Type | Indirect business impact resulting from a loss event. | Risk Impact Type
Recovery Type | Types of recovery measures used by a financial institution. | Risk Response Type

Each taxonomy element contains some key attributes. Elements may also contain additional attributes. The table below lists the key attributes along with a definition and a suggested mapping to GRC master data attributes.

Element Attribute | Definition | GRC Master Data Object Attribute Mapping
Name | Element name | Object name. Supports only 40 characters.
Level | Hierarchical level | No direct mapping, but used for setting up object hierarchy relations.
Definition | Element description | Object description.
Qualifications | Qualifiers (specified as includes and excludes) that help users further define usage of the element | No direct mapping. Will require setup of custom object attributes for loading into the operational risk solution. Users will typically use this attribute directly on the RiskBusiness platform to determine which elements are applicable for their use. Once this is done, the qualification attribute has little significance for loading into the operational risk solution.
Keywords | Search keywords. Used for enterprise search within the RiskBusiness platform | No direct mapping. Will require setup of custom object attributes for loading into the operational risk solution. Users will typically use this attribute for searching and filtering data within the RiskBusiness platform. Once this is done, this attribute has little significance for loading into the operational risk solution.


Unique ID | RiskBusiness assigned unique identifier | No direct mapping. Will require setup of custom object attributes for loading into the operational risk solution. Can be leveraged with the CLM package schema definition and upload procedure to support change management.

4.1.2 Taxonomy Elements Samples

Samples of the different taxonomy elements are available here (https://portal.wdf.sap.corp/irj/go/km/docs/room_project/cm_stores/documents/workspaces/5167e4cd-6810-2c10-549f-ad7a9b03ef46/GFO%20Wiki/10_Solution%20Community/20_Business%20User/Assets%20for%20Wiki/GRC/Banking%20ORM%20_%20ORM%20for%20FI/RB%20Taxonomy.xlsx; internal SAP access only). Please note this is not a complete set; the samples are just meant to provide examples. Actual content will have to be licensed from RiskBusiness.

4.1.3 Taxonomy Elements Import Procedure

The taxonomy elements import procedure is a manual one using GRC Content Lifecycle Management (CLM). The procedure is:

- Select the appropriate taxonomy elements from the RiskBusiness platform and export them to an Excel (XLS) document
- Import the taxonomy elements as described below

Taxonomy Element | GRC Master Data Object Mapping | Import Procedure
Business Lines | Organizations | Refer to Section 4.1.5 / Section 4.1.7 in the GRC Risk Management and Process Control 10.0 Content Starter Kits document on SCN (https://scn.sap.com/docs/DOC-32582) for a detailed CLM import procedure. However, this procedure does not specifically cover the organizations import portion; for this please refer to Appendix A: Mapping Organizations in CLM, which is to be used within the context of the general import procedure described in the SCN document.
Products or Services | Activity Hierarchy | Activity Hierarchy cannot be imported with the Flat XML CLM Schema. Customers have the following options for importing these catalogs: (a) import using the Hierarchical XML CLM Schema for GRC Risk Management; (b) set up the content manually in the GRC Risk Management system.
Business Functions | Activity Hierarchy | Same as Products or Services.
Risk Categories | Risk Catalog | Refer to Section 4.1.5 / Section 4.1.7 in the GRC Risk Management and Process Control 10.0 Content Starter Kits document on SCN (https://scn.sap.com/docs/DOC-32582) for a detailed CLM import procedure.
Control Types | Subprocesses and Central Controls | Same as Risk Categories.
Causal Type | Risk / Loss Driver Type | Same as Risk Categories.
Direct Impact Type | Risk Impact Type | Same as Risk Categories.
Indirect Impact Type | Risk Impact Type | Same as Risk Categories.


Recovery Type | Risk Response Type | IMG (Transaction: SPRO) entry Governance, Risk and Compliance > Risk Management > Response and Enhancement Plan > Maintain Response Types.
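As an added example (not code from this guide, SAP or RiskBusiness), the following Python script applies the rules of the two mapping tables above to a constructed taxonomy export before it is handed to CLM: it links rows into a hierarchy from the Level column, enforces the 40-character object-name limit, carries the RiskBusiness Unique ID along as a custom attribute for change management, and rejects rows that would break the hierarchy instead of silently truncating or re-parenting them. The CSV layout, the Level-to-parent rule and the output record shape are assumptions; the real CLM schema columns are not described on this page and are not modelled.

```python
"""Translate a flat RiskBusiness taxonomy-element export into parent-linked GRC-style
master-data records (added example; not code from the guide, SAP or RiskBusiness)."""
import csv
import io
from dataclasses import dataclass, field
from typing import Optional

GRC_NAME_MAX = 40  # mapping table: "Object name. Supports only 40 characters."

# Constructed sample export. Column names follow the key attributes listed in section 4.1.1;
# the exact layout of a real RiskBusiness XLS export is an assumption.
SAMPLE_EXPORT = """\
Unique ID,Level,Name,Definition
RB-BL-001,1,Retail Banking,Business line serving individual customers
RB-BL-002,2,Retail Cards,Card products offered by Retail Banking
RB-BL-003,2,Retail Credit,Lending products offered by Retail Banking
RB-BL-004,1,Commercial Banking,Business line serving corporate customers
RB-BL-005,2,Commercial Cards and Commercial Credit Facilities Unit,Combined cards and credit offering
RB-BL-006,3,Corporate Card Issuing,Issuing of commercial cards
"""


@dataclass
class GrcRecord:
    external_id: str          # RiskBusiness Unique ID, carried as a custom object attribute
    name: str                 # object name, at most GRC_NAME_MAX characters
    description: str          # object description
    parent_id: Optional[str]  # external_id of the parent row; None for a root element
    level: int


@dataclass
class TranslationResult:
    records: list = field(default_factory=list)
    issues: list = field(default_factory=list)  # (export line number, message)


def translate(csv_text: str) -> TranslationResult:
    """Build parent links from the Level column and reject rows GRC master data cannot hold.

    Assumed rule (not stated in the guide): Level 1 is a root, and a row's parent is the
    most recent accepted row whose Level is exactly one less. Rows that fail a check are
    reported and skipped rather than silently truncated or re-parented.
    """
    result = TranslationResult()
    seen_ids: set = set()
    ancestors: dict = {}  # level -> external_id of the most recent accepted row at that level
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 of the export is the header
        ext_id = row["Unique ID"].strip()
        name = row["Name"].strip()
        try:
            level = int(row["Level"])
        except ValueError:
            result.issues.append((line_no, f"{ext_id}: Level {row['Level']!r} is not an integer"))
            continue
        if level < 1:
            result.issues.append((line_no, f"{ext_id}: Level must be 1 or greater"))
            continue
        if not ext_id or ext_id in seen_ids:
            result.issues.append((line_no, f"{ext_id!r}: missing or duplicate Unique ID"))
            continue
        if len(name) > GRC_NAME_MAX:
            result.issues.append(
                (line_no, f"{ext_id}: name is {len(name)} characters, limit is {GRC_NAME_MAX}"))
            continue
        parent_id = None
        if level > 1:
            parent_id = ancestors.get(level - 1)
            if parent_id is None:
                result.issues.append(
                    (line_no, f"{ext_id}: no accepted level-{level - 1} parent precedes this row"))
                continue
        result.records.append(GrcRecord(ext_id, name, row["Definition"].strip(), parent_id, level))
        seen_ids.add(ext_id)
        ancestors[level] = ext_id
        # A new row at level n starts a new subtree, so deeper rows are no longer valid parents.
        for deeper in [lvl for lvl in ancestors if lvl > level]:
            del ancestors[deeper]
    return result


def children_of(result: TranslationResult, parent_id: Optional[str]) -> list:
    """Return the external IDs whose parent is parent_id (None lists the roots)."""
    return [r.external_id for r in result.records if r.parent_id == parent_id]


if __name__ == "__main__":
    out = translate(SAMPLE_EXPORT)
    for rec in out.records:
        print(f"L{rec.level} {rec.name!r:<22} id={rec.external_id} parent={rec.parent_id}")
    for line_no, msg in out.issues:
        print(f"rejected line {line_no}: {msg}")
```

On the sample, the over-long "Commercial Cards and Commercial Credit Facilities Unit" row is rejected, and because it was never accepted the level-3 row beneath it is reported as an orphan rather than being attached to the wrong parent.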

4.2 RiskBusiness KRI Library

4.2.1 KRI Library

The RiskBusiness KRI Library was designed and developed in conjunction with the Risk Management Association (RMA) and its member organizations. The KRI Library is a structured repository of metrics designed to support the ongoing measurement and monitoring of risk and control exposures on a consistent basis, both within and across firms. The KRI Library consists of over 2,500 KRI specifications, created through working groups whose participants represented some fifty financial services institutions from around the world, and further developed by ongoing special working groups.

The KRI Library employs the KRI Framework (a sub-set of the RiskBusiness Taxonomy) to define a series of "risk points." Risk points represent significant pairings of Detailed Risk Categories and Business Functions. Each defined "risk point" is associated with a set of applicable KRIs.

By subscribing to the KRI Library, a client is automatically entitled to use the KRI Framework, a construct maintained by RiskBusiness that is fully compatible in functionality and taxonomic content with other RiskBusiness products and services.

Key Features of the KRI Library include:

- Detailed mappings and specifications relating to use, metrical criteria and data collection rules for more than 2,500 indicators.
- Facility for subscribers to define custom indicators and to select standard indicators to modify for internal use.
- Ability to record comments on each indicator for discussion among subscribers.
- Access to standardized industry "risk profiles".
- Right to use the KRI Framework.

For additional information on the KRI Library and the related RiskBusiness services please see the document on Setting up a Key Risk Indicator Program (http://www.riskbusiness.com/Services/RiskBusiness%20KRI%20Library.pdf).

4.2.1.1 Finding the right (and good) KRIs

The RiskBusiness KRI Library consists of over 2,500 indicators for Banking and Insurance clients. RiskBusiness provides guidance and assistance on finding both the right and the good KRIs for use within specific customer scenarios. Such guidance is provided as follows:


Industry Risk Profiles

An industry risk profile is a one-page profile of the points of risk for a specific industry, organization, business line or product. The KRI library provides a number of industry risk profiles under the Industry Risk Maps tab. The figure below is a schematic of an industry risk profile. A risk point is the intersection point between the three dimensions of the industry risk profile. It is a specific risk associated with a specific business activity for a specific business line or product. The risk profile dimensions are defined and standardized to ensure a comprehensive and robust assessment of risk.

The industry risk profiles in the library are aggregated from profiles provided by various industries. Each risk point in the profile is color coded [using a nine-point scale with green representing low risk (1-3), amber representing medium risk (4-6), and red representing high risk (7-9)] to reflect the level of risk assessed by the industry, based on this aggregation. Industry risk profiles are useful for getting an industry view on the points of highest risk within a line of business or region.

Search for KRIs

Customers can search for KRIs directly in the library using different search criteria:

- Search by keywords
- Search by Risk Categories, Business Lines, and Business Functions
- Advanced search using all KRI attributes

KRI Effectiveness Ratings

Every KRI in the library is given several ratings to assist users in assessing its effectiveness. Some of these can be used as search criteria. These criteria help identify the good KRIs within the right set of KRIs selected by the methods above.

Key ratings include:

- Internal Comparability: rated on a scale from 0 (cannot meet criteria) to 3 (meets all criteria)
- External Comparability: rated as either Yes or No
- Ease of Use: rated on a scale from 0 (cannot meet criteria) to 3 (meets all criteria)
- Nature: leading, current or lagging, or any combination of these three
- Effectiveness: rated on a scale from 0 (cannot meet criteria) to 3 (meets all criteria)

The library also indicates whether each KRI is being used or considered for KRI Benchmarking, whether it has been flagged as being in use by another financial institution, and in many cases how it scored in a popularity vote by KRIeX subscribers.

4.2.2 KRI Samples

Samples of the KRIs for Banking and Insurance are available here (internal SAP access only):

https://portal.wdf.sap.corp/irj/go/km/docs/room_project/cm_stores/documents/workspaces/5167e4cd-6810-2c10-549f-ad7a9b03ef46/GFO%20Wiki/10_Solution%20Community/20_Business%20User/Assets%20for%20Wiki/GRC/Banking%20ORM%20_%20ORM%20for%20FI/RB%20KRIs.xlsx

Please note that this is not a complete set; the samples are only meant to provide examples. Actual content will have to be licensed from RiskBusiness.

Each KRI has a unique ID (or number) and details that include Definition, Specification, Guidance, and Usage. As an example, the details for KRI 60100: Card Delinquency - Number of Delinquent Card Accounts are shown below.

4.2.3 Using RiskBusiness KRIs

As shown above, RiskBusiness not only provides a library of over 2500 KRIs, each with detailed business specifications, it also provides a KRI Framework along with guidance on how to select the appropriate indicators.

GRC Risk Management 10.0 embeds a KRI Framework for documenting, automating, and monitoring risk indicators. Service Pack 05 also introduced the capability to define KRIs for organizations (in addition to risks) along with KRI aggregation (roll-up) capabilities. Hence, it is recommended that customers select the appropriate KRIs using RiskBusiness guidance but then use the KRI Framework in the GRC Risk Management 10.0 solution. For details on these solution capabilities please refer to the product documentation.

The RiskBusiness KRI specifications are business specifications, not technical automation specifications. Hence the selected KRIs will need to be set up as manual KRIs in the GRC Risk Management 10.0 solution. Please refer to Appendix A in the GRC Risk Management and Process Control 10.0 Content Starter Kits document on SCN (https://scn.sap.com/docs/DOC-32582) for setting up and using manual KRIs. Customers will have to plan and deploy automation of the KRIs with internal resources. SAP recommends implementing the selected KRIs as manual KRIs first and planning for automation in a later project phase.

5. Appendix A Mapping Organizations in CLM

To map and import new organizational entities in CLM, either delete all rows from the Organization CLM worksheet or insert new rows as described below. Either option is fine, as we are only adding/deploying new content. To insert new data, fill the columns as follows:

CLM Entity Column                            Business Lines Attribute Mapping
Organization ID                              Specify IDs using the ORGUNIT/00000001, ORGUNIT/00000002, ORGUNIT/00000003, ... format
Name                                         Business Lines Name
Description                                  Business Lines Definition
Orgunit Parent                               Specify the ID of the parent Orgunit using the same ORGUNIT/00000001, ORGUNIT/00000002, ORGUNIT/00000003, ... format
Orgunit View                                 Specify the Orgunit view as per the desired mapping from the exported CLM data. Regardless of whether Business Lines are to be mapped under the master organization hierarchy or as a dependent hierarchy, the system requires the organization view to be set up in IMG configuration along with a root node definition. The exported CLM information contains this view ID; depending on where the Business Lines need to be uploaded, find and copy the correct view ID into this column.
Repeat Settings: Indirect ELC Test           Enter C for each Orgunit entry
Repeat Settings: Indirect ELC Assessment     Enter C for each Orgunit entry
Review Settings: Remediation Plan            Enter C for each Orgunit entry
Review Settings: Indirect ELC Test           Enter C for each Orgunit entry
Review Settings: Indirect ELC Assessment     Enter C for each Orgunit entry
Average Cost Per Control                     Enter 0 for each Orgunit entry
Currency                                     Enter EUR or USD for each Orgunit entry

Review the parent entries so that the desired Business Lines hierarchy structure is defined.

The other organization attributes listed above are mandatory organization attributes in the system and need default values to avoid errors during content deployment.
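The following Python script is an added example, not part of this guide, of GRC, or of RiskBusiness content. It builds Organization CLM worksheet rows for a constructed Business Lines hierarchy with the mandatory defaults from the table above, and checks them for the problems that typically surface as errors at content deployment (malformed or duplicate IDs, parents that do not exist, looping parent chains, missing defaults, empty view ID). Assumptions that the guide does not state: the column names equal the CLM entity column names listed above; a top-level Business Line is written with an empty Orgunit Parent, standing for the root node of the view; the view ID "0001" is a placeholder for the value taken from the exported CLM data; output is CSV rather than the Excel worksheet itself.

```python
import csv
import io
import re

# Column order of the Organization CLM worksheet (assumption: named after the
# CLM entity columns in Appendix A; the real header cells may differ).
COLUMNS = [
    "Organization ID", "Name", "Description", "Orgunit Parent", "Orgunit View",
    "Repeat Settings: Indirect ELC Test", "Repeat Settings: Indirect ELC Assessment",
    "Review Settings: Remediation Plan", "Review Settings: Indirect ELC Test",
    "Review Settings: Indirect ELC Assessment", "Average Cost Per Control", "Currency",
]
# Mandatory attributes with the fixed defaults Appendix A prescribes.
DEFAULTS = {
    "Repeat Settings: Indirect ELC Test": "C",
    "Repeat Settings: Indirect ELC Assessment": "C",
    "Review Settings: Remediation Plan": "C",
    "Review Settings: Indirect ELC Test": "C",
    "Review Settings: Indirect ELC Assessment": "C",
    "Average Cost Per Control": "0",
}
ALLOWED_CURRENCIES = ("EUR", "USD")
ID_PATTERN = re.compile(r"ORGUNIT/\d{8}")


def orgunit_id(n):
    """Format a running number in the ORGUNIT/00000001 style (eight digits, zero-padded)."""
    if not 1 <= n <= 99999999:
        raise ValueError("running number must fit in eight digits")
    return f"ORGUNIT/{n:08d}"


def build_rows(business_lines, view_id, currency="EUR"):
    """Turn (name, definition, parent_name) triples into worksheet rows.

    IDs are assigned in list order; parent_name is None for a top-level line,
    which is written with an empty Orgunit Parent (assumption: root of the view).
    """
    if currency not in ALLOWED_CURRENCIES:
        raise ValueError(f"currency must be one of {ALLOWED_CURRENCIES}")
    id_by_name = {}
    for n, (name, _definition, _parent) in enumerate(business_lines, start=1):
        if name in id_by_name:
            raise ValueError(f"duplicate Business Line name: {name}")
        id_by_name[name] = orgunit_id(n)
    rows = []
    for name, definition, parent in business_lines:
        if parent is not None and parent not in id_by_name:
            raise ValueError(f"{name}: parent {parent!r} is not a known Business Line")
        row = {
            "Organization ID": id_by_name[name],
            "Name": name,
            "Description": definition,
            "Orgunit Parent": "" if parent is None else id_by_name[parent],
            "Orgunit View": view_id,
            "Currency": currency,
        }
        row.update(DEFAULTS)
        rows.append(row)
    return rows


def validate_rows(rows):
    """Return the problems a hand-edited worksheet would raise at deployment."""
    problems, by_id = [], {}
    for row in rows:
        oid = row.get("Organization ID", "")
        if not ID_PATTERN.fullmatch(oid):
            problems.append(f"{oid!r}: Organization ID not in ORGUNIT/00000001 format")
        if oid in by_id:
            problems.append(f"{oid}: duplicate Organization ID")
        by_id[oid] = row
    for oid, row in by_id.items():
        parent = row.get("Orgunit Parent", "")
        if parent and parent not in by_id:
            problems.append(f"{oid}: parent {parent} not defined in the worksheet")
        seen, cur = set(), oid  # walk up the parent chain; a revisit means a loop
        while cur:
            if cur in seen:
                problems.append(f"{oid}: parent chain forms a cycle")
                break
            seen.add(cur)
            cur = by_id[cur].get("Orgunit Parent", "") if cur in by_id else ""
        for col, expected in DEFAULTS.items():
            if row.get(col) != expected:
                problems.append(f"{oid}: {col} must be {expected!r}")
        if not row.get("Orgunit View"):
            problems.append(f"{oid}: Orgunit View (view ID from the CLM export) is empty")
        if row.get("Currency") not in ALLOWED_CURRENCIES:
            problems.append(f"{oid}: Currency must be EUR or USD")
    return problems


def to_csv(rows):
    """Serialise rows in worksheet column order for pasting into the CLM sheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample hierarchy; not RiskBusiness Business Lines content.
SAMPLE_BUSINESS_LINES = [
    ("Retail Banking", "Products and services for individual customers", None),
    ("Cards", "Credit and debit card issuing and acquiring", "Retail Banking"),
    ("Mortgages", "Residential mortgage lending", "Retail Banking"),
    ("Corporate Banking", "Lending and services for corporate clients", None),
]

if __name__ == "__main__":
    sample_rows = build_rows(SAMPLE_BUSINESS_LINES, view_id="0001")  # placeholder view ID
    print(to_csv(sample_rows))
    print("problems:", validate_rows(sample_rows))
```

Run validate_rows again after the worksheet has been edited by hand: the cycle and missing-parent checks are the ones that matter once someone reshuffles Orgunit Parent values to change the hierarchy, since build_rows alone cannot produce either.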


6. Copyright 2012 SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the

express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software

    components of other software vendors.

    Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft

    Corporation.

    IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,

    System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,

    S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,

    POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

    BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,

    Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are

    trademarks or registered trademarks of IBM Corporation.

    Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered

    trademarks of Adobe Systems Incorporated in the United States and/or other countries.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are

    trademarks or registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web

    Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology

    invented and implemented by Netscape.

    SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,

    StreamWork, and other SAP products and services mentioned herein as well as their respective logos

    are trademarks or registered trademarks of SAP AG in Germany and other countries.

    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal

    Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned

    herein as well as their respective logos are trademarks or registered trademarks of Business Objects

Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products

    and services mentioned herein as well as their respective logos are trademarks or registered

    trademarks of Sybase, Inc. Sybase is an SAP company.

    All other product and service names mentioned are the trademarks of their respective companies.

    Data contained in this document serves informational purposes only. National product specifications

    may vary.

    These materials are subject to change without notice. These materials are provided by SAP AG and

    its affiliated companies ("SAP Group") for informational purposes only, without representation or

    warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the

    materials. The only warranties for SAP Group products and services are those that are set forth in the

express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.