GRC340.pdf

February 25, 2017 | Author: Ravi Venkatesh K P | Category: N/A

GRC340 BusinessObjects Risk Management
SAP Business Objects - Business Intelligence

Date:
Training Center:
Instructors:
Education Website:

Instructor Handbook
Course Version: 93
Course Duration: 3 Day(s)
Material Number: 50098333
Owner: [First name] [Last name] ([Employee ID])

An SAP Compass course - use it to learn, reference it for work

Copyright

Copyright © 2010 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks

• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic Server™ are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer

THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.


About This Handbook

This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions

American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description

• Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal and external.
• Example text: Emphasized words or phrases in body text, titles of graphics, and tables.
• EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.
• Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.
• Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.
• <Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

© 2010 SAP AG. All rights reserved.


Icons in Body Text

The following icons are used in this handbook.

Icon: Meaning

• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor’s presentation.


Contents

Course Overview ... vii
  Course Goals ... vii
  Course Objectives ... ix

Unit 1: Introduction to Risk Management ... 1
  Risk and Business Environment ... 2
  Risk Management Process Overview ... 10

Unit 2: Risk Planning ... 21
  Master Data ... 23
  Organization Hierarchy and Views ... 33
  Objective Hierarchy ... 43
  Activity Hierarchy ... 50
  Risk and Opportunity Classification ... 56

Unit 3: Risk Identification ... 63
  Activity Management ... 64
  Risk/Opportunity Creation ... 73

Unit 4: Risk Analysis ... 83
  Surveys ... 85
  Risk Analysis ... 100
  Risk Grouping ... 113
  Risk Inter-Relationships ... 120
  What-If Scenario ... 128
  Monte-Carlo Analysis ... 142
  Risk Validation ... 152

Unit 5: Risk Response ... 159
  Responses and Enhancement Plans ... 161
  Response Assignment ... 168
  Creating a new Response in a risk ... 182
  Residual Risk Analysis (current) ... 188
  Assign a Control to a Risk ... 198
  Control Proposal ... 205

Unit 6: Key Risk Indicators ... 217
  Introduction to Key Risk Indicators ... 219
  KRI Design ... 222


  KRI Template Creation ... 225
  KRI Implementation ... 233
  KRI Instantiation ... 241
  KRI Localization ... 248
  KRI Business Rules ... 254

Unit 7: Risk Monitoring ... 265
  Planner ... 266

Unit 8: My Home ... 279
  Work Inbox ... 281
  Ad Hoc Tasks ... 288
  Reports and Analytics ... 296
  Document Search ... 306

Unit 9: Roles and Authorizations ... 309
  Roles and Authorizations ... 310


Course Overview

This course will discuss the functionality of SAP BusinessObjects Risk Management. We will discuss what risks and opportunities are in a business environment, the different types of responses for risks as well as Key Risk Indicators and how they are used. This course will also explain the master data that is used in SAP BusinessObjects Risk Management and how they relate to each other.

Target Audience

This course is intended for the following audiences:
• [Enter target audience.]

Course Prerequisites

Required Knowledge
• Understanding of risks and opportunities in a business environment

Course Duration Details

Unit 1: Introduction to Risk Management
• Risk and Business Environment: 30 Minutes
• Risk Management Process Overview: 30 Minutes

Unit 2: Risk Planning
• Master Data: 15 Minutes
• Exercise 1: High Level System Overview: 15 Minutes
• Organization Hierarchy and Views: 15 Minutes
• Exercise 2: Create an Organization Unit: 15 Minutes
• Objective Hierarchy: 15 Minutes
• Exercise 3: Create an Objective: 15 Minutes
• Activity Hierarchy: 15 Minutes
• Exercise 4: Create an Activity Category: 15 Minutes
• Risk and Opportunity Classification: 15 Minutes
• Exercise 5: Create a Risk: 15 Minutes

Unit 3: Risk Identification
• Activity Management: 15 Minutes
• Exercise 6: Create an Activity: 15 Minutes
• Risk/Opportunity Creation: 15 Minutes
• Exercise 7: Create a Risk: 15 Minutes

Unit 4: Risk Analysis
• Surveys: 15 Minutes
• Exercise 8: Create a Risk Survey: 30 Minutes
• Risk Analysis: 30 Minutes
• Exercise 9: Create an Inherent Risk Analysis: 30 Minutes
• Risk Grouping: 20 Minutes
• Exercise 10: Risk Grouping: 15 Minutes
• Risk Inter-Relationships: 20 Minutes
• Exercise 11: Risk Inter-Relationships: 15 Minutes
• What-If Scenario: 15 Minutes
• Exercise 12: What-If Scenario: 30 Minutes
• Monte-Carlo Analysis: 30 Minutes
• Exercise 13: Monte Carlo Analysis: 15 Minutes
• Risk Validation: 15 Minutes
• Exercise 14: Risk Validation: 15 Minutes

Unit 5: Risk Response
• Responses and Enhancement Plans: 15 Minutes
• Exercise 15: Create a Risk Response: 15 Minutes
• Response Assignment: 15 Minutes
• Exercise 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis: 15 Minutes
• Creating a new Response in a risk: 15 Minutes
• Exercise 17: Create a Risk Response: 15 Minutes
• Residual Risk Analysis (current): 15 Minutes
• Exercise 18: Perform Residual Risk Analysis (current): 15 Minutes
• Assign a Control to a Risk: 10 Minutes
• Exercise 19: Assign a Control to a Risk: 30 Minutes
• Control Proposal: 10 Minutes
• Exercise 20: Control Proposal: 15 Minutes

Unit 6: Key Risk Indicators
• Introduction to Key Risk Indicators: 15 Minutes
• KRI Design: 15 Minutes
• KRI Template Creation: 15 Minutes
• Exercise 21: Create a KRI Template: 15 Minutes
• KRI Implementation: 15 Minutes
• Exercise 22: Implement a KRI: 15 Minutes
• KRI Instantiation: 15 Minutes
• Exercise 23: Add a KRI to a Risk: 15 Minutes
• KRI Localization: 15 Minutes
• Exercise 24: Localize a KRI: 15 Minutes
• KRI Business Rules: 15 Minutes
• Exercise 25: Configure a KRI Business Rule: 15 Minutes

Unit 7: Risk Monitoring
• Planner: 30 Minutes
• Exercise 26: Create a Plan: 15 Minutes

Unit 8: My Home
• Work Inbox: 10 Minutes
• Ad Hoc Tasks: 5 Minutes
• Exercise 27: Propose a Risk: 5 Minutes
• Exercise 28: Report an Incident: 5 Minutes
• Reports and Analytics: 5 Minutes
• Exercise 29: Run a Report: 5 Minutes
• Exercise 30: View a Dashboard: 15 Minutes
• Document Search: 5 Minutes

Unit 9: Roles and Authorizations
• Roles and Authorizations: 15 Minutes

Course Goals

This course will prepare you to:
• Identify risks and opportunities
• Run the various types of risk analysis
• Add responses to risks
• Understand Key Risk Indicators and how they are used in SAP BusinessObjects Risk Management

Course Objectives

After completing this course, you will be able to:
• Identify risks and opportunities in a business environment
• Run the various types of risk analysis
• Add responses to risks
• Show what a Key Risk Indicator is and how SAP BusinessObjects Risk Management uses them.

INSTRUCTOR INFORMATION

This template describes all recommended information which should be in an instructor guide or instructor handbook for SAP courses to ensure a good quality standard of instructor information. The information is essential to minimize the need for support by the global training support, especially before training.

RECOMMENDED INFORMATION

Hints on preparing this course


Remember to check for additional information which was published after the course material was finally released. For the latest information or course updates, see the additional Instructor Guide, System Setup Guide or Troubleshooting Guide on SAP Service Marketplace. Most of them you will find under the alias /curr-info: http://service.sap.com/curr-info. Other aliases are also possible (e.g. /curr-adm; /curr-ep). You will normally find the current alias in the Instructor Guide.

Training System Availability

Your training system will be available and accessible on Sunday evening (CET time zone) of the week the training takes place. Do not use the system or prepare your course before that time. The system can still be in use by another course or in the refresh procedures of the IT preparation for your course! If you need a test/prep. system before your course takes place, see details under paragraph Test-/Prep. System.

Test-/Prep. System

Either: not applicable

There are test/prep. systems available for most of the SAP courses. You will find the necessary information on http://service.sap.com/curr-info. In case you cannot access this site, please ask the responsible Education coordinator (the one who sent you this guide) to make the relevant information available to you.

Or: If no test/prep. system exists for the course, but testing or preparation is essential, the responsible Education department can order such a system – this should ideally be done at least one week before the training. Please note that test/prep. systems must not be used for training without the permission of KPS. An access violation fee will be charged in these cases.

Required System Landscape

SAP BusinessObjects Risk Management 3.0 Support Pack 5. The system landscape consists of ABAP and Portal.

Using Training WTS Farm

Nearly all SAP courses are designed to be taught via SAP Training Windows Terminal Service Server Farms (= WTS Farms) to enable trainings also on customer site (so-called Onsite Training). If the restrictions of the course don’t mention another WTS Farm or the usage of the local PC front end, always use the Common Training WTS farm for your training. Use SAP software on the local PC front end only in SAP-owned training centers with good network bandwidth connections. The usage of SAP software on the local PC front end restricts the training support to the local IT support. The global training support can only support trainings via Training WTS farms.

• Training at SAP Training Centers/Internal SAP Training: The internal connectivity to the training WTS farms can only be used inside the SAP network infrastructure. To connect to the training WTS farm use http://wts.wdf.sap.corp:1080. Choose a region (AMERICAS, EMEA or APJ). Select the Training-Zone menu. Connect to Common Training, if no other WTS farm is named for the training.
• Customer Onsite Training / Third Party Training Center: Customer Onsite training can only connect to the SAP training WTS farm via the SAP Citrix Secure Gateway (SAP CSG). Therefore you need a CSG User ID. The User ID has to be created by the education department before the time of the training. The data (User ID and password) are delivered to you by the education department. Trainer and participants use the same dedicated CSG User ID and password for the training. To connect to the training WTS farm use http://mywts.sap.com. Choose a region (AMERICAS, EMEA or APJ). Enter the CSG User ID and password and log on. Select the Training icon. Connect to Common Training, if no other WTS farm is named for the training.

User ID and Passwords for the Course

• Training with existing User IDs in the master system: GRC340-00 through GRC340-20 with the password initial1. The instructor will use the GRC340-00 ID with the password initial1 in the Portal as well as in the ABAP system; the participants will only log on to the Portal and not to the ABAP system.

Additional preparation in the system

CATTs/eCATTs: not applicable
a) Automatic CATTs/eCATTs: not applicable
b) Training CATTs/eCATTs: not applicable.

Switching ON/OFF table locking in SAP systems: not applicable

Example ABAPs: not applicable

Technical Hints

[Further technical hints like a shared folder for participants’ files, additional trainer information or special software usage during the training, or additional course preparations on the training WTS farm like initializing course scripts should be mentioned here.]


Unit 1: Introduction to Risk Management

Unit Overview

This unit will introduce you to risk management, and provide an overview of the typical process to identify, analyze, treat and monitor risk.

Unit Objectives

After completing this unit, you will be able to:
• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management
• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps

Unit Contents

Lesson: Risk and Business Environment ... 2
Lesson: Risk Management Process Overview ... 10


Lesson: Risk and Business Environment

Lesson Duration: 30 Minutes

Lesson Overview

This lesson will help you answer the question “why do organizations need to manage risk?”

Lesson Objectives

After completing this lesson, you will be able to:
• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example

CRG Global Enterprise is a conglomerate with global operations. Nancy – the Director of ERM for CRG – has been asked to give a high-level overview of CRG’s Enterprise Risk Management Program (ERM) to the senior management committee. The CFO would like Nancy to explain how risk can influence CRG’s performance, and explain how the ERM program differs from traditional risk management.


Governance Risk and Compliance (GRC) – The Big Picture

Figure 1: The Big Picture

Organizations set objectives that define what needs to be achieved. Typical objectives for companies include revenue, customer satisfaction, operational effectiveness, and cost. A business model defines the organization’s strategic, financial, regulatory, and operational processes / products / services and the associated performance objectives that must be undertaken in order to achieve the objectives. Organizations must operate within defined boundaries. The mandated boundary represents regulatory/legal requirements that are imposed on the organization (such as SOX compliance, employment standards, etc). The voluntary boundary is set by management such as public commitments or organizational values. Obstacles may prevent the achievement of the objectives. It is these obstacles that are the focus of risk management.


The Problem Today

Figure 2: The Problem Today

Here are the typical challenges that organizations face. In general, there is a lack of transparency and no support for decision making.

Risk Managers are typically responsible for ensuring that a consistent risk management process is followed throughout the organization. However, the risks are “owned” by the lines of business. As a result, risk managers constantly struggle with tracking the progress of responding to risks.

The Lines of Business typically don’t think about risks per se, but more about meeting their performance objectives. They tend to receive several surveys or assessment requests from different groups that ask similar questions (e.g. Risk Management, Audit, IT Security, Business Continuity, etc.). Typically, the business units come up with good solutions to address the risks they know about... but only the risks they know about. They have absolutely no visibility into risks outside of their silo that could negatively affect them. Risk mitigation efforts that are successful are often one-offs, and are typically never reapplied to other regions or similar business units.

Executives and Directors are mainly concerned with market expectations and delivering the strategy. Risks are often not specifically addressed during management meetings. As a result, executives are left not knowing whether any negative surprises will keep them from meeting their projections until it is too late.

The effect of this fragmented, disjointed approach to risk management is that risks slip through the cracks and turn into losses. A 2005 study by Deloitte showed that the effects can be dramatic, as shown in Figure 3:
• Nearly 1/2 of Fortune 1000 companies lost more than 20% of their stock value in a 1 month period during the last decade.
• 1/2 of the companies require more than a year to regain the lost value; 22% never recovered.


What’s driving these losses? Often, it’s when multiple risks turn into loss events at the same time. For example, losses result when a new competitor enters the market at the same time that your supplier can’t deliver on time. It’s important to get an enterprise-wide view of your risks and understand the relationships among them. To protect the value of their brands, organizations need to develop the ability to “see around corners”. A McKinsey study showed that tangible, focused activities are effective at protecting brand. Developing a proactive risk management strategy and implementing strong preventive controls against “hot issues” like data privacy leaks, consumer privacy leaks, environmental accidents and financial fraud is an effective approach. These programs, in conjunction with social and economic development initiatives, also ultimately help to build up the corporate profile and reputation.

An Enterprise View of Risks

An organization’s uncoordinated, and sometimes conflicting, approaches to managing risk can lead to the management team ignoring some risks while spending too much time managing others. The result: management does not have a complete picture of the risks it faces, thereby increasing the likelihood that the organization will be surprised by events that, in retrospect, could have been predicted. Enterprise Risk Management (ERM) provides an integrated or holistic approach to understanding and managing all of the risks that an organization faces. Its primary purpose is to improve the quality of decision-making. It provides management with the visibility to recognize the interdependency of risks, thereby decreasing the likelihood that the organization will be surprised by events that, in retrospect, could have been predicted.

Figure 3: Scope of Enterprise Risks


Organizations face many types of risks. These risks include:
• Strategic risks that involve an organization’s direction. Is the organization’s current course and ability to adapt to market changes correct, or does it need to be changed to keep from stagnating or collapsing? Strategic risks include an organization’s overall objectives, the assumptions that underlie those objectives, as well as the constraints the organization faces.
• Financial risks that involve the allocation of resources, including an organization’s financial investments. For instance, are financial resources allocated so they create the best return for an organization’s shareholders?
• Regulatory risks that involve an organization’s compliance with corporate sustainability, trade, financial reporting, and other legal and regulatory requirements.
• Operational risks that involve the people, processes and technology that are needed to carry out an organization’s strategic objectives. These risks would include how well information technology systems function or the effectiveness of information security in protecting confidential data.

Managing Risk as a System

Figure 4: Managing Risk as a System

ERM approaches risk from an enterprise wide basis, embedding awareness and information about risks into daily management and operational activities. In short, ERM manages risk “as a system”.


The benefits of this approach include:
• Managing risks as a system will help an organization improve its situational awareness, which in turn will allow it to respond to risks more pro-actively and lead to fewer surprises.
• An organization will also have a better chance to achieve its strategic goals if it understands the underlying causes of potential failure.
• It will be able to create better value from resources by eliminating the need to respond to unexpected crises. This will give an organization more time to pursue other (value creating) work.

For ERM to work and to be effective:
• An organization will need to define and communicate its tolerance for risk (specifically the willingness to incur a loss in pursuit of its business objectives). Without a definition, managers will not know which risks are too large and which are too small to address.
• Information about risks must flow seamlessly and blamelessly across an organization to the management teams. Risk information has sometimes been perceived to be bad news instead of a call for action, which likely has caused some managers to filter or hide information.
• An organization’s managers and employees must value risk information, which typically requires a cultural mind-set for change so a healthy risk communication culture can take hold, ERM practitioners say.
• In addition, responsibility for risks should be assigned to those managers who can best oversee them. Risk without responsibility is a recipe for organizational disaster.


Facilitated Discussion

After completing this discussion, you will be able to:
• Explain how risks are typically addressed in organizations
• Describe the extent of executive support for risk management
• Explain how risk policies are used
• List the methodologies used in organizations

Business Example

CRG Global Enterprises is a conglomerate with global operations. Nancy – the Director of ERM for CRG – has been asked to give a high-level overview of CRG’s Enterprise Risk Management Program (ERM) to the senior management committee. The CFO would like Nancy to explain how risk can influence CRG’s performance, and explain how the ERM program differs from traditional risk management.

Discussion Questions

Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions.
1. How are risks addressed in your organization (for compliance reasons only)?
2. Is there strong executive support for risk management?
3. What is the risk culture?
4. Is there a risk policy?
5. Is staff dedicated to risk management?
6. Do you have a standard risk management methodology?
7. Can you provide an example where a problem could have been managed as a risk? What was the impact of the problem on the organization’s performance?


Lesson Summary

You should now be able to:
• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management


Lesson: Risk Management Process Overview

Lesson Duration: 30 Minutes

Lesson Overview

This lesson will introduce the basic risk management process.

Lesson Objectives

After completing this lesson, you will be able to:
• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example

Pete – the General Manager for CRG Global International – asked Nancy – the Director of ERM for CRG – to meet with his team to explain the ERM process steps. Pete wants to ensure that his team incorporates the process steps as part of its day-to-day operations.

What is Risk?

Risk is any event that may result in a significant deviation from a planned objective, resulting in an unwanted, negative consequence. The planned objective could be any aspect of an organization’s strategic, financial, regulatory, and operational processes / products / services. The degree of risk associated with an event is determined by the likelihood (uncertainty, probability) of the event occurring, the consequences (impact) if the event were to occur, and its timing.


Figure 5: Risk Management Process

Most risk management processes are aimed at answering the following key questions:
1. What business activities need to be reviewed and how should we proceed? (Risk Planning)
2. What events could prevent us from achieving our business objectives, and how significant are they? (Risk Identification and Analysis)
3. How should we respond to the most critical risks? (Risk Response)
4. Are our response actions effective? If not, what else needs to be done? (Risk Monitoring)

Risk Planning

Objectives
• Define the basic parameters within which risks are to be managed. For example, business activities to be assessed, risk threshold levels, risk management participants.

Key Activities


Establish the external context •



This step defines the external environment in which the organization operates. It also defines the relationship between the organization and its external environment This may include, for example: – – – –

The business, social, regulatory, cultural, competitive, financial, and political environment. The organization’s strengths, weaknesses, opportunities, and threats. External stakeholders Key business drivers

Establish the internal context
• Before a risk management activity is commenced, at any level, it is necessary to understand the organization. Key areas include:
– Culture
– Internal stakeholders
– Structure
– Capabilities in terms of resources such as people, systems, processes, capital

Establish the risk management context
• The goals, objectives, strategies, scope, and parameters of the activity or part of the organization to which the risk management process is being applied should be established. Setting the scope and boundaries of an application of risk management involves:
– Defining the organization, process, project, or activity and establishing its goals and objectives
– Specifying the nature of the decisions that must be made
– Defining the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions

Develop risk criteria
• Decide the criteria against which risk is to be evaluated.
• These often depend on an organization’s internal policies, goals and objectives, and the interests of stakeholders.

Define the structure for the rest of the process
• This involves subdividing the activity, process, or project into a set of elements or steps in order to provide a logical framework that helps ensure significant risks are not overlooked (for example, a project work breakdown structure or a process map).


Risk Identification

Comprehensive identification using a well-structured, systematic process is critical, because a risk not identified at this stage may be excluded from further analysis. Identification should include risks whether or not they are under the control of the organization.

Objectives
• Identify the risks to be managed.

Key Activities
• What can happen, where and when?
– Generate a comprehensive list of sources of risk events that might have an impact on the achievement of each of the objectives identified in the context. These events might prevent, degrade, delay, or enhance the achievement of those objectives.
– Approaches used to identify risks include checklists, judgements based on experience and records, flow charts, brainstorming, systems analysis, scenario analysis, and systems engineering techniques.
• Why and how can it happen?
– Having identified what might happen, it is necessary to consider possible causes and impacts. There are many ways an event can occur. It is important that no significant causes are omitted.

Risk Analysis

Risk analysis involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences may occur. Factors that affect consequences and likelihood may be identified. Risk is analyzed by combining consequences and their likelihood. In most circumstances, existing controls are taken into account. A preliminary analysis can be carried out so that similar risks are combined or low-impact risks are excluded from detailed study. Where possible, excluded risks should be listed to demonstrate the completeness of the risk analysis. Where appropriate, the confidence placed in estimates of levels of risk should be included. Assumptions made in the analysis should be clearly stated.

Objectives
• Develop an understanding of the risk

Key Activities
• Evaluate the completeness and effectiveness of existing responses/controls
• Process control completeness and effectiveness
• Evaluate likelihood and consequences
• Assess the likelihood of the event and the magnitude of the associated consequences in the context of the effectiveness of the existing responses/controls
• An event may have multiple consequences and affect different objectives
• Likelihood and consequences are combined to produce a level of risk
• Techniques include:
– Structured interviews with experts in the area of interest
– Use of multi-disciplinary groups of experts
– Individual evaluations using questionnaires
– Use of models and simulations

Risk Response

The purpose of risk response is to make decisions based on the risk analysis about which risks need to be addressed, and the associated priorities. Risk response involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. The objectives of the organization and the extent of business objectives should be considered. Where a choice is to be made between options, higher potential losses may be associated with higher potential gains and the appropriate choice will depend on an organization’s context. Decisions should take account of the wider context of the risk and include consideration of the tolerability of the risks borne by parties other than the organization that benefits from it. In some circumstances, the risk evaluation may lead to a decision to undertake further analysis.


When identifying options for treating risks with negative outcomes, the options include:
• Reducing the risk by changing the likelihood of the risk, thereby reducing the likelihood of the negative outcomes.
• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk (where this is practicable). Risk avoidance can occur inappropriately if individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may increase the significance of other risks or may lead to the loss of opportunities for gain.
• Transferring (or sharing) the risk with another party. Mechanisms include the use of contracts, insurance arrangements, and organizational structures such as partnerships and joint ventures to spread responsibility and liability. Generally there is some financial cost or benefit associated with sharing part of the risk with another organization, such as the premium paid for insurance. Where risks are shared in whole or in part, the organization transferring the risk has acquired a new risk, in that the organization to which the risk has been transferred may not manage the risk effectively.
• Accepting (or retaining) the risk. After risks have been changed or shared, there will be residual risks that are retained. Risks can also be retained by default, for example when there is a failure to identify, appropriately share, or otherwise treat risks.

Objectives
• Evaluate the analyzed risks
• Select risks (and opportunities) that should be “treated”

Key Activities
• Identifying options for treating risks with negative outcomes
• Identifying options for the treatment of risks with positive outcomes
– Treatment options for risks having positive outcomes (opportunities) are not necessarily mutually exclusive or appropriate in all circumstances.

Risk Monitoring

Objectives
• Monitor the effectiveness and completeness of the response actions
• Take corrective action
• Communicate the status of the risks


Key Activities
• Implement response actions
• Report on response action status
• Analyze status information for trends and deviations
• Take actions as required to address status issues. Actions could include:
– Re-plan the response actions
– Close the risk
– Invoke a contingency plan
– Continue to monitor the risk
– Prepare and distribute risk reports


Lesson Summary
You should now be able to:
• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps


Unit Summary
You should now be able to:
• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management
• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps


Test Your Knowledge

1. The degree of risk associated with an event is determined by the ______ of the event occurring, the ______ if the event were to occur, and its ______.
Fill in the blanks to complete the sentence.

2. ______ involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences may occur.
Fill in the blanks to complete the sentence.

3. The purpose of ______ is to make decisions based on the risk analysis about which risks need to be addressed, and the associated priorities.
Fill in the blanks to complete the sentence.

4. When identifying options for treating risks with negative outcomes, the options include:


Answers

1. The degree of risk associated with an event is determined by the probability of the event occurring, the impact if the event were to occur, and its timeframe.
Answer: probability, impact, timeframe

2. Risk Analysis involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences may occur.
Answer: Risk Analysis

3. The purpose of Risk Response is to make decisions based on the risk analysis about which risks need to be addressed, and the associated priorities.
Answer: Risk Response

4. When identifying options for treating risks with negative outcomes, the options include:
Answer:
1. Reducing
2. Avoiding
3. Transferring
4. Accepting


Unit 2 Risk Planning


Unit Overview
In this unit, you will learn about the master data used for risk management with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:
• Describe the types of master data used in SAP BusinessObjects Risk Management
• Navigate in the organization hierarchy
• Create and set up a new organization unit
• Share organization structure between organization views
• Navigate in the objective hierarchy
• Create and set up a new objective
• Navigate in the activity hierarchy
• Create and set up a new activity hierarchy
• Navigate in the risk and opportunity hierarchy
• Create and set up a new risk and opportunity category

Unit Contents
Lesson: Master Data ........................................................ 23
Exercise 1: High Level System Overview ............................ 29
Lesson: Organization Hierarchy and Views .............................. 33
Procedure: Creating an Organization Structure ..................... 35
Procedure: Creating an Organization View .......................... 37
Exercise 2: Create an Organization Unit ............................. 39
Lesson: Objective Hierarchy ............................................... 43
Procedure: ............................................................... 45
Exercise 3: Create an Objective ....................................... 47
Lesson: Activity Hierarchy .................................................. 50
Procedure: Creating an Activity Hierarchy ........................... 52
Exercise 4: Create an Activity Category .............................. 53
Lesson: Risk and Opportunity Classification ............................. 56
Procedure: Creating a Risk and Opportunity Classification Hierarchy ... 58
Exercise 5: Create a Risk .............................................. 59


Lesson: Master Data
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will introduce you to the types of master data used in SAP BusinessObjects Risk Management.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the types of master data used in SAP BusinessObjects Risk Management


Business Example

Enterprise risks are generally documented for organizational entities and business activities. Business activities can be of different types: business processes, assets, projects, programs, and so on. The organization and activity structures are hierarchical in nature. The key need is the ability to document enterprise risks and assign them to different nodes in the organization and activity structures. As part of the SAP BusinessObjects Risk Management implementation project, a Business Blueprint is typically prepared that documents the organization’s risk management requirements. The central risk management team sets up the master data elements (org hierarchy, org unit objectives, activity classification, and risk/opportunity category) based on the approved Business Blueprint. Changes to the master data are usually performed by the central team only.


Risk Management Data Model

Figure 6: Risk Management Data Model

The elements on the left hand side show the Master Data Catalog objects. The elements on the right hand side show examples of actual application data objects. The dotted lines between the Master Data Catalogs and the actual application data objects show the relationships between them.

The Organization Structure is a hierarchical structure of organizational units and is the main entry point for SAP BusinessObjects Risk Management. This defines how information will be aggregated and rolled up.

The Objective Hierarchy is a hierarchy of strategies and objectives. The main root node can have numerous strategies documented, and each strategy can have numerous objectives documented. The hierarchy always has two levels: strategies and objectives.

The Activity Hierarchy is used to define different types of business activities: processes, initiatives, projects, and so on. These are shown as the root nodes. For each activity type, you can document a hierarchical activity structure.

The Risk and Opportunity Classification is a hierarchical structure to categorize risks and opportunities.


Organizational Structure

Organization master data is a standard SAP component used to capture the structure of a business. The organization’s master data is set up during implementation or can be imported from other applications. The data in the organization structure may be changed a few times in a year. There can be only one top node for the organizations catalog, and the top node is defined in the Implementation Guide. A hierarchical structure can be defined under the top node. Each node in the structure is called an organizational unit. Each organizational unit entry stores additional master data attributes and is the main entry point for SAP BusinessObjects Risk Management. Each organizational unit is headed by an Organizational Unit Manager.

Figure 7: Example Organization Structure

The setup of the organization structure is based on the customer’s requirements, with various setups such as:
• Geographic (Americas, EMEA, APJ, and so on)
• Divisional (Investment Banking, Retail Banking, and so on)
• Functional (Corporate, Sales, Marketing, Operations, IT, and so on)

Objective Hierarchy

Organizations typically have several strategic initiatives with different objectives for each. The Objective Hierarchy provides a framework for documenting the strategic initiatives and the objectives.


Figure 8: Example Objective Hierarchy

The Objective Hierarchy has a default root node with two levels defined below. The first level captures the strategic initiatives; the second level captures the objectives for each strategic initiative. The objectives defined in the hierarchy can be shared with the organization units defined in the organization structure master data.

Activity Hierarchy

An activity is any risk-bearing activity such as a business process, a project, or a program. Activities provide an additional perspective for structuring risk information. An Activity must be assigned to an Activity Category.

Figure 9: Example Activity Hierarchy


The Activity Hierarchy consists of activity Types and activity Categories. Activity Types can be:
• Business Processes, such as Operational, Financial, and Administrative processes within an enterprise;
• Projects, such as internal and customer projects;
• Initiatives; or
• Objectives, a generic type of activity such as Production Facility, Financial Planning, and so on.

There are no limits in the number of levels and the number of Activity Categories. Each Activity Category entry stores additional master data attributes.

Risk and Opportunity Classification

Risks and Opportunities are the basic entities managed by SAP BusinessObjects Risk Management. Risks and opportunities are managed separately and are defined for Activities. The risk and opportunity classification consists of Risk Categories and Opportunity Categories. All risks and opportunities must respectively be assigned to a Risk Category or an Opportunity Category. Risk and Opportunity Categories are both hierarchical structures.

Figure 10: Example Risk Classification

There are no limits in the number of levels and the number of Risk or Opportunity Categories. Each Risk and Opportunity Category entry stores additional master data attributes.


Exercise 1: High Level System Overview
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Locate the various master data items in the system

Business Example

Enterprise risks are generally documented for organizational entities and business activities. Business activities can be of different types: business processes, assets, projects, programs, and so on. The organizational and activity structures are hierarchical in nature. The key need is the ability to document enterprise risks and assign them to different nodes in the organization and activity structures. As part of the SAP BusinessObjects Risk Management implementation project, a Business Blueprint is typically prepared that documents the organization’s risk management requirements. The central risk management team sets up the master data elements (org hierarchy, org unit objectives, activity classification, and risk/opportunity categories) based on the approved Business Blueprint. Changes to the master data are usually performed by the central team only.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1


Task: Locate Master Data Items

The master data elements are located in the Risk Structure work center.

1. Choose GRC Risk Management → Risk Structure work center. What master data topics do you see?

2. Select Organizations. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.

3. Select Risk Classification. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.

4. Select Objectives Hierarchy. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.


Solution 1: High Level System Overview

Task: Locate Master Data Items

The master data elements are located in the Risk Structure work center.

1. Choose GRC Risk Management → Risk Structure work center. What master data topics do you see?
Answer: Organizations; Risk Classification; Risk Structure Reports; Activity Hierarchy; Opportunity Classification; Objectives Hierarchy

2. Select Organizations. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.
Answer: General; Objective; Unit of Measure; Risk Appetite; Risk Thresholds; Assignments; Roles; Attachments & Links

3. Select Risk Classification. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.
Answer: General; KRI Template (when group classification selected); Attachments & Links

4. Select Objectives Hierarchy. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.
Answer: General; Objectives (or Organization Unit if sub-objective selected); Attachments & Links


Lesson Summary
You should now be able to:
• Describe the types of master data used in SAP BusinessObjects Risk Management


Lesson: Organization Hierarchy and Views
Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create an organization unit.

Lesson Objectives
After completing this lesson, you will be able to:
• Navigate in the organization hierarchy
• Create and set up a new organization unit
• Share organization structure between organization views

This lesson gives an overview of the Organizational Hierarchy and then goes into the system to show the process of creating a new organization unit and selecting different views of the Organization Hierarchy.

Business Example

There are various ways of representing an organization for risk reporting purposes. Organizational Hierarchies allow you to tailor risk reporting by different organizational views (e.g. legal structure, geographic, lines of business, etc.). The benefits of defining Organizational Hierarchies are flexible risk reporting to meet the requirements of different risk management stakeholders, and improved risk transparency.

Organization Structure

The Organization Structure is a hierarchical structure of organizational units and is the main entry point for SAP BusinessObjects Risk Management. This defines how information will be aggregated and rolled up. Organization master data is a standard SAP component used to capture the structure of a business. The organization’s master data is set up during implementation or can be imported from other applications. The data in the organization structure may be changed a few times in a year. There can be only one top node for the organizations catalog, and the top node is defined in the Implementation Guide. A hierarchical structure can be defined under the top node. Each node in the structure is called an organizational unit.


Each organizational unit entry stores additional master data attributes and is the main entry point for SAP BusinessObjects Risk Management.

Figure 11: Organization Master Data Attributes

Each organization unit has the following master data attributes:
• General: Name for the organization and the currency.
• Objective: Objectives that correspond to the organization’s strategy.
• Unit of Measure: Unit of measure and conversion factors for different impact categories.
• Risk Appetite: Degree of risk-taking that is to be applied when individual risks are entered into the system.
• Risk Threshold: Various risk thresholds with their impact levels.
• Assignments: On the Assignments tab, you see the organizational views that are assigned to this organization.
• Roles: Users assigned to the organizational roles.
• Attachments & Links: Links to documents and Web sites.


Creating an Organization Structure

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. This opens a popup window that displays the organizations. The details of the selected organization unit are displayed on the right hand side in a view-only manner.

2. Select the View named Standard Hierarchy.

3. Select the organizational unit under which you want to create a new organization unit.

4. Choose the Create pushbutton to create the new organization unit.

5. Complete the organization setup with the General tab. The organization information includes the following (fields marked with an asterisk (’*’) are mandatory):
1. Name: Name of the organizational unit.
2. Description: Description of the organization unit.
3. Currency: Reporting currency (can be different for each organization unit).
4. Valid From: This defaults from the parent organization unit. You can change the default date to a later date, but not earlier than the Valid From date of the parent organization unit.

6. Choose the Objective tab and then the Add pushbutton. Use the check boxes to assign one or more objectives to the organization unit.
Note: The objectives are defined in the Objective Hierarchy.

7. Choose the Unit of Measure tab. To create the units of measure for the organization unit:
1. Select an Impact Category from the dropdown list.
Note: Impact categories are configurable master data items.
2. Choose the Create pushbutton.
3. Select the Unit of Measure Name.
Note: Unit of Measure names are configurable master data items.
4. Enter the Conversion Factor. The factor converts the Unit of Measure Name to the organization unit Currency.
5. Enter the Valid To date until which the Unit of Measure will remain valid. You can change the date at a later time if required.

8. Choose the Risk Appetite tab. To define the organization’s risk appetite:
1. Select the Qualitative Appetite level.
Note: Appetite levels are configurable master data items.
2. Enter a Quantitative Amount that relates to the Qualitative Appetite.
3. Enter a description.

9. Choose the Risk Threshold tab. For each Impact Level, enter the Quantitative Lower Limit and Quantitative Upper Limit values in terms of the organization unit Currency.
Note: Impact Levels are configurable master data items.

10. Choose the Assignments tab. Here you will see the different organization hierarchy views to which the organization unit has been assigned (see the next section, “Creating an Organization View”).

11. Choose the Roles tab. Select the Assign pushbutton to assign users to the organizational roles.

12. Choose the Attachments & Links tab. Select the Add pushbutton to add files and links.

13. When you’re finished, choose the Save pushbutton to save the new organization.
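The Risk Analysis step in Unit 1 states that likelihood and consequences are combined to produce a level of risk, and steps 7 to 9 of this procedure supply the organization-unit master data that makes that combination quantitative: a Conversion Factor from each Unit of Measure into the unit Currency (with a Valid To date), a Quantitative Amount for the risk appetite, and Quantitative Lower and Upper Limits per Impact Level. The following Python is an added example, not code from the course or from SAP BusinessObjects Risk Management. The data classes, the five-point likelihood scale, the rating bands and the appetite check are all assumptions; the sample org unit (GRC340-XX, USD, 1 HR = 100 USD, Valid To 12/31/9999) mirrors the Exercise 2 solution data, while its impact levels and appetite amount are constructed values. It also shows two edge cases the procedure implies but does not spell out: a unit of measure used past its Valid To date, and an impact above the highest threshold.

```python
"""Scoring a risk against an organization unit's master data (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class UnitOfMeasure:
    name: str        # e.g. "HR"
    factor: float    # converts one unit into the org unit's currency
    valid_to: date   # the Valid To date from the Unit of Measure tab


@dataclass
class ImpactLevel:
    name: str        # e.g. "Low"
    lower: float     # Quantitative Lower Limit in org unit currency (inclusive)
    upper: float     # Quantitative Upper Limit in org unit currency (exclusive)
    score: int       # ordinal rank combined with the likelihood rank (assumption)


@dataclass
class OrgUnit:
    name: str
    currency: str
    units: Dict[str, UnitOfMeasure] = field(default_factory=dict)
    impact_levels: List[ImpactLevel] = field(default_factory=list)
    risk_appetite: float = 0.0   # Quantitative Amount from the Risk Appetite tab


# Assumed five-point likelihood scale (not taken from the course).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def to_currency(org: OrgUnit, amount: float, uom: str, on: date) -> float:
    """Convert an impact given in a unit of measure into the org unit's currency."""
    if uom == org.currency:
        return amount
    unit = org.units.get(uom)
    if unit is None:
        raise KeyError(f"no unit of measure {uom!r} defined for {org.name}")
    if on > unit.valid_to:          # validity edge case: stale conversion factor
        raise ValueError(f"unit of measure {uom!r} expired on {unit.valid_to}")
    return amount * unit.factor


def impact_level(org: OrgUnit, value: float) -> ImpactLevel:
    """Map a currency amount onto the impact levels defined by the risk thresholds."""
    levels = sorted(org.impact_levels, key=lambda lv: lv.lower)
    for lv in levels:
        if lv.lower <= value < lv.upper:
            return lv
    if value >= levels[-1].upper:   # above the top threshold: clamp to the highest level
        return levels[-1]
    raise ValueError(f"{value} {org.currency} is below the lowest impact threshold")


def score_risk(org: OrgUnit, amount: float, uom: str, likelihood: str,
               on: Optional[date] = None) -> Tuple[str, int, bool]:
    """Return (rating, score, exceeds_appetite) for one risk.

    score = likelihood rank x impact level rank; the rating bands and the
    appetite check (converted impact vs. quantitative appetite) are assumptions.
    """
    value = to_currency(org, amount, uom, on or date.today())
    score = LIKELIHOOD[likelihood] * impact_level(org, value).score
    rating = "High" if score >= 10 else "Medium" if score >= 5 else "Low"
    return rating, score, value > org.risk_appetite


def example_org() -> OrgUnit:
    """Org unit mirroring Exercise 2 (GRC340-XX, USD, 1 HR = 100 USD, Valid To
    12/31/9999); the impact levels and the appetite amount are constructed."""
    return OrgUnit(
        name="GRC340-XX", currency="USD",
        units={"HR": UnitOfMeasure("HR", 100.0, date(9999, 12, 31))},
        impact_levels=[ImpactLevel("Low", 0, 10_000, 1),
                       ImpactLevel("Medium", 10_000, 100_000, 2),
                       ImpactLevel("High", 100_000, 1_000_000, 3)],
        risk_appetite=50_000.0,
    )


def expired_org() -> OrgUnit:
    """Same org unit, but the HR conversion factor is valid only until 2009-12-31."""
    org = example_org()
    org.units["HR"] = UnitOfMeasure("HR", 100.0, date(2009, 12, 31))
    return org


if __name__ == "__main__":
    org = example_org()
    print(score_risk(org, 50, "HR", "likely"))      # ('Low', 4, False)
    print(score_risk(org, 2000, "HR", "likely"))    # ('High', 12, True)
```

A 50-hour outage converts to 5,000 USD, lands in the Low impact level and, combined with a "likely" rating, stays Low and within appetite; a 2,000-hour outage converts to 200,000 USD, reaches the High level and exceeds the appetite amount. Keeping the thresholds on the org unit rather than in code is what lets the same risk be rated differently by two units with different currencies or appetites, which is the point of maintaining these attributes per organization unit.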


Creating an Organization View

Use

An organization typically has different reporting views such as by line of business, legal entity, or geography. An organizational view is simply an assignment of organization units to different “views”. In SAP BusinessObjects Risk Management you can define multiple organizational views in a single organizational repository. There is no limitation on the number of views that can be defined. The organizational structure is shared between SAP BusinessObjects Risk Management and SAP BusinessObjects Process Control.

Procedure

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. This opens a popup window that displays the organizations. The details of the selected organization unit are displayed on the right hand side in a view-only manner.

2. Select the View name (other than Standard Hierarchy).

3. Choose the Actions pushbutton and select Assign Organization.

4. You will see all of the organization units in the Standard Hierarchy. Select the organization unit that you wish to assign to the View selected in Step 2. Choose the OK pushbutton.

5. You should see a message confirming the assignment of the selected organization unit to the selected View.


Exercise 2: Create an Organization Unit
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create an Organization Unit

Business Example

There are various ways of representing an organization for risk reporting purposes. Organizational Hierarchies allow you to tailor risk reporting by different organizational views (e.g. legal structure, geographic, lines of business, etc.). The benefits of defining Organization Hierarchies are flexible risk reporting to meet the requirements of different risk management stakeholders, and improved risk transparency.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1


Task: Create an Organization Unit

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. What do you see?

2. Select the Manufacturing organization unit and choose the Create pushbutton. What do you see?

3. Finish creating the organization unit.

4. Select the Save pushbutton to close the popup window. Close the popup window by clicking the “X” in the upper right-hand corner.


Solution 2: Create an Organization Unit

Task: Create an Organization Unit

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. What do you see?
Answer: This opens a popup window that displays the organizations. A portion of the CRG Global Enterprises organization structure is already set up. The details of the selected organizational unit are displayed on the right hand side in a view-only manner.

2. Select the Manufacturing organization unit and choose the Create pushbutton. What do you see?
Answer: The General tab displays the organization unit name and description. The description is optional.

3. Finish creating the organization unit.
a)
1. General Tab:
• Name: GRC340-XX
• Currency: USD
• Valid From: Today’s date (mm/dd/yyyy)
• Valid To: 12/31/9999
2. Objectives Tab:
• Add the following objectives: GRC340-XX Objective
3. Unit of Measure Tab:
• 1 HR = 100 USD
4. Roles Tab:
• Unit Risk Manager: GRC340-XX

4. Select the Save pushbutton to close the popup window. Close the popup window by clicking the “X” in the upper right-hand corner.
a) The organization data is saved.


Lesson Summary You should now be able to: • Navigate in the organization hierarchy • Create and setup a new organization unit • Share organization structure between organization views


Lesson: Objective Hierarchy

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create an objective hierarchy.

Lesson Objectives After completing this lesson, you will be able to:
• Navigate in the objective hierarchy
• Create and setup a new objective

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example Objective Categories are a means of classifying an organization’s performance goals. They are important because they help the risk managers discuss risk in terms of what is important to the business. The benefits of defining an Objective Hierarchy are that it provides an added dimension for risk reporting and gives risk managers better insight into the areas of the business impacted by risks.

Objective Hierarchy


Figure 12: Example Objective Hierarchy

The Objective Hierarchy is a hierarchy of strategies and objectives. It has a default root node with two levels defined below it: the first level captures the strategic initiatives, the second level captures the objectives of each strategic initiative. The root node can hold any number of strategies, and each strategy any number of objectives, which matches the way organizations typically run several strategic initiatives with different objectives for each. The objectives defined in the hierarchy can be shared with the organization units defined in the organization structure master data (the Objectives tab of an organization unit).


Creating an Objective Hierarchy

1. Choose GRC Risk Management → Risk Structure work center and select Objectives Hierarchy. This opens a popup window that displays the objectives. The details of the selected objective are displayed on the right-hand side in view-only mode.

2. Select the main root node.

3. Choose the Create pushbutton and select Strategy.

4. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):
   1. Name: Name of the strategy.
   2. Description: Description of the strategy.
   3. Valid To: Select a date until which the strategy will remain valid. You can change the date at a later time if required.

5. Choose the Save pushbutton to save the strategy.

6. Select the strategy that you just created.

7. Choose the Create pushbutton and select Objective.

8. In the General tab provide the following information:
   1. Name: Name of the objective.
   2. Objective Category: Select the category from the drop-down list.
   3. Description: Description of the objective.
   4. Valid To: Select a date until which the objective will remain valid. You can change the date at a later time if required.

9. Choose the Save pushbutton to save the new objective.


Exercise 3: Create an Objective

Exercise Duration: 15 Minutes

Exercise Objectives After completing this exercise, you will be able to: • Create an Objective

Business Example Objective Categories are a means of classifying an organization’s performance goals. They are important because they help the risk managers discuss risk in terms of what is important to the business. The benefits of defining an Objective Hierarchy are that it provides an added dimension for risk reporting and gives risk managers better insight into the areas of the business impacted by risks.

System Data

System: Instructor will provide to class
Client: Instructor will provide to class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1

Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create an Objective

1. Choose GRC Risk Management → Risk Structure work center and select Objectives Hierarchy.

2. Select the main root node.

3. Choose the Create pushbutton and select Strategy.

4. In the General tab provide the following information:

5. Choose the Save pushbutton to save the new strategy.

6. Select the strategy that you just created.

7. Choose the Create pushbutton and select Objective.

8. In the General tab provide the following information.

9. Choose the Save pushbutton to save the new objective.


Solution 3: Create an Objective

Task: Create an Objective

1. Choose GRC Risk Management → Risk Structure work center and select Objectives Hierarchy.
   a) This opens a popup window that displays the objectives hierarchy.

2. Select the main root node.
   a) The details of the selected objective are displayed on the right hand side.

3. Choose the Create pushbutton and select Strategy.
   a) This opens a popup window for the new strategy.

4. In the General tab provide the following information:
   a) Name: GRC340-XX-Strategy
   b) Description: GRC340-XX-Strategy
   c) Valid To: XXXXX

5. Choose the Save pushbutton to save the new strategy.
   a) New strategy saved.

6. Select the strategy that you just created.
   a) The details of the selected strategy are displayed on the right hand side.

7. Choose the Create pushbutton and select Objective.
   a) This opens a popup window for the new objective.

8. In the General tab provide the following information.
   a) Name: GRC340-XX-Obj
   b) Objective Category: XXXXX
   c) Description: GRC340-XX-Obj
   d) Valid To: XXXXX

9. Choose the Save pushbutton to save the new objective.
   a) New objective saved.


Lesson Summary You should now be able to: • Navigate in the objective hierarchy • Create and setup a new objective

Lesson: Activity Hierarchy

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create an Activity Hierarchy.

Lesson Objectives After completing this lesson, you will be able to:
• Navigate in the activity hierarchy
• Create and setup a new activity hierarchy

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example Activity Categories are a means of classifying an organization’s risk-bearing business activities. Activity categories provide an added dimension for risk reporting, and give risk managers additional insight into the areas of the business impacted by risks.

Activity Hierarchy The Activity Hierarchy is used to define different types of business activities: processes, initiatives, projects, etc. These are shown as the root nodes. For each activity type, you can document a hierarchical activity structure. An activity is any risk-bearing business activity such as a business process, a project, or a program. Activities provide an additional perspective for structuring risk information. An Activity must be assigned to an Activity Category.


Activity Types can be:
• Business Processes, such as Operational, Financial, and Administrative processes within an enterprise;
• Projects, such as internal and customer projects;
• Initiatives; or
• Objectives, a generic type of activity such as Production Facility, Financial Planning, and so on.

There are no limits in the number of levels and the number of Activity Categories. Each Activity Category entry stores additional master data attributes.


Creating an Activity Hierarchy

1. Choose GRC Risk Management → Risk Structure work center and select Activity Hierarchy. This opens a popup window that displays the activity categories. The details of the selected activity category are displayed on the right-hand side in view-only mode.

2. Select the Activity Type to show from the dropdown list.
   Note: Activity Types are configurable master data items.

3. Select the main root node.

4. Choose the Create pushbutton.

5. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):
   1. Name: Name of the activity category.
   2. Description: Description of the activity category.
   3. Allow Activity Assignment: Select the radio button to define whether or not you want to allow the assignment of activities to this activity category.
   4. Valid To: Select a date until which the activity category will remain valid. You can change the date at a later time if required.

6. Use the Risk Classification and Opportunity Classification tabs to assign risk/opportunity categories to this activity category.

7. Use the Attachments & Links tab to attach files or links.

8. Choose the Save pushbutton to save the activity classification.


Exercise 4: Create an Activity Category

Exercise Duration: 15 Minutes

Exercise Objectives After completing this exercise, you will be able to: • Create an Activity Category

Business Example Activity categories are a means of classifying an organization’s risk-bearing business activities. Activity categories provide an added dimension for risk reporting, and give risk managers additional insight into the areas of the business impacted by risks.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create an Activity Category

1. Choose GRC Risk Management → Risk Structure work center and select Activity Hierarchy.

2. Select the Activity Type XXXXX from the dropdown list.

3. Select the main root node.

4. Choose the Create pushbutton.

5. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):

6. Choose the Save pushbutton to save the activity classification.


Solution 4: Create an Activity Category

Task: Create an Activity Category

1. Choose GRC Risk Management → Risk Structure work center and select Activity Hierarchy.
   a) This opens a popup window that displays the activity hierarchy.

2. Select the Activity Type XXXXX from the dropdown list.
   a) This displays the hierarchy for the selected Activity Type.

3. Select the main root node.
   a) The details of the selected activity are displayed on the right hand side.

4. Choose the Create pushbutton.
   a) This opens a popup window for the new activity.

5. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):
   a) Name: GRC340-XX-CAT
   b) Description: GRC340-XX-CAT
   c) Allow Activity Assignment: Select the “Yes” radio button.
   d) Valid To: XXXXX

6. Choose the Save pushbutton to save the activity classification.
   a) New activity classification saved.


Lesson Summary You should now be able to: • Navigate in the activity hierarchy • Create and setup a new activity hierarchy

Lesson: Risk and Opportunity Classification

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create a risk and opportunity classification hierarchy.

Lesson Objectives After completing this lesson, you will be able to:
• Navigate in the risk and opportunity hierarchy
• Create and setup a new risk and opportunity category

In this lesson you will show the risk and opportunity classification to the students.

Business Example Risk (and opportunity) categories are attributes that help the risk managers organize the array of risks that an organization is likely to encounter. A sufficient number of descriptive groupings are needed so that every unique risk can be mapped to some representative risk category. Risk categories help the risk team create value from the information being collected in order that increasingly “rich” conversations can be held across the organization. Risk information is a tremendously valuable resource for identifying systemic sources of both organizational risks and problems that create costly rework, unnecessary overhead, and reduce corporate earnings.


Risk and Opportunity Classification

Figure 13: Risk and Opportunity Classification

The Risk and Opportunity Classification is a hierarchical structure for categorizing risks and opportunities. Risks and Opportunities are the basic entities managed by SAP BusinessObjects Risk Management; they are managed separately and are defined for Activities. The classification consists of Risk Categories and Opportunity Categories, both of which are hierarchical structures. Every risk must be assigned to a Risk Category and every opportunity to an Opportunity Category.


Creating a Risk and Opportunity Classification Hierarchy

Use

To create a Risk Classification Hierarchy:

Note: The same steps are used to create an Opportunity Classification Hierarchy.

Procedure

1. Choose GRC Risk Management → Risk Structure work center and select Risk Classification. This opens a popup window that displays the risk categories. The details of the selected risk category are displayed on the right-hand side in view-only mode.

2. Select the main root node.

3. Choose the Create pushbutton and select Risk Category.

4. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):
   1. Name: Name of the risk category.
   2. Description: Description of the risk category.
   3. Allow Assignment: Select the radio button to define whether or not you want to allow the assignment of risks to this risk category.
   4. Valid To: Select a date until which the risk category will remain valid.

5. Use the KRI Template tab to assign Key Risk Indicator (KRI) templates to the risk category.

6. Use the Attachments & Links tab to attach files or links.

7. Choose the Save pushbutton to save the risk category.


Exercise 5: Create a Risk

Exercise Duration: 15 Minutes

Exercise Objectives After completing this exercise, you will be able to: • Create a Risk

Business Example CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery, including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil, the Procurement Manager, has been tasked with documenting the supply chain risks for his organization. Neil will be assigned as the risk owner, and he will document the risks in SAP BusinessObjects Risk Management.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.


Solution 5: Create a Risk

Task: Create a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risks and opportunities with the attributes defined in the query.

2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.
   a) 1. Name: GRC340-XX-Risk
      2. Organization Unit: XXXX
      3. Secondary Organization: XXXX
      4. Objective: XXXX
      5. Activity: XXXX
      6. Risk Category: GRC340-XX-Cat
      7. Description: GRC340-XX-Risk
      8. Valid To: XXXX
      9. Driver:
         a) Category: XXXX
         b) Description: XXXX


Lesson Summary You should now be able to: • Navigate in the risk and opportunity hierarchy • Create and setup a new risk and opportunity category


Unit Summary You should now be able to: • Describe the types of master data used in SAP BusinessObjects Risk Management • Navigate in the organization hierarchy • Create and setup a new organization unit • Share organization structure between organization views • Navigate in the objective hierarchy • Create and setup a new objective • Navigate in the activity hierarchy • Create and setup a new activity hierarchy • Navigate in the risk and opportunity hierarchy • Create and setup a new risk and opportunity category


Unit 3 Risk Identification


Unit Overview In this unit you will learn about Activities and their relationship to organization units and risks, and how to create a risk with SAP BusinessObjects Risk Management.

Unit Objectives After completing this unit, you will be able to:
• Describe the purpose of Activities
• Explain how to create an Activity
• Create a risk

Unit Contents
Lesson: Activity Management .................................................. 64
   Procedure: Creating an Activity ........................................... 66
   Exercise 6: Create an Activity ............................................. 69
Lesson: Risk/Opportunity Creation ............................................ 73
   Procedure: Create a Risk .................................................. 75
   Exercise 7: Create a Risk .................................................. 79

Lesson: Activity Management

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to manage Activities.

Lesson Objectives After completing this lesson, you will be able to:
• Describe the purpose of Activities
• Explain how to create an Activity

In this lesson you will show the students how to create an Activity in the Risk Management system.

Business Example CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery, including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil, the Procurement Manager, has been tasked with documenting the supply chain risks for his organization. Before Neil can document the risks, he wants to set up an Activity for the supply chain planning and execution.

Activity Management In SAP BusinessObjects Risk Management you have the option of attaching risks (and opportunities) to an Activity or directly to an Organization Unit.


An Activity is any risk-bearing business activity such as a business process, a project, or a program. Activities provide an additional perspective for structuring risk information. Examples of types of activities are:
• Process (Supply Chain Product ABC)
• Project (Silverado Contract XYZ)
• Initiative (Staff Retention)
• Strategy (International Expansion)

The Activity holds generic data and makes use of Activity Categories which support data analysis, sorting, selecting and reporting. In the data model, an Activity is assigned to a node of the Organization Hierarchy. Risks and Opportunities can be attached to either an Activity or directly to an Organization Unit. Activities help structure risk management data and provide an additional reporting dimension.

Activity Users and Roles The following groups of users and roles are typically involved with Activities:
• Activity Owner: Manages the risk and opportunity assessment process within the activity; processes the activity through the Validation process.
• Risk Manager: Creates activities and assigns activity owners; monitors the risk management process through visibility of the risks and opportunities attached to activities.
• Risk Owner: Accesses owned risks through the activities.

Activity Management Process

Figure 14: Activity Management Process

Before an Activity can be created, the following must have been performed:
• Organizational unit created
• Activity hierarchy created


Creating an Activity

Figure 15: Create an Activity

1. Choose GRC Risk Management → Risk Structure work center and select Activity Management. This opens a popup window that displays the Activities with the attributes defined in the query.

2. To modify the Activity query parameters, choose Change Query at the top right-hand side of the Activity listing.
   1. Enter the Organization Unit and/or Status, then click Apply.
   2. Activities meeting the new Query selection criteria are displayed in the query results window.

3. To create a new Activity, choose the Create pushbutton.


4. Complete the activity creation starting with the General tab. The activity information includes the following fields (fields marked with an asterisk (’*’) are mandatory):
   1. Name: Name of the activity.
   2. Description: Description of the activity.
   3. Organization Unit: The organization unit to which the activity is attached.
   4. Valid From: Must be equal to or later than the Activity Category Valid From date. It is read-only.
   5. Valid To: Must be within the validity dates of the Activity Category and Organization Unit. The initial value is empty; if you do not enter a value it defaults to the Valid To of the Organization Unit or Activity Category.
      Note: Validity dates are particularly relevant to projects or contracts, which have a fixed start and finish date. For Activities with no end date or a variable end date, you can set the Valid To date far into the future.
   6. Comments: General comments about the activity.

5. Choose the Risks and Opportunities tab if you want to create risks for the activity.

6. Choose the Attachments & Links tab. Select the Add pushbutton to add files and links.

7. When you’re finished, choose one of the following pushbuttons:
   1. Submit: To activate the activity for use. After submitting the activity, you are returned to the activity query screen.
   2. Save Draft: To save a draft of the activity. After saving the draft, you can continue to work on the new activity.


Exercise 6: Create an Activity

Exercise Duration: 15 Minutes

Exercise Objectives After completing this exercise, you will be able to: • Create an Activity

Business Example CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery, including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil, the Procurement Manager, has been tasked with documenting the supply chain risks for his organization. Before Neil can document the risks, he wants to set up an Activity for the supply chain planning and execution.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1.

Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Data           Value
Name           XXX
Description    XXXX
Organization   XXXX
Valid To       XXXX

Task: Create an Activity

1. Choose GRC Risk Management → Risk Assessment work center and select Activity Management.

2. Choose the Create pushbutton and enter the following:

3. Choose Save Draft.

4. Return to the General tab and enter Comments:

5. Choose Submit.


Solution 6: Create an Activity

Task: Create an Activity

1. Choose GRC Risk Management → Risk Assessment work center and select Activity Management.
   a) This opens a popup window that displays the Activities with the attributes defined in the query.

2. Choose the Create pushbutton and enter the following:
   a) Name: GRC340-XX-Act
   b) Description: GRC340-XX-Activity
   c) Organization: XXXX
   d) Valid To: XXXX

3. Choose Save Draft.
   a) Activity saved as draft. You can continue to work on the new activity.

4. Return to the General tab and enter Comments:
   a) Enter a comment for this Activity.

5. Choose Submit.
   a) Activity activated for use.


Lesson Summary You should now be able to: • Describe the purpose of Activities • Explain how to create an Activity

Lesson: Risk/Opportunity Creation

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create a risk.

Lesson Objectives After completing this lesson, you will be able to:
• Create a risk

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery, including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil, the Procurement Manager, has been tasked with documenting the supply chain risks for his organization. Neil will be assigned as the risk owner, and he will document the risks in SAP BusinessObjects Risk Management.

Risk ’Bow-Tie’ The model for representing risks and opportunities in SAP BusinessObjects Risk Management is as follows:


Figure 16: Risk ’Bow-Tie’ Model

Risks can be linked to an Activity or directly to an Organization Unit. The risk is described in terms of drivers (i.e. events that could cause the risk to occur) and impacts (i.e. consequences if the risk event were to occur). Multiple drivers and impacts can be assigned to a risk.


Create a Risk

Figure 17: Create a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risks and opportunities with the attributes defined in the query.

2. To modify the query parameters, choose Change Query.
   1. Enter the Type, Organization Unit and/or Status and select Apply.
   2. Risks and opportunities meeting the new Query selection criteria are displayed in the query results window.

3. To create a new Risk, choose the Create pushbutton. You will be offered four options:
   1. Risk (select this option). This opens a popup window that displays the risk data tabs.
   2. With Central Risk as Template
   3. Opportunity
   4. With Central Opportunity as Template

4. Complete the risk creation starting with the General tab. The risk information includes the following (fields marked with an asterisk (“*”) are mandatory):
   1. Name: Name of the risk. When naming a risk, keep the name short and include the nature of the event, for example:
      a) Loss of senior research scientist
      b) Logistics disruption
      c) Earthquake
   2. Organization Unit: The organization unit to which the risk is attached.
   3. Secondary Organization Unit: A second organization unit to which the risk is attached.
   4. Objective: The key business objective that would be impacted by the risk.
   5. Activity: Select the Activity to which the risk is attached.
   6. Risk Category: Select the risk category from the list.
   7. Description: A description of the risk event. Use this field to add context about the risk.
   8. Valid From (system read-only default value) and Valid To (editable) define the period within which the risk can occur. You can change the Valid To date at a later time if required.
   9. Drivers:
      a) In the Show drop-down list select Drivers.
      b) Choose the Add pushbutton.
      c) Select the driver Category from the drop-down list.
      d) Enter the Description of the driver.
      e) Choose the OK pushbutton to add the driver to the risk.
   10. Impacts:
      a) In the Show drop-down list select Impacts.
      b) Choose the Add pushbutton.
      c) Select the impact Category from the drop-down list.
      d) Enter a Description of the impact.
      e) Choose the OK pushbutton to add the impact to the risk.

5. Choose the Roles tab to assign the risk owner (i.e. the person with management accountability for the risk).

6. Choose the Attachments & Links tab. Select the Add pushbutton to add files and links.


7. When you’re finished, choose one of the following pushbuttons:
   1. Submit: To activate the risk for use. After submitting the risk, you are returned to the risk query screen.
   2. Save Draft: To save a draft of the risk. After saving the draft, you can continue to work on the new risk.


Lesson: Risk/Opportunity Creation

Exercise 7: Create a Risk
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a Risk

Business Example
CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery, including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil, the Procurement Manager, has been tasked with documenting the supply chain risks for his organization. Neil will be assigned as the risk owner, and he will document the risks in SAP BusinessObjects Risk Management.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Risk
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.


Solution 7: Create a Risk
Task: Create a Risk
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risks and opportunities with the attributes defined in the query.
2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.
   a) 1. Name: GRC340-XX-Risk
      2. Organization Unit: XXXX
      3. Secondary Organization: XXXX
      4. Objective: XXXX
      5. Activity: XXXX
      6. Risk Category: GRC340-XX-Cat
      7. Description: GRC340-XX-Risk
      8. Valid To: XXXX
      9. Driver:
         a) Category: XXXX
         b) Description: XXXX


Lesson Summary
You should now be able to:
• Create a risk


Unit Summary
You should now be able to:
• Describe the purpose of Activities
• Explain how to create an Activity
• Create a risk


Unit 4: Risk Analysis

In this unit you will learn how to run a risk analysis and the relationships between risks.

Unit Overview
In this unit you will learn the various ways in which risks can be analyzed with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:
• Explain how surveys work
• Explain how to create a risk survey
• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis
• Create grouped risks
• Create risk inter-relationships
• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis
• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis
• Validate a risk analysis


Unit Contents
Lesson: Surveys ........................................ 85
  Procedure: Creating Survey Questions ................ 87
  Procedure: Creating a Survey ........................ 88
  Procedure: Scheduling a Survey ...................... 89
  Procedure: Completing a Survey ...................... 93
  Procedure: Viewing Survey Results ................... 94
  Exercise 8: Create a Risk Survey .................... 95
Lesson: Risk Analysis ................................. 100
  Procedure: Inherent Risk Analysis ................... 104
  Exercise 9: Create an Inherent Risk Analysis ........ 109
Lesson: Risk Grouping ................................. 113
  Procedure: Risk Grouping ............................ 114
  Exercise 10: Risk Grouping .......................... 117
Lesson: Risk Inter-Relationships ...................... 120
  Procedure: Creating Risk Inter-Relationships ........ 122
  Exercise 11: Risk Inter-Relationships ............... 125
Lesson: What-If Scenario .............................. 128
  Procedure: Scenario Case Creation ................... 130
  Procedure: Scenario Case Analysis ................... 132
  Procedure: Scenario Case Response ................... 134
  Procedure: Scenario Case Result Review .............. 135
  Exercise 12: What-If Scenario ....................... 137
Lesson: Monte-Carlo Analysis .......................... 142
  Procedure: Performing a Monte Carlo Analysis ........ 146
  Exercise 13: Monte Carlo Analysis ................... 149
Lesson: Risk Validation ............................... 152
  Procedure: Validating a Risk ........................ 153
  Procedure: The Validation Steps ..................... 154
  Exercise 14: Risk Validation ........................ 155


Lesson: Surveys

Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to obtain risk analysis information using a survey.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how surveys work
• Explain how to create a risk survey

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Before proceeding with the analysis, risk owners often survey their counterparts in other departments about their experience with a particular risk. Risk owners can use the survey features in SAP BusinessObjects Risk Management to identify new risks, receive and update risk information, or to create checklists.

What are Surveys?
Conducting a survey is a useful way of obtaining risk information, which in turn is used to make risk-based decisions. The value of the survey depends on the accuracy of the information the survey contains. The following figure gives an overview of the general process flow of surveys in SAP BusinessObjects Risk Management. The survey functionality leverages Adobe Interactive Forms to support offline data entry. For example, a survey recipient can complete the survey on an airplane and email the completed form back to the system.


Figure 18: Survey Process

There are three available survey types: Activity, Risk, and Risk Indicator.
• Activity Survey: Used to identify new risks and potential shortcomings related to an activity (for example, project, process).
• Risk Survey: Used to initiate a risk assessment (or re-assessment) to uncover new circumstances that might impact the risk assessment.
• Risk Indicator Survey: Used to receive manual indications on the development of a Key Risk Indicator.


Creating Survey Questions

1. Choose GRC Risk Management → Risk Assessment work center and select Questions Library. This opens a popup window that displays the question library.
2. To create a new question, choose the Create push-button.

Figure 19: Create Question

3. Complete the question creation. The question information includes the following (fields marked with an asterisk (‘*’) are mandatory):
   1. Category: Survey type (i.e., Activity, Risk, or KRI)
   2. Question: The question that you want answered
   3. Active: To indicate if the survey is active
   4. Answer Type: The desired type of answer, as one of the following:
      a) Rating (1 – 5)
      b) Yes / No / NA
      c) Text
      d) Percentage
      e) Amount
4. Choose the Save push-button to save the question.


Creating a Survey

1. Choose GRC Risk Management → Risk Assessment work center and select Survey Library. This opens a popup window that displays the survey library.

Figure 20: Create Survey

2. To create a new survey, choose the Create push-button.
3. Complete the survey creation. The survey information includes the following (fields marked with an asterisk (‘*’) are mandatory):
   1. Category: Survey type (i.e., Activity, Risk, or KRI)
   2. Title: Survey title.
   3. Description: Description of the survey.
   4. Active: To indicate if the survey is active.
4. To add Questions to the survey:
   1. Choose the Add push-button. This opens a popup that displays the available survey questions (see Creating Survey Questions).
   2. Select the question that you want to include in the survey and choose the OK push-button.
5. Choose the Save push-button to save the survey.


Scheduling a Survey

1. Choose GRC Risk Management → Risk Monitoring work center and select Planner. This opens a popup window that displays all of the scheduled surveys and other planned assessment activities.
2. To schedule a survey, choose the Create push-button. You will be presented with a guided procedure starting with Enter Plan Details.

Figure 21: Survey Details

3. Enter the plan details. The plan information includes the following (fields marked with an asterisk (‘*’) are mandatory):
   1. Plan Name: Name of the survey plan
   2. Plan Activity: Select from the available plans
   3. Survey: Select from the available surveys
   4. Start Date: The date the survey will be sent
   5. Due Date: The date the completed survey must be returned
4. Choose the Next push-button and select the organization that is to complete the survey.


Figure 22: Survey Organizations

5. Choose the Next push-button. Use the radio button to select the filter procedure to apply to the survey.


Figure 23: Survey Filter

6. Choose the Next push-button. Use the radio button to review the survey plan details.


Figure 24: Survey Review

7. Choose the Activate Plan push-button to activate the survey according to its Start Date.
8. Choose the Finish pushbutton to return to the list of scheduled surveys and other planned activities.


Completing a Survey

Use
Surveys are sent as an Adobe Form attachment to the recipient’s email inbox.

Procedure
1. Open the Adobe Form attachment in the email.
2. Complete the survey and save the completed document to any local directory.
3. Reply to the email with the completed Adobe Form as an attachment.


Viewing Survey Results

Use
Now assume you are the owner of the survey and want to view the results.

Procedure
1. Choose GRC Risk Management → Risk Assessment work center.
2. If your survey category was Risk, select Risk and Opportunity Management. If your survey category was Activity, select Activity Management.
3. This opens a popup window that displays all of the risks / activities. Select the desired risk / activity and choose the Open push-button.
4. Select the Surveys tab and, from the Survey dropdown list, select from among the available surveys. All the recipients of the selected survey are displayed in the table. Questions in the survey are displayed as columns in the table.
5. Click the name of a recipient to open his / her survey form.


Exercise 8: Create a Risk Survey
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create survey questions
• Create a survey

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Before proceeding with the analysis, risk owners often survey their counterparts in other departments about their experience with a particular risk. Risk owners can use the survey features in SAP BusinessObjects Risk Management to identify new risks, receive and update risk information, or to create checklists.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task 1: Create a Risk Survey Question
1. Choose GRC Risk Management → Risk Assessment work center and select Questions Library.
2. Choose the Create pushbutton.
3. Complete the question creation as follows:
   a. Category:
   b. Question:
   c. Active:
   d. Answer Type:

4. Choose the Save push-button to save the question.

Task 2: Create a Risk Survey
1. Choose GRC Risk Management → Risk Assessment work center and select Survey Library.
2. Choose the Create push-button.
3. Complete the survey creation as follows:
   a. Category:
   b. Title:
   c. Description:
   d. Active:
4. Add Questions to the survey:
5. Choose the Save push-button.


Solution 8: Create a Risk Survey
Task 1: Create a Risk Survey Question
1. Choose GRC Risk Management → Risk Assessment work center and select Questions Library.
   a) This opens a popup window that displays the question library.
2. Choose the Create pushbutton.
   a) This opens a popup window that displays the question form.
3. Complete the question creation as follows: a. Category: b. Question: c. Active: d. Answer Type:
   a) a. Category: Risk Survey
      b. Question: What other project risks should be considered?
      c. Active: Yes
      d. Answer Type: Text
4. Choose the Save push-button to save the question.
   a) This saves the new survey question.

Task 2: Create a Risk Survey
1. Choose GRC Risk Management → Risk Assessment work center and select Survey Library.
   a) This opens a popup window that displays the survey library.
2. Choose the Create push-button.
   a) This opens a popup window that displays the survey form.
3. Complete the survey creation as follows: a. Category: b. Title: c. Description: d. Active:
   a) a. Category: Risk Survey
      b. Title: Risk Survey for Project ABC
      c. Description: The purpose of this survey is to identify new risks.
      d. Active: Yes.
4. Add Questions to the survey:
   a) a. Choose the Add push-button.
      b. Select the question that you want to include in the survey and choose the OK push-button.
5. Choose the Save push-button.
   a) This saves the new survey.


Lesson Summary
You should now be able to:
• Explain how surveys work
• Explain how to create a risk survey


Lesson: Risk Analysis

Lesson Duration: 30 Minutes

Lesson Overview
This lesson will show you how to perform an inherent risk analysis.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis

In this section you will discuss with the students the reason for doing a risk analysis and explain the different analysis types that are available within Risk Management.

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. The Risk Owner now proceeds to analyze the risks based on the information gathered. S/he can perform three types of risk analysis: Inherent risk analysis; Residual risk analysis; Planned residual risk analysis. Each type of risk analysis includes the probability of the risk event occurring and the impact of the risk event. The Risk Owner has the option of performing either a qualitative or a quantitative analysis.


Risk Analysis Types
Risk analysis involves consideration of the sources of risk, their consequences, and the likelihood that those consequences may occur. With SAP BusinessObjects Risk Management you can perform three types of analysis:
• Inherent risk analysis: The likelihood and impact of the risk with the existing response measures in place.
• Residual risk analysis: The likelihood and impact of the risk with additional response measures put in place.
• Planned residual risk analysis: The target likelihood and impact required for the risk level to be acceptable.

You can also perform quantitative or qualitative risk analysis:
• Quantitative risk analysis: Numerical probability and impact values are used in the analysis. For example:
  – Probability: 60%
  – Impact: $525,000
• Qualitative risk analysis: Scales are used to describe the likelihood and impact of the risk. For example:
  – Likelihood: 1 = Remote
  – Impact: 4 = Major Impact

The preferred analysis method is defined during configuration of the solution.

Risk Level Matrix
A Risk Level Matrix is used to portray (and rank) the results of a risk analysis. Risk ranking is an important step in the risk management process for prioritizing risks for response purposes. This section will explain how a risk level matrix is generated in SAP BusinessObjects Risk Management. As described above, risk analysis involves the consideration of the likelihood (or probability) that a risk event will occur, and the potential negative impact that could result. One of the simplest methods of portraying the results of a risk analysis is a risk level matrix.


Figure 25: Risk Level Matrix

This matrix serves three purposes:
• It converts the likelihood of the risk event occurring and the impact of occurrence into risk levels (as shown by the letter designations in the cells: L, M, H).
• It helps you prioritize risks based on their risk level, as shown by the numbers next to the risk levels (where 1 is the highest priority and 3 is the lowest priority).
• When coupled with the risk level definitions at the right, it provides a final check on the resulting risk level ratings in terms of the required management action.

A risk level matrix is typically presented as a 3 x 3 or 5 x 5, although other variations are possible in SAP BusinessObjects Risk Management, such as a 7 x 7. A 5 x 5 matrix should be sufficient to help you prioritize risks. The bigger the matrix, the more difficult it will be to come up with differentiating definitions of the likelihood and impact bands. The risk level matrix is designed such that the higher risk levels appear in the upper right hand corner while lower level risks appear near the lower left hand corner. An important way to ensure that the risk level matrix is self-explanatory is by “calibrating” the likelihood scale using quantitative or qualitative definitions. For example:

Calibrating Probability Levels:

Level | Quantitative Calibration (Probability) | Qualitative Calibration (Frequency)
1     | 1% - 9%                                | Remote; Occurs once every 20 years
2     | 10% - 29%                              | Unlikely; Occurs once every 5 to 20 years
3     | 30% - 49%                              | Possible; Occurs once every 2 to 5 years
4     | 50% - 75%                              | Likely; Occurs once per year
5     | 76% - 99%                              | Highly Likely; Occurs multiple times a year

Calibrating Impact Levels (e.g. Brand Impact):

Level | Quantitative Calibration | Qualitative Calibration
1     | -                        | Inconsequential
2     | -                        | Minor; Local media < 3 days of coverage
3     | -                        | Moderate; National media < 3 days of coverage
4     | -                        | Major; National media > 3 days of coverage
5     | -                        | Catastrophic; High profile court case
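The calibration tables and the matrix logic described above, together with the quantitative example (60% probability, $525,000 impact) and the inherent/residual distinction from the Risk Analysis Types section, as a worked example added here. This is illustrative Python written for this page, not SAP code and not the product's matrix configuration. The probability bands are taken from the Calibrating Probability Levels table; the monetary impact thresholds, the 5 x 5 cell values with their priorities, and the choice to aggregate several impact categories by taking the worst level are assumptions made for the example.

```python
"""Risk level matrix: quantitative inputs -> 1-5 levels -> risk level and priority.

Added illustration for the GRC340 risk analysis lesson; not SAP code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Probability bands from the "Calibrating Probability Levels" table.
# Each entry is (upper bound of the band as a fraction, likelihood level).
PROBABILITY_BANDS: List[Tuple[float, int]] = [
    (0.09, 1),  # Remote
    (0.29, 2),  # Unlikely
    (0.49, 3),  # Possible
    (0.75, 4),  # Likely
    (0.99, 5),  # Highly Likely
]

# Monetary impact bands. ASSUMPTION: the impact table above leaves the
# quantitative column blank, so these thresholds are constructed here.
IMPACT_BANDS: List[Tuple[float, int]] = [
    (10_000, 1),        # Inconsequential
    (100_000, 2),       # Minor
    (500_000, 3),       # Moderate
    (2_000_000, 4),     # Major
    (float("inf"), 5),  # Catastrophic
]

# Constructed 5 x 5 matrix: rows = likelihood level, columns = impact level.
# Higher risk sits toward the upper-right (high likelihood, high impact),
# the shape the text describes; the cell values are an assumption.
RISK_MATRIX: List[List[str]] = [
    # impact: 1    2    3    4    5
    ["L", "L", "L", "M", "M"],  # likelihood 1
    ["L", "L", "M", "M", "H"],  # likelihood 2
    ["L", "M", "M", "H", "H"],  # likelihood 3
    ["M", "M", "H", "H", "H"],  # likelihood 4
    ["M", "H", "H", "H", "H"],  # likelihood 5
]

# Priority shown next to each risk level: 1 = highest, 3 = lowest.
PRIORITY: Dict[str, int] = {"H": 1, "M": 2, "L": 3}


def probability_to_level(probability: float) -> int:
    """Map a quantitative probability (fraction 0.0 - 1.0) to a 1-5 likelihood level."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be a fraction between 0 and 1, got {probability}")
    for upper, level in PROBABILITY_BANDS:
        if probability <= upper:
            return level
    return 5  # anything above 99% lands in the top band


def impact_to_level(amount: float) -> int:
    """Map a monetary impact to a 1-5 impact level using the constructed bands."""
    if amount < 0:
        raise ValueError("impact amount cannot be negative")
    for upper, level in IMPACT_BANDS:
        if amount <= upper:
            return level
    return 5


def rate(likelihood_level: int, impact_level: int) -> Tuple[str, int]:
    """Look up the risk level (L/M/H) and its priority in the matrix."""
    if not (1 <= likelihood_level <= 5 and 1 <= impact_level <= 5):
        raise ValueError("likelihood and impact levels must be between 1 and 5")
    level = RISK_MATRIX[likelihood_level - 1][impact_level - 1]
    return level, PRIORITY[level]


@dataclass
class Analysis:
    analysis_type: str     # "Inherent Risk", "Residual Risk" or "Residual Risk (Planned)"
    likelihood_level: int
    impact_level: int      # worst level across categories (ASSUMPTION: max aggregation)
    risk_level: str
    priority: int


def analyze(analysis_type: str, probability: float, impacts: Dict[str, float]) -> Analysis:
    """Run one quantitative analysis: a probability plus one amount per impact category."""
    if not impacts:
        raise ValueError("at least one impact category is required")
    likelihood = probability_to_level(probability)
    impact = max(impact_to_level(amount) for amount in impacts.values())
    level, priority = rate(likelihood, impact)
    return Analysis(analysis_type, likelihood, impact, level, priority)


def compare(inherent: Analysis, residual: Analysis) -> Dict[str, int]:
    """Report how far the response measures moved the risk inside the matrix."""
    return {
        "likelihood_delta": residual.likelihood_level - inherent.likelihood_level,
        "impact_delta": residual.impact_level - inherent.impact_level,
        "priority_delta": residual.priority - inherent.priority,
    }


if __name__ == "__main__":
    # Constructed sample: the lesson's quantitative example (60%, $525,000) as the
    # inherent analysis, and a constructed residual analysis after response measures.
    inherent = analyze("Inherent Risk", 0.60, {"Financial": 525_000, "Brand": 50_000})
    residual = analyze("Residual Risk", 0.20, {"Financial": 80_000, "Brand": 5_000})
    print(inherent)
    print(residual)
    print(compare(inherent, residual))
```

Running the block rates the constructed inherent analysis as H / priority 1 (likelihood 4, impact 4) and the constructed residual analysis as L / priority 3, and reports the movement between them. Because the matrix in the product is configured per installation, read the cell values here as the shape the text describes, not as defaults.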


Inherent Risk Analysis

Use
To perform an inherent risk analysis:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk that you want to analyze and choose the Open push-button. This opens a popup window that displays the risk information.


Figure 26: Risk General

4. Select the Analysis tab. Notice the table on the right side with the three types of analysis: Inherent Risk, Residual Risk, and Residual Risk (Planned).


Figure 27: Risk Analysis

5. Choose the Create New Analysis push-button. The Analysis Date will display today’s date.
6. Select Inherent Risk.
   1. Enter the Probability (or select the likelihood, depending on how your organization’s system is configured).
   2. Choose the Impact Category Allocation push-button. This opens a popup window where you enter the impact information.


Figure 28: Impact Category Allocation

7. For each Impact Category:
   1. Select the Analysis Method.
   2. If you select Quantitative, enter a figure in the Impact column.
   3. If you select Qualitative, select the Impact Level from the drop-down list.
8. Choose OK.


Figure 29: Example Qualitative Impact Analysis

9. Choose the Save push-button to save the results of your analysis.


Exercise 9: Create an Inherent Risk Analysis
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create an Inherent Risk Analysis

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. The Risk Owner now proceeds to analyze the risks based on the information gathered. S/he can perform three types of risk analysis: Inherent risk analysis; Residual risk analysis; Planned residual risk analysis. Each type of risk analysis includes the probability of the risk event occurring and the impact of the risk event. The Risk Owner has the option of performing either a qualitative or a quantitative analysis.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create an Inherent Risk Analysis
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
4. Select the Analysis tab.
5. Choose the Create New Analysis push-button.


6. Select Inherent Risk and enter the probability.
7. Choose the Impact Category Allocation push-button.
8. Choose OK, then the Save push-button.


Solution 9: Create an Inherent Risk Analysis
Task: Create an Inherent Risk Analysis
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risk table for the selected organization unit.
2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   a) Select Type as Risk.
   b) Select the organization unit GRC340-XX-Org.
   c) Choose the Apply pushbutton.
   d) Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
   a) This opens a popup window that displays the risk information.
4. Select the Analysis tab.
   a) A table is displayed on the right side with the three types of analysis: Inherent Risk, Residual Risk, and Residual Risk (Planned).
5. Choose the Create New Analysis push-button.
   a) The Analysis Date will display today’s date.
6. Select Inherent Risk and enter the probability.
   a) Probability: XX%
7. Choose the Impact Category Allocation push-button.
   a) This opens a popup window where you enter the impact information.
   b) Select the Impact Category XXXXX.
   c) Select the Quantitative Analysis Method and enter $XXXXXX in the Impact column.
8. Choose OK, then the Save push-button.
   a) Analysis results saved.


Lesson Summary
You should now be able to:
• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis


Lesson: Risk Grouping

Lesson Duration: 20 Minutes

Lesson Overview
This lesson will show you how to group risks.

Lesson Objectives
After completing this lesson, you will be able to:
• Create grouped risks

You will discuss with the students why certain risks may be grouped together under a parent risk.

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Once all the risks have been identified and documented, it is often necessary to consolidate groups of risks into one parent risk. This consolidation helps in rolling up risk information, thus reducing the number of risks that need to be analyzed. Reporting is also made simpler by viewing risk levels of consolidated risk groups rather than the complete set of risks.


Risk Grouping

Use
To group risks:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance pushbutton.
3. Select the risk that you want to analyze and choose the Open push-button. This opens a popup window that displays the risk information.
4. Select the Underlying Risks tab. In the table at the bottom of the window you will see a list of risks grouped under the risk.


Figure 30: Underlying Risks

5. To add a risk:
   1. Choose the Assign push-button.
   2. Select the Organization Unit, Activity, Risk Category, and/or Name to pinpoint the risks to be grouped.
   3. Choose the Go push-button.
   4. Select the risk and choose the OK push-button.
   5. Repeat as often as needed.
6. Choose the Save push-button to save the grouped risks.


Exercise 10: Risk Grouping
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create grouped risks

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Once all the risks have been identified and documented, it is often necessary to consolidate groups of risks into one parent risk. This consolidation helps in rolling up risk information, thus reducing the number of risks that need to be analyzed. Reporting is also made simpler by viewing risk levels of consolidated risk groups rather than the complete set of risks.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create Grouped Risks
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
4. Select the Underlying Risks tab.
5. Add a risk:
6. Choose the Save pushbutton.

© 2010 SAP AG. All rights reserved.

117

Solution 10: Risk Grouping
Task: Create Grouped Risks
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risk table for the selected organization unit.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   a) Select Type as Risk.
   b) Select the organization unit XXXXX.
   c) Choose the Apply push-button.
   d) Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
   a) This opens a popup window that displays the risk information.
4. Select the Underlying Risks tab.
   a) Review the risks grouped under the risk.
5. Add a risk:
   a) Choose the Assign push-button.
   b) Select: Organization Unit: GRC340-XX-Org (Activity, Risk Category, Name: Leave blank)
   c) Choose the Go push-button.
   d) Select the risk GRC340-XX-Risk and choose the OK push-button.
6. Choose the Save push-button.
   a) Grouped risks are saved.

Lesson Summary
You should now be able to:
• Create grouped risks

Lesson: Risk Inter-Relationships
Lesson Duration: 20 Minutes

Lesson Overview This lesson will show you how to establish relationships between risks.

Lesson Objectives
After completing this lesson, you will be able to:
• Create risk inter-relationships

In this lesson you will discuss with the students why a risk may influence another risk and show how it is put into the Risk Management system.

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Risks often do not occur in silos, and the occurrence of one risk could have an influence on one or more other risks. SAP BusinessObjects Risk Management allows users to find and add all risks that influence the current risk along with the influence factors.

Influence Factors
In SAP BusinessObjects Risk Management, risk inter-relationships are modeled using Influence Factors. The inter-relationships are also used in Scenario Analysis and Monte Carlo Analysis. The risk inter-relationships illustrated in this example are defined by indicating whether a risk: (i) causes (or influences) another risk; (ii) is itself the result of another risk; or (iii) has no relationship to another risk. The "strength" of the relationship is expressed as either strong, medium, or weak, as illustrated by the arrow thickness in the illustration.

The risk influence evaluation can be quantitative or qualitative. The quantitative evaluation method specifies the influence factor on the current risk's “impact” and “probability” using a percentage number. The qualitative evaluation method specifies the Correlation strength in terms of High Positive Influence, Low Positive Influence, No Influence, Low Negative Influence, or High Negative Influence. There are several benefits in using Influence Factors, including:
• Increased risk scenario flexibility
• Richer risk analysis
• Simulate the effect of business decisions

Creating Risk Inter-Relationships

Use
To create risk inter-relationships:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk that you want to analyze and choose the Open push-button. This opens a popup window that displays the risk information.
4. Select the Influenced Risks tab. In the table at the bottom of the window you will see a list of risks that are “influenced” by the open risk.

Figure 31: Influenced Risks

5. To add a risk inter-relationship:
   1. Choose the Create Influence Factor push-button. This opens a popup window that displays the influence factor information.
   2. Choose the Go push-button.
   3. Select the risk and choose the OK push-button. Now you will see the selected risk along with its Organization Unit, Activity Category, and Risk Classification.
   4. Select the preferred Evaluation Type radio button.
      a) Quantitative: Allows you to enter numeric influencing factors for the impact and probability.
      b) Qualitative: Allows you to enter correlation strength. (The qualitative types are configured items.)
   5. Enter either the Influence factor on Impact and Influence factor on Probability or the Correlation Strength.
   6. Choose the OK push-button.

Figure 32: Create Influence Factor

6. Choose the Save push-button to save the influenced risks.

Exercise 11: Risk Inter-Relationships
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create risk inter-relationships

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Risks often do not occur in silos, and the occurrence of one risk could have an influence on one or more other risks. SAP BusinessObjects Risk Management allows users to find and add all risks that influence the current risk along with the influence factors.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create Risk Inter-Relationships

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
4. Select the Influenced Risks tab.
5. Add a risk inter-relationship:
6. Choose the Save push-button.

Solution 11: Risk Inter-Relationships
Task: Create Risk Inter-Relationships
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risk table for the selected organization unit.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   a) Select Type as Risk.
   b) Select the organization unit GRC340-XX-Org.
   c) Choose the Apply push-button.
   d) Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
   a) This opens a popup window that displays the risk information.
4. Select the Influenced Risks tab.
   a) The table at the bottom of the window will list the risks that are “influenced” by the open risk.
5. Add a risk inter-relationship:
   a) Choose the Create Influence Factor push-button.
   b) Select the Name of influenced risk. You will see a popup window. Select:
      Organization Unit = GRC340-XX-Org
      Activity = GRC340-XX-Act
      Risk Category = GRC340-XX-Cat
   c) Choose the Go push-button.
   d) Select the risk GRC340-XX-Risk and choose the OK push-button.
   e) Select the preferred Evaluation Type radio button = Quantitative.
   f) Enter the Influence factor on Impact = 1.2 and Influence factor on Probability = 1.5.
   g) Choose the OK push-button.
6. Choose the Save push-button.
   a) Influenced risk is saved.

Lesson Summary
You should now be able to:
• Create risk inter-relationships

Lesson: What-If Scenario
Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create a business scenario that involves risks.

Lesson Objectives
After completing this lesson, you will be able to:
• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. The risk management team has the option of defining “Scenarios” to describe plausible risks and the impacts. A Scenario helps the risk team address complex risk conditions and options. The risk team can create different cross-organizational Scenarios and analyze them.

What is a Scenario?
A scenario is a story used to describe plausible future risk and associated negative (or positive) impacts. A scenario provides a basis for communicating complex risk conditions and options. A scenario is an event that links risks in a logical way, and then shows the effect of changes on these events. With SAP BusinessObjects Risk Management you can create different scenarios and analyze them individually.

Figure 33: Scenario Creation Process

Scenario Case Creation

Use
Before you create a scenario case you must first define the scenario classification and sub-classification.

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.
2. To display scenarios created by other users, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   1. Select the Creator of the scenario.
   2. Select the scenario Status (Draft, In process, Cancelled).
   3. Choose the Hide Quick Criteria Maintenance push-button.
3. Choose the Create push-button. Select Classification. This opens a popup window. Enter the Name and Description of the scenario Classification. Choose the Save push-button.
4. Select the scenario Classification that you just created and choose the Create push-button. Select Subclassification. This opens a popup window. Enter the Name and Description of the scenario Subclassification. Choose the Save push-button.
5. Select the scenario Classification and subclassification that you just created and choose the Create push-button. Select Case. This opens a popup window.

Figure 34: Scenario Case Creation

6. In the Component tab, enter the following:
   1. Name: Short name of the case.
   2. Description: Description of the scenario.
   3. Cause: The drivers behind the scenario.
   4. Rational for Likelihood: Why you believe the scenario could materialize.
   5. Likelihood: The likelihood that the scenario could occur.
   6. Currency: Used for the analysis of the scenario.
7. In the Risks table at the bottom of the window you can assign the primary risk events that might occur in the scenario. The system automatically retrieves all related Influence Factors (which you can delete if you don’t want them in the scenario). To assign risks to the scenario:
   1. Choose the Assign push-button. This opens a popup window to select the risks that are to be assigned to the scenario.
   2. Optional: Select the Organization Unit, Activity, Risk Category, and/or risk Name.
   3. Choose the Go push-button.
   4. Select the risks and choose the OK push-button.
   5. Choose the Save push-button.

Scenario Case Analysis

Use
To analyze a scenario:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.
2. Select the scenario and choose the Open push-button. Select Case.
3. Select the Assumption tab.

Figure 35: Scenario Case Analysis

4. Enter the following values for the scenario:
   1. Overall Change on Probability: Enter a percentage for the overall change in probability of the risks occurring under the scenario.
   2. Overall Change on Impact: Enter a percentage for the overall change in the risk impacts under the scenario.
   3. Overall Benefit from Scenario: If applicable, enter the estimated benefit in monetary terms that would result under the scenario.

5. Choose the Apply Overall Changes push-button to apply the above assumptions for the scenario. This will apply the assumptions to the risks linked to the scenario. Choose the Reset push-button to reset the values.

Figure 36: Scenario Case Assumptions

6. Choose the Save push-button to save the assumptions.

Scenario Case Response

Use
To view and/or create response plans for a scenario:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.
2. Select the scenario and choose the Open push-button. Select Case.
3. Select the Response tab. You will see all the responses related to the risks assigned to the scenario.

Figure 37: Scenario Case Response

4. You can Create or Assign new risk responses, or Open the risk to view the risk details. Risk response tasks are covered in detail in the Unit Risk Response.

Scenario Case Result Review

Use
To prepare response plans for a scenario:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.
2. Select the scenario and choose the Open push-button. Select Case.
3. Select the Result tab. You will see a summary of the calculated results for each impact category. The results are shown without and with the scenario use, as well as with the scenario before and after responses.

Figure 38: Scenario Case Results

Exercise 12: What-If Scenario
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a Scenario Case

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. The risk management team has the option of defining “Scenarios” to describe plausible risks and the impacts. A Scenario helps the risk team address complex risk conditions and options. The risk team can create different cross-organizational Scenarios and analyze them.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Scenario Case
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis.
2. To display scenarios created by other users, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
3. Choose the Create push-button. Select Classification.
4. Select the scenario Classification that you just created and choose the Create push-button. Select Subclassification.
5. Select the scenario Classification and subclassification that you just created and choose the Create push-button. Select Case.
6. In the Risks table at the bottom of the window assign the primary risk events that might occur in the scenario. The system automatically retrieves all related Influence Factors (which you can delete if you don’t want them in the scenario). To assign risks to the scenario:

Solution 12: What-If Scenario
Task: Create a Scenario Case
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis.
   a) This opens a popup window that displays the different scenarios created.
2. To display scenarios created by other users, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   a) Leave the Creator and Status fields blank. Choose the Hide Quick Criteria Maintenance push-button.
3. Choose the Create push-button. Select Classification.
   a) This opens a popup window. Enter the following:
      1. Name: GRC340-XX-Class
      2. Description: GRC340-XX-Classification
      Choose the Save push-button.
4. Select the scenario Classification that you just created and choose the Create push-button. Select Subclassification.
   a) This opens a popup window. Enter the following:
      1. Name: GRC340-XX-Sub
      2. Description: GRC340-XX-Subclassification
      Choose the Save push-button.
5. Select the scenario Classification and subclassification that you just created and choose the Create push-button. Select Case.
   a) This opens a popup window. In the Component tab, enter the following:
      1. Name: GRC340-XX-Case
      2. Description: GRC340-XX-Case
      3. Cause: XXXXX
      4. Rational for Likelihood: XXXXX
      5. Likelihood: XXXXX
      6. Currency: USD
6. In the Risks table at the bottom of the window assign the primary risk events that might occur in the scenario. The system automatically retrieves all related Influence Factors (which you can delete if you don’t want them in the scenario). To assign risks to the scenario:
   a) Choose the Assign push-button. This opens a popup window to select the risks that are to be assigned to the scenario. Select the following:
      1. Organization Unit: GRC340-XX-ORG
      2. Activity: GRC340-XX-Act
      3. Risk Category: Leave blank
      4. Name: Leave blank
   b) Choose the Go push-button.
   c) Select the risk GRC340-XX-Risk and choose the Go push-button.
   d) Choose the Save push-button.

Lesson Summary
You should now be able to:
• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis

Lesson: Monte-Carlo Analysis
Lesson Duration: 30 Minutes

Lesson Overview
Monte-Carlo Analysis

Lesson Objectives
After completing this lesson, you will be able to:
• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Risk Management 3.0 provides risk managers with the ability to simulate complex risk scenarios through the use of Monte Carlo analysis. The Monte Carlo method is a method for analyzing the effect of uncertainty. Using this analysis technique, the risk team can determine how random variation or lack of knowledge affects the impact of risks. Impacts are randomly generated from probability distributions to simulate the process of sampling from an actual population. The data generated from the simulation can be represented as probability distributions (or histograms).

Introduction to Monte Carlo Analysis
Simulation is any analytical method that is meant to represent a real-life system. Monte Carlo analysis is a type of simulation that randomly generates values for uncertain variables over and over to simulate a model. In the context of risk management, we are trying to simulate the expected loss resulting from a risk event.

Monte Carlo analysis was named for the casinos of Monte Carlo, Monaco. Games of chance such as roulette wheels, dice, and slot machines exhibit random behavior. For example, if you roll a die, you know that either a 1, 2, 3, 4, 5, or 6 will come up, but you don’t know which for any particular trial. It is the same with risk exposure. You may know the range of loss values, but you would be uncertain as to the value for any particular occurrence of the risk event. Possible loss values are defined with probability distributions. The type of distribution used depends on the conditions surrounding the risk. In SAP BusinessObjects Risk Management 3.0 the following probability distributions are provided:

Figure 39: Probability Distributions

• Discrete: Describes distinct loss values with no intermediate values. If you were to roll a die over and over, recording the results as you go, you would end up with a uniform structure with results ranging from 1 through 6. The result is a Discrete (equal probability that the number will be between 1 and 6) Uniform Distribution.
• Continuous: Assumes an infinite number of loss values between any two points in the distribution. Variables in a Continuous uniform distribution can randomly occur anywhere between finite or infinite values. Unlike the Discrete distribution, the results are not constrained (i.e., variables do not produce discrete results like rolling a single die).
• Normal: A Normal distribution (“bell curve”) is based on random results that are weighted by a predetermined average or mean, and a standard deviation. The standard deviation is a measure of variability from the mean. For example, if you were to take a poll of co-workers and have them guess a colleague’s age, you might wind up with a bell-shaped distribution curve with a mean value of 40 and a standard deviation of 1. Normal curves tend to have even distributions around the mean.
• Lognormal: Lognormal distributions are similar to normal distributions, but are generally characterized by a very large number of independent, identically-distributed variables whose natural log results in a normal distribution. Lognormal Distributions start at 0 and are skewed right. The degree of skewness increases as the standard deviation increases with the logarithmic mean held constant.

To select the correct probability distribution, start by looking at the risk in question. You might be able to gather historical loss information for similar risk events. If historical information is not available, use your judgement based on experience. Next, select the distribution that best characterizes the risk.

Performing a Monte Carlo Analysis

Use
To perform a Monte Carlo Analysis:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis using Monte Carlo. This opens a popup window that displays saved analysis scenarios. Choose the Create push-button. This opens a popup window.
2. Select the Component tab and enter the following:
   1. Name: The name of the analysis.
   2. Currency: The currency used to present the analysis results.
   3. Certainty: A percentage value between 50% and 99.99%.
   4. Description: A description of the analysis.
3. In the Risks table at the bottom of the window assign the risk events that you want to simulate. The system automatically retrieves all related Influence Factors. To assign risks to the analysis:
   1. Choose the Assign push-button. This opens a popup window to select the risks that are to be assigned to the analysis.
   2. Optional: Select the Organization Unit, Activity, Risk Category, and/or risk Name.
   3. Choose the Go push-button.
   4. Select the risks and choose the OK push-button.
   5. Choose the Save push-button.
4. Select the Assumption tab and enter the following:
   1. Number of Runs: The number of times you want to perform the analysis. For example, 5000.
   2. Frequency Distribution: Select the risk and enter the number of random numbers generated each run. For example, 2.
   3. Severity Distribution: For the selected risk, choose the probability distribution for the risk from the drop down (i.e., Continuous, Discrete, Lognormal, Normal). Next, choose the Details push-button and enter the parameters related to the selected probability distribution.
5. Choose the Simulate push-button. This will perform the analysis according to the Number of Runs that you specified.

6. When the simulation completes select the Result tab. Here you will see the following simulation results for the Certainty defined on the Component tab:
   1. The Average Case Impact.
   2. The Worst Case Impact.
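The Assumption and Result tabs above describe a frequency/severity simulation: a number of severity draws per run, a severity distribution chosen from the four the course lists, a Number of Runs, and a Certainty for which the Average Case and Worst Case Impact are reported. The Python below is an added example, not code from SAP BusinessObjects Risk Management; it assumes that each run sums its `frequency` severity draws and that the Worst Case Impact is the run total at the Certainty percentile of all runs, and every distribution parameter and loss value in it is a constructed sample input.

```python
"""Frequency/severity Monte Carlo simulation of risk impact (added example)."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple, Union


# The four severity distributions the course lists under Figure 39.
@dataclass(frozen=True)
class Discrete:
    values: Sequence[float]      # equally likely loss values, e.g. a die: 1..6

@dataclass(frozen=True)
class Continuous:
    low: float                   # any value between low and high can occur
    high: float

@dataclass(frozen=True)
class Normal:
    mean: float
    std_dev: float

@dataclass(frozen=True)
class Lognormal:
    log_mean: float              # mean of ln(loss); the distribution starts at 0
    log_std_dev: float           # a larger value gives a stronger right skew

Severity = Union[Discrete, Continuous, Normal, Lognormal]


def draw_severity(dist: Severity, rng: random.Random) -> float:
    """One loss amount sampled from the chosen severity distribution."""
    if isinstance(dist, Discrete):
        return float(rng.choice(dist.values))
    if isinstance(dist, Continuous):
        return rng.uniform(dist.low, dist.high)
    if isinstance(dist, Normal):
        return rng.gauss(dist.mean, dist.std_dev)
    if isinstance(dist, Lognormal):
        return rng.lognormvariate(dist.log_mean, dist.log_std_dev)
    raise TypeError(f"unsupported distribution {dist!r}")


def valid_certainty(certainty: float) -> bool:
    """Component tab rule: Certainty is a percentage between 50% and 99.99%."""
    return 50.0 <= certainty <= 99.99


def percentile(ascending: List[float], pct: float) -> float:
    """Linearly interpolated percentile of an already sorted list."""
    pos = (pct / 100.0) * (len(ascending) - 1)
    lo = math.floor(pos)
    hi = min(lo + 1, len(ascending) - 1)
    return ascending[lo] + (ascending[hi] - ascending[lo]) * (pos - lo)


def histogram(ascending: List[float], bins: int = 10) -> List[Tuple[float, float, int]]:
    """Bucket the run totals into (lower, upper, count) rows for a histogram."""
    low, high = ascending[0], ascending[-1]
    width = (high - low) / bins or 1.0          # all-equal totals: one bucket
    counts = [0] * bins
    for x in ascending:
        counts[min(int((x - low) / width), bins - 1)] += 1
    return [(low + i * width, low + (i + 1) * width, c) for i, c in enumerate(counts)]


def simulate(severity: Severity, frequency: int, runs: int = 5000,
             certainty: float = 80.0, seed: int = 0) -> Dict[str, object]:
    """Simulate `runs` periods and return the figures shown on the Result tab.

    frequency: severity draws per run (Frequency Distribution field, e.g. 2)
    runs:      Number of Runs field (e.g. 5000)
    certainty: Certainty field; Worst Case Impact is the run total at this
               percentile of the simulated runs (this example's assumption)
    """
    if not valid_certainty(certainty):
        raise ValueError("Certainty must be between 50% and 99.99%")
    if frequency < 1 or runs < 1:
        raise ValueError("frequency and runs must be positive")
    rng = random.Random(seed)    # fixed seed: results can be reproduced for audit
    totals = sorted(sum(draw_severity(severity, rng) for _ in range(frequency))
                    for _ in range(runs))
    return {
        "average_case_impact": sum(totals) / runs,
        "worst_case_impact": percentile(totals, certainty),
        "histogram": histogram(totals),
    }


if __name__ == "__main__":
    # Constructed inputs in the shape of Solution 13: Normal severity, one draw
    # per run, 5000 runs, 80% certainty; the mean and std dev are made-up values.
    result = simulate(Normal(mean=100_000.0, std_dev=10_000.0), frequency=1, seed=7)
    print(f"Average Case Impact: {result['average_case_impact']:,.0f}")
    print(f"Worst Case Impact (80% certainty): {result['worst_case_impact']:,.0f}")
    for lower, upper, count in result["histogram"]:
        print(f"{lower:>10,.0f} - {upper:>10,.0f} {'#' * (count // 50)}")
```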

Exercise 13: Monte Carlo Analysis
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Perform a Monte Carlo Analysis

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Risk Management 3.0 provides risk managers with the ability to simulate complex risk scenarios through the use of Monte Carlo analysis. The Monte Carlo method is a method for analyzing the effect of uncertainty. Using this analysis technique, the risk team can determine how random variation or lack of knowledge affects the impact of risks. Impacts are randomly generated from probability distributions to simulate the process of sampling from an actual population. The data generated from the simulation can be represented as probability distributions (or histograms).

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1.
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Perform a Monte Carlo Analysis
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis using Monte Carlo.
2. Select the Component tab and enter the following:
3. In the Risks table at the bottom of the window, assign the following risk to the analysis.
4. Select the Assumption tab and enter the following:
5. Choose the Simulate push-button.
6. When the simulation completes select the Result tab.

Solution 13: Monte Carlo Analysis
Task: Perform a Monte Carlo Analysis
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis using Monte Carlo.
   a) This opens a popup window that displays saved analysis scenarios. Choose the Create push-button. This opens a popup window.
2. Select the Component tab and enter the following:
   a) Name: GRC340-XX-Comp
   b) Currency: USD
   c) Certainty: 80%
   d) Description: GRC340-XX-Component
3. In the Risks table at the bottom of the window, assign the following risk to the analysis.
   a) Organization Unit: GRC340-XX-Org
   b) Activity: GRC340-XX-Act
   c) Risk Category: Leave blank
   d) Name: Leave blank
4. Select the Assumption tab and enter the following:
   a) Number of Runs: 5000
   b) Frequency Distribution: Select the risk XXXXX and enter 1 as the number of random numbers generated each run.
   c) Severity Distribution: Choose the probability distribution Normal for the risk.
   d) Choose the Details push-button and enter the following parameters related to the selected probability distribution:
      1. Standard Deviation: XXXXX
      2. Mean Value: XXXXX
5. Choose the Simulate push-button.
   a) This will perform the analysis according to the Number of Runs that you specified.
6. When the simulation completes select the Result tab.
   a) Review the Average Case Impact and the Worst Case Impact.

Lesson Summary
You should now be able to:
• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis

Lesson: Risk Validation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to validate a risk analysis.

Lesson Objectives
After completing this lesson, you will be able to:
• Validate a risk analysis

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known. Risk validation is the process of reviewing and validating risks. Risk validation is optional and provides a mechanism for selective validation of critical risks.

Validating a Risk

Use

To validate a risk:

Procedure

1. Choose GRC Risk Management → Risk monitoring work center and select Planner. This opens a popup window that displays previously planned events. The Planner is a common SAP BusinessObjects component that can be used to schedule various types of activities and workflows.
2. Choose the Create push-button. This opens a guided activity popup window. Enter the following:
   1. Plan Name: The name of the risk validation plan.
   2. Plan Activity: Select Perform Risk Validation from the drop down list.
   3. Start Date: The date that the planner will initiate the workflow.
   4. Due Date: The date by which the validation must be completed.
3. Choose the Next push-button. Select the organization unit and choose the Next push-button.
4. Choose one of the following radio buttons to select the risks that are to be sent for validation:
   1. Select all Risks
   2. Select by Risk Attributes
   3. Select Specific Risk
5. Choose the Next push-button. Review the results of the planner setup. Choose the Show Detail push-button to see which risks have been selected.
6. Choose the Activate Plan push-button to activate the risk validation process.
7. Choose the Finish push-button to return to the planner table.


The Validation Steps

Use

The risk validation initiated using the Planner will create a Work Inbox assignment for the recipients (Risk Owners). To access the work assignment, the designated risk validator must do the following:

Procedure

1. Select the My Home work center under GRC Risk Management.
2. Select the Work Inbox. From the list of workflow items, select the risk validation task. This will open a popup window.

Figure 40: Risk Validation

3. Choose the Approve push-button to complete the risk validation work item.


Exercise 14: Risk Validation

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Validate a risk analysis


System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task: Validate a risk analysis

1. Choose GRC Risk Management → Risk monitoring work center and select Planner.
2. Choose the Create push-button. Enter the following:
3. Choose the Next push-button.
4. Choose the Next push-button.
5. Choose the Next push-button.


Solution 14: Risk Validation

Task: Validate a risk analysis

1. Choose GRC Risk Management → Risk monitoring work center and select Planner.
   a) This opens a popup window that displays previously planned events.
2. Choose the Create push-button. Enter the following:
   a) Plan Name: GRC340-XX-Plan.
   b) Plan Activity: Select Perform Risk Validation from the drop down list.
   c) Start Date: Enter today’s date.
   d) Due Date: XXXXX.
3. Choose the Next push-button.
   a) Select the organization unit GRC340-XX-Org.
4. Choose the Next push-button.
   a) Choose Select all Risks.
5. Choose the Next push-button.
   a) Review the results of the planner setup. Choose the Show Detail push-button to see which risks have been selected.
   b) Choose the Activate Plan push-button to activate the risk validation process.
   c) Choose the Finish push-button to return to the planner table.


Lesson Summary

You should now be able to:
• Validate a risk analysis


Unit Summary

You should now be able to:
• Explain how surveys work
• Explain how to create a risk survey
• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis
• Create grouped risks
• Create risk inter-relationships
• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis
• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis
• Validate a risk analysis


Unit 5: Risk Response

In this unit you will learn how to respond to a risk or opportunity by adding a response to a risk and running the residual risk analysis.

Unit Overview In this unit you will learn the various ways in which responses are used with SAP BusinessObjects Risk Management.

Unit Objectives

After completing this unit, you will be able to:
• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response
• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a response to a risk in the Risk Response tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)
• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response tab
• Explain how the Response Completeness and Effectiveness are updated
• Update the Response Completeness and Effectiveness and thereby create the current Residual Risk result
• Assign a Control to a Risk
• Propose a Control to manage a risk

Unit Contents

Lesson: Responses and Enhancement Plans
  Procedure: Creating a Risk Response in the Responses and Enhancement Plans catalogue
  Exercise 15: Create a Risk Response
Lesson: Response Assignment
  Procedure: Assign a Risk Response to a Risk
  Procedure: Create the Residual Risk (Planned) Analysis
  Exercise 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis
Lesson: Creating a new Response in a risk
  Procedure: Creating a new Risk Response directly within the Response Plans tab of a Risk
  Exercise 17: Create a Risk Response
Lesson: Residual Risk Analysis (current)
  Procedure: Updating a Risk Response with the current Effectiveness and Completeness results
  Procedure: View the Residual Risk Analysis
  Exercise 18: Perform Residual Risk Analysis (current)
Lesson: Assign a Control to a Risk
  Procedure: Assigning a Control to a Risk
  Exercise 19: Assign a Control to a Risk
Lesson: Control Proposal
  Procedure: Proposing a Control to a Risk
  Exercise 20: Control Proposal

Lesson: Responses and Enhancement Plans

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create a response to a risk and how to create an enhancement plan for an opportunity in the Response and Enhancement Plans catalogue.

Lesson Objectives

After completing this lesson, you will be able to:
• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response

In this lesson you will discuss creation of response or enhancement plans for risks and opportunities. Keep in mind that responses and enhancements can be made in this catalogue as well as in the risk or opportunity itself.

Business Example Some risk response measures are generic or common across many risks and applicable in many parts of the business. Maintaining a Responses catalogue allows the organization to reuse successful risk responses across different risks and different parts of the business. This technique promotes adherence to risk policy and facilitates learning.

What is the Responses & Enhancement Plans catalogue? The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

Creating a Risk Response in the Responses and Enhancement Plans catalogue

Use

To create a risk response:

Procedure

1. Choose GRC Risk Management → Risk Assessment work center and select Responses & Enhancement Plans. This opens an Active Queries window that displays the responses and enhancement plans.
2. To create a new risk response, choose the Create push-button and select Response.

Figure 41: Create Response

3. Complete the response creation. The response information includes the following (fields marked with an asterisk (‘*’) are mandatory):
   1. Name: Response title
   2. Description: Description of the response
   3. Response Details: Steps or Actions required to perform the response
   4. Organization Unit: The part of the business where the Response would be applicable (select from a dropdown pick list)
   5. Owner: The person responsible for the Response (select from drop down pick list)
   6. Type: Response Type (i.e. Accept, Watch, Transfer, Mitigate)
   7. Purpose: How the risk will be affected (i.e. Prevent, Recover)
   8. Share Response: Can the response be used by all parts of the business or not (i.e. Shared – Requires Approval, Shared – Does not require Approval, Not Shared)
   9. Status: The response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.
4. Choose the Submit push-button to save the Response.

Exercise 15: Create a Risk Response

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Create a risk response in the catalog.

Business Example

Some risk response measures are generic or common across many risks and applicable in many parts of the business. The same is true for measures to improve the positive effects of opportunities (enhancement plans). Maintaining a Responses catalogue allows the organization to reuse successful risk responses across different risks and different parts of the business. This technique promotes adherence to risk policy and facilitates learning.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.
2. Choose the Create push-button and select Response from the drop down pick list.
3. Complete the response creation as follows:
4. Choose the Submit push-button to save the Response.


Solution 15: Create a Risk Response

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.
   a) This opens the Active Queries window that displays the existing responses and enhancement plans.
2. Choose the Create push-button and select Response from the drop down pick list.
   a) This opens a popup window that displays the response form.
3. Complete the response creation as follows:
   a) Name: GRC340-XX-Response
   b) Description: GRC340-XX-Response
   c) Response Details: XXXXXXXXXXXX
   d) Organization Unit: XXXXXXXXXX (select from a dropdown pick list)
   e) Owner: XXXXXXXXXXXX (select from drop down pick list)
   f) Type: Mitigate (select from drop down pick list)
   g) Purpose: Prevent (select from drop down pick list)
   h) Share Response: Not Shared (select from drop down pick list)
   i) Status: Note that the response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.
4. Choose the Submit push-button to save the Response.
   a) This saves the new response.


Lesson Summary

You should now be able to:
• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response

Lesson: Response Assignment

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to assign a response to a risk.

Lesson Objectives

After completing this lesson, you will be able to:
• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a response to a risk in the Risk Response tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)

In this lesson you will discuss adding the response from the previous lesson to a risk that was already created.

Business Example

Once a risk has been identified and the inherent risk level analyzed, the next step is to decide what, if anything, should be done about the risk. Decisions need to be made about the measures to take to reduce the risk’s probability of occurring and/or reduce the risk’s impact if it does occur. It could be decided that no immediate action is needed or possible, and this ‘decision’ in itself needs to be recorded.

For each response the effect on the risk needs to be determined, in terms of the reduction of the probability of the risk occurring and/or the reduction in the impact(s) of the risk. It is these reduction effects that result in the calculation of the level of Residual Risk (Planned). This is the target likelihood and impact required for the risk level to be acceptable.

Assign a Risk Response to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens an Active Queries window that displays the risks and opportunities.
2. Select a Risk from the Active Queries result and choose the Open push-button. This opens a popup window that displays the risk information.

Figure 42: Risk

3. Select the Response tab.

Figure 43: Response Tab

4. If there are existing responses already assigned to the risk, these will display in the Response tab template. The main display area shows summary information about existing responses (and controls), and the lower portion of the window displays the Probability and Loss Reduction and Mitigation Effect data for the highlighted response or control for the most recent Analysis Date.
5. To assign a risk response from the Responses catalogue, choose the Assign push-button and select Response. A search dialogue popup will display.

Figure 44: Assign Existing Responses

6. The search can be restricted based on Response Name, Response Owner, and Response Type. Choose the Search push-button to search all responses.

Figure 45: Search Available Responses

7. Select a response to assign to the risk. The selected response will appear in the Responses area of the window.

Figure 46: Responses in Response Tab

8. All responses (existing and new) will show in the Responses area of the screen.
9. Choose Save to save the response and the risk.

Create the Residual Risk (Planned) Analysis

1. From the Active Queries window, choose Open to reopen the risk.
2. Select the Responses tab.
3. Highlight the response most recently created.
4. The lower part of the window displays the following information:
   1. Analysis Date
   2. Probability Reduction
   3. Total Loss Reduction
   4. Mitigation Effect

Figure 47: Responses in Response Tab

5. The values you see in these fields depend on which Response or Control is selected.
6. Depending on the system configuration setting for the Risk Analysis methods selected, and on the Impact category or categories relevant for this risk, these fields will require or show either qualitative or quantitative input.
7. Analysis Date: This shows the most recently selected Analysis Date from the Analysis tab. The default is the most recent date available.
8. Probability Reduction:
   • If a quantitative analysis method is available, enter into the Reduction field a probability percentage representing the degree of reduction in the overall probability level.
     – For example: if the Inherent Risk Probability is 90% and you enter 40% in the Probability Reduction field, the Residual Risk Probability will be 50% (90 - 40 = 50).
   • If a qualitative analysis method is available for probability, select the appropriate probability category.
9. Loss Reduction:
   • Choose the Impact Category Allocation push-button. This opens a popup window.
   • If a quantitative analysis method is available, enter the Reduction amount and, if available, additionally enter the Unit of Measurement.
   • If a qualitative analysis method is available, select the appropriate qualitative reduction effect from the Mitigation Effect dropdown picklist.
10. Choose the OK push-button to close the Impact Allocation popup window.
11. The Mitigation Effect (if it is being used) will display in the Mitigation Effect field.
12. Choose the Save push-button to save the response and its Residual Risk (Planned) Analysis.
13. To view the aggregate Residual Risk (Planned) Analysis, select the Analysis tab.
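The arithmetic behind steps 8 and 9 (a probability reduction subtracted from the inherent probability, and a loss reduction subtracted per impact category) is shown below as an added Python example; it is not code from the course or from the SAP product. It goes beyond the page's single-response illustration by combining several responses assigned to the same risk and by rejecting entries that would drive a value below zero. The additive combination of reductions, the validation rules and the figures used are assumptions, since the page does not state how the Analysis tab aggregates several responses.

```python
from dataclasses import dataclass, field


@dataclass
class InherentRisk:
    """Inherent analysis of one risk: probability in percent and the loss per
    impact category (amounts, as entered for a quantitative analysis)."""
    probability_pct: float
    impacts: dict  # impact category -> inherent loss amount


@dataclass
class Response:
    """One response assigned to the risk, with the reductions entered on the
    Response tab: probability reduction in percentage points and the loss
    reduction per impact category from the Impact Category Allocation popup."""
    name: str
    probability_reduction_pct: float = 0.0
    loss_reductions: dict = field(default_factory=dict)


def residual_risk_planned(inherent, responses):
    """Combine the reductions of all responses into the Residual Risk (Planned).

    Assumption (not stated on the page): reductions from several responses
    add up, and a combined reduction larger than the inherent value is a
    data-entry error to be reported rather than silently clamped to zero.
    """
    for r in responses:
        if r.probability_reduction_pct < 0 or any(v < 0 for v in r.loss_reductions.values()):
            raise ValueError(f"response {r.name!r}: reductions must not be negative")
        unknown = set(r.loss_reductions) - set(inherent.impacts)
        if unknown:
            raise ValueError(f"response {r.name!r}: unknown impact categories {sorted(unknown)}")

    total_prob_reduction = sum(r.probability_reduction_pct for r in responses)
    if total_prob_reduction > inherent.probability_pct:
        raise ValueError("combined probability reduction exceeds the inherent probability")
    residual_probability = inherent.probability_pct - total_prob_reduction

    residual_impacts = {}
    total_loss_reduction = 0.0
    for category, loss in inherent.impacts.items():
        reduction = sum(r.loss_reductions.get(category, 0.0) for r in responses)
        if reduction > loss:
            raise ValueError(f"combined loss reduction for {category!r} exceeds the inherent loss")
        residual_impacts[category] = loss - reduction
        total_loss_reduction += reduction

    return {
        "probability_pct": residual_probability,
        "impacts": residual_impacts,
        "total_loss_reduction": total_loss_reduction,
        # expected loss = residual probability x total residual impact
        "expected_loss": residual_probability / 100.0 * sum(residual_impacts.values()),
    }


if __name__ == "__main__":
    # Constructed figures: the page's 90% inherent probability with a 40% reduction,
    # plus the 10,000 loss reduction from Exercise 16, on a single Financial category.
    risk = InherentRisk(probability_pct=90.0, impacts={"Financial": 100_000.0})
    plan = [Response("GRC340-XX-Response", probability_reduction_pct=40.0,
                     loss_reductions={"Financial": 10_000.0})]
    print(residual_risk_planned(risk, plan))
```

The checks matter in practice: a response that claims more reduction than the inherent analysis contains would otherwise produce a negative residual, which reads as "better than no risk" on a report, so treating it as an entry error keeps the planned residual honest.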


Figure 48: Residual Risk (Planned) in Response Tab

Exercise 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Assign a risk response to a risk
• Perform a Residual Risk (Planned) analysis

Business Example

Risk Response: Once a risk has been identified and the inherent risk level analyzed, the next step is to decide what, if anything, should be done about the risk. Decisions need to be made about the measures to take to reduce the risk’s probability of occurring and/or reduce the risk’s impact if it does occur. It could be decided that no immediate action is needed or possible, and this ‘decision’ in itself needs to be recorded.

Residual Risk (Planned) Analysis: For each response the effect on the risk needs to be determined, in terms of the reduction of the probability of the risk occurring and/or the reduction in the impact(s) of the risk. It is these reduction effects that result in the calculation of the level of Residual Risk (Planned). This is the target likelihood and impact required for the risk level to be acceptable.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task 1: Assign a Risk Response

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
4. Select the Response Plans tab.
5. Assign a response to the risk:
6. Choose the Search push-button to search for available Responses.
7. Select a Response by highlighting it and choose the OK push-button.
8. Save the Response.

Task 2: Creating a Residual Risk (Planned) Analysis

1. Open the Risk in the Active Query window.
2. Navigate to the Responses tab.
3. Select the newly created response from the Response Plans summary by highlighting it. The lower part of the window displays the following information:
   a) Analysis Date
   b) Probability Reduction
   c) Total Loss Reduction
   d) Mitigation Effect
4. Choose the OK push-button.
5. Choose the Save push-button.


Solution 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis

Task 1: Assign a Risk Response

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risk table for the selected organization unit.
2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   a) Select Type as Risk.
   b) Select the organization unit GRC340-XX-Org.
   c) Choose the Apply push-button.
   d) Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk GRC340-XX-Risk and choose the Open push-button.
   a) This opens a popup window that displays the risk information.
4. Select the Response Plans tab.
   a) A table is displayed showing a summary of existing Responses and Controls for this risk.
5. Assign a response to the risk:
   a) Choose the Assign push-button. Select Response from the menu list.
6. Choose the Search push-button to search for available Responses.
   a) A list of available responses displays.
7. Select a Response by highlighting it and choose the OK push-button.
   a) The selected response is returned to the Response Plans window.
8. Save the Response.
   a) Select the Save push-button to save the Response.


Task 2: Creating a Residual Risk (Planned) Analysis

1. Open the Risk in the Active Query window.
   a) Select the Open push-button when the risk is highlighted.
2. Navigate to the Responses tab.
   a) Select the Response tab.
3. Select the newly created response from the Response Plans summary by highlighting it. The lower part of the window displays the following information: Analysis Date, Probability Reduction, Total Loss Reduction, Mitigation Effect.
   a) Enter a Probability Reduction: 10%
   b) Choose the Impact Category Allocation push-button.
   c) Quantitative Analysis: Enter Reduction: 10000
   d) Qualitative Analysis (and/or): Select “Medium” from the Mitigation Effect field.
4. Choose the OK push-button.
   a) The Impact Category Allocation window closes.
5. Choose the Save push-button.
   a) The Response and its associated Residual Risk (Planned) Analysis is saved.


Lesson Summary

You should now be able to:
• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a response to a risk in the Risk Response tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)

Lesson: Creating a new Response in a risk

Lesson Duration: 15 Minutes

Lesson Overview This lesson will show you how to create a new response from within a risk.

Lesson Objectives

After completing this lesson, you will be able to:
• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response tab

In this lesson you will discuss creating a response directly in the risk instead of in the Responses and Enhancement Plans catalogue.

Business Example Once a risk has been identified and the inherent risk level analyzed, the next step is to decide what, if anything should be done about the risk. Existing response measures need to be reviewed to see if any of them are suitable to mitigate this risk. The catalogue of response measures should be browsed and any suitable ones selected for this risk. However, if there are no appropriate existing measures a new response should be created. This can be performed directly from within the response tab of the risks in the GRC RM 3.0 system.


Creating a new Risk Response directly within the Response Plans tab of a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens an Active Queries window that displays the risks and opportunities.
2. Select a Risk from the Active Queries result and choose the Open push-button. This opens a popup window that displays the risk information.
3. Select the Response Plans tab.
4. Choose the Create push-button, and select Response from the dropdown menu options.
5. Complete the response creation. The response information includes the following (fields marked with (*) are mandatory):
   1. Name: Response title
   2. Description: Description of the response
   3. Response Details: Steps or Actions required to perform the response
   4. Organization Unit: This field will be pre-populated with the organisation unit where the risk belongs.
   5. Owner: The person responsible for the Response (this field will be pre-populated with the current user).
      a) If a different user is selected, the user will be prompted to enter a Response Notification Date. The selected user will receive a Response Notification in their workflow inbox.
   6. Type: Response Type (i.e. Accept, Watch, Transfer, Mitigate)
   7. Purpose: How the risk will be affected (i.e. Prevent, Recover)
   8. Share Response: Can the response be used by all parts of the business or not? The options are: Shared – Requires Approval; Shared – Does not require Approval; Not Shared. As the response is being created directly for the current risk, this may influence the option selected.
   9. Status: The response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.
6. Choose the Submit push-button to save the response, which gives it the status Active.
7. Refer to the previous exercise to perform the Residual Risk (Planned) Analysis.

Exercise 17: Create a Risk Response

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Create a risk response in the catalog.


System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.
2. Choose the Create push-button and select Response from the drop down pick list.
3. Complete the response creation as follows:
4. Choose the Submit push-button to save the Response.


Solution 17: Create a Risk Response

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.
   a) This opens the Active Queries window that displays the existing responses and enhancement plans.
2. Choose the Create push-button and select Response from the drop down pick list.
   a) This opens a popup window that displays the response form.
3. Complete the response creation as follows:
   a) Name: GRC340-XX-Response
   b) Description: GRC340-XX-Response
   c) Response Details: XXXXXXXXXXXX
   d) Organization Unit: XXXXXXXXXX (select from a dropdown pick list)
   e) Owner: XXXXXXXXXXXX (select from drop down pick list)
   f) Type: Mitigate (select from drop down pick list)
   g) Purpose: Prevent (select from drop down pick list)
   h) Share Response: Not Shared (select from drop down pick list)
   i) Status: Note that the response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.
4. Choose the Submit push-button to save the Response.
   a) This saves the new response.


Lesson: Creating a new Response in a risk

Lesson Summary
You should now be able to:
• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response Tab

Lesson: Residual Risk Analysis (current)
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to update the risk response with the latest effectiveness and completeness results and thereby create a residual risk analysis for a risk.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how the Response Completeness and Effectiveness are updated
• Update the Response Completeness and Effectiveness and thereby create the current Residual Risk result.

In this lesson you will discuss with the students the difference between running an inherent risk analysis and the current (residual) risk analysis.

Business Example
Three measures of risk are often tracked as part of the risk management process:
• Inherent Risk – the risk before responses, or with the current responses
• Residual Risk Planned (often referred to as Target Risk) – the level of risk that is acceptable to the organization and the target towards which the risk management efforts are focused
• Residual Risk – the current or actual risk level, based on the completeness and effectiveness of the risk response measures
The response in GRC RM 3.0 is updated with Completeness and Effectiveness results so that businesses can track where they are with their risk management plans and see how far they are from the target risk level. This functionality is available for responses in status Active. Shared responses can be updated with the latest Completeness and Effectiveness results from Response and Enhancement Plan Management.


Updating a Risk Response with the current Effectiveness and Completeness results

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens an Active Queries window that displays the current risks and opportunities.
2. Select a Risk from the Active Queries result and choose the Open push-button. This opens a popup window that displays the risk information.
3. Select the Response Plans tab.
4. Highlight a Response. Ensure that a Response in status Active is highlighted from the available responses in the Response summary table.
5. Choose the Open push-button. The highlighted response will open in a popup window.
6. The following fields are available to update with the latest risk response information under the Response Details heading (right side of the window):
   1. Response Details: text field for actual steps or tasks
   2. Actual Start Date: must be in the past
   3. Actual Finish Date: cannot be in the future
   4. Overwrite Completeness: a checkbox that allows access to the Completeness field
   5. Completeness: percentage completeness of this response
   6. Response Effectiveness: this is a heading
   7. Effective From: date
   8. Effective To: date
   9. Current Effectiveness: dropdown picklist (e.g. “Somewhat Effective”)
7. Choose the Save push-button. The updates to the response are saved.
8. Choose the Save push-button. The risk and the response updates are saved. The user is returned to the Active Queries window.
   Note: Just saving the response updates is not enough. To have the response data updates saved permanently, it is necessary to Save the whole risk.


View the Residual Risk Analysis

1. Choose the Open push-button to reopen the risk.
2. Select the Analysis tab.
3. View the updated analysis Residual Risk, where the response updates to Completeness and Effectiveness will be reflected.

Figure 49: Residual Risk Analysis

4. Highlight the Residual Risk by selecting the square to the immediate left.
5. Notice in the area below the Analysis:
   1. The Probability will reflect the aggregate residual probability based on the updates to all individual responses.
   2. The Total Loss will reflect the aggregate residual total loss based on the updates to all individual responses (for quantitatively analysed risks).
   3. The Impact Level will reflect the aggregate residual impact level based on the updates to all individual responses.
   Note: The breakdown of Total Loss can be viewed by selecting Impact Category Allocation.


Figure 50: Impact Category Allocation


Exercise 18: Perform Residual Risk Analysis (current)
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Update a risk response with the current Completeness and Effectiveness result

Business Example
Three measures of risk are often tracked as part of the risk management process:
• Inherent Risk – the risk before responses, or with the current responses
• Residual Risk Planned (often referred to as Target Risk) – the level of risk that is acceptable to the organization and the target towards which the risk management efforts are focused
• Residual Risk – the current or actual risk level, based on the completeness and effectiveness of the risk response measures
The response in GRC RM 3.0 is updated with Completeness and Effectiveness results so that businesses can track where they are with their risk management plans and see how far they are from the target risk level. This functionality is available for responses in status Active. Shared responses can be updated with the latest Completeness and Effectiveness results from Response and Enhancement Plan Management.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task 1: Update a Risk Response with the current Effectiveness and Completeness results

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. This opens a popup window that displays the risk information.
3. Select the Response Plans tab.
4. Highlight a Response. Ensure that a Response in status Active is highlighted from the available responses in the Response summary table.
5. Choose the Open push-button.
6. Update the response with the current Completeness and Effectiveness results.
7. Save the response.
8. Save the risk.

Task 2: View the Residual Risk Analysis

1. To view the Residual Risk Analysis, choose the Open push-button to reopen the risk.
2. Select the Analysis tab.
3. View the updated analysis Residual Risk, where the response updates to Completeness and Effectiveness will be reflected.
4. Select Residual Risk.


Solution 18: Perform Residual Risk Analysis (current)

Task 1: Update a Risk Response with the current Effectiveness and Completeness results

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens an Active Queries window that displays the current risks and opportunities.
2. This opens a popup window that displays the risk information.
   a) This opens a popup window that displays the risk information.
3. Select the Response Plans tab.
   a) This displays the Response window.
4. Highlight a Response. Ensure that a Response in status Active is highlighted from the available responses in the Response summary table.
   a) The highlighted response is in status Active.
5. Choose the Open push-button.
   a) The highlighted response will open in a popup window.
6. Update the response with the current Completeness and Effectiveness results.
   a) The following fields are available to update with the latest risk response information under the Response Details heading (right side of the window):
      1. Response Details: XXXXX
      2. Actual Start Date: XXXXX
      3. Actual Finish Date: XXXXX
      4. Overwrite Completeness: This is a checkbox
      5. Completeness: 50%
      6. Response Effectiveness: This is a heading
      7. Effective From: leave as default
      8. Effective To: leave as default
      9. Current Effectiveness: Somewhat Effective
7. Save the response.
   a) Choose the Save push-button. The update to the response is saved.
8. Save the risk.
   a) Choose the Save push-button. The risk and the response updates are saved. The user is returned to the Active Queries window.

Task 2: View the Residual Risk Analysis

1. To view the Residual Risk Analysis, choose the Open push-button to reopen the risk.
   a) The risk opens in a popup window.
2. Select the Analysis tab.
   a) The Analysis window displays.
3. View the updated analysis Residual Risk, where the response updates to Completeness and Effectiveness will be reflected.
   a) In the Analysis section of the window, notice that 3 analyses display:
      1. Inherent Risk
      2. Residual Risk
      3. Residual Risk (planned)
4. Select Residual Risk.
   a) Highlight the Residual Risk by selecting the square to the immediate left.
   b) Notice in the area below the Analysis:
      1. The Probability will reflect the aggregate residual probability based on the updates to all individual responses.
      2. The Total Loss will reflect the aggregate residual total loss based on the updates to all individual responses (for quantitatively analysed risks).
      3. The Impact Level will reflect the aggregate residual impact level based on the updates to all individual responses.
   c) The breakdown of Total Loss can be viewed by selecting Impact Category Allocation.


Lesson Summary
You should now be able to:
• Explain how the Response Completeness and Effectiveness are updated
• Update the Response Completeness and Effectiveness and thereby create the current Residual Risk result.

Lesson: Assign a Control to a Risk
Lesson Duration: 10 Minutes

Lesson Overview
This lesson will show you how to assign a control to a risk.

Lesson Objectives
After completing this lesson, you will be able to:
• Assign a Control to a Risk

In this lesson you will discuss with the students the integration between Process Controls and Risk Management when it comes to assigning a control as a response plan.

Business Example
Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks.

What is a Control?
A control is a process step or task performed as part of routine business operations with the purpose of mitigating risk.


Assigning a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk to which you want to assign a control and choose the Open push-button. This opens a popup window that displays the risk information.
4. Select the Responses tab. Current Responses and Controls will display in the window.

Figure 51: Responses and Controls

5. To assign a control to the risk, select the Assign push-button and select the Control menu option.

6. From the available search criteria select:
   1. Choose the Regulation: SOX
      Note: The search can further be refined as follows:
   2. Select the Organization Unit, Control Name, Process, and/or Subprocess to pinpoint the control to be selected.
   3. Choose the Go push-button.
   4. Browse the available controls.
   5. Optional: Select the Open push-button to view the details of the control.
   6. Select the control and choose the OK push-button.
   7. Repeat as often as needed to select all the required controls.
   a) The Control shows in the Responses window in status Active.
   b) The Effectiveness and Completeness will be blank.
   c) When the assessment cycle is complete on the new control, the Effectiveness and Completeness results will be updated.

Figure 52: Responses and Controls


Exercise 19: Assign a Control to a Risk
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Assign a Control to a Risk

Business Example
Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Assign a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. Display the risk where the control will be assigned.
3. Select the risk to which you want to assign a control and open the risk.
4. Navigate to the Response tab.
5. Select the Assign Control menu option.
6. Select a control.
7. Save the Control and Risk.


Solution 19: Assign a Control to a Risk

Task: Assign a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risk table for the selected organization unit.
2. Display the risk where the control will be assigned.
   a) To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
      a. Select Type as Risk.
      b. Select the organization unit.
      c. Choose the Apply push-button.
      d. Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk to which you want to assign a control and open the risk.
   a) Highlight the required risk and choose the Open push-button. This opens a popup window that displays the risk information.
4. Navigate to the Response tab.
   a) Select the Responses tab. Current Responses and Controls will display in the window.
5. Select the Assign Control menu option.
   a) To assign a control to the risk, select the Assign push-button and select the Control menu option.


6. Select a control.
   a) From the available search criteria select:
      a. Choose the Regulation: SOX
         Note: The search can further be refined as follows:
      b. Select the Organization Unit, Control Name, Process, and/or Subprocess to pinpoint the control to be selected.
      c. Choose the Go push-button.
      d. Browse the available controls.
      e. Optional: Select the Open push-button to view the details of the control.
      f. Select the control and choose the OK push-button.
      g. Repeat as often as needed to select all the required controls.
7. Save the Control and Risk.
   a) Choose the Save push-button to save the controls with the risk.


Lesson Summary
You should now be able to:
• Assign a Control to a Risk

Lesson: Control Proposal
Lesson Duration: 10 Minutes

Lesson Overview
This lesson will show you how to propose a control.

Lesson Objectives
After completing this lesson, you will be able to:
• Propose a Control to manage a risk

In this lesson you will discuss with the students the integration between Process Controls and Risk Management when it comes to proposing a control from Risk Management.

Business Example
Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks. If a suitable control does not exist for a particular risk, a new control can be proposed for inclusion in the overall internal controls system.

What is a Control?
A control is a process step or task performed as part of routine business operations with the purpose of mitigating risk.


Proposing a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.
2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk for which you want to propose a control and choose the Open push-button. This opens a popup window that displays the risk information.
4. Select the Responses tab. Current Responses and Controls will display in the window.

Figure 53: Responses and Controls

5. To propose a control for managing the risk, select the Create push-button and select the Control Proposal menu option.


Figure 54: Controls Proposal

6. From the available fields enter the data about the control requested:
   1. Choose the Regulation/Policy: XXX (SOX) select from dropdown picklist
      Note: The search can further be refined as follows:
   2. Choose the Organization Unit: select from dropdown picklist
   3. Enter Control Name: XXXXX
   4. Enter Subprocess: select from dropdown picklist
   5. Enter Control Description: describe what you want the control to do
   6. Choose Control Significance: Key Control or Standard Control
   7. Choose Control Automation: select a radio button Automated, Semi-Automated, Manual
   8. Choose Control Purpose: select a radio button Detective or Preventative
   9. Choose Nature: select from dropdown picklist
   10. Select Trigger: select a radio button Event or Date
   11. If Date is selected, then select Frequency from the drop down pick list (e.g. Annual, Quarterly, Monthly, Daily, etc.)
   12. If Event is selected, then enter Event Description: XXXXX
   13. Enter Valid From and Valid To - adjust from the default values if needed
   14. Enter Notes: additional comments or instructions to the Internal Controls Manager to help them evaluate the Control Proposal.
7. Choose the Submit push-button to save the Control Proposal with the risk.


Figure 55: Control Proposal

8. The submitted Control Proposal shows in the Responses summary window with status “Proposed”.
   1. The Effectiveness and Completeness will be blank.
   2. Once the Internal Controls Manager in Process Control approves the Control Proposal, it will change to status “Active”.
   3. When the assessment cycle is complete on the new control, the Effectiveness and Completeness results will be updated.


Figure 56: Controls Proposal

9. Choose Save to save the risk and the control proposal.


Exercise 20: Control Proposal
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Propose a Control to manage a risk

Business Example
Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks. If a suitable control does not exist for a particular risk, a new control can be proposed for inclusion in the overall internal controls system.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Proposing a Control for a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
2. Display the required risk.
3. Select the risk for which you want to propose a control.
4. Select the Responses tab.
5. Propose a Control.
6. Enter the Control data.
7. Submit the Control Proposal.
8. Save the Risk and the Control Proposal.


Solution 20: Control Proposal

Task: Proposing a Control for a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.
   a) This opens a popup window that displays the risk table for the selected organization unit.
2. Display the required risk.
   a) To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.
      a. Select Type as Risk.
      b. Select the organization unit.
      c. Choose the Apply push-button.
      d. Choose the Hide Quick Criteria Maintenance push-button.
3. Select the risk for which you want to propose a control.
   a) Highlight the Risk and choose the Open push-button. This opens a popup window that displays the risk information.
4. Select the Responses tab.
   a) Current Responses and Controls will display in the window.
5. Propose a Control.
   a) To propose a control for managing the risk, select the Create push-button and select the Control Proposal menu option.
6. Enter the Control data.
   a) From the available fields enter the data about the control requested:
      a. Choose the Regulation/Policy: XXX (SOX) select from dropdown picklist
         Hint: The search can further be refined as follows:
      b. Choose the Organization Unit: select from dropdown picklist
      c. Enter Control Name: XXXXX
      d. Enter Subprocess: select from dropdown picklist
      e. Enter Control Description: describe what you want the control to do
      f. Choose Control Significance: Key Control or Standard Control
      g. Choose Control Automation: select a radio button Automated, Semi-Automated, Manual
      h. Choose Control Purpose: select a radio button Detective or Preventative
      i. Choose Nature: select from dropdown picklist
      j. Select Trigger: select a radio button Event or Date
      k. If Date is selected, then select Frequency from the drop down pick list (e.g. Annual, Quarterly, Monthly, Daily, etc.)
      l. If Event is selected, then enter Event Description: XXXXX
      m. Enter Valid From and Valid To - adjust from the default values if needed
      n. Enter Notes: additional comments or instructions to the Internal Controls Manager to help them evaluate the Control Proposal.
7. Submit the Control Proposal.
   a) Choose the Submit push-button to save the Control Proposal with the risk.
      Note: Choosing Submit triggers an automatic workflow to the Internal Controls Manager.
8. Save the Risk and the Control Proposal.
   a) Choose the Save push-button to save the Risk including the new Control Proposal data.


Lesson Summary
You should now be able to:
• Propose a Control to manage a risk

Unit Summary
You should now be able to:
• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response
• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a risk to a response in the Risk Response Tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)
• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response Tab
• Explain how the Response Completeness and Effectiveness are updated
• Update the Response Completeness and Effectiveness and thereby create the current Residual Risk result.
• Assign a Control to a Risk
• Propose a Control to manage a risk

Unit 6: Key Risk Indicators

Unit Overview
In this unit you will learn the various ways in which risks can be analyzed with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:
• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI
• Explain what is needed to design a KRI
• Explain why SAP Query is needed
• Create a KRI template
• Request a KRI Implementation
• Implement a KRI
• Add an implemented KRI to a risk
• [Enter a lesson objective or delete if not used.]
• Request the localization of a KRI.
• Configure a KRI business rule.

Unit Contents
Lesson: Introduction to Key Risk Indicators ... 219
Lesson: KRI Design ... 222
Lesson: KRI Template Creation ... 225
   Procedure: Creating a KRI Template ... 226
   Procedure: Requesting KRI Implementations ... 228
   Exercise 21: Create a KRI Template ... 229
Lesson: KRI Implementation ... 233
   Procedure: To implement a KRI ... 234
   Exercise 22: Implement a KRI ... 237
Lesson: KRI Instantiation ... 241
   Procedure: To add a KRI to a risk ... 242
   Exercise 23: Add a KRI to a Risk ... 245
Lesson: KRI Localization ... 248
   Procedure: To localize a KRI ... 249
   Exercise 24: Localize a KRI ... 251
Lesson: KRI Business Rules ... 254
   Procedure: Business Rule Configuration ... 255
   Procedure: Resetting a KRI Violation ... 257
   Exercise 25: Configure a KRI Business Rule ... 259

Lesson: Introduction to Key Risk Indicators
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will introduce you to Key Risk Indicators (“KRIs”).

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI

In this lesson you will discuss exactly what a KRI is and how KRIs are used in the Risk Management system.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRIs) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. A KRI can be quantitative (e.g. turnover rate in a business unit) or qualitative (e.g. adequacy of a system). To be useful, a KRI always has to be linked to one of the risk drivers.

What are Key Risk Indicators?
A Key Risk Indicator (KRI) is a forward-looking measure that provides a basis for estimating the likelihood of a risk event. A KRI can be quantitative (e.g. turnover rate in a business unit) or qualitative (e.g. adequacy of a system). To be useful, a KRI always has to be linked to one of the risk drivers (or causes). The historical performance trend is used as the basis for a forward-looking perspective. KRIs provide early warning signals by highlighting trends and changes in risk level through monitoring changes in actual performance.

Figure 57: Key Risk Indicators


KRIs can use data from SAP and non-SAP systems. Examples are:
• Cash position by day/currency (SAP ERP Financials)
• Quality of Service Provision (SAP Supply Chain Management)
• Number of warranty claims (SAP ERP Operations)
• Number of credit breaches per month (ROME Credit Risk)
• Employee Utilization (SAP Human Capital Management)
• Illness Rate (SAP Human Capital Management)

The following should be taken into consideration when designing KRIs:
• Design the best KRIs independent of data availability; use interim KRIs if the desired data is not available.
• Work with the business to design the KRIs.
• Keep KRIs simple enough to be understood.
• Establish KRIs that can be used across all business areas and locations if possible.
• Make sure KRIs are quantifiable.
• Use pre-defined escalation criteria for management actions (e.g. Acceptable; Acceptable but Watch; Unacceptable).


Lesson Summary
You should now be able to:
• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI


Lesson: KRI Design
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will provide an approach for designing Key Risk Indicators for implementation in SAP BusinessObjects Risk Management.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain what is needed to design a KRI
• Explain why SAP Query is needed

In this lesson you will discuss how a KRI is designed and what questions to ask.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. Designing KRIs with good predictive capability is critical.

KRI Design Steps
Certain design steps should be undertaken before implementing a Key Risk Indicator in SAP BusinessObjects Risk Management. To start, you need a specific risk event for which the KRIs will be used. A KRI is not a stand-alone metric; it is a measure that provides a basis for estimating the likelihood of a specific risk event.


Start by asking the following questions when evaluating potential KRIs:
• Can the KRI be measured at a frequency that is low enough to identify a potential risk event?
• Can KRI trigger levels be established?
• Can clear escalation criteria be established?
• Is the KRI leading enough?
• Is there a clear owner for the KRI data?
• Is the KRI data available in an SAP or non-SAP system?
• Does historical data exist?
• Is the KRI data accurate and reliable?

Next, the potential KRIs should be rated in terms of their relationship to the risk event drivers. That is, KRIs deemed to have a “strong” relationship to a driver should be implemented over a KRI that has a “weak” relationship to the same driver. Once you have selected the “strongest” KRIs, you are ready to start implementing them in SAP BusinessObjects Risk Management. This begins with the design of the SAP Query.

SAP Query
SAP Query is a tool used to extract KRI data from SAP systems. Once you know what data you need and from which SAP system (based on the KRI design), you should seek the help of an SAP Query resource. Similarly, if the KRI data resides in a non-SAP system, you will need a resource to design and develop the Web Service connector from the source system to SAP BusinessObjects Risk Management.


Lesson Summary
You should now be able to:
• Explain what is needed to design a KRI
• Explain why SAP Query is needed


Lesson: KRI Template Creation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will explain how to create KRI Templates.

Lesson Objectives
After completing this lesson, you will be able to:
• Create a KRI template
• Request a KRI Implementation

In this lesson you will discuss how to create a template for a KRI. Remember that this is done after the query has already been created in the backend system and the configuration in the IMG has been completed.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. A central risk team can create several KRI templates linked to different risk categories. When creating risk events, the risk owners can see the KRIs attached to the risk category.

KRI Template
A KRI template is used to define the KRI before you have identified the required technical components (i.e. source system, transaction, RFC, Web service) and the Organizational Unit where the KRI will be implemented. The KRI Template is a business-oriented definition of the KRI (i.e. it uses business terms to describe the KRI). A KRI Template is linked to a risk category using the Risk classification catalog. When a risk event is created that refers to the risk category, the KRI Template is automatically associated with the risk event.


Creating a KRI Template

Use
To create a KRI Template:

Procedure
1. Choose GRC Risk Management → Risk Monitoring work center → Key Risk Indicator Template. This opens a popup window that displays the KRI templates.

Figure 58: KRI Template

2. To create a new KRI template, choose the Create pushbutton.


3. Select the General tab and enter the following:
   1. KRI Template Name: Short name of the KRI
   2. Valid to: The date until which the KRI remains valid
   3. Description: Description of the KRI
   4. Value Type: KRI value type
   5. System: Source system for KRI data
   6. Business Process: Relevant business process
   7. Component: Relevant business process component
   Note: The dropdown options for Value Type, System, Business Process, and Component are configurable items. These attributes are essentially a means of classifying the various KRI Templates.

4. Choose the Save pushbutton. The KRI can now be assigned to individual risk categories.


Requesting KRI Implementations

Use
To request that a KRI be implemented from the KRI template:

Procedure
1. Choose GRC Risk Management → Risk Monitoring work center → Key Risk Indicator Template. This opens a popup window that displays the KRI templates.

2. Select the KRI that you want to implement and choose the Open pushbutton.
3. Select the Implementation tab.
4. Choose the Create pushbutton. This opens a popup window where you can create a note.

Figure 59: KRI Implementation Request

5. Choose the OK pushbutton.
6. Choose the Save pushbutton. This will create a workflow item for the person designated to receive KRI implementation requests.


Exercise 21: Create a KRI Template
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a KRI template
• Request a KRI Implementation

Business Example To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. A central risk team can create several KRI templates linked to different risk categories. When creating risk events, the risk owners can see the KRIs attached to the risk category.

System Data
System: Instructor will provide to class
Client: Instructor will provide to class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task 1: Create a KRI Template
1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.
2. Choose the Create pushbutton.
3. Select the General tab and enter the KRI information.
4. Choose the Save pushbutton.

Task 2: Request a KRI Implementation
1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.


2. Select the KRI that you want to implement and choose the Open pushbutton.
3. Choose the OK pushbutton and then choose the Save pushbutton.


Solution 21: Create a KRI Template
Task 1: Create a KRI Template
1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.
   a) This opens a popup window that displays the KRI templates.
2. Choose the Create pushbutton.
   a) This opens a popup window that displays the KRI form.
3. Select the General tab and enter the KRI information.
   a) KRI Template Name: GRC340-XX-Temp
   b) Valid to: XXX
   c) Description: XXX
   d) Value Type: XXX
   e) System: XXX
   f) Business Process: XXX
   g) Component: XXX
4. Choose the Save pushbutton.
   a) The KRI can now be assigned to individual risk categories.

Task 2: Request a KRI Implementation
1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.
   a) This opens a popup window that displays the KRI templates.
2. Select the KRI that you want to implement and choose the Open pushbutton.
   a) This opens a popup window. Create the note XXXXX.
3. Choose the OK pushbutton and then choose the Save pushbutton.
   a) This will create a workflow item for the person designated to receive KRI implementation requests.


Lesson Summary
You should now be able to:
• Create a KRI template
• Request a KRI Implementation


Lesson: KRI Implementation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will explain how to implement a KRI.

Lesson Objectives
After completing this lesson, you will be able to:
• Implement a KRI

In this lesson you will discuss the implementation of a KRI after the template has already been created.

Business Example To provide continuous insight into the risk, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

KRI Implementation
The following prerequisites must be fulfilled before you can implement a KRI:
• Complete the IMG customizing activities on system connectivity for Key Risk Indicators.
• Create the KRI template that will be referenced when implementing the KRI.


To implement a KRI:

Figure 60: To implement a KRI

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Implementation. This opens a popup window that displays the KRI implementation catalog.
2. To implement a new KRI, choose the Create pushbutton.

3. Select the General tab and enter the following data:
   1. KRI Implementation Name: Short name of the KRI
   2. Valid to: The date until which the KRI remains valid
   3. KRI Template: Select the KRI template
   4. Description: Description of the KRI
   5. Connector Type: Connector type
   6. Script: Relevant business process
   Note: The Connector Type, Connector and Script refer to a defined communication link between your systems. The following Connector types are available: SAP Query; SAP BW Query; Web Service.

4. Choose the Test Connector and Test Script pushbuttons to test the connectors and scripts before saving them.


Figure 61: KRI Implementation detail

5. Select the Implementation tab.
6. Enter additional information to define the output of the KRI Implementation:
   1. Value Column: Select a value to be used. Value Column selection is defined in the SAP Query Infoset.
   2. Currency/UoM Column: The currency to be used for the value you selected is displayed. Depending on the template type, this field is prefilled, so that you cannot make any entries.
   3. Aggregation Function: Select the type of data aggregation to be used. Aggregation Function Values are predefined.

7. You can create a Selection table containing the SAP Query data defined in the source system by selecting from the dropdown list in the Selection Option and choosing the Add pushbutton to add a data element to the Selection Table.
8. For each data element, specify the variable values (Sign, Option, Low Value, High Value) that will be available for selection when a KRI is localized. Note: If the Mandatory field is not selected, you must set it in the KRI instance.
9. Choose the Save pushbutton. The implementation will be displayed in the KRI implementation catalog.


Figure 62: KRI Implementation Catalog

10. The KRI implementation status definitions are as follows:
   • Draft: The KRI has not yet been sent for implementation. Draft KRIs will be invisible in the Linkage Corridor and in the Usage Corridor. They will only be visible in the Implementation Corridor, and can only be deleted or asked for implementation.
   • Active: The KRI implementation is being used.
   • Cancelled: A cancelled KRI implementation cannot be reactivated. All related instantiations are switched to “cancelled” in their own statuses once the implementation is cancelled.
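The Selection Table of step 8 (Sign, Option, Low Value, High Value, Mandatory) decides which rows of the SAP Query feed the KRI, and the Aggregation Function of step 6 collapses them into one value. The following Python model is an added example, not SAP code; it assumes SAP select-option semantics for the entries (Sign I/E, options such as EQ, BT and CP) and uses constructed warranty-claim rows for the "Number of warranty claims" KRI from the examples list earlier in this unit.

```python
"""Model of a KRI implementation's Selection Table and Aggregation Function.

Constructed illustration, not SAP code: it mimics how the Selection Table
entries (Sign, Option, Low Value, High Value) narrow the rows an SAP Query
returns, and how the Aggregation Function collapses the remaining rows into
the single value the KRI instance reports.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SelectionEntry:
    """One row of the Selection Table (assumed SAP select-option style)."""
    field: str             # data element from the query Infoset
    sign: str              # "I" = include, "E" = exclude
    option: str            # EQ, NE, BT, NB, GT, GE, LT, LE, CP, NP
    low: str = ""
    high: str = ""
    mandatory: bool = False


# Comparison operators on (value, low, high); values are pre-converted keys.
OPS = {
    "EQ": lambda v, lo, hi: v == lo,
    "NE": lambda v, lo, hi: v != lo,
    "BT": lambda v, lo, hi: lo <= v <= hi,
    "NB": lambda v, lo, hi: not lo <= v <= hi,
    "GT": lambda v, lo, hi: v > lo,
    "GE": lambda v, lo, hi: v >= lo,
    "LT": lambda v, lo, hi: v < lo,
    "LE": lambda v, lo, hi: v <= lo,
}


def _cmp_key(value: str):
    """Compare numerically when the text is a number, otherwise as text.
    The leading tag keeps numbers and text from being compared to each other."""
    try:
        return (0, float(value))
    except ValueError:
        return (1, value)


def entry_matches(entry: SelectionEntry, value: str) -> bool:
    """Does one field value satisfy the entry's Option/Low Value/High Value?"""
    if entry.option in ("CP", "NP"):
        # SAP patterns: * = any string, + = exactly one character
        hit = fnmatchcase(value, entry.low.replace("+", "?"))
        return hit if entry.option == "CP" else not hit
    v, lo, hi = _cmp_key(value), _cmp_key(entry.low), _cmp_key(entry.high)
    return OPS[entry.option](v, lo, hi)


def row_selected(row: Dict[str, str], entries: List[SelectionEntry]) -> bool:
    """Select-option semantics: a field with inclusions must match at least
    one of them, any matching exclusion removes the row, and a field without
    entries is unrestricted."""
    for field in {e.field for e in entries}:
        value = row.get(field, "")
        includes = [e for e in entries if e.field == field and e.sign == "I"]
        excludes = [e for e in entries if e.field == field and e.sign == "E"]
        if includes and not any(entry_matches(e, value) for e in includes):
            return False
        if any(entry_matches(e, value) for e in excludes):
            return False
    return True


def missing_mandatory(entries: List[SelectionEntry]) -> List[str]:
    """Mandatory entries left without a Low Value still have to be set in the
    KRI instance (the note under step 8); report them so the gap is visible."""
    return [e.field for e in entries if e.mandatory and not e.low]


def compute_kri_value(rows: List[Dict[str, str]], entries: List[SelectionEntry],
                      value_column: str, aggregation: str) -> Optional[float]:
    """Apply the Selection Table, then the Aggregation Function."""
    selected = [r for r in rows if row_selected(r, entries)]
    if not selected:
        return None   # nothing in the time frame: no KRI value to report
    if aggregation == "COUNT":
        return float(len(selected))
    values = [float(r[value_column]) for r in selected]
    funcs = {"SUM": sum, "AVG": mean, "MAX": max, "MIN": min}
    return float(funcs[aggregation](values))


# Constructed sample rows, as an SAP Query on warranty claims might return them.
WARRANTY_ROWS = [
    {"PLANT": "1000", "MONTH": "2010-01", "CLAIMS": "12"},
    {"PLANT": "1000", "MONTH": "2010-02", "CLAIMS": "15"},
    {"PLANT": "2000", "MONTH": "2010-02", "CLAIMS": "7"},
    {"PLANT": "3000", "MONTH": "2010-03", "CLAIMS": "40"},
    {"PLANT": "1000", "MONTH": "2010-04", "CLAIMS": "9"},
]

# Constructed Selection Table: first quarter, every plant except 3000.
Q1_SELECTION = [
    SelectionEntry("MONTH", "I", "BT", "2010-01", "2010-03", mandatory=True),
    SelectionEntry("PLANT", "E", "EQ", "3000"),
]
```

With Q1_SELECTION the SUM of CLAIMS is 34.0 (plants 1000 and 2000 in January to March); a selection that matches no rows yields None rather than a misleading zero.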


Exercise 22: Implement a KRI
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Implement a KRI

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. Setting up the KRI for the risk involves implementing the configured connector and script.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1.
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a KRI Template
Student will be able to implement a KRI Template.
1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Implementation.
2. Choose the Create pushbutton.
3. Select the General tab and enter the KRI information.
4. Choose the Test Connector and Test Script pushbuttons.
5. Select the Implementation tab and enter additional information to define the output of the KRI implementation.
6. Create a Selection Table by selecting from the dropdown list in the Selection Option and choosing the Add pushbutton to add a data element to the Selection Table.
7. Complete the selection table.
8. Choose the Save pushbutton.


Solution 22: Implement a KRI
Task: Create a KRI Template
Student will be able to implement a KRI Template.
1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Implementation.
   a) This opens a popup window that displays the KRI implementation catalog.
2. Choose the Create pushbutton.
   a) This opens the KRI implementation form.
3. Select the General tab and enter the KRI information.
   a) KRI Implementation Name: GRC340-XX-Implement
   b) Valid to: XXX
   c) KRI Template: GRC340-XX-Temp
   d) Description: XXX
   e) Connector Type: XXX
   f) Connector: XXX
   g) Script: XXX
4. Choose the Test Connector and Test Script pushbuttons.
   a) Connectors and script test okay.
5. Select the Implementation tab and enter additional information to define the output of the KRI implementation.
   a) Value Column: XXX
   b) Currency/UoM Column: XXX
   c) Aggregation Function: XXX
6. Create a Selection Table by selecting from the dropdown list in the Selection Option and choosing the Add pushbutton to add a data element to the Selection Table.
   a) Add the following options to the table:
      • XXXX
      • YYYY


7. Complete the selection table.
   a) Name | Sign | Option | Low Value | High Value | Mandatory
8. Choose the Save pushbutton.
   a) The implementation will be displayed in the KRI implementation catalog.


Lesson Summary
You should now be able to:
• Implement a KRI


Lesson: KRI Instantiation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will describe how to add an implemented KRI to a risk.

Lesson Objectives
After completing this lesson, you will be able to:
• Add an implemented KRI to a risk

In this lesson you will discuss how to add a KRI to a risk; this is done after the KRI template has been created and the KRI implementation has been done.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. Setting up the KRI for the risk involves adding the implemented KRI to the risk.

KRI Instantiation
The following prerequisites must be fulfilled before you can add a KRI to a risk:
• The KRI has been implemented.


To add a KRI to a risk:
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management. This opens a popup window that displays the risks.
2. Select the risk where the KRI is to be added and choose the Open pushbutton.

Figure 63: Assigned Key Risk Indicators

3. Select the Key Risk Indicator tab. Here you will see a list of the assigned Key Risk Indicators.


Figure 64: KRI Creation

4. Choose the Create pushbutton. This opens a popup window that displays the KRI data value fields.

5. Enter the following:
   1. KRI Instance Name: Enter the name of the KRI that you want to create.
   2. KRI Implementation: Select the KRI implementation that you want to use. After you select an implementation, the Selection Table will be populated with the corresponding KRI data.
   3. Monitor Frequency: Select the frequency with which you want the KRI to monitor your system.
   4. Data Time Frame: Select the desired timeframe for the KRI data.
   5. Next/Last Execution Date: Select the execution dates for monitoring.
   6. Historical Review Required: Select Yes to retain the previous KRI values in the database.
6. The Selection table will contain the filter criteria for the KRI.
7. Choose the Activate pushbutton to activate and assign the KRI to the risk.


Figure 65: KRI History

8. To see the History of KRI values, select the Key Risk Indicators tab and then select the KRI. Choose the Show History pushbutton. This opens a popup window with a chart and tabular KRI information. Note: The Historical Review Required radio button must be Yes in order to retain historical data.


Exercise 23: Add a KRI to a Risk
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Add an implemented KRI to a risk.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. Setting up the KRI for the risk involves adding the implemented KRI to the risk.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Add a KRI to a Risk
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.
2. Choose the Create pushbutton.
3. Enter the KRI information.
4. Choose the Activate pushbutton.


Solution 23: Add a KRI to a Risk
Task: Add a KRI to a Risk
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.
   a) This opens a popup window that displays the risks.
2. Choose the Create pushbutton.
   a) This opens a popup window that displays the KRI data value fields.
3. Enter the KRI information.
   a) KRI Instance Name: GRC340-XX-Instance
   b) KRI Implementation: GRC340-XX-Implement
   c) Monitor Frequency: XXXX
   d) Data Time Frame: XXXX
   e) Next/Last Execution Date: XXXX
   f) Historical Review Required: XXXX
4. Choose the Activate pushbutton.
   a) KRI activated and assigned to the risk.


Lesson Summary
You should now be able to:
• Add an implemented KRI to a risk


Lesson: KRI Localization
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will describe how to localize a KRI.

Lesson Objectives
After completing this lesson, you will be able to:
• [Enter a lesson objective or delete if not used.]
• Request the localization of a KRI.

In this lesson you will discuss localizing a KRI. An example of why this would be done: if the person adding the KRI to a risk does not have all of the parameters of the query behind the KRI, a liaison specified in the backend system fills out the table and sends the information back.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. The last step needed to activate the KRI for the risk involves specifying the RFC parameters needed to start the KRI.

KRI Localization
Requesting localization indicates that the relevant parameters have been set for detecting KRI data for a particular Organizational Unit, Country, Region, or Market. Once the localization request has been made, a KRI workflow goes to a liaison workflow processor as defined in the Risk Management workflows. The following prerequisite must be fulfilled before you can localize a KRI:
• The KRI has been added to the risk.


To localize a KRI:
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management. This opens a popup window that displays the risks.

2. Select the risk with the KRI to be localized and choose the Open pushbutton.
3. Select the Key Risk Indicator tab. Here you will see a list of the assigned Key Risk Indicators.
4. Select the KRI to be localized and choose the Open pushbutton.
5. Choose the Request Localization pushbutton.

Figure 66: KRI Localization Status

6. The KRI Status column now displays Localization Requested. When you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to the user inbox for processing approval, and so on.


Exercise 24: Localize a KRI
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Request the localization of a KRI

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. The last step needed to activate the KRI for the risk involves specifying the RFC parameters needed to start the KRI.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Student will be able to request the Localization of a KRI.
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.
2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.
3. Select the KRI GRC340 and choose the Open pushbutton. Now choose the Request Localization pushbutton.


Solution 24: Localize a KRI
Task: Student will be able to request the Localization of a KRI.
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.
   a) This opens a popup window that displays the risks.
2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.
   a) You will see a list of the assigned Key Risk Indicators.
3. Select the KRI GRC340 and choose the Open pushbutton. Now choose the Request Localization pushbutton.
   a) The KRI status column now displays Localization Requested. When you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to the user inbox for processing, approval, and so on.


Lesson Summary
You should now be able to:
• [Enter a lesson objective or delete if not used.]
• Request the localization of a KRI.


Lesson: KRI Business Rules
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will describe how to configure a business rule for a KRI.

Lesson Objectives
After completing this lesson, you will be able to:
• Configure a KRI business rule.

In this lesson you will discuss with the students adding a business rule to a KRI for a risk. Note that there are classes that cover business rules, so this is not an in-depth conversation about creating a business rule.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. Configuring a business rule is the final step in setting up the KRI for a risk. Essentially, a business rule is a formula that defines the escalation criteria for management actions. For example, for the KRI “% of purchases from non-preferred vendors” you could define a threshold value of, say, 10% (i.e. IF the percentage of purchases from non-preferred vendors exceeds 10%, THEN trigger the KRI).


Business Rule Configuration

Prerequisites
The KRI has been localized.

Procedure
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management. This opens a popup window that displays the risks.

2. Select the risk for which you want to create the business rule and choose the Open pushbutton.
3. Select the Key Risk Indicator tab. You will see a list of assigned Key Risk Indicators.

Figure 67: KRI Business Rule

4. Select the KRI for which the business rule is to be configured. In the Business Rules table at the bottom of the window choose the Create pushbutton. This will open a KRI Business Rule popup window.


5. Enter the following:
   1. Title: Title of the KRI Business rule
   2. Description: Description of the KRI business rule
   3. Active: Select whether or not the KRI is active.
6. In the Mapping and Variables tables enter the calculation parameters to be used for the KRI Business Rule. After you have finished, you can check the syntax, test the rule or access the Business Rules Framework.

7. Use the radio buttons at the bottom of the window to specify the workflows that are to take place when a KRI value meets the business rule criteria. The actions are:
   1. Assessment Required: Whether a risk assessment workflow is to be triggered when the KRI threshold is exceeded.
   2. Send Notification: Whether an email notification is to be sent to the risk owner.
   3. Flag Risk: Whether the risk is to be flagged.

8. Choose the Ok pushbutton.
9. Choose the Save pushbutton.
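The business rule of steps 5 to 7 is a threshold formula on the mapped KRI value (the Mapping table's Limit) plus the three actions that fire when the rule criteria are met. The following Python model is an added example, not SAP code and not the Business Rules Framework; it assumes a second, lower "watch" threshold so that the Acceptable / Acceptable but Watch / Unacceptable escalation criteria from the KRI design lesson can be shown, and it uses constructed purchase lines for the "% of purchases from non-preferred vendors" example.

```python
"""Model of a KRI Business Rule: a threshold on the mapped KRI value, the
escalation bands from the KRI design guidance, and the workflow actions
(Assessment Required, Send Notification, Flag Risk) taken when the rule fires.
Constructed illustration, not SAP code or the Business Rules Framework.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BusinessRule:
    title: str
    variable: str                 # mapped VAR that holds the KRI instance value
    limit: float                  # Limit from the Mapping table: rule fires above it
    watch_limit: float            # assumed second threshold for the "Watch" band
    active: bool = True
    assessment_required: bool = False
    send_notification: bool = False
    flag_risk: bool = False


@dataclass
class RiskState:
    """What the risk's Key Risk Indicators tab would show."""
    violation_flag: bool = False             # the yellow lightning symbol
    workflow_items: List[str] = field(default_factory=list)


def escalation_band(rule: BusinessRule, value: float) -> str:
    """Acceptable / Acceptable but Watch / Unacceptable for one KRI value."""
    if value > rule.limit:
        return "Unacceptable"
    if value >= rule.watch_limit:
        return "Acceptable but Watch"
    return "Acceptable"


def percent_non_preferred(purchases: List[Tuple[str, float, bool]]) -> float:
    """KRI value for '% of purchases from non-preferred vendors'.
    purchases: (vendor id, amount, vendor is preferred)."""
    total = sum(amount for _, amount, _ in purchases)
    if total == 0:
        return 0.0                # no spend in the period: nothing to escalate
    non_pref = sum(amount for _, amount, pref in purchases if not pref)
    return 100.0 * non_pref / total


def evaluate_rule(rule: BusinessRule, variables: Dict[str, float],
                  state: RiskState) -> Dict[str, object]:
    """Evaluate one rule against the mapped variables and apply its actions."""
    if not rule.active:
        return {"evaluated": False, "triggered": False, "actions": []}
    value = variables[rule.variable]
    band = escalation_band(rule, value)
    triggered = band == "Unacceptable"     # IF value exceeds limit THEN trigger
    actions: List[str] = []
    if triggered:
        if rule.assessment_required:
            actions.append("RISK_ASSESSMENT_WORKFLOW")
        if rule.send_notification:
            actions.append("NOTIFY_RISK_OWNER")
        if rule.flag_risk:
            state.violation_flag = True
        state.workflow_items.extend(actions)
    return {"evaluated": True, "value": value, "band": band,
            "triggered": triggered, "actions": actions}


def reset_violation_status(state: RiskState) -> None:
    """The Reset KRI Violation Status pushbutton: clears the flag only;
    workflow items already created stay in the inbox."""
    state.violation_flag = False


# Constructed purchase lines: (vendor, amount, preferred vendor?)
PURCHASES = [("V100", 7000.0, True), ("V200", 1500.0, False),
             ("V300", 1000.0, True), ("V400", 500.0, False)]

NON_PREFERRED_RULE = BusinessRule(
    title="Non-preferred vendor spend", variable="VAR1",
    limit=10.0, watch_limit=8.0,
    assessment_required=True, send_notification=True, flag_risk=True)


def run_example() -> Tuple[Dict[str, object], RiskState]:
    """Compute the KRI value, evaluate the rule and return the outcome."""
    state = RiskState()
    kri_value = percent_non_preferred(PURCHASES)
    result = evaluate_rule(NON_PREFERRED_RULE, {"VAR1": kri_value}, state)
    return result, state


if __name__ == "__main__":
    outcome, risk_state = run_example()
    print(outcome["band"], outcome["actions"], risk_state.violation_flag)
```

On the constructed data 20% of spend is with non-preferred vendors, so the rule fires, both workflow items are created and the risk is flagged; a value of exactly 10% is not "exceeding" the limit and only lands in the watch band.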


Resetting a KRI Violation

Use
To reset the KRI violation status.

Prerequisites
If the KRI Business Rule is exceeded, a yellow lightning symbol flag displays on the KRI tab.

Procedure
1. Choose the Reset KRI Violation Status pushbutton. This will remove the yellow lightning symbol from the Key Risk Indicators tab and reset the status flag to green.
2. Click Ok to finish processing. The window closes and you can see the new business rule in the list of rules assigned to the risk.


Exercise 25: Configure a KRI Business Rule
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Configure a KRI business rule

Business Example To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. Configuring a business rule is the final step in the setting up of the KRI for a risk. Essentially, a business rule is a formula that defines the escalation criteria for management actions. For example, for the KRI “% of purchases from non-preferred vendors” you could define a threshold value of, say, 10%. (i.e. IF the percentage of purchases from non-preferred vendors exceeds 10%, THEN trigger the KRI)

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Configure a KRI Business Rule
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.
2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.
3. Select the KRI GRC340. In the Business Rule table at the bottom of the window choose the Create pushbutton.
4. Enter the general business rule information.


5. In the Mapping and Variables tables enter the calculation parameters to be used for the KRI Business Rule.
6. After you have finished, you can check the syntax, test the rule or access the Business Rules Framework.
7. Use the radio buttons at the bottom of the window to specify the workflows that are to take place when a KRI value meets the business rule criteria.
8. Choose the OK pushbutton and then choose the Save pushbutton.


Solution 25: Configure a KRI Business Rule
Task: Configure a KRI Business Rule
1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.
   a) This opens a popup window that displays the risks.
2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.
   a) You will see a list of the assigned Key Risk Indicators.
3. Select the KRI GRC340. In the Business Rule table at the bottom of the window choose the Create pushbutton.
   a) This will open a KRI Business Rule popup window.
4. Enter the general business rule information.
   a) Title: GRC340-XX-Rule
   b) Description: GRC340-XX-Rule
   c) Active: XXXX
5. In the Mapping and Variables tables enter the calculation parameters to be used for the KRI Business Rule.
   a) Mapping table:
      Mapping Title | KRI Instance | Aggr. Function | Limit
      VAR # (system generated) | X | X | X
      Variables table:
      Name | Value for Testing | Currency | Unit of Measure
      VAR # (system generated) | X | X | X
      Formula:

Continued on next page

2010

© 2010 SAP AG. All rights reserved.

261

Unit 6: Key Risk Indicators

6.

After you have finished, you can check the syntax, test the rule or access the Business Rules Framework. a)

7.

8.

Rules test okay.

Use the radio buttons at the bottom of the window to specify the workflows that are to take place when a KRI value meets the business rule criteria. a)

Assessment Required: Yes

b)

Send Notification: Yes

c)

Flag Risk: Yes

Choose the OK pushbutton and then choose the Save pushbutton. a)

262

GRC340

Business rule saved.


Lesson Summary
You should now be able to:
• Configure a KRI business rule.


Unit Summary
You should now be able to:
• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI
• Explain what is needed to design a KRI
• Explain why SAP Query is needed
• Create a KRI template
• Request a KRI Implementation
• Implement a KRI
• Add an implemented KRI to a risk
• [Enter a lesson objective or delete if not used.]
• Request the localization of a KRI
• Configure a KRI business rule


Unit 7 Risk Monitoring


Unit Overview
In this unit you will learn the various ways in which SAP BusinessObjects Risk Management supports Risk Monitoring.

Unit Objectives
After completing this unit, you will be able to:
• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner

Unit Contents
Lesson: Planner ... 266
Procedure: To create a Planned workflow ... 268
Exercise 26: Create a Plan ... 273


Lesson: Planner
Lesson Duration: 30 Minutes

Lesson Overview
This lesson will show you how to use the Planner to schedule workflows that support the risk management process.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner

Business Example
There are a variety of stakeholders in a business who need to participate in the risk management process. Some people will have a role in the risk identification process and the risk analysis process. Others, especially managers, might get involved in approving risk assessments or reported incidents, while yet others could be assigned specific actions to take in response to a risk. These people, who participate in the risk management process infrequently or occasionally, need help and prompting about when they need to take action and what they need to do. SAP BusinessObjects Risk Management supports users in this way through the generation of workflows that remind them something needs attention in the risk management system, and provides a guided interface for executing that action. The Planner is a tool for the Risk Manager to generate the workflows for the users and to keep track of the status of those workflows.


What is a Planned Activity?
SAP BusinessObjects Planner supports the following types of workflows:
• Activity Validation
• Opportunity Validation
• Risk Validation
• Risk Assessment
• Opportunity Assessment
• Response Update
• Activity Survey
• Risk Indicator Survey
• Risk Survey

There are three available validation types: Activity, Risk, and Opportunity. Validation is the term the system uses for “approvals”.
• Risk Validation: Used to approve an individual risk.
• Opportunity Validation: Used to approve an individual opportunity.
• Activity Validation: Used to approve a collection of risks under the umbrella grouping of an activity, which could include one or more risks and opportunities (for example, project, initiative, strategy).

There are three available assessment types: Risk, Opportunity and Response. An assessment is an update to the risk analysis and/or responses.
• Risk Assessment: Used to update risk analysis and responses.
• Opportunity Assessment: Used to update opportunity analysis and enhancement plans.
• Response Update: Used to update the details of the response to a risk.

There are three available survey types: Activity, Risk, and Risk Indicator.
• Activity Survey: Used to identify new risks and potential shortcomings related to an activity (for example, project, process).
• Risk Survey: Used to initiate a risk assessment (or reassessment) to uncover new circumstances that might impact the risk assessment.
• Risk Indicator Survey: Used to receive manual indications on the development of a Key Risk Indicator.


To create a Planned workflow:

1. Choose GRC Risk Management → Risk Monitoring work center and select Planner. This opens a popup window that displays the planner.
2. To create a new planned workflow, choose the Create pushbutton.

Figure 68: Planner


Figure 69: Create Plan

3. Complete the plan creation. There are 5 steps in the Guided Procedure to create a new plan:

   1. Enter Plan Details
      a) The workflow information includes the following (fields marked with an asterisk (‘*’) are mandatory):
         1. Plan Name (free text)
         2. Plan Activity: one of the 9 plan types mentioned above.
         3. Start Date: the date when the workflow should be triggered
         4. Due Date: the date when the workflow task should be completed.
         If plan type Risk Assessment or Opportunity Assessment is selected, the following additional field applies:
         5. Analysis Date: the date on which the analysis is to take place
         If the plan type is Activity Survey, Risk Survey or Key Risk Indicator Survey, the following additional field applies:
         6. Survey: select from the available surveys
         If the plan type is Activity Survey, the following additional field applies:
         7. Include Risks: radio buttons Yes or No.
      b) Choose the Next pushbutton to proceed to the next step in the guided procedure.

   2. Select Organizations
      a) Use the Expand All, Collapse All or Find pushbuttons to browse the available organization units, or click on the org unit node in the Organisation window to browse the structure.
      b) Highlight the organization unit required.
      c) Choose the Next pushbutton to move to the next step in the guided procedure.

   3. Perform Selection. The selection options will depend on the plan type selected in Step 1.
      a) Selection Procedure: the following radio buttons are available to narrow down the response or responses for selection:
         1. Select All Responses
         2. Select by Response Attributes
         3. Select Specific Responses
      b) Select the Specific Responses radio button. Available responses in the selected organisation unit will display in the window.
      c) Highlight the response for update.
      d) Choose the Next pushbutton to proceed to the next step in the procedure.

   4. Review. The selection results are presented for review.
      a) Choose the Show Results pushbutton to view the details of the selected Responses and the users who will receive the workflow.
      b) Choose the Close pushbutton to return to the main Create Plan Review window.
         Hint: At any stage the Previous and Next pushbuttons can be used to review previous selections and make amendments to them.
      c) Choose the Next pushbutton to proceed to the next step in the selection process.

   5. Confirmation. Saves the Plan.
      a) Choose Activate Plan to confirm selections. Hint: Cancel aborts the process.
      b) The successful saving of the Plan is confirmed.
      c) Choose Finish to return to the main Planner window. Hint: Selecting Create New Plan is a shortcut to initiate creating further plans.

Figure 70: Planner Window


Exercise 26: Create a Plan
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a Plan

Business Example
There are a variety of stakeholders in a business who need to participate in the risk management process. Some people will have a role in the risk identification process and the risk analysis process. Others, especially managers, might get involved in approving risk assessments or reported incidents, while yet others could be assigned specific actions to take in response to a risk. These people, who participate in the risk management process infrequently or occasionally, need help and prompting about when they need to take action and what they need to do. SAP BusinessObjects Risk Management supports users in this way through the generation of workflows that remind them something needs attention in the risk management system, and provides a guided interface for executing that action. Some workflows are triggered automatically by an event in the system such as submitting an incident or proposing a new risk. In other cases the workflow generation can be customized to suit the risk management process by using the Planner. The Planner is a tool for the Risk Manager to generate the workflows for the users and to keep track of the status of those workflows.

System Data
System: Instructor will provide to class
Client: Instructor will provide to class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Plan
1. Choose GRC Risk Management → Risk Monitoring work center and select Planner.
2. Choose the Create push-button.
3. Create a Plan for a Risk Response Update as follows:
4. Choose the Next push-button to proceed to the next step. Use the Expand All, Collapse All and Find push-buttons or click on the organization node hierarchy to navigate to the required organization unit: GRC340-XX-Org
5. Proceed to the next step in the guided procedure.
6. Select the Specific Responses radio button.
7. Highlight the required response XXXXXX and proceed to the next step.
8. View the plan selections and plan detail and then proceed to the next step.
9. Activate the Plan.
10. Finish and return to the Planner summary window.


Solution 26: Create a Plan
Task: Create a Plan
1. Choose GRC Risk Management → Risk Monitoring work center and select Planner.
   a) This opens a popup window that displays the current plans.
2. Choose the Create push-button.
   a) This opens a popup window that displays the Planner Guided Procedure.
3. Create a Plan for a Risk Response Update as follows:
   a) Select the Create push-button. This opens a popup window.
   b) Plan Name: GRC340-XX-Plan
   c) Plan Activity: Perform Response Update
   d) Start Date: Today
   e) Due Date: Today plus one week
4. Choose the Next push-button to proceed to the next step. Use the Expand All, Collapse All and Find push-buttons or click on the organization node hierarchy to navigate to the required organization unit: GRC340-XX-Org
   a) Highlight the required organization unit.
5. Proceed to the next step in the guided procedure.
   a) Choose the Next pushbutton.
6. Select the Specific Responses radio button.
   a) The available responses display in the window.
7. Highlight the required response XXXXXX and proceed to the next step.
   a) The response is highlighted. Choose the Next pushbutton to move to the next step in the guided procedure.
8. View the plan selections and plan detail and then proceed to the next step.
   a) Choose the Show Details pushbutton. Choose the Close pushbutton to return to the summary. Choose Next to proceed to the next step.
9. Activate the Plan.
   a) Choose the Activate Plan pushbutton. This moves to the next step.
10. Finish and return to the Planner summary window.
   a) Choose Finish to return to the summary window.


Lesson Summary
You should now be able to:
• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner


Unit Summary
You should now be able to:
• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner


Unit 8 My Home


Unit Overview
In this unit you will learn the variety of tasks and functions available in the SAP BusinessObjects Risk Management My Home work center.

Unit Objectives
After completing this unit, you will be able to:
• Explain the use of the Work Inbox
• Execute a task in the Work Inbox
• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident
• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard
• Explain the use of the Document Search
• Search for a document using the Document Search

Unit Contents
Lesson: Work Inbox ... 281
Procedure: Executing a task in the Work Inbox ... 283
Lesson: Ad Hoc Tasks ... 288
Procedure: Task: Propose a Risk ... 289
Procedure: Task: Report an Incident ... 290
Exercise 27: Propose a Risk ... 291
Exercise 28: Report an Incident ... 293
Lesson: Reports and Analytics ... 296
Procedure: Task: Run a Report ... 297
Procedure: Task: View Analytics Dashboard ... 299
Exercise 29: Run a Report ... 301
Exercise 30: View a Dashboard ... 303
Lesson: Document Search ... 306


Lesson: Work Inbox
Lesson Duration: 10 Minutes

Lesson Overview
In this lesson you will learn about the tasks and activities available in the Work Inbox of the My Home work center.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the use of the Work Inbox
• Execute a task in the Work Inbox

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
Those who participate in the risk management process often do so because of a particular task or role they have in the organization. Most of the time they need only go to that area of the system to execute the tasks assigned to them. The SAP BusinessObjects Risk Management Work Inbox contains, for each user, the tasks and actions assigned specifically to them. The user need only click on the instruction in the Work Inbox and they will immediately access a guided procedure that assists them in executing the steps needed to complete the action.

What is the Work Inbox?
SAP BusinessObjects Work Inbox supports the following types of workflows:
• Validate Activity
• Validate Opportunity
• Validate Proposed Risk
• Validate Risk
• Validate Response
• Validate Incident
• Risk Analysis (referred to elsewhere as Risk Assessment)
• Opportunity Analysis (referred to elsewhere as Opportunity Assessment)
• Response Update
• Notification of assignment as Response Owner

There are six available validation types: Validate Activity, Validate Risk, Validate Proposed Risk, Validate Opportunity, Validate Response and Validate Incident. Validation is the term the system uses for “approvals”, that is, for applying a four-eyes principle to the risk management process.
• Risk Validation: Used to approve an individual risk.
• Opportunity Validation: Used to approve an individual opportunity.
• Activity Validation: Used to approve a collection of risks under the umbrella grouping of an activity, which could include one or more risks and opportunities (for example, project, initiative, strategy).
• Proposed Risk Validation: Used to approve a risk that has been proposed prior to it being formally accepted into the risk portfolio.
• Response Validation: Used to approve a response prior to it being formally accepted as an action or task.
• Incident Validation: Used to approve a reported incident prior to it being formally accepted into the incident database.

There are three types of assessment: Risk Analysis, Opportunity Analysis and Response Update. An analysis is the review and update of the qualitative or quantitative assessment of the risk in terms of its probability and impact for inherent risk, residual risk and planned residual risk, and it includes review and update of responses.
• Risk Analysis: Used to update risk analysis and responses.
• Opportunity Analysis: Used to update opportunity analysis and enhancement plans.
• Response Update: Used to update the details of the response to a risk. No changes are made to the risk itself.

There is one type of notification:
• Response Owner: Used to notify a user that they have been assigned as a Response Owner for a particular response. The Response can be updated and submitted from the workflow link. In this sense it is the same action as Response Update.


Executing a task in the Work Inbox

Figure 71: Work Inbox

1. Choose GRC Risk Management → My Home work center → Work Inbox. This opens a popup window that displays the work inbox.
2. Select the work item to be executed by clicking on the item in the Subject display column. This opens a popup window that displays the task to be executed.

Figure 72: Perform Risk Analysis - Analyze Risk

3. Step 1 - Analyze Risk. Enter Risk Analysis updates (as per Unit 4 Risk Analysis) as follows:
   1. Probability: XX%
4. Select the Impact Category Allocation pushbutton. A popup window displays the impact categories.
5. Enter Impact.
6. Select the Further Mitigations radio button: Yes. The task moves to the next step. NB: If No is selected, the Further Mitigations step is skipped.

Figure 73: Perform Risk Analysis - Assign Mitigations

7. Step 2 - Assign Mitigations


8. Enter Risk Response updates (as per Unit 5 Risk Response) as follows:
   1. Select the Open pushbutton to open the response.
      a) Enter updated details.
   2. Select the Remove pushbutton to remove obsolete responses. NB: This can only be performed if the response is in status Draft.
   3. Select the Create pushbutton to create either a new response or propose a new control.
   4. Select the Assign pushbutton to assign a response or control to the risk.
   5. Enter/Update Probability Reduction: XX%
   6. Select the Impact Category Allocation pushbutton to update the reduction (mitigation effect) information. Select the OK pushbutton to return to the previous window.
9. Choose the Next pushbutton.

Figure 74: Perform Risk Analysis - Review

10. The updated Risk Analysis is displayed for review. Select the Finish pushbutton to complete the risk update, or select the Previous pushbutton to return to a previous step.


Figure 75: Perform Risk Analysis

11. Choose the Close pushbutton. This completes the task and moves to Step 3 Review of the guided procedure.
12. The Work Inbox displays. Choose the Refresh pushbutton to refresh the task list. Completed tasks disappear.
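The inherent, residual and planned residual views that a Risk Analysis task maintains, together with the Probability Reduction and impact reduction values entered in the Assign Mitigations step above, as an added example written for this page (it is not SAP code and does not reproduce how SAP BusinessObjects Risk Management combines response effects, which the page does not state). The multiplicative model, the response status names and the sample risk are assumptions; only the rule that a Draft response is still removable, and therefore not yet counted, is taken from the procedure:

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical response statuses for this example. A Draft response can still be
# removed (procedure step 8.2), so it is not counted in either residual view.
COUNTS_AS_IMPLEMENTED = {"Completed"}
COUNTS_AS_PLANNED = {"Completed", "In Process", "Planned"}

@dataclass
class Response:
    name: str
    status: str
    probability_reduction: float                   # percent, as entered in Assign Mitigations
    impact_reduction: Dict[str, float] = field(default_factory=dict)  # percent per impact category

@dataclass
class RiskAnalysis:
    probability: float                             # inherent probability in percent
    impact: Dict[str, float]                       # inherent impact per impact category (currency units)
    responses: List[Response] = field(default_factory=list)

def _apply(probability: float, impact: Dict[str, float], responses: List[Response]) -> dict:
    # Assumed model: each response scales the remaining probability and the affected
    # impact categories by (1 - reduction%), so reductions combine multiplicatively.
    for response in responses:
        probability *= 1 - response.probability_reduction / 100
        for category, reduction in response.impact_reduction.items():
            if category in impact:
                impact = {**impact, category: impact[category] * (1 - reduction / 100)}
    return {
        "probability": round(probability, 2),
        "impact": {category: round(value, 2) for category, value in impact.items()},
        "expected_loss": round(probability / 100 * sum(impact.values()), 2),
    }

def analyze(risk: RiskAnalysis) -> Dict[str, dict]:
    # The three views the Risk Analysis task keeps: inherent (no responses),
    # residual (implemented responses) and planned residual (all non-Draft responses).
    implemented = [r for r in risk.responses if r.status in COUNTS_AS_IMPLEMENTED]
    planned = [r for r in risk.responses if r.status in COUNTS_AS_PLANNED]
    return {
        "inherent": _apply(risk.probability, risk.impact, []),
        "residual": _apply(risk.probability, risk.impact, implemented),
        "residual_planned": _apply(risk.probability, risk.impact, planned),
    }

# Constructed sample: the non-preferred-vendor risk of the KRI unit with three responses.
SAMPLE_RISK = RiskAnalysis(
    probability=40.0,
    impact={"Financial": 500_000.0, "Reputation": 100_000.0},
    responses=[
        Response("Vendor master review", "Completed", 25.0, {"Financial": 20.0}),
        Response("Preferred-vendor catalogue", "Planned", 40.0, {"Financial": 50.0, "Reputation": 50.0}),
        Response("Idea: renegotiate contracts", "Draft", 90.0, {"Financial": 90.0}),
    ],
)

if __name__ == "__main__":
    for view, values in analyze(SAMPLE_RISK).items():
        print(f"{view:17} probability={values['probability']:5.1f}%  "
              f"expected loss={values['expected_loss']:,.0f}")
```

For the sample risk the completed review brings the probability from 40% to 30% and the expected loss from 240,000 to 150,000; the planned catalogue would bring them to 18% and 45,000, while the Draft idea changes nothing until it is accepted. Whatever model a real implementation uses, keeping the three views separate is what lets a reviewer see the gap between the mitigation that exists and the mitigation that is merely planned.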


Lesson Summary
You should now be able to:
• Explain the use of the Work Inbox
• Execute a task in the Work Inbox

Related Information
• [Enter an optional reference using the URL tag to additional information that learner may find useful. Examples include websites or whitepapers. Delete if not used.]


Lesson: Ad Hoc Tasks
Lesson Duration: 5 Minutes

Lesson Overview
In this lesson you will learn about the tasks Propose a Risk and Report an Incident available in the My Home work center.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
Businesses have an operational need to allow employees to easily participate in the risk management process. Those who are closest to risks are best able to identify and manage them. Tasks such as proposing a risk should be made as easy as possible for employees. The SAP BusinessObjects Risk Management My Home Propose a Risk functionality supports the easy entry of risks into the system. Similarly, being able to easily record when an incident occurs should encourage employees to make this information available. Maintaining complete and accurate information about incidents contributes to improved decision-making about where the business is vulnerable to risks, so that it is better able to allocate scarce resources to mitigate them. The SAP BusinessObjects Risk Management My Home Report an Incident functionality supports the easy reporting of incidents into the system. Incident Attributes are used to provide granularity to incident reporting and can be used as part of a root cause analysis exercise.


Task: Propose a Risk

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Propose a Risk. This opens a popup window that displays the Propose a Risk window.

Figure 76: Create a Risk Proposal

2. To create a new proposed risk, enter the details in the template:
   1. Name: XXXX
   2. Organization Unit: Choose from available organizational unit nodes using the dropdown picklist.
   3. Activity: (optional) Choose from available activities using the dropdown picklist.
   4. Description: Free text to fully describe the risk.
   5. Select the Submit pushbutton to save the risk proposal. NB: Cancel abandons the entry process.


Task: Report an Incident

Figure 77: Report an Incident

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Report an Incident. This opens a popup window that displays the Report an Incident window.
2. To create a new incident report, enter the details in the template:
   1. Incident Name: Free text to describe the incident
   2. Organization Unit: Choose from available organizational unit nodes using the dropdown picklist.
   3. Incident Date: XX/XX/XX
   4. Detection Date: XX/XX/XX
   5. Description: Free text to fully describe the incident
      a) Depending on system settings the Incident Attributes will display and may include default values.
      b) Attribute Severity: Select from dropdown picklist.
      c) Attribute Cause of Incident: Select from dropdown picklist.
      d) Attribute Recommendation: Select from dropdown picklist.
3. Select the Submit pushbutton to save the reported incident.


Exercise 27: Propose a Risk
Exercise Duration: 5 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Propose a Risk

Business Example
Businesses have an operational need to allow employees to easily participate in the risk management process. Those who are closest to risks are best able to identify and manage them. Tasks such as proposing a risk should be made as easy as possible for employees. The SAP BusinessObjects Risk Management My Home Propose a Risk functionality supports the easy entry of risks into the system.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Propose a Risk
1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Propose a Risk.
2. To create a new proposed risk, enter the details in the template:
3. Select the Submit pushbutton to save the risk proposal.


Solution 27: Propose a Risk
Task: Propose a Risk
1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Propose a Risk.
   a) This opens a popup window that displays the Propose a Risk window.
2. To create a new proposed risk, enter the details in the template:
   a) Name: GRC340-XX-Prop
   b) Organization Unit: GRC340-XX-Org
   c) Risk Category: GRC340-XX-Cat
   d) Description: GRC340-XX-Proposal
3. Select the Submit pushbutton to save the risk proposal.
   a) Risk Proposal saved.


Exercise 28: Report an Incident
Exercise Duration: 5 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Report an Incident

Business Example
When an incident occurs, employees should be encouraged to make this information available. Maintaining complete and accurate information about incidents contributes to improved decision-making about where the business is vulnerable to risks, so that it is better able to allocate scarce resources to mitigate them. The SAP BusinessObjects Risk Management My Home Report an Incident functionality supports the easy reporting of incidents into the system. Incident Attributes are used to provide granularity to incident reporting and can be used as part of a root cause analysis exercise.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Report an Incident
1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Report an Incident.
2. To create a new incident report, enter the details in the template:
3. Select the Submit pushbutton to save the incident.


Solution 28: Report an Incident
Task: Report an Incident
1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Report an Incident.
   a) This opens a popup window that displays the Report an Incident window.
2. To create a new incident report, enter the details in the template:
   a) Incident Name: GRC340-XX-Incident
   b) Organization Unit: GRC340-XX-Org
   c) Incident Date: XX/XX/XX
   d) Detection Date: XX/XX/XX
   e) Description: GRC340-XX-Incident
      1. Depending on system settings the Incident Attributes will display and may include default values.
      2. Attribute Severity: Select from dropdown picklist.
      3. Attribute Cause of Incident: Select from dropdown picklist.
      4. Attribute Recommendation: Select from dropdown picklist.
3. Select the Submit pushbutton to save the incident.
   a) Incident is saved.


Lesson Summary
You should now be able to:
• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident


Lesson: Reports and Analytics
Lesson Duration: 5 Minutes

Lesson Overview
In this lesson you will learn about the Reports and Analytics work center available in the My Home work center.

Lesson Objectives
After completing this lesson, you will be able to:
• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
The Reports and Analytics work center in My Home includes a subset of the reports and dashboards available in the main Reporting and Analytics work center. This functionality allows a user to quickly access the reports and dashboards that are relevant for their area of responsibility. This streamlines the risk process and improves worker efficiency.


Task: Run a Report

1. Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Top Risks. This opens a popup window that displays the report Input Selection window.

Figure 78: Report Input Selection

2. Enter the selection parameters to run the report:
   1. Period:
   2. Year:
   3. Currency:
   4. Risk Classification:
   5. Organization:
   6. Activity:
   7. Report Settings:
      a) Bypass Buffer: checkbox
3. Select the Display Report pushbutton to run the report, or select the Schedule a Report pushbutton to schedule when the report should be run.


Figure 79: Report - Schedule GRC Report

4. Enter the parameters for scheduling the report:
   1. To:
   2. CC:
   3. Subject:
   4. Message:
   5. User Name:
   6. Password:
   7. Enable Email Notification: checkboxes: Success, Failure
   Hint: The user name and password entered here are used by the scheduled job when it runs. Use a dedicated background user that has only the authorizations the report needs, rather than a personal account.
5. Select the Schedule Report pushbutton to execute the scheduling of the report.


Task: View Analytics Dashboard

Figure 80: Analytics Dashboard

1. Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Analytics Dashboard. This opens a popup window that displays the dashboard and shows the data based on default values.
2. Select:
   1. Organization Unit: dropdown picklist
   2. Time Frame: dropdown picklist
   3. Year: dropdown picklist


Exercise 29: Run a Report
Exercise Duration: 5 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Run a Report

Business Example
The Reports and Analytics work center in My Home includes a subset of the reports and dashboards available in the main Reporting and Analytics work center. It is therefore a convenient means of quickly accessing reports. This functionality allows a user to quickly access the reports and dashboards that are relevant for their area of responsibility. This streamlines the risk process and improves worker efficiency.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Run a Report

1.

Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Run a Report.

2.

Select parameter to run the report immediately using default values.

Solution 29: Run a Report
Task: Run a Report

1.

Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Run a Report.
   a) This opens a popup window that displays the Report Input Selection window.

2.

Select parameter to run the report immediately using default values.
   a) Select the Run Report pushbutton. The report output displays in a popup window.

Exercise 30: View a Dashboard
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• View a Dashboard

Business Example
The Report and Analytics work center includes a subset of reports and dashboards available in the main Reporting and Analytics work center. It is therefore a convenient means of quickly accessing dashboards. This functionality allows a user to quickly access reports and dashboards that are relevant for their area of responsibility. This streamlines the risk process and improves worker efficiency.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:
1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: View Dashboards

1.

Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Analytics Dashboard.

2.

Use the available dropdown picklists on the dashboard to adjust the selection parameters.

Solution 30: View a Dashboard
Task: View Dashboards

1.

Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Analytics Dashboard.
   a) This opens a popup window that displays the Analytics Dashboard.

2.

Use the available dropdown picklists on the dashboard to adjust the selection parameters.
   a) The output adjusts on selection changes.

Lesson Summary
You should now be able to:
• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard

Lesson: Document Search
Lesson Duration: 5 Minutes

Lesson Overview
In this unit you will learn the tasks and activities available in the My Home work center.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the use of the Document Search
• Search for a document using the Document Search

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example [Enter a business example that helps the learner understand the practical business use of this lesson.] [Enter a title and the conceptual information about this lesson in this section. You can also include additional sections, graphics, demonstrations, procedures, and/or simulations.

Lesson Summary
You should now be able to:
• Explain the use of the Document Search
• Search for a document using the Document Search

Related Information
• [Enter an optional reference using the URL tag to additional information that learner may find useful. Examples include websites or whitepapers. Delete if not used.]

Unit Summary
You should now be able to:
• Explain the use of the Work Inbox
• Execute a task in the Work Inbox
• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident
• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard
• Explain the use of the Document Search
• Search for a document using the Document Search

Unit 9: Roles and Authorizations

Unit Overview
In this unit you will learn the way in which roles and authorizations are handled in SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:
• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement

Unit Contents
Lesson: Roles and Authorizations

Lesson: Roles and Authorizations
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how roles and authorizations are handled in SAP BusinessObjects Risk Management 3.0.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example
The risk management process works well when all participants know and understand their particular role and are able to execute accordingly. SAP BusinessObjects Risk Management supports this through delivery of standard business roles applicable to risk management and through an authorization concept that allows users to interact with the system according to their role. This ensures that users are given appropriate system access, which maintains confidentiality of data and supports a streamlined system interaction.

What are Roles and Authorizations?
Authorizations for an end-user to view and change risk management information are determined in 3 areas:
• SAP NetWeaver back-end
• Risk Management application
• SAP Enterprise Portal

Roles and Authorizations management extends SAP’s Users and Roles Management from SAP NetWeaver to provide additional flexibility for the end-user.

SAP Roles Overview
The Roles and Authorizations model from Risk Management includes 3 different areas.

SAP NetWeaver back-end - Technical SAP Roles are maintained to operate the Risk Management application. Transaction PFCG defines Risk Management specific roles such as Risk Manager or Risk Owner. These roles contain the information about which actions and entities an end-user is allowed to perform once he/she is assigned the role. For example, Risk Owner (Business Role) can create and edit (actions) a risk (entity).

Risk Management application - Use the web front-end of the application to assign end-users to Business User roles and to entities such as risks, opportunities, and organizations. In the example above, Mr. Miller is assigned to be Risk Manager for Organization Unit ABC.

SAP Enterprise Portal - The portal role assigned to the end-user determines how and where the Risk Management specific information, such as the order and number of visible work centers, is presented.

The following SAP Roles are applicable for the Risk Management application:

Role                        Authorization
SAP_GRC_FN_BASE             Technical base role
SAP_GRC_FN_ALL              All authorizations
SAP_GRC_FN_DISPLAY          View-only authorizations
SAP_GRC_FN_BUSINESS_USER    Authorization dependent on Business User Role assigned to user

The SAP Roles listed above contain the basic authorizations to operate the Risk Management application.

A system administrator can use transaction PFCG in SAP User and Role Management to modify these role definitions:
• FN_BASE: the basic (minimal) technical role required to operate the Risk Management application. This role contains all necessary authorizations to make the necessary customizing settings in IMG for the Risk Management application. This role does not contain any authorizations for the portal interface.
• FN_ALL: contains authorization for administrative functions in IMG customizing, as well as power user authorization in the application. When this role is assigned to a user, the user becomes a power user.
• FN_DISPLAY: enables an end-user with this role to display all risk management information. This role is useful for external auditors who wish to check the system settings and view content, but should not be able to make changes to the application.
• FN_BUSINESS_USER: authorizes the user to perform actions only on assigned entities in risk management.

Note: The rest of this lesson will explain this concept.

Business Unit Roles Overview
Unit Risk Manager (SAP_GRC_RM_API_RISK_MANAGER)

Actions/Entity   ACTIVITY   RISK   INCIDENT
Create           X          X      X
Read             X          X      X
Update           X          X      X
Delete           X          X

Note: X = Authorization granted to role

The table above shows the structure of a sample role. A user assigned to the Business User role of Unit Risk Manager is permitted to view (read), create, change (update) and delete risks and activities, for example, projects and processes in the application, but cannot delete an incident once it is created. A customer may use this structure to ensure segregation of duties for the application.

Note: Authorization for “create”, “update”, “delete” always implies a “Read” authorization for the corresponding entity. Transaction SE11 in the back-end can be used to view the list of available entities for SAP BusinessObjects Risk Management in database table GRCFNENTITY.

A set of sample roles is delivered as Business Content for the application. SAP User and Role Management transaction PFCG can be used to modify the sample roles and create new roles.

Business User Roles in PFCG
Business user roles and authorization profiles are created and maintained in transaction PFCG. In addition to action (Activity), and entity, a Data Part can be maintained to allow an even more granular authorization for entities. Examples of Data Parts are DATA and ROLES_RM for an organizational unit (see above), which determine that the user is authorized to change data such as Name, Description or the organization, as well as the assigned risk management roles, such as CEO or CFO, for an entity. You can use transaction SE11 to review the list of available Data Parts per entity in database table GRCFNDATAPART. Sub-entity allows further distinction of entities. As this feature is primarily used by SAP BusinessObjects Process Control, it is recommended to maintain “*” for Risk Management entities.

Assignment of Business User Roles to Users
Use the web interface of the Risk Management application to assign users to roles. It is possible to assign multiple users to a role, depending on the customizing settings for GRC Authorizations in IMG. The Roles tab enables assignment of users to roles, replacement of an assigned user with a different user, or removal of a user from a role. In general, available users are derived from information maintained in SAP User & Role Management, transaction SU01 and subsequent. The exception is Second-Level Authorizations.

Maintain Relevant Roles for Entities
The list of available roles for an entity is derived from the Entity Roles Assignment maintenance in IMG Customizing, SPRO → GRC Risk Management → General Settings → Maintain Entity Role Assignment. The Unique flag in customizing allows you to determine the assignment of roles and names. When set, only one user can be assigned to the role for the entity. If the flag is not set then multiple users can be assigned to a role.

2nd Level Authorizations for Business Roles
The concept of second level authorizations was introduced to support segregation of duties conflicts.

Once set in the IMG customizing

Special Authorizations

Actions               Description
Reporting (PRINT)     Enables print reporting
Reporting (DISPLAY)   Enables online reporting
Post                  Enables “Ad-hoc Tasks”, such as “Record an Incident” or “Propose a Risk”
Own Delegation        Allows delegation of own authorizations
Central Delegation    Allows central maintenance of delegations

In contrast to Create, Read, Update and Delete authorization, which is granted for a specific entity (through assignment), some special authorizations can be granted for a role. These actions are not limited to a specific entity, but enable functionality for a role, taking the individual authorization of an entity into account. For example, once Reporting (DISPLAY) authorization is granted for a Unit Risk Manager, the assigned user can run online reports for the Risk Management application (special authorization). Once executed, the report takes entity-specific authorizations into account; for example, the report shows only the risks (entities) to which the user is assigned.
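The Business User role concept above (the Unit Risk Manager CRUD matrix, the rule that Create/Update/Delete imply Read, and special authorizations that are granted per role while entity-specific authorization still filters what a report shows) as a small Python model. This is an added example, not code from the course or from the SAP application; the user names, entity IDs, the Z_SAMPLE_RISK_EDITOR role and the special-authorization values are constructed.

```python
from typing import Dict, List, Set, Tuple

# Actions granted per entity type, following the Unit Risk Manager table (X = granted).
# Z_SAMPLE_RISK_EDITOR is a constructed role with only Update maintained, to show
# that Read is implied by Create/Update/Delete.
ROLE_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "SAP_GRC_RM_API_RISK_MANAGER": {
        "ACTIVITY": {"create", "read", "update", "delete"},
        "RISK": {"create", "read", "update", "delete"},
        "INCIDENT": {"create", "read", "update"},  # no Delete for incidents
    },
    "Z_SAMPLE_RISK_EDITOR": {"RISK": {"update"}},
}

# Special authorizations are granted per role, not per entity (constructed values).
SPECIAL_AUTH: Dict[str, Set[str]] = {
    "SAP_GRC_RM_API_RISK_MANAGER": {"REPORTING_DISPLAY", "OWN_DELEGATION"},
}

# Constructed entity assignments (user, role, entity type, entity id): what the
# Roles tab of an entity records when a user is assigned to a Business User role.
Assignment = Tuple[str, str, str, str]
ASSIGNMENTS: List[Assignment] = [
    ("MILLER", "SAP_GRC_RM_API_RISK_MANAGER", "RISK", "RISK-001"),
    ("MILLER", "SAP_GRC_RM_API_RISK_MANAGER", "ACTIVITY", "ACT-010"),
    ("MILLER", "SAP_GRC_RM_API_RISK_MANAGER", "INCIDENT", "INC-007"),
    ("SMITH", "Z_SAMPLE_RISK_EDITOR", "RISK", "RISK-002"),
]


def roles_for_entity(user, entity_type, entity_id, assignments=ASSIGNMENTS) -> Set[str]:
    """Business User roles the user holds for one specific entity."""
    return {role for (u, role, et, eid) in assignments
            if u == user and et == entity_type and eid == entity_id}


def is_authorized(user, action, entity_type, entity_id, assignments=ASSIGNMENTS) -> bool:
    """Entity-specific check: the user must be assigned to a role for this entity and
    that role must grant the action for the entity type.  Read is implied by any of
    Create/Update/Delete, as the lesson notes."""
    action = action.lower()
    for role in roles_for_entity(user, entity_type, entity_id, assignments):
        granted = ROLE_MATRIX.get(role, {}).get(entity_type, set())
        if action in granted:
            return True
        if action == "read" and granted & {"create", "update", "delete"}:
            return True
    return False


def has_special_auth(user, special, assignments=ASSIGNMENTS) -> bool:
    """Role-level check: a special authorization comes with the role itself, so any
    role the user holds for any entity is enough; no entity is involved."""
    roles = {role for (u, role, _, _) in assignments if u == user}
    return any(special in SPECIAL_AUTH.get(r, set()) for r in roles)


def report_entities(user, entity_type, all_ids, assignments=ASSIGNMENTS) -> List[str]:
    """Online report: needs Reporting (DISPLAY) on a role, then lists only the
    entities the user is authorized to read (entity-specific authorization applied)."""
    if not has_special_auth(user, "REPORTING_DISPLAY", assignments):
        return []
    return [eid for eid in all_ids
            if is_authorized(user, "read", entity_type, eid, assignments)]


if __name__ == "__main__":
    print(is_authorized("MILLER", "delete", "RISK", "RISK-001"))        # True
    print(is_authorized("MILLER", "delete", "INCIDENT", "INC-007"))     # False
    print(is_authorized("SMITH", "read", "RISK", "RISK-002"))           # True (implied)
    print(report_entities("MILLER", "RISK", ["RISK-001", "RISK-002"]))  # ['RISK-001']
```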

Effects of User-Role Assignment
There are three immediate effects once a user is assigned to a role for an entity or object such as a risk or organization:
1. Authorization for the object and below is granted per Business User role definition. For example, Mr. Smith can Display, Update, and Delete (per role definition) the Risk 123.
2. The user receives relevant workflows depending on the Business Event setup.
3. Menu items become visible to access the information from the web interface of the Risk Management application in the SAP Enterprise Portal. In the example above, the Risk and Opportunity Management start pages give Mr. Smith the required entry point to the application.

Business Events
Business Events define the recipients of a workflow task by mapping the workflow to one or multiple recipient roles.

Business Events allow flexible adjustment of the workflow task to company-specific characteristics, such as approval and validation processes. The diagram below shows the general structure of a Business Event in the SAP BusinessObjects Risk Management 3.0 application.

Figure 81: Business Events

Business Event Customizing
The table below provides an overview of customizing options for Business Events available in Risk Management IMG. The lists of available

Portal Role
• The Portal Role maintained in SAP Enterprise Portal defines where and how the Risk Management content is presented to the end-user
• Each end-user needs to have a Portal Role assigned to access the Risk Management application

A default portal role, com.sap.grc.rm.Role_All, for the Risk Management application is shipped as SAP Enterprise Portal Content. The role can be copied and/or adjusted to match the target portal and information structure, for example, remove or rename tabs from the default role. Note: The number and visibility of the menu entries in the start pages of the Risk Management application is derived from the Business User roles that are assigned to the end-user.

Figure 82: Work Center structure is derived from assigned SAP Enterprise Portal role. Visibility of menu items is per assigned Business User role (authorizations).

Delegation
• Delegation allows a user to act as delegate in the Risk Management application for a second user
• The delegate works on behalf of the second user, including all authorizations and workflow assignments
• Delegation can be given for own authorization or defined centrally depending on the Special Authorization assigned to the Business User role

In the default SAP Enterprise Portal role the entries for Central and Own Delegation can be found in the “User Access” Work Center. The delegation concept is primarily targeted at temporary redistribution and reassignment of work, for example, during vacation or maternity leave of an employee. It also supports a permanent delegation of authorizations that might be applicable for some roles, for example, an Executive Assistant acting on behalf of the CEO/CFO in the risk management application. These applications allow the definition of delegates through a step-by-step procedure. The delegate can change the authorization he is currently working with by using “Change Delegation” on the upper right side of the Risk Management start pages. “Own Delegation” allows the definition of own delegates whereas “Central Delegation”

Figure 83: GRC Risk Management

Figure 84: Changing Delegation

Figure 85: User Access Delegation

Replacement
• Replacement allows the permanent removal and reassignment of existing authorizations

Replacement provides the ability to permanently remove a user and his authorizations from the Risk Management application and reassign them to one or multiple users. In contrast to the Removal of a user (see the Roles tab page for authorization-relevant entities), where the authorization assignment is delimited without reassigning it, the Replacement mechanism automatically transfers all authorizations for an object from the Effective Date onwards to one or more replacements, including the rerouting of workflow items. The replacements can be accessed in the default SAP Enterprise Portal role from User Access - Replacement/Removal, as well as from the Roles tab page for authorization-relevant entities, such as risks and activities.

Figure 86: GRC Risk Management User Access

Figure 87: GRC Risk Management Replace or Remove User

Ticket Based Authorization
• Ticket-Based Authorization (TBA) ensures that the recipient is granted sufficient authorization to successfully complete a workflow task
• The (additional) authorization is assigned temporarily, as long as the workflow item is available in the recipient’s Work Inbox

To avoid “deadlock” situations where a workflow recipient is asked to complete a task but the recipient’s assigned role does not have sufficient authorizations to complete the workflow item, the concept of “Ticket-Based Authorization” was added to the product.
• Ticket-Based Authorization ensures that workflow recipients are temporarily granted sufficient authorization to complete a workflow task for the relevant entity (for example, risk or opportunity)
• When the workflow item is completed, the authorization for the entity is removed from the user (One-Time Ticket)
• Ticket-Based Authorization minimizes the setup, customizing, and maintenance effort required to operate the Risk Management application
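Delegation, Removal versus Replacement, and Ticket-Based Authorization as operations on one assignment store, showing what each does to the set of entities a user may act on and to open workflow items. This is an added Python model, not code from the course or from the SAP application; users, entity IDs, workflow item IDs and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample dates.
TODAY = date(2010, 6, 1)
EFFECTIVE = date(2010, 7, 1)  # effective date of a Replacement or Removal


@dataclass
class Assignment:
    """One user-role assignment for one entity, as recorded on the entity's Roles tab."""
    user: str
    role: str
    entity: str                        # constructed entity id, e.g. "RISK-001"
    valid_from: Optional[date] = None  # set on assignments created by a Replacement
    valid_to: Optional[date] = None    # set when the assignment is delimited


@dataclass
class AuthStore:
    """Assignments, delegations, open workflow items and one-time tickets."""
    assignments: List[Assignment] = field(default_factory=list)
    workflow_items: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # item -> (recipient, entity)
    delegations: Dict[str, str] = field(default_factory=dict)  # delegate -> user acted for
    tickets: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # item -> (holder, entity)

    def entities_of(self, user: str, on: date) -> Set[str]:
        """Entities the user may act on: own assignments valid on the date, the
        delegator's assignments while acting as delegate, and open one-time tickets."""
        acting_as = {user, self.delegations.get(user, user)}
        direct = {a.entity for a in self.assignments
                  if a.user in acting_as
                  and (a.valid_from is None or on >= a.valid_from)
                  and (a.valid_to is None or on < a.valid_to)}
        ticketed = {entity for (holder, entity) in self.tickets.values() if holder == user}
        return direct | ticketed

    def delegate(self, delegate: str, for_user: str) -> None:
        """Delegation: the delegate works on behalf of for_user with all of that
        user's authorizations; nothing is taken away from for_user."""
        self.delegations[delegate] = for_user

    def remove_user(self, user: str, effective: date) -> None:
        """Removal: delimit the user's assignments without reassigning them."""
        for a in self.assignments:
            if a.user == user and a.valid_to is None:
                a.valid_to = effective

    def replace_user(self, user: str, replacements: List[str], effective: date) -> None:
        """Replacement: delimit the user's assignments, transfer every entity to the
        replacements from the effective date, and reroute the user's workflow items."""
        for a in [a for a in self.assignments if a.user == user and a.valid_to is None]:
            a.valid_to = effective
            for r in replacements:
                self.assignments.append(Assignment(r, a.role, a.entity, valid_from=effective))
        for item, (recipient, entity) in list(self.workflow_items.items()):
            if recipient == user:
                self.workflow_items[item] = (replacements[0], entity)

    def send_workflow_item(self, item: str, recipient: str, entity: str, on: date) -> None:
        """Deliver a task to a Work Inbox.  If the recipient's roles do not cover the
        entity, issue a one-time ticket so the task cannot deadlock."""
        self.workflow_items[item] = (recipient, entity)
        if entity not in self.entities_of(recipient, on):
            self.tickets[item] = (recipient, entity)

    def complete_workflow_item(self, item: str) -> None:
        """Completing the task removes it from the inbox and revokes its ticket."""
        self.workflow_items.pop(item, None)
        self.tickets.pop(item, None)
```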

Figure 88: Sample of delivered authorization profile and Business Events for the role.

Sample Business User Roles
The table below gives an overview of sample Business User roles that are delivered as Business Content for the Risk Management application. Use transaction PFCG to review the detailed authorization profiles delivered for the sample roles. Please note that the given description varies for each risk management organization, so this table can be seen only as a sample definition reflecting the delivered authorization profile and Business Events for the role.

Lesson Summary
You should now be able to:
• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement

Unit Summary
You should now be able to:
• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement

Course Summary
You should now be able to:
• Identify risks and opportunities in a business environment
• Run the various types of risk analysis
• Add responses to risks
• Show what a Key Risk Indicator is and how SAP BusinessObjects Risk Management uses them.

Feedback
SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.
