Overview of SAP BusinessObjects Risk Management 10.0
Applies to: SAP BusinessObjects Risk Management 10.0, SAP NetWeaver 7.0, Enhancement Package 2. For more information, visit the Governance, Risk, and Compliance homepage
Summary: SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best-practice management frameworks. This article provides a high-level understanding of SAP GRC Risk Management 10.0 and its Assessments work center. It is compiled from the information available on various SAP sites and from the expert sessions on GRC 10.0.
Author: Charukesh R Gaikwad
Company: KPMG India
Created on: 10 May 2011
Author Bio: Charukesh Gaikwad is working as an SAP GRC Consultant in KPMG ERP Advisory Services.
SAP COMMUNITY NETWORK © 2011 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 1
Table of Contents
Risk Management 10.0: Introduction
  New and Enhanced Features: Release Notes
  New Focus Areas
Risk Management 10.0: Landscape
Risk Terminology in GRC 10.0
Risk Management Process
Workflows in Risk Management 10.0
  Event-based workflows
  Planner-based workflows
Integration
  Integration with EH&S
    Analysis Automation
  Integration with Process Control 10.0
    Reusing the PC Central Process Hierarchy in RM
Assessments Work Center for Risk Management 10.0
  Risk Assessments
  Incident Management
  Scenario Management
  Surveys
  Assessment Planning
Related Content
Disclaimer and Liability Notice
Risk Management 10.0: Introduction
SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best-practice management frameworks. SAP Risk Management uses the various work centers of GRC, in which you can carry out all Risk Management activities. Risk Management 10.0 is part of the newly released SAP Governance, Risk & Compliance (GRC) 10.0, which also comprises Access Control 10.0, Process Control 10.0, and Global Trade Services.
New and Enhanced Features: Release Notes
SAP BusinessObjects Risk Management 10.0 includes the following new features and enhancements:
- Multiple stakeholders can now participate in collaborative risk assessment, which improves productivity by reducing administrative time spent conducting workshops, by aggregating participant feedback, and by documenting risk assessment results.
- The graphical view provides a visual workbench for non-experts to model risks and their relationship to business impacts and responses, and bridges the gap between risk management and the business functions of an organization.
- By allowing risks to be assigned to corporate policies and enabling procedures to be assigned as risk mitigations, integration with policy management ensures that the company is appropriately mitigating the risks required to comply with the corporate policies currently in its residual risk profile.
- Integrated issue management documents and follows up on issues identified for risks, activities, responses, opportunities and scenarios.
- The risk catalog serves as a repository for risk templates and best-practice responses to risks. The catalog distributes risks across the organization and provides a unified view on risks across the enterprise.
- The response catalog is a repository for best-practice risk responses to mitigate, transfer, and avoid risk.
- Risk scoring is a new assessment tool that uses a point-system approach to complement qualitative and quantitative risk assessment methods, making it easier for non-experts to assess risk.
- Enhanced overview dashboards provide greater usability and aggregation capabilities when analyzing loss structure and reviewing risks.
New Focus Areas: (diagram not reproduced here; source: SAP GRC Solutions 10.0: Live Expert Sessions)
Risk Management 10.0: Landscape
The GRC 10.0 suite runs on AS ABAP 7.02 SP6 or higher. Access Control, Process Control and Risk Management are contained in one ABAP add-on, GRCFND_A.
Source: GRC 10.0 Pre-installation Guide on SAP BPX

Front end: The front end needs a web browser or (optionally) a client installation of the NetWeaver Business Client 3.0 (NWBC). The web browser can be used to access the embedded NWBC or GRC via the NetWeaver Portal. Adobe Flash Player 10 is used for displaying dashboards, e.g. the RM heat map. SAP GUI 7.10 PL 15 or higher is required for administration or Customizing tasks; note that SAP GUI 7.20 is recommended because SAP GUI 7.10 is reaching end of maintenance. The Crystal Reports Adapter (CRA) is required for viewing GRC Crystal Reports.

Portal: The NetWeaver Portal 7.02 can be used optionally. The GRC Portal Content contains the GRC Portal UI elements used to access the GRC suite. The Portal's AS Java can host an Adobe Document Services instance, so Portal and ADS may be shared on one AS Java instance.

ERP and non-SAP business applications: The GRC solutions communicate with SAP ERP and non-SAP business applications via plug-ins. The NW function modules hold the AC functions for ERP systems without HR (the former non-HR RTA). PC-relevant features are contained in the plug-in GRCPIERP, for example for running automated controls, as are the HR-relevant functions for AC (the former HR RTA). GTS functions are part of the SLL-PI plug-in, for example for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERP. Non-SAP ERP systems can also be connected via adapters from an SAP partner company.

BI Content: NetWeaver BW can be used for reporting via the GRC BI Content. The GRC BI Content is part of BI Content 7.06; NetWeaver BW 7.02 is used for it.
SAP NetWeaver 7.02 Search & Classification: SAP NetWeaver 7.02 Search & Classification may be used for searching documents attached to objects in some GRC solutions, such as Process Control or Risk Management.

Adobe Document Services: An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms. Although it is technically optional, it is highly recommended for generating PDF reports. This can be an existing ADS instance and can be shared with other applications; the Portal's AS Java can host the ADS instance, so Portal and ADS may be shared on one AS Java instance.
Risk Terminology in GRC 10.0
Risk Management, Process Control, and Access Control share several risk-related terms. The following table gives an overview of the risk terms, their definitions and the location in the applications where they are used.

Term | Explanation | Location in application
Risk Management | SAP NetWeaver application for managing enterprise-wide risks | Entire Risk Management application
Risk | An uncertain event or condition that, if it occurs, has a negative impact on business objectives | Entire Risk Management application
Risk assessment | The evaluation of risks through definition and mitigation via responses | Assessments work center
Risk template | A template to be used for creating actual risks | Master Data work center, Risk Catalog
Primary risk | A risk used in a scenario, which has no risks influencing it | Assessments work center, Scenario Management
Top risks | A report containing user-defined risks that are very significant to management | Reports and Analytics work center, Management section
Influenced risk | A risk influenced by another risk | Assessments work center, Risks and Opportunities
Affected risk | A risk affected by a response | Assessments work center, Responses
Risk event | A risk that has not occurred | Assessments work center, Incident Management
Inherent risk | Overall risk before response | Assessments work center, Risks and Opportunities, Analysis tab of a risk
Residual risk | Overall risk after response | Assessments work center, Risks and Opportunities, Analysis tab of a risk
Proposed risk, risk proposal | A risk proposed by a casual user | My Home work center, Ad-hoc tasks
Risk appetite | Level of risk to be supported, which can be described qualitatively and quantitatively | Master Data work center, Organizations
Underlying risk | Risk defined on a lower level of the organization | Assessments work center, Risks and Opportunities
Risk category | User-defined category of risk | Master Data work center, Risks and Responses, Risk Catalog
Parent risk category | A high-level user-defined risk category | Master Data work center, Risks and Responses, Risk Catalog
Risk incident | An incident entered directly for a risk | Assessments work center, Risks and Opportunities, Risk Incidents tab, and Incident Management section
Risk level | Specifies the degree of risk using traffic-light icons | Assessments work center, Risks and Opportunities
Risk factor | Synonym of influence factor: a risk with probability and impact data attached | Assessments work center, Risks and Opportunities
Risk summary | A report summarizing all risks per period, organization, and so on | Reports and Analytics work center
Risk analysis | Analysis of one risk | Assessments work center, Risks and Opportunities, Analysis tab of a risk
Risk scenario | A scenario containing several risks to be analyzed and evaluated | Assessments work center, Scenario Management
Risk aspect | A field in reports evaluating risks. By checkmarking this field in reports, the user can see how an impact level would be rated if the risk were seen from the perspective (aspect) of a different organizational unit | Reports and Analytics work center, Risks per Organizational Unit
Risk instance | A risk template applied to an individual risk is considered an instance of the risk template, or risk instance | Assessments work center, Risks and Opportunities, Analysis tab
Local risk | The same as a risk instance | Assessments work center, Risks and Opportunities, Analysis tab
Access risk | A risk defined for Access Control, specifying the severity of an irregularity related to Segregation of Duties (SOD) | Access Management work center, Access Risk Analysis section
SOD risk | The same as an access risk | Access Management work center, Access Risk Analysis section
Risk Management Process
Workflows in Risk Management 10.0:
The Risk Management application is shipped with a set of workflows that enable collaboration on risk management activities within a company by making use of the standard SAP workflow functionality. The workflows are based on Guided Procedures that walk users through a risk management activity or process. Workflows in Risk Management are classified according to how they are triggered:

Event-based workflows
These are predefined end-to-end processes triggered by user actions such as proposing a risk. Event-based workflows are defined using business events: a business event assigns a workflow task to a recipient, and the recipients are determined by agent determination rules (agent determinators). The event-based workflows are:

Workflow name | Description | Trigger
Risk proposal | Ensures that users review a (potential) risk entered through the Propose Risk application and rework it if needed before it is stored in the risk database. | Risk proposed.
Incident validation | Ensures that users check a reported incident for completeness and accuracy before it is stored in the incident database. | Incident posted.
KRI implementation request | Ensures the proper configuration and system setup for Key Risk Indicator (KRI) related data, which should be available for risk monitoring. | KRI implementation request.
KRI localization request | Optional adjustment of an assigned KRI with respect to risk-specific settings. | KRI localization request.
Propose control (for users of both Risk Management and Process Control) | Allows users (for example, risk managers) to propose a control to mitigate a risk. The control becomes part of the regular monitoring activities in Process Control. | Risk mitigation using controls.
Planner-based workflows
These are workflows that are planned and triggered through the Risk Management Planner function. The planner-based workflows are:

Workflow name | Description
Activity validation | Allows a planner (for example, a risk manager) to obtain sign-off and confirmation on the current risk situation for an activity (such as a process, project, or company asset).
Risk validation | Enables the risk manager to obtain sign-off and confirmation on the current risk (including the assigned responses).
Opportunity validation | Enables the risk manager to obtain sign-off and confirmation on the current opportunity (including analysis and assigned enhancement plans).
Risk assessment | Supports risk managers by providing an update for risks in their areas of responsibility, by sending out risk assessment work items.
Opportunity assessment | Supports the risk manager by providing an update for opportunities, by sending out an opportunity assessment work item.
Response update | Enables risk managers and risk owners to keep track of current risk responses by sending work items to the validator's work inbox.
Integration:
Integration with EH&S
Analysis automation: Some enterprise risks are related to environmental and worker safety. SAP has a separate solution, Environment, Health and Safety Management (EH&S), where such risks are processed by solution-specific mechanisms that operational risk management lacks. Integrating EH&S using analysis automation lets you track all enterprise risks in one application (Risk Management). Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracks their probability and severity values, and copies those values to the corresponding analysis parameters according to rules predefined in Customizing. Risk managers do not need any EH&S background to create an EH&S risk assessment from a risk analysis; EH&S risk assessments are intended to be processed by an EH&S manager or other responsible user. Risk managers can use a specific report that runs in the background to track the current probability and impact levels of the EH&S-related risks they create.

Integration with Process Control 10.0: Risk templates are common to both Process Control and Risk Management. They can be defined and assigned from both the Risk Management and Process Control applications.
Source: SAP Risk Management Application Help

Reusing the PC Central Process Hierarchy in RM: You can use the central PC subprocesses as activity categories in GRC Risk Management, and the local PC subprocesses as local activities in RM. In this way a defined RM activity category can later have (local) activities assigned to it; otherwise no direct assignment of a (local) activity to the activity category is possible. This lets you structure your risk assessment and risk reporting processes, using the activity hierarchy (containing the assigned categories) primarily as a reporting structure, as an assessment structure, or as both.
Assessments Work Center for Risk Management 10.0
Risk Assessments
The Risk Assessments section is used to create activities to be evaluated for risks and opportunities, such as projects or business processes. These are assigned to the risks and opportunities that you create. Besides specifying risks and opportunities, you can also:
- Analyze the risks and enter the appropriate responses to mitigate them.
- Document risks that have occurred (called "incidents").
- Define specific risk scenarios.
- Run risk assessment surveys.

Risks and Opportunities: The Risks and Opportunities section is where you enter risks and opportunities for your organization. Both a risk and an opportunity can be defined with or without a template. Risks and opportunities are defined as follows:
- A risk is any event that can prevent management from meeting the business goals of an organization.
- An opportunity represents an uncertain event or condition that, if it occurred, would have a positive impact on business objectives. An opportunity can therefore be regarded as the positive counterpart of a risk as defined in Risk Management.

Opportunity management refers to the analysis of opportunities. The process involves the following steps:
- Identifying and documenting the opportunities in an organization.
- Analyzing the expected benefits of an opportunity.
- Viewing and understanding any possible trade-offs between risks and opportunities.

Graphical View Risk Creation: To centrally store risk-related information on an organization's risks and to simplify working with Risk Management, the application contains several functions that let you work in a graphical and easy-to-use interface. The graphical view has the following functions:
- Summary: A read-only section that provides overview information about the risk.
- Identify Risk: You define the risk with all its dependent information using drag and drop.
- Assess Risk: You assess the risk by entering or editing information about risk drivers, impacts, and other objects, which you can drag to the working area of the screen.
- Mitigate Risk: You can mitigate the risk by proposing new mitigation measures, existing responses, or controls.

Risk Responses and Enhancement Plans: A risk response is any countermeasure taken to mitigate a risk. Risk responses are planned and/or executed within the context of the given risk, with the intention of reducing the risk exposure. Documenting and managing response strategies helps to proactively manage risks in your organization. Responses can be used to lower the chance of the risk occurring (that is, the probability) or to lower the potential impact of the risk event if it occurs.
The influence of a response on the risk exposure is split into three independent factors:
- the mitigating reduction of all responses, which yields the calculated residual risk;
- a value entered for the completeness of the response (how far it has actually been implemented);
- a value entered for the effectiveness of the response.

The following three steps are essential to reducing the probability or impact of the risks defined for an organization:
- Define impact and probability data in the risk and opportunity analysis.
- Reduce the impact and probability of the risk by creating responses and controls, which lets you mitigate the risk and monitor the costs.
- Carry out a risk analysis to view the results of the mitigation measures that were implemented, and make additional resources available if necessary.
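The following is an added, illustrative model of how inherent exposure, responses and residual exposure relate; it is not code from SAP Risk Management, and the page does not state SAP's actual scoring formula. The assumptions are: inherent risk is probability times impact, each response carries a planned reduction that is scaled by its completeness and effectiveness values, responses compound multiplicatively on the remaining exposure, and the traffic-light thresholds are invented. The risk and response data are constructed for the example.

```python
"""Illustrative inherent/residual risk model (added example, not SAP code).

Assumptions (not from the page): exposure = probability * impact; a response
removes reduction * completeness * effectiveness of the remaining exposure;
responses are applied one after another; thresholds for the traffic light
are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    name: str
    reduction: float      # planned share of exposure removed, 0..1
    completeness: float   # share of the response actually implemented, 0..1
    effectiveness: float  # how well it works once implemented, 0..1

    def factor(self) -> float:
        """Share of the remaining exposure this response actually removes."""
        for v in (self.reduction, self.completeness, self.effectiveness):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: values must be within 0..1")
        return self.reduction * self.completeness * self.effectiveness


@dataclass
class Risk:
    name: str
    probability: float    # 0..1
    impact: float         # loss if the event occurs (currency units)
    responses: list = field(default_factory=list)

    def inherent(self) -> float:
        """Expected loss before any response (probability x impact)."""
        return self.probability * self.impact

    def residual(self) -> float:
        """Expected loss after all responses, applied multiplicatively."""
        remaining = self.inherent()
        for r in self.responses:
            remaining *= 1.0 - r.factor()
        return remaining

    def level(self, thresholds=(10_000.0, 50_000.0)) -> str:
        """Traffic-light level on residual exposure (thresholds are assumed)."""
        low, high = thresholds
        x = self.residual()
        return "green" if x < low else "amber" if x < high else "red"


def sample_risk() -> Risk:
    """Constructed sample data, not taken from the page."""
    return Risk(
        "Unauthorised change to vendor bank master data",
        probability=0.4,
        impact=250_000.0,
        responses=[
            Response("Four-eyes approval on bank-detail changes", 0.5, 1.0, 0.9),
            Response("Change-log monitoring (automated control)", 0.4, 0.5, 0.8),
        ],
    )


if __name__ == "__main__":
    r = sample_risk()
    print(f"inherent exposure: {r.inherent():>12,.2f}")
    print(f"residual exposure: {r.residual():>12,.2f}  ({r.level()})")
```

Note how the half-implemented monitoring control (completeness 0.5) contributes far less than its planned reduction suggests: a response that is documented but not actually rolled out barely changes the residual figure, which is why the validation and response-update workflows exist.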
Activities: An activity is any project, process, or object within your business or organization that might be affected by a specific risk. Typical types of activities are:
- Processes: potentially all operational and administrative processes within an enterprise.
- Projects: potentially all internal and customer projects.
- Objects: generic activities that are neither a project nor a process.

You can define all the activities that need to be monitored through dedicated risk management procedures, in this way structuring risk management in different areas of the business. These structures can later be used for reporting. You must assign all activities to an activity category. For each activity, you can do the following:
- Specify the activity category and validity period, and enter relevant constraints and assumptions for the activity.
- Assign users/roles responsible for processing the activity.
- Link the corresponding risks and opportunities identified for that activity.
- Display any surveys to be executed for the activity.
- Display and print out a PDF fact sheet with relevant activity information.

Working with Context: Contexts in Risk Management enable you to store data from other networked applications, such as those in the SAP Business Suite. This data is then used to carry out assessments in Risk Management. The context of a risk describes the environment in which a risk can occur. A context is made up of dimensions and their corresponding values; when you select a dimension, you define the environment or context of the risk more closely. The focus is on integration with the following areas:
- SAP Enterprise Asset Management (EAM)
- SAP Environment, Health & Safety Management (EH&S)
- SAP Management of Change (MOC)
- Supply Chain Management (SCM)
You can also use contexts to define your own customer-specific content. The following areas contain Context tabs that you can use to enter context data (in some of these areas the tab is called Allowed Dimensions):
- Risks, risk templates, risk categories
- Opportunities, opportunity templates, opportunity categories
- Responses, response templates, enhancement plans
- Risk Management reporting, where context dimensions can be used as reporting filters

Risk Assessment Reports: In the Risk Assessment Reports section of the Assessments work center, you can run various reports to review the results of your risk assessment process. You can run separate reports to evaluate your top risks and the incidents that occurred within a specific period.

Incident Management
Risks that occur are called incidents. For each recorded incident, you can also record individual losses. Documenting incidents provides historical information to identify and analyze the drivers of risks, and enables you to design response actions for risks with characteristics similar to the documented incidents. The process of managing incidents involves recording them and includes a validation step to ensure that the incident data is correct and properly states the impact of the incident. In this way, you can analyze, control, and understand your losses, so that you can decide how to reduce them. You can use the workflow functions to carry out an analysis of your losses and to provide an audit trail for incidents leading to losses. The systematic recording of incidents enables you to:
- Better predict your organization's risk exposure.
- Anticipate new losses.
- Monitor and mitigate existing risks.
- Adjust existing risk practices where necessary.

In the incident management process, you document and save each incident, which then triggers a workflow item for the validator. The objective of the validation step is to ensure that the documented incident data is correct and represents an accurate impact on the organization.

Scenario Management
In Scenario Management, you can define scenarios to be used for Risk Management. Scenarios are events that link risks in a logical way and then show the effect of a scenario change on these events. After defining a scenario containing individual linked risks, you can use the scenarios you have defined for simulation and testing. Scenarios can be managed by corporate risk managers, unit risk managers, or other risk owners. The tasks involved in scenario management are:
- Classifying and grouping scenarios via classifications and, if a detailed structure is needed, scenario subclassifications.
- Deciding which organizational units, activity categories and risk categories are affected by each scenario.
- Providing an initial estimate of the impact of the scenario on the organization.
- Defining the risks and modeling their dependencies via the inclusion of influenced risks within the scenario.
- Forwarding this information to a group of risk owners, after which each risk can be documented by the risk owner it belongs to.

All users responsible for risks can change the loss values for primary (that is, non-influenced) risks and see the results on the influenced risks and on the scenario.
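To make the primary/influenced distinction concrete, here is an added example of a scenario as a small dependency graph; it is not SAP code and the propagation rule is an assumption, since the page only says that primary risks have no influencers and that changing a primary risk's loss is reflected in the influenced risks and the scenario. The assumed rule is that an influenced risk's loss equals its own base loss plus a weighted share of each influencer's loss, and that the scenario loss is the sum over all risks. A cyclic influence graph is rejected because the propagation would be undefined. The scenario, risks and weights are constructed for the example.

```python
"""Illustrative scenario model with primary and influenced risks.

Added example, not SAP code. Assumed propagation rule: loss(risk) =
base_loss(risk) + sum(weight * loss(influencer)); the scenario loss is the
total over all risks. Influences must form a DAG.
"""
from collections import defaultdict


class Scenario:
    def __init__(self, name: str):
        self.name = name
        self.base = {}                       # risk -> loss entered by its owner
        self.influences = defaultdict(dict)  # target -> {source: weight}

    def add_risk(self, risk: str, base_loss: float) -> None:
        self.base[risk] = float(base_loss)

    def set_loss(self, risk: str, base_loss: float) -> None:
        """A risk owner revises the loss value of an existing risk."""
        if risk not in self.base:
            raise KeyError(f"unknown risk: {risk}")
        self.base[risk] = float(base_loss)

    def influence(self, source: str, target: str, weight: float) -> None:
        """Declare that `source` influences `target` (target is no longer primary)."""
        if source not in self.base or target not in self.base:
            raise KeyError("both risks must be added before linking them")
        self.influences[target][source] = float(weight)

    def primary_risks(self) -> list:
        """Risks with no influencing risks (the ones owners edit directly)."""
        return sorted(r for r in self.base if not self.influences.get(r))

    def _order(self) -> list:
        """Topological order (Kahn's algorithm); raises on a cycle."""
        indeg = {r: len(self.influences.get(r, {})) for r in self.base}
        out = defaultdict(list)
        for tgt, srcs in self.influences.items():
            for src in srcs:
                out[src].append(tgt)
        ready = [r for r, d in indeg.items() if d == 0]
        order = []
        while ready:
            r = ready.pop()
            order.append(r)
            for t in out[r]:
                indeg[t] -= 1
                if indeg[t] == 0:
                    ready.append(t)
        if len(order) != len(self.base):
            raise ValueError("influence graph contains a cycle")
        return order

    def losses(self) -> dict:
        """Propagated loss per risk, primary risks first."""
        total = {}
        for r in self._order():
            total[r] = self.base[r] + sum(
                w * total[src] for src, w in self.influences.get(r, {}).items()
            )
        return total

    def scenario_loss(self) -> float:
        return sum(self.losses().values())


def sample_scenario() -> Scenario:
    """Constructed sample data, not from the page."""
    s = Scenario("Data-centre power outage")
    s.add_risk("Power failure", 100_000)              # primary risk
    s.add_risk("ERP unavailable", 50_000)             # influenced by power failure
    s.add_risk("Late customer deliveries", 20_000)    # influenced by ERP outage
    s.influence("Power failure", "ERP unavailable", 0.8)
    s.influence("ERP unavailable", "Late customer deliveries", 0.5)
    return s


if __name__ == "__main__":
    s = sample_scenario()
    print("primary risks:", s.primary_risks())
    for risk, loss in s.losses().items():
        print(f"  {risk:<26} {loss:>12,.0f}")
    print(f"scenario loss: {s.scenario_loss():,.0f}")
    s.set_loss("Power failure", 200_000)   # owner revises the primary risk
    print(f"after revision: {s.scenario_loss():,.0f}")
```

Only the primary risk is edited; the two influenced risks and the scenario total change as a consequence, which is the behaviour the page describes for risk owners working in a scenario.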
Surveys: A survey is a gathering of sample data or evaluations that is considered to be representative of the whole. Within GRC, surveys are used to obtain information on the existence and evaluation of risks (RM) or the adequacy of controls (PC). Surveys are used to carry out assessments on objects such as risks, activities, or policies. The assessments are defined via plans in the Planner. Surveys can be handled via workflow or through the Survey Library.

The Question and Survey Library: The Question Library lists the user-defined questions that you can use within your surveys. Each question comprises its category, text and answer type, along with other information such as its status (active/inactive), the user who created it and the creation date. Using the Question Library, you can create a new question, open a question for editing, delete questions, and upload questions from a file. The Survey Library lists the user-defined surveys that you can use to obtain information on the existence and evaluation of risks (RM) or the adequacy of controls (PC). Each survey comprises its category, title and description, along with other information such as the questions in the survey, the survey status (active/inactive), the user who created it and the creation date. Using the Survey Library, you can create a new survey, open surveys for editing, and delete unscheduled surveys. You can use the questions defined in the Question Library in the surveys listed in the Survey Library.

Assessment Planning: Risk Management Planner: Using the Planner, you can plan risk assessments, collaborative risk assessments, risk surveys, activity surveys, risk indicator surveys, opportunity assessments, and risk and activity validation. You can access the Planner under Assessment Planning in the Assessments work center. The window that opens displays all Process Control and Risk Management plans and their associated activities. Using the Planner, you can do the following:
- Display existing plans, create a new plan, or copy and change an existing plan.
- Display the organizations for which plans are to be used.
- Display planning dates, including the start date, due date, and actual end date.
- Display the status of a plan.
- Split a plan that has not yet been executed and involves more than one organization.
Related Content
- SAP BusinessObjects Access Control 10.0
- SAP Library: Risk Management
- SAP GRC Solutions 10.0: Live Expert Sessions
- For more information, visit the Governance, Risk, and Compliance homepage
Disclaimer and Liability Notice This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.