Ensure that your enterprise’s risk management procedures comply with the Dodd-Frank Act’s requirements pertaining to the management of systemic risks by using SAP BusinessObjects Risk Management 10.0. It supports the five phases of risk management.
Key Concept
The Dodd-Frank Act was signed into law in July 2010 in response to the 2007 US financial crisis. To mitigate adverse impacts on financial stability, the act focuses on systems and processes related to governance, risk, and compliance, as well as on better management of systemic risks. The act established the Financial Stability Oversight Council to identify systemic risks to large enterprises and to respond to emerging risks throughout the financial system. It imposes new capital and leverage requirements to prevent financial institutions and nonbank companies from becoming too big and too complex.
SAP BusinessObjects Risk Management 10.0 enables SAP and its users to interact with each other via a shared graphical view. This approach helps companies comply with systemic risk requirements established by the Dodd-Frank Act of 2010, which focuses on systems and processes related to GRC, as well as better management of systemic risks. It also encourages standardized risk management documentation. SAP BusinessObjects Risk Management 10.0 provides support for the five phases of risk management: risk planning, identification, analysis, response, and monitoring.
Application to Other Business Sectors
Although the Dodd-Frank Act is specific to the financial services industry, the identification of systemic risks and the standardization of risk management processes are applicable to other industries such as pharmaceuticals, medical device manufacturing, and food, where health risks may require product recalls. Compliance with the act brings other leading GRC practices and benefits, including integration between information security and business processes, an effective data breach response program, sound data access controls, tracking of changes in GRC regulations and policies, and continuous monitoring of inherent and residual risks that may change over time.
Risk Management Programs
SAP BusinessObjects Risk Management allows SAP and its users to interact with one another on common views of risks and responses. SAP BusinessObjects Risk Management’s graphical view provides a visual workbench to model risks and their relationship to business impacts and responses and to communicate them to SAP.
The companies that use SAP BusinessObjects Risk Management may find it differs somewhat from their previous approach to risk management processes in that it is based on risk and response catalogs. The risk catalog, located in SAP BusinessObjects Risk Management 10.0, serves as a repository for risk templates and best practice responses to risks. The templates are used for creating actual risks. The catalog provides a unified view on risks across the enterprise. The response catalog is a repository for best-practice standard risk responses to mitigate, transfer, and avoid risk. The asset catalog is a repository for assets identified and organized in a standard way.
An enterprise might start with risk assessment planning without creating risk and response catalogs, and then proceed to identify assets without the benefit of an asset catalog. It then determines what countermeasures to use for mitigating risks. Most countermeasures leave residual risks, because an inherent risk can only in very rare cases be mitigated down to zero. As a final step, the enterprise monitors post-assessment risks. The problem with this approach is that it does not include catalogs that could be used for standardization planning purposes. These catalogs are needed to help the enterprise better identify assets, risks, and responses.
Now consider SAP BusinessObjects Risk Management’s support for risk management processes in five phases. The steps necessary to model risks and their relationship to business are plan, identify, analyze, respond, and monitor.
- Phase 1: Risk planning: Asset, risk, and response catalogs
- Phase 2: Risk identification: Vulnerabilities and risks
- Phase 3: Risk analysis: Scenarios
- Phase 4: Risk response: Mitigations
- Phase 5: Risk monitoring
You start the catalogs in the risk planning phase, identify vulnerabilities in the risk identification phase, compare scenarios in the risk analysis phase, and show how countermeasures are used in the risk response phase. Then you need to monitor risks continuously to track changes in risks, threats, and vulnerabilities, and most important of all, track standardization of the catalogs.
Phase 1. Risk Planning: Asset, Risk, and Response Catalogs
In risk planning, SAP BusinessObjects Risk Management provides a method of defining risk and response catalogs and an organization structure for risk reporting and for assigning risk manager responsibilities. Asset categories can be divided into financial and nonfinancial groups. They represent the top-most grouping level. The next grouping level below the asset categories is the asset group. An asset group can contain further asset groups and assets. You can skip groups to place an asset item directly under an asset category. A dollar value should be assigned to each asset category. The dollar value assigned can be the original purchase cost, the cost to purchase, or the cost depreciated over time.
In this article, in both financial and nonfinancial assets, descriptions for each asset category and item are included before the asset category example is presented. The descriptions need to be standardized to foster better communication between departments in an enterprise as well as between an enterprise and SAP.
Asset Categories: Financial
The Dodd-Frank Act establishes a floor for capital requirements that cannot be lower than the standards in force on the day the act went into effect. It authorizes the Financial Stability Oversight Council to impose a 15-1 leverage (debt-to-equity ratio) requirement on a company. Financial assets include bank deposits, loans, accounts receivable, and marketable securities, as well as liquidation reports on company assets to be liquidated by the Federal Deposit Insurance Corporation (FDIC). Capital is the difference between the value of a bank’s assets and its liabilities. The total of a bank’s capital accounts sometimes includes loan loss reserves and subordinated debt. Table 1 shows categorizations for financial assets.
Table 1: Financial reporting assets
Asset Categories: Nonfinancial
Nonfinancial assets are needed to run system applications to identify, analyze, measure, and monitor system risks as well as to generate standardized risk management documentation. The assets include software, hardware, administrative, human resources, and sustainability controls. Table 2 shows categorizations for these five assets.
Table 2: Nonfinancial reporting assets
Software assets are needed to automate the risk assessment process and generate risk reports. System administrators rely on administrative assets, such as financial reports, software manuals, hardware manuals, security operating procedures, and disaster recovery plans. Auditors rely on customer and investor information to ensure privacy is enforced.
The administrative asset includes the labeling, marking, and handling that indicate the level of sensitivity of documents and data residing on servers, on client-side workstations, on tapes, and on other media devices. The more sensitive the data, the more important it is to lock them up in secure areas of your facility so that you can prevent unauthorized physical access and unauthorized destruction.
Sustainability assets include items that contribute to the sustainability of the infrastructure at your facility, such as geothermal wells or cooling water from ice tanks in your basement used to cool the floors of the rooms housing IT machines. Hardware assets, such as servers, are needed to run software assets. Human resources assets must be accounted for with regard to their responsibilities for software, hardware, administrative, and sustainability control assets, as well as for their participation in the risk management program.
Risk Categories
You describe each risk category and item before presenting the risk category example. Table 3 provides an example of a risk classification structure for capital requirements noncompliance and liquidity risks.
Table 3: Risk classification structure example for financial assets
This table shows the risk of incurring penalties for noncompliance (capital not floored at the satisfactory level) grouped directly under the risk category of capital requirements noncompliance. The risk of insufficient cash from the liquidation of company assets comes under the risk group of loan amount risks, and then under the risk category of liquidity risks. Table 4 shows an example of risk classification for the nonfinancial categories of technical, operational, and sustainability risks.
Table 4: Risk classification structure example for nonfinancial assets
Table 4 shows that it is possible to have a first-level risk group (e.g., internal operational risks) divided into second-level risk groups (e.g., management failure) without assigning risk items to the first-level group. The risk item (loss of production for X hours) is assigned to the second-level risk group. The sustainability risks category has no risk groups; its risk items are grouped directly under the category.
Table 4 also shows software and hardware risks grouped under the technical risks category. However, if you consider the technical risks category redundant or unnecessary, you could instead make software risks and hardware risks categories in their own right.
Phase 2. Risk Identification: Vulnerabilities and Risks
A risk is the loss potential, or the probability, that a threat will exploit a vulnerability. If the risk has not yet occurred, it is a risk event: the threat that a vulnerability will be exploited by a threat agent. Once the risk has occurred, after one or more vulnerabilities have been exploited, it is a risk incident.
In this phase, you identify from a risk category the key risks, such as risk drivers, and their potential impacts. You need to identify what the vulnerabilities are before you assign key risk indicators (KRIs). A KRI measures trends in the risk environment. When certain tolerances (defined in business rules) are exceeded, a risk event becomes likely to occur and requires countermeasures. The business rules raise this attention in SAP BusinessObjects Risk Management 3.0/10.0 for business, operational, and credit risks. You create a business rule for a KRI that defines what action the system should take when a vulnerability is being exploited. A KRI indicates the possibility of a future adverse impact on the organization.
In the area of managerial accounting, consider a budget overrun by a budget preparer as the vulnerability and the budget risk as the KRI. A budget overrun is the planned budget minus the actual budget costs. A business rule is created to trigger the system to send a message to the risk manager when the vulnerability is being exploited or earlier to avoid the risk event (e.g., when a threshold is exceeded).
In the area of capital management, consider capital requirements noncompliance as the vulnerability and capital noncompliance risk as the KRI. Capital requirements noncompliance is the actual flooring less the planned flooring of capital requirements. A business rule is created to trigger the system to send a message to the risk manager when the vulnerability is being exploited.
In the area of liquidity and cash management, consider bad liquidity forecasting as the vulnerability and liquidity forecasting risk as the KRI. Bad liquidity forecasting could result in cash repayments from a company’s assets less than expected. A business rule is created to trigger the system to send a message to the risk manager when the vulnerability is being exploited.
Phase 3. Risk Analysis: Scenarios
In this phase you qualitatively and quantitatively analyze the likelihood of occurrence of company risks and the potential impacts of the identified risks in order of priority so that you can determine the necessary responses and investments to mitigate or control the risks. You can also use a risk scoring method, available as of SAP BusinessObjects Risk Management 10.0, to enter impacts and probability as numeric values.
Note
Impact types include destruction, unauthorized disclosure, unauthorized modification, and denial of service. Because destruction is the most severe impact type, it should be considered when estimating asset values. Risk scoring, as an alternative to the quantitative and qualitative methods, ranks risks numerically, with 1 as the most important value and 2 as the next most important.
You can collaborate with business stakeholders to collect risk analysis data or create surveys or other workflows to collect risk analysis data. This process enables you to build risk scenarios and determine your risk exposure.
You can view results with and without scenarios based on different assumptions, add responses, and re-run scenarios as appropriate. Alternatively, you can choose Monte Carlo simulation to define severity distributions for the risk impacts and simulate the scenario for multiple runs. Monte Carlo simulation is a method of analyzing instruments, portfolios, and investments by simulating the various sources of uncertainty affecting their value and then determining their average value over the range of resultant outcomes.
Scenario Analysis: Accounts Payable Risk
Now you’ll consider the risk events for the accounts payable risk:
- Adverse changes in capital and liquidity
- Major accident to facility
- Violations of emission standards
- Misallocation of royalty payments
In one scenario, as shown in Table 5, you assign each risk event inherent and residual levels qualitatively (high, medium, or low) based on risk response assumptions. You are responsible for providing the inherent and residual total losses associated with each event. They are not shown in the table.
Table 5: First scenario of risk levels assigned to accounts payable risk
Now, create a second scenario, as shown in Table 6. Assume that for the adverse changes in capital and liquidity risk event, an application will become available in one month that will reduce the residual risk level from medium to low. You also assume that for the major accident to facility risk event, the facility will be redesigned to reduce the inherent and residual levels to high and medium, respectively. The changes in risk levels are in bold.
Table 6: Second scenario of risk levels assigned to accounts payable risk
One point to make is that if three quarters of the residual risk levels are high, you must find ways to reduce them (e.g., by purchasing accident insurance to transfer the risks, or by applying new technologies and applications that have not been tried before).
Scenario Analysis: Capital and Liquidity Risk
Now consider the risk events for capital and liquidity risks:
- Adverse changes in capital and liquidity
- Violations of capital standards
- Violations of loan requirements on repayment from a company’s liquidated assets
In one scenario, as shown in Table 7, you assign each risk event inherent and residual levels qualitatively based on risk response assumptions. You are responsible for providing the inherent and residual total losses associated with each event. They are not shown in the table.
Table 7: First scenario of risk levels assigned to capital and liquidity risks
Now, create a second scenario, as shown in Table 8, assuming that for the adverse changes in capital and liquidity risk event, new applications or technologies will become available in one month that will reduce the residual risk level from medium to low (shown in bold).
Table 8: Second scenario of risk levels assigned to capital and liquidity risks
Phase 4. Risk Response: Mitigations
In this phase, you document the response measures taken to manage the risks and their current status. You do this by taking measures that actively reduce the probability or potential impact of the risk. You can track mitigation response status by analyzing risks before and after responses (that is, before and after applying countermeasures).
You then compare the inherent total loss before the response with the residual total loss after the response to determine whether there were significant savings, resulting in a good return on investment (ROI). After this step you choose the best scenario.
In an overly simplified example, the first step is to determine the annual loss expectancy (ALE) by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO) for a specific vulnerability being exploited, in the before scenario of responding to a risk (Table 9).
The next step is to determine the ALE in the after scenario of responding to the same risk (Table 10) by implementing the Dodd-Frank Act to mitigate or prevent the risks of noncompliance of minimum debt-to-equity ratio and loan requirements. The implementation costs, including additional staffing, required training, and system changes, vary from one company to another.
The third step is to determine if current application or technologies will result in significant savings (Table 11). If they do not, the risks are residual. Finally, the ROI should be computed to determine the significance of the gain from investment over the cost of investment of ensuring compliance with the act (Table 12).
Note
ALE is a dollar amount (or an amount in another currency) that estimates the loss potential from an inherent risk over the span of a year. ARO is a value that represents the estimated possibility of a specific vulnerability being exploited within a one-year time frame. The possibility is determined by dividing the frequency of the vulnerability by the number of years (e.g., a value of 0.5 represents the possibility that the vulnerability occurs once every two years). SLE is a dollar amount (or an amount in another currency) assigned to a single risk event that represents a company’s potential loss if the exploitation of a specific vulnerability takes place.
Table 9 shows the before scenario of a risk event for adverse changes in capital and liquidity that occurs three times a year with an ALE of US$6 billion. A risk event for violating capital requirements standards occurs twice a year with an ALE of US$2 million, while a risk event for violating loan requirements occurs twice a year with an ALE of US$4 million.
Table 9: The before scenario of annual loss expectancy
Table 10 shows the after scenario of a risk event for adverse changes in capital and liquidity that occurs once, rather than three times, a year with a new SLE of US$1 billion, resulting in an ALE of US$1 billion. A risk event for violating capital requirement standards occurs once, rather than twice, a year with the same SLE of US$1 million, resulting in a new ALE of US$1 million. A risk event for violating loan requirements occurs once every two years, rather than twice a year, with a new SLE of US$1 million, resulting in a new ALE of US$500,000.
Table 10: The after scenario of annual loss expectancy
Table 11 lists oversimplified examples of ALE savings between the before and after scenarios. Expected savings for the risk event of adverse changes in capital and liquidity are US$5 billion, violations of capital requirements standards are US$1 million, while savings for the risk event of violating loan requirements are US$3.5 million.
Table 11: Expected ALE savings
Table 12 shows ROI is the highest for the risk response of loan requirements compliance, while the lowest ROI is for mandatory minimum debt-to-equity ratio. The ROI for risk response of capital requirements compliance takes the middle position. All costs are estimated and assumed to include the costs of additional staffing, training, and upgrades to the infrastructure of computer and network systems.
Table 12: Return on investments
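The four-step ALE, savings and ROI calculation of this phase, carried through with the figures quoted in the text for Tables 9 to 11, as an added example that is not part of the original article. The before-scenario SLEs are derived from the stated ALEs and frequencies (ALE = SLE x ARO), and the implementation costs are constructed assumptions, chosen only so that the ROI ordering matches the one the text reports for Table 12.

```python
from dataclasses import dataclass
from typing import List

def aro(occurrences: int, years: int) -> float:
    """Annualized rate of occurrence: how often the vulnerability is exploited per year.
    Twice in one year -> 2.0; once in two years -> 0.5."""
    return occurrences / years

def ale(sle: int, aro_value: float) -> float:
    """Annual loss expectancy = single loss expectancy x annualized rate of occurrence."""
    return sle * aro_value

@dataclass
class RiskResponse:
    """One risk event with its before/after figures and the assumed cost of the response."""
    name: str
    sle_before: int
    aro_before: float
    sle_after: int
    aro_after: float
    cost: int  # assumed cost of the response: staffing, training, system changes

    def ale_before(self) -> float:
        return ale(self.sle_before, self.aro_before)

    def ale_after(self) -> float:
        return ale(self.sle_after, self.aro_after)

    def savings(self) -> float:
        """Expected ALE savings between the before and after scenarios (Table 11)."""
        return self.ale_before() - self.ale_after()

    def roi(self) -> float:
        """Gain from the investment over its cost: (savings - cost) / cost."""
        return (self.savings() - self.cost) / self.cost

# Figures from the text: before-scenario ALEs of US$6 billion at 3/year, US$2 million at
# 2/year and US$4 million at 2/year give SLEs of US$2 billion, US$1 million and US$2 million.
# The cost values are constructed assumptions; the page gives no cost figures.
RESPONSES: List[RiskResponse] = [
    RiskResponse("mandatory minimum debt-to-equity ratio",
                 2_000_000_000, aro(3, 1), 1_000_000_000, aro(1, 1), cost=4_000_000_000),
    RiskResponse("capital requirements compliance",
                 1_000_000, aro(2, 1), 1_000_000, aro(1, 1), cost=500_000),
    RiskResponse("loan requirements compliance",
                 2_000_000, aro(2, 1), 1_000_000, aro(1, 2), cost=1_000_000),
]

def rank_by_roi(responses: List[RiskResponse]) -> List[RiskResponse]:
    """Order responses from highest to lowest ROI, the basis for choosing a scenario."""
    return sorted(responses, key=lambda r: r.roi(), reverse=True)

if __name__ == "__main__":
    for r in rank_by_roi(RESPONSES):
        print(f"{r.name}: ALE before {r.ale_before():,.0f}, after {r.ale_after():,.0f}, "
              f"savings {r.savings():,.0f}, ROI {r.roi():.2f}")
```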
Phase 5. Risk Monitoring
In this phase, you need to monitor risks continuously to track changes in risks, threats, and vulnerabilities as well as in the standardization of asset, risk, and response catalogs.
To evaluate changes in your organization’s risk exposure, you analyze and report on changes in your company’s risk situation. You document incidents and losses for events that have occurred and track how effective the mitigation measures have been. You determine what new mitigation measures are needed and how many residual risks still exist after applying new security control technologies and implementing new legislation.
For each KRI identified in the second phase, a business rule is created to trigger the system to send a message to a risk manager that there is a possibility of a future adverse impact on the organization owing to, for example, new legislation and technologies. Because risk managers are required to review the first four phases of risk assessment on a schedule (e.g., every six months or three years), they will find system-triggered KRI messages a basis for reviewing risk assessments sooner than the scheduled time.
Table 13 shows budget risk is the key risk for the managerial accounting area. The potential indicators are budget overrun, no plan in tracking budget, and lessons from previous budget overruns were not fed back into the current budget. Questions that need to be answered to mitigate budget risks include:
- What does the company do when the previous budget has overrun?
- What checks are made by the company to ensure the budget will not overrun?
Capital noncompliance risk is the key risk for the capital management area. The potential indicators are an inadequate plan to change to new capital requirements (e.g., an equity-to-debt ratio of 15:1), inadequate staffing to implement the change, and the absence of a change governance strategy. The questions that need to be answered to mitigate risks include:
- What does the company do when the plan is inadequate?
- What is the company’s plan to increase staffing?
- How would the company implement change governance?
Bad liquidity forecasting is the key risk for liquidity and cash management. Potential indicators are a lack of tools to forecast liquidity adequately and cash repayments from the company’s assets that are less than expected. The questions include:
- What tools does the company need to adequately forecast liquidity?
- Why does the company think cash repayments are less than expected?
Table 13: Example 1: Key risks and potential indicators
Table 14 shows adverse changes as the key risks for capital and liquidity. Potential indicators are failure to maintain flooring of capital requirements, an inadequate plan to maintain the flooring minimum, and failure to learn from lessons on maintaining the minimum. The questions include:
- What does the company do when capital requirements are not met?
- What checks are made to ensure minimum capital requirements?
Capital requirements noncompliance is the key risk for capital requirements. Potential indicators are audit reports that indicate a possible failure to comply, and an inadequate plan to comply. The questions to ask include:
- What does the company do after reading audit reports?
- What is the company’s plan to ensure compliance?
Loan noncompliance is the key risk for loan requirements. Potential indicators are that auditors have met with compliance officers over adverse reports, and an inadequate plan to comply with loan requirements. The questions to ask include:
- What does the company do after getting adverse reports from the auditors?
- What tools does the company use to ensure compliance?
Table 14: Example 2: Key risks, indicators, and questions
Judith M. Myerson
Judith M. Myerson is a systems architect and engineer and an SAP consultant. She is the author of the Enterprise System Integration, Second Edition, handbook, RFID in the Supply Chain: A Guide to Selection and Implementation, and several articles on enterprise-wide systems, database technologies, application development, SAP, RFID technologies, project management, risk management, and GRC.
You may contact the author at jmyerson@verizon.net.