Examine the fourth phase of the enterprise risk management (ERM) process: risk response allocation. See how in SAP BusinessObjects Risk Management you can distinguish between various response types and involve response owners in a collaborative process to increase accountability for response implementation. In addition to assessing response completeness and effectiveness, you can conduct a residual risk analysis employing quantitative and qualitative methods. Also learn the key integration points between SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management, seeing how process controls can align with risk response.
Key Concept
The initial analysis of a given risk event regarding the probability of its occurrence and its impact on your business is followed by the implementation of appropriate risk responses to mitigate the risk down to an acceptable residual risk level. Risk responses aim to reduce the probability or the impact of the risk event and may focus on risk prevention or on risk recovery. Risk responses can only take their planned effect if they are completely implemented and perfectly effective. For this reason, evaluating the actual residual risk level requires, in addition to your estimates of the probability and impact reduction of each of your risk responses, consideration of their completeness and effectiveness.
The enterprise risk management process is comprised of five phases: risk planning, risk identification, risk analysis, risk response, and risk monitoring. During risk planning, all required master data structures are set up in SAP BusinessObjects Risk Management 3.0. This includes an organization hierarchy, hierarchies for your business activities such as business processes and projects, a hierarchy for your business objectives, and a risk classification schema. The risk identification phase focuses on a collaborative process for documenting all relevant aspects of risks that are threatening your business activities and strategic objectives in the different parts of your organization. The initial risk analysis examines inherent risks, that is, risks assessed without taking any mitigating responses into account.
As a result of the initial analysis, you identify your top business risks that need your particular attention during risk response planning and implementation. Within SAP BusinessObjects Risk Management, you document as risk responses your strategies and action plans to prevent or recover from risk events and reduce the inherent risk levels. This includes assigning response owners to ensure accountability for response implementation and documenting the costs for cost management.
Create a New Risk Response
In SAP BusinessObjects Risk Management, you can create responses in two ways: You can either navigate to Risk Assessment > Responses and Enhancement Plan Management (Figure 1), or in Risk Assessment > Risk and Opportunity Management you open a specific risk and click the Response Plans tab to create a new response for that risk (Figure 2). Either way, you can set up the responses to be shared across multiple risks and organization units.

Figure 1
Create responses in the Risk Assessment page of the SAP BusinessObjects Risk Management 3.0 user interface

Figure 2
Create responses directly in the context of a given risk in the Response Plans tab
In the response maintenance screen (Figure 3), enter a name and description for the new response, and assign the following:

Figure 3
Response maintenance screen
- Organization Unit (mandatory entry): It is possible to share responses across multiple risks assigned to different organization units. The organization unit entered here becomes relevant when planning a response validation workflow with the Planner tool explained later.
- Owner (mandatory entry): The owner takes on the accountability for response implementation.
- Type (mandatory entry): Select a response type such as Accept, Watch, Research, Transfer, Mitigate, or Avoid from a list. You can maintain this list by following IMG menu path GRC Risk Management > Response and Enhancement Plans > Maintain Response Plan Types.
- Purpose: Select a response purpose such as Prevent or Recover from the available options. You can maintain them via IMG menu path GRC Risk Management > Response and Enhancement Plans > Maintain Response and Enhancement Plan Purpose.
- Share Response: If you want to assign the response to multiple risks to save costs, you can select from two options: Shared — does not require approval and Shared — requires approval. In the latter case, the assignment of the response to a given risk triggers a workflow task sent to the inbox of the response owner and the status of the response assignment remains at Pending approval until the response owner approves the assignment and the status changes to Active. If you don’t want to share the response, select Not Shared.
- Steps/Actions: Capture the steps or actions necessary to implement a response.
- Actual Start Date and Actual Finish Date: These are the start and completion dates of the response implementation. Both dates have to be in the past and are usually entered at different points in time.
- Completeness: This field captures the percentage completion of the response implementation. The system can fill in this value from the percentage you maintain for the Actual Start Date via IMG menu path GRC Risk Management > Response and Enhancement Plans > Maintain Response Completeness. The system displays 100 percent completeness if the Actual Finish Date of the response is already maintained. Select the Overwrite Completeness check box to enter a new value for the completeness manually.
- Cost: Capture the monetary amount for the cost of the response implementation. You can find the costs of selected risk responses by going to the report Risk Mitigation Details accessible at GRC Risk Management > Reporting and Analytics > Risk Reports. This allows you a certain level of cost management.
- Effective From and Effective To: The date range during which the response is effective.
- Current Effectiveness: Make a selection of the available choices Fully Effective, Substantially Effective, and so on, which you can maintain by following IMG menu path GRC Risk Management > Response and Enhancement Plans > Maintain Response And Enhancement Plan Effectiveness (Figure 4). The system converts your selection into percentage effectiveness for later residual risk analysis.

Figure 4
IMG customizing activity Maintain Response And Enhancement Plan Effectiveness
The Affected Risks tab lists all risks to which you assign the response. You can assign additional risks by clicking the Assign button or view a selected risk by clicking the Open button, respectively (Figure 5). You can also assign responses from the Response Plans tab of a selected risk by clicking the Assign button (Figure 2). The Attachments and Links tab is used to add documents as files or links that provide additional information about the response.

Figure 5
The Affected Risks tab lists all risks assigned to the response
Response Ownership and Workflows
The owner of a response is a mandatory attribute. The user creating a new response is assigned as the owner by default unless specified differently. You can change the owner at any time. The new owner of a response receives a notification in his inbox to review the details of the response and accept accountability for its implementation. The recipient of the workflow notification cannot reject the response ownership. However, the recipient can delegate ownership to another user, triggering a respective workflow notification sent to that user. When a response is shared that is set up to require approval, the response owner receives the workflow task to approve or reject the sharing of the response.
The response validation workflow is scheduled by risk managers with the Planner tool to keep track of the current status of the risk responses. The validators receive a workflow item to update the responses as needed (Figure 6). Clicking the workflow item opens the respective response. Saving the updated response deletes the workflow item from the inbox at the same time. The recipients of these workflow items are identified as holders of application roles that were customized to receive the task to update the responses selected in the Planner tool. For more information, refer to the SAP BusinessObjects Risk Management 3.0 Security Guide available in SAP Service Marketplace or to my comments in my earlier article on risk planning.

Figure 6
Workflow item to update a response in the inbox of the responsible validator
Perform a Residual Risk Analysis
SAP BusinessObjects Risk Management supports residual risk analysis in a number of different ways according to the analysis profile. You set this up by following IMG menu path GRC Risk Management > Risk and Opportunity Analysis > Maintain Analysis Profile. Just ensure that the Impact Reduction check box is set (Figure 7).

Figure 7
Define an analysis profile
For more information about analysis profiles, refer to my earlier article on risk analysis. Regardless of which analysis profile you use, the system always follows the same overall approach during a residual risk analysis. It distinguishes a planned residual risk from an actual residual risk. The planned residual risk is computed under the assumption that all responses assigned to the risk are 100 percent complete and effective, so each response $i$ reduces the inherent probability $P$ of the risk event by its planned probability reduction $\Delta P_i$. The total loss $L$ is reduced by the planned total loss reduction $\Delta L_i$, so that with $N$ different responses assigned (and neither result dropping below zero):

$$\text{Planned residual probability} = \max\bigl(P - \Delta P_1 - \Delta P_2 - \dots - \Delta P_N,\; 0\bigr)$$

$$\text{Planned residual total loss} = \max\bigl(L - \Delta L_1 - \Delta L_2 - \dots - \Delta L_N,\; 0\bigr)$$
The risk owner estimates the probability and total loss reduction for each impact category of a response and documents them in the Response Plans tab of the affected risk (Figure 8). The overall total loss reduction is derived from the total loss reductions estimated for each impact category (Figure 9) using the aggregation function maintained in the analysis profile (Figure 7).

Figure 8
Select each response to document your estimate for its probability and impact reduction

Figure 9
The overall impact reduction of a response is derived from the impact reductions for each impact category, which may be estimated in different units of measure (UOM) and are converted using conversion factors
The actual residual risk is computed by replacing the planned probability reduction $\Delta P_i$ and the planned total loss reduction $\Delta L_i$ with the actual probability and total loss reductions. These actual values are derived from the planned values by multiplying them with the percentage completeness and the percentage effectiveness of the respective response.
With this, a residual risk analysis for an analysis profile in which both probability and impact values are assessed quantitatively works out as simple arithmetic. If the impact values in the analysis profile are chosen as Mixed, meaning that some impact categories are documented only in qualitative terms, only the quantitatively assessed impact categories contribute to the total loss reduction. For the qualitatively assessed impact categories, the risk owners document a qualitative mitigation effect instead. You can maintain mitigation effect levels and assign an integer value to each by following IMG menu path GRC Risk Management > Master Data Setup > Maintain Impact Levels (Figure 10).

Figure 10
Mitigation effect levels are maintained together with the impact levels in the Reduction/Improvement column during master data setup
If a purely qualitative analysis profile is used, the risk owner assigns a qualitative probability reduction (such as A [Insignificant] or B [Minor]) to each response from a drop-down list. You maintain this list and assign each level an integer value by following IMG menu path GRC Risk Management > Risk and Opportunity Analysis > Maintain Probability Levels (Figure 11).

Figure 11
Probability reduction levels are maintained together with the probability levels in the Reduction/Enhancement Level column
Furthermore, the risk owner assigns a mitigation effect for each response to each impact category. The system uses the integer values representing the assigned mitigation effect levels and the aggregation function selected in the analysis profile to compute a resulting mitigation effect of the response, which is also represented by an integer value from Figure 10. Because inherent probability level, impact level, probability reduction, and mitigation effects are all represented by integer values, the system computes the planned residual risk with the same formula shown above for an entirely quantitative analysis profile. For the actual residual risk level, the factor percentage completeness multiplied by percentage effectiveness is replaced by zero unless the response is 100 percent complete and fully effective, in which case the factor equals 1.
Given the probability and total loss reductions as well as the percentage completeness and effectiveness of each response, the system computes planned and actual values for probability, total loss, and expected total loss. The expected total loss is calculated as the product of probability and total loss. The system also computes the resulting impact and risk levels and displays them in graphical and tabular form in the Risk Analysis tab of the given risk (Figure 12).

Figure 12
The Analysis tab displays the results of the residual risk analysis
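The following is an added example, not code from the article or from SAP, that carries the residual risk arithmetic described above through for both a quantitative and a purely qualitative analysis profile: planned values assume every response is complete and effective, actual values scale each response's reductions by completeness times effectiveness (in the qualitative case, by 1 only when the response is 100 percent complete and fully effective, else 0), and both results are floored at zero. The dataclass layout, the aggregation functions (sum or max), the unit conversion factors, the mapping of effectiveness levels to fractions, and all sample figures are constructed assumptions for illustration.

```python
# Added example (not SAP code): planned vs. actual residual risk for a
# quantitative and for a qualitative analysis profile. Percentages are
# fractions in [0, 1]; P, L, ΔP_i and ΔL_i follow the article's symbols.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def aggregate(values: Iterable[float], how: str) -> float:
    """Aggregation function of the analysis profile (assumed: 'sum' or 'max')."""
    values = list(values)
    if not values:
        return 0.0
    return sum(values) if how == "sum" else max(values)


@dataclass
class Response:
    name: str
    probability_reduction: float                      # planned ΔP_i (or an integer level)
    impact_reductions: Dict[str, Tuple[float, str]]   # impact category -> (amount, UOM)
    completeness: float = 0.0                         # 1.0 means 100 % complete
    effectiveness: float = 0.0                        # 1.0 means "Fully Effective"

    def total_loss_reduction(self, conversion: Dict[str, float], how: str) -> float:
        """ΔL_i: per-category reductions converted to one unit, then aggregated."""
        converted = (amount * conversion[uom] for amount, uom in self.impact_reductions.values())
        return aggregate(converted, how)


def quantitative_residual(P: float, L: float, responses: List[Response],
                          conversion: Dict[str, float], how: str = "sum",
                          actual: bool = False) -> Dict[str, float]:
    """Planned (actual=False) or actual (actual=True) residual probability,
    total loss and expected total loss, each floored at zero."""
    def factor(r: Response) -> float:
        return r.completeness * r.effectiveness if actual else 1.0
    p = max(P - sum(r.probability_reduction * factor(r) for r in responses), 0.0)
    l = max(L - sum(r.total_loss_reduction(conversion, how) * factor(r) for r in responses), 0.0)
    return {"probability": p, "total_loss": l, "expected_total_loss": p * l}


def qualitative_residual(P_level: int, L_level: int, responses: List[Response],
                         how: str = "max", actual: bool = False) -> Dict[str, int]:
    """Same formula on integer levels. The completeness*effectiveness factor
    becomes 1 only for a response that is 100 % complete and fully effective."""
    def factor(r: Response) -> int:
        if not actual:
            return 1
        return 1 if r.completeness >= 1.0 and r.effectiveness >= 1.0 else 0
    levels = {"level": 1.0}   # mitigation effect levels need no unit conversion
    p = max(P_level - sum(int(r.probability_reduction) * factor(r) for r in responses), 0)
    l = max(L_level - sum(int(r.total_loss_reduction(levels, how)) * factor(r) for r in responses), 0)
    return {"probability_level": p, "impact_level": l}


# Constructed sample data: inherent P = 40 %, L = 1,000,000 EUR; operational
# downtime is estimated in days and converted at an assumed 5,000 EUR per day.
CONVERSION = {"EUR": 1.0, "days": 5000.0}
QUANT_RESPONSES = [
    Response("Backup site", 0.10, {"Financial": (300_000, "EUR"), "Operational": (20, "days")},
             completeness=1.0, effectiveness=0.75),    # finished, "Substantially Effective"
    Response("Insurance", 0.0, {"Financial": (250_000, "EUR")},
             completeness=0.5, effectiveness=1.0),     # half implemented, "Fully Effective"
]
# Constructed qualitative sample: inherent probability level 4, impact level 5.
QUAL_RESPONSES = [
    Response("Access review", 1, {"Financial": (2, "level"), "Reputation": (1, "level")}, 1.0, 1.0),
    Response("Awareness training", 2, {"Financial": (1, "level")}, 1.0, 0.75),
]

if __name__ == "__main__":
    for actual in (False, True):
        print("quantitative", "actual" if actual else "planned",
              quantitative_residual(0.40, 1_000_000, QUANT_RESPONSES, CONVERSION, actual=actual))
        print("qualitative ", "actual" if actual else "planned",
              qualitative_residual(4, 5, QUAL_RESPONSES, actual=actual))
```

Running the block shows the effect the article describes: the half-implemented insurance and the only substantially effective backup site leave the actual residual total loss at 575,000 EUR against a planned 350,000 EUR, and in the qualitative case the training response contributes nothing to the actual result at all because it is not fully effective.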
Integration with SAP BusinessObjects Process Control 3.0
SAP BusinessObjects Risk Management 3.0 and SAP BusinessObjects Process Control 3.0 are shipped as a single software component with a shared data model and run on the same technical platform. However, the two solutions are licensed separately and need to be activated separately in the productive system client. Companies that licensed both solutions can use a closed-loop integration scenario between both applications for risk response management. The leading principle here is that process controls can be used as risk responses as well. Of course, you cannot mitigate all types of risks by process controls, but it works to a certain degree. The closed loop consists of four integration points between the two solutions:
- Risk owners can propose new controls
- Risk owners can assign available controls as responses to a risk
- Control completeness is assessed in SAP BusinessObjects Process Control and is used for the residual risk analysis in SAP BusinessObjects Risk Management
- Control effectiveness is tested in SAP BusinessObjects Process Control and is used for the residual risk analysis in SAP BusinessObjects Risk Management
Proposing a New Control
From SAP BusinessObjects Risk Management, risk owners can propose a new control triggering a workflow item sent to the inbox of the holder of the SAP BusinessObjects Process Control application role Global Organization Owner. The proposal is created in the Response Plans tab of the selected risk by clicking the Create button and selecting Control Proposal (Figure 13).

Figure 13
Propose a new control in the Response Plans tab of the selected risk
Within SAP BusinessObjects Process Control, the risk owner has to select a regulation and an organization unit as mandatory fields, for which the control is to be created, and can optionally provide further details of the proposed control (Figure 14). Once the control proposal is submitted, the proposed control is listed as a response with the status Proposed, not yet having any mitigation effect on the risk.

Figure 14
Creation of a control proposal
The organization owner opens the workflow Approve Control Proposal and reviews the proposal. If a similar control already exists, the organization owner can reject the proposal with a note referring to the existing proposal. Alternatively, the organization owner may initiate the implementation of the proposed control and approve the proposal mapping the correct name of the new control to the proposal. In both cases, the risk owner receives a workflow notification about the approval or rejection. If the proposal was approved, the control changes its status from Proposed to Active in the Response Plans tab of the affected risk. The risk owner can now start documenting probability and total loss reductions and mitigation effects needed for the residual risk analysis.
Assigning a Control as Risk Response
Risk owners can also assign controls that already exist in SAP BusinessObjects Process Control as risk responses. No control proposal is required in this case. To assign a control, click the Response Plans tab of the selected risk, then click the Assign button and choose Control (Figure 13). This opens a selection screen from which you can choose the control (Figure 15). The control is assigned with status Active, which allows for immediate documentation of probability and total loss reductions or mitigation effects (Figure 16).

Figure 15
Selecting a control from the Response Plans tab

Figure 16
Assigning probability and total loss reductions to a control assigned as a risk response
Using Evaluation Results to Determine Residual Risk Levels
Control completeness and effectiveness are required to compute the actual residual risk. Both are determined in assessments and tests scheduled and executed in SAP BusinessObjects Process Control. To transfer these results into SAP BusinessObjects Risk Management, follow IMG menu path GRC Risk Management > Response and Enhancement Plan and complete these tasks:
- Set Up Link from Control Results to RM: In SAP BusinessObjects Process Control, specify the evaluations whose results you want to transfer to SAP BusinessObjects Risk Management as control completeness and effectiveness. You can see an example in Figure 17.

Figure 17
Selection of SAP BusinessObjects Process Control evaluations to transfer completeness and effectiveness of controls and indirect entity level controls into SAP BusinessObjects Risk Management
- Convert Control Rating for RM Response Field: Completeness and effectiveness are rated in SAP BusinessObjects Process Control with the color codes green, yellow, and red, which must be converted into percentage values before they can be used in a residual risk analysis.
If a new control is assigned as a risk response that hasn’t undergone any evaluations so far, the value zero is assigned as response completeness and effectiveness (Figure 18) until evaluation results become available. Risk owners receive a workflow notification upon publication of new evaluation results.

Figure 18
IMG settings to convert control ratings into percentage completeness and effectiveness
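The following is an added example, not code from the article or from SAP, that models how a control assigned as a risk response contributes to the actual residual risk under the rules in this section: a Proposed control has no mitigation effect, an Active control counts as 0 percent complete and effective until evaluation results have been published, and published color ratings are converted to percentages through a conversion table before being multiplied into the planned reductions. The rating-to-percentage values, the dataclass and function names, and the sample control are constructed assumptions; the real percentages come from the customer's IMG settings shown in Figure 18.

```python
# Added example (not SAP code): deriving a control's contribution to the
# actual residual risk from Process Control evaluation results.
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed conversion table; the IMG activity "Convert Control Rating for RM
# Response Field" holds the real customer-specific percentages.
RATING_TO_PERCENT = {"green": 1.0, "yellow": 0.5, "red": 0.0}


@dataclass
class ControlResponse:
    control_name: str
    status: str                                   # "Proposed" or "Active"
    planned_probability_reduction: float          # ΔP documented by the risk owner
    planned_total_loss_reduction: float           # ΔL documented by the risk owner
    completeness_rating: Optional[str] = None     # from the assessment linked to RM
    effectiveness_rating: Optional[str] = None    # from the test linked to RM


def rating_to_percent(rating: Optional[str]) -> float:
    """Map a published color rating to a percentage; unevaluated means 0."""
    if rating is None:
        return 0.0
    try:
        return RATING_TO_PERCENT[rating.lower()]
    except KeyError:
        raise ValueError(f"unknown control rating {rating!r}") from None


def actual_reductions(c: ControlResponse) -> Tuple[float, float]:
    """Actual ΔP and ΔL the control currently contributes to the residual risk."""
    if c.status != "Active":          # a Proposed control has no mitigation effect yet
        return 0.0, 0.0
    factor = rating_to_percent(c.completeness_rating) * rating_to_percent(c.effectiveness_rating)
    return c.planned_probability_reduction * factor, c.planned_total_loss_reduction * factor


def publish_evaluation(c: ControlResponse, completeness: Optional[str] = None,
                       effectiveness: Optional[str] = None) -> bool:
    """Record newly published evaluation results. Returns True when the
    control's actual contribution changed, i.e. the residual risk of the
    affected risk needs to be re-analysed by the risk owner."""
    before = actual_reductions(c)
    if completeness is not None:
        c.completeness_rating = completeness
    if effectiveness is not None:
        c.effectiveness_rating = effectiveness
    return actual_reductions(c) != before


if __name__ == "__main__":
    # Constructed sample: an Active control with no evaluation results yet.
    ctl = ControlResponse("Segregation of duties in payments", "Active", 0.20, 150_000)
    print(actual_reductions(ctl))                          # (0.0, 0.0) until evaluated
    publish_evaluation(ctl, completeness="green")          # still 0: no test result yet
    publish_evaluation(ctl, effectiveness="yellow")        # now 50 % of the planned effect
    print(actual_reductions(ctl))
```

The order of the two published results in the sample matters: after the green assessment alone the control still contributes nothing, because the effectiveness test has not been published, which is exactly the situation the article describes for a freshly assigned, not yet evaluated control.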
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.