Kehinde Eseyin shows how to configure, create, and process ad hoc risk escalations using SAP Risk Management 10.1.
Key Concept
Risk threshold is a reflection of the amount of risk an organization is ready to tolerate. Because risk threshold can be defined at the organizational unit level based on specific metrics, such as size, revenue, or geographical formation, SAP has provided the new ad hoc risk escalation functionality. This functionality in SAP Risk Management 10.1 is designed to manage the escalation of a proposed risk to a superior approving authority (in the higher organizational unit) for subsequent processing when the defined threshold is exceeded. If the defined threshold is not exceeded, the workflow item is processed within the organization unit by the responsible actor.
Ad hoc risk escalation is a new functionality in SAP Risk Management 10.1 that allows risk experts to create ad hoc risks while allowing for escalation if defined thresholds are exceeded. An ad hoc risk is a risk that is created specifically in response to identified vulnerabilities and possible issues. Ad hoc risks can be prompted by compliance or business events or result from identifying a threat area.
This risk type does not exist as part of the risk master data and therefore needs to be raised separately when possible risk issues are encountered. It is basically a risk proposal that is subject to further validation and that might require escalation. When creating an ad hoc risk, you need to define the probability of the risk materializing and the associated possible impact value, which can be alarming in some cases.
Ad hoc risks need to be treated with a special reporting approach because they can be used for internal control purposes, such as a whistle-blowing tool. This makes it important for defined ad hoc risks to be ratified and validated by appropriate personnel who understand the implications for the enterprise if the risk is realized. Identifying the appropriate personnel might necessitate escalating the ad hoc risk proposal to the corresponding approving authority for processing.
This concept of ad hoc risk escalation works on the principle of defining risk thresholds for different organization units based on their positions in the organization’s hierarchy. This allows the escalation of risk issues for the purpose of dedicated evaluation and reporting by responsible persons when defined thresholds are exceeded.
In the event that the defined threshold is surpassed, the workflow sends the ad hoc risk escalation request to the appropriate approver in the higher organization unit to process the workflow request. If the ad hoc risk escalation is within the defined risk threshold, the ad hoc risk escalation request is processed by the responsible approver at that organization unit. The ad hoc risk escalation functionality allows you to perform a number of actions while processing an ad hoc risk escalation request. The possible actions that can be performed on an ad hoc risk escalation workflow item include forward, activate, reject, and transfer.
Furthermore, it is possible to associate a risk response with an ad hoc risk escalation while creating it. You can also provide a risk response while processing (transfer and activate) an ad hoc risk escalation workflow item. Another concept that is closely integrated with this functionality is the ability to perform risk analysis while activating an ad hoc risk using the defined customizations (analysis profile) and thresholds (probability levels and impact levels).
I explain how to do the following:
• Activate ad hoc risk escalation
• Maintain custom agent determination rules
• Configure workflow settings
• Maintain organization hierarchy
• Simulate business examples
• Monitor the status of ad hoc risk escalation
Activate Ad Hoc Risk Escalation
Activation of ad hoc risk escalation is a prerequisite for harnessing this functionality. To activate ad hoc risk escalation, follow menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Master Data Setup > Activate Risk Proposal and/or Ad hoc Escalation (Figure 1). After you select the Activate check box, click the save icon in the menu bar at the top of the screen. (The save icon was cropped from the image in Figure 1.)
Figure 1
Activate ad hoc risk escalation
Ad hoc risk escalation is initiated via the front end (for example, SAP NetWeaver Business Client [NWBC]). If this activation step is not performed, the Ad hoc Risk Escalation quick link is not displayed in the My Home work center.
Figure 2 shows what the Ad Hoc Tasks section of the My Home work center looks like when ad hoc risk escalation is activated in customizing.
Figure 2
Ad hoc tasks with ad hoc risk escalation activated in customizing
On the other hand, Figure 3 shows what the Ad Hoc Tasks section of the My Home work center looks like when ad hoc risk escalation is deactivated in customizing.
Figure 3
Ad hoc tasks with ad hoc risk escalation deactivated in customizing
Maintain Custom Agent Determination Rules
The workflow concept in SAP Risk Management partially works on the concept of role assignment to business events. A business event is used during recipient determination in workflow-driven scenarios. This customizing activity allows you to define the roles that receive workflow requests for assigned tasks. The business event of interest for ad hoc risk escalation is 0RM_RISK_PROPOSE: Risk Proposal. This business event determines the user who will be the recipient of the ad hoc risk escalation workflow task. The standard role associated with this business event is SAP_GRC_RM_API_RISK_MANAGER. For the purpose of this article, I retain the default assignment of the standard role to this business event. It is good practice to copy standard roles into the customer namespace; if you have done so, or if you have created roles in your own namespace, you must maintain the mapping of those roles to business events yourself, because the standard mapping only covers the delivered roles.
To perform this customizing activity, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > General Settings > Workflow > Maintain Custom Agent Determination Rule. Click the New Entries button and maintain the entries as shown in Figure 4.
Figure 4
Risk proposal business event mapping to standard roles
Configure Workflow Settings
A workflow task can be initiated as a reaction to events triggered by the application. Therefore, specific events need to be defined as triggering events for the corresponding workflow task. The ad hoc risk escalation process is based on the standard workflow engine in the SAP NetWeaver ABAP stack. Therefore, it is important to perform all the mandatory baseline configuration activities via transaction code SWU3. These customizing activities need to be performed so that workflows can be executed successfully.
Figure 5 shows a typical automatic workflow customizing screen. The configuration activities include the following:
- Maintain Run Time Environment
- Maintain Definition Environment
- Maintain Additional Settings and Services
- Classify Tasks as General
- Guided Procedures
Figure 5
Automatic workflow customizing
Maintain Runtime Environment and Classify Tasks as General must have every task marked with a green check. All you have to do is to choose the individual nodes and click the generate icon to perform automatic workflow customizing. Some of the nodes cannot be customized automatically, but those are optional settings.
You must define the Validate Risk Proposal task (TS 45607917) as a general task and also activate event linkage for the Risk Proposal WF node, as shown in Figures 6 and 7, respectively.
To reach the screen in Figure 6, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > General Settings > Workflow > Perform Task-Specific Customizing > GRC (folder) > GRC-RM (folder) > Assign Agents > Validate Risk Proposal. In the screen that opens (Figure 6), click the Attributes… button. In the Task dialog box (not shown), select the General Task radio button and click the Transfer button to confirm the changes.
Figure 6
Validate Risk Proposal defined as a General Task
To reach the screen in Figure 7, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > General Settings > Workflow > Perform Task-Specific Customizing > GRC (folder) > GRC-RM (folder) > Activate Event Linking > WS 45600016 > CL_GRRM_RISK_PROPOSE_WF-VALIDATE CL.
Click the details icon in the Properties of Event Linkage dialog box (not shown) and then select the Event Linkage Activated check box. Click the Save button to confirm your changes.
Figure 7
Risk Proposal workflow event linkage activated
Maintain Organizational Hierarchy
The maintenance of the organization hierarchy is central to using ad hoc risk escalation. Organizational structures are important shared master data that needs to exist in the system to use this functionality. Risk thresholds that influence the recipient of the ad hoc risk escalation workflow task are usually defined at the organization unit level.
You typically need to create the root organization unit via the IMG by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Shared Master Data Settings > Create Root Organization Hierarchy. After you create the root organization in the IMG, you can maintain the organization in the front end by following menu path NWBC > Master Data > Organizations > Organizations. In the screen (not shown), highlight an organization unit (for example, KEN_LONDON) and click the Open button. In the next screen specify the required attributes, such as currency, as shown in Figure 8.
Figure 8
Maintain general attributes of an organization unit
Navigate to the top right corner of the screen and click the navigation menu icon (enclosed in red in Figure 9) to display the possible tabs.
Figure 9
Shortcut to access the tabs of an organization
Select the Roles option. In the screen that appears, highlight the role Unit Risk Manager and click the Assign button to maintain the corresponding user (Figure 10).
Figure 10
Maintain a Risk Manager against an organization unit
Click the Risk Thresholds tab and maintain the To and Escalation columns as shown in Figure 11.
Figure 11
Maintain a risk threshold against an organization unit
Click the Save button. You receive the following status message: Organization updated successfully. Navigate back to the organization unit (KEN_LONDON) and open it. Click the Risk Thresholds tab to review the From and To values (Figure 12).
Figure 12
Review risk threshold values for an organization unit
Repeat the same process for the definition of roles and risk thresholds for the KEN_CHELSEA organization unit. After you complete this process, you end up with screens similar to Figure 13 (for roles maintenance) and Figure 14 (for risk threshold definition).
Figure 13
Risk Manager role assignment to an organization unit
Figure 14
Define a risk threshold for an organization unit
In my business example (in Figures 13 and 14), I selected RM_CHELSEA to be the processor of any ad hoc risk escalation workflow request that applies to the KEN_CHELSEA organization unit (with KEN_LONDON as the parent organization unit). I also defined risk thresholds of £0.00 - £10.00, £10.01 - £20.00, £20.01 - £30.00, £30.01 - £40.00, and £40.01 - infinity for the Insignificant, Minor, Moderate, Major, and Catastrophic impact levels, respectively, for the KEN_CHELSEA organization unit.
I also activated escalation for any impact value above £30 for ad hoc risk requests. Suffice it to say that any impact value (above £30) associated with an ad hoc risk escalation request is escalated to the risk manager of the higher organization level, in the person of RM_LONDON. However, if the impact value associated with an ad hoc risk escalation request is less than £30, the risk manager of the KEN_CHELSEA organization unit processes the workflow item.
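The routing rule just described (impact value mapped to an impact level, escalation to the parent unit's risk manager when that level is flagged) can be made precise in a few lines. The following Python model is an added example for this article, not SAP code and not the author's: it uses the KEN_CHELSEA bands, escalation flags, users and parent from Figures 13 and 14, while the KEN_LONDON bands are constructed because the article does not show them. It also checks the threshold table for gaps and overlaps before routing, which is what reviewing the From and To values in Figure 12 guards against. Assumptions: escalation goes up exactly one organizational level, and a flagged level on a root unit (no parent) stays with that unit's own risk manager.

```python
"""Threshold-based routing of an ad hoc risk escalation (added example, not SAP code)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Sequence, Tuple, Union

CENT = Decimal("0.01")          # threshold bands are maintained to the penny
Amount = Union[Decimal, str, int, float]


@dataclass(frozen=True)
class Threshold:
    """One row of an organization unit's Risk Thresholds tab."""
    level: str                  # Insignificant, Minor, Moderate, Major, Catastrophic
    low: Decimal                # From value, inclusive
    high: Optional[Decimal]     # To value, inclusive; None means open-ended (infinity)
    escalate: bool              # Escalation column


@dataclass
class OrgUnit:
    """Organization unit with its Unit Risk Manager and threshold table."""
    name: str
    risk_manager: str
    thresholds: List[Threshold]
    parent: Optional["OrgUnit"] = None


def make_unit(name: str, risk_manager: str,
              rows: Sequence[Tuple[str, str, Optional[str], bool]],
              parent: Optional[OrgUnit] = None) -> OrgUnit:
    """Build an OrgUnit from (level, from, to, escalate) rows written as strings."""
    bands = [Threshold(level, Decimal(lo), None if hi is None else Decimal(hi), esc)
             for level, lo, hi, esc in rows]
    return OrgUnit(name, risk_manager, bands, parent)


def validate_thresholds(unit: OrgUnit) -> List[str]:
    """Return the problems in a threshold table: gaps, overlaps, or no open-ended last band.

    A gap leaves some impact values without an impact level, so a request at
    that value could not be routed to anyone.
    """
    problems: List[str] = []
    bands = sorted(unit.thresholds, key=lambda t: t.low)
    if not bands:
        return [f"{unit.name}: no thresholds maintained"]
    expected_low = Decimal("0.00")
    for i, band in enumerate(bands):
        if band.low != expected_low:
            problems.append(f"{unit.name}: {band.level} starts at {band.low}, expected {expected_low}")
        if band.high is None:
            if i != len(bands) - 1:
                problems.append(f"{unit.name}: open-ended {band.level} is not the last level")
            break
        if band.high < band.low:
            problems.append(f"{unit.name}: {band.level} has To below From")
        expected_low = band.high + CENT
    else:
        problems.append(f"{unit.name}: last level {bands[-1].level} must be open-ended")
    return problems


def impact_level(unit: OrgUnit, impact: Amount) -> Threshold:
    """Find the impact level whose band contains the impact value."""
    value = Decimal(str(impact)).quantize(CENT)
    for band in unit.thresholds:
        if value >= band.low and (band.high is None or value <= band.high):
            return band
    raise ValueError(f"{unit.name}: impact value {value} matches no impact level")


def route(unit: OrgUnit, impact: Amount) -> Tuple[str, bool, str]:
    """Return (processing user, escalated?, impact level) for an ad hoc risk.

    Fails closed: a unit with a broken threshold table routes nothing.
    Assumption: escalation goes one level up; a root unit keeps its own items.
    """
    problems = validate_thresholds(unit)
    if problems:
        raise ValueError("; ".join(problems))
    band = impact_level(unit, impact)
    if band.escalate and unit.parent is not None:
        return unit.parent.risk_manager, True, band.level
    return unit.risk_manager, False, band.level


# Constructed bands for the parent unit (the article does not show them).
KEN_LONDON = make_unit("KEN_LONDON", "RM_LONDON", [
    ("Insignificant", "0.00", "100.00", False),
    ("Minor", "100.01", "200.00", False),
    ("Moderate", "200.01", "300.00", False),
    ("Major", "300.01", "400.00", True),
    ("Catastrophic", "400.01", None, True),
])

# Bands, escalation flags and risk manager as maintained in Figures 13 and 14.
KEN_CHELSEA = make_unit("KEN_CHELSEA", "RM_CHELSEA", [
    ("Insignificant", "0.00", "10.00", False),
    ("Minor", "10.01", "20.00", False),
    ("Moderate", "20.01", "30.00", False),
    ("Major", "30.01", "40.00", True),
    ("Catastrophic", "40.01", None, True),
], parent=KEN_LONDON)


if __name__ == "__main__":
    for impact in ("25", "30.00", "30.01", "39"):   # 25 and 39 are the article's two requests
        user, escalated, level = route(KEN_CHELSEA, impact)
        print(f"impact {impact:>6} -> {level:<13} escalated={escalated!s:<5} processed by {user}")
```

Running the block routes the article's two requests as the text predicts (25 to RM_CHELSEA as Moderate, 39 to RM_LONDON as Major) and shows where the boundary actually sits: £30.00 is still Moderate, £30.01 is the first escalated value.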
Simulate Business Examples
I have structured this article to demonstrate how to process ad hoc risk escalation using different scenarios (escalation and no escalation) while also demonstrating the response actions against these different scenarios. Now I cover the following business examples:
- Simulate ad hoc risk escalation – no escalation (with activation option) scenario
- Simulate ad hoc risk escalation – escalation scenario (with risk transfer option)
- Simulate ad hoc risk escalation forwarding (and consequent rejection)
Simulate Ad Hoc Risk Escalation – No Escalation (with Activation) Scenario
The first step in initiating ad hoc risk escalation is to create a request. This business scenario shows how to create an ad hoc risk escalation workflow request that does not trigger escalation to a higher organization unit. The ad hoc risk proposal is consequently activated (and risk analysis initiated simultaneously) by the risk manager associated with the organization unit.
Follow the procedure below to create an ad hoc risk escalation. Use transaction code NWBC and follow menu path My Home > Ad Hoc Tasks > Ad hoc Risk Escalation. In the screen that appears (Figure 15), maintain the general fields Name, Description, and Organization Unit. Provide analysis values for the Probability (%) and Impact Value columns. Note that I defined an ad hoc risk escalation for the KEN_CHELSEA Organization Unit and specified an Impact Value of 25, which is within the risk threshold for this organization unit and does not require escalation (refer back to Figure 14).
Figure 15
Creation of ad hoc risk escalation
Click the Submit button. Figure 16 displays the following status message: Data successfully submitted.
Figure 16
Confirmation message for the successful creation of ad hoc risk escalation
After you log on as the risk manager (RM_CHELSEA) of the KEN_CHELSEA organization unit, you see a corresponding workflow item for the ad hoc risk escalation just created (Figure 17).
Figure 17
Work inbox showing an ad hoc risk escalation workflow item
Click the link enclosed in red in Figure 17 to open the workflow item for processing. Figure 18 appears.
Figure 18
The initial screen for processing an ad hoc risk escalation workflow item
Click the Activate button. This action opens the screen shown in Figure 19.
Figure 19
Define a value for a workflow item
Enter values for the Risk Category, Risk Type, and Notes fields. The Activate check box displays when you choose a risk type. After you select the check box, you are prompted to define an impact category. An impact category is a definition of how an organization wants to group the impacts to which it is susceptible (for example, financial loss, revenue, and reputation). To maintain impact categories as master data entries, follow menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Shared Master Data Settings > Risk and Opportunities Attributes > Maintain Impact Categories. To perform risk analysis, you need to assign an impact category to the risk. After providing these details, you should have a screen that looks like Figure 20.
Figure 20
Activation of ad hoc risk escalation
After you click the Submit button, you receive the following status message: Data saved successfully.
Navigate to the risk and opportunity management worklist by executing transaction code NWBC to access the NWBC portal. Click the Risks and Opportunities quick link under Risk Assessments in the Assessments work center (not shown). The newly created risk displays in the Risk and Opportunity Management worklist (Figure 21).
Figure 21
The Risk and Opportunity Management worklist showing the newly created risk
The status of the risk is Active, and the risk score is already calculated as 130. Click the link to review the details. Figure 22 displays the General tab showing the Proposed Risk field with the value Logistics Disruption Risk (No Escal).
Figure 22
General tab of the newly activated risk
Click the Analysis tab. Figure 23 displays the probability score, impact score, risk level, and risk scores.
Figure 23
The Analysis tab of the newly created risk
Click the value (50,00) under the Impact Score column to view additional details about the impact allocation table (Figure 24).
Figure 24
The Analysis tab showing the impact allocation table
Simulate Ad Hoc Risk Escalation: Escalation Scenario (Risk Transfer Option)
This example demonstrates the escalation of an ad hoc risk escalation request to a senior risk manager in a higher organization unit. Additionally, I demonstrate how the transfer processing option can be applied to an ad hoc risk escalation workflow item. To complete this step, execute transaction code NWBC and follow menu path My Home > Ad Hoc Tasks > Ad hoc Risk Escalation. In the screen that displays (Figure 25), maintain the general fields Name, Description, and Organization Unit. Provide analysis values for the Probability (%) and Impact Value fields. After you populate these fields, click the Submit button.
Figure 25
Ad hoc risk escalation request
The impact value for this request is defined as 39, which clearly exceeds the defined risk threshold for KEN_CHELSEA (Figure 14). Therefore, it is expected that the workflow item will be escalated to the risk manager of the KEN_LONDON organization unit. To process the workflow item, log on as the risk manager (RM_LONDON) for the KEN_LONDON organization unit.
Navigate to the workflow inbox by executing transaction code NWBC and following menu path My Home > Work Inbox > Work Inbox. Figure 26 displays with the corresponding ad hoc risk escalation workflow item.
Figure 26
Work inbox showing ad hoc risk escalation workflow item
Click the workflow item link. This action opens the screen shown in Figure 27.
Figure 27
The initial screen for processing an ad hoc risk escalation workflow item
Click the Transfer button. Choose a risk from the risk master data to which you want to transfer this risk. Provide details in the Notes section as shown in Figure 28.
Figure 28
Transfer of ad hoc risk to an existing risk
After you click the Submit button, the selected risk master data item page for ongoing maintenance of the risk appears (Figure 29). In this screen you can do any risk maintenance activity, such as defining a validity date, assigning a new impact category, or scheduling risk analysis.
Figure 29
Risk master data of the transferred risk
When you are finished, click the Save button.
Simulate Ad Hoc Risk Escalation Forwarding (and Consequent Rejection)
This business scenario demonstrates how the forward and reject options work. For this example, I created an ad hoc risk analysis escalation with a risk threshold within the bounds of the KEN_CHELSEA organization unit. I intend to forward the workflow item to the KEN_LONDON unit for further processing. The risk manager (RM_LONDON) of KEN_LONDON organization unit subsequently rejects the workflow item.
To simulate this business scenario, log on as the risk manager (RM_CHELSEA) of the KEN_CHELSEA organization unit and access the work inbox (Figure 30) by executing transaction code NWBC and following menu path My Home > Work Inbox > Work Inbox.
Figure 30
Work inbox showing ad hoc risk escalation workflow item
Choose the workflow item you want to process by clicking the appropriate link. The screen shown in Figure 31 opens.
Figure 31
The initial screen for processing ad hoc risk escalation
Click the Forward button. In the next screen, change the Organization Unit to KEN_LONDON (from KEN_CHELSEA) and provide details for the action (in the Notes section) as shown in Figure 32.
Figure 32
Forward an ad hoc risk escalation request to another organization unit
After you click the Submit button, you receive the following status message: Data successfully submitted.
The next step is to log on as the risk manager (RM_LONDON) of the KEN_LONDON organization unit to process the workflow item. To proceed, access the work inbox by executing transaction code NWBC and following menu path My Home > Work Inbox > Work Inbox. Click the link of the workflow item you want to process (Figure 33).
Figure 33
Work inbox showing an ad hoc risk escalation workflow item
This action opens the screen shown in Figure 34.
Figure 34
The initial screen for the rejection of ad hoc risk escalation
Click the Reject button. In the next screen, enter details (in the Notes section) for the reason for the action as shown in Figure 35. The details provided in the forwarding workflow stage are shown in the screen.
Figure 35
Rejection of ad hoc risk escalation
After you click the Submit button, you receive the following status message: Data successfully submitted.
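The three business examples above exercise every processing action the work item supports (activate, transfer, forward, reject), and each action leaves a comment in the Notes section. The following Python model replays them end to end; it is an added example for this article, not SAP code and not the author's. It assumes that only the actor currently shown under Processing by may act on an item, that an item in a final status (Active, Transferred, Rejected) accepts no further actions, and a constructed RISK-nnnn identifier format for newly activated risks. The creator user, probabilities, risk types and all risk names except the article's "Logistics Disruption Risk (No Escal)" are constructed sample data; the In Progress status is not modelled.

```python
"""Lifecycle of an ad hoc risk escalation work item with a Notes audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import count
from typing import Dict, List, Optional

FINAL_STATUSES = {"Active", "Transferred", "Rejected"}   # assumption: processing is complete
_risk_ids = count(1)            # constructed stand-in for the risk ID the system assigns


@dataclass
class Note:
    """One entry of the Notes section: who did what, when, and why."""
    when: str
    actor: str
    action: str
    text: str


@dataclass
class AdHocRiskEscalation:
    name: str                          # Proposed Risk
    created_by: str
    org_unit: str                      # Proposed Org. Unit
    probability_pct: int
    impact_value: str
    processing_by: Optional[str]       # responsible actor; None once processing is complete
    status: str = "Created"
    risk_id: Optional[str] = None      # set by activate (new risk) or transfer (existing risk)
    notes: List[Note] = field(default_factory=list)

    def _act(self, actor: str, action: str, text: str) -> None:
        """Authorize the action for this actor, then log it; nothing changes on failure."""
        if self.status in FINAL_STATUSES:
            raise ValueError(f"{self.name}: status is {self.status}, no further processing")
        if actor != self.processing_by:
            raise PermissionError(f"{actor} is not the responsible processor ({self.processing_by})")
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.notes.append(Note(stamp, actor, action, text))

    def forward(self, actor: str, to_org_unit: str, to_processor: str, text: str) -> None:
        """Hand the item to another organization unit's risk manager."""
        self._act(actor, "Forward", text)
        self.status, self.org_unit, self.processing_by = "Forwarded", to_org_unit, to_processor

    def activate(self, actor: str, risk_type: str, impact_category: str, text: str) -> str:
        """Turn the proposal into a new active risk (risk analysis starts at this point)."""
        self._act(actor, "Activate", f"{text} (type={risk_type}, impact category={impact_category})")
        self.risk_id = f"RISK-{next(_risk_ids):04d}"
        self.status, self.processing_by = "Active", None
        return self.risk_id

    def transfer(self, actor: str, existing_risk_id: str, text: str) -> None:
        """Merge the proposal into a risk that already exists in the master data."""
        self._act(actor, "Transfer", f"{text} (to {existing_risk_id})")
        self.risk_id = existing_risk_id
        self.status, self.processing_by = "Transferred", None

    def reject(self, actor: str, text: str) -> None:
        self._act(actor, "Reject", text)
        self.status, self.processing_by = "Rejected", None

    def audit_trail(self) -> List[str]:
        """Render the Notes log as the history of approval stages."""
        return [f"{n.when} {n.actor} {n.action}: {n.text}" for n in self.notes]


def monitoring_report(items: List[AdHocRiskEscalation]) -> List[Dict[str, str]]:
    """Rows with the columns of the Proposed Risks and Ad-hoc Risk Escalations report."""
    return [{"Proposed Risk": i.name, "Status": i.status, "Created by": i.created_by,
             "Proposed Org. Unit": i.org_unit, "Processing by": i.processing_by or ""}
            for i in items]


def run_scenarios():
    """Replay the article's three business examples with constructed sample data."""
    # 1. Impact 25 is within KEN_CHELSEA's thresholds: RM_CHELSEA activates the proposal.
    no_escal = AdHocRiskEscalation("Logistics Disruption Risk (No Escal)", "RISK_EXPERT",
                                   "KEN_CHELSEA", 50, "25.00", "RM_CHELSEA")
    no_escal.activate("RM_CHELSEA", "Operational", "Financial loss", "Validated; analysis started")
    # 2. Impact 39 exceeded the escalation threshold, so the item reached RM_LONDON, who transfers it.
    escal = AdHocRiskEscalation("Supplier Insolvency Risk", "RISK_EXPERT",
                                "KEN_CHELSEA", 40, "39.00", "RM_LONDON")
    escal.transfer("RM_LONDON", "RISK-EXISTING-0001", "Duplicate of an existing risk")
    # 3. Within threshold, but RM_CHELSEA forwards it to KEN_LONDON and RM_LONDON rejects it.
    fwd = AdHocRiskEscalation("Data Centre Outage Risk", "RISK_EXPERT",
                              "KEN_CHELSEA", 20, "15.00", "RM_CHELSEA")
    fwd.forward("RM_CHELSEA", "KEN_LONDON", "RM_LONDON", "Needs group-level review")
    fwd.reject("RM_LONDON", "Covered by existing controls")
    return no_escal, escal, fwd


if __name__ == "__main__":
    items = run_scenarios()
    for row in monitoring_report(list(items)):
        print(row)
    print("\n".join(items[2].audit_trail()))
```

The point of the `_act` guard is that the Notes log is only trustworthy as an audit trail if every status change passes through the same authorization check and nothing is recorded when that check fails; the third scenario's trail then reads Forward by RM_CHELSEA followed by Reject by RM_LONDON, which is exactly what the Notes section of the report should show.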
Monitor the Status of Ad Hoc Risk Escalation
The system provides a standard report to help you monitor the status of ad hoc risk escalations. The report can be accessed by executing transaction code NWBC and following menu path Assessment > Risk Assessments > Proposed Risks and Ad-hoc Risk Escalations (Figure 36).
Figure 36
Status of ad hoc risk escalation
The different statuses that an ad hoc risk escalation can assume include Created, Forwarded, Rejected, Transferred, Active, and In Progress. In addition to the status information, the report provides information on when ad hoc risk escalation was created, who created it, and which organization unit was affected. If an ad hoc risk escalation item has not been completely processed, details about the actor responsible for processing the item are displayed under the Processing by column.
You can drill down to the main screen of the risk escalation to review its detailed attributes by clicking an ad hoc risk escalation link under the Proposed Risk column (Figure 36). The Notes section of the next screen (Figure 37) provides a log of all comments defined during the approval stages. This log provides you with an audit trail.
Figure 37
The details page of ad hoc risk escalation showing the status
You can also drill down to the corresponding organization unit from the report by clicking the entry link under the Proposed Org. Unit column (for example, KEN_CHELSEA in Figure 36). This action opens the screen shown in Figure 38.
Figure 38
Drill down to an organization unit from a report
Kehinde Eseyin
Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
You may contact the author at eseyinok@gmail.com.