SAP BusinessObjects Risk Management 10.0 advances and best practices address the information and decision-making needs for enterprise resource management (ERM) inside the enterprise today. I look at how SAP BusinessObjects Risk Management 10.0 can shape ERM corporate policy, touching on critical operational areas and providing a broad framework of what an ERM program should consider in terms of best practices garnered by SAP over the past year.

The Three Key Pitfalls of ERM Programs

Risk management professionals often have an uncanny knack for determining relevant metrics to specific industries. If the metric is correlated properly this analysis can be viewed as prescient. However, it can be devastatingly inaccurate and irrelevant if correlated improperly. For example, financial analysts place significant value on an oil company’s  proved oil and gas reserves compared with the amount of refinery capacity and product inventory the company may have on hand. GRC resources, and ERM in particular, should be focused on that value driver. In another real-world example, an air carrier may be valued based  on customers’ service experiences, versus the value of the aircraft, landing rights, and route structures. In this case, a risk management professional may assess the risks related to his findings about customer service. The scores of flight attendants can be included after they complete training and those results can be given more weight as a predictor of financial and operational success.

In an effort to continuously simplify complex behaviors, risk management professionals — and the executives to which they report — have great difficulty making these correlations, determining key metrics, and relating these to specific ERM initiatives. In particular, in the last two years, SAP has identified three problem areas with its partners and customers in which ERM programs are often derailed or misunderstood from the point of view of the executive team:

1. ERM is not linked to fundamental value drivers of the business. For example, in the oil and gas industry it is common for 90 to 95 percent of governance, risk, and compliance activities to be based on product and crude inventory verification and valuation. That represents as little as 10 percent of the value of the corporation when compared against proved reserves. Similar examples of disproportionate ERM resource allocation can be shown in some health services organizations. This is due to the high level of insurance and documentation requirements. In this case, the risk management efforts related to documentation supporting reimbursement and payments can be as high as 80 percent, while the risk management resources related to actually delivering patient care can be as low as 20 percent.
2. Shareholder devaluation occurs based on measuring nonproductive drivers. For example, in the aforementioned cases, are these metrics really the best ways to value key assets and drive product? This dichotomy lends itself to a natural devaluation on the perceived value of a company because the organization is viewed as nonproductive against its own value drivers.
3. ERM is not focused significantly or deeply enough on the broad value killer fat-tail risks (i.e., risks that have a low probability, yet devastating impact). For example, consider the disruptions to the value chain resulting from the Japanese tsunami or the oil spill in the Gulf of Mexico. In these cases, companies relied on ill-defined risk plans and were unprepared to implement these risk plans on the scale required by actual catastrophic events. Few of these mitigation plans are based on valid scenario planning; fewer still coordinate those plans across the value chain.

SAP BusinessObjects Risk Management 10.0 attempts to address these three challenges with the use of a number of new features and libraries of key risk indicators (KRIs) that come free with the solution. In the next section I show you how to use one of these features to perform scenario- and value-based analysis on risk areas to define a structured ERM portfolio of activities.

SAP solutions address significant technology needs of the internal audit function that are identified as best practices of risk management. The audit management functionality of SAP NetWeaver can be used in an audit management environment with other SAP applications, such as SAP BusinessObjects Risk Management 10.0. For more information see William’s article, “How SAP Solutions Can Make Audit Management Processes More Cost-Effective.”

Using the Bow-Tie Builder Tool to Build ERM Portfolios

To tie key risk events into the cause and effect of ERM activities, SAP BusinessObjects Risk Management 10.0 includes a feature known as the bow-tie builder. The bow tie is a means of visually communicating the nature of a risk event and what the expected causes and impacts might occur if the risk event actually transpires. Additionally, the bow-tie representation often includes the following characteristics:

• The nature of the external or internal actors that can lead to a risk event
• The category of risk the risk event may be associated with (for example, supply chain disruption)
• The preventive controls that can be actively taken to avoid or mitigate the risk event
• The future responsive actions that can be taken to further avoid or mitigate the risk event, or should be taken after the risk event has occurred
• The specific outcomes that the risk event may create in terms of impact and likelihood of occurring

Additionally, the bow-tie builder feature of SAP BusinessObjects Risk Management 10.0 can also link specific responsible organizations to the risk event, as well as to the overall risk category and the risk activity defined in the risk management program.

To access the bow-tie builder of SAP BusinessObjects Risk Management 10.0, first launch the Assessments window from the main SAP BusinessObjects Risk Management 10.0 cockpit. From the Assessments window you may choose from the available options (Figure 1). There are a number of options to select for risk assessments; in this case you look at the existing risks and opportunities that have been previously logged in the Risk Management 10.0 solution for deeper analysis.

Figure 1

Access the risk assessments functions screen

Once you have selected the Risks and Opportunities option from the Assessments window, you find a list of risks tracked inside SAP BusinessObjects Risk Management 10.0 that are already associated with risk categories and primary organizations responsible for their governance (Figure 2). Best practices in risk management and governance suggest it is important to have one or more specific organization units associated with risk events. Later I show you how to add or modify organizations within the bow-tie builder.

Figure 2

Risks and opportunities list

Now you can select one of the risk events for deeper analysis. In this example, select Inconsistent Financial Reporting because you need to understand more clearly what the ramifications are for this risk and to illustrate possible outcomes to executive management. When you select the risk from the list, another Web-based window opens illustrating fields and values, including your understanding of what some of the preliminary impacts are to the risk.

In previous versions of SAP BusinessObjects Risk Management, this window would simply appear without any reference to specific risk-opportunity relationships found in Risk Management 10.0.  Risk professionals would need to develop their own illustrations, such as the bow tie, based on the practices of their own enterprises. With SAP BusinessObjects Risk Management 10.0, however, a graphical view option has been added. This option leads to the bow-tie builder analysis tool. As shown in Figure 3 the Switch to Graphical View button is available for each risk event created in SAP BusinessObjects Risk Management 10.0.

Figure 3

SAP BusinessObjects Risk Management 10.0 graphical view option

After you press the Switch to Graphical View button, the bow-tie builder environment opens (Figure 4). In this case, the left side of the display shows the elements of the risk bow tie, while the field on the right shows a clean graphical representation of the risk event. The primary elements of the risk event available in the bow-tie builder utility are:

• Primary organizational unit responsible
• Risk category
• Overall risk activities associated with the event (preventive or responsive)
• Impacts
• Drivers

Figure 4

Bow-tie builder’s graphical risk visualization

In this example you next take a closer look at the risk drivers to financial reporting, so you select the Drivers element (simply click the element) from the display on the left side of the window. When you select Drivers from the list (Figure 5), a sublist prepopulated with common selections of risk drivers allows you to choose which risk drivers you would like to add to the risk event. In this example, you choose People from the Drivers sublist, and simply drag and drop the element into the window field. You then receive a prompt asking you for a description of the element (which is then stored automatically in the SAP BusinessObjects Risk Management 10.0 data attributes for this risk for enterprise use).

Figure 5

Add specific risk elements

Another best practice is the ability to associate more than one organization unit as either primary or secondary for the risk event. Similarly, you can select Organizational Unit from the field list and have the organization structure of the enterprise available for selection in the sublist (Figure 6). Again, by dragging and dropping, you can add additional organizations to the bow-tie builder graphical view, while at the same time the information is being managed consistently in SAP BusinessObjects Risk Management 10.0.

Figure 6

Add primary or secondary risk events to organizations

As part of the bow-tie builder functionality, you can also address risk mitigation efforts. After you select the Mitigate Risk button of the bow-tie builder utility, the field window changes (Figure 7). The three primary responses to risk (mitigate, avoid, and transfer) that result suggest a number of control options for the mitigation stage. Selecting the drop-down list of possible options for controls enables you to determine which risk control activities can be added or deleted from the risk event. These drag-and-drop selections are added to the field window and automatically update the risk event description.

Figure 7

Predefined risk responses and controls

William Newman

William Newman, MBA, CMC is managing principal of Newport Consulting Group, LLC, an SAP partner focused on EPM and GRC solutions. He has over 25 years of experience in the development and management of strategy, process, and technology solutions spanning Fortune 1000, public-sector, midsized and not-for-profit organizations. He is a Certified Management Consultant (CMC) since 1995, qualified trainer by the American Society of Quality (ASQ) since 2000, and a trained Social Fingerprint consultant in social accountability since 2012. William is a recognized ASUG BusinessObjects influencer and a member of SAP’s Influencer Relations program. He holds a BS degree in aerospace engineering from the Henry Samueli School of Engineering and Applied Science at UCLA and an MBA in management and international business from the Conrad L. Hilton School of Management at Loyola Marymount University. He is a member of the adjunct faculty at both Northwood University and the University of Oregon with a focus on management studies and sustainability, respectively.

If you have comments about this article or BI Expert, or would like to submit an article idea, please contact the editor.

You may contact the author at wnewman@newportconsgroup.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.