Many risk managers complain about a lack of enterprise insight and alignment of risk management to the strategic objectives of their organization. With a rather manual and inconsistent approach based on emails and spreadsheets, they often fail to oversee the impact of risks to the strategic goals and whether appropriate risk responses were implemented to mitigate risks. SAP BusinessObjects Risk Management 3.0 is an enterprise-scalable, near real-time, integrative solution to align enterprise risk management with corporate strategy initiatives, and effectively mitigate risk. Learn how it optimizes corporate performance, maximizes visibility of risk impacts and effectiveness of risk responses, and sends out early alerts through automated monitoring of key risk indicators.
Key Concept
SAP BusinessObjects Risk Management 3.0 focuses on the enterprise risk management process, including risk planning, risk identification, risk analysis, risk response, and risk monitoring. A separately licensed product, SAP BusinessObjects Process Control 3.0, provides a centralized solution for internal control management. In combination, both products provide a closed-loop solution for risk identification, risk prioritization, implementation of controls for the business processes at risk, issue remediation, and feedback of control completeness and effectiveness to determine the effective residual risk levels displayed in the risk heat map of SAP BusinessObjects Risk Management 3.0. SAP BusinessObjects Risk Management 3.0 provides a Web service-based interface to SAP or non-SAP solutions for strategy management, providing risk exposure information for key strategic objectives and opening the door to risk-adjusted management of corporate performance.
In recent years, the importance of enterprise risk management (ERM) systems has risen, yet many companies still don’t have a formal risk management system in place. Or they have processes in place, but execute them in a siloed and inconsistent approach based on emails and spreadsheets. Typical issues with insufficiently mature risk management systems are:
- Risk managers on board level suffer from a lack of insight into the current status of key business risks, and effectiveness and completeness of implemented risk responses
- Risk responses are often reactive, one-off actions
- Risk managers have no real-time indicators at hand upon which to base timely decision making
- Line managers understand business risks in their area, but can’t use experiences regarding risks and appropriate responses from other business areas
- A lack of understanding of risk interdependencies, where multiple risks can combine into a perfect storm that causes significant losses
- No feedback of risk exposure into the corporate strategy to identify strategic objectives at risk and take appropriate remediation actions in time
SAP BusinessObjects Risk Management 3.0 addresses these issues and helps institutionalize ERM in your organization. It reduces risk and loss events through near real-time risk transparency and by applying response measures based on your strategies and initiatives. It comes with a number of strengths:
- Enterprise scalability: The application runs on the SAP NetWeaver platform and comes with a fine-grained, object-level security concept
- Collaboration: It reaches out to all stakeholders in your company in workflow-driven processes to collect the best quality information on risks, risk responses, and incidents directly from where it resides in the business. This also includes your employees, who can propose new risks in a self-service scenario. The application also provides the means to share risk information across the organization so that you have the complete risk intelligence of your enterprise at hand when needed.
- Near real-time: The application provides continuous monitoring of key risk indicators (KRIs) implemented as automated queries in your SAP and non-SAP business systems. Moreover, its integration with SAP BusinessObjects Process Control 3.0 permits you to assign controls as risk responses for mitigation, measure their completeness and effectiveness in processes at risk, and update residual risk levels accordingly.
- Risk interdependencies: The application provides scenario analysis and Monte Carlo simulations to analyze how risks influence the occurrence of other risks
- Opportunity management: Opportunities are uncertain events that, if they occur, would have a positive impact on business objectives. Opportunities can be regarded as positive risks and are managed separately, but with similar instruments applied to risks in the application.
I’ll introduce you to SAP BusinessObjects Risk Management 3.0, including how it fits into your ERM system and how it integrates with SAP BusinessObjects Strategy Management and SAP BusinessObjects Process Control. Before I go into that, I’ll show you a few studies that emphasize the benefits of an ERM system, and how you can evaluate it.
The Value of ERM
The relevance of ERM has been illustrated very impressively by the 2005 Deloitte study “Disarming the Value Killers.” It shows that nearly one-half of the 1,000 largest companies by market value have lost more than 20% of their market value in a one-month period at least once over the decade from 1994 to 2003 and relative to the MSCI stock index. The same study reveals that 28% of the affected companies required more than one year to fully recover, whereas 22% never recovered to their original values.
Examining the causes of these dramatic and enduring losses at the 100 hardest-hit companies, the study found that the responsible events could be categorized into the four broad risk categories of strategic risks, operational risks, financial risks, and external risks. The number of companies affected by financial risks was significantly lower than for the other risk categories. This coincides with the results of another study by IBM Global Business Services, “The Global CFO Study 2008,” stating that 85% of risk types that led to a company’s market capitalization decline of 30% or more were non-financial in nature.
Another key finding of the Deloitte study was that 80% of the companies that suffered the greatest losses in value were exposed to more than one type of risk and struggled to manage critical risk interdependencies. For this reason, the study recommends implementing an integrated risk management function to identify and manage interdependencies among all the risks facing the firm.
External stakeholders represent another key driver for more formal ERM processes. For example, since 2010, Standard & Poor’s (S&P) has been evaluating non-financial enterprises on their ERM practices with the resulting score affecting their credit rating and, ultimately, their cost of capital. The following summary of S&P’s underlying definition of ERM is based on the July 2008 edition of the Willis Enterprise & Risk Finance (WERF) Newsletter:
- A comprehensive set of risks
- Clearly defined risk appetite and tolerance
- A set of methods for avoiding situations that might cause losses outside of the firm’s tolerance
- A shift in focus from “cost/benefit” to “risk/reward”
- A way to help fulfill the fundamental responsibility of a company’s board and senior management
- A toolkit for identifying risks and mitigating them
- A common risk language
Other examples of external stakeholders are insurance companies that grant significant discounts on premiums to companies that have an effective ERM system in place, or investors and customers who use existing ERM practices as a key benchmark for their investment decisions or acceptance of vendors, respectively. Now let’s look at how you can use SAP BusinessObjects Risk Management 3.0 as part of your own ERM system.
SAP BusinessObjects Risk Management and the Five Phases of ERM
SAP BusinessObjects Risk Management 3.0 covers all core ERM process steps including risk planning, risk identification, risk analysis, risk response, and risk monitoring (Figure 1). SAP BusinessObjects Risk Management 3.0 permits risk management for different types of assets, including business processes, projects, account groups, strategic objects, and other company assets and planning objects.

Figure 1
The five main phases of ERM for risk-adjusted corporate performance management
In particular, a risk analysis for strategic objectives reveals their risk exposure and allows for timely implementation of appropriate risk responses to keep your enterprise on track. This risk exposure information is made available via a Web service to your corporate strategy management solution. This interface is optimized for SAP BusinessObjects Strategy Management 7.5, but also works for other solutions that can consume the Web service. In combination, SAP BusinessObjects Strategy Management 7.5 and SAP BusinessObjects Risk Management 3.0 can include risk exposure information in the corporate scorecard (Figure 2) as forward-looking key performance indicators (KPIs) for strategic objectives (Figure 3).

Figure 2
Corporate scorecard in SAP BusinessObjects Strategy Management 7.5, with one objective well below the target displayed in red

Figure 3
Risk Exposure appears as an additional KPI of the strategic objective negatively affecting its overall score
The risk exposure information is updated with each risk reassessment and, if you assigned controls as risk responses, with each control evaluation as well. Starting from the corporate scorecard, you can drill down into SAP BusinessObjects Risk Management 3.0 and examine the risks associated with your strategic objectives in detail. KRIs provide early warning signals through predictive risk indicators, which highlight changes in the risk environment, response effectiveness, and potential risk issues before they occur. You can implement KRIs as automated queries in your SAP and non-SAP business systems that trigger risk reassessments if customizable tolerances or other business rules are violated.
The following sections provide an overview of the capabilities of SAP BusinessObjects Risk Management 3.0 in the five main phases of ERM shown in Figure 1, and how to integrate with SAP BusinessObjects Strategy Management and SAP BusinessObjects Process Control 3.0.
Note
For an overview of SAP BusinessObjects Process Control, refer to my earlier article posted to the GRC Expert knowledgebase in February 2010.
Risk Planning
During risk planning, you set up the relevant master data supporting the ERM process (Figure 4). To integrate SAP BusinessObjects Risk Management 3.0 with SAP BusinessObjects Strategy Management, you start by identifying your strategic objectives and initiatives within SAP BusinessObjects Strategy Management.

Figure 4
Risk planning phase in four distinctive steps to set up relevant master data
Then continue setting up the required master data in SAP BusinessObjects Risk Management 3.0, which is organized in the following five separate hierarchies (Figure 5):
- Objectives Hierarchy: This consists of two levels — the first level captures strategic initiatives and the second level captures strategic objectives as defined in your strategy management solution
- Organizations: Define the hierarchy of organizational units as needed for reporting from a risk management perspective. You can assign risk appetite, risk thresholds, organizational unit managers, risk managers, and strategic objectives from your objectives hierarchy to your organizational units. You can share the organization hierarchy with SAP BusinessObjects Process Control 3.0 and it is possible to define multiple views on it.
- Risk Classification: Create multiple layers of risk categories as needed for your global risk taxonomy and create central risks within your risk categories. You can later use the central risks to streamline the risk assessment process and automate risk creation.
- Opportunity Classification: Provide a hierarchy of opportunity categories and opportunity templates in the same way as you did during risk classification
- Activity Hierarchy: You can define a hierarchy of activity categories for each type of activity you previously set up in the IMG customizing. Activity types are assets you want to include in the scope of your ERM system, such as business processes, projects, account groups, or other planning objects. You can exclude risk or opportunity categories from being available for selected activity categories where indicated. If you have already set up a central process catalog in SAP BusinessObjects Process Control 3.0, you can make it available as an activity hierarchy in SAP BusinessObjects Risk Management.

Figure 5
Risk Structure work center to perform risk planning-related tasks
Within each master data object you can attach documents or links to provide more information.
Risk Identification
The risk identification phase of risk management includes a collaborative process for identifying and documenting all risks for the company. It involves risk managers, line of business owners, directors, and executives. In addition, any user can propose a new risk within the application. The related risk drivers (e.g., root causes), risk impacts (e.g., consequences), KRIs, and the risk relationships are also documented (Figure 6).

Figure 6
Risk identification phase
Each new risk is assigned a risk owner. You can attach risks to organizational units, or to more granular activities. An activity is any project, process, or object within your business that might be affected by a specific risk and is always tied to one or multiple organizational units. After creating activity categories structured in an activity hierarchy, risk managers can create individual activities for the activity types defined in the IMG customizing and assign them to activity categories as needed for later reporting. Activities and the risks and opportunities assigned to them can undergo validation workflows requesting approvals from CEOs, CFOs, or any other authorized user.
Once all the risks have been identified and documented, it is often necessary to consolidate groups of risks into one parent risk. This consolidation helps in developing a risk hierarchy for consolidating and rolling up risk information across the organizational structure. Reporting is also made simple by viewing risk levels of consolidated risk groups rather than the complete set of risks, which can be overwhelming for large enterprises.
Risk Analysis
The risk analysis phase of risk management uses quantitative and qualitative methods to determine risk levels (Figure 7). The risk levels are critical to prioritize risks and develop appropriate risk responses. The risk analysis phase can also include reviews of historical losses as well as scenario analysis. The application analyzes the following risks:
- Inherent risks
- Actual residual risks
- Planned residual risks

Figure 7
Risk analysis phase
The inherent risk represents the initial risk with no response actions taken, whereas the residual risk is the remaining risk after implementation of risk responses to mitigate the risk. The planned residual risk assumes all responses being 100% complete and effective, whereas the actual residual risk is based on actual values for completeness and effectiveness. The first analysis of a new risk focuses on the inherent risk; because no responses are assigned to the risk yet, all inherent and residual risk levels are equal (Figure 8).

Figure 8
The risk owner performs a risk analysis estimating inherent probability and impact of the risk event
SAP BusinessObjects Risk Management 3.0 supports risk analysis in quantitative, qualitative, or mixed mode. This refers to estimates given by risk owners for probability and impact. The system combines the estimates for probability and impact into a risk level based on a customizable risk and opportunity level matrix and includes the new risk in the risk heat map (Figure 9). The risk heat map is used for risk monitoring and displays, in a matrix, the number of risks per probability and impact level.

Figure 9
The risk heat map displays the risks according to their probability and impact levels, as well as the top risks
Risk Response
The risk response phase of risk management includes documenting risk preventive and recovery responses along with ownership for mitigating the impact of potential risk events (Figure 10). Users can also propose and assign process controls as risk responses. You can also define risk reassessment and approval cycles as part of this phase. During response planning, risk owners estimate the reduction of probability and impact of the risk event under the assumption the risk responses are completely implemented and fully effective. The system uses these estimates to calculate the planned residual risk.

Figure 10
Risk response activities including integration with SAP BusinessObjects Process Control 3.0
A key product differentiator of SAP BusinessObjects Risk Management 3.0 is its integration with SAP BusinessObjects Process Control 3.0, which allows for assigning existing controls and proposing new controls in business processes at risk. The controls are implemented and evaluated in SAP BusinessObjects Process Control 3.0. Results of control assessments and tests are fed back as values for actual response completeness and effectiveness, respectively. Consequently, risk monitoring is based on the most recent control evaluations and actual residual risk levels. Most companies periodically reanalyze critical risks, often on an annual basis, to ensure that the risk documentation matches the current business conditions. This kicks off a new cycle of assessments of inherent and residual risks and respective response planning (Figure 11).

Figure 11
The system tracks inherent, planned, and actual residual risk probabilities and impacts for each cycle of risk reassessments
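The inherent, planned residual, and actual residual views from the Risk Analysis and Risk Response sections, and the heat map counts built from them, as an added Python example that is not SAP's code. The scale boundaries, the level thresholds, and the rule that the achieved share of a planned reduction equals completeness times effectiveness are assumptions, because the page does not give the product's formulas; the sample risks are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed 5-level scales; the product's matrix is customizable and not given on the page.
PROB_BOUNDS = [0.05, 0.20, 0.40, 0.70]                     # upper bounds of levels 1..4
IMPACT_BOUNDS = [10_000, 100_000, 1_000_000, 10_000_000]   # currency units

def level(value, bounds):
    """Map a quantitative estimate to an ordinal level 1..len(bounds)+1."""
    return 1 + sum(value > b for b in bounds)

def risk_level(p_level, i_level):
    """Assumed risk level matrix: classify a cell by the product of its indices."""
    score = p_level * i_level
    return "high" if score >= 15 else "medium" if score >= 6 else "low"

@dataclass
class Risk:
    name: str
    probability: float             # inherent probability estimate, 0..1
    impact: float                  # inherent impact estimate
    prob_reduction: float = 0.0    # planned reduction if responses work fully, 0..1
    impact_reduction: float = 0.0
    completeness: float = 0.0      # actual response completeness, 0..1
    effectiveness: float = 0.0     # actual response effectiveness, 0..1

    def inherent(self):
        return self.probability, self.impact

    def planned_residual(self):
        # Planned view: every response is 100% complete and effective.
        return (self.probability * (1 - self.prob_reduction),
                self.impact * (1 - self.impact_reduction))

    def actual_residual(self):
        # Assumption: achieved share of the planned reduction = completeness * effectiveness.
        achieved = self.completeness * self.effectiveness
        return (self.probability * (1 - self.prob_reduction * achieved),
                self.impact * (1 - self.impact_reduction * achieved))

def classify(risk, view):
    """Risk level ('low' / 'medium' / 'high') of one risk in the chosen view."""
    p, i = getattr(risk, view)()
    return risk_level(level(p, PROB_BOUNDS), level(i, IMPACT_BOUNDS))

def heat_map(risks, view="actual_residual"):
    """Count risks per (probability level, impact level) cell for the chosen view."""
    cells = Counter()
    for r in risks:
        p, i = getattr(r, view)()
        cells[(level(p, PROB_BOUNDS), level(i, IMPACT_BOUNDS))] += 1
    return cells

# Constructed sample risks: partly implemented, fully implemented, and no response yet.
RISKS = [
    Risk("Supplier outage", 0.50, 5_000_000, 0.7, 0.5, completeness=0.5, effectiveness=0.8),
    Risk("Data center fire", 0.10, 20_000_000, 0.6, 0.9, completeness=1.0, effectiveness=1.0),
    Risk("New risk, no response", 0.30, 500_000),
]

if __name__ == "__main__":
    for view in ("inherent", "planned_residual", "actual_residual"):
        print(view, dict(heat_map(RISKS, view)), [classify(r, view) for r in RISKS])
```

The partly implemented response leaves the first risk's actual residual cell between its inherent and planned cells, which is the gap the control feedback from SAP BusinessObjects Process Control 3.0 is meant to expose.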
Risk Monitoring
The risk monitoring phase of risk management includes monitoring KRIs and response completeness and effectiveness measures (Figure 12). The phase also includes documenting incidents and losses that have occurred as well as reporting on the overall risk exposure for the enterprise and the organizational entities. For the latter, the solution comes with a wide range of standard reports (Figure 13). One of these reports displays risk exposure of your strategic objectives (Figure 14). The risk exposure of an objective is made available to your corporate performance management solution via Web service as mentioned earlier.

Figure 12
Risk monitoring activities and feedback to corporate performance management

Figure 13
Standard reports in SAP BusinessObjects Risk Management 3.0

Figure 14
Standard report risks per objective
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.