A risk monitoring framework delivers actionable alerts and reports that support decision makers in managing risk responses. It includes automated key risk indicators (KRIs) that trigger early warnings, meaningful reports of the current risk status, and records of risk incidents and losses as lessons learned. Learn how to set up KRIs in SAP BusinessObjects Risk Management 3.0 and define criteria to trigger follow-up actions. Use pre-delivered Crystal Reports to respond to frequent management questions regarding the organization’s risk status and record your risk incidents and losses in an incident and loss database.
Key Concept
Key risk indicators (KRIs) are implemented in a top-down approach and based on queries or Web services that are available in your business systems or developed by your company. You start with KRI templates at an early point in time where implementation details such as required queries and system connectors aren’t yet available. KRI templates provide a logical grouping for KRI implementations of a similar kind and contain descriptions in business, but not in technical terms. KRI implementations contain the technical details (e.g., system connectors and script names).
Risk monitoring is the key result of the enterprise risk management (ERM) process as it provides information that risk managers and decision makers can use to communicate risk information and determine where to allocate resources most effectively. SAP BusinessObjects Risk Management 3.0 includes a comprehensive framework for risk monitoring, including:
- Automated monitoring of key risk indicators (KRIs) as an early warning system for adverse trends in your risk environment
- Online reports using SAP Crystal Reports technology to support management decisions with actionable reports on your current risk status
- Incident and loss database (ILDB) to record risk incidents and their effective losses as lessons learned, and better predict risk exposure and anticipate losses
Early Warnings from KRIs
KRIs are critical to the successful management of enterprise risks. Essentially, you use KRIs to monitor and predict events within your organization that may threaten its strategic objectives. In combination with escalation criteria, KRIs help educate management about emerging issues. They also help keep the risk management process dynamic and risk profiles current. KRIs are different from key performance indicators (KPIs) in that KRIs monitor forward-looking trends that make a risk event more likely to occur, whereas KPIs are typically historically focused and tied to a balanced scorecard.
In SAP BusinessObjects Risk Management 3.0, KRIs are tied to automated data connectors, obtaining data from various sources and combining them into business rules that define escalation criteria. If certain thresholds configured in these business rules are violated, the application automatically triggers actions such as raising alerts, sending notifications to risk owners, or initiating a risk reassessment. SAP BusinessObjects Risk Management 3.0 supports three different connector types:
- SAP queries retrieve data directly from various systems based on SAP NetWeaver (back to release 4.6C)
- SAP NetWeaver Business Warehouse (SAP NetWeaver BW) queries retrieve data available in SAP NetWeaver BW
- Web services retrieve data from any Web service compliant with the provided service definition given as Web service description language (WSDL) information
For example, you can use KRIs to obtain a liquidity forecast, monitor overdue payments, evaluate credit limit use of your customers, or count safety near-misses in your work environment. The implementation of KRIs in SAP BusinessObjects Risk Management involves the following steps:
- SAP query, SAP NetWeaver BW query, and Web service implementation. This task is usually performed by developers or SAP NetWeaver BW experts, so I won’t go into more detail about it.
- KRI templates
- KRI implementations
- KRI instantiation within a risk context
- KRI localization (optional)
- Business rules configuration
KRI Templates
A KRI template is a high-level definition of a KRI in business terms before IT has identified the right system, query or Web service, connection data, and required parameters to perform an implementation. All KRIs are associated with a KRI template and you can attach one or multiple KRI templates to a risk category during risk planning and master data setup. This limits the available choices of a risk owner who wants to create a KRI instance for a risk, because the risk owner only sees KRIs from KRI templates that were attached to the risk category to which the risk belongs.
You create KRI templates in SAP BusinessObjects Risk Management by following the menu path GRC Risk Management > Risk Monitoring > Key Risk Indicator Template. Click the Create button in the KRI Template Catalog and provide a name and description for the KRI template (Figure 1). Enter a validity period and select a value type from the available choices: Number, Currency, or Quantity. Then choose a system from the drop-down list (Figure 2). You can maintain this drop-down list by following IMG menu path GRC Risk Management > Key Risk Indicators > Maintain Systems (Figure 3).

Figure 1
Create a KRI template

Figure 2
Example of a KRI template for environmental, health, and safety KRIs

Figure 3
IMG customizing activity Maintain Systems
The systems defined here do not contain any connection parameters, but represent a business description for informational purposes. Once you enter the system, the Business Process field is ready for input. Select business processes from the available choices for the selected system. You can maintain the available business processes in each system by following IMG menu path GRC Risk Management > Key Risk Indicators > Maintain Business Processes (Figure 4).

Figure 4
IMG customizing activity Maintain Business Processes
Again, once you select the business process, the Component field is ready for input and you can select a component of the previously selected business process. You can define these components via IMG menu path GRC Risk Management > Key Risk Indicators > Maintain Components (Figure 5). Business process and component selection serves only as a logical categorization of KRI templates in business terms.

Figure 5
IMG customizing activity Maintain Components
KRI Implementations
Each KRI template can include several different KRI implementations retrieving data from different system connectors and queries or Web services. In this sense, a KRI template also serves as a grouping of similar KRI implementations. Existing KRI implementations to a selected KRI template are listed in the Implementations view in the Implementations tab (Figure 6).

Figure 6
The Implementations view in the Implementations tab lists all KRI implementations for the selected KRI template
You can request new KRI implementations from the same tab by selecting the Requests view and clicking the Create button (Figure 7). This sends a work item into the inbox of the holder of the application role that is configured in the security model of the application to receive workflow items that correspond to the business event KRI Liaison. Usually it is the role named SAP_GRC_RM_API_LIAISON, or a copy of it. For more information, refer to the SAP BusinessObjects Risk Management 3.0 Security Guide available in SAP Service Marketplace, SAP Note 1362997, or to my earlier article on risk planning. The recipient opens the KRI Implementation Request work item in his inbox and clicks the Create button to create a new KRI implementation. Alternatively and without workflow, you can also directly create a KRI implementation from the screen shown in Figure 6 or in the KRI implementation catalog by following the menu path GRC Risk Management > Risk Monitoring > Key Risk Indicator Implementation.

Figure 7
Create a KRI implementation request out of the Requests view in the Implementations tab of the selected KRI template
As a prerequisite, KRI implementations require some IMG customizing settings. You need to create the required system connectors by following the menu path GRC Risk Management > Key Risk Indicators > Connectivity > Maintain Connectors. Register the required SAP queries, SAP NetWeaver BW queries, and Web services by executing the customizing activities named Maintain Scripts for SAP Query, BW Query, or Web Service. These activities let you register the queries and Web services under a new, less technical name that is more tailored to SAP BusinessObjects Risk Management business users.
To create a new KRI implementation, provide a name and description, ensure a KRI template is assigned to it, and select values for Connector Type, Connector, and Script from the drop-down lists (Figure 8).

Figure 8
Example KRI implementation for KRI template EH&S KRIs
You can click the Test Connector and Test Script buttons to test the selected connector and script, respectively, to ensure that the connector has been configured correctly. In the Implementation Details tab, you can define selection criteria for the data retrieval and define the output of the KRI implementation in further detail (Figure 9). In the Value Column field, select the column to be used from the query response. In the Aggregation Function field, select how to aggregate the values from the Value Column field to compute the resulting KRI value. Possible choices are Arithmetic Average, Number of Values, First Value, Last Value, Maximum, Median, Minimum, Standard Deviation, Sum, and Variance. In the Currency/UoM Column field, the currency or unit of measure to be used for the value column you selected is displayed. Depending on the template type, this field is prefilled. You cannot make any entry here.

Figure 9
Implementation Detail tab containing the output value setup and the selection table
KRI Instances
KRI instances relate KRI implementations to a specific risk. Risk owners create a KRI instance for a risk by following menu path GRC Risk Management > Risk Assessment > Risk and Opportunity Management and clicking the Create button in the Key Risk Indicator tab (Figure 10). It is possible to create multiple KRI instances from the same or from different KRI implementations or KRI templates for a selected risk. To create a new KRI instance, you need to provide (Figure 11):
- KRI Instance Name
- KRI Implementation: Once the selection is made, the system copies the entries from the selection table of the KRI implementation to the selection table of the KRI instance
- Description (optional)
- Monitor Frequency: Select the frequency at which you want the KRI to retrieve data from the source system, such as Weekly, Daily, Monthly, Quarterly, or Yearly
- Data Time Frame: Select the time frame, for example Year 2010
- Next Execution Date and Last Execution Date: Select the execution dates for monitoring
- Historical Review Required: Click Yes if you want to keep the previous KRI values in the database. Once the KRI monitoring is running, you can access the historical data in tabular and graphical form by clicking the Show History button shown in Figure 10.

Figure 10
Create a KRI instance for a selected risk

Figure 11
Enter information for a new KRI instance
In the Selection Table section, risk owners can add additional filters to localize the data retrieval with respect to the risk context. Alternatively, they can send a request for KRI localization by clicking the KRI Localization button shown in Figure 11 and submitting a note entered in the Notes frame. As with KRI implementation requests, the work item is sent to the inbox of the holders of the SAP_GRC_RM_API_LIAISON role for the affected organization unit. Finally, they can test the KRI instance by clicking the Test Instance button at the bottom of the screen shown in Figure 11.
KRI Localization
KRI localization is an optional step and is only required if the selection table in a given KRI instance requires additional filters (e.g., country, plant, and market) to reflect the risk context. When the risk owner sends a KRI localization request, the status of the KRI instance changes from Instantiated to Localization Requested. The recipient can send the request back to the requester if additional information is needed. This changes the status to Requestor Action. Once the recipient has completed the localization, the status changes to Localization Performed and the work item is sent back to the requester for confirmation. Upon confirmation, the status changes to Localized.
Business Rules
KRI instances — localized or non-localized — collect data from source systems, but do not yet contain the criteria and thresholds to raise the flag to risk owners and trigger follow-up actions. The configuration of business rules closes this last gap. Business rules describe the constraints that apply for an organization to operate normally. If business rules are violated, the risk is increasing and actions must be taken. Business rules can use multiple KRI instances defined for a selected risk, combine the resulting KRI values from the monitoring runs in mathematical expressions, define thresholds for them, and select the actions to be taken if violated. You can select from the following actions:
- Flag risk: A yellow lightning symbol appears on the Key Risk Indicators tab of the affected risk. Click the Reset KRI Violation Status button on the bottom of the screen to reset this symbol (Figure 12)
- Send notification: An email notification is sent to the risk owner
- Assessment required: A risk assessment workflow is triggered

Figure 12
Example of a flagged risk with multiple KRI instances and business rules
It is also possible to create multiple business rules for a selected risk as shown in Figure 12. This way you can define multiple escalation levels, with each triggering a different action.
Create a new business rule by clicking the Create button in the Business Rules section in the Key Risk Indicators tab of the selected risk. This opens the Business Rules Details screen shown in Figure 13. Provide a name and description for the business rule. In the Mapping area, select KRI Instances from the risk you want to use for the business rule.

Figure 13
Create a business rule based on two KRI instances
For each selected KRI instance, the application generates a variable and lists it in the Variables area. You can overwrite the aggregation functions selected in the KRI implementations. In the box below the Variables area, you can combine the generated variables into a mathematical expression and define a threshold for it. Use the respective buttons to check the syntax and test the rule with the values for testing that you entered. The business rules are generated as business rules framework plus (BRF+) rules, which are part of the SAP NetWeaver platform. BRF+ is an application-independent framework to compute result values from a number of input values representing a business context. The BRF+ Workbench button provides access to this framework. The BRF+ Workbench is only needed if more complex expressions are required to build a business rule. At the bottom of the screen, select one or multiple actions to be triggered if the business rule is violated. When ready, ensure that the business rule is set to Active.
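The rule logic described above can be modeled outside the application to sanity-check thresholds before activating a rule. The following is an added example, not SAP or BRF+ code: the function names, the variables V1 and V2, the sample rows, and the thresholds are constructed for illustration, and the rule expression is parsed with a whitelist instead of eval() because it is user-entered text.

```python
import ast
import operator
import statistics

# Aggregation functions offered in the Aggregation Function field.
# Assumption: Standard Deviation and Variance are the sample statistics.
AGGREGATIONS = {
    "Arithmetic Average": statistics.mean, "Number of Values": len,
    "First Value": lambda v: v[0], "Last Value": lambda v: v[-1],
    "Maximum": max, "Median": statistics.median, "Minimum": min,
    "Standard Deviation": statistics.stdev, "Sum": sum,
    "Variance": statistics.variance,
}
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMPOPS = {ast.Gt: operator.gt, ast.GtE: operator.ge,
           ast.Lt: operator.lt, ast.LtE: operator.le}

def evaluate(expr, variables):
    """Evaluate arithmetic plus one comparison over KRI variables, without eval()."""
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name):
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMPOPS):
            return _CMPOPS[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        raise ValueError("unsupported syntax in rule: " + type(node).__name__)
    return walk(ast.parse(expr, mode="eval").body)

def run_rules(kri_rows, mappings, rules):
    """Aggregate each mapped KRI instance, then return variables and violated rules."""
    variables = {var: AGGREGATIONS[agg](kri_rows[inst])
                 for var, (inst, agg) in mappings.items()}
    violated = {name: actions for name, condition, actions, active in rules
                if active and evaluate(condition, variables)}
    return variables, violated

# Constructed sample data: value-column rows returned by two KRI instances.
KRI_ROWS = {"Near misses per week": [2, 3, 1, 6],
            "Hours worked per week": [4000, 4100, 3900, 4000]}
# One generated variable per KRI instance, with its aggregation function.
MAPPINGS = {"V1": ("Near misses per week", "Sum"),
            "V2": ("Hours worked per week", "Sum")}
# Two escalation levels plus an inactive rule (name, condition, actions, active).
RULES = [
    ("Warning", "V1 / V2 * 1000 > 0.5", ["Flag risk", "Send notification"], True),
    ("Escalation", "V1 / V2 * 1000 > 1.0", ["Assessment required"], True),
    ("Draft", "V1 > 0", ["Flag risk"], False),
]

if __name__ == "__main__":
    variables, violated = run_rules(KRI_ROWS, MAPPINGS, RULES)
    print(variables)
    print(violated)
```

Changing the aggregation in MAPPINGS mirrors overwriting the aggregation function in the Variables area; with Maximum and Minimum instead of Sum, the same rows also violate the Escalation rule.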
Support Decision Making with Actionable Risk Reports
SAP BusinessObjects Risk Management comes with a set of SAP Crystal Reports and dashboards accessible following menu path GRC Risk Management > Reporting and Dashboards, providing answers to typical management questions:
- What are the top risks? The Top Risks report lists the top risks for a selected period, year, organization, risk category, or business activity (Figure 14).

Figure 14
Top Risks report pre-delivered as an SAP Crystal Report
- What is the overall risk profile? The Risk Heatmap dashboard summarizes total and expected losses of inherent and residual risks, the number of risks per risk level in a color-coded risk heatmap, and the top risks for a selected organization unit, data time frame, and year (Figure 15). The Risk Heatmap allows for drill-down navigation into the risk details.

Figure 15
The Risk Heatmap summarizes total and expected losses
- What are the top risks to the organization’s strategic objectives? The Risks per Objectives report lists the risks by objective for a selected organization, risk category, period, and year. The report is useful for identifying the strategic objectives that are most at risk and the risks threatening them.
- What are the key sources of risk? The Risk per Risk Category report lists risks by category, period, and year for a selected organization, and helps identify the types of risks that are threatening your business most.
- Where are concentrations of risk? The Risk per Organizational Unit and Risks per Activity Category reports help localize organization units and business activities that are exposed to high risk or many different risks at the same time.
- In which ways would risk events affect the business? The Risk Impact Details report displays inherent and residual losses by impact category (Figure 16).

Figure 16
Risk Impact Details shows inherent and residual losses
- What is the business doing about the risks, and what are the costs? The Risk Mitigation report lists all risk responses per risk for a selected period, year, organization, risk category, and business activity. It also lists their implementation costs and their percentage completion and effectiveness.
- Which KRIs have we implemented as early warnings? The KRI for Risk report lists KRI details, including their current values by risk (Figure 17).

Figure 17
KRI details
- Which risk events have occurred and what are the losses? The Risk Incident Overview report displays incidents and losses by organization, risk, and impact category (Figure 18). It only displays incidents and losses you recorded in the ILDB as explained in the next section.

Figure 18
The risk incident overview displays incidents and losses by impact category
Record Risk Incidents and Losses as Lessons Learned
Risk events can occur and turn into incidents that lead to losses. SAP BusinessObjects Risk Management comes with the ILDB designed as a lessons-learned repository with the intention to better predict risk exposure and anticipate losses. The risk experience contained in the ILDB helps monitor and mitigate risks and over time may adjust risk practices where needed. Incidents are created by following menu path GRC Risk Management > Risk Assessment > Incident Management, or directly in the Incidents tab of a particular risk.
You can capture incidents and losses based on specific classifications such as impact categories and incident attributes and link them to one or multiple risks (Figure 19). You maintain incident attributes by following IMG menu path GRC Risk Management > Incident and Loss Database > Maintain Incident and Loss Attributes.

Figure 19
Incident creation in the ILDB
You can also allow employees to record incidents through an employee self-service. This is done through the simplified ad hoc task Report Incident available by following menu path GRC Risk Management > My Home > Ad-hoc tasks (Figure 20). You can also copy the URL of this task and add it to your corporate portal if you want to keep SAP BusinessObjects Risk Management transparent to your employees. Either way, when you submit the incidents, an incident validation workflow is triggered and a work item to validate the incident is sent to the inbox of the incident validator. The validator is identified by the agent determination according to the security model of the application. The validator reviews the incident and approves or rejects it, or sends it back for rework.

Figure 20
Report incident as employee self-service
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.