GRC340 BusinessObjects Risk Management SAP Business Objects - Business Intelligence Date Training Center Instructors Education Website Instructor Handbook Course Version: 93 Course Duration: 3 Day(s) Material Number: 50098333 Owner: [First name] [Last name] ([Employee ID]) An SAP Compass course - use it to learn, reference it for work

Grc340 en Col93 Fv Inst a4

Apr 14, 2015


Dmitry Laptev


Copyright

Copyright © 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks

• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.

• ORACLE® is a registered trademark of ORACLE Corporation.

• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic Server™ are registered trademarks of Informix Software Incorporated.

• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

• JAVA® is a registered trademark of Sun Microsystems, Inc.

• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer

THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.


About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description

Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal and external.

Example text: Emphasized words or phrases in body text, titles of graphics, and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.

Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

Icons in Body Text
The following icons are used in this handbook.

Icon Meaning

For more information, tips, or background

Note or further explanation of previous point

Exception or caution

Procedures

Indicates that the item is displayed in the instructor’s presentation.

Contents

Course Overview
  Course Goals
  Course Objectives

Unit 1: Introduction to Risk Management
  Risk and Business Environment
  Risk Management Process Overview

Unit 2: Risk Planning
  Master Data
  Organization Hierarchy and Views
  Objective Hierarchy
  Activity Hierarchy
  Risk and Opportunity Classification

Unit 3: Risk Identification
  Activity Management
  Risk/Opportunity Creation

Unit 4: Risk Analysis
  Surveys
  Risk Analysis
  Risk Grouping
  Risk Inter-Relationships
  What-If Scenario
  Monte-Carlo Analysis
  Risk Validation

Unit 5: Risk Response
  Responses and Enhancement Plans
  Response Assignment
  Creating a new Response in a risk
  Residual Risk Analysis (current)
  Assign a Control to a Risk
  Control Proposal

Unit 6: Key Risk Indicators
  Introduction to Key Risk Indicators
  KRI Design
  KRI Template Creation
  KRI Implementation
  KRI Instantiation
  KRI Localization
  KRI Business Rules

Unit 7: Risk Monitoring
  Planner

Unit 8: My Home
  Work Inbox
  Ad Hoc Tasks
  Reports and Analytics
  Document Search

Unit 9: Roles and Authorizations
  Roles and Authorizations

Course Overview
This course will discuss the functionality of SAP BusinessObjects Risk Management. We will discuss what risks and opportunities are in a business environment, the different types of responses for risks as well as Key Risk Indicators and how they are used. This course will also explain the master data that is used in SAP BusinessObjects Risk Management and how they relate to each other.

Target Audience
This course is intended for the following audiences:

• [Enter target audience.]

Course Prerequisites
Required Knowledge

• Understanding of risks and opportunities in a business environment

Course Duration Details

Unit 1: Introduction to Risk Management
  Risk and Business Environment 30 Minutes
  Risk Management Process Overview 30 Minutes

Unit 2: Risk Planning
  Master Data 15 Minutes
  Exercise 1: High Level System Overview 15 Minutes
  Organization Hierarchy and Views 15 Minutes
  Exercise 2: Create an Organization Unit 15 Minutes
  Objective Hierarchy 15 Minutes
  Exercise 3: Create an Objective 15 Minutes
  Activity Hierarchy 15 Minutes
  Exercise 4: Create an Activity Category 15 Minutes
  Risk and Opportunity Classification 15 Minutes
  Exercise 5: Create a Risk 15 Minutes

Unit 3: Risk Identification
  Activity Management 15 Minutes
  Exercise 6: Create an Activity 15 Minutes
  Risk/Opportunity Creation 15 Minutes
  Exercise 7: Create a Risk 15 Minutes

Unit 4: Risk Analysis
  Surveys 15 Minutes
  Exercise 8: Create a Risk Survey 30 Minutes
  Risk Analysis 30 Minutes
  Exercise 9: Create an Inherent Risk Analysis 30 Minutes
  Risk Grouping 20 Minutes
  Exercise 10: Risk Grouping 15 Minutes
  Risk Inter-Relationships 20 Minutes
  Exercise 11: Risk Inter-Relationships 15 Minutes
  What-If Scenario 15 Minutes
  Exercise 12: What-If Scenario 30 Minutes
  Monte-Carlo Analysis 30 Minutes
  Exercise 13: Monte Carlo Analysis 15 Minutes
  Risk Validation 15 Minutes
  Exercise 14: Risk Validation 15 Minutes

Unit 5: Risk Response
  Responses and Enhancement Plans 15 Minutes
  Exercise 15: Create a Risk Response 15 Minutes
  Response Assignment 15 Minutes
  Exercise 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis 15 Minutes
  Creating a new Response in a risk 15 Minutes
  Exercise 17: Create a Risk Response 15 Minutes
  Residual Risk Analysis (current) 15 Minutes
  Exercise 18: Perform Residual Risk Analysis (current) 15 Minutes
  Assign a Control to a Risk 10 Minutes
  Exercise 19: Assign a Control to a Risk 30 Minutes
  Control Proposal 10 Minutes
  Exercise 20: Control Proposal 15 Minutes

Unit 6: Key Risk Indicators
  Introduction to Key Risk Indicators 15 Minutes
  KRI Design 15 Minutes
  KRI Template Creation 15 Minutes
  Exercise 21: Create a KRI Template 15 Minutes
  KRI Implementation 15 Minutes
  Exercise 22: Implement a KRI 15 Minutes
  KRI Instantiation 15 Minutes
  Exercise 23: Add a KRI to a Risk 15 Minutes
  KRI Localization 15 Minutes
  Exercise 24: Localize a KRI 15 Minutes
  KRI Business Rules 15 Minutes
  Exercise 25: Configure a KRI Business Rule 15 Minutes

Unit 7: Risk Monitoring
  Planner 30 Minutes
  Exercise 26: Create a Plan 15 Minutes

Unit 8: My Home
  Work Inbox 10 Minutes
  Ad Hoc Tasks 5 Minutes
  Exercise 27: Propose a Risk 5 Minutes
  Exercise 28: Report an Incident 5 Minutes
  Reports and Analytics 5 Minutes
  Exercise 29: Run a Report 5 Minutes
  Exercise 30: View a Dashboard 15 Minutes
  Document Search 5 Minutes

Unit 9: Roles and Authorizations
  Roles and Authorizations 15 Minutes

Course Goals
This course will prepare you to:

• Identify risks and opportunities
• Run the various types of risk analysis
• Add responses to risks
• Understand Key Risk Indicators and how they are used in SAP BusinessObjects Risk Management

Course Objectives
After completing this course, you will be able to:

• Identify risks and opportunities in a business environment
• Run the various types of risk analysis
• Add responses to risks
• Show what a Key Risk Indicator is and how SAP BusinessObjects Risk Management uses them.

INSTRUCTOR INFORMATION
This template describes all recommended information which should be in an instructor guide or instructor handbook for SAP courses to ensure a good quality standard of instructor information. The information is essential to minimize the need for support by the global training support especially before training.

RECOMMENDED INFORMATION

Hints on preparing this course

Remember to check for additional information which was published after the course material was finally released. For the latest information or course updates, see the additional Instructor Guide/System Setup Guide or Trouble Shooting Guide on SAP Service Marketplace. You will find most of them under the alias /curr-info: http://service.sap.com/curr-info.

Other aliases are also possible (e.g. /curr-adm; /curr-ep). You will normally find the current alias in the Instructor Guide.

Training System Availability

Your training system will be available and accessible on Sunday evening (CET time zone) of the week the training takes place. Do not use the system or prepare your course before that time. The system can still be in use by another course or in the refresh procedures of the IT preparation for your course! If you need a test/prep. system before your course takes place, see details under paragraph Test-/Prep. System.

Test- / Prep. System

Either:

not applicable

There are test/prep. systems available for most of the SAP courses. You will find the necessary information on http://service.sap.com/curr-info. In case you cannot access this site, please ask the responsible Education coordinator (the one who sent you this guide) to make the relevant information available to you.

Or:

If no test/prep. system exists for the course, but testing or preparation is essential, the responsible Education department can order such a system – this should ideally be done at least one week before the training. Please note that test/prep. systems must not be used for training without the permission of KPS. An access violation fee will be charged in these cases.

Required System Landscape

SAP BusinessObjects Risk Management 3.0 Support Pack 5. System landscape consists of ABAP and Portal.

Using Training WTS Farm

Nearly all SAP courses are designed to be taught via SAP Training Window Terminal Service Server Farms (= WTS-Farms) to enable also trainings on customer site (so called Onsite-Training). If restrictions of the course don’t mention another WTS Farm or the usage of the local PC front end, always use the Common Training WTS farm for your training. Use SAP software on local PC front end only in SAP owned training centers with good network bandwidth connections. The usage of SAP software on local PC front end restricts the training support to the local IT support. The global training support can only support trainings via Training WTS farms.

• Training at SAP Training Centers/Internal SAP Training

The internal connectivity to the training WTS farms can only be used inside of SAP network infrastructure.

To connect to the training WTS farm use http://wts.wdf.sap.corp:1080. Choose a region (AMERICAS, EMEA or APJ). Select the Training-Zone menu. Connect to Common Training, if no other WTS farm is named for the training.

• Customer Onsite Training / Third Party Training Center

Customer Onsite training can only connect to SAP training WTS farm via the SAP Citrix Secure Gateway (SAP CSG). Therefore you need a CSG-User ID. The User ID has to be already created by the education department for the time of the training. The data (User ID and password) are delivered to you by the education department. Trainer and participants use the same dedicated CSG-User-ID and password for the training.

To connect to the training WTS farm use http://mywts.sap.com. Choose a region (AMERICAS, EMEA or APJ).

Enter the CSG-User ID and password and log on. Select the Training icon. Connect to Common Training, if no other WTS farm is named for the training.

User ID and Passwords for the Course

• Training with existing User IDs in the master system:

GRC340-00 through GRC340-20 with the password initial1. The instructor will use the GRC340-00 ID; the password is initial1 in the Portal as well as in ABAP. The participants will only log on to the Portal and not to ABAP.

Additional preparation in the system

CATTs/eCATTS:

not applicable

a) Automatic CATTs/eCATTs not applicable

b) Training CATTs/eCATTs not applicable.

Switching ON/OFF table locking in SAP systems:

not applicable

Example ABAPs:


not applicable

Technical Hints

[Further technical hints like shared folder for participants files, additional trainer information or special software usage during the training or additional course preparations on the training WTS farm like initialize course scripts should be mentioned here.]

Unit 1: Introduction to Risk Management

Unit Overview
This unit will introduce you to risk management, and provide an overview of the typical process to identify, analyze, treat and monitor risk.

Unit Objectives
After completing this unit, you will be able to:

• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management
• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps

Unit Contents
Lesson: Risk and Business Environment
Lesson: Risk Management Process Overview

Lesson: Risk and Business Environment
Lesson Duration: 30 Minutes

Lesson Overview
This lesson will help you answer the question “why do organizations need to manage risk?”

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
CRG Global Enterprise is a conglomerate with global operations. Nancy – the Director of ERM for CRG – has been asked to give a high-level overview of CRG’s Enterprise Risk Management Program (ERM) to the senior management committee. The CFO would like Nancy to explain how risk can influence CRG’s performance, and explain how the ERM program differs from traditional risk management.

Governance Risk and Compliance (GRC) – The Big Picture

Figure 1: The Big Picture

Organizations set objectives that define what needs to be achieved. Typical objectives for companies include revenue, customer satisfaction, operational effectiveness, and cost.

A business model defines the organization’s strategic, financial, regulatory, and operational processes / products / services and the associated performance objectives that must be undertaken in order to achieve the objectives.

Organizations must operate within defined boundaries. The mandated boundary represents regulatory/legal requirements that are imposed on the organization (such as SOX compliance, employment standards, etc). The voluntary boundary is set by management such as public commitments or organizational values.

Obstacles may prevent the achievement of the objectives. It is these obstacles that are the focus of risk management.

The Problem Today

Figure 2: The Problem Today

Here are the typical challenges that organizations face. In general, there is a lack of transparency and no support for decision making.

Risk Managers are typically responsible for ensuring that a consistent risk management process is followed throughout the organization. However, the risks are “owned” by the lines of business. As a result, risk managers constantly struggle with tracking the progress of responding to risks.

The Lines of Business typically don’t think about risks per se, but more about meeting their performance objectives. They tend to receive several surveys or assessment requests from different groups that ask similar questions (i.e. Risk Management, Audit, IT Security, Business Continuity, etc.). Typically, the business units come up with good solutions to address the risks they know about, but only the risks they know about. They have absolutely no visibility into risks outside of their silo that could negatively affect them. Risk mitigation efforts that are successful are often one-offs, and are typically never reapplied to other regions or similar business units.

Executives and Directors are mainly concerned with market expectations and delivering the strategy. Risks are often not specifically addressed during management meetings. As a result, executives are left not knowing if any negative surprises will keep them from meeting their projections until it is too late.

The effect of this fragmented, disjointed approach to risk management is that risks slip through the cracks and turn into losses. A 2005 study by Deloitte showed that the effects can be dramatic as shown in Figure 3:

• Nearly 1/2 of Fortune 1000 companies lost more than 20% of their stock value in a 1 month period during the last decade.

• 1/2 of the companies required more than a year to regain the lost value; 22% never recovered.

What’s driving these losses? Often, it’s when multiple risks turn into loss events at the same time. For example, losses result when a new competitor enters the market at the same time that your supplier can’t deliver on time.

It’s important to get an enterprise-wide view of your risks and understand the relationships among them. To protect the value of their brands, organizations need to develop the ability to “see around corners”. A McKinsey study showed that tangible, focused activities are effective at protecting the brand. Developing a proactive risk management strategy and implementing strong preventive controls against “hot issues” like data privacy leaks, consumer privacy leaks, environmental accidents, and financial fraud is an effective approach. These programs, in conjunction with social and economic development initiatives, also ultimately help to build up the corporate profile and reputation.

An Enterprise View of Risks
An organization’s uncoordinated, and sometimes conflicting, approaches to managing risk can lead to the management team ignoring some risks while spending too much time managing others. The result: management does not have a complete picture of the risks it faces, thereby increasing the likelihood that the organization will be surprised by events that, in retrospect, could have been predictable.

Enterprise Risk Management (ERM) provides an integrated or holistic approach to understand and manage all of the risks that an organization faces. Its primary purpose is to improve the quality of decision-making. It provides management with the visibility to recognize the interdependency of risks, thereby decreasing the likelihood that the organization would be surprised by events that, in retrospect, could have been predictable.

Figure 3: Scope of Enterprise Risks

Organizations face many types of risks. These risks include:

• Strategic risks that involve an organization’s direction. Is the organization’s current course and ability to adapt to market changes correct, or does it need to be changed to keep from stagnating or collapsing? Strategic risks include an organization’s overall objectives, the assumptions that underlie those objectives, as well as the constraints the organization faces.

• Financial risks that involve the allocation of resources, including an organization’s financial investments. For instance, are financial resources allocated so they create the best return for an organization’s shareholders?

• Regulatory risks that involve an organization’s compliance with corporate sustainability, trade, financial reporting, and other legal and regulatory requirements.

• Operational risks that involve the people, processes and technology that are needed to carry out an organization’s strategic objectives. These risks would include how well information technology systems function or the effectiveness of information security to protect confidential data.

Managing Risk as a System

Figure 4: Managing Risk as a System

ERM approaches risk on an enterprise-wide basis, embedding awareness and information about risks into daily management and operational activities. In short, ERM manages risk “as a system”.

The benefits of this approach include:

• Managing risks as a system will help an organization improve its situational awareness, which in turn will allow it to respond to risks more pro-actively and lead to fewer surprises.

• An organization will also have a better chance to achieve its strategic goals if it understands the underlying causes of potential failure.

• It will be able to create better value from resources by eliminating the need to respond to unexpected crises. This will give an organization more time to pursue other (value creating) work.

For ERM to work and to be effective:

• An organization will need to define and communicate its tolerance for risk (specifically the willingness to incur a loss in pursuit of its business objectives). Without a definition, managers will not know which risks are too large and which are too small to address.

• Information about risks must flow seamlessly and blamelessly across an organization to the management teams. Risk information has sometimes been perceived to be bad news instead of a call for action, which likely has caused some managers to filter or hide information.

• An organization’s managers and employees must value risk information, which typically requires a cultural mind-set for change so a healthy risk communication culture can take hold, ERM practitioners say.

• In addition, responsibility for risks should be assigned to those managers who can best oversee them. Risk without responsibility is a recipe for organizational disaster.

Facilitated Discussion
After completing this discussion, you will be able to:

• Explain how risks are typically addressed in organizations
• Describe the extent of executive support for risk management
• Explain how risk policies are used
• List the methodologies used in organizations

Business Example
CRG Global Enterprises is a conglomerate with global operations. Nancy – the Director of ERM for CRG – has been asked to give a high-level overview of CRG’s Enterprise Risk Management Program (ERM) to the senior management committee. The CFO would like Nancy to explain how risk can influence CRG’s performance, and explain how the ERM program differs from traditional risk management.

Discussion Questions
Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions.

1. How are risks addressed in your organization (for compliance reasons only)?
2. Is there strong executive support for risk management?
3. What is the risk culture?
4. Is there a risk policy?
5. Is staff dedicated to risk management?
6. Do you have a standard risk management methodology?
7. Can you provide an example where a problem could have been managed as a risk? What was the impact of the problem on the organization’s performance?

Lesson Summary

You should now be able to:

• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management


Lesson: Risk Management Process Overview
Lesson Duration: 30 Minutes

Lesson Overview
This lesson will introduce the basic risk management process.

Lesson Objectives
After completing this lesson, you will be able to:

• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Pete – the General Manager for CRG Global International – asked Nancy – the Director of ERM for CRG – to meet with his team to explain the ERM process steps. Pete wants to ensure that his team incorporates the process steps as part of its day-to-day operations.

What is Risk?
Risk is any event that may result in a significant deviation from a planned objective, resulting in an unwanted, negative consequence. The planned objective could be any aspect of an organization’s strategic, financial, regulatory, and operational processes / products / services.

The degree of risk associated with an event is determined by the likelihood (uncertainty, probability) of the event occurring, the consequences (impact) if the event were to occur, and its timing.


Figure 5: Risk Management Process

Most risk management processes are aimed at answering the following key questions:

1. What business activities need to be reviewed and how should we proceed? (Risk Planning)
2. What events could prevent us from achieving our business objectives, and how significant are they? (Risk Identification and Analysis)
3. How should we respond to the most critical risks? (Risk Response)
4. Are our response actions effective? If not, what else needs to be done? (Risk Monitoring)

Risk Planning

Objectives

Define the basic parameters within which risks are to be managed

For example, business activities to be assessed, risk threshold levels, risk management participants

Key Activities


Establish the external context

• This step defines the external environment in which the organization operates. It also defines the relationship between the organization and its external environment.
• This may include, for example:

  – The business, social, regulatory, cultural, competitive, financial, and political environment
  – The organization’s strengths, weaknesses, opportunities, and threats
  – External stakeholders
  – Key business drivers

Establish the internal context

• Before a risk management activity is commenced, at any level, it is necessary to understand the organization. Key areas include:

  – Culture
  – Internal stakeholders
  – Structure
  – Capabilities in terms of resources such as people, systems, processes, capital

Establish the risk management context

• The goals, objectives, strategies, scope, and parameters of the activity or part of the organization to which the risk management process is being applied should be established. Setting the scope and boundaries of an application of risk management involves:

  – Defining the organization, process, project, or activity and establishing its goals and objectives
  – Specifying the nature of the decisions that must be made
  – Defining the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions

Develop risk criteria

• Decide the criteria against which risk is to be evaluated. These often depend on an organization’s internal policies, goals and objectives and the interests of stakeholders.
• Define the structure for the rest of the process
• This involves subdividing the activity, process, project into a set of elements or steps in order to provide a logical framework that helps ensure significant risks are not overlooked (e.g. a project work breakdown structure; or a process map)


Risk Identification
Comprehensive identification using a well-structured systematic process is critical, because a risk not identified at this stage may be excluded from further analysis. Identification should include risks whether or not they are under the control of the organization.

Objectives

• Identify the risks to be managed.

Key Activities

• What can happen, where and when?

  – Generate a comprehensive list of sources of risk events that might have an impact on the achievements of each of the objectives identified in the context. These events might prevent, degrade, delay, or enhance the achievement of those objectives.
  – Approaches used to identify risks include checklists, judgements based on experience, and records, flow charts, brainstorming, systems analysis, scenario analysis, and systems engineering techniques.

• Why and how it can happen?

  – Having identified what might happen, it is necessary to consider possible causes and impacts. There are many ways an event can occur. It is important that no significant causes are omitted.

Risk Analysis
Risk analysis involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences may occur. Factors that affect consequences and likelihood may be identified. Risk is analyzed by combining consequences and their likelihood. In most circumstances existing controls are taken into account. A preliminary analysis can be carried out so that similar risks are combined or low-impact risks are excluded from detailed study. Where possible, excluded risks should be listed to demonstrate the completeness of the risk analysis. Where appropriate, the confidence placed on estimates of levels of risk should be included. Assumptions made in the analysis should be clearly stated.

Objectives

• Develop an understanding of the risk


Key Activities

• Evaluate the completeness and effectiveness of existing response/controls
• Process control completeness and effectiveness
• Evaluate likelihood and consequences
• Assess the likelihood of the event and magnitude of the associated consequences in the context of the effectiveness of the existing responses/controls
• An event may have multiple consequences and affect different objectives
• Likelihood and consequences are combined to produce a level of risk
• Techniques include:

  – Structured interviews with experts in the area of interest
  – Use of multi-disciplinary groups of experts
  – Individual evaluations using questionnaires
  – Use of models and simulations

Risk Response
The purpose of risk response is to make decisions based on the risk analysis about which risks need to be addressed, and the associated priorities. Risk response involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. The objectives of the organization and the extent of business objectives should be considered.

Where a choice is to be made between options, higher potential losses may be associated with higher potential gains and the appropriate choice will depend on an organization’s context. Decisions should take account of the wider context of the risk and include consideration of the tolerability of the risks borne by parties other than the organization that benefits from it.

In some circumstances, the risk evaluation may lead to a decision to undertake further analysis.


When identifying options for treating risks with negative outcomes, the options include:

• Reducing the risk by changing the likelihood of the risk, thereby reducing the likelihood of the negative outcomes.
• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk (where this is practicable). Risk avoidance can occur inappropriately if individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may increase the significance of other risks or may lead to the loss of opportunities for gain.
• Transferring (or sharing) the risk with another party. Mechanisms include the use of contracts, insurance arrangements, and organizational structures such as partnerships and joint ventures to spread responsibility and liability. Generally there is some financial cost or benefit associated with sharing part of the risk with another organization, such as the premium paid for insurance. Where risks are shared in whole or in part, the organization transferring the risk has acquired a new risk in that the organization to which the risk has been transferred may not manage the risk effectively.
• Accepting (or retaining) the risk. After risks have been changed or shared, there will be residual risks that are retained. Risks can also be retained by default, for example when there is a failure to identify, appropriately share, or otherwise treat risks.

Objectives

• Evaluate the analyzed risks
• Select risks (and opportunities) that should be “treated”

Key Activities

• Identifying options for treating risks with negative outcomes
• Identifying options for the treatment of risks with positive outcomes

  – Treatment options for risks having positive outcomes (opportunities) are not necessarily mutually exclusive or appropriate in all circumstances.

Risk Monitoring

Objectives

• Monitor the effectiveness and completeness of the response actions
• Take corrective action
• Communicate the status of the risks


Key Activities

• Implement response actions
• Report on response action status
• Analyze status information for trends and deviations
• Take actions as required to address status issues. Actions could include:

  – Re-plan the response actions
  – Close the risk
  – Invoke a contingency plan
  – Continue to monitor the risk
  – Prepare and distribute risk reports


Lesson Summary

You should now be able to:

• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps


Unit Summary
You should now be able to:

• Explain how risk can influence business performance
• List the various sources of risk
• Define Enterprise Risk Management
• List the benefits of Enterprise Risk Management
• Identify requirements for effective Enterprise Risk Management
• Define risk and list the determinants for the degree of risk
• Explain the risk management process steps


Test Your Knowledge

1. The degree of risk associated with an event is determined by the ______ of the event occurring, the ______ if the event were to occur, and its ______.
Fill in the blanks to complete the sentence.

2. ______ involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences may occur.
Fill in the blanks to complete the sentence.

3. The purpose of ______ is to make decisions based on the risk analysis about which risks need to be addressed, and the associated priorities.
Fill in the blanks to complete the sentence.

4. When identifying options for treating risks with negative outcomes, the options include:


Answers

1. The degree of risk associated with an event is determined by the probability of the event occurring, the impact if the event were to occur, and its timeframe.

Answer: probability, impact, timeframe

2. Risk Analysis involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences may occur.

Answer: Risk Analysis

3. The purpose of Risk Response is to make decisions based on the risk analysis about which risks need to be addressed, and the associated priorities.

Answer: Risk Response

4. When identifying options for treating risks with negative outcomes, the options include:

Answer:

1. Reducing
2. Avoiding
3. Transferring
4. Accepting


Unit 2: Risk Planning

Unit Overview
In this unit, you will learn about the master data used for risk management with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:

• Describe the types of master data used in SAP BusinessObjects Risk Management
• Navigate in the organization hierarchy
• Create and set up a new organization unit
• Share organization structure between organization views
• Navigate in the objective hierarchy
• Create and set up a new objective
• Navigate in the activity hierarchy
• Create and set up a new activity hierarchy
• Navigate in the risk and opportunity hierarchy
• Create and set up a new risk and opportunity category

Unit Contents

Lesson: Master Data
    Exercise 1: High Level System Overview
Lesson: Organization Hierarchy and Views
    Procedure: Creating an Organization Structure
    Procedure: Creating an Organization View
    Exercise 2: Create an Organization Unit
Lesson: Objective Hierarchy
    Procedure:
    Exercise 3: Create an Objective
Lesson: Activity Hierarchy
    Procedure: Creating an Activity Hierarchy
    Exercise 4: Create an Activity Category
Lesson: Risk and Opportunity Classification
    Procedure: Creating a Risk and Opportunity Classification Hierarchy
    Exercise 5: Create a Risk


Lesson: Master Data
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will introduce you to the types of master data used in SAP BusinessObjects Risk Management.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the types of master data used in SAP BusinessObjects Risk Management

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Enterprise risks are generally documented for organizational entities and business activities. Business activities can be different types - business processes, assets, projects, programs, etc. The organization and activity structures are hierarchical in nature. The key need is the ability to document enterprise risks and assign them to different nodes in organization and activity structure.

As part of the SAP BusinessObjects Risk Management implementation project, a Business Blueprint is typically prepared that documents the organization’s risk management requirements. The central risk management team sets up the master data elements (org hierarchy; org unit objectives; activity classification; and risk / opportunity category) based on the approved Business Blueprint. Changes to the master data are usually performed by the central team only.


Risk Management Data Model

Figure 6: Risk Management Data Model

The elements on the left hand side show the Master Data Catalog objects. The elements on the right hand side show examples of actual application data objects. The dotted lines between the Master Data Catalogs and the actual application data objects show the relationships between them.

The Organization Structure is a hierarchical structure of organizational units and is the main entry point for SAP BusinessObjects Risk Management. This defines how information will be aggregated and rolled up.

The Objective Hierarchy is a hierarchy of strategies and objectives. The main root node can have numerous strategies documented, and each strategy can have numerous objectives documented. The hierarchy always has two levels: strategies and objectives.

The Activity Hierarchy is used to define different types of business activities: processes, initiatives, projects, etc. These are shown as the root nodes. For each activity type, you can document a hierarchical activity structure.

The Risk and Opportunity Classification is a hierarchical structure to categorize risks and opportunities.


Organizational Structure
Organization master data is a standard SAP component used to capture the structure of a business. The organizations’ master data is set up during implementation or can be imported from other applications. The data in the organization structure may be changed a few times in a year.

There can be only one top node for the organizations catalog and the top node is defined in the Implementation Guide. A hierarchical structure can be defined under the top node. Each node in the structure is called an organizational unit.

Each organizational unit entry stores additional master data attributes and is the main entry point for SAP BusinessObjects Risk Management. Each organizational unit is headed by an Organizational Unit Manager.

Figure 7: Example Organization Structure

The setup of the organization structure is based on the customer’s requirements with various setups such as:

• Geographic (Americas, EMEA, APJ, and so on)
• Divisional (Investment Banking, Retail Banking, and so on)
• Functional (Corporate, Sales, Marketing, Operations, IT, and so on)

Objective Hierarchy
Organizations typically have several strategic initiatives with different objectives for each.

The Objective Hierarchy provides a framework for documenting the strategic initiatives and the objectives.


Figure 8: Example Objective Hierarchy

The Objective Hierarchy has a default root node with two levels defined below. The first level captures the strategic initiatives; the second level captures the objectives for each strategic initiative.

The objectives defined in the hierarchy can be shared with the organization units defined in the organization structure master data.

Activity Hierarchy
An activity is any risk-bearing activity such as a business process, a project, or a program. Activities provide an additional perspective for structuring risk information.

An Activity must be assigned to an Activity Category.

Figure 9: Example Activity Hierarchy


The Activity Hierarchy consists of activity Types and activity Categories. Activity Types can be:

• Business Processes, such as Operational, Financial, and Administrative processes within an enterprise;
• Projects, such as internal and customer projects;
• Initiatives; or
• Objectives, a generic type of activity such as Production Facility, Financial Planning and so on.

There are no limits in the number of levels and the number of Activity Categories. Each Activity Category entry stores additional master data attributes.

Risk and Opportunity Classification
Risks and Opportunities are the basic entities managed by SAP BusinessObjects Risk Management. Risks and opportunities are managed separately and are defined for Activities.

Risks and opportunities classification consists of Risk Categories and Opportunity Categories. All risks and opportunities must respectively be assigned to a Risk Category and an Opportunity Category. Risk and Opportunity Categories are both hierarchical structures.

Figure 10: Example Risk Classification

There are no limits in the number of levels and the number of Risk or Opportunity Categories.

Each Risk and Opportunity Category entry stores additional master data attributes.


Exercise 1: High Level System Overview
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:

• Locate the various master data items in the system

Business Example
Enterprise risks are generally documented for organizational entities and business activities. Business activities can be different types - business processes, assets, projects, programs, etc. The organizational and activity structures are hierarchical in nature. The key need is the ability to document enterprise risks and assign them to different nodes in organization and activity structure.

As part of the SAP BusinessObjects Risk Management implementation project, a Business Blueprint is typically prepared that documents the organization’s risk management requirements. The central risk management team sets up the master data elements (org hierarchy; org unit objectives; activity classification; and risk/opportunity categories) based on the approved Business Blueprint. Changes to the master data are usually performed by the central team only.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]


Task: Locate Master Data Items
The master data elements are located in the Risk Structure work center.

1. Choose GRC Risk Management → Risk Structure work center. What master data topics do you see?

2. Select Organizations. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.

3. Select Risk Classification. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.

4. Select Objectives Hierarchy. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton then close the popup window by clicking the ’X’ in the upper right-hand corner.


Solution 1: High Level System Overview

Task: Locate Master Data Items
The master data elements are located in the Risk Structure work center.

1. Choose GRC Risk Management → Risk Structure work center. What master data topics do you see?

Answer: Organizations; Risk Classification; Risk Structure Reports; Activity Hierarchy; Opportunity Classification; Objectives Hierarchy

2. Select Organizations. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.

Answer: General; Objective; Unit of Measure; Risk Appetite; Risk Thresholds; Assignments; Roles; Attachments & Links

3. Select Risk Classification. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton and then close the popup window by clicking the ’X’ in the upper right-hand corner.

Answer: General; KRI Template (when group classification selected); Attachments & Links

4. Select Objectives Hierarchy. When the window opens, select any organization unit and then click Open. What tabs do you see in the popup window? Select the Cancel pushbutton then close the popup window by clicking the ’X’ in the upper right-hand corner.

Answer: General; objectives (or Organization Unit if sub-objective selected); Attachments & Links


Lesson Summary

You should now be able to:

• Describe the types of master data used in SAP BusinessObjects Risk Management


Lesson: Organization Hierarchy and Views
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to create an organization unit.

Lesson Objectives
After completing this lesson, you will be able to:

• Navigate in the organization hierarchy
• Create and set up a new organization unit
• Share organization structure between organization views

This lesson gives an overview of the Organizational Hierarchy and then goes into the system to show the process of creating a new organization unit and selecting different views for the Organization Hierarchy.

Business Example
There are various ways of representing an organization for risk reporting purposes. Organizational Hierarchies allow you to tailor risk reporting by different organizational views (e.g. legal structure, geographic, lines of business, etc.). The benefits of defining Organizational Hierarchies are flexible risk reporting to meet the requirements of different risk management stakeholders, and improved risk transparency.

Organization Structure
The Organization Structure is a hierarchical structure of organizational units and is the main entry point for SAP BusinessObjects Risk Management. This defines how information will be aggregated and rolled up.

Organization master data is a standard SAP component used to capture the structure of a business. The organizations’ master data is set up during implementation or can be imported from other applications. The data in the organization structure may be changed a few times in a year.

There can be only one top node for the organizations catalog and the top node is defined in the Implementation Guide. A hierarchical structure can be defined under the top node. Each node in the structure is called an organizational unit.


Each organizational unit entry stores additional master data attributes and is the main entry point for SAP BusinessObjects Risk Management.

Figure 11: Organization Master Data Attributes

Each organization unit has the following master data attributes:

• General: Name for the organization and the currency.
• Objective: Objectives that correspond to the organization’s strategy.
• Unit of Measure: Unit of measure and conversion factors for different impact categories.
• Risk Appetite: Degree of risk-taking that is to be applied when individual risks are entered into the system.
• Risk Threshold: Various risk thresholds with their impact levels.
• Assignments: On the Assignment tab, you see the organizational views that are assigned to this organization.
• Roles: Assigned users to the organizational roles.
• Attachments & Links: Links to documents and Web sites.


Creating an Organization Structure

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. This opens a popup window that displays the organizations. The details of the selected organization unit are displayed on the right hand side in a view-only manner.

2. Select the View named Standard Hierarchy.

3. Select the organizational unit under which you want to create a new organization unit.

4. Choose the Create pushbutton to create the new organization unit.

5. Complete the organization setup with the General tab. The organization information includes the following (fields marked with an asterisk (’*’) are mandatory):

   1. Name: Name of the organizational unit.
   2. Descriptions: Description of the organization unit.
   3. Currency: Reporting currency (can be different for each organization unit).
   4. Valid From: This defaults from the parent organization unit. You can change the default date to a later date but not earlier than the Valid From date of the parent organization unit.
   5. Choose the Objective tab and then the Add pushbutton. Use the checkboxes to assign one or more objectives to the organization unit.

   Note: The objectives are defined in the Objective Hierarchy.

6. Choose the Objective tab and then the Add pushbutton. Use the check boxes to assign one or more objectives to the organization unit.

   Note: The objectives are defined in the Objective Hierarchy.


7. Choose the Unit of Measure tab. To create the units of measure for the organization unit:

   1. Select an Impact Category from the dropdown list.

      Note: Impact categories are configurable master data items.

   2. Choose the Create pushbutton.
   3. Select the Unit of Measure Name.

      Note: Unit of Measure names are configurable master data items.

   4. Enter the Conversion Factor. The factor converts the Unit of Measure Name to the organization Unit Currency.
   5. Enter the Valid To date until which the Unit of Measure will remain valid. You can change the date at a later time if required.

8. Choose the Risk Appetite tab. To define the organization’s risk appetite:

   1. Select the Qualitative Appetite level.

      Note: Appetite levels are configurable master data items.

   2. Enter a Quantitative Amount that relates to the Qualitative Appetite.
   3. Enter a description.

9. Choose the Risk Threshold tab. For each Impact Level enter the Quantitative Lower Limit and Quantitative Upper Limit values in terms of the organization unit Currency.

   Note: Impact Levels are configurable master data items.

10. Choose the Assignments tab. Here you will see the different organization hierarchy views to which the organization unit has been assigned (see the next session “Creating an Organization Value”.)

11. Choose the Roles tab. Select the Assign pushbutton to add files and links.

12. Choose the Attachments & Links tab. Select the Add pushbutton to add files and links.

13. When you’re finished, choose the Save pushbutton to save the new organization.


Creating an Organization View

Use

An organization typically has different reporting views such as by line of business, legal entity, or geography. An organizational view is simply an assignment of organization units to different “views”.

In SAP BusinessObjects Risk Management you can define multiple organizational views in a single organizational repository. There is no limitation on the number of views that can be defined.

The organizational structure is shared between SAP BusinessObjects Risk Management and SAP BusinessObjects Process Controls.

Procedure

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. This opens a popup window that displays the organizations. The details of the selected organization unit are displayed on the right hand side in a view-only manner.

2. Select the View name (other than Standard Hierarchy).

3. Choose the Actions pushbutton and select Assign Organization.

4. You will see all of the organization units in the Standard Hierarchy. Select the organization unit that you wish to assign to the View selected in Step 2. Choose the OK pushbutton.

5. You should see a message confirming the assignment of the selected organization unit to the selected View.


Exercise 2: Create an Organization Unit
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create an Organization Unit

Business Example
There are various ways of representing an organization for risk reporting purposes. Organizational Hierarchies allow you to tailor risk reporting by different organizational views (e.g. legal structure, geographic, lines of business, etc.). The benefits of defining Organization Hierarchies are flexible risk reporting to meet the requirements of different risk management stakeholders, and improved risk transparency.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]


Task: Create an Organization Unit

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. What do you see?

2. Select the Manufacturing organization unit and choose the Create pushbutton. What do you see?

3. Finish creating the organization unit.

4. Select the Save pushbutton to close the popup window. Close the popup window by clicking the “X” in the upper right-hand corner.


Solution 2: Create an Organization Unit

Task: Create an Organization Unit

1. Choose GRC Risk Management → Risk Structure work center and select Organizations. What do you see?

Answer: This opens a popup window that displays the organizations. A portion of the CRG Global Enterprises organization structure is already set up. The details of the selected organizational unit are displayed on the right hand side in a view-only manner.

2. Select the Manufacturing organization unit and choose the Create pushbutton. What do you see?

Answer: The General tab displays the organization unit name and description. The description is optional.

3. Finish creating the organization unit.

a)

1. General Tab:

• Name: GRC340-XX
• Currency: USD
• Valid From: Today’s date (mm/dd/yyyy)
• Valid To: 12/31/9999

2. Objectives Tab:

• Add the following objects: GRC340-XX Objective

3. Unit of Measure Tab:

• 1 HR = 100 USD

4. Roles Tab:

• Unit Risk Manager: GRC340-XX

4. Select the Save pushbutton to close the popup window. Close the popup window by clicking the “X” in the upper right-hand corner.

a) The organization data is saved.


Lesson Summary

You should now be able to:
• Navigate in the organization hierarchy
• Create and set up a new organization unit
• Share organization structure between organization views


Lesson: Objective Hierarchy
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to create an objective hierarchy.

Lesson Objectives
After completing this lesson, you will be able to:

• Navigate in the objective hierarchy
• Create and set up a new objective

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Objective Categories are a means of classifying an organization’s performance goals. They are important as they will help the risk managers discuss risk in terms of what’s important to the business. The benefits of defining an Objective Hierarchy are that it provides an added dimension for risk reporting, and it gives risk managers better insight into the areas of the business impacted by risks.

Objective Hierarchy


Figure 12: Example Objective Hierarchy

The Objective Hierarchy is a hierarchy of strategies and objectives. The main root node can have numerous strategies documented, and each strategy can have numerous objectives documented. The hierarchy always has two levels: strategies and objectives.

Organizations typically have several strategic initiatives with different objectives for each.

The Objective Hierarchy provides a framework for documenting the strategic initiatives and the objectives.

The Objective Hierarchy has a default root node with two levels defined below. The first level captures the strategic initiatives; the second level captures the objectives for each strategic initiative.

The Objectives defined in the hierarchy can be shared with the organization units defined in the organization structure master data.


1. Choose GRC Risk Management → Risk Structure work center and select Objectives Hierarchy. This opens a popup window that displays the objectives. The details of the selected objective are displayed on the right hand side in a view-only manner.

2. Select the main root node.

3. Choose the Create pushbutton and select Strategy.

4. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):

1. Name: Name of the strategy.

2. Description: Description of the strategy.

3. Valid To: Select a date until which the strategy will remain valid. You can change the date at a later time if required.

5. Choose the Save pushbutton to save the strategy.

6. Select the strategy that you just created.

7. Choose the Create pushbutton and select Objective.

8. Choose the Create pushbutton and select Objective.

1. Name: Name of the objective.

2. Objective Category: Select the category from the drop-down list.

3. Description: Description of the objective.

4. Valid To: Select a date until which the objective will remain valid. You can change the date at a later time if required.

9. Choose the Save pushbutton to save the new objective.


Exercise 3: Create an Objective
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create an Objective

Business Example
Objective Categories are a means of classifying an organization’s performance goals. They are important as they will help the risk managers discuss risk in terms of what’s important to the business. The benefits of defining an Objective Hierarchy are that it provides an added dimension for risk reporting, and it gives risk managers better insight into the areas of the business impacted by risks.

System Data
System: Instructor will provide to class.
Client: Instructor will provide to class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create an Objective

1. Choose GRC Risk Management → Risk Structure work center and select Objectives Hierarchy.

2. Select the main root node.

3. Choose the Create pushbutton and select Strategy.

4. In the General tab provide the following information:

5. Choose the Save pushbutton to save the new strategy.

6. Select the strategy that you just created.

7. Choose the Create pushbutton and select Objective.

8. In the General tab provide the following information.

9. Choose the Save pushbutton to save the new objective.


Solution 3: Create an Objective

Task: Create an Objective

1. Choose GRC Risk Management → Risk Structure work center and select Objectives Hierarchy.

a) This opens a popup window that displays the objectives hierarchy.

2. Select the main root node.

a) The details of the selected objective are displayed on the right hand side.

3. Choose the Create pushbutton and select Strategy.

a) This opens a popup window for the new strategy.

4. In the General tab provide the following information:

a) Name: GRC340-XX-Strategy

b) Description: GRC340-XX-Strategy

c) Valid To: XXXXX

5. Choose the Save pushbutton to save the new strategy.

a) New strategy saved.

6. Select the strategy that you just created.

a) The details of the selected objective are displayed on the right hand side.

7. Choose the Create pushbutton and select Objective.

a) This opens a popup window for the new objective.

8. In the General tab provide the following information.

a) Name: GRC340-XX-Obj

b) Objective Category: XXXXX

c) Description: GRC340-XX-Obj

d) Valid To: XXXXX

9. Choose the Save pushbutton to save the new objective.

a) New objective saved.


Lesson Summary

You should now be able to:
• Navigate in the objective hierarchy
• Create and set up a new objective


Lesson: Activity Hierarchy
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to create an Activity Hierarchy.

Lesson Objectives
After completing this lesson, you will be able to:

• Navigate in the activity hierarchy
• Create and set up a new activity hierarchy

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Activity Categories are a means of classifying an organization’s risk-bearing business activities. Activity categories provide an added dimension for risk reporting, and give risk managers additional insight into the areas of the business impacted by risks.

Activity Hierarchy
The Activity Hierarchy is used to define different types of business activities: processes, initiatives, projects, etc. These are shown as the root nodes. For each activity type, you can document a hierarchical activity structure.

An activity is any risk-bearing business activity such as a business process, a project, or a program. Activities provide an additional perspective for structuring risk information.

An Activity must be assigned to an Activity Category.


Activity Types can be:

• Business Processes, such as Operational, Financial, and Administrative processes within an enterprise;
• Projects, such as internal and customer projects;
• Initiatives; or
• Objectives, a generic type of activity such as Production Facility, Financial Planning, and so on.

There are no limits on the number of levels and the number of Activity Categories. Each Activity Category entry stores additional master data attributes.


Creating an Activity Hierarchy

1. Choose GRC Risk Management → Risk Structure work center and select Activity Hierarchy. This opens a popup window that displays the activity categories. The details of the selected activity category are displayed on the right hand side in a view-only manner.

2. Select the Activity Type to Show from the dropdown list.

Note: Activity Types are configurable master data items.

3. Select the main root node.

4. Choose the Create pushbutton.

5. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):

1. Name: Name of the activity category.

2. Description: Description of the activity category.

3. Allow Activity Assignment: Select the radio button to define whether or not you want to allow the assignment of activities to this activity category.

4. Valid To: Select a date until which the activity will remain valid. You can change the date at a later time if required.

6. Use the Risk Classification and Opportunity Classification tabs to assign risk/opportunity categories to the activity.

7. Use the Attachments & Links tab to attach files or links.

8. Choose the Save pushbutton to save the activity classification.


Exercise 4: Create an Activity Category
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create an Activity Category

Business Example
Activity categories are a means of classifying an organization’s risk-bearing business activities. Activity categories provide an added dimension for risk reporting, and give risk managers additional insight into the areas of the business impacted by risks.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create an Activity Category

1. Choose GRC Risk Management → Risk Structure work center and select Activity Hierarchy.

2. Select the Activity Type XXXXX from the dropdown list.

3. Select the main root node.

4. Choose the Create pushbutton.

5. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):

6. Choose the Save pushbutton to save the activity classification.


Solution 4: Create an Activity Category

Task: Create an Activity Category

1. Choose GRC Risk Management → Risk Structure work center and select Activity Hierarchy.

a) This opens a popup window that displays the activity hierarchy.

2. Select the Activity Type XXXXX from the dropdown list.

a) This displays the hierarchy for the selected Activity Type.

3. Select the main root node.

a) The details of the selected activity are displayed on the right hand side.

4. Choose the Create pushbutton.

a) This opens a popup window for the new activity.

5. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):

a) Name: GRC340-XX-CAT

b) Description: GRC340-XX-CAT

c) Allow Activity Assignment: Select the “Yes” radio button.

d) Valid To: XXXXX

6. Choose the Save pushbutton to save the activity classification.

a) New activity classification saved.


Lesson Summary

You should now be able to:
• Navigate in the activity hierarchy
• Create and set up a new activity hierarchy


Lesson: Risk and Opportunity Classification
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to create a risk and opportunity classification hierarchy.

Lesson Objectives
After completing this lesson, you will be able to:

• Navigate in the risk and opportunity hierarchy
• Create and set up a new risk and opportunity category

In this lesson you will show the risk and opportunity classification to the students.

Business Example
Risk (and opportunity) categories are attributes that help the risk managers organize the array of risks that an organization is likely to encounter. A sufficient number of descriptive groupings are needed so that every unique risk can be mapped to some representative risk category. Risk categories help the risk team create value from the information being collected in order that increasingly “rich” conversations can be held across the organization. Risk information is a tremendously valuable resource for identifying systemic sources of both organizational risks and problems that create costly rework, unnecessary overhead, and reduce corporate earnings.


Risk and Opportunity Classification

Figure 13: Risk and Opportunity Classification

The Risk and Opportunity Classification is a hierarchical structure to categorize risks and opportunities.

Risks and Opportunities are the basic entities managed by SAP BusinessObjects Risk Management. Risks and Opportunities are managed separately and are defined for Activities.

Risks and Opportunities classification consists of Risk Categories and Opportunity Categories. All risks and opportunities must respectively be assigned to a Risk Category and an Opportunity Category. Risk and Opportunity Categories are both hierarchical structures.


Creating a Risk and Opportunity Classification Hierarchy

Use

To create a Risk Classification Hierarchy:

Note: The same steps are used to create an Opportunity Classification Hierarchy.

Procedure

1. Choose GRC Risk Management → Risk Structure work center and select Risk Classification. This opens a popup window that displays the risk categories. The details of the selected risk category are displayed on the right hand side in a view-only manner.

2. Select the main root node.

3. Choose the Create pushbutton and select Risk Category.

4. In the General tab provide the following information (fields marked with an asterisk (’*’) are mandatory):

1. Name: Name of the risk category.

2. Description: Description.

3. Allow Assignment: Select the radio button to define whether or not you want to allow the assignment of risks to this risk category.

4. Valid To: Select a date until which the risk category will remain valid.

5. Use the KRI Template tab to assign Key Risk Indicator (KRI) templates to the risk category.

6. Use the Attachments & Links tab to attach files or links.

7. Choose the Save pushbutton to save the risk category.


Exercise 5: Create a Risk
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a Risk

Business Example
CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil – the Procurement Manager – has been tasked with documenting the supply chain risks for his organization.

Neil will be assigned as the risk owner, and he will document the risks in the SAP BusinessObjects Risk Management.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.


Solution 5: Create a Risk

Task: Create a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risks and opportunities with the attributes defined in the query.

2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.

a)

1. Name: GRC340-XX-Risk
2. Organization Unit: XXXX
3. Secondary Organization: XXXX
4. Objective: XXXX
5. Activity: XXXX
6. Risk Category: GRC340-XX-Cat
7. Description: GRC340-XX-Risk
8. Valid To: XXXX
9. Driver:

a) Category: XXXX
b) Description: XXXX


Lesson Summary

You should now be able to:
• Navigate in the risk and opportunity hierarchy
• Create and set up a new risk and opportunity category


Unit Summary
You should now be able to:
• Describe the types of master data used in SAP BusinessObjects Risk Management
• Navigate in the organization hierarchy
• Create and set up a new organization unit
• Share organization structure between organization views
• Navigate in the objective hierarchy
• Create and set up a new objective
• Navigate in the activity hierarchy
• Create and set up a new activity hierarchy
• Navigate in the risk and opportunity hierarchy
• Create and set up a new risk and opportunity category


Unit 3 Risk Identification

Unit Overview
In this unit you will learn about Activities and their relationship to organization units and risks, and how to create a risk with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:

• Describe the purpose of Activities
• Explain how to create an Activity
• Create a risk

Unit Contents
Lesson: Activity Management
Procedure: Creating an Activity
Exercise 6: Create an Activity
Lesson: Risk/Opportunity Creation
Procedure: Create a Risk
Exercise 7: Create a Risk


Lesson: Activity Management
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to manage Activities.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose of Activities
• Explain how to create an Activity

In this lesson you will show the students how to create an Activity in the Risk Management system.

Business Example
CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil – the Procurement Manager – has been tasked with documenting the supply chain risks for his organization.

Before Neil can document the risks, he wants to set up an Activity for the supply chain planning and execution.

Activity Management
In SAP BusinessObjects Risk Management you have the option of attaching risks (and opportunities) to an Activity or directly to an Organization Unit.


An Activity is any risk-bearing business activity such as a business process, a project, or a program. Activities provide an additional perspective for structuring risk information. Examples of types of activities are:

• Process (Supply Chain Product ABC)
• Project (Silverado Contract XYZ)
• Initiative (Staff Retention)
• Strategy (International Expansion)

The Activity holds generic data and makes use of Activity Categories which support data analysis, sorting, selecting and reporting.

In the data model, an Activity is assigned to a node of the Organization Hierarchy.

Risks and Opportunities can be attached to either an Activity or directly to an Organization Unit.

Activities help structure risk management data and provide an additional reporting dimension.

Activity Users and Roles
The following groups of users and roles are typically involved with Activities:

• Activity Owner: Manages the risk and opportunity assessment process within the activity; processes the activity through the Validation process.

• Risk Manager: Creates activities and assigns activity owners; monitors the risk management process through visibility of the risks and opportunities attached to activities.

• Risk Owner: Accesses owned risks through the activities.

Activity Management Process

Figure 14: Activity Management Process

Before an Activity can be created, the following must have been performed:

• Organizational unit created
• Activity hierarchy created


Creating an Activity

Figure 15: Create an Activity

1. Choose GRC Risk Management → Risk Structure work center and select Activity Management. This opens a popup window that displays the Activities with the attributes defined in the query.

2. To modify the Activity query parameters, choose Change Query at the top right-hand side of the Activity listing.

1. Enter the Organization Unit and/or Status then click Apply.

2. Activities meeting the new Query selection criteria are displayed in the query results window.

Note: Validity dates are particularly relevant to projects or contracts, which have a fixed start and finish date. For Activities with no end date or a variable end date, you can set the Valid To date far into the future.

3. To create a new Activity, choose the Create pushbutton.


4. Complete the activity creation starting with the General tab. The activity information includes the following fields (fields marked with an asterisk (’*’) are mandatory):

1. Name: Name of the activity.

2. Description: Description of the activity.

3. Organization Unit: The organization unit to which the activity is attached.

4. Valid From: Must be equal to or later than the Activity Category Valid From date. It is read-only.

5. Valid To: Must be within the validity dates of the Activity Category and Organization Unit. The initial value is empty, and if you do not enter a value it defaults to the Valid To of the Organization Unit or Activity Category.

Note: Validity dates are particularly relevant to projects or contracts, which have a fixed start and finish date. For Activities with no end date or a variable end date, you can set the Valid To date far into the future.

6. Comments: General comments about the activity.

5. Choose the Risks and Opportunities tab if you want to create risks for the activity.

6. Choose the Attachments & Links tab. Select the Add pushbutton to add files and links.

7. When you’re finished, choose one of the following pushbuttons:

1. Submit: To activate the activity for use. After submitting the activity, you will be returned to the activity query screen.

2. Save Draft: To save a draft of the activity. After saving the draft, you can continue to work on the new activity.


Exercise 6: Create an Activity
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create an Activity

Business Example
CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil – the Procurement Manager – has been tasked with documenting the supply chain risks for his organization.

Before Neil can document the risks, he wants to set up an Activity for the supply chain planning and execution.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1.
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Data Date Value
Name XXX
Description XXXX
Organization XXXX
Valid To XXXX

Task: Create an Activity

1. Choose GRC Risk Management → Risk Assessment work center and select Activity Management.


2. Choose the Create pushbutton and enter the following:

3. Choose Save Draft.

4. Return to the General tab and enter Comments:

5. Choose Submit.


Solution 6: Create an Activity

Task: Create an Activity

1. Choose GRC Risk Management → Risk Assessment work center and select Activity Management.

a) This opens a popup window that displays the Activities with the attributes defined in the query.

2. Choose the Create pushbutton and enter the following:

a) Name: GRC340-XX-Act

b) Description: GRC340-XX-Actitity

c) Organization Value: XXXX

d) Valid To: XXXX

3. Choose Save Draft.

a) Activity saved as draft. You can continue to work on the new activity.

4. Return to the General tab and enter Comments:

a) Enter a comment for this Activity

5. Choose Submit.

a) Activity activated for use.


Lesson Summary

You should now be able to:
• Describe the purpose of Activities
• Explain how to create an Activity


Lesson: Risk/Opportunity Creation

Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to create a risk.

Lesson Objectives
After completing this lesson, you will be able to:

• Create a risk

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
CRG Global Enterprise is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil – the Procurement Manager – has been tasked with documenting the supply chain risks for his organization.

Neil will be assigned as the risk owner, and he will document the risks in the SAP BusinessObjects Risk Management.

Risk ’Bow-Tie’
The model for representing risks and opportunities in SAP BusinessObjects Risk Management is as follows:


Figure 16: Risk ’Bow-Tie’ Model

Risks can be linked to an Activity or directly to an Organization Unit.

The risk is described in terms of drivers (i.e. events that could cause the risk to occur), and impacts (i.e. consequences if the risk event were to occur). Multiple drivers and impacts can be assigned to a risk.


Create a Risk

Figure 17: Create a Risk

1. Enter the Type, Organization Unit and/or Status and select Apply.

2. Risks and opportunities meeting the new Query selection criteria are displayed in the query results window.

3. To create a new Risk, choose the Create pushbutton. You will be offered four options:

   1. Risk (select this option). This opens a popup window that displays the risk data tabs.
   2. With Central Risk as Template
   3. Opportunity
   4. With Central Opportunity as Template


4. Complete the risk creation starting with the General tab. The activity information includes the following (fields marked with an asterisk (“*”) are mandatory):

   1. Name: Name of the risk. When naming a risk, keep the name short and include the nature of the event. For example:
      a) Loss of senior research scientist
      b) Logistics disruption
      c) Earthquake
   2. Organization Unit: The organization unit to which the risk is attached.
   3. Secondary Organization Unit: A second organization unit to which the risk is attached.
   4. Objective: The key business objective that would be impacted by the risk.
   5. Activity: Select the Activity to which the risk is attached.
   6. Risk Category: Select the risk category from the list.
   7. Description: A description of the risk event. Use this field to add context about the risk.
   8. Valid From (system read-only default value) and Valid To (editable) define the period within which the risk can occur. You can change the Valid To date at a later time if required.
   9. Drivers:
      a) In the Show drop-down list select Drivers.
      b) Choose the Add pushbutton.
      c) Select the driver Category from the drop-down list.
      d) Enter the Description of the driver.
      e) Choose the OK pushbutton to add the driver to the risk.
   10. Impacts:
      a) In the Show drop-down list select Impacts.
      b) Choose the Add pushbutton.
      c) Select the impact Category from the drop-down list.
      d) Enter a Description of the impact.
      e) Choose the OK pushbutton to add the impact to the risk.

5. Choose the Roles tab and assign the risk owner (i.e. the person with management accountability for the risk).

6. Choose the Attachments & Links tab and select the Add pushbutton to add files and links.


7. When you’re finished, choose one of the following pushbuttons:

   1. Submit: To activate the risk for use. After submitting the risk, you will be returned to the risk query screen.
   2. Save Draft: To save a draft of the risk. After saving the draft, you can continue to work on the new risk.


Exercise 7: Create a Risk

Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a Risk

Business Example
CRG Global Enterprises is a conglomerate with global operations. CRG has a highly cost-competitive global supply chain that is greatly impacted by global trade regulations. CRG has instituted strict policies to comply with the regulations. All supplies and equipment must be sourced from preferred vendors. To be preferred, vendors must provide accurate documentation with each delivery including accurate country-of-origin information. Sourcing from non-preferred vendors is allowed only when customer commitments are jeopardized. Neil – the Procurement Manager – has been tasked with documenting the supply chain risks for his organization.

Neil will be assigned as the risk owner, and he will document the risks in the SAP BusinessObjects Risk Management.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.


Solution 7: Create a Risk

Task: Create a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risks and opportunities with the attributes defined in the query.

2. Choose the Create pushbutton and select Risk from the drop-down list. Complete the risk creation starting with the General tab.

a)
   1. Name: GRC340-XX-Risk
   2. Organization Unit: XXXX
   3. Secondary Organization: XXXX
   4. Objective: XXXX
   5. Activity: XXXX
   6. Risk Category: GRC340-XX-Cat
   7. Description: GRC340-XX-Risk
   8. Valid To: XXXX
   9. Driver:
      a) Category: XXXX
      b) Description: XXXX


Lesson Summary

You should now be able to:
• Create a risk


Unit Summary
You should now be able to:
• Describe the purpose of Activities
• Explain how to create an Activity
• Create a risk


Unit 4: Risk Analysis

In this unit you will learn how to run a risk analysis and the relationships between risks.

Unit Overview
In this unit you will learn the various ways in which risks can be analyzed with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:

• Explain how surveys work
• Explain how to create a risk survey
• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis
• Create grouped risks
• Create risk inter-relationships
• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis
• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis
• Validate a risk analysis


Unit Contents

Lesson: Surveys
   Procedure: Creating Survey Questions
   Procedure: Creating a Survey
   Procedure: Scheduling a Survey
   Procedure: Completing a Survey
   Procedure: Viewing Survey Results
   Exercise 8: Create a Risk Survey

Lesson: Risk Analysis
   Procedure: Inherent Risk Analysis
   Exercise 9: Create an Inherent Risk Analysis

Lesson: Risk Grouping
   Procedure: Risk Grouping
   Exercise 10: Risk Grouping

Lesson: Risk Inter-Relationships
   Procedure: Creating Risk Inter-Relationships
   Exercise 11: Risk Inter-Relationships

Lesson: What-If Scenario
   Procedure: Scenario Case Creation
   Procedure: Scenario Case Analysis
   Procedure: Scenario Case Response
   Procedure: Scenario Case Result Review
   Exercise 12: What-If Scenario

Lesson: Monte-Carlo Analysis
   Procedure: Performing a Monte Carlo Analysis
   Exercise 13: Monte Carlo Analysis

Lesson: Risk Validation
   Procedure: Validating a Risk
   Procedure: The Validation Steps
   Exercise 14: Risk Validation


Lesson: Surveys

Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to obtain risk analysis information using a survey.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how surveys work
• Explain how to create a risk survey

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Before proceeding with the analysis, risk owners often survey their counterparts in other departments about their experience with a particular risk. Risk owners can use the survey features in SAP BusinessObjects Risk Management to identify new risks, receive and update risk information, or to create checklists.

What are Surveys?
Conducting a survey is a useful way of obtaining risk information, which in turn is used to make risk-based decisions. The value of the survey depends on the accuracy of the information the survey contains.

The following figure gives an overview of the general process flow of surveys in SAP BusinessObjects Risk Management. The survey functionality leverages Adobe Interactive Forms to support offline data entry. For example, a survey recipient can complete the survey in the airplane and email the completed form back to the system.


Figure 18: Survey Process

There are three available survey types: Activity, Risk, and Risk Indicator.

• Activity Survey: Used to identify new risks and potential shortcomings related to an activity (for example, project, process).

• Risk Survey: Used to initiate a risk assessment (or re-assessment) to uncover new circumstances that might impact the risk assessment.

• Risk Indicator Survey: Used to receive manual indications on the development of a Key Risk Indicator.


Creating Survey Questions

1. Choose GRC Risk Management → Risk Assessment work center and select Questions Library. This opens a popup window that displays the question library.

2. To create a new question, choose the Create push-button.

Figure 19: Create Question

3. Complete the question creation. The question information includes the following (fields marked with an asterisk (‘*’) are mandatory):

   1. Category: Survey type (i.e., Activity, Risk, or KRI)
   2. Question: The question that you want answered
   3. Active: To indicate if survey is active
   4. Answer Type: The desired type of answer as one of the following:
      a) Rating (1 – 5)
      b) Yes / No / NA
      c) Text
      d) Percentage
      e) Amount

4. Choose the Save push-button to save the survey.


Creating a Survey

1. Choose GRC Risk Management → Risk Assessment work center and select Survey Library. This opens a popup window that displays the survey library.

Figure 20: Create Survey

2. To create a new survey, choose the Create push-button.

3. Complete the survey creation. The survey information includes the following (fields marked with an asterisk (‘*’) are mandatory):

   1. Category: Survey type (i.e., Activity, Risk, or KRI)
   2. Title: Survey title.
   3. Description: Description of the survey.
   4. Active: To indicate if survey is active.

4. To add Questions to the survey:

   1. Choose the Add push-button. This opens a popup that displays the available survey questions (See Creating Survey Questions).
   2. Select the question that you want to include in the survey and choose the OK push-button.

5. Choose the Save push-button to save the survey.


Scheduling a Survey

1. Choose GRC Risk Management → Risk Monitoring work center and select Planner. This opens a popup window that displays all of the scheduled surveys and other planned assessment activities.

2. To schedule a survey question, choose the Create push-button. You will be presented with a guided procedure starting with Enter Plan Details.

Figure 21: Survey Details

3. Enter the plan details. The question information includes the following (fields marked with an asterisk (‘*’) are mandatory):

   1. Plan Name: Name of the survey plan
   2. Plan Activity: Select from the available plans
   3. Survey: Select from the available surveys
   4. Start Date: The date the survey will be sent
   5. Due Date: The date the completed survey must be returned

4. Choose the Next push-button and select the organization that is to complete the survey.


Figure 22: Survey Organizations

5. Choose the Next push-button. Use the radio button to select the filter procedure to apply to the survey.


Figure 23: Survey Filter

6. Choose the Next push-button. Use the radio button to review the survey plan details.


Figure 24: Survey Review

7. Choose the Activate Plan push-button to activate the survey according to its Start Date.

8. Choose the Finish pushbutton to return to the list of scheduled surveys and other planned activities.


Completing a Survey

Use
Surveys are sent as an Adobe Form attachment in the recipient’s email inbox.

Procedure
1. Open the Adobe Form attachment in the email.

2. Complete the survey and save the completed document to any local directory.

3. Reply to the email with the completed Adobe Form as an attachment.


Viewing Survey Results

Use
Now assume you are the owner of the survey and want to view the results.

Procedure
1. Choose GRC Risk Management → Risk Assessment work center.

2. If your survey category was Risk, select Risk and Opportunity Management. If your survey category was Activity, select Activity Management.

3. This opens a popup window that displays all of the risks / activities. Select the desired risk / activity and choose the Open push-button.

4. Select the Surveys tab and from the Survey dropdown list, select from among the available surveys. All the recipients of the selected survey are displayed in the table. Questions in the survey are displayed as columns in the table.

5. Click the name of the recipient to open his / her survey form.


Exercise 8: Create a Risk Survey

Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create survey questions
• Create a survey

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Before proceeding with the analysis, risk owners often survey their counterparts in other departments about their experience with a particular risk. Risk owners can use the survey features in SAP BusinessObjects Risk Management to identify new risks, receive and update risk information, or to create checklists.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task 1: Create a Risk Survey Question

1. Choose GRC Risk Management → Risk Assessment work center and select Questions Library.

2. Choose the Create pushbutton.

3. Complete the question creation as follows:

   a. Category:
   b. Question:
   c. Active:
   d. Answer Type:


4. Choose the Save push-button to save the question.

Task 2: Create a Risk Survey

1. Choose GRC Risk Management → Risk Assessment work center and select Survey Library.

2. Choose the Create push-button.

3. Complete the question creation as follows:

   a. Category:
   b. Title:
   c. Description:
   d. Active:

4. Add Questions to the survey:

5. Choose the Save push-button.


Solution 8: Create a Risk Survey

Task 1: Create a Risk Survey Question

1. Choose GRC Risk Management → Risk Assessment work center and select Questions Library.

a) This opens a popup window that displays the question library.

2. Choose the Create pushbutton.

a) This opens a popup window that displays the question form.

3. Complete the question creation as follows:

   a. Category:
   b. Question:
   c. Active:
   d. Answer Type:

a) a. Category: Risk Survey
   b. Question: What other project risks should be considered?
   c. Active: Yes
   d. Answer Type: Text

4. Choose the Save push-button to save the question.

a) This saves the new survey question.

Task 2: Create a Risk Survey

1. Choose GRC Risk Management → Risk Assessment work center and select Survey Library.

a) This opens a popup window that displays the survey library.

2. Choose the Create push-button.

a) This opens a popup window that displays the survey form.

3. Complete the question creation as follows:

   a. Category:
   b. Title:
   c. Description:
   d. Active:

a) a. Category: Risk Survey
   b. Title: Risk Survey for Project ABC
   c. Description: The purpose of this survey is to identify new risks.
   d. Active: Yes.

4. Add Questions to the survey:

a) a. Choose the Add push-button.
   b. Select the question that you want to include in the survey and choose the OK push-button.

5. Choose the Save push-button.

a) This saves the new survey.


Lesson Summary

You should now be able to:
• Explain how surveys work
• Explain how to create a risk survey


Lesson: Risk Analysis

Lesson Duration: 30 Minutes

Lesson Overview
This lesson will show you how to perform an inherent risk analysis.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis

In this section you will discuss with the students the reason for doing a risk analysis and explain the different analysis types that are available within Risk Management.

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

The Risk Owner now proceeds to analyze the risks based on information gathered. S/he can perform three types of risk analysis: Inherent risk analysis; Residual risk analysis; Planned residual risk analysis. Each type of risk analysis includes the probability of the risk event occurring, and the impact of the risk event. The Risk Owner has the option of performing either a qualitative or quantitative analysis.


Risk Analysis Types
Risk analysis involves consideration of the sources of risk, their consequences, and the likelihood that those consequences may occur. With SAP BusinessObjects Risk Management you can perform three types of analysis:

• Inherent risk analysis: The likelihood and impact of the risk with the existing response measures in place.

• Residual risk analysis: The likelihood and impact of the risk with additional response measures put in place.

• Planned residual risk analysis: The target likelihood and impact required for the risk level to be acceptable.

You can also perform quantitative or qualitative risk analysis:

• Quantitative risk analysis: Numerical probability and impact values are used in the analysis. For example:

   – Probability: 60%
   – Impact: $525,000

• Qualitative risk analysis: Scales are used to describe the likelihood and impact of the risk. For example:

   – Likelihood: 1 = Remote
   – Impact: 4 = Major Impact

The preferred analysis method is defined during configuration of the solution.

Risk Level Matrix
A Risk Level Matrix is used to portray (and rank) the results of a risk analysis. Risk ranking is an important step in the risk management process for prioritizing risks for response purposes. This section will explain how a risk level matrix is generated in SAP BusinessObjects Risk Management.

As described above, risk analysis involves the consideration of the likelihood (or probability) a risk event will occur, and the potential negative impact that could result. One of the simplest methods of portraying the results of a risk analysis is a risk level matrix.


Figure 25: Risk Level Matrix

This matrix serves three purposes.

• It converts likelihood of the risk event occurring and impact of occurrence into risk levels (as shown by the letter designations in the cells; L, M, H).

• It helps you prioritize risks based on their risk level as shown by the numbers next to the risk levels (where 1 is the highest priority and 3 is the lowest priority).

• When coupled with the risk level definitions at the right, it provides a final check on the resulting risk level ratings in terms of the required management action.

A risk level matrix is typically presented as a 3 x 3 or 5 x 5, although other variations are possible in SAP BusinessObjects Risk Management such as a 7 x 7. A 5 x 5 matrix should be sufficient to help you prioritize risks. The bigger the matrix, the more difficult it will be to come up with differentiating definitions of the likelihood and impact bands.

The risk level matrix is designed such that the higher risk levels appear in the upper right hand corner while lower level risks appear near the lower left hand corner.

An important way to ensure that the risk level matrix is self-explanatory is by “calibrating” the likelihood scale using quantitative or qualitative definitions. For example:

Calibrating Probability Levels:

Level | Quantitative Calibration (Probability) | Qualitative Calibration (Frequency)
1 | 1% - 9% | Remote; Occurs once every 20 years
2 | 10% - 29% | Unlikely; Occurs once every 5 to 20 years
3 | 30% - 49% | Possible; Occurs once every 2 to 5 years
4 | 50% - 75% | Likely; Occurs once per year
5 | 76% - 99% | Highly Likely; Occurs multiple times a year

Calibrating Impact Levels (e.g. Brand Impact)

Level | Quantitative Calibration | Qualitative Calibration
1 | - | Inconsequential
2 | - | Minor; Local media < 3 days of coverage
3 | - | Moderate; National media < 3 days of coverage
4 | - | Major; National media > 3 days of coverage
5 | - | Catastrophic; High profile court case
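The calibration and matrix lookup described in this section, as an added example that is not part of the course material. The probability bands are copied from the calibration table; the likelihood x impact scoring rule, the L/M/H thresholds, the axis orientation and the sample risk values are assumptions, because Figure 25 is not reproduced in this text.

```python
# Added example: calibration lookup plus a 5 x 5 risk level matrix.
# Probability bands come from the calibration table in this lesson.
# The scoring rule and thresholds below are ASSUMPTIONS, not SAP defaults.

PROBABILITY_BANDS = [  # (low %, high %, level, label)
    (1, 9, 1, "Remote"),
    (10, 29, 2, "Unlikely"),
    (30, 49, 3, "Possible"),
    (50, 75, 4, "Likely"),
    (76, 99, 5, "Highly Likely"),
]

# Priority per risk level: 1 is the highest priority, 3 the lowest.
PRIORITY = {"H": 1, "M": 2, "L": 3}

# ASSUMED thresholds on likelihood x impact (hypothetical values).
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 5


def probability_level(percent):
    """Map a quantitative probability (in %) to a likelihood level 1-5.

    The bands as written leave gaps: below 1%, above 99%, and fractional
    values such as 9.5% or 75.5%. Those inputs are rejected instead of
    being silently rounded into a neighbouring band.
    """
    for low, high, level, _label in PROBABILITY_BANDS:
        if low <= percent <= high:
            return level
    raise ValueError(f"{percent}% falls outside every calibrated band")


def risk_level(likelihood, impact):
    """Return (risk level letter, priority) for one cell of a 5 x 5 matrix."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5")
    score = likelihood * impact
    if score >= HIGH_THRESHOLD:
        letter = "H"
    elif score >= MEDIUM_THRESHOLD:
        letter = "M"
    else:
        letter = "L"
    return letter, PRIORITY[letter]


def build_matrix():
    """Build the matrix with the highest levels in the upper right corner.

    ASSUMED orientation: rows run from impact 5 (top) to impact 1 (bottom),
    columns from likelihood 1 (left) to likelihood 5 (right).
    """
    return [
        [risk_level(likelihood, impact)[0] for likelihood in range(1, 6)]
        for impact in range(5, 0, -1)
    ]


def rank_risks(risks):
    """Rank (name, probability %, impact level) tuples, highest priority first.

    Ties on priority are broken by the higher likelihood x impact score.
    """
    rated = []
    for name, percent, impact in risks:
        likelihood = probability_level(percent)
        letter, priority = risk_level(likelihood, impact)
        rated.append((priority, -likelihood * impact, name, letter))
    return [(name, letter, priority) for priority, _neg, name, letter in sorted(rated)]


# Constructed sample input: the risk names are the naming examples from this
# course; the probabilities and impact levels are invented for illustration.
SAMPLE_RISKS = [
    ("Earthquake", 2, 5),
    ("Logistics disruption", 60, 4),
    ("Loss of senior research scientist", 35, 3),
]

if __name__ == "__main__":
    for row in build_matrix():
        print(" ".join(row))
    for entry in rank_risks(SAMPLE_RISKS):
        print(entry)
```

Rejecting uncalibrated inputs matters in practice: a probability of 75.5% or 100% has no level in the table as written, so the calibration should be extended before such values are accepted.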


Inherent Risk Analysis

Use
To perform an inherent risk analysis:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk that you want to analyze and choose the Open push-button. This opens a popup window that displays the risk information.


Figure 26: Risk General

4. Select the Analysis tab. Notice the table on the right side with the three types of analysis: Inherent Risk, Residual Risk, and Residual Risk (Planned).


Figure 27: Risk Analysis

5. Choose the Create New Analysis push-button. The Analysis Date will display today’s date.

6. Select Inherent Risk.

   1. Enter the Probability (or select the likelihood, depending on how your organization’s system is configured).
   2. Choose the Impact Category Allocation push-button. This opens a popup window where you enter the impact information.


Figure 28: Impact Category Allocation

7. For each Impact Category:

   1. Select the Analysis Method.
   2. If you select Quantitative, enter a figure in the Impact column.
   3. If you select Qualitative, select the Impact Level from the drop-down list.

8. Choose OK.


Figure 29: Example Qualitative Impact Analysis

9. Choose the Save push-button to save the results of your analysis.


Exercise 9: Create an Inherent Risk Analysis
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create an Inherent Risk Analysis

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

The Risk Owner now proceeds to analyze the risks based on information gathered. S/he can perform three types of risk analysis: Inherent risk analysis; Residual risk analysis; Planned residual risk analysis. Each type of risk analysis includes the probability of the risk event occurring, and the impact of the risk event. The Risk Owner has the option of performing either a qualitative or quantitative analysis.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Risk Survey Question

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

3. Select the risk GRC340-XX-Risk and choose the Open push-button.

4. Select the Analysis tab.

5. Choose the Create New Analysis push-button.


6. Select Inherent Risk and enter the probability.

7. Choose the Impact Category Allocation push-button.

8. Choose OK then the Save push-button


Solution 9: Create an Inherent Risk Analysis
Task: Create a Risk Survey Question

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risk table for the selected organization unit.

2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

a) Select Type as Risk.

b) Select the organization unit GRC340-XX-Org

c) Choose the Apply pushbutton.

d) Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk GRC340-XX-Risk and choose the Open push-button.

a) This opens a popup window that displays the risk information.

4. Select the Analysis tab.

a) A table is displayed on the right side with the three types of analysis: Inherent Risk, Residual Risk, and Residual Risk (Planned).

5. Choose the Create New Analysis push-button.

a) The Analysis Date will display today’s date

6. Select Inherent Risk and enter the probability.

a) Probability: XX%

7. Choose the Impact Category Allocation push-button.

a) This opens a popup window where you enter the impact information.

b) Select the Impact Category XXXXX:

c) Select the Quantitative Analysis Method and enter $XXXXXX in the Impact column.

8. Choose OK then the Save push-button

a) Analysis results saved.


Lesson Summary

You should now be able to:
• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis


Lesson: Risk Grouping
Lesson Duration: 20 Minutes

Lesson Overview
This lesson will show you how to group risks.

Lesson Objectives
After completing this lesson, you will be able to:

• Create grouped risks

You will discuss with the students why certain risks may be grouped together under a parent risk.

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Once all the risks have been identified and documented, it is often necessary to consolidate groups of risks into one parent risk. This consolidation helps in rolling up risk information thus reducing the number of risks that need to be analyzed. Reporting is also made simple by viewing risk levels of consolidated risk groups rather than the complete set of risks.


Risk Grouping
Use
To group risks:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

1. Select Type as Risk.
2. Select the organization unit.
3. Choose the Apply push-button.
4. Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk that you want to analyze and choose the Open push-button. This opens a popup window that displays the risk information.

4. Select the Underlying Risks tab. In the table at the bottom of the window you will see a list of risks grouped under the risk.


Figure 30: Underlying Risks

5. To add a risk:

1. Choose the Assign push-button.
2. Select the Organization Unit, Activity, Risk Category, and/or Name to pinpoint the risks to be grouped.
3. Choose the Go push-button.
4. Select the risk and choose the OK push-button.
5. Repeat as often as needed.

6. Choose the Save push-button to save the grouped risks.


Exercise 10: Risk Grouping
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create grouped risks

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Once all the risks have been identified and documented, it is often necessary to consolidate groups of risks into one parent risk. This consolidation helps in rolling up risk information thus reducing the number of risks that need to be analyzed. Reporting is also made simple by viewing risk levels of consolidated risk groups rather than the complete set of risks.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create Grouped Risks

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

3. Select the risk GRC340-XX-Risk and choose the Open push-button.

4. Select the Underlying Risks tab.

5. Add a risk:

6. Choose the Save pushbutton


Solution 10: Risk Grouping
Task: Create Grouped Risks

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risk table for the selected organization unit.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

a) Select Type as Risk

b) Select the organization unit XXXXX

c) Choose the Apply push-button.

d) Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk GRC340-XX-Risk and choose the Open push-button.

a) This opens a popup window that displays the risk information.

4. Select the Underlying Risks tab.

a) Review the risks grouped under the risk.

5. Add a risk:

a) Choose the Assign push-button.

b) Select: Organization Unit: GRC340-XX-Org (Activity, Risk Category, Name: Leave blank)

c) Choose the Go push-button.

d) Select the risk GRC340-XX-Risk and choose the OK push-button.

6. Choose the Save pushbutton

a) Grouped risks are saved.


Lesson Summary

You should now be able to:
• Create grouped risks


Lesson: Risk Inter-Relationships
Lesson Duration: 20 Minutes

Lesson Overview
This lesson will show you how to establish relationships between risks.

Lesson Objectives
After completing this lesson, you will be able to:

• Create risk inter-relationships

In this lesson you will discuss with the students why a risk may influence another risk and show how it is put into the Risk Management system.

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Risks often do not occur in silos, and the occurrence of one risk could have an influence on one or more other risks. SAP BusinessObjects Risk Management allows users to find and add all risks that influence the current risk along with the influence factors.

Influence Factors
In SAP BusinessObjects Risk Management, risk inter-relationships are modeled using Influence Factors. The interrelationships are also used in Scenario Analysis and Monte Carlo Analysis.

The risk interrelationships illustrated in this example are defined by indicating whether a risk: (i) causes (or influences) another risk; (ii) is itself the result of another risk; or (iii) has no relationship to another risk. The "strength" of the relationship is expressed as either strong, medium, or weak as illustrated by the arrow thickness in the illustration.


The risk influence evaluation can be quantitative or qualitative.

The quantitative evaluation method specifies the influence factor for the current risk “impact” and “probability” using a percentage number.

The qualitative evaluation method specifies the Correlation strength in terms of High Positive Influence, Low Positive Influence, No Influence, Low Negative Influence, or High Negative Influence.

There are several benefits in using Influence Factors including:

• Increased risk scenario flexibility
• Richer risk analysis
• Simulate the effect of business decisions


Creating Risk Inter-Relationships
Use
To create risk inter-relationships:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

1. Select Type as Risk.
2. Select the organization unit.
3. Choose the Apply push-button.
4. Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk that you want to analyze and choose the Open push-button. This opens a popup window that displays the risk information.

4. Select the Influenced Risks tab. In the table at the bottom of the window you will see a list of risks that are “influenced” by the open risk.


Figure 31: Influenced Risks

5. To add a risk inter-relationship:

1. Choose the Create Influence Factor push-button. This opens a popup window that displays the influence factor information.

2. Choose the Create Influence Factor push-button. This opens a popup window that displays the influence factor information.

3. Choose the Go push-button.
4. Select the risk and choose the OK push-button. Now you will see the selected risk along with its Organization Unit, Activity Category, and Risk Classification.

5. Select the preferred Evaluation Type radio button.

a) Quantitative: Allows you to enter numeric influencing factors for the impact and probability.

b) Qualitative: Allows you to enter correlation strength. (The qualitative types are configured items).

6. Enter either the Influence factor on Impact and Influence factor on Probability or the Correlation Strength.

7. Choose the OK push-button.


Figure 32: Create Influence Factor

6. Choose the Save push-button to save the influenced risks.


Exercise 11: Risk Inter-Relationships
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create risk inter-relationships

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Risks often do not occur in silos, and the occurrence of one risk could have an influence on one or more other risks. SAP BusinessObjects Risk Management allows users to find and add all risks that influence the current risk along with the influence factors.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create Risk Inter-Relationships

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

3. Select the risk GRC340-XX-Risk and choose the Open push-button.

4. Select the Influenced Risks tab

5. Add a risk inter-relationship:

6. Choose the Save push-button


Solution 11: Risk Inter-Relationships
Task: Create Risk Inter-Relationships

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risk table for the selected organization unit.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

a) Select Type as Risk.

b) Select the organization unit GRC340-XX-Org.

c) Choose the Apply push-button.

d) Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk GRC340-XX-Risk and choose the Open push-button.

a) This opens a popup window that displays the risk information.

4. Select the Influenced Risks tab

a) The table at the bottom of the window will list the risks that are “influenced” by the open risk.

5. Add a risk inter-relationship:

a) Choose the Create Influence Factor push-button.

b) Select the Name of influenced risk. You will see a popup window. Select Organization Unit = GRC340-XX-Org, Activity = GRC340-XX-Act, Risk Category = GRC340-XX-Cat.

c) Choose the Go push-button.

d) Select the risk GRC340-XX-Risk and choose the OK push-button.

e) Select the preferred Evaluation Type radio button = Quantitative.

f) Enter the Influence factor on Impact = 1.2 and Influence factor on Probability = 1.5.

g) Choose the OK push-button.

6. Choose the Save push-button

a) Influenced risk is saved.


Lesson Summary

You should now be able to:
• Create risk inter-relationships


Lesson: What-If Scenario
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to create a business scenario that involves risks.

Lesson Objectives
After completing this lesson, you will be able to:

• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

The risk management team has the option of defining “Scenarios” to describe plausible risks and the impacts. A Scenario helps the risk team address complex risk conditions and options. The risk team can create different cross-organizational Scenarios and analyze them.

What is a Scenario?
A scenario is a story used to describe plausible future risk and associated negative (or positive) impacts. A scenario provides a basis for communicating complex risk conditions and options.

A scenario is an event that links risks in a logical way, and then shows the effect of changes on these events. With SAP BusinessObjects Risk Management you can create different scenarios and analyze them individually.


Figure 33: Scenario Creation Process


Scenario Case Creation
Use
Before you create a scenario case you must first define the scenario classification and sub-classification.

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.

2. To display scenarios created by other users, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

1. Select the Creator of the scenario
2. Select the scenario Status (Draft, In process, Cancelled)
3. Choose the Hide Quick Criteria Maintenance push-button.

3. Choose the Create push-button. Select Classification. This opens a popup window. Enter the Name and Description of the scenario Classification. Choose the Save push-button.

4. Select the scenario Classification that you just created and choose Create push-button. Select Subclassification. This opens a popup window. Enter the Name and Description of the scenario Subclassification. Choose the Save push-button.

5. Select the scenario Classification and subclassification that you just created and choose Create push-button. Select Case. This opens a popup window.


Figure 34: Scenario Case Creation

6. In the Component tab, enter the following:

1. Name: Short name of the case
2. Description: Description of the scenario.
3. Cause: The drivers behind the scenario.
4. Rational for Likelihood: Why you believe the scenario could materialize.
5. Likelihood: The likelihood that the scenario could occur.
6. Currency: Used for the analysis of the scenario.

7. In the Risks table at the bottom of the window you can assign the primary risk events that might occur in the scenario. The system automatically retrieves all related Influence Factors (which you can delete if you don’t want them in the scenario). To assign risks to the scenario:

1. Choose the Assign push-button. This opens a popup window to select the risks that are to be assigned to the scenario.

2. Optional: Select the Organization Unit, Activity, Risk Category, and/or risk Name.

3. Choose the Go push-button.
4. Select the risks and choose the OK push-button.
5. Choose the Save push-button.


Scenario Case Analysis
Use
To analyze a scenario:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.

2. Select the scenario and choose the Open push-button. Select Case.

3. Select the Assumption tab.

Figure 35: Scenario Case Analysis

4. Enter the following values for the scenario:

1. Overall Change on Probability: Enter a percentage for the overall change in probability of the risks occurring under the scenario.

2. Overall Change on Impact: Enter a percentage for the overall change in the risk impacts under the scenario.

3. Overall Benefit from Scenario: If applicable, enter the estimated benefit in monetary terms that would result under the scenario.


5. Choose the Apply Overall Changes push-button to apply the above assumptions for the scenario. This will apply the assumptions to the risks linked to the scenario. Choose the Reset push-button to reset the values.

Figure 36: Scenario Case Assumptions

6. Choose the Save pushbutton to save the assumptions


Scenario Case Response
Use
To view and/or create response plans for a scenario:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.

2. Select the scenario and choose the Open push-button. Select Case.

3. Select the Response tab. You will see all the responses related to the risks assigned to the scenario.

Figure 37: Scenario Case Response

4. You can Create or Assign new risk responses, or Open the risk to view the risk details. Risk response tasks are covered in detail in the Unit Risk Response.


Scenario Case Result Review
Use
To prepare response plans for a scenario:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis. This opens a popup window that displays the different scenarios created.

2. Select the scenario and choose the Open push-button. Select Case.

3. Select the Result tab. You will see a summary of the calculated results for each impact category. The results are shown without and with the scenario use, as well as with the scenario before and after responses.

Figure 38: Scenario Case Results


Exercise 12: What-If Scenario
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a Scenario Case

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

The risk management team has the option of defining “Scenarios” to describe plausible risks and the impacts. A Scenario helps the risk team address complex risk conditions and options. The risk team can create different cross-organizational Scenarios and analyze them.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Scenario Case

1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis.

2. To display scenarios created by other users, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

3. Choose the Create push-button. Select Classification.

4. Select the scenario Classification that you just created and choose Create push-button. Select Subclassification.

5. Select the scenario Classification and subclassification that you just created and choose Create push-button. Select Case.


6. In the Risks table at the bottom of the window assign the primary risk events that might occur in the scenario. The system automatically retrieves all related Influence Factors (which you can delete if you don’t want them in the scenario). To assign risks to the scenario:


Solution 12: What-If Scenario
Task: Create a Scenario Case

1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis.

a) This opens a popup window that displays the different scenarios created.

2. To display scenarios created by other users, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

a) Leave the Creator, Status fields blank. Choose the Hide Quick Criteria Maintenance push-button.

3. Choose the Create push-button. Select Classification.

a) This opens a popup window. Enter the following:

1. Name: GRC340-XX-Class
2. Description: GRC340-XX-Classification

Choose the Save pushbutton.

4. Select the scenario Classification that you just created and choose Create push-button. Select Subclassification.

a) This opens a popup window. Enter the following:

1. Name: GRC340-XX-Sub
2. Description: GRC340-XX-Subclassification

Choose the Save pushbutton.

5. Select the scenario Classification and subclassification that you just created and choose Create push-button. Select Case.

a) This opens a popup window. In the Component tab, enter the following:

1. Name: GRC340-XX-Case
2. Description: GRC340-XX-Case
3. Cause: XXXXX
4. Rational for Likelihood: XXXXX
5. Likelihood: XXXXX
6. Currency: USD


6. In the Risks table at the bottom of the window assign the primary risk events that might occur in the scenario. The system automatically retrieves all related Influence Factors (which you can delete if you don’t want them in the scenario). To assign risks to the scenario:

a) Choose the Assign push-button. This opens a popup window to select the risks that are to be assigned to the scenario. Select the following:

1. Organization Unit: GRC340-XX-ORG
2. Activity: GRC340-XX-Act
3. Risk Category: Leave blank
4. Name: Leave blank

b) Choose the Go push-button.

c) Select the risk GRC340-XX-Risk and choose the Go push-button.

d) Choose the Save push-button.


Lesson Summary

You should now be able to:
• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis


Lesson: Monte-Carlo Analysis
Lesson Duration: 30 Minutes

Lesson Overview
Monte-Carlo Analysis

Lesson Objectives
After completing this lesson, you will be able to:

• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Risk Management 3.0 provides risk managers with the ability to simulate complex risk scenarios through the use of Monte Carlo analysis. The Monte Carlo method is a method for analyzing the effect of uncertainty. Using this analysis technique, the risk team can determine how random variation or lack of knowledge affects the impact of risks. Impacts are randomly generated from probability distributions to simulate the process of sampling from an actual population. The data generated from the simulation can be represented as probability distributions (or histograms).

Introduction to Monte Carlo Analysis
Simulation is any analytical method that is meant to represent a real-life system. Monte Carlo analysis is a type of simulation that randomly generates values for uncertain variables over and over to simulate a model. In the context of risk management, we are trying to simulate the expected loss resulting from a risk event.


Monte Carlo analysis was named for the casinos of Monte Carlo, Monaco. Games of chance such as roulette wheels, dice, and slot machines exhibit random behavior. For example, if you roll a die, you know that either a 1, 2, 3, 4, 5, or 6, will come up, but you don’t know which for any particular trial. It is the same with risk exposure. You may know the range of loss values, but you would be uncertain as to the value for any particular occurrence of the risk event.

Possible loss values are defined with probability distributions. The type of distribution used depends on the conditions surrounding the risk. In SAP BusinessObjects Risk Management 3.0 the following probability distributions are provided:


Figure 39: Probability Distributions

• Discrete: Describes distinct loss values with no intermediate values. If you were to roll a die over and over, recording the results as you go, you would end up with a uniform structure with results ranging from 1 through 6. The result is a Discrete (equal probability that the number will be between 1 and 6) Uniform Distribution.

• Continuous: Assumes an infinite number of loss values between any two points in the distribution. Variables in a Continuous uniform distribution can randomly occur anywhere between finite or infinite values. Unlike the Discrete distribution, the results are not constrained (i.e., variables do not produce discrete results like rolling a single die).

• Normal: A Normal distribution (“bell curve”) is based on random results that are weighted by a predetermined average or mean, and a standard deviation. The standard deviation is a measure of variability from the mean. For example, if you were to take a poll of co-workers and have them guess a colleague’s age, you might wind up with a bell-shaped distribution curve with a mean value of 40 and a standard deviation of 1. Normal curves tend to have even distributions around the mean.

• Lognormal: Lognormal distributions are similar to normal distributions, but are generally characterized by a very large number of independent, identically-distributed variables whose natural log results in a normal distribution. Lognormal Distributions start at 0 and are skewed right. The degree of skewness increases as the standard deviation increases with the logarithmic mean held constant.


To select the correct probability distribution, start by looking at the risk in question. You might be able to gather historical loss information for similar risk events. If historical information is not available, use your judgement based on experience. Next, select the distribution that best characterizes the risk.


Performing a Monte Carlo Analysis

Use
To perform a Monte Carlo Analysis:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis using Monte Carlo. This opens a popup window that displays saved analysis scenarios. Choose the Create push-button. This opens a popup window.

2. Select the Component tab and enter the following:

   1. Name: The name of the analysis.
   2. Currency: The currency used to present the analysis results.
   3. Certainty: A percentage value between 50% and 99.99%.
   4. Description: A description of the analysis.

3. In the Risks table at the bottom of the window assign the risk events that you want to simulate. The system automatically retrieves all related Influence Factors. To assign risks to the analysis:

   1. Choose the Assign push-button. This opens a popup window to select the risks that are to be assigned to the analysis.
   2. Optional: Select the Organization Unit, Activity, Risk Category, and/or risk Name.
   3. Choose the Go push-button.
   4. Select the risks and choose the OK push-button.
   5. Choose the Save push-button.

4. Select the Assumption tab and enter the following:

   1. Number of Runs: The number of times you want to perform the analysis. For example, 5000.
   2. Frequency Distribution: Select the risk and enter the number of random numbers generated each run. For example, 2.
   3. Severity Distribution: For the selected risk, choose the probability distribution for the risk from the drop down (i.e., Continuous, Discrete, Lognormal, Normal). Next, choose the Details push-button and enter the parameters related to the selected probability distribution.

5. Choose the Simulate push-button. This will perform the analysis according to the Number of Runs that you specified.


6. When the simulation completes select the Result tab. Here you will see the following simulation results for the Certainty defined on the Component tab:

   1. The Average Case Impact.
   2. The Worst Case Impact.
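The simulation this procedure configures, sketched as an added Python example (not SAP's implementation and not part of the course material). It assumes each run sums the configured number of severity draws, that the Average Case Impact is the mean of the run totals, and that the Worst Case Impact is the run total at the Certainty percentile; the parameter names, the seed and the sample loss values are constructed for illustration.

```python
import math
import random


def severity_sampler(rng, kind, **p):
    """Return a zero-argument function that draws one loss value.

    The four kinds are the distributions named in the course text; the
    parameter names (values, low, high, ...) are assumptions of this sketch.
    """
    if kind == "Discrete":
        values = list(p["values"])  # distinct loss values, equal probability
        return lambda: rng.choice(values)
    if kind == "Continuous":
        return lambda: rng.uniform(p["low"], p["high"])
    if kind == "Normal":
        # Assumption: a loss is never negative, so draws are floored at 0.
        return lambda: max(0.0, rng.gauss(p["mean"], p["std_dev"]))
    if kind == "Lognormal":
        # log_mean / log_std_dev describe the normal distribution of ln(loss).
        return lambda: rng.lognormvariate(p["log_mean"], p["log_std_dev"])
    raise ValueError(f"unknown severity distribution: {kind}")


def simulate(runs, draws_per_run, kind, certainty, seed=None, **params):
    """Run the Monte Carlo analysis and summarise the simulated losses.

    runs          -> "Number of Runs" on the Assumption tab
    draws_per_run -> random numbers generated each run (Frequency Distribution)
    kind, params  -> Severity Distribution and its Details
    certainty     -> percentage from the Component tab (50 to 99.99)
    """
    if not 50 <= certainty <= 99.99:
        raise ValueError("certainty must be between 50 and 99.99 percent")
    if runs < 1 or draws_per_run < 1:
        raise ValueError("runs and draws_per_run must be at least 1")

    rng = random.Random(seed)  # seeded so a scenario can be reproduced
    draw = severity_sampler(rng, kind, **params)

    # One total loss per run, sorted so percentiles can be read off by rank.
    totals = sorted(
        sum(draw() for _ in range(draws_per_run)) for _ in range(runs)
    )

    # Assumed definition of "worst case": the loss that `certainty` percent
    # of the runs did not exceed (nearest-rank percentile).
    rank = math.ceil(certainty * runs / 100)
    worst_case = totals[min(runs, rank) - 1]

    return {
        "average_case": sum(totals) / runs,
        "worst_case": worst_case,
        "totals": totals,
    }


if __name__ == "__main__":
    # Constructed scenario: 5000 runs, 1 draw per run, Normal severity,
    # 80% certainty. Mean and standard deviation are sample values.
    result = simulate(5000, 1, "Normal", 80, seed=340,
                      mean=100_000, std_dev=15_000)
    print(f"Average Case Impact: {result['average_case']:,.0f} USD")
    print(f"Worst Case Impact (80% certainty): {result['worst_case']:,.0f} USD")
```

Raising the certainty moves the worst case further into the tail of the same simulated losses, which is why the two results should always be read together with the certainty that produced them.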


Exercise 13: Monte Carlo Analysis
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Perform a Monte Carlo Analysis

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Risk Management 3.0 provides risk managers with the ability to simulate complex risk scenarios through the use of Monte Carlo analysis. The Monte Carlo method is a method for analyzing the effect of uncertainty. Using this analysis technique, the risk team can determine how random variation or lack of knowledge affects the impact of risks. Impacts are randomly generated from probability distributions to simulate the process of sampling from an actual population. The data generated from the simulation can be represented as probability distributions (or histograms).

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1.
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Perform a Monte Carlo Analysis

1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis using Monte Carlo.

2. Select the Component tab and enter the following:

3. In the Risks table at the bottom of the window, assign the following risk to the analysis.

4. Select the Assumption tab and enter the following:

5. Choose the Simulate push-button.

6. When the simulation completes select the Result tab.


Solution 13: Monte Carlo Analysis

Task: Perform a Monte Carlo Analysis

1. Choose GRC Risk Management → Risk Assessment work center and select Scenario Analysis using Monte Carlo.

a) This opens a popup window that displays saved analysis scenarios. Choose the Create push-button. This opens a popup window.

2. Select the Component tab and enter the following:

a) Name: GRC340-XX-Comp

b) Currency: USD.

c) Certainty: 80%

d) Description: GRC340-XX-Component.

3. In the Risks table at the bottom of the window, assign the following risk to the analysis.

a) Organization Unit: GRC340-XX-Org

b) Activity: GRC340-XX-Act

c) Risk Category: Leave blank

d) Name: Leave blank.

4. Select the Assumption tab and enter the following:

a) Number of Runs: 5000.

b) Frequency Distribution: Select the risk XXXXX and enter 1 as the number of random numbers generated each run.

c) Severity Distribution: Choose the probability distribution Normal for the risk.

d) Choose the Details push-button and enter the following parameters related to the selected probability distribution:

   1. Standard Deviation: XXXXX
   2. Mean Value: XXXXX

5. Choose the Simulate push-button.

a) This will perform the analysis according to the Number of Runs that you specified.

6. When the simulation completes select the Result tab.

a) Review the Average Case Impact and the Worst Case Impact.


Lesson Summary

You should now be able to:
• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis


Lesson: Risk Validation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to validate a risk analysis.

Lesson Objectives
After completing this lesson, you will be able to:

• Validate a risk analysis

[Enter a description of what the instructor should discuss with the participants about the context of the lesson.]

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Risk validation is the process of reviewing and validating risks. Risk validation is optional and provides a mechanism for selective validation of critical risks.


Validating a Risk

Use
To validate a risk:

Procedure
1. Choose GRC Risk Management → Risk monitoring work center and select Planner. This opens a popup window that displays previously planned events. The Planner is a common SAP BusinessObjects component that can be used to schedule various types of activities and workflows.

2. Choose the Create push-button. This opens a guided activity popup window. Enter the following:

   1. Plan Name: The name of the risk validation plan.
   2. Plan Activity: Select Perform Risk Validation from the drop down list.
   3. Start Date: The date that the planner will initiate the workflow.
   4. Due Date: The date by which the validation must be completed.

3. Choose the Next push-button. Select the organization unit and choose the Next push-button.

4. Choose one of the following radio buttons to select the risks that are to be sent for validation:

   1. Select all Risks
   2. Select by Risk Attributes
   3. Select Specific Risk

5. Choose the Next push-button. Review the results of the planner setup. Choose the Show Detail push-button to see which risks have been selected.

6. Choose the Activate Plan push-button to activate the risk validation process.

7. Choose the Finish push-button to return to the planner table.


The Validation Steps

Use
The risk validation initiated using the Planner will create a Work Inbox assignment for the recipients (Risk Owners). To access the work assignment the designated risk validator must do the following:

Procedure
1. Select the My Home work center under GRC Risk Management.

2. Select the Work Inbox. From the list of workflow items, select the risk validation task. This will open a popup window.

Figure 40: Risk Validation

3. Choose the Approve push-button to complete the risk validation work item.


Exercise 14: Risk Validation
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Validate a risk analysis

Business Example
Identified risks are not always equally critical. Risks need to be analyzed before deciding which risks should be addressed. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they become known.

Risk validation is the process of reviewing and validating risks. Risk validation is optional and provides a mechanism for selective validation of critical risks.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Validate a risk analysis

1. Choose GRC Risk Management → Risk monitoring work center and select Planner.

2. Choose the Create push-button. Enter the following:

3. Choose the Next push-button.

4. Choose the Next push-button.

5. Choose the Next push-button


Solution 14: Risk Validation

Task: Validate a risk analysis

1. Choose GRC Risk Management → Risk monitoring work center and select Planner.

a) This opens a popup window that displays previously planned events.

2. Choose the Create push-button. Enter the following:

a) Plan Name: GRC340-XX-Plan.

b) Plan Activity: Select Perform Risk Validation from the drop down list.

c) Start Date: Enter today’s date.

d) Due Date: XXXXX.

3. Choose the Next push-button.

a) Select the organization unit GRC340-XX-Org

4. Choose the Next push-button.

a) Choose Select all Risks

5. Choose the Next push-button

a) Review the results of the planner setup. Choose the Show Detail push-button to see which risks have been selected.

b) Choose the Activate Plan push-button to activate the risk validation process.

c) Choose the Finish push-button to return to the planner table.


Lesson Summary

You should now be able to:
• Validate a risk analysis


Unit Summary
You should now be able to:
• Explain how surveys work
• Explain how to create a risk survey
• Explain the difference between inherent and residual risk
• Explain the difference between qualitative and quantitative risk analysis
• Explain how a risk level matrix is constructed
• Perform a residual risk analysis
• Create grouped risks
• Create risk inter-relationships
• Create a Scenario Classification and Sub-classification
• Create a Scenario Case
• Create a Scenario Case Analysis
• Create a Response to a Scenario Case
• Review the Scenario Case and use Sensitivity Analysis
• Explain Monte Carlo analysis
• Perform a Monte-Carlo Analysis
• Validate a risk analysis


Unit 5: Risk Response

In this unit you will learn how to respond to a risk or opportunity by adding a response to a risk and running the residual risk analysis.

Unit Overview
In this unit you will learn the various ways in which responses are used with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:

• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response
• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a risk to a response in the Risk Response Tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)
• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response Tab
• Explain how the Response Completeness and Effectiveness are updated
• Update the Response completeness and Effectiveness and thereby create the current Residual Risk result.
• Assign a Control to a Risk
• Propose a Control to manage a risk

Unit Contents
Lesson: Responses and Enhancement Plans
  Procedure: Creating a Risk Response in the Responses and Enhancement Plans catalogue
  Exercise 15: Create a Risk Response

Lesson: Response Assignment
  Procedure: Assign a Risk Response to a Risk
  Procedure: Create the Residual Risk (Planned) Analysis
  Exercise 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis

Lesson: Creating a new Response in a risk
  Procedure: Creating a new Risk Response directly within the Response Plans tab of a Risk
  Exercise 17: Create a Risk Response

Lesson: Residual Risk Analysis (current)
  Procedure: Updating a Risk Response with the current Effectiveness and Completeness results
  Procedure: View the Residual Risk Analysis
  Exercise 18: Perform Residual Risk Analysis (current)

Lesson: Assign a Control to a Risk
  Procedure: Assigning a Control to a Risk
  Exercise 19: Assign a Control to a Risk

Lesson: Control Proposal
  Procedure: Proposing a Control to a Risk
  Exercise 20: Control Proposal


Lesson: Responses and Enhancement Plans
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to create a response to a risk and how to create an enhancement plan for an opportunity in the Response and Enhancement Plans catalogue.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response

In this lesson you will discuss creation of response or enhancement plans for risks and opportunities. Keep in mind that responses and enhancements can be made in this catalogue as well as in the risk or opportunity itself.

Business Example
Some risk response measures are generic or common across many risks and applicable in many parts of the business. Maintaining a Responses catalogue allows the organization to reuse successful risk responses across different risks and different parts of the business. This technique promotes adherence to risk policy and facilitates learning.

What is the Responses & Enhancement Plans catalogue?
The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.


Creating a Risk Response in the Responses and Enhancement Plans catalogue

Use
To create a risk response:

Procedure
1. Choose GRC Risk Management → Risk Assessment work center and select Responses & Enhancement Plans. This opens an Active Queries window that displays the responses and enhancement plans.

2. To create a new risk response, choose the Create push-button and select Response.

Figure 41: Create Response


3. Complete the response creation. The response information includes the following (fields marked with an asterisk ('*') are mandatory):

   1. Name: Response title
   2. Description: Description of the response
   3. Response Details: Steps or Actions required to perform the response
   4. Organization Unit: The part of the business where the Response would be applicable (select from a dropdown pick list)
   5. Owner: The person responsible for the Response (select from drop down pick list)
   6. Type: Response Type (i.e. Accept, Watch, Transfer, Mitigate)
   7. Purpose: How the risk will be affected (i.e. Prevent, Recover)
   8. Share Response: Can the response be used by all parts of the business or not (i.e. Shared – Requires Approval, Shared – Does not require Approval, Not Shared)
   9. Status: The response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.

4. Choose the Submit push-button to save the Response.


Exercise 15: Create a Risk Response
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a risk response in the catalog.

Business Example
Some risk response measures are generic or common across many risks and applicable in many parts of the business. The same is true for measures to improve the positive effects (enhancement plans) of opportunities. Maintaining a Responses catalogue allows the organization to reuse successful risk responses across different risks and different parts of the business. This technique promotes adherence to risk policy and facilitates learning.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.

2. Choose the Create push-button and select Response from the drop down pick list.

3. Complete the response creation as follows:

4. Choose the Submit push-button to save the Response.


Solution 15: Create a Risk Response

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.

a) This opens the Active Queries window that displays the existing responses and enhancement plans.

2. Choose the Create push-button and select Response from the drop down pick list.

a) This opens a popup window that displays the response form.

3. Complete the response creation as follows:

a) Name: GRC340-XX-Response

b) Description: GRC340-XX-Response

c) Response Details: XXXXXXXXXXXX

d) Organization Unit: XXXXXXXXXX (select from a dropdown picklist)

e) Owner: XXXXXXXXXXXX (select from drop down pick list)

f) Type: Mitigate (select from drop down pick list)

g) Purpose: Prevent (select from drop down pick list)

h) Share Response: Not Shared (select from drop down pick list)

i) Status: Note that the response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.

4. Choose the Submit push-button to save the Response.

a) This saves the new response.


Lesson Summary

You should now be able to:
• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response


Lesson: Response Assignment
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will show you how to assign a response to a risk.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a risk to a response in the Risk Response Tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)

In this lesson you will discuss adding the response from the previous chapter to a risk that was already created.

Business Example
Once a risk has been identified and the inherent risk level analyzed, the next step is to decide what, if anything, should be done about the risk. Decisions need to be made about measures to take to reduce the risk's probability of occurring and/or reduce the risk impact if it does occur. It could be decided that no immediate action is needed or possible, and this 'decision' in itself needs to be recorded.

For each response the effect on the risk needs to be determined, in terms of the reduction of the probability of the risk occurring and/or the reduction in the impact(s) of the risk. It is these reduction effects that result in the calculation of the level of Residual Risk (Planned). This is the target likelihood and impact required for the risk level to be acceptable.


Assign a Risk Response to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens an Active Queries window that displays the risks and opportunities.

2. Select a Risk from the Active Queries result and choose the Open push-button. This opens a popup window that displays the risk information.

Figure 42: Risk

3. Select the Response tab.


Figure 43: Response Tab

4. If there are existing responses already assigned to the risk these will display in the Response tab template. The main display area will show summary information about existing responses (and controls) and the lower portion of the window will display the Probability and Loss Reduction and Mitigation Effect data for the highlighted response or control for the most recent Analysis Date.

5. To assign a risk response from the Responses catalogue, choose the Assign push-button and select Response. A search dialogue popup will display.


Figure 44: Assign Existing Responses

6. The search can be restricted based on Response Name, Response Owner, and Response Type. Choose the Search push-button to search all responses.

Figure 45: Search Available Responses

7. Select a response to assign to the risk. The selected response will appear in the Responses area of the window.


Figure 46: Responses in Response Tab

8. All responses (existing and new) will show in the Responses area of the screen.

9. Choose Save to save the response and the risk.


Create the Residual Risk (Planned) Analysis

1. From the Active Queries window, choose Open to reopen the risk

2. Select Responses tab

3. Highlight the response most recently created.

4. The lower part of the window displays the following information:

   1. Analysis Date:
   2. Probability Reduction:
   3. Total Loss Reduction:
   4. Mitigation Effect:

Figure 47: Responses in Response Tab

5. The values you see in these fields depend on which Response or Control is selected.

6. Depending on the system configuration setting for the Risk Analysis methods selected, and on the Impact category or categories relevant for this risk, these fields will require or show either qualitative or quantitative input.

7. Analysis Date: This will show the most recently selected Analysis Date from the Analysis Tab. The default is the most recent date available.


8. Probability Reduction:

• Assuming a Quantitative analysis method is available, enter into the Reduction field a probability percentage representing the degree of reduction in the overall probability level.

– (For example: If the Inherent Risk Probability = 90% and you enter 40% in the Probability Reduction, the Residual Risk Probability will be 50%, i.e. 90 – 40 = 50.)

• Assuming a Qualitative analysis method is available for probability, select the appropriate probability category.

9. Loss Reduction:

• Choose the Impact Category Allocation push-button. This opens a popup window.

• Assuming a Qualitative analysis method is available, enter the Reduction amount and, if available, additionally enter the Unit of Measurement.

• Assuming a Qualitative analysis method is available, in the Mitigation Effect field, using the dropdown picklist, select the appropriate qualitative reduction effect.

10. Choose the OK push-button to close the Impact Allocation popup window.

11. The Mitigation Effect (if it is being used) will display in the MitigationEffect field.

12. Choose the Save push-button to save the responses and its Residual Risk (Planned) Analysis.

13. To view the aggregate Residual Risk (Planned) Analysis, select the Analysis tab.


Figure 48: Residual Risk (Planned) in Response Tab


Exercise 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Assign a risk response to a risk
• Perform a Residual Risk (Planned) analysis

Business Example
Risk Response - Once a risk has been identified and the inherent risk level analyzed, the next step is to decide what, if anything, should be done about the risk. Decisions need to be made about measures to take to reduce the risk's probability of occurring and/or reduce the risk impact if it does occur. It could be decided that no immediate action is needed or possible, and this 'decision' in itself needs to be recorded.

Residual Risk (Planned) Analysis - For each response the effect on the risk needs to be determined, in terms of the reduction of the probability of the risk occurring and/or the reduction in the impact(s) of the risk. It is these reduction effects that result in the calculation of the level of Residual Risk (Planned). This is the target likelihood and impact required for the risk level to be acceptable.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task 1: Assign a Risk Response

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.


3. Select the risk GRC340-XX-Risk and choose the Open push-button.

4. Select the Response Plans tab.

5. Assign a response to the risk:

6. Choose the Search push-button to search for available Responses.

7. Select a Response by highlighting it; and choose the OK push-button

8. Save the Response

Task 2: Creating a Residual Risk (Planned) Analysis

1. Open the Risk in the Active Query window

2. Navigate to the Responses tab

3. Select the newly created response from the Response Plans summary by highlighting it.

The lower part of the window displays the following information:

a) Analysis Date:
b) Probability Reduction:
c) Total Loss Reduction:
d) Mitigation Effect:

4. Choose the OK push-button

5. Choose the Save pushbutton


Solution 16: Assign a Response to a Risk and Creating a Residual Risk (Planned) Analysis

Task 1: Assign a Risk Response

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risk table for the selected organization unit.

2. Choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

a) Select Type as Risk.

b) Select the organization unit GRC340-XX-Org

c) Choose the Apply push-button.

d) Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk GRC340-XX-Risk and choose the Open push-button.

a) This opens a popup window that displays the risk information.

4. Select the Response Plans tab.

a) A table is displayed showing a summary of existing Responses and Controls for this risk.

5. Assign a response to the risk:

a) Choose Assign push-button. Select Response from the menu list.

6. Choose the Search push-button to search for available Responses.

a) A list of available responses displays

7. Select a Response by highlighting it; and choose the OK push-button

a) The selected response is returned to the Response Plans window.

8. Save the Response

a) Select the Save push-button to Save the Response.


Task 2: Creating a Residual Risk (Planned) Analysis

1. Open the Risk in the Active Query window

a) Select the Open push-button when the risk is highlighted

2. Navigate to the Responses tab

a) Select the Response tab

3. Select the newly created response from the Response Plans summary by highlighting it.

The lower part of the window displays the following information:

a) Analysis Date:
b) Probability Reduction:
c) Total Loss Reduction:
d) Mitigation Effect:

a) Enter a Probability Reduction: 10%

b) Choose the Impact Category Allocation push-button

c) Quantitative Analysis: Enter Reduction: 10000

d) Qualitative Analysis: AND/OR Select from the Mitigation Effect field “Medium”.

4. Choose the OK push-button

a) The Impact Category Allocation window closes

5. Choose the Save pushbutton

a) The Response and its associated Residual Risk (Planned) Analysis is saved.


Lesson Summary

You should now be able to:

• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a risk to a response in the Risk Response Tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)


Lesson: Creating a new Response in a risk

Lesson Duration: 15 Minutes

Lesson Overview

This lesson will show you how to create a new response from within a risk.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response Tab

In this lesson you will discuss creating a response directly in the risk instead of in the Risk and Enhancement Plans section.

Business Example

Once a risk has been identified and the inherent risk level analyzed, the next step is to decide what, if anything, should be done about the risk. Existing response measures need to be reviewed to see if any of them are suitable to mitigate this risk. The catalogue of response measures should be browsed and any suitable ones selected for this risk. However, if there are no appropriate existing measures a new response should be created.

This can be performed directly from within the response tab of the risks in the GRC RM 3.0 system.


Creating a new Risk Response directly within the Response Plans tab of a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens an Active Queries window that displays the risks and opportunities.

2. Select a Risk from the Active Queries result and choose the Open push-button. This opens a popup window that displays the risk information.

3. Select the Response Plans tab.

4. Choose the Create push-button, and select Response from the dropdown menu options.

5. Complete the response creation. The response information includes the following (fields marked with (*) are mandatory):

   1. Name: Response title
   2. Description: Description of the response
   3. Response Details: Steps or Actions required to perform the response
   4. Organization Unit: This field will be pre-populated with the organisation unit where the risk belongs.
   5. Owner: The person responsible for the Response (this field will be pre-populated with the current user).

      a) If a different user is selected, the user will be prompted to enter a Response Notification Date. The selected user will receive a Response Notification in their workflow inbox.

   6. Type: Response Type (i.e. Accept, Watch, Transfer, Mitigate)
   7. Purpose: How the risk will be affected (i.e. Prevent, Recover)
   8. Share Response: Can the response be used by all parts of the business or not? The options are: Shared – Requires Approval; Shared – Does not require Approval; Not Shared. As the response is being created directly for the current risk this may influence the option selected.
   9. Status: The response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.

6. Choose the Submit push-button to save the response which gives it the status of Active.

7. Refer to the previous exercise to perform the Residual Risk (Planned) Analysis.


Exercise 17: Create a Risk Response

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Create a risk response in the catalog.

Business Example

Some risk response measures are generic or common across many risks and applicable in many parts of the business. The same is true for measures to improve the positive effects (enhancement plans) of opportunities. Maintaining a Responses catalogue allows the organization to reuse successful risk responses across different risks and different parts of the business. This technique promotes adherence to risk policy and facilitates learning.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.

2. Choose the Create push-button and select Response from the drop down pick list.

3. Complete the response creation as follows:

4. Choose the Submit push-button to save the Response.


Solution 17: Create a Risk Response

Task: Create a risk response in the Responses and Enhancement Plans catalog.

The Responses and Enhancement Plans catalogue is the master data table. This is where standard Responses and standard Enhancement Plans are maintained. Risk owners can browse the Responses and Enhancement Plans catalogue to select from a list of standard responses or enhancements applicable to their risk or opportunity from the master data table.

1. Choose GRC Risk Management → Risk Assessment work center and select Response & Enhancement Plan Management.

a) This opens the Active Queries window that displays the existing responses and enhancement plans.

2. Choose the Create push-button and select Response from the drop down pick list.

a) This opens a popup window that displays the response form.

3. Complete the response creation as follows:

a) Name: GRC340-XX-Response

b) Description: GRC340-XX-Response

c) Response Details: XXXXXXXXXXXX

d) Organization Unit: XXXXXXXXXX (select from a dropdown picklist)

e) Owner: XXXXXXXXXXXX (select from drop down pick list)

f) Type: Mitigate (select from drop down pick list)

g) Purpose: Prevent (select from drop down pick list)

h) Share Response: Not Shared (select from drop down pick list)

i) Status: Note that the response is in status Draft and can be saved as Draft by selecting the Save Draft pushbutton. Selecting Submit will make the response plan active.

4. Choose the Submit push-button to save the Response.

a) This saves the new response.


Lesson Summary

You should now be able to:

• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response Tab


Lesson: Residual Risk Analysis (current)

Lesson Duration: 15 Minutes

Lesson Overview

This lesson will show you how to update the risk response with the latest effectiveness and completeness results and thereby create a residual risk analysis for a risk.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain how the Response Completeness and Effectiveness are updated
• Update the Response completeness and Effectiveness and thereby create the current Residual Risk result.

In this lesson you will discuss with the students the difference between running an inherent risk analysis and the current risk analysis (residual).

Business Example

Three measures of risk are often tracked as part of the risk management process.

Inherent Risk – risk before responses or with current responses,

Residual Risk Planned (or often referred to as Target Risk) – the level of risk that is acceptable to the organization and the target towards which the risk management efforts are focused, and

Residual Risk – this is the current or actual risk level based on the completeness and effectiveness of the risk response measures.

The response in GRC RM 3.0 is updated with Completeness and Effectiveness results so that businesses can track where they are with the risk management plans, and see how far they are away from the target risk level.

This functionality is available for responses in status Active.

Shared responses can be updated with the latest Completeness and Effectiveness results from Response and Enhancement Plan Management.


Updating a Risk Response with the current Effectiveness and Completeness results

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens an Active Queries window that displays the current risks and opportunities.

2. Select a Risk from the Active Queries result and choose the Open push-button. This opens a popup window that displays the risk information.

3. Select the Response Plans tab.

4. Highlight a Response. Ensure Response in status Active is highlighted from the available responses in the Response summary table.

5. Choose Open push-button. The highlighted response will open in a popup window.

6. The following fields are available to update with the latest risk response information under the Response Details heading (right side of the window):

   1. Response Details: text field for actual steps or tasks
   2. Actual Start Date: must be in the past
   3. Actual Finish Date: cannot be in the future
   4. Overwrite Completeness: This is a checkbox to allow access to the next field (Completeness)
   5. Completeness: percentage completeness of this response
   6. Response Effectiveness: this is a heading
   7. Effective From: date
   8. Effective To: date
   9. Current Effectiveness: Dropdown picklist: “Somewhat Effective”

7. Choose Save push-button. The updates to the response are saved.

8. Choose Save push-button. The risk and the response updates are saved. The user is returned to the Active Queries window.

Note: Just saving the response updates is not enough. To have the response data updates saved permanently, it is necessary to Save the whole risk.


View the Residual Risk Analysis

1. Choose Open push-button to reopen the risk.

2. Select the Analysis Tab.

3. View the updated analysis Residual Risk, where the response updates to Completeness and Effectiveness will be reflected.

Figure 49: Residual Risk Analysis

4. Highlight the Residual Risk by selecting the square to the immediate left.

5. Notice in the area below the Analysis:

1. The Probability will reflect the aggregate residual probability based on the updates to all the individual responses

2. The Total Loss will reflect the aggregate residual total loss based on the updates to all the individual responses (for Quantitatively analysed risks)

3. The Impact Level will reflect the aggregate residual impact level based on the updates to all the individual responses

Note: The breakdown of Total Loss can be viewed by selecting Impact Category Allocation.


Figure 50: Impact Category Allocation


Exercise 18: Perform Residual Risk Analysis (current)

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Update a risk response with the current Completeness and Effectiveness result

Business Example

Three measures of risk are often tracked as part of the risk management process.

Inherent Risk – risk before responses or with current responses,

Residual Risk Planned (or often referred to as Target Risk) – the level of risk that is acceptable to the organization and the target towards which the risk management efforts are focused, and

Residual Risk – this is the current or actual risk level based on the completeness and effectiveness of the risk response measures.

The response in GRC RM 3.0 is updated with Completeness and Effectiveness results so that businesses can track where they are with the risk management plans, and see how far they are away from the target risk level.

This functionality is available for responses in status Active.

Shared responses can be updated with the latest Completeness and Effectiveness results from Response and Enhancement Plan Management.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task 1: Update a Risk Response with the current Effectiveness and Completeness results

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.


2. This opens a popup window that displays the risk information.

3. Select the Response Plans tab.

4. Highlight a Response. Ensure Response in status Active is highlighted from the available responses in the Response summary table.

5. Choose Open push-button.

6. Update the response with current Completeness and Effectiveness results.

7. Save the response.

8. Save the risk

Task 2: View the Residual Risk Analysis

1. To view the Residual Risk Analysis, choose Open push-button to reopen the risk.

2. Select the Analysis Tab

3. View the updated analysis Residual Risk, where the response updates to Completeness and Effectiveness will be reflected.

4. Select Residual Risk


Solution 18: Perform Residual Risk Analysis (current)

Task 1: Update a Risk Response with the current Effectiveness and Completeness results

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens an Active Queries window that displays the current risks and opportunities.

2. This opens a popup window that displays the risk information.

a) This opens a popup window that displays the risk information.

3. Select the Response Plans tab.

a) This displays the Response window.

4. Highlight a Response. Ensure Response in status Active is highlighted from the available responses in the Response summary table.

a) The highlighted response is in status Active.

5. Choose Open push-button.

a) The highlighted response will open in a popup window.

6. Update the response with current Completeness and Effectiveness results.

a) The following fields are available to update with the latest risk response information under the Response Details heading (right side of the window):

   1. Response Details: XXXXX
   2. Actual Start Date: XXXXX
   3. Actual Finish Date: XXXXX
   4. Overwrite Completeness: This is a checkbox
   5. Completeness: 50%
   6. Response Effectiveness: This is a heading
   7. Effective From: leave as default
   8. Effective To: leave as default
   9. Current Effectiveness: Somewhat Effective


7. Save the response.

a) Choose Save push-button.

The update to the response is saved.

8. Save the risk

a) Choose Save push-button

The risk and the response updates are saved. The user is returned to the Active Queries window.

Task 2: View the Residual Risk Analysis

1. To view the Residual Risk Analysis, choose Open push-button to reopen the risk.

a) The risk opens in a popup window.

2. Select the Analysis Tab

a) The Analysis window displays.

3. View the updated analysis Residual Risk, where the response updates to Completeness and Effectiveness will be reflected.

a) In the Analysis section of the window, notice 3 analyses display:

   1. Inherent Risk
   2. Residual Risk
   3. Residual Risk (planned).

4. Select Residual Risk

a) Highlight the Residual Risk by selecting the square to the immediate left.

b) Notice in the area below the Analysis:

   1. The Probability will reflect the aggregate residual probability based on the updates to all the individual responses

   2. The Total Loss will reflect the aggregate residual total loss based on the updates to all the individual responses (for Quantitatively analysed risks)

   3. The Impact Level will reflect the aggregate residual impact level based on the updates to all the individual responses

c) The breakdown of Total Loss can be viewed by selecting Impact Category Allocation.


Lesson Summary

You should now be able to:

• Explain how the Response Completeness and Effectiveness are updated
• Update the Response completeness and Effectiveness and thereby create the current Residual Risk result.


Lesson: Assign a Control to a Risk

Lesson Duration: 10 Minutes

Lesson Overview

This lesson will show you how to assign a control to a risk.

Lesson Objectives

After completing this lesson, you will be able to:

• Assign a Control to a Risk

In this lesson you will discuss with the students the integration between Process Controls and Risk Management when it comes to assigning a control as a response plan.

Business Example

Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks.

What is a Control?

A control is a process step or task performed as part of routine business operations with the purpose of mitigating risk.


Assigning a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk to which you want to assign a control and choose the Open push-button. This opens a popup window that displays the risk information.

4. Select the Responses tab. Current Responses and Controls will display in the window.

Figure 51: Responses and Controls

5. To assign a control to the risk, select the Assign push-button and select the Control menu option.


6. From the available search criteria select:

   1. Choose the Regulation: SOX
   2. Note: The search can further be refined as follows: Select the Organization Unit, Control Name, Process, and/or Subprocess to pinpoint the control to be selected.
   3. Choose the Go push-button.
   4. Browse the available controls
   5. Optional: Select the Open push-button to view the details of the control
   6. Select the control and choose the OK push-button.
   7. Repeat as often as needed to select all the required controls.

   a) The Control shows in the Responses window in status Active.
   b) The Effectiveness and Completeness will be blank.
   c) When the assessment cycle is complete on the new control the Effectiveness and Completeness results will be updated.

Figure 52: Responses and Controls


Exercise 19: Assign a Control to a Risk

Exercise Duration: 30 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Assign a Control to a Risk

Business Example

Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Assign a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. Display the risk where the control will be assigned.

3. Select the risk to which you want to assign a control and open the risk.

4. Navigate to the Response tab.

5. Select the Assign Control menu option.

6. Select a control.

7. Save the Control and Risk.


Solution 19: Assign a Control to a Risk

Task: Assign a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risk table for the selected organization unit.

2. Display the risk where the control will be assigned.

a) To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk to which you want to assign a control and open the risk.

a) Highlight the required risk and choose the Open push-button. This opens a popup window that displays the risk information.

4. Navigate to the Response tab.

a) Select the Responses tab. Current Responses and Controls will display in the window.

5. Select the Assign Control menu option.

a) To assign a control to the risk, select the Assign push-button and select the Control menu option.


6. Select a control.

a) From the available search criteria select:

   1. Choose the Regulation: SOX
   2. Note: The search can further be refined as follows: Select the Organization Unit, Control Name, Process, and/or Subprocess to pinpoint the control to be selected.
   3. Choose the Go push-button.
   4. Browse the available controls
   5. Optional: Select the Open push-button to view the details of the control
   6. Select the control and choose the OK push-button.
   7. Repeat as often as needed to select all the required controls.

7. Save the Control and Risk.

a) Choose the Save push-button to save the controls with the risk.


Lesson Summary

You should now be able to:

• Assign a Control to a Risk


Lesson: Control Proposal

Lesson Duration: 10 Minutes

Lesson Overview

This lesson will show you how to propose a control.

Lesson Objectives

After completing this lesson, you will be able to:

• Propose a Control to manage a risk

In this lesson you will discuss with the students the integration between Process Controls and Risk Management when it comes to proposing a control from Risk Management.

Business Example

Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks. If a suitable control does not exist for a particular risk a new control can be proposed for inclusion into the overall internal controls system.

What is a Control?

A control is a process step or task performed as part of routine business operations with the purpose of mitigating risk.


Proposing a Control to a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management. This opens a popup window that displays the risk table for the selected organization unit.

2. To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

   1. Select Type as Risk.
   2. Select the organization unit.
   3. Choose the Apply push-button.
   4. Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk for which you want to propose a control and choose the Open push-button. This opens a popup window that displays the risk information.

4. Select the Responses tab. Current Responses and Controls will display in the window.

Figure 53: Responses and Controls

5. To propose a control for managing the risk, select the Create push-button and select the Control Proposal menu option.


Figure 54: Controls Proposal


6. From the available fields enter the data about the control requested:

   1. Choose the Regulation/Policy: XXX (SOX) select from dropdown picklist

   Note: The search can further be refined as follows:

   2. Choose the Organization Unit: select from dropdown picklist
   3. Enter Control Name: XXXXX
   4. Enter Subprocess: select from dropdown picklist
   5. Enter Control Description: describe what you want the control to do
   6. Choose Control Significance: (Key Control or Standard Control)
   7. Choose Control Automation: select a radio button Automated, Semi-Automated, Manual
   8. Choose Control Purpose: select a radio button Detective or Preventative
   9. Choose Nature: select from dropdown picklist
   10. Select Trigger: select a radio button Event or Date
   11. If Date is selected then Select Frequency from drop down pick list (e.g. Annual, Quarterly, Monthly, Daily, etc)
   12. If Event is selected then Enter Event Description: XXXXX
   13. Enter Valid From and Valid To - adjust from the default values if needed
   14. Enter Notes: Additional comments or instructions to the Internal Controls Manager to help them evaluate the Control Proposal.

7. Choose the Submit push-button to save the Control Proposal with the risk.


Figure 55: Control Proposal

8. The Submitted Control Proposal shows in the Responses summary window with status “Proposed”.

   1. The Effectiveness and Completeness will be blank.
   2. Once the Internal Controls Manager in Process Control approves the Control Proposal, it will change to status “Active”.
   3. When the assessment cycle is complete on the new control the Effectiveness and Completeness results will be updated.


Figure 56: Controls Proposal

9. Choose Save to save the risk and the control proposal.


Exercise 20: Control Proposal
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Propose a Control to manage a risk

Business Example
Most businesses will seek to respond to certain risks or types of risks (e.g. financial processes) through the creation and operation of controls. These controls would form a part of the company’s internal controls system or framework. Controls are assigned to risks. If a suitable control does not exist for a particular risk, a new control can be proposed for inclusion into the overall internal controls system.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Proposing a Control for a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

2. Display the required risk.

3. Select the risk for which you want to propose a control.

4. Select the Responses tab.

5. Propose a Control

6. Enter the Control data:

7. Submit the Control Proposal

8. Save the Risk and the Control Proposal.


Solution 20: Control Proposal
Task: Proposing a Control for a Risk

1. Choose GRC Risk Management → Risk Assessment work center and select Risk and Opportunity Management.

a) This opens a popup window that displays the risk table for the selected organization unit.

2. Display the required risk.

a) To display risks for a specific organization unit where you have user authorization, choose the Show Quick Criteria Maintenance push-button at the top of the risk table.

a. Select Type as Risk.
b. Select the organization unit.
c. Choose the Apply push-button.
d. Choose the Hide Quick Criteria Maintenance push-button.

3. Select the risk for which you want to propose a control.

a) Highlight the Risk and choose the Open push-button. This opens a popup window that displays the risk information.

4. Select the Responses tab.

a) Current Responses and Controls will display in the window.

5. Propose a Control

a) To propose a control for managing the risk, select the Create push-button and select the Control Proposal menu option.


6. Enter the Control data:

a) From the available fields, enter the data about the control requested:

a. Choose the Regulation/Policy: XXX (SOX) select from dropdown picklist

Hint: The search can further be refined as follows:

b. Choose the Organization Unit: select from dropdown picklist
c. Enter Control Name: XXXXX
d. Enter Subprocess: select from dropdown picklist
e. Enter Control Description: describe what you want the control to do
f. Choose Control Significance: (Key Control or Standard Control)
g. Choose Control Automation: select a radio button Automated, Semi-Automated, Manual
h. Choose Control Purpose: select a radio button Detective or Preventative
i. Choose Nature: select from dropdown picklist
j. Select Trigger: select a radio button Event or Date
k. If Date is selected then Select Frequency from dropdown picklist (e.g. Annual, Quarterly, Monthly, Daily, etc.)
l. If Event is selected then Enter Event Description: XXXXX
m. Enter Valid From and Valid To - adjust from the default values if needed
n. Enter Notes: Additional comments or instructions to the Internal Controls Manager to help them evaluate the Control Proposal.

7. Submit the Control Proposal

a) Choose the Submit push-button to save the Control Proposal with the risk.

Note: Choosing Submit triggers an automatic workflow to the Internal Controls Manager.

8. Save the Risk and the Control Proposal.

a) Choose the Save push-button to save the Risk including the new Control Proposal data.


Lesson Summary

You should now be able to:
• Propose a Control to manage a risk


Unit Summary
You should now be able to:
• Explain the purpose of the Responses and Enhancement Plans catalogue
• Create a catalogue Response
• Explain the purpose of risk responses
• Explain how Residual Risk (Planned) is determined
• Assign a risk to a response in the Risk Response Tab
• Perform a residual risk analysis
• Review the overall Residual Risk (Planned)
• Explain the reasons for creating a response directly within a risk
• Assign a response to a risk in the Risk Response Tab
• Explain how the Response Completeness and Effectiveness are updated
• Update the Response Completeness and Effectiveness and thereby create the current Residual Risk result.
• Assign a Control to a Risk
• Propose a Control to manage a risk


Unit 6: Key Risk Indicators

Unit Overview
In this unit you will learn the various ways in which risks can be analyzed with SAP BusinessObjects Risk Management.

Unit Objectives
After completing this unit, you will be able to:

• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI
• Explain what is needed to design a KRI
• Explain why SAP Query is needed
• Create a KRI template
• Request a KRI Implementation
• Implement a KRI
• Add an implemented KRI to a risk
• Request the localization of a KRI.
• Configure a KRI business rule.

Unit Contents
Lesson: Introduction to Key Risk Indicators
Lesson: KRI Design
Lesson: KRI Template Creation
    Procedure: Creating a KRI Template
    Procedure: Requesting KRI Implementations
    Exercise 21: Create a KRI Template
Lesson: KRI Implementation
    Procedure: To implement a KRI
    Exercise 22: Implement a KRI
Lesson: KRI Instantiation
    Procedure: To add a KRI to a risk
    Exercise 23: Add a KRI to a Risk
Lesson: KRI Localization
    Procedure: To localize a KRI
    Exercise 24: Localize a KRI
Lesson: KRI Business Rules
    Procedure: Business Rule Configuration
    Procedure: Resetting a KRI Violation
    Exercise 25: Configure a KRI Business Rule


Lesson: Introduction to Key Risk Indicators
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will introduce you to Key Risk Indicators (“KRIs”).

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI

In this lesson you will discuss exactly what a KRI is and how KRIs are used in the Risk Management system.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. A KRI can be quantitative (e.g. turnover rate in a business unit), or qualitative (e.g. adequacy of a system). To be useful, a KRI always has to be linked to one of the risk drivers.

What are Key Risk Indicators
A Key Risk Indicator (KRI) is a forward-looking measure that provides a basis for estimating the likelihood of a risk event. A KRI can be quantitative (e.g. turnover rate in a business unit) or qualitative (e.g. adequacy of a system). To be useful, a KRI always has to be linked to one of the risk drivers (or causes).

Historical performance trend is used as the basis for a forward-looking perspective. KRIs provide early warning signals by highlighting trends and changes in risk level by monitoring changes in actual performance.

Figure 57: Key Risk Indicators


KRIs can use data from SAP and non-SAP systems. Examples are:

• Cash position by day/currency (SAP ERP Financials)
• Quality of Service Provision (SAP Supply Chain Management)
• Number of warranty claims (SAP ERP Operations)
• Number of credit breaches per month (ROME Credit Risk)
• Employee Utilization (SAP Human Capital Management)
• Illness Rate (SAP Human Capital Management)

The following should be taken into consideration when designing KRIs:

• Design the best KRIs independent of data availability; use interim KRIs if desired data is not available.
• Work with the business to design the KRIs.
• Keep KRIs simple to be understood.
• Establish KRIs that can be used across all business areas and locations if possible.
• Make sure KRIs are quantifiable.
• Use pre-defined escalation criteria for management actions (e.g. Acceptable; Acceptable but Watch; Unacceptable)


Lesson Summary

You should now be able to:
• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI


Lesson: KRI Design
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will provide an approach for designing Key Risk Indicators for implementation in SAP BusinessObjects Risk Management.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain what is needed to design a KRI
• Explain why SAP Query is needed

In this lesson you will discuss how a KRI is designed and what questions to ask.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk. KRIs with good predictive capabilities are critical.

KRI Design Steps
Certain design steps should be undertaken before implementing a Key Risk Indicator in SAP BusinessObjects Risk Management. To start, you need a specific risk event for which the KRIs will be used. A KRI is not a stand-alone metric; it is a measure that provides a basis for estimating the likelihood of a specific risk event.


Start by asking the following questions when evaluating potential KRIs:

• Can the KRI be measured at a frequency that is low enough to identify a potential risk event?
• Can KRI trigger levels be established?
• Can clear escalation criteria be established?
• Is the KRI leading enough?
• Is there a clear owner for the KRI data?
• Is the KRI data available in a SAP or non-SAP system?
• Does historical data exist?
• Is the KRI data accurate and reliable?

Next, the potential KRIs should be rated in terms of their relationship to the risk event drivers. That is, KRIs deemed to have a “strong” relationship to a driver should be implemented over a KRI that has a “weak” relationship to the same driver. Once you have selected the “strongest” KRIs, you are ready to start implementing them in SAP BusinessObjects Risk Management. This begins with the design of the SAP Query.

SAP Query
SAP Query is a tool used to extract KRI data in SAP systems. Once you know what data you need and from which SAP system (based on the KRI design), you should seek the help of a SAP Query resource.

Similarly, if the KRI data resides in a non-SAP system, you will need a resource to design and develop the Web Service connector from the source system to SAP BusinessObjects Risk Management.


Lesson Summary

You should now be able to:
• Explain what is needed to design a KRI
• Explain why SAP Query is needed


Lesson: KRI Template Creation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will explain how to create KRI Templates.

Lesson Objectives
After completing this lesson, you will be able to:

• Create a KRI template
• Request a KRI Implementation

In this lesson you will discuss how to create a template for a KRI. Remember that this is done after the query has already been created in the backend system and the configuration has been done in the IMG.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

A central risk team can create several KRI templates linked to different risk categories. When creating risk events, the risk owners can see the KRIs attached to the risk category.

KRI Template
A KRI template is used to define the KRI before you have identified the required technical components (i.e. source system, transaction, RFC, Web service) and the Organizational Unit where the KRI will be implemented. The KRI Template is a business-oriented definition of the KRI (i.e. uses business terms to describe the KRI).

A KRI Template is linked to a risk category using the Risk classification catalog. When a risk event is created that refers to the risk category, the KRI Template is automatically associated with the risk event.


Creating a KRI Template

Use
To create a KRI Template:

Procedure
1. Choose GRC Risk Management → Risk Monitoring work center → Key Risk Indicator Template. This opens a popup window that displays the KRI templates.

Figure 58: KRI Template

2. To create a new KRI template, choose the Create pushbutton.


3. Select the General tab and enter the following:

1. KRI Template Name: Short name of the KRI
2. Valid to: The date until which the KRI remains valid
3. Description: Description of the KRI
4. Value Type: KRI value type
5. System: Source system for KRI data
6. Business Process: Relevant business process
7. Component: Relevant business process component

Note: The dropdown options for Value Type, System, Business Process, and Component are configurable items. These three KRI attributes are essentially a means of classifying the various KRI Templates.

4. Choose the Save pushbutton. The KRI can now be assigned to individual risk categories.


Requesting KRI Implementations

Use
To request that a KRI be implemented from the KRI template:

Procedure
1. Choose GRC Risk Management → Risk Monitoring work center → Key Risk Indicator Template. This opens a popup window that displays the KRI templates.

2. Select the KRI that you want to implement and choose the Open pushbutton.

3. Select the Implementation tab.

4. Choose the Create pushbutton. This opens a popup window where you can create a note.

Figure 59: KRI Implementation Request

5. Choose the OK pushbutton.

6. Choose the Save pushbutton. This will create a workflow item to the person designated to receive KRI implementation requests.


Exercise 21: Create a KRI Template
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create a KRI template
• Request a KRI Implementation

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

A central risk team can create several KRI templates linked to different risk categories. When creating risk events, the risk owners can see the KRIs attached to the risk category.

System Data
System: Instructor will provide to class
Client: Instructor will provide to class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task 1: Create a KRI Template

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.

2. Choose the Create pushbutton.

3. Select the General tab and enter the KRI information.

4. Choose the Save pushbutton.

Task 2: Request a KRI Implementation

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.


2. Select the KRI that you want to implement and choose the Open pushbutton.

3. Choose the OK pushbutton and then choose the Save pushbutton.


Solution 21: Create a KRI Template
Task 1: Create a KRI Template

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.

a) This opens a popup window that displays the KRI templates.

2. Choose the Create pushbutton.

a) This opens a popup window that displays the KRI form.

3. Select the General tab and enter the KRI information.

a) KRI Template Name: GRC340-XX-Temp

b) Valid to: XXX

c) Description: XXX

d) Value Type: XXX

e) System: XXX

f) Business Process: XXX

g) Component: XXX

4. Choose the Save pushbutton.

a) The KRI can now be assigned to individual risk categories.

Task 2: Request a KRI Implementation

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Template.

a) This opens a popup window that displays the KRI templates.

2. Select the KRI that you want to implement and choose the Open pushbutton.

a) This opens a popup window. Create the note XXXXX.

3. Choose the OK pushbutton and then choose the Save pushbutton.

a) This will create a workflow item to the person designated to receive KRI implementation requests.


Lesson Summary

You should now be able to:
• Create a KRI template
• Request a KRI Implementation


Lesson: KRI Implementation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will explain how to implement a KRI.

Lesson Objectives
After completing this lesson, you will be able to:

• Implement a KRI

In this lesson you will discuss the implementation of a KRI after the template has already been created.

Business Example
To provide continuous insight into the risk, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

KRI Implementation
The following prerequisites must be fulfilled before you can implement a KRI:

• Complete the IMG customizing activities on system connectivity for Key Risk Indicators.

• Create the KRI template that will be referenced when implementing the KRI.


To implement a KRI:

Figure 60: To implement a KRI:

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Implementation. This opens a popup window that displays the KRI implementation catalog.

2. To implement a new KRI choose the Create pushbutton.

3. Select the General tab and enter the following data:

1. KRI Implementation Name: Short name of the KRI
2. Valid to: The date until which the KRI remains valid
3. KRI Template: Select the KRI template
4. Description: Description of the KRI
5. Connector Type: Connector type
6. Script: Relevant business process

Note: The Connector Type, Connector and Script refer to a defined communication link between your systems. The following Connector types are available: SAP Query; SAP BW Query; Web Service.

4. Choose the Test Connector and Test Script pushbuttons to test the connectors and scripts before saving them.


Figure 61: KRI Implementation detail

5. Select the Implementation tab.

6. Enter additional information to define the output of the KRI Implementation:

1. Value Column: Select a value to be used. Value Column selection is defined in the SAP Query Infoset.

2. Currency/UoM Column: The currency to be used for the value you selected is displayed. Depending on the template type, this field is prefilled, so that you cannot make any entries.

3. Aggregation Function: Select the type of data aggregation to be used. Aggregation Function Values are predefined.

7. You can create a Selection Table containing the SAP Query data defined in the source system by selecting from the dropdown list in the Selection Option and choosing the Add pushbutton to add a data element to the Selection Table.

8. For each data element, specify the variable values (Sign, Option, Low Value, High Value) that will be available for selection when a KRI is localized.

Note: If the Mandatory field is not selected, you must set it in the KRI instance.

9. Choose the Save pushbutton. The implementation will be displayed in the KRI implementation catalog.


Figure 62: KRI Implementation Catalog

10. The KRI implementation status definitions are as follows:

• Draft: The KRI has not yet been sent for implementation. Draft KRIs will be invisible in the Linkage Corridor and in the Usage Corridor. They will only be visible in the Implementation Corridor, and can only be deleted or asked for implementation.

• Active: The KRI implementation is being used.
• Cancelled: A cancelled KRI implementation cannot be reactivated. All related instantiations are switched to “cancelled” in their own statuses once the implementation is cancelled.
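The Selection Table columns in steps 7 and 8 (Sign, Option, Low Value, High Value) have the shape of an ABAP select-option range table. The sketch below is an added example, not SAP code and not part of the course: it assumes standard ABAP range semantics (Sign I/E, Options EQ, NE, GT, GE, LT, LE, BT, NB), hypothetical aggregation names (SUM, AVG, MAX, COUNT), and constructed warranty-claim records and thresholds, and it maps the aggregated value to the escalation levels named in the KRI design considerations.

```python
"""Added illustration: Selection Table filter -> aggregation -> escalation level.

Assumptions (not from the course): ABAP range-table semantics, the aggregation
names, the sample records and the threshold values are all constructed here.
"""
import operator
from dataclasses import dataclass
from typing import Any, Optional

_SIMPLE = {"EQ": operator.eq, "NE": operator.ne, "GT": operator.gt,
           "GE": operator.ge, "LT": operator.lt, "LE": operator.le}


@dataclass(frozen=True)
class SelRow:
    sign: str                  # "I" = include, "E" = exclude
    option: str                # EQ, NE, GT, GE, LT, LE, BT (between), NB (not between)
    low: Any
    high: Optional[Any] = None

    def __post_init__(self):
        if self.sign not in ("I", "E"):
            raise ValueError(f"invalid Sign {self.sign!r}")
        if self.option in ("BT", "NB"):
            if self.high is None or self.high < self.low:
                raise ValueError("BT/NB need High Value >= Low Value")
        elif self.option not in _SIMPLE:
            raise ValueError(f"unsupported Option {self.option!r}")

    def matches(self, value) -> bool:
        if self.option in ("BT", "NB"):
            inside = self.low <= value <= self.high
            return inside if self.option == "BT" else not inside
        return _SIMPLE[self.option](value, self.low)


def selected(rows, value) -> bool:
    """Range-table rule: an empty table selects everything; otherwise a value
    must hit no E row and, if any I rows exist, at least one of them."""
    if any(r.matches(value) for r in rows if r.sign == "E"):
        return False
    includes = [r for r in rows if r.sign == "I"]
    return not includes or any(r.matches(value) for r in includes)


def kri_value(records, selection, value_column, aggregation):
    """Filter records by the per-field selection rows, then aggregate one column."""
    if aggregation not in ("SUM", "AVG", "MAX", "COUNT"):
        raise ValueError(f"unknown aggregation {aggregation!r}")
    hits = [rec[value_column] for rec in records
            if all(selected(rows, rec[field]) for field, rows in selection.items())]
    if aggregation == "COUNT":
        return len(hits)
    if aggregation == "SUM":
        return sum(hits)
    if not hits:
        return None            # AVG/MAX are undefined when nothing was selected
    return sum(hits) / len(hits) if aggregation == "AVG" else max(hits)


def classify(value, watch_at, unacceptable_at) -> str:
    """Map a KRI value to the three escalation levels (higher value = worse)."""
    if watch_at > unacceptable_at:
        raise ValueError("watch_at must not exceed unacceptable_at")
    if value >= unacceptable_at:
        return "Unacceptable"
    return "Acceptable but Watch" if value >= watch_at else "Acceptable"


# Constructed sample data: monthly warranty claims per plant.
RECORDS = [
    {"plant": "1000", "month": 1, "claims": 12},
    {"plant": "1000", "month": 2, "claims": 18},
    {"plant": "2000", "month": 1, "claims": 40},
    {"plant": "2000", "month": 2, "claims": 7},
    {"plant": "3000", "month": 2, "claims": 25},
]
# Localized selection: plants 1000..2000 only, and everything except month 1.
SELECTION = {
    "plant": [SelRow("I", "BT", "1000", "2000")],
    "month": [SelRow("E", "EQ", 1)],
}

if __name__ == "__main__":
    total = kri_value(RECORDS, SELECTION, "claims", "SUM")
    print(total, classify(total, watch_at=20, unacceptable_at=30))
```

An exclude-only table, like the `month` rows here, selects every value except the excluded ones, which is the case most often misread when selection values are handed over for localization.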


Exercise 22: Implement a KRI
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Implement a KRI

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

To set up the KRI for the risk involves implementing the configured connector and script.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1.
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a KRI Template
Student will be able to Implement a KRI Template

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Implementation.

2. Choose the Create pushbutton.

3. Select the General tab and enter the KRI information.

4. Choose the Test Connector and Test Script pushbuttons.

5. Select the Implementation tab and enter additional information to define the output of the KRI implementation.

6. Create a Selection Table by selecting from the dropdown list in the Selection Option and choosing the Add pushbutton to add a data element to the Selection Table.

7. Complete the selection table.

8. Choose the Save pushbutton.


Solution 22: Implement a KRI
Task: Create a KRI Template
Student will be able to Implement a KRI Template

1. Choose GRC Risk Management → Risk Monitoring → Key Risk Indicator Implementation.

a) This opens a popup window that displays the KRI implementation catalog.

2. Choose the Create pushbutton.

a) This opens the KRI implementation form.

3. Select the General tab and enter the KRI information.

a) KRI Implementation Name: GRC340-XX-Implement

b) Valid to: XXX

c) KRI Template: GRC340-XX-Temp

d) Description: XXX

e) Connector Type: XXX

f) Connector: XXX

g) Script: XXX

4. Choose the Test Connector and Test Script pushbuttons.

a) Connectors and script test okay.

5. Select the Implementation tab and enter additional information to define the output of the KRI implementation.

a) Value Column: XXX

b) Currency/UoM Column: XXX

c) Aggregation Function: XXX

6. Create a Selection Table by selecting from the dropdown list in the Selection Option and choosing the Add pushbutton to add a data element to the Selection Table.

a) Add the following options to the table:

• XXXX
• YYYY


7. Complete the selection table.

a)

Name | Mandatory | Sign | Option | Low Value | High Value

8. Choose the Save pushbutton.

a) The implementation will be displayed in the KRI implementation catalog.


Lesson Summary

You should now be able to:
• Implement a KRI


Lesson: KRI Instantiation
Lesson Duration: 15 Minutes

Lesson Overview
This lesson will describe how to add an implemented KRI to a risk.

Lesson Objectives
After completing this lesson, you will be able to:

• Add an implemented KRI to a risk

In this lesson you will discuss how to add a KRI to a risk. This is done after the KRI template has been created and the KRI implementation has been done.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

To set up the KRI for the risk involves adding the implemented KRI to the risk.

KRI Instantiation
The following prerequisites must be fulfilled before you can add a KRI to a risk:

• The KRI has been implemented.


To add a KRI to a risk:

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management. This opens a popup window that displays the risks.

2. Select the risk where the KRI is to be added and choose the Open pushbutton.

Figure 63: Assigned Key Risk Indicators

3. Select the Key Risk Indicator tab. Here you will see a list of the assigned Key Risk Indicators.


Figure 64: KRI Creation

4. Select the Create pushbutton. This opens a popup window that displays the KRI data value fields.

5. Enter the following:

1. KRI Instance Name: Enter the name of the KRI that you want to create.
2. KRI Implementation: Select the KRI implementation that you want to use. After you select an implementation, the Selection Table will be populated with the corresponding KRI data.
3. Monitor Frequency: Select the frequency with which you want the KRI to monitor your system.
4. Data Time Frame: Select the desired timeframe for the KRI data.
5. Next/Last Execution Date: Select the execution dates for monitoring.
6. Historical Review Required: Select Yes to retain the previous KRI values in the database.

6. The Selection table will contain the filter criteria for the KRI.

7. Choose the Activate pushbutton to activate and assign the KRI to the risk.


Figure 65: KRI History

8. To see the History of KRI values, select the Key Risk Indicators tab and then select the KRI. Choose the Show History pushbutton. This opens a popup window with a chart and tabular KRI information.

Note: The Historical Review Required radio button must be Yes in order to retain historical data.


Exercise 23: Add a KRI to a Risk
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Add an implemented KRI to a risk.

Business Example
To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

To set up the KRI for the risk involves adding the implemented KRI to the risk.

System Data
System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1
Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Add a KRI to a Risk

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.

2. Select the Create pushbutton.

3. Enter the KRI information.

4. Choose the Activate pushbutton.


Solution 23: Add a KRI to a Risk

Task: Add a KRI to a Risk

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.

a) This opens a popup window that displays the risks.

2. Select the Create pushbutton.

a) This opens a popup window that displays the KRI data value fields.

3. Enter the KRI information.

a) KRI Instance Name: GRC340-XX-Instance

b) KRI Implementation: GRC340-XX-Implement

c) Monitor Frequency: XXXX

d) Data Time Frame: XXXX

e) Next/Last Execution Date: XXXX

f) Historical Review Required: XXXX

4. Choose the Activate pushbutton.

a) KRI activated and assigned to the risk.


Lesson Summary

You should now be able to:

• Add an implemented KRI to a risk


Lesson: KRI Localization

Lesson Duration: 15 Minutes

Lesson Overview

This lesson will describe how to localize a KRI.

Lesson Objectives

After completing this lesson, you will be able to:

• [Enter a lesson objective or delete if not used.]
• Request the localization of a KRI.

In this lesson you will discuss localizing a KRI. One reason for doing this: if the person adding the KRI to a risk does not have all of the parameters of the query behind the KRI, a liaison specified in the backend system fills out the table and sends the information back.

Business Example

To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

The last step needed to activate the KRI risk involves specifying the RFC parameters needed to start the KRI.

KRI Localization

Requesting localization indicates that the relevant parameters have been set for detecting KRI data for a particular Organizational Unit, Country, Region, or Market. Once the localization request has been made, a KRI workflow goes to a liaison workflow processor as defined in the Risk Management workflows.

The following prerequisites must be fulfilled before you can add a KRI to a risk:

• The KRI has been added to the risk.


To localize a KRI:

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management. This opens a popup window that displays the risks.

2. Select the risk with the KRI to be localized and choose the Open pushbutton.

3. Select the Key Risk Indicator tab. Here you will see a list of the assigned Key Risk Indicators.

4. Select the KRI to be localized and choose the Open pushbutton.

5. Choose the Request Localization pushbutton.

Figure 66: KRI Localization Status

6. The KRI Status column now displays Localization Requested. When you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to the user inbox for processing, approval, and so on.


Exercise 24: Localize a KRI

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Request the localization of a KRI

Business Example

To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

The last step needed to activate the KRI risk involves specifying the RFC parameters needed to start the KRI.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Student will be able to request the localization of a KRI.

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.

2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.

3. Select the KRI GRC340 and choose the Open pushbutton. Now choose the Request Localization pushbutton.


Solution 24: Localize a KRI

Task: Student will be able to request the localization of a KRI.

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.

a) This opens a popup window that displays the risks.

2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.

a) You will see a list of the assigned Key Risk Indicators.

3. Select the KRI GRC340 and choose the Open pushbutton. Now choose the Request Localization pushbutton.

a) The KRI status column now displays Localization Requested. When you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to the user inbox for processing, approval, and so on.


Lesson Summary

You should now be able to:

• [Enter a lesson objective or delete if not used.]
• Request the localization of a KRI.


Lesson: KRI Business Rules

Lesson Duration: 15 Minutes

Lesson Overview

This lesson will describe how to configure a business rule for a KRI.

Lesson Objectives

After completing this lesson, you will be able to:

• Configure a KRI business rule.

In this lesson you will discuss with the students adding a business rule to a KRI for a risk. Note that there are classes to discuss business rules, so this is not an in-depth conversation about creating a business rule.

Business Example

To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

Configuring a business rule is the final step in setting up the KRI for a risk. Essentially, a business rule is a formula that defines the escalation criteria for management actions.

For example, for the KRI “% of purchases from non-preferred vendors” you could define a threshold value of, say, 10% (i.e. IF the percentage of purchases from non-preferred vendors exceeds 10%, THEN trigger the KRI).


Business Rule Configuration

Prerequisites

The KRI has been localized.

Procedure

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management. This opens a popup window that displays the risks.

2. Select the risk for which you want to create the business rule and choose the Open pushbutton.

3. Select the Key Risk Indicator tab. You will see a list of assigned Key Risk Indicators.

Figure 67: KRI Business Rule

4. Select the KRI for which the business rule is to be configured. In the Business Rules table at the bottom of the window choose the Create pushbutton. This will open a KRI Business Rule popup window.


5. Enter the following:

   1. Title: Title of the KRI business rule

   2. Description: Description of the KRI business rule

   3. Active: Select whether or not the KRI is active.

6. In the Mapping and Variables tables enter the calculation parameters to be used for the KRI Business Rule. After you have finished, you can check the syntax, test the rule or access the Business Rules Framework.

7. Use the radio buttons at the bottom of the window to specify the workflows that are to take place when a KRI value meets the business rule criteria. The actions are:

   1. Assessment Required: Whether a risk assessment workflow is to be triggered when the KRI threshold is exceeded.

   2. Send Notification: Whether an email notification is to be sent to the risk owner.

   3. Flag Risk: Whether the risk is to be flagged.

8. Choose the Ok pushbutton.

9. Choose the Save pushbutton.


Resetting a KRI Violation

Use

To reset the KRI violation status.

Prerequisites

If the KRI Business Rule is exceeded, a yellow lightning symbol flag displays on the KRI tab.

Procedure

1. Choose the Reset KRI violation Status pushbutton. This will remove the yellow lightning symbol from the Key Risk Indicators tab and reset the status flag to green.

2. Click Ok to finish processing. The window closes and you can see the new business rule in the list of rules assigned to the risk.


Exercise 25: Configure a KRI Business Rule

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Configure a KRI business rule

Business Example

To provide continuous insight into the risks, one or more Key Risk Indicators (KRI) can be implemented. Essentially, a KRI is a forward-looking measure that provides a basis for estimating the likelihood of the risk.

Configuring a business rule is the final step in the setting up of the KRI for a risk. Essentially, a business rule is a formula that defines the escalation criteria for management actions.

For example, for the KRI “% of purchases from non-preferred vendors” you could define a threshold value of, say, 10% (i.e. IF the percentage of purchases from non-preferred vendors exceeds 10%, THEN trigger the KRI).

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Configure a KRI Business Rule

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.

2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.

3. Select the KRI GRC340. In the Business Rule table at the bottom of the window choose the Create pushbutton.

4. Enter the general business rule information.


5. In the Mapping and Variables tables enter the calculation parameters to be used for the KRI Business Rule.

6. After you have finished, you can check the syntax, test the rule or access the Business Rules Framework.

7. Use the radio buttons at the bottom of the window to specify the workflows that are to take place when a KRI value meets the business rule criteria.

8. Choose the OK pushbutton and then choose the Save pushbutton.


Solution 25: Configure a KRI Business Rule

Task: Configure a KRI Business Rule

1. Choose GRC Risk Management → Risk Assessment work center → Risk and Opportunity Management.

a) This opens a popup window that displays the risks.

2. Select the risk GRC340-XX-Risk and choose the Open pushbutton. Now select the Key Risk Indicator tab.

a) You will see a list of the assigned Key Risk Indicators.

3. Select the KRI GRC340. In the Business Rule table at the bottom of the window choose the Create pushbutton.

a) This will open a KRI Business Rule popup window.

4. Enter the general business rule information.

a) Title: GRC340-XX-Rule

b) Description: GRC340-XX-Rule

c) Active: XXXX

5. In the Mapping and Variables tables enter the calculation parameters to be used for the KRI Business Rule.

a) Mapping

| Mapping Title | KRI Instance | Aggr. Function | Limit |
|---|---|---|---|
| VAR # (system generated) | X | X | X |

Formula

| Name | Value for Testing | Currency | Unit of Measure |
|---|---|---|---|
| VAR # (system generated) | X | X | X |


6. After you have finished, you can check the syntax, test the rule or access the Business Rules Framework.

a) Rules test okay.

7. Use the radio buttons at the bottom of the window to specify the workflows that are to take place when a KRI value meets the business rule criteria.

a) Assessment Required: Yes

b) Send Notification: Yes

c) Flag Risk: Yes

8. Choose the OK pushbutton and then choose the Save pushbutton.

a) Business rule saved.


Lesson Summary

You should now be able to:

• Configure a KRI business rule.


Unit Summary

You should now be able to:

• Explain how KRIs are used in Risk Management
• Explain the process for creating a KRI
• Explain what is needed to design a KRI
• Explain why SAP Query is needed
• Create a KRI template
• Request a KRI Implementation
• Implement a KRI
• Add an implemented KRI to a risk
• [Enter a lesson objective or delete if not used.]
• Request the localization of a KRI.
• Configure a KRI business rule.


Unit 7: Risk Monitoring

Unit Overview

In this unit you will learn the various ways in which SAP BusinessObjects Risk Management supports Risk Monitoring.

Unit Objectives

After completing this unit, you will be able to:

• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner

Unit Contents

Lesson: Planner
   Procedure: To create a Planned workflow
   Exercise 26: Create a Plan


Lesson: Planner

Lesson Duration: 30 Minutes

Lesson Overview

This lesson will show you how to use the Planner to schedule workflows to support the risk management process.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner

Business Example

There are a variety of stakeholders in a business who need to participate in the risk management process. Some people will have a role in participating in the risk identification process and the risk analysis process. Others, especially managers, might get involved in approving risk assessments or reported incidents. Still others could be assigned specific actions to take in response to a risk.

These people, who participate in the risk management process infrequently or occasionally, need help and prompting about when they need to take action and what they need to do. SAP BusinessObjects Risk Management supports users in this way through the generation of workflows to remind them something needs attention in the risk management system, and provides a guided interface for executing that action.

The Planner is a tool for the Risk Manager to generate the workflows for the users and to keep track of the status of those workflows.


What is a Planned Activity?

SAP BusinessObjects Planner supports the following types of workflows:

• Activity Validation
• Opportunity Validation
• Risk Validation
• Risk Assessment
• Opportunity Assessment
• Response Update
• Activity Survey
• Risk Indicator Survey
• Risk Survey

There are three available validation types: Activity, Risk, and Opportunities. Validation is the term used in the system for “approvals”.

• Risk Validation: Used to approve an individual risk.
• Opportunity Validation: Used to approve an individual opportunity.
• Activity Validation: Used to approve a collection of risks under the umbrella grouping of an activity which could include one or more risks and opportunities (for example, project, initiative, strategy).

There are three available assessment types: Risk, Opportunities and Responses. An assessment is an update to the risk analysis and/or responses.

• Risk Assessment: Used to update risk analysis and responses.
• Opportunity Assessment: Used to update opportunity analysis and enhancement plans.
• Response Update: Used to update the details of the response to a risk.

There are three available survey types: Activity, Risk, and Risk Indicator.

• Activity Survey: Used to identify new risks and potential shortcomings related to an activity (for example, project, process).
• Risk Survey: Used to initiate a risk assessment (or reassessment) to uncover new circumstances that might impact the risk assessment.
• Risk Indicator Survey: Used to receive manual indications on the development of a Key Risk Indicator.


To create a Planned workflow:

1. Choose GRC Risk Management → Risk Monitoring work center and select Planner. This opens a popup window that displays the planner.

2. To create a new planned workflow, choose the Create pushbutton.

Figure 68: Planner


Figure 69: Create Plan

3. Complete the plan creation. There are 5 steps in the guided procedure to create a new plan:

   1. Enter Plan Details

      a) The workflow information includes the following (fields marked with an asterisk (‘*’) are mandatory):

         1. Plan Name (free text)

         2. Plan Activity: (one of the 9 plan ‘types’ mentioned above).

         3. Start Date: the date when the workflow should be triggered.

         4. Due Date: the date when the workflow task should be completed.

         If plan type Risk Assessment or Opportunity Assessment is selected, the following additional field applies:

         5. Analysis Date: the date on which the analysis is to take place.

         If plan type is Activity Survey, Risk Survey or Key Risk Indicator Survey, the following additional field applies:

         6. Survey: select from the available surveys.

         If plan type is Activity Survey, the following additional field applies:


         7. Include Risks: Radio buttons: Yes or No.

      b) Choose the Next pushbutton to proceed to the next step in the guided procedure.

   2. Select Organizations

      a) Use the Expand All, Collapse All or Find pushbuttons to browse the available organization units. Or click on the org unit node in the Organisation window to browse the structure.

      b) Highlight the organization unit required.

      c) Choose the Next pushbutton to move to the next step in the guided procedure.

   3. Perform Selection. The selection options will depend on the plan type selected in Step 1.

      a) Selection Procedure: The following radiobuttons are available to narrow down the response or responses for selection:

         1. Select All Responses

         2. Select by Response Attributes

         3. Select Specific Responses

      b) Select Specific Responses radiobutton. Available responses in the selected organisation unit will display in the window.

      c) Highlight the response for update.

      d) Choose the Next pushbutton to proceed to the next step in the procedure.

   4. Review. The selection results are presented for review.

      a) Choose the Show Results pushbutton to view the details of the selected Responses and the users who will receive the workflow.

      b) Choose Close pushbutton to return to the main Create Plan Review window.

      Hint: At any stage the Previous and Next pushbuttons can be used to review previous selections and make amendments to selections.

      c) Choose Next pushbutton to proceed to the next step in the selection process.

   5. Confirmation. Saves the Plan.


      a) Choose Activate Plan to confirm selections.

      Hint: Cancel aborts the process.

      b) The successful saving of the Plan is confirmed.

      c) Choose Finish to return to the main Planner window.

      Hint: Selecting Create New Plan is a shortcut to initiate creating further plans.

Figure 70: Planner Window


Exercise 26: Create a Plan

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Create a Plan

Business Example

There are a variety of stakeholders in a business who need to participate in the risk management process. Some people will have a role in participating in the risk identification process and the risk analysis process. Others, especially managers, might get involved in approving risk assessments or reported incidents. Still others could be assigned specific actions to take in response to a risk.

These people, who participate in the risk management process infrequently or occasionally, need help and prompting about when they need to take action and what they need to do. SAP BusinessObjects Risk Management supports users in this way through the generation of workflows to remind them something needs attention in the risk management system, and provides a guided interface for executing that action.

Some workflows are triggered automatically by an event in the system such as submitting an incident or proposing a new risk. In other cases the workflow generation can be customized to suit the risk management process by using the Planner.

The Planner is a tool for the Risk Manager to generate the workflows for the users and to keep track of the status of those workflows.

System Data

System: Instructor will provide to class
Client: Instructor will provide to class
User ID: GRC340-XX where XX is your student #
Password: The initial password is initial1

Set up instructions:

1. [Enter all instructions necessary for the maintenance of this exercise.]

Task: Create a Plan

1. Choose GRC Risk Management → Risk Monitoring work center and select Planner.


2. Choose the Create push-button.

3. Create a Plan for a Risk Response Update as follows:

4. Choose the Next push-button to proceed to the next step.

Use the Expand All, Collapse All and Find push-buttons or click on the organization node hierarchy to navigate to the required organization unit: GRC340-XX-Org

5. Proceed to the next step in the guided procedure.

6. Select the Specific Responses radiobutton.

7. Highlight the required response XXXXXX and proceed to the next step.

8. View the plan selections and plan detail and then proceed to the next step.

9. Activate the Plan

10. Finish and return to the Planner summary window.


Solution 26: Create a Plan

Task: Create a Plan

1. Choose GRC Risk Management → Risk Monitoring work center and select Planner.

a) This opens a popup window that displays the current plans.

2. Choose the Create push-button.

a) This opens a popup window that displays the Planner Guided Procedure.

3. Create a Plan for a Risk Response Update as follows:

a) Select Create push-button. This opens a popup window.

b) Plan Name: GRC340-XX-Plan

c) Plan Activity: Perform Response Update

d) Start Date: Today

e) Due Date: Today plus one week

4. Choose the Next push-button to proceed to the next step.

Use the Expand All, Collapse All and Find push-buttons or click on the organization node hierarchy to navigate to the required organization unit: GRC340-XX-Org

a) Highlight the required organization unit.

5. Proceed to the next step in the guided procedure.

a) Choose the Next pushbutton.

6. Select the Specific Responses radiobutton.

a) The available responses display in the window.

7. Highlight the required response XXXXXX and proceed to the next step.

a) The response is highlighted. Choose the Next pushbutton to move to the next step in the guided procedure.

8. View the plan selections and plan detail and then proceed to the next step.

a) Choose Show Details pushbutton.

Choose Close pushbutton to return to summary.

Choose Next to proceed to the next step.


9. Activate the Plan

a) Choose Activate Plan pushbutton. This moves to the next step.

10. Finish and return to the Planner summary window.

a) Choose Finish to return to the summary window.


Lesson Summary

You should now be able to:

• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner


Unit Summary

You should now be able to:

• Explain how the Planner works
• Explain how to create a risk assessment workflow using the Planner


Unit 8: My Home

Unit Overview

In this unit you will learn the variety of tasks and functions available in the SAP BusinessObjects Risk Management My Home work center.

Unit Objectives

After completing this unit, you will be able to:

• Explain the use of the Work Inbox
• Execute a task in the Work Inbox
• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident
• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard
• Explain the use of the Document Search
• Search for a document using the Document Search

Unit Contents

Lesson: Work Inbox
   Procedure: Executing a task in the Work Inbox
Lesson: Ad Hoc Tasks
   Procedure: Task: Propose a Risk
   Procedure: Task: Report an Incident
   Exercise 27: Propose a Risk
   Exercise 28: Report an Incident
Lesson: Reports and Analytics
   Procedure: Task: Run a Report
   Procedure: Task: View Analytics Dashboard
   Exercise 29: Run a Report
   Exercise 30: View a Dashboard
Lesson: Document Search


Lesson: Work Inbox

Lesson Duration: 10 Minutes

Lesson Overview

In this unit you will learn the tasks and activities available in the My Home work center.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain the use of the Work Inbox
• Execute a task in the Work Inbox

[Enter a description of what the instructor should discuss with the participants about the context of the lesson. ]

Business Example

Those who participate in the risk management process often will do so due to a particular task or role they have in the organization. For most of the time they need only to go to that area of the system to execute the tasks assigned to them.

SAP BusinessObjects Risk Management Work Inbox contains for each user the tasks and actions assigned specifically to them. The user need only click on the instruction in the Work Inbox and they will immediately access a guided procedure to assist them to execute the steps needed to complete the action.

What is the Work Inbox

SAP BusinessObjects Work Inbox supports the following types of workflows:

• Validate Activity
• Validate Opportunity
• Validate Proposed Risk
• Validate Risk
• Validate Response
• Validate Incident
• Risk Analysis (referred to elsewhere as Opportunity Assessment)
• Opportunity Analysis (referred to elsewhere as Opportunity Assessment)
• Response Update


• Notification of assignment as Response Owner

There are six available validation types: Validate Activity, Validate Risk, ValidateProposed Risk, Validate Opportunty and Validate Response. Validation is theterm in the system user for “approvals” or to apply a 4-eyes principal to the riskmanagement process.

• Risk Validation: Used to approve an individual risk.• Opportunity Validation: Used to approve an individual opportunity.• Activity Validation: Used to approve a collection of risks under the

umbrella grouping of an activity which could include one or more risks andopportunities (for example, project, initiative, strategy).

• Proposed Risk Validation: Used to approve a risk that has been proposedprior to it being formally accepted into the risk portfolio.

• Response Validation: Used to approve a response prior to it being formallyaccepted as an action or task.

• Incident Validation: User to approve a reported incident prior to it beingformally accepted in the incident database.

There are three types of assessment: Risk Analysis, Opportunity Analysis andResponse Update. An Analysis is the review and update of the qualitative orquantitative assessment of the risk interms of its probability and impact forinherent risk, residual risk and residual risk planned, and it includes review andupdate of responses.

• Risk Analysis: Used to update risk analysis and responses.
• Opportunity Analysis: Used to update opportunity analysis and enhancement plans.
• Response Update: Used to update the details of the response to a risk. No changes are made to the risk itself.

There is one type of notification:

• Response Owner: Used to notify a user that they have been assigned as a Response Owner for a particular response. The Response can be updated and submitted from the workflow link. In this sense it is the same action as Response Update.

Executing a task in the Work Inbox

Figure 71: Work Inbox

1. Choose GRC Risk Management → My Home work center → Work Inbox. This opens a popup window that displays the work inbox.

2. Select the work item to be executed by clicking on the item Subject display column. This opens a popup window that displays the task to be executed.

Figure 72: Perform Risk Analysis - Analyze Risk

3. Step 1 - Analyze Risk. Enter Risk Analysis updates (as per Unit 4 Risk Analysis) as follows:

1. Probability: XX%

4. Select Impact Category Allocation pushbutton. A popup window displays the impact categories.

5. Enter Impact.

6. Select Further Mitigations radio button: Yes. The task is moved to the next step. NB: If No is selected, the Further Mitigations step is skipped.

Figure 73: Perform Risk Analysis - Assign Mitigations

7. Step 2 - Assign Mitigations

8. Enter Risk Response updates (as per Unit 5 Risk Response) as follows:

1. Select Open pushbutton to open the response
   a) Enter updated details
2. Select Remove pushbutton to remove obsolete responses. NB: This can only be performed if the response is in status Draft.
3. Select Create pushbutton to create either a new response or propose a new control.
4. Select Assign pushbutton to assign a response or control to the risk.
5. Enter/Update Probability Reduction: XX%
6. Select Impact Category Allocation pushbutton to update reduction; mitigation effect information. Select Ok pushbutton to return to previous window.

9. Choose Next pushbutton.

Figure 74: Perform Risk Analysis - Review

10. The Updated Risk Analysis is displayed for review. Select Finish pushbutton to complete the risk update, OR select Previous pushbutton to return to a previous step.

Figure 75: Perform Risk Analysis

11. Choose Close pushbutton. This completes the task and moves to Step 3 Review of the guided procedure.

12. The Work Inbox displays. Choose Refresh pushbutton to refresh the tasks list. Completed tasks disappear.

Lesson Summary

You should now be able to:
• Explain the use of the Work Inbox
• Execute a task in the Work Inbox

Lesson: Ad Hoc Tasks
Lesson Duration: 5 Minutes

Lesson Overview

In this unit you will learn about the tasks Propose a Risk and Report an Incident available in the My Home work center.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident

Business Example

Businesses have an operational need to allow employees to easily participate in the risk management process. Those who are closest to risk are best able to identify and manage them. Tasks such as proposing a risk should be made as easy as possible for employees. SAP BusinessObjects Risk Management My Home Propose a Risk functionality supports the easy entry of risks into the system.

Similarly, being able to easily record when an incident occurs should encourage employees to make this information available. Maintaining complete and accurate information about incidents contributes to improved decision-making about where the business is vulnerable to risks and is therefore better able to allocate scarce resources to mitigate them. SAP BusinessObjects Risk Management My Home Report an Incident functionality supports the easy reporting of incidents into the system. Incident Attributes are used to provide granularity to incident reporting and can be used as part of a root cause analysis exercise.

Task: Propose a Risk

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks work center → Propose a risk. This opens a popup window that displays the Propose a Risk window.

Figure 76: Create a Risk Proposal

2. To create a new proposed risk, enter the details in the template:

1. Name: XXXX
2. Organization Unit: Choose from available organizational unit nodes using the dropdown picklist.
3. Activity: (optional) Choose from available activities using the dropdown picklist.
4. Description: Free text to fully describe the risk
5. Select Submit pushbutton to save the risk proposal. NB: Cancel abandons the entry process.

Task: Report an Incident

Figure 77: Report an Incident

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Report an Incident. This opens a popup window that displays the Report an Incident window.

2. To create a new incident report, enter the details in the template:

1. Incident Name: Free text to describe the incident
2. Organization Unit: Choose from available organizational unit nodes using the dropdown picklist.
3. Incident Date: XX/XX/XX
4. Detection Date: XX/XX/XX
5. Description: Free text to fully describe the risk
   a) Depending on system setting the Incident Attributes will display and may include default Values.
   b) Attribute Severity: Select from dropdown picklist.
   c) Attribute Cause of Incident: Select from dropdown picklist.
   d) Attribute Recommendation: Select from dropdown picklist.

3. Select Submit pushbutton to save the reported incident.

Exercise 27: Propose a Risk
Exercise Duration: 5 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Propose a Risk

Business Example

Businesses have an operational need to allow employees to easily participate in the risk management process. Those who are closest to risks are best able to identify and manage them. Tasks such as proposing a risk should be made as easy as possible for employees. SAP BusinessObjects Risk Management My Home Propose a Risk functionality supports the easy entry of risks into the system.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task: Propose a Risk

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Propose a Risk.

2. To create a new proposed risk, enter the details in the template:

3. Select Submit pushbutton to save the risk proposal.

Solution 27: Propose a Risk

Task: Propose a Risk

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Propose a Risk.

a) This opens a popup window that displays the Propose a Risk window.

2. To create a new proposed risk, enter the details in the template:

a) Name: GRC340-XX-Prop

b) Organization Unit: GRC340-XX-Org

c) Risk Category: GRC340-XX-Cat

d) Description: GRC340-XX-Proposal

3. Select Submit pushbutton to save the risk proposal.

a) Risk Proposal saved

Exercise 28: Report an Incident
Exercise Duration: 5 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Report an Incident

Business Example

When an incident occurs employees should be encouraged to make this information available. Maintaining complete and accurate information about incidents contributes to improved decision-making about where the business is vulnerable to risks and is therefore better able to allocate scarce resources to mitigate them.

SAP BusinessObjects Risk Management My Home Report an Incident functionality supports the easy reporting of incidents into the system. Incident Attributes are used to provide granularity to incident reporting and can be used as part of a root cause analysis exercise.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task: Report an Incident

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Report an Incident.

2. To create a new incident report, enter the details in the template:

3. Select Submit pushbutton to save the incident.

Solution 28: Report an Incident

Task: Report an Incident

1. Choose GRC Risk Management → My Home work center → Ad Hoc Tasks → Report an Incident.

a) This opens a popup window that displays the Report an Incident window.

2. To create a new incident report, enter the details in the template:

a) Incident Name: GRC340-XX-Incident

b) Organization Unit: GRC340-XX-Org

c) Incident Date: XX/XX/XX

d) Detection Date: XX/XX/XX

e) Description: GRC340-XX-Incident

1. Depending on system setting the Incident Attributes will display and may include default Values.
2. Attribute Severity: Select from dropdown picklist.
3. Attribute Cause of Incident: Select from dropdown picklist.
4. Attribute Recommendation: Select from dropdown picklist.

3. Select Submit pushbutton to save the incident.

a) Incident is saved

Lesson Summary

You should now be able to:
• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident

Lesson: Reports and Analytics
Lesson Duration: 5 Minutes

Lesson Overview

In this unit you will learn about the Reports and Analytics work center available in the My Home work center.

Lesson Objectives

After completing this lesson, you will be able to:

• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard

Business Example

The Report and Analytics work center includes a subset of reports and dashboards available in the main Reporting and Analytics work center. This functionality allows a user to quickly access reports and dashboards that are relevant for their area of responsibility. This streamlines the risk process and improves worker efficiency.

Task: Run a Report

1. Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Top Risks. This opens a popup window that displays the report Input Selection window.

Figure 78: Report Input Selection

2. Enter the selection parameters to run the report:

1. Period:
2. Year:
3. Currency:
4. Risk Classification:
5. Organization:
6. Activity:
7. Report Settings:
   a) Bypass Buffer: checkbox

3. Select Display Report pushbutton to run the report OR select Schedule a Report pushbutton to schedule when the report should be run.

Figure 79: Report - Schedule GRC Report

4. Enter the selection parameters to run the report:

1. To:
2. CC:
3. Subject:
4. Message:
5. User Name:
6. Password:
7. Enable Email Notification: checkboxes: Success, Failure

5. Select Schedule Report pushbutton to execute the scheduling of the report.

Task: View Analytics Dashboard

Figure 80: Analytics Dashboard

1. Choose GRC Risk Management → My Home work center → Reports → Analytics work center → Analytics Dashboard. This opens a popup window that displays the dashboard window and displays the data based on default values.

2. Select:

1. Organization Unit: dropdown picklist
2. Time Frame: dropdown picklist
3. Year: dropdown picklist

Exercise 29: Run a Report
Exercise Duration: 5 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Run a Report

Business Example

The Report and Analytics work center includes a subset of reports and dashboards available in the main Reporting and Analytics work center. It is therefore a convenient means of quickly accessing reports. This functionality allows a user to quickly access reports and dashboards that are relevant for their area of responsibility. This streamlines the risk process and improves worker efficiency.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task: Run a Report

1. Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Run a Report.

2. Select parameter to run the report immediately using default values.

Solution 29: Run a Report

Task: Run a Report

1. Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Run a Report.

a) This opens a popup window that displays the Report Input Selection window.

2. Select parameter to run the report immediately using default values.

a) Select Run Report pushbutton. The Report output displays in a popup window.

Exercise 30: View a Dashboard
Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• View a Dashboard

Business Example

The Report and Analytics work center includes a subset of reports and dashboards available in the main Reporting and Analytics work center. It is therefore a convenient means of quickly accessing dashboards. This functionality allows a user to quickly access reports and dashboards that are relevant for their area of responsibility. This streamlines the risk process and improves worker efficiency.

System Data

System: Instructor will provide during class
Client: Instructor will provide during class
User ID: GRC340-XX where XX is your Student #
Password: The initial password is initial1

Task: View Dashboards

1. Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Analytics Dashboard.

2. Use the available dropdown picklists on the dashboard to adjust the selection parameters.

Solution 30: View a Dashboard

Task: View Dashboards

1. Choose GRC Risk Management → My Home work center → Reports and Analytics work center → Analytics Dashboard.

a) This opens a popup window that displays the Analytics Dashboard.

2. Use the available dropdown picklists on the dashboard to adjust the selection parameters.

a) The output adjusts on selection changes.

Lesson Summary

You should now be able to:
• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard

Lesson: Document Search
Lesson Duration: 5 Minutes

Lesson Overview

In this unit you will learn the tasks and activities available in the My Home work center.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain the use of the Document Search
• Search for a document using the Document Search

Lesson Summary

You should now be able to:
• Explain the use of the Document Search
• Search for a document using the Document Search

Unit Summary

You should now be able to:
• Explain the use of the Work Inbox
• Execute a task in the Work Inbox
• Explain the use of Propose a Risk
• Explain the use of Report an Incident
• Propose a Risk
• Report an Incident
• Understand that Reports can be run from the My Home work center
• Run a Report
• View a Dashboard
• Explain the use of the Document Search
• Search for a document using the Document Search

Unit 9: Roles and Authorizations

Unit Overview

In this unit you will learn the way in which roles and authorizations are handled in SAP BusinessObjects Risk Management.

Unit Objectives

After completing this unit, you will be able to:

• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement

Unit Contents

Lesson: Roles and Authorizations

Lesson: Roles and Authorizations
Lesson Duration: 15 Minutes

Lesson Overview

This lesson will show you how roles and authorizations are handled in SAP BusinessObjects Risk Management 3.0.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement

Business Example

The risk management process works well when all participants know and understand their particular role and are able to execute accordingly. SAP BusinessObjects Risk Management supports this through delivery of standard business roles applicable to risk management and through an authorization concept that allows users to interact with the system according to their role. This ensures that users are given appropriate system access which maintains confidentiality of data and supports a streamlined system interaction.

What are Roles and Authorizations?

Authorizations for an end-user to view and change risk management information are determined in 3 areas:

• SAP NetWeaver back-end
• Risk Management application
• SAP Enterprise Portal

Roles and Authorizations management extends SAP’s Users and Roles Management from SAP NetWeaver to provide additional flexibility for the end-user.

SAP Roles Overview

The Roles and Authorizations model from Risk Management includes 3 different areas.

SAP NetWeaver back-end - Technical SAP Roles are maintained to operate the Risk Management application. Transaction PFCG defines Risk Management specific roles such as Risk Manager or Risk Owner. These roles contain the information about which actions and entities an end-user is allowed to perform once he/she is assigned the role. For example, Risk Owner (Business Role) can create and edit (actions) a risk (entity).

Risk Management application - Use the web front-end of the application to assign end-users to Business User roles and to entities such as risks, opportunities, and organizations. In the example above, Mr. Miller is assigned to be Risk Manager for Organization Unit ABC.

SAP Enterprise Portal - The portal role assigned to the end-user determines how and where the Risk Management specific information, such as the order and number of visible work centers, is presented.

The following SAP Roles are applicable for the Risk Management application:

| Role | Authorization |
| --- | --- |
| SAP_GRC_FN_BASE | Technical base role |
| SAP_GRC_FN_ALL | All authorizations |
| SAP_GRC_FN_DISPLAY | View-only authorizations |
| SAP_GRC_FN_BUSINESS_USER | Authorization dependent on Business User Role assigned to user |

The SAP Roles listed above contain the basic authorizations to operate the Risk Management application.

A system administrator can use transaction PFCG in SAP User and Role Management to modify these role definitions:

• FN_BASE: is the basic (minimal) technical role required to operate the Risk Management application. This role contains all necessary authorizations to make the necessary customizing settings in IMG for the Risk Management application. This role does not contain any authorizations for the portal interface.
• FN_ALL: contains authorization for administrative functions in IMG customizing, as well as power user authorization in the application. When this role is assigned to a user, the user becomes a power user.
• FN_DISPLAY: enables an end-user with this role to display all risk management information. This role is useful for external auditors who wish to check the system settings and view content, but should not be able to make changes to the application.
• FN_BUSINESS_USER: authorizes the user to perform actions on only assigned entities in risk management.

Note: The rest of this lesson will explain this concept.

Business Unit Roles Overview

Unit Risk Manager (SAP_GRC_RM_API_RISK_MANAGER)

| Actions/Entity | ACTIVITY | RISK | INCIDENT |
| --- | --- | --- | --- |
| Create | X | X | X |
| Read | X | X | X |
| Update | X | X | X |
| Delete | X | X | |

Note: X = Authorization granted to role

The table above shows the structure of a sample role. A user assigned to the Business User role of Unit Risk Manager is permitted to view (read), create, change (update) and delete risks and activities, for example, projects and processes in the application, but cannot delete an incident once it is created. A customer may use this structure to ensure segregation of duties for the application.

Note: Authorization for “create”, “update”, “delete” always implies a “Read” authorization for corresponding entity.

Transaction SE11 in the back-end can be used to view the list of available entities for SAP BusinessObjects Risk Management in database table GRCFNENTITY.

A set of sample roles is delivered as Business Content for the application. SAP User and Role Management transaction PFCG can be used to modify the sample roles and create new roles.

Business User Roles in PFCG

Business user roles and authorization profiles are created and maintained in transaction PFCG. In addition to action (Activity), and entity, a Data Part can be maintained to allow an even more granular authorization for entities.

Examples of Data Parts are DATA and ROLES_RM for an organizational unit (see above), which determine that the user is authorized to change data such as Name, Description or the organization, as well as the assigned risk management roles, such as CEO or CFO, for an entity.

You can use transaction SE11 to review the list of available Data Parts per entity in database table GRCFNDATAPART.

Sub-entity allows further distinction of entities. As this feature is primarily used by SAP BusinessObjects Process Control, it is recommended to maintain “*” for Risk Management entities.

Assignment of Business User Roles to users

Use the web interface of the Risk Management application to assign users to roles.

It is possible to assign multiple users to a role, depending on the customizing settings for GRC Authorizations in IMG.

The Roles tab enables assignment of users to roles, replacement of an assigned user with a different user, or removal of a user from a role.

In general, available users are derived from information maintained in SAP User & Role Management, transaction SU01 and subsequent. The exception is Second-Level Authorizations.

Maintain Relevant Roles for Entities

The list of available roles for an entity is derived from the Entity Roles Assignment maintenance in IMG Customizing, SPRO → GRC Risk Management → General Settings → Maintain Entity Role Assignment.

The Unique flag in customizing allows you to determine the assignment of roles and names. When set, only one user can be assigned to the role for the entity. If the flag is not set then multiple users can be assigned to a role.

2nd Level Authorizations for Business Roles

The concept of second level authorizations was introduced to support segregation of duties conflicts.

Once set in the IMG customizing

Special Authorizations

| Actions | Description |
| --- | --- |
| Reporting (PRINT) | Enables print reporting |
| Reporting (DISPLAY) | Enables online reporting |
| Post | Enables “Ad-hoc Tasks”, such as “Record an Incident” or “Propose a Risk” |
| Own Delegation | Allows delegation of own authorizations |
| Central Delegation | Allows central maintenance of delegations |

In contrast to Create, Read, Display and Delete authorization, which is granted for a specific entity (through assignment), some special authorizations can be granted for a role.

These actions are not limited to a specific entity, but enable functionality for a role, taking the individual authorization of an entity into account. For example, once granted Reporting (DISPLAY) authorization for a Unit Risk Manager, the assigned user can run online reports for the Risk Management application (special authorization). Once executed, the report takes entity-specific authorizations into account; for example, the report shows only the risks (entities) to which the user is assigned.

Effects of User-Role Assignment

There are three immediate effects once a user is assigned to a role for an entity or object such as a risk or organization:

1. Authorization for the object and below is granted per Business User role definition. For example, Mr. Smith can Display, Update, and Delete (per role definition) the Risk 123.
2. The user receives relevant workflows depending on the Business Event setup.
3. Menu items become visible to access the information from the web interface of the Risk Management application in the SAP Enterprise Portal. In the example above, the Risk and Opportunity Management start pages give Mr. Smith the required entry point to the application.

Business Events

Business Events define the recipients of a workflow task by mapping the workflow to one or multiple recipient roles.

Business Events allow flexible adjustment of the workflow task to company-specific characteristics, such as approval and validation processes.

The diagram below shows the general structure of a Business Event in the SAP BusinessObjects Risk Management 3.0 application.

Figure 81: Business Events

Business Event Customizing

The table below provides an overview of customizing options for Business Events available in Risk Management IMG. The lists of available

Portal Role

• The Portal Role maintained in SAP Enterprise Portal defines where and how the Risk Management content is presented to the end-user
• Each end-user needs to have a Portal Role assigned to access the Risk Management application

A default portal role, com.sap.grc.rm.Role_All, for the Risk Management application is shipped as SAP Enterprise Portal Content.

The role can be copied and/or adjusted to match the target portal and information structure, for example, remove or rename tabs from the default role.

Note: The number and visibility of the menu entries in the start pages of the Risk Management application is derived from the Business User roles that are assigned to the end-user.

Figure 82: Work Center structure is derived from assigned SAP Enterprise Portal role. Visibility of menu items is per assigned Business User role (authorizations).

Delegation

• Delegation allows a user to act as delegate in the Risk Management application for a second user
• The delegate works on behalf of the second user, including all authorizations and workflow assignments
• Delegation can be given for own authorization or defined centrally depending on the Special Authorization assigned to the Business User role

In the default SAP Enterprise Portal role the entries for Central Own Delegation can be found in the “User Access” Work Center.

The delegation concept is primarily targeted for temporary redistribution and reassignment of work, for example, during vacation or maternity leave of an employee. It also supports a permanent delegation of authorizations that might be applicable for some roles, for example, Executive Assistant acting on behalf of the CEO/CFO in the risk management application.

These applications allow the definition of delegates through a step-by-step procedure. The delegate can change the authorization he is currently working with by using “Change Delegation” on the upper right side of the Risk Management start pages. “Own Delegation” allows the definition of own delegates whereas “Central Delegation”


Figure 83: GRC Risk Management

Figure 84: Changing Delegation

Figure 85: User Access Delegation


Replacement
• Replacement allows the permanent removal and reassignment of existing authorizations

Replacement provides the ability to permanently remove a user and his authorizations from the Risk Management application and reassign them to one or multiple users.

In contrast to the Removal of a user (see the Roles tab page for authorization-relevant entities) where authorization assignment is delimited without reassigning it, the Replacement mechanism automatically transfers all authorization for an object from the Effective Date onwards to one or more replacements, including the rerouting of workflow items.

The replacements can be accessed in the default SAP Enterprise Portal role from User Access - Replacement/Removal, as well as from the Roles tab page for authorization-relevant entities, such as risks and activities.
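The difference between Removal and Replacement described above, as an added conceptual model that is not SAP code or part of the course material. All names, users, entities and dates are constructed for illustration, and the model assumes the Effective Date has been reached when open workflow items are rerouted.

```python
from dataclasses import dataclass, replace
from datetime import date

OPEN_END = date.max  # constructed marker: assignment has no end date

@dataclass(frozen=True)
class Assignment:
    user: str
    entity: str
    valid_from: date
    valid_to: date = OPEN_END  # exclusive upper bound

def holders(assignments, entity, on):
    """Users whose assignment to the entity is valid on the given day."""
    return sorted({a.user for a in assignments
                   if a.entity == entity and a.valid_from <= on < a.valid_to})

def remove_user(assignments, user, effective):
    """Removal: delimit the user's assignments at the effective date, reassign nothing."""
    kept = []
    for a in assignments:
        if a.user != user or a.valid_to <= effective:
            kept.append(a)                               # other user, or already ended
        elif a.valid_from < effective:
            kept.append(replace(a, valid_to=effective))  # delimited, history preserved
        # assignments that would only start on/after the effective date are dropped
    return kept

def replace_user(assignments, inbox, user, successors, effective):
    """Replacement: removal plus transfer to the successors and rerouting of open items."""
    moved = [replace(a, user=s, valid_from=max(a.valid_from, effective))
             for a in assignments if a.user == user and a.valid_to > effective
             for s in successors]
    rerouted = {item: (list(successors) if owner == user else [owner])
                for item, owner in inbox.items()}
    return remove_user(assignments, user, effective) + moved, rerouted

def demo():
    # Constructed sample data
    start, cutover = date(2010, 1, 1), date(2010, 7, 1)
    assignments = [Assignment("CARL", "RISK-001", start),
                   Assignment("DANA", "RISK-002", start)]
    inbox = {"WI-7": "CARL", "WI-8": "DANA"}
    removed = remove_user(assignments, "CARL", cutover)
    replaced, routed = replace_user(assignments, inbox, "CARL", ["ERIN", "FAYE"], cutover)
    return {"removed_after": holders(removed, "RISK-001", cutover),
            "replaced_before": holders(replaced, "RISK-001", date(2010, 6, 30)),
            "replaced_after": holders(replaced, "RISK-001", cutover),
            "inbox": routed}
```

After Removal the entity has no holder from the Effective Date onwards, which is the gap an access review should look for; after Replacement the successors hold it and the earlier period stays attributed to the original user.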

Figure 86: GRC Risk Management User Access


Figure 87: GRC Risk Management Replace or Remove User

Ticket Based Authorization
• Ticket-Based Authorization (TBA) ensures that the recipient is granted sufficient authorization to successfully complete a workflow task
• The (additional) authorization is assigned temporarily as long as the workflow item is available in the recipient’s Work Inbox
• To avoid “deadlock” situations where a workflow recipient is asked to complete a task but the recipient’s assigned role does not have sufficient authorizations to complete the workflow item, the concept of “Ticket-Based Authorization” was added to the product.
• Ticket-Based Authorization ensures that workflow recipients are temporarily granted sufficient authorization to complete a workflow task for the relevant entity (for example, risk or opportunity)
• When the workflow item is completed the authorization for the entity is removed from the user (One-Time Ticket)
• Ticket-Based Authorization minimizes the setup, customizing, and maintenance effort required to operate the Risk Management application
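The one-time ticket behaviour listed above, as an added conceptual model that is not SAP code or part of the course material. The class, method, user and entity names are hypothetical; the model treats every open workflow item as a ticket scoped to one recipient, one entity and one action.

```python
from dataclasses import dataclass, field

@dataclass
class TicketAuthorizationModel:
    role_grants: set = field(default_factory=set)  # permanent: (user, entity, action)
    inbox: dict = field(default_factory=dict)      # open items: item_id -> (user, entity, action)
    audit_log: list = field(default_factory=list)

    def is_authorized(self, user, entity, action):
        """Allow if the assigned role grants it or an open workflow item carries a ticket for it."""
        grant = (user, entity, action)
        return grant in self.role_grants or grant in self.inbox.values()

    def send_workflow_item(self, item_id, recipient, entity, action):
        """Put the item in the recipient's inbox; the ticket exists exactly as long as the item."""
        if item_id in self.inbox:
            raise ValueError(f"workflow item {item_id} is already open")
        self.inbox[item_id] = (recipient, entity, action)
        self.audit_log.append(("ticket_issued", item_id, recipient, entity, action))

    def complete_workflow_item(self, item_id, user):
        """Complete the item and drop its ticket (one-time ticket)."""
        recipient, entity, action = self.inbox[item_id]
        if user != recipient:
            raise PermissionError(f"{user} is not the recipient of {item_id}")
        del self.inbox[item_id]
        self.audit_log.append(("ticket_revoked", item_id, recipient, entity, action))

def demo():
    # Constructed sample: ANNA's role only allows display of RISK-001.
    model = TicketAuthorizationModel(role_grants={("ANNA", "RISK-001", "display")})
    checks = {"before": model.is_authorized("ANNA", "RISK-001", "validate")}
    model.send_workflow_item("WI-1", "ANNA", "RISK-001", "validate")
    checks["during"] = model.is_authorized("ANNA", "RISK-001", "validate")
    checks["other_entity"] = model.is_authorized("ANNA", "RISK-002", "validate")
    checks["other_user"] = model.is_authorized("BOB", "RISK-001", "validate")
    model.complete_workflow_item("WI-1", "ANNA")
    checks["after"] = model.is_authorized("ANNA", "RISK-001", "validate")
    checks["role_kept"] = model.is_authorized("ANNA", "RISK-001", "display")
    return checks, model.audit_log
```

Pairing every `ticket_issued` entry with a `ticket_revoked` entry in the audit log is the check that shows no temporary authorization outlived its workflow item.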


Figure 88: Sample of delivered authorization profile and Business Events for the role.

Sample Business User Roles
The table below gives an overview of sample Business User roles that are delivered as Business Content for the Risk Management application.

Use transaction PFCG to review the detailed authorization profiles delivered for the sample roles. Please note that the given description varies for each risk management organization, so this table can be seen only as a sample definition reflecting the delivered authorization profile and Business Events for the role.


Lesson Summary

You should now be able to:
• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement


Unit Summary
You should now be able to:
• Explain the contribution of SAP NetWeaver back-end, RM application, and Enterprise Portal to authorizations.
• Identify the roles delivered as standard Business Content
• Explain the concepts of Delegation and Replacement


Course Summary
You should now be able to:
• Identify risks and opportunities in a business environment
• Run the various types of risk analysis
• Add responses to risks
• Show what a Key Risk Indicator is and how SAP BusinessObjects Risk Management uses them.


Feedback
SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.
