SAP BusinessObjects Risk Management 3.0 Business Blueprint Workshop Response and Enhancement Plan Version 1.0 Initial Release

Nov 05, 2015

  • SAP BusinessObjects Risk Management 3.0

    Business Blueprint Workshop

    Response and Enhancement Plan

    Version 1.0 Initial Release

  • SAP 2008 / Page 2

    Business Blue Print Response and Enhancement Plan

    Applies to:

    SAP BusinessObjects Risk Management 3.0

    Summary

    This document is intended to explain the necessary steps required to configure Risk Management 3.0.

    Author(s): Customer Advisory Organization and Regional Implementation Group

    Company: Governance, Risk, and Compliance

    SAP BusinessObjects Division

    Created on: August 2009

  • SAP 2008 / Page 3

    The following IMG activities are covered in this document:

    1. Maintain Response and Enhancement Plan Purpose

    2. Maintain Response and Enhancement Plan Completeness

    3. Set Up Link from Control Results to RM

    4. Convert Control Rating for RM Response Field

    5. Maintain Response and Enhancement Plan Effectiveness

    6. Maintain Enhancement Plan Types

    7. Maintain Response Plan Types

    Each IMG activity has the following sections:

    Business context: Summarizes the business purpose.

    Solution functionality: Shows the related UI screens.

    Configuration and data gathering: Shows the IMG table, suggested interview questions, and data capture area.

  • SAP 2008 / Page 5

    Business Context

    Response and Enhancement Plan Purpose

    What is the Response and Enhancement Plan Purpose?

    To maintain the overarching goal of the response tasks.

    Why is Response and Enhancement Plan Purpose Important?

    Defines the overall strategy for the response (e.g., do we want to work on preventing the risk from occurring, or focus our effort on developing recovery plans, knowing that we can't do anything to prevent the risk event?).

    What are the Benefits of Response and Enhancement Plan Purpose?

    Guides the response owner in shaping the response and subsequent actions to fit the needs of the mitigation strategy.

    Codifies the response plans to help determine if the response strategies being employed follow specific patterns.

  • SAP 2008 / Page 6

    Business Context

    Example Response and Enhancement Plan Purpose

    Recall that Risk Management has two sides of the same coin:

    Risk = negative outcome

    Opportunity = positive outcome

    Thus, for many companies the purpose of response plans is either to prevent or recover from a risk, or to enrich or facilitate an opportunity.

    For example, if your company has captured a risk relating to the potential for a pandemic, it may employ two potential response actions:

    Prevent: provide training to employees on how to handle personal illness

    Recover: employ the Business Continuity Plan relating to pandemics

  • SAP 2008 / Page 7

    Solution Functionality

    Response and Enhancement Plan Purpose

    Copy of UI

    RM 3.0 allows you to configure the appropriate response types for your company.

  • SAP 2008 / Page 8

    Configuration and Data Gathering

    Response and Enhancement Plan Purpose

    Maintain Response and Enhancement Plan Purpose

    In this Customizing activity, you maintain the specific purposes of responses to risks or enhancement plans for opportunities. For example, you can define the purpose of the response as being preventive or corrective.

  • SAP 2008 / Page 9

    Configuration and Data Gathering

    Response and Enhancement Plan Purpose

    When working with your response plans for risks, how would you categorize the response purposes for your company?

    When working with your response plans for opportunities, how would you categorize the response purposes for your company?

  • SAP 2008 / Page 10

    Configuration Requirements

    Response and Enhancement Plan Purpose

    Response Code | Response Purpose Text
    1 |
    2 |
    3 |
    4 |
    5 |
    6 |
    7 |
    8 |
    9 |
    10 |

  • SAP 2008 / Page 12

    Business Context

    Response and Enhancement Plan Completeness

    What is Response and Enhancement Plan Completeness?

    Percentages used to indicate how well a response is being managed with respect to a risk or opportunity.

    Why is Response and Enhancement Plan Completeness Important?

    They provide an indication of whether or not response actions are actually being implemented.

    Response completeness is used to calculate the residual risk level (along with response effectiveness).

    What are the Benefits of Defining Response and Enhancement Plan Completeness?

    Improved visibility into response progress.

    Enables the tracking of the required work involved in performing the response plan.

    Ensures a proactive response to managing risks by the Response Plan Owner.

  • SAP 2008 / Page 13

    Business Context

    Example Response and Enhancement Plan Completeness

    Risk Management 3.0 allows the user to set a default percentage completion for a response plan based on the start date for the plan. Once the plan is complete and a finish date is entered, the completion percentage moves to 100%.

    For example, if the Response Plan for a Pandemic is to develop a Business Continuity Plan (BCP), the completion percentage could default to 20% (based on a configuration table) once the Actual Start Date for the Response Plan is entered in the system.

    Once the BCP is completed, the Response Owner can enter the Actual Finish Date for the completion of the plan, resulting in a Completeness percentage of 100% (also based on the configuration table).

    It is also possible for the Response Owner to overwrite the percentage of completeness based on the configuration tables by using the provided checkbox.

  • SAP 2008 / Page 14

    Solution Functionality

    Response and Enhancement Plan Completeness

    Actual Start Date and Actual Finish Date use a configuration table to determine the Completeness of a Response. The checkbox can be used to overwrite these settings.

  • SAP 2008 / Page 15

    Configuration and Data Gathering

    Response and Enhancement Plan Completeness

    Maintain Response and Enhancement Plan Completeness

    In this Customizing activity, you maintain the date at which the default start and finish of the "response completeness" takes place, together with a percentage degree of completion for the response completion start and finish. (Note that for a risk, you enter data for a response, but for an opportunity, you are entering data for an enhancement plan.)

    Note: The Start Completion will default to 20% once the Start Date is entered in the User Entry Screen. The remaining 80% will be added to the percentage of completion when the Actual Finished Date is entered. In the Configuration table, the Start and Finished completion percentages must add up to 100%. These settings are time sensitive and can be activated by using the radio button.
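
The defaulting rule described above, as an added example (not SAP code and not part of the original slides): a Python sketch that checks a date-activated completeness table and derives a response's completeness from its actual dates. The table layout, the function names, the sample rows and the choice to select the row by Actual Start Date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CompletenessRule:
    """One row of a hypothetical completeness configuration table."""
    valid_from: date   # activation date of this row
    start_pct: int     # credited when the Actual Start Date is entered
    finish_pct: int    # credited when the Actual Finish Date is entered


# Constructed sample table: 20/80 split, changed to 30/70 from 2010 onwards.
SAMPLE_RULES = [
    CompletenessRule(date(2009, 1, 1), 20, 80),
    CompletenessRule(date(2010, 1, 1), 30, 70),
]


def validate_rules(rules):
    """Return a list of problems; an empty list means the table is usable."""
    problems, seen = [], set()
    for r in rules:
        if not (0 <= r.start_pct <= 100 and 0 <= r.finish_pct <= 100):
            problems.append(f"{r.valid_from}: percentage outside 0-100")
        if r.start_pct + r.finish_pct != 100:
            problems.append(f"{r.valid_from}: start + finish is "
                            f"{r.start_pct + r.finish_pct}, must be 100")
        if r.valid_from in seen:
            problems.append(f"{r.valid_from}: duplicate activation date")
        seen.add(r.valid_from)
    return problems


def active_rule(rules, on):
    """Pick the row with the latest activation date that is not after `on`."""
    candidates = [r for r in rules if r.valid_from <= on]
    if not candidates:
        raise LookupError(f"no completeness rule active on {on}")
    return max(candidates, key=lambda r: r.valid_from)


def completeness(rules, actual_start=None, actual_finish=None, override_pct=None):
    """Completeness in percent for one response or enhancement plan."""
    # The checkbox case: a manually entered value replaces the defaults.
    if override_pct is not None:
        if not 0 <= override_pct <= 100:
            raise ValueError("override must be between 0 and 100")
        return override_pct
    if actual_start is None:
        if actual_finish is not None:
            raise ValueError("finish date entered without a start date")
        return 0
    if actual_finish is not None and actual_finish < actual_start:
        raise ValueError("finish date precedes start date")
    # Assumption: the row active on the Actual Start Date governs the plan.
    rule = active_rule(rules, actual_start)
    pct = rule.start_pct
    if actual_finish is not None:
        pct += rule.finish_pct
    return pct


if __name__ == "__main__":
    print(validate_rules(SAMPLE_RULES))
    print(completeness(SAMPLE_RULES, date(2009, 8, 1)))
    print(completeness(SAMPLE_RULES, date(2009, 8, 1), date(2009, 12, 1)))
```

Running `validate_rules` before the table is activated catches rows whose two percentages do not add up to 100, which would otherwise leave finished plans below or above 100% and distort the residual risk figures that depend on completeness.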

  • SAP 2008 / Page 16

    Configuration and Data Gathering

    Response and Enhancement Plan Completeness

    What date would you like your default completeness percentages to be activated on?

    Once a Start Date is entered for a Response Plan, what should be the Default Value for Completeness?

    The Percentage for the Finished Completion field is the difference between your default start percentage and 100% (example: 100% - 20% = 80%). What is the result for your company?

  • SAP 2008 / Page 17

    Configuration Requirements

    Response and Enhancement Plan Completeness

    # | Date | Start Completion | Finished Completion
    1 | | |
    2 | | |
    3 | | |
    4 | | |
    5 | | |
    6 | | |
    7 | | |
    8 | | |
    10 | | |

  • SAP 2008 / Page 19

    Business Context

    Link from Control Results to RM

    What is the Link from Control Results to RM?

    The link between Risk Management and Process Controls for Response Plans.

    Why is the Link from Control Results to RM Important?

    The link can be used to leverage existing Control Plans from PC to help manage risks.

    What are the Benefits of Defining the Link from Control Results to RM?

    You can leverage your existing controls (or Response Plans) to help manage your company's risks. In this way multiple risks can be handled via a single control.

    In addition, you can use your Risk Management system to provide Process Controls with information on the effectiveness of its controls.

  • SAP 2008 / Page 20

    Business Context

    Example Link from Control Results to RM

    The Purchasing Organization may be maintaining multiple risks associated with fraud relating to vendors or employees:

    Fake vendors

    Suspicious vendor selection

    Missing Purchase Orders

    Improper sign-offs

    Each risk could be addressed uniquely within RM 3.0 with its own response plan. However, with the RM-PC link the user can leverage the existing Purchasing Controls within PC to respond to the risks.

    Finally, the Risk Management system could then be used to provide feedback to Process Controls concerning the effectiveness of the control.

  • SAP 2008 / Page 21

    Solution Functionality

    Link from Control Results to RM

    RM 3.0 allows the User to create a Response, use an existing Response, or use a Control from Process Controls.

  • SAP 2008 / Page 22

    Configuration and Data Gathering

    Link from Control Results to RM

    Set Up Link from Control Results to RM

    Use

    In this Customizing activity, you set up a link to the control results from the Process Control application, which can subsequently be used in the Risk Management application. The control results are stored in SAP Records Management in the form of "cases". The following two criteria are used for classification: Completeness and Effectiveness.

    Category codes:

    TE = P/C effectiveness testing

    CD = Control Design Assessment

    CE = Control Self Assessment

    CO = automated testing

    MO = automated monitoring

    Case Type or Entity Types = high-level grouping in PC (G_TL = testing, G_AS = assessment)

    CL = Completeness, EF = Effectiveness

    PC gives case type, category, rating (G, R, Y). Also decide for CL and EF.

  • SAP 2008 / Page 23

    Configuration and Data Gathering

    Link from Control Results to RM

    What Process Controls should be used in your RM 3.0 Application?

    What Entity Types and Category combinations from Process Controls should be used to retrieve the Controls?

  • SAP 2008 / Page 24

    Configuration Requirements

    Link from Control Results to RM

    Case Type | Category | Field

  • SAP 2008 / Page 26

    Business Context

    Control Rating for RM Response Field

    What is the Control Rating for RM Response Field?

    Process Control maintains control ratings for each control depending on tests and assessments. Each control is given a rating of Green (G), Yellow (Y), or Red (R) as to its Completeness and Effectiveness.

    Why is the Control Rating for RM Response Field Important?

    The Control Rating is important because it is used in RM 3.0 to adjust the Completeness Percentage field for each response.

    What are the Benefits of Defining the Control Rating for RM Response Field?

    By adjusting the Control Rating rules for RM 3.0 you can better manage the effectiveness of the response plan for your risks.

  • SAP 2008 / Page 27

    Business Context

    Example Control Rating for RM Response Field

    If you recall, the Purchasing Organization may be maintaining multiple risks associated with fraud relating to vendors or employees:

    Fake vendors

    Suspicious vendor selection

    Missing Purchase Orders

    Improper sign-offs

    Since these risks are using the Purchasing Controls as response strategies, they are subject to the effectiveness and completeness of the control.

    As the Purchasing Control is tested/assessed and rated (G, Y, R) in PC, its ratings can be used to evaluate the effectiveness of the control for the risks being managed.

  • SAP 2008 / Page 28

    Solution Functionality

    Control Rating for RM Response Field

    RM 3.0 allows the User to create a Response, use an existing Response, or use a Control from Process Controls.

  • SAP 2008 / Page 29

    Configuration and Data Gathering

    Control Rating for RM Response Field

    Convert Control Rating for RM Response Field

    In this Customizing activity, you assign the completeness and effectiveness response fields from Process Control, including the control rating, to a Risk Management response field. You do this by specifying the percentage value with which the absolute control rating results from Process Control are converted to a value in Risk Management.

  • SAP 2008 / Page 30

    Configuration and Data Gathering

    Control Rating for RM Response Field

    For each combination of Completeness and Effectiveness with Green (G), Yellow (Y), and Red (R), what should be the default Completion Percentage in RM 3.0?

    Completeness: G =

    Completeness: Y =

    Completeness: R =

    Effectiveness: G =

    Effectiveness: Y =

    Effectiveness: R =

  • SAP 2008 / Page 31

    Configuration Requirements

    Control Rating for RM Response Field

    Field | Rating | Percentage

  • SAP 2008 / Page 33

    Business Context

    Response and Enhancement Plan Effectiveness

    What is Response and Enhancement Plan Effectiveness?

    A qualitative and quantitative factor used to indicate how well a response is being managed with respect to a risk or opportunity.

    Why is Response and Enhancement Plan Effectiveness Important?

    Assists the Response Owner and/or Risk Manager in determining the current effectiveness of the response plan so that corrective action can be taken if necessary (e.g. change the response action).

    Response effectiveness is used to calculate the residual risk level (along with response completeness).

    What are the Benefits of Defining Response and Enhancement Plan Effectiveness?

    Increased management of risks.

    Better response categorization and control of response plans.

    Automatically adjusts the Residual Risk amounts.

  • SAP 2008 / Page 34

    Business Context

    Example Response and Enhancement Plan Effectiveness

    The owner of all of the Purchasing Organization risks can use the Response Plan Effectiveness indicator to monitor how well the identified risks are being managed, adjust the residual risk, and take corrective action if necessary.

    Risk | Response Effectiveness | Eff % | Management Action
    Fake vendors | Very Effective | 100% | None. Risk is being managed effectively
    Suspicious vendor selection | Effective | 75% | None. Risk is being managed effectively
    Missing Purchase Orders | Ineffective | 10% | Response Plan is not working. Immediate attention required
    Improper sign-offs | Somewhat Effective | 50% | Response Plan needs to be reviewed

  • SAP 2008 / Page 35

    Business Context

    Example Response and Enhancement Plan Effectiveness

    Based on the grid for effective %, the Residual Risk for each would be adjusted accordingly.

    Risk | Planned Response Reduction | Response Effectiveness | Eff % | Adj. Residual % (Eff % X Planned)
    Fake vendors | 100% | Very Effective | 100% | 100%
    Suspicious vendor selection | 80% | Effective | 75% | 60%
    Missing Purchase Orders | 95% | Ineffective | 10% | 9.5%
    Improper sign-offs | 100% | Somewhat Effective | 50% | 50%

  • SAP 2008 / Page 36

    Solution Functionality

    Response and Enhancement Plan Effectiveness

  • SAP 2008 / Page 37

    Configuration and Data Gathering

    Response and Enhancement Plan Effectiveness

    Maintain Response and Enhancement Plan Effectiveness

    In this Customizing activity, you define levels for the effectiveness of responses to risks, as well as the effectiveness of the enhancement plan for an opportunity. In this way you define how effective your responses and enhancement plans are. The entries are user-defined.

    Note: the effectiveness level is applied for risk responses as well as for enhancement plans for opportunities.

    Based on the selection, the associated Response Effectiveness Percentage is used to calculate Residual Risks (Response Effectiveness % X Planned Probability).

  • SAP 2008 / Page 38

    Configuration and Data Gathering

    Response and Enhancement Plan Effectiveness

    Consider what type of relationship you would like to maintain between the percentage of effectiveness of a response plan and a descriptive text.

    You may wish to define the text portion before applying percentages. For example:

    Ineffective = %

    Slightly effective = %

    Somewhat effective = %

    Effective = %

    Very Effective = %

  • SAP 2008 / Page 39

    Configuration Requirements

    Response and Enhancement Plan Effectiveness

    Effective Level | Response Effective % | Effectiveness Description
    0 | |
    1 | |
    2 | |
    3 | |
    4 | |

  • SAP 2008 / Page 41

    Business Context

    Enhancement Plan Types

    What are Enhancement Plan Types?

    Used to categorize responses for Opportunities (enhance, ignore, watch, share, research).

    Why are Enhancement Plan Types Important?

    Allow you to categorize the different responses based on the type or level of management action and/or non-action that should be taken when responding to an opportunity.

    What are the Benefits of Defining Enhancement Plan Types?

    The Risk Manager can categorize the response plans for each opportunity and better assess and allocate resources to enhancement plans requiring active participation (example: enhancing a plan requires activity and ignoring does not).

  • SAP 2008 / Page 42

    Business Context

    Example Enhancement Plan Types

    Enhancement plan types can be used by the Purchasing Manager to better organize and determine which opportunities will be allocated valuable resources.

    For example, if there are two opportunities being managed:

    1. Enhance supplier relationships

    Response: Implement a Supply Chain Management system.

    Response Type: Enhance

    2. Build Strategic Buying Power

    Response: Join internet buying consortium

    Response type: Watch

    Based on the Response Types, the 1st opportunity would be prioritized higher than the 2nd based on its Enhance response type.

  • SAP 2008 / Page 43

    Solution Functionality

    Enhancement Plan Types

  • SAP 2008 / Page 44

    Configuration and Data Gathering

    Enhancement Plan Types

    Maintain Enhancement Plan Types

    In this Customizing activity, you maintain enhancement plan types for opportunities.

  • SAP 2008 / Page 45

    Configuration and Data Gathering

    Enhancement Plan Types

    How would your company like to categorize responses for opportunities?

    A traditional model would include:

    Enhance

    Watch

    Ignore

    Share

    Research

  • SAP 2008 / Page 46

    Configuration Requirements

    Enhancement Plan Types

    Type | Description

  • SAP 2008 / Page 48

    Business Context

    Response Plan Types

    What are Response Plan Types?

    Used to categorize responses for Risks (accept, watch, research, transfer, mitigate).

    Why are Response Plan Types Important?

    Allow you to categorize the different responses based on the type or level of management action and/or non-action that should be taken when responding to a Risk.

    What are the Benefits of Defining Response Plan Types?

    The Risk Manager can categorize the response plans for each risk and better assess and allocate resources to risk response plans requiring active participation (example: mitigating a risk requires activity and accepting does not).

  • SAP 2008 / Page 49

    Business Context

    Example Response Plan Types

    Like Enhancement Plan Types, Response Plan Types can be used by the Purchasing Manager to better organize and determine which risks will be managed first.

    In this example there are two risks being managed:

    1. Fictitious Vendor Creation

    Response: Develop vendor creation policy.

    Response Type: Mitigate

    2. Sole Source Vendor Selection

    Response: Develop purchasing policy requiring a minimum of three vendor quotations

    Response type: Research

    Again, based on the Response Types, the 1st risk would be prioritized higher than the 2nd based on its Mitigate response type.

  • SAP 2008 / Page 50

    Solution Functionality

    Response Plan Types

  • SAP 2008 / Page 51

    Configuration and Data Gathering

    Response Plan Types

    Maintain Response Plan Types

    In this Customizing activity, you configure and maintain specific response types for the risks defined.

  • SAP 2008 / Page 52

    Configuration and Data Gathering

    Response Plan Types

    How would your company like to categorize responses for risks?

    A traditional model would include:

    Accept

    Watch

    Research

    Transfer

    Mitigate

  • SAP 2008 / Page 53

    Configuration Requirements

    Response Plan Types

    Type | Description
