
Operational Risk Management - uni-frankfurt.de · SEM Risk Management Treasury ... ©SAP AG 2003, Title ofSAP AG2004, SAP Operational Risk Management, mySAP ERP 8 Presentation, Speaker


Operational Risk Management

Overview about a planned new application for mySAP ERP

Solution Management mySAP ERP

© SAP AG 2003, Title of Presentation, Speaker Name / 2© SAP AG 2004, SAP Operational Risk Management, mySAP ERP 2

Agenda – Operational Risk Management

SAP’s two folded Offering

SAP’s planned Operational Risk Management (ORM)

Guiding Principles for ORM

External Requirements for Risk Management

Corporate Governance and Risk Management

SAP SEM Strategic Risk Management

ORM in Detail


Corporate Governance - Objectives

Compliance
  • Compliance with rules and regulations
  • Detection of exceptions

Transparency
  • Accurate, auditable accounting
  • Unlimited access, external / internal

Speed
  • Fast Close
  • Fast Transformation


Corporate Governance – external Requirements

Requirements
  • Accurate & auditable accounting
  • Parallel accounting
  • Transparency of accounting figures
  • Timely availability of financial information
  • Compliance with accounting standards
  • Compliance with corporate governance std.
  • Documentation of tax relevant information
  • Transparency in treasury
  • Auditable (operational) processes
  • Mid-term planning
  • Strategy outlook
  • Transparency of risk situation

CFO

Auditors

Public authorities (Tax, Regulators, Stock Exchanges)

Creditors (Banks, Investors)

Analysts & Rating Agencies

Rules and regulations

US-GAAP, IAS, local GAAPs, Basel II, local tax regulations, Corp.Gov Codex, Sarbanes-Oxley Act, LSF, COSO, COSO II, KonTraG, ...


mySAP ERP supporting Corporate Governance

Built-in Control Principles of the SAP Architecture (→ SAP NetWeaver & mySAP ERP)
  • Inherent Controls
  • Configurable Controls
  • Security Controls
  • Reporting Controls

System Integration (→ SAP NetWeaver)
  • Reduce complexity
  • Reduce custom integration
  • Increase company performance

Applications directly supporting Corporate Governance (→ mySAP ERP)
  • Management of Internal Controls
  • Audit Information System
  • Whistle Blower Complaints
  • Transparency for Basel II
  • Operational Risk Management *

Additional Capabilities (→ mySAP ERP)
  • (New) General Ledger
  • Fast Close
  • Support for IAS
  • Transfer Pricing
  • SEM Business Consolidation
  • SEM Business Planning
  • SEM Strategy & Performance Mgmt.
  • SEM Risk Management
  • Treasury

* planned for mySAP ERP 2006


mySAP ERP Solution Map: mySAP ERP supporting Corporate Governance

[Figure: mySAP ERP solution map. Rows recovered from the slide:]
  • Analytics: Strategic Enterprise Management, Financial Analytics, Operations Analytics, Workforce Analytics
  • Financials: Corporate Governance, Financial Accounting, Management Accounting, Financial Supply Chain Management
  • Human Capital Management: Employee Relationship Management, Employee Lifecycle Management, Employee Transaction Management
  • Operations: Value Generation: Purchasing, Inventory Management, Manufacturing, Distribution, Sales Order Management, Service Order Management
  • Operations: Support: Product Structure Management, Project Management, Quality Management, Asset Management, Workforce Management
  • Corporate Services: Travel Management, Environment, Health and Safety, Incentive and Commission Management, Corporate Real Estate
  • SAP NetWeaver™: People Integration, Information Integration, Process Integration, Application Platform

Call-outs on the map:
  • SEM: Business Consolidation, Strategic Risk Management, Strategy Management, Performance Measurement, Financial Statement Planning
  • Financial Analytics: Planning and Budgeting
  • Corporate Governance: Audit Information System, Management of Internal Controls, Whistle Blower, Operational Risk Management *
  • Financial Accounting: New General Ledger, Fast Close, IAS
  • Management Accounting: Transfer Pricing
  • FSCM: Treasury
  • SAP Principles: Inherent Controls, Configurable Controls, Security Controls, Reporting Controls

* planned for mySAP ERP 2006


1) COSO I and Risk Management

Control Activities

Policies/procedures that ensure management directives are carried out.

Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Monitoring

Assessment of a control system’s performance over time.

Combination of ongoing and separate evaluation.

Management and supervisory activities.

Internal audit activities.

Control Environment

Sets tone of organization, influencing control consciousness of its people.

Factors include integrity, ethical values, competence, authority, responsibility.

Foundation for all other components of control.

Information and Communication

Pertinent information identified, captured and communicated in a timely manner.

Access to internal and externally generated information.

Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Risk Assessment

Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

All five components must be in place for a control to be effective.


1) COSO I and Risk Management: Risk Assessment

  • A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent
  • The identification and analysis of relevant risks to achievement of the objectives
  • Forms a basis for determining how risks should be managed
  • Mechanisms are needed to identify and deal with the special risks associated with change


1) COSO I and Risk Management: Scoping

[Figure: decision tree. Each "No" leads to the next question.]

  1. Is location or business unit individually important?
     Yes: Evaluate documentation and test significant controls at each location or business unit.
  2. Are there specific significant risks?
     Yes: Evaluate documentation and test controls over specific risks.
  3. Are there locations or business units that are not important even when aggregated with others?
     Yes: No further action required for such units.
  4. Are there documented entity wide controls over this group?
     Yes: Evaluate documentation and test entity wide controls over group.
     No: Some testing of controls at individual locations or business units required.


2) Sarbanes-Oxley Act and Risk Management

Section: Requirement
  • 302: Certification of contents of SEC reports by CEO and CFO
  • 404: Annual report should include a report by management on the effectiveness of internal control over financial reporting
  • 409: Rapid and current information on material changes in the financial condition or operations, including trend and qualitative information for protection of investors and in the public interest

Contribution of a Risk Management system:

Transparency of business risks affecting business unit targets

Audit-proof Risk Management system identifies risks that must be included in disclosure

Drilldown into risk situation of multiple business units


COSO II and Risk Management: Definition

COSO II is the new framework for Enterprise Risk Management

Definition

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


3) COSO II and Risk Management: Objective Categories

Objective Categories

Strategic – relating to high-level goals, aligned with and supporting the entity’s mission and vision.

Operations – relating to effectiveness and efficiency of the entity’s operations, including performance and profitability goals. They vary based on management’s choices about structure and performance.

Reporting – relating to the effectiveness of the entity’s reporting. They include internal and external reporting and may involve financial and non-financial information.

Compliance – relating to the entity’s compliance with applicable laws and regulations.


3) COSO II and Risk Management: Components


3) COSO II and Risk Management: Concepts

Fundamental concepts of Enterprise Risk Management

  • Is a process – it's a means to an end, not an end in itself
  • Is effected by people – it's not merely policies, surveys and forms, but involves people at every level of an organization
  • Is applied in strategy setting
  • Is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks
  • Is designed to identify events potentially affecting the entity and manage risk within its risk appetite
  • Provides reasonable assurance to an entity's management and board
  • Is geared to the achievement of objectives in one or more separate but overlapping categories


3) COSO II and Risk Management

Event Identification

Management identifies potential events affecting an entity’s ability to successfully implement strategy and achieve objectives.

Events with a potentially negative impact represent risks, which require management’s assessment and response.

Events with a potentially positive impact may offset negative impacts or represent opportunities which get channeled back into the strategy and objective-setting processes.

A variety of internal and external factors give rise to events. When identifying potential events, management considers the full scope of the organization.

Management considers the context within which the entity operates and its risk tolerances.


3) COSO II and Risk Management

Risk Assessment

Risk assessment allows an entity to consider the extent to which potential events might have an impact on achievement of objectives.

Management should assess events from two perspectives − likelihood and impact − and normally uses a combination of qualitative and quantitative methods.

The positive and negative impacts of potential events should be examined, individually or by category, across the entity.

Potentially negative events are assessed on both an inherent and a residual basis.


3) COSO II and Risk Management

Risk Response

Having assessed relevant risks, management determines how it will respond.

Responses include risk avoidance, reduction, sharing and acceptance.

In considering its response, management considers costs and benefits, and selects a response that brings expected likelihood and impact within the desired risk tolerances.


4) German KonTraG and Risk Management

Expanded responsibilities of the Executive Board according to §91 Abs. 2 AktG
  • Requirement to establish a control system
  • Take action to detect risks that endanger the existence of an enterprise at an early stage

Inspection of the Risk Management System through external auditors according to §317 paragraph 4 HGB
  • Has action been taken according to §91 Abs. 2 AktG?
  • Is the Risk Management System adequate for its purpose?

Depiction in the audit report according to §321 paragraph 4 HGB
  • Assessment of the Risk Management System in a separate chapter of the auditor's report
  • Assessment of whether an enhancement of the Risk Management System is required


Two Complementary Risk Management Applications in mySAP ERP

Organizational Units
  • Strategic Risk Management: Unlimited number of hierarchy levels. Based on Balanced Scorecard Framework: one BSC represents one Organizational Unit.
  • Operational Risk Management *: Unlimited number of hierarchy levels. Org. Units represent legal entities, business units and departments.

Risks affect…
  • Strategic Risk Management: … Performance Metrics of an Organizational Unit. Examples: Net Sales, EBIT, … Performance Metrics can be linked to strategic objectives on the Org. Unit.
  • Operational Risk Management *: … Activities within an Org. Unit. Activities can be Processes, Projects and other activities.

Risk Quantification
  • Strategic Risk Management: Based on “impact”, representing deviations from the Performance Metric target amount. Instead of Probability, the impact can be expressed in categories like “expectation value” and others.
  • Operational Risk Management *: Impact is quantified as “Total Loss” in monetary units. Qualitative impacts can be expressed. Probability of occurrence expressed as a percentage.

* planned for mySAP ERP 2006


Strategic Risk Management based on SEM BSC

[Figure: three linked blocks, Risk Management, Value Based Management and Balanced Scorecard.]
  • Risk Management: Risk Categories containing Risk Groups (Risk-Group A with Risk 1 and Risk 2, Risk-Group B with Risk 3); Risk-Analysis, Risk-Assessment, Risk-Handling, Risk-Controlling; Early Warning with Early Warning Indicators (Measures). Quantification of Risks by specific methods outside of SAP SEM.
  • Value Based Management: VBM KPIs (ROCE, DCF, EVA, etc.); Generic Value Drivers (Revenues Growth, Margins, Tax Rates, WACC); Business specific Value Drivers.
  • Balanced Scorecard: Strategy; Objectives; Measures (Financial Top-KPIs, Strategic Success Factors (SSF)); Initiatives.

Risks have an impact on the results of KPIs.


ORM Overview

[Figure labels: mySAP CRM, mySAP ERP HR, mySAP ERP; Management of Internal Controls; Operational Risk Management.]
  • Entities: Risks, Organizational Units, Activities
  • Roles: Validator, Assessment Owner, Risk Owner
  • Process: Risk Planning, Risk Identification, Risk Response, Risk Monitoring, Risk Analysis


ORM Overview

[Figure: sample risk overview for the Org. Units Corporate, Sales, Europe, Americas and R&D, with the columns Total loss, Probability, Risk level, Expected loss and Response cost.]
  • Project: New Distribution Center, with Risk1: Delayed kick-off and Risk2: Key project members leaving
  • Process: Sales Order Entry, with Risk 3 … Risk n
  • Sample risk rows: a Total loss of 100.000 € at 30 % Probability gives an Expected loss of 30.000 €; a Total loss of 150.000 € at 10 % gives 15.000 €; together 250.000 € Total loss and 45.000 € Expected loss.


Operational Risk Management

Purpose of Operational Risk Management

Get an overview on the Risk situation of organizational units by tracking Risks on activity level.

Get overview on the Risk situation based on the activities that are potentially carrying risks, especially Processes and Projects.

Understand priorities by performing quantitative and qualitative Risk assessments.

Manage Risks by assigning appropriate responses


Guiding Principles for the ORM Application

Risks are not assigned and analyzed at the level of Organizational Units, but on the level of Activities that take place within an Organizational Unit.

Risks can occur
  • within business processes
  • during the course of a project
  • in other activities and objects that are neither processes nor projects

Within ORM, Risks will be
  • identified
  • assessed
  • managed by applying appropriate response strategies

The ORM will provide
  • defined Roles to support an appropriate authorization concept
  • Workflows between Roles to support the necessary interaction when approvals are needed

The ORM will provide predefined online ad-hoc analysis, as well as data warehouse structures for flexible multidimensional reporting


Entities within ORM – Overview –

Organizational Units
  • Arranged in an Org. Unit hierarchy, e.g. according to HR-Org
  • Headed by a named Org. Unit Manager
  • Main entry point for analyzing the risk situation

Activities
  • A specific operation that may lead to risks in an organization unit
  • Three types of activities can be assigned to Organizational Units:
      Processes: potentially all operational and admin processes within an enterprise
      Projects: potentially all internal and customer projects
      Objects: generic activity that is neither a project nor a process (e.g. “Production Plant A”)

Risks
  • Named uncertain event or condition that has a negative effect on the business
  • Risks are assigned to Processes, Projects or Objects within a certain Organizational Unit


Building Blocks of the Operational Risk Management

1. Configuration and Structure set up:
  • Set up Organizational Units
  • Create Common Activity Catalogs (Projects, Processes, Objects), Common Risk Catalog, Risk-Proposals
  • Determine other settings like Risk Levels, Risk Priorities, …

2. Risk Assessment Process:
  • Enter BU-specific Activities
  • Detect and enter Risks, assess impact, probability, time frame, calculate Risk Level, Risk Priority, …
  • Interaction between roles supported by workflow
  • Propose and execute Risk Responses

3. Risk Analysis and Reporting:
  • View ad hoc reports of the risk situation of Organizational Units
  • Use OLAP reporting for detailed multidimensional analysis
  • Create mandatory standard reports per Org. Unit


Roles within ORM

Assessment Owner
  • perform Risk Assessments: overall identification, analysis, and response planning of all Risks assigned to an Activity
  • act at different organizational levels, with access only to those Activities and Risks with which he is personally involved
  • typically: Line Managers, Project Managers, Internal Audit, and others assigned at the level of the specific Organization Unit

Risk Owner
  • analyze Risks, initiate Risk response action and follow-up on Risk response actions
  • usually nominated by the Assessment Owners if a special knowledge is required for Risk handling purposes
  • act independent of their organizational assignment but with access only to those responses where they are personally involved

Validator
  • validate and approve or reject the Risk Assessments, reject individual Risks, and set the “sensitivity level” of a Risk (access to the Risk and its details is then further restricted)
  • check the risk documentation, analysis, response strategy, and individual responses of all risks of an activity
  • the real person may be the organization unit manager who has the budget responsibility for the response execution


Interaction between Roles: Example

[Figure: workflow with eight numbered steps across three roles, shown on two consecutive slides.]

Roles
  • Org. Unit Manager (acting as Validator)
  • Project Manager (acting as Assessment Owner)
  • Project member (acting as Risk Owner)

Actions shown
  • Enter project as activity under Org. Unit
  • Approve or reject Project
  • Detect and enter Risk for the project created by project manager
  • Approve or reject Risk, optional: set sensitivity
  • Perform Risk Assessment, select Response Owner
  • Approve or reject Assessment
  • Initiate Response
  • Enter Risk Response
  • Approve or reject Response

Hand-offs between roles
  • Project sent for approval
  • Risk sent for approval
  • Assessment sent for approval
  • Response sent for approval


ORM Entities in Detail: Organizational Units

  • Organizational Units structured in a hierarchy
  • Parallel hierarchies are possible to model matrix organizations

Example:

[Figure: hierarchy with the nodes Corporate; Business Unit 1; Sales, Production, Purchasing, R&D; Europe, Americas, Asia Pacific; Plant Spain, Plant Italy.]


ORM Entities: Org. Units, Activities and Risks

[Figure: an Organizational Unit linked to catalog entries and actual entries.]
  • Legend: Groupings for Reporting and Overviews; Operational Assignments
  • Catalog nodes: Common Projects, Common Processes, Common Objects, Common Risks
  • Actual nodes: Actual Project 1 … Actual Project n, Actual Process 1 … Actual Process n, Actual Object 1, Actual Risk 1 … Actual Risk n, Actual Risk m


Entity Relations - Example -

[Figure: catalogs linked to Organizational Units.]
  • Common Projects: Project Group 1, Project Group 11, Project Group 12, Project 1 to Project 5
  • Common Processes: Process Group 1, Process Group 11, Process Group 12, Proc. 1 to Proc. 5
  • Common Objects: Object Group 1, Object Group 11, Object Group 12, Object 1 to Object 5
  • Organizational Units: Corporate, Business Unit, with Process 2, Project 1 and Object 3
  • Common Risk Catalog: Risk Category 1, Risk Group 1, Risk Group 2, „Exchange Rate“, „USD – EURO“, „USD – YEN“, Common Risk 2 to Common Risk 5
  • BU specific Risk 3, BU specific Risk 4, BU specific Risk 5, BU specific Risk 6, BU specific Risk ...


Common Activity Catalogs: Project, Process, Object

[Figure: three catalog trees.]
  • Common Project Catalog: Project Group 1, Project Group 11, Project Group 12, Project 1 to Project 5
  • Common Process Catalog: Process Group 1, Process Group 11, Process Group 12, Process 1 to Process 5
  • Common Object Catalog: Object Group 1, Object Group 11, Object Group 12, Object 1 to Object 5

Common Projects, Processes and Objects are held in company wide catalogues. In those catalogues they can be grouped to any depth.

Corporate wide defined Risk Proposal Catalogues can be assigned to all sorts of Common Activities

For each organizational Unit, a Filter can be defined to propose and allow only specific sets of Projects, Processes and Objects

Common Activities mainly consist only of a technical name and a description


ORM Entities in Detail: Activity Master Data – 1 –

Activities *
  • Approval Comment: comments added by the Validator of the activity while approving it. Can be used by the Activity Owner to send comments back to the Validator when the Activity is sent for validation.
  • Validator: Validator for this Activity
  • Assessment Owner: Assessment Owner for this Activity
  • Title: name for the new Activity
  • Common Activity: selected Common Activity ID
  • Activity ID: system assigned numeric Activity ID
  • Date: Creation date of the Activity

* Activities can be Projects, Processes, Objects


ORM Entities in Detail: Activity Master Data – 2 –

Activities
  • Opportunity Value: optional, monetary, business-related opportunity value for the new Activity
  • Assessment Frequency: frequency (predefined intervals) with which the Activity is to be assessed
  • Approval Status: approval status of the Activity. Includes options like “Draft” and “To be validated”. For a new Activity, “Draft” is the default status setting.
  • Organizational Unit: display only, numeric ID of the Org. Unit to which the Activity is assigned
  • Activity Type: Project, Process, or Object
  • Identification Date: default is the current date but can be changed to reflect the actual date on which the Activity was identified


ORM Entities in Detail: Risk Master Data – 1 –

Risks

Date: Creation date of the Risk
Risk ID: system assigned numeric Risk ID
Common Risk: selected Common Risk ID
Title: name for the new Activity
Activity ID: Activity to which the Risk was assigned
Risk Status: Current “life cycle” status. Includes options like “Draft”, “Released for validation”, “Finished” and “Occurred”. For a new Risk, “Draft” is the default status setting.
Risk Owner: By default the user who created the Risk. Can be changed.
Sensitivity: If during the Validation phase the Validator determines that this Risk is “sensitive”, she/he will mark it as such. This designation limits the viewing of this Risk to a select audience.
Currency: Currency in which the risk values will be expressed


ORM Entities in Detail: Risk Master Data – 2 –

Risks

External Risk Flag: Marking a risk as external will exclude the Risk from reporting. This allows the capturing of risks that, for example, exist at a customer in a project context but that only impose an impact on the customer without impact on the own company.
Condition: Free text. The key circumstance, situation, etc. that is causing concern, doubt, anxiety, or uncertainty
Consequence: Free text. The possible negative outcome of the current condition that is creating uncertainty
Event Driver: Free text. Existing incident or action that influences the probability that a particular Risk event will occur
Comment: Free text. Additional detail about the Risk


Risk Assessment: Transactional data for Risks

Basic data
- Total Loss
- Global qualitative Impact
- Local qualitative Impact
- Probability
- Time Frame

System calculated/derived data
- Expected Loss
- Risk level
- Risk Priority
- Net Opportunity Value (especially useful for Projects)


Risk Assessment: Basic Data

Probability: “Probability that the impact associated with the Risk will materialize”.
- Given as a percentage from 0% to 99%
- Mapped into categories

Total Loss or Global Impact: Maximum loss in case the Risk will materialize
- Given either as an amount or as a “level” (see example here)
- Mapped into globally defined categories

Local Impact: Severity of Impact of the Risk on a Business Unit specific scale.
- Given as a “level”.
- Will often differ from the Global Impact category.

Time Frame: Period of time in which action is required to respond to a Risk
- Given as a range (long, medium, short)

EXAMPLES

Time frame

| Time frame | from | to |
|---|---|---|
| short | 0 month | 3 month |
| medium | 3 month | 6 month |
| long | < 6 month | |

Global Impact

| level | classification | from € | to € |
|---|---|---|---|
| 1 | Insignificant | 0 | 200.000 € |
| 2 | Minor | 200.000 | 1.000.000 |
| 3 | Moderate | 1.000.000 | 5.000.000 |
| 4 | Major | 5.000.000 | 25.000.000 |
| 5 | Catastrophic | >25.000.000 | |

Local Impact

| level | classification | from (for info, Org. Unit specific) | to (for info, Org. Unit specific) |
|---|---|---|---|
| 1 | Insignificant | 0 | 20.000 € |
| 2 | Minor | 20.000 € | 50.000 € |
| 3 | Moderate | 50.000 € | 150.000 € |
| 4 | Major | 150.000 € | 500.000 € |
| 5 | Catastrophic | >500.000 € | |

Probability

| from % | to % | classification |
|---|---|---|
| 0 | 20 | remote |
| 21 | 40 | Unlikely |
| 41 | 60 | Likely |
| 61 | 80 | Highly likely |
| 81 | 99 | Near certainty |


Risk Assessment: Expected Loss

Calculated as Total Loss * Probability

Used for comparison with the response costs

Expected loss is aggregated over Common Activities and Organizational Units


Risk Assessment: Determination of Risk Level

- Global Risk level is derived from Global qualitative Impact and Probability
- Local Risk level is derived from Local qualitative Impact and Probability
- User defined matrix identifies Risk Levels
- Risk Level is later on used for Risk Prioritization

Example Matrix for derivation of Risk Level (L = low, M = medium, H = high):

| Probability level | Probability % | Impact level 1 | Impact level 2 | Impact level 3 | Impact level 4 | Impact level 5 |
|---|---|---|---|---|---|---|
| 1 | 0-20% | L | L | L | L | M |
| 2 | 21-40% | L | L | L | M | M |
| 3 | 41-60% | L | L | M | M | H |
| 4 | 61-80% | L | M | M | H | H |
| 5 | 81-99% | M | M | H | H | H |

Low risks… mean minimum impact where no management action is required.

Medium risks… indicate that some disruption could occur. No immediate management action required for medium risks, but continuous risk monitoring has to be initiated and future action may be needed.

High risks:… are considered unacceptable risks where major disruption is likely. Priority management attention is usually required for high risks to bring the situation under control.


Risk Assessment: Risk Prioritization

Prioritizing risks is important when deciding which risks should be dealt with first, especially when managing the risk requires the allocation of significant resources.

Risk Priority is derived from the combination of “Risk level” and time frame, grouped in categories like short (e.g. within 3 months), medium (e.g. within 6 months), long (e.g. within 9 months).

User defined Matrix identifies Risk Priority

Example Matrix for derivation of Risk Priority (Risk Priority from 1 - 9):

| Expected date of occurrence | Risk level high | Risk level medium | Risk level low |
|---|---|---|---|
| short | 1 | 2 | 5 |
| medium | 3 | 4 | 7 |
| long | 6 | 8 | 9 |

Based on the Risk Priority, a “Top N-Risks” list could be produced as part of the Risk Reporting!


Risk Assessment: Net Opportunity Value

Activities – especially Projects – usually offer an opportunity, which can be expressed in a currency value.

In this case, a Net Opportunity Value can be calculated, which is based on the Opportunity value of the activity and the Risk situation:

Opportunity Value - Expected Loss = Net Opportunity Value

The Net Opportunity Value can be compared with other risk related values like Total Loss, Expected Loss or Response Costs to better understand the risk situation of an activity
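The derivation chain described on the preceding slides (classification of probability and impact, Expected Loss, Risk Level, Risk Priority, Net Opportunity Value), as an added Python example that is not part of the SAP presentation or of the product. It uses the example scales and matrices shown on the slides; the function names, the inclusive upper bounds of the bands, the use of the same priority matrix for the global and the local risk level, and the opportunity value in the sample run are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Example scales from the slides, as (upper bound, level). Counting the upper
# bound as part of the band is an assumption; the slides do not say which band
# a boundary value belongs to.
PROBABILITY_BANDS = [(20, 1), (40, 2), (60, 3), (80, 4), (99, 5)]
GLOBAL_IMPACT_BANDS = [(200_000, 1), (1_000_000, 2), (5_000_000, 3), (25_000_000, 4)]

# Risk level matrix from the slides: key = probability level,
# position in the string = impact level 1..5.
RISK_LEVEL = {1: "LLLLM", 2: "LLLMM", 3: "LLMMH", 4: "LMMHH", 5: "MMHHH"}

# Risk priority matrix from the slides (1 = deal with first).
RISK_PRIORITY = {
    "short": {"H": 1, "M": 2, "L": 5},
    "medium": {"H": 3, "M": 4, "L": 7},
    "long": {"H": 6, "M": 8, "L": 9},
}


def probability_level(pct: int) -> int:
    """Map a probability in percent (0..99) to its category 1..5."""
    if not 0 <= pct <= 99:
        raise ValueError("probability must be between 0 and 99 percent")
    return next(level for upper, level in PROBABILITY_BANDS if pct <= upper)


def global_impact_level(total_loss: Decimal) -> int:
    """Map a total loss in EUR to the global impact level 1..5."""
    if total_loss < 0:
        raise ValueError("total loss must not be negative")
    return next((lvl for upper, lvl in GLOBAL_IMPACT_BANDS if total_loss <= upper), 5)


def risk_level(prob_level: int, impact_level: int) -> str:
    """Look up L, M or H in the risk level matrix."""
    if impact_level not in range(1, 6):
        raise ValueError("impact level must be 1..5")
    return RISK_LEVEL[prob_level][impact_level - 1]


@dataclass(frozen=True)
class Assessment:
    global_risk_level: str
    local_risk_level: str
    global_priority: int
    local_priority: int
    expected_loss: Optional[Decimal]          # None if no total loss is known
    net_opportunity_value: Optional[Decimal]  # None without opportunity value


def assess(probability_pct, local_impact, time_frame,
           total_loss=None, global_impact=None, opportunity_value=None):
    """Derive the calculated values for one risk.

    Give total_loss (global impact is then derived from it) or, when the
    total loss cannot be determined, give global_impact directly.
    """
    if (total_loss is None) == (global_impact is None):
        raise ValueError("give either total_loss or global_impact")
    if time_frame not in RISK_PRIORITY:
        raise ValueError("time frame must be short, medium or long")
    prob = probability_level(probability_pct)
    expected = None
    if total_loss is not None:
        total_loss = Decimal(total_loss)
        global_impact = global_impact_level(total_loss)
        expected = total_loss * probability_pct / 100   # Total Loss * Probability
    net = None
    if expected is not None and opportunity_value is not None:
        net = Decimal(opportunity_value) - expected      # Opportunity - Expected Loss
    g = risk_level(prob, global_impact)
    l = risk_level(prob, local_impact)
    prio = RISK_PRIORITY[time_frame]
    return Assessment(g, l, prio[g], prio[l], expected, net)


if __name__ == "__main__":
    # Total loss 2.000.000 EUR at 60 %, local impact level 5; the time frame
    # and the opportunity value of 3.000.000 EUR are constructed sample input.
    print(assess(60, local_impact=5, time_frame="short",
                 total_loss=2_000_000, opportunity_value=3_000_000))
```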


Risk Assessment: Overview of Data to be maintained

Probability: Probability that the impact associated with the Risk will materialize. Given as a percentage.

Global Impact: The global impact level is an estimation of the consequences of a risk on the basis of a configurable qualitative scale. Given as a category from 1 to n which is mapped against a globally valid table containing the values for each category in currency amounts.

Local Impact: The local impact level is an estimation of the consequences of a risk on the basis of a configurable qualitative scale. Given as a category from 1 to n which is mapped against a locally valid table containing the values for each category in currency amounts.

Time Frame: Timeframe is the period when action is required to respond to a risk. Will be given in intervals like (example):
- Short 1 – 3 months
- Medium 3 – 6 months
- Long 6 – 9 months
- ...

Risk Response: Counter measures to handle the Risk, described with:
- Risk Response type (Close, Accept, Watch, Research, Transfer, Delegate, Mitigate)
- Response Owner
- Action date
- Response cost
- Response description
- Expected Risk reduction (Probability and/or Quantitative and/or Qualitative Impact)
- Contingency Plan (Document attached to the risk holding the details of what are the consequences and subsequent actions when the risk response fails)

Total Loss: The magnitude of the actual loss value accrued when a risk event occurs, measured in a monetary amount


Risk Assessment: Risk Response

When assessing Risk, one or more responses can be created for each individual risk.

Main data entered for each response:
- Response strategy (Accept, Watch, Research, Transfer, Delegate, Mitigate, see next slide)
- Response costs: later on considered in the overall analysis
- Probability percentage change: to which extent does the response change the probability. Example: “decrease by 5%”
- Total Loss change: to which extent does the response change the total loss. Example: “decrease by 200.000 $”
- Global Impact change: if not derived from total loss change: to which extent does the response change the global impact. Example: “decrease by 1 level”
- Local Impact change: to which extent does the response change the global impact. Example: “decrease by 1 level”


Risk Assessment: Response Strategies

Accept: Risk acceptance involves no initial action. The risk will be handled as a problem if it occurs.

Watch: Risk watch involves monitoring the risks and their attributes for early warning of critical changes in impact, probability, timeframe, or other aspects.

Research: Risk research is the investigation of a risk until enough detail is known to be able to plan mitigation.

Transfer: Risk transfer is the allocation of authority, responsibility, and accountability for a risk to another person or organization outside of SAP or the project. See also risk delegation above.

Delegate: Risk delegation involves the assignment of responsibility for a risk to another person or organization within SAP or the project. See also risk transfer.

Mitigate: Risk mitigation eliminates or reduces the risk by developing strategies and actions for reducing (or eliminating) the impact, probability, or timeframe to some acceptable level. Risk mitigation usually involves the expenditure of resources.


Aggregations and Calculations

Type of Aggregation on level of:

| Risk quantification data | Risk | Activity | Common Risk | Common Activity | Org. Unit |
|---|---|---|---|---|---|
| Total Loss | Manual entry | Simple aggregation | Simple aggregation | Simple aggregation | Simple aggregation |
| Risk level | Derived from calculation | Derived from calculation | Derived from calculation | Derived from calculation | Derived from calculation |
| Expected Loss | Manual entry | Simple aggregation | Simple aggregation | Simple aggregation | Simple aggregation |
| Response Cost | Simple aggregation | Simple aggregation | Simple aggregation | Simple aggregation | Simple aggregation |
| Risk Priority | Derived from calculation | n/a | n/a | n/a | n/a |


Risk Analysis

Two ways of doing Risk Analysis:
- Based on predefined screens in the online Application
- Based on predefined, yet flexible Reports from the SAP data warehouse (OLAP-reporting)

Online Analysis:
- Calculation and visualization of all relevant Risk data on aggregated and detail levels
- Aggregation along Organizational Hierarchies, Common Activities, Common Risks
- Various predefined views like “local values”, “global values”, “Before Risk Response”, “After Risk Response”

OLAP-Reporting:
- Predefined business content delivered through the SAP data warehouse (InfoCubes, Extractors, Queries)
- Data is extracted from the online application
- Flexible reports as usual in the OLAP-world: slice and dice, flexible aggregation, custom calculations,…


ORM Online Analysis: Example based on Org. Units

[Figure: example online analysis screen. Rows: the organizational units Corporate, Sales, Europe, Americas and R&D, the activities “Project: New Distribution Center” and “Process: Sales Order Entry”, and the risks “Risk1: Delayed kick-off”, “Risk2: Key project members leaving”, Risk 3 … Risk n. Columns: Total loss, Probability, Expected loss, Risk level, Response cost, Contrib. value. Legend for Risk level (from %): Low 0, Medium 40, High 60.]


Risk Reporting based on BW

Basis of the OLAP reporting are two InfoCubes that are delivered as business content:

- InfoCube 1: Data on level of Risk and Organizational Unit
- InfoCube 2: Data on level of Activity and Organizational Unit
- A combination of both for a drill down is possible through a “MultiCube Query”

InfoCubes are filled by various extractors for:
- Master data, including texts and attributes
- Hierarchies
- Transactional data

End-User access to the data through predefined Queries (Reports) which can be accessed using a web browser.
- New queries can easily be created
- Custom calculations if necessary
- Queries can be presented in a Portal


Collaborative Risk Assessments

As Risks often might affect not only one Org. Unit, Activity or Risk Owner, the solution includes the following collaboration features:

1. Collaborative Risks: If a Risk in Org. Unit A is also relevant for activities in Org. Unit B and presumably also has a negative impact on Org. Unit B, this is called a Collaborative Risk.

2. Linked Risks: If a risk in Org. Unit A is somehow influenced by activities in Org. Unit B, but the impact only hits Org. Unit A, this is called a Linked Risk.

3. Invitations for collaborative Risk Assessments: If, for a Risk in Org. Unit A, a person other than the original Assessment Owner can contribute a Risk Assessment, this person can be invited to give his/her opinion in an additional Risk Assessment.


Collaborative Risks

If a Risk in Org. Unit A is also relevant for activities in Org. Unit B and presumably also has a negative impact on Org. Unit B, this is called a Collaborative Risk.

[Diagram: Org. Unit A with Activity 1 and Risk 1; Org. Unit B with Activity 2 and Risk 1.]

Create collaborative Risk, which is accepted* by Org. Unit B.

In Org. Unit A, the Impact of Risk 1 is shown as assessed by the Risk Assessment Owner of Activity 1 in Org. Unit A.

In Org. Unit B, the Impact of Risk 1 is shown as assessed by the Risk Assessment Owner of Activity 2 in Org. Unit B.

* Proposed collaborative Risks can also be rejected, thus preventing that this Risk becomes valid for Org. Unit B


Linked Risks

If a risk in Org. Unit A is somehow influenced by activities in Org. Unit B, but the impact only hits Org. Unit A, this is called a Linked Risk.

[Diagram: Org. Unit A with Activity 1 and Risk 1; Org. Unit B with Activity 2 and Risk 1.]

Create Linked Risk, which is accepted* by Org. Unit B.

In Org. Unit A, the accumulated Impact of Risk 1 is shown: the assessment by the Risk Assessment Owner of Activity 1 in Org. Unit A plus the assessment by the Risk Assessment Owner of Activity 2 in Org. Unit B.

In Org. Unit B, an Assessment is created for Risk 1 by the Risk Assessment Owner of Activity 2 in Org. Unit B.

* Proposed linked Risks can also be rejected, thus preventing that additional Assessments are done for Risk 1 by Risk Assessment Owner in Org. Unit B.


Risk Assessment invitation

Invitations for collaborative Risk Assessments: If, for a Risk in Org. Unit A, a person other than the original Assessment Owner can contribute a Risk Assessment, this person can be invited to give his/her opinion in an additional Risk Assessment.

[Diagram: Org. Unit A with Activity 1 and Risk 1; invited users User A, User B, User C, User …]

Send invitations to other users (with roles RM or AO or AM) to create additional Risk Assessments.

Impact of Risk 1 is shown as in the assessment by Risk Assessment Owner of Activity 1 in Org. Unit A.

Impacts from further assessments from invited users are shown separately as “additional…”.


Agenda – Operational Risk Management

SAP’s two folded Offering

SAP’s planned Operational Risk Management (ORM)

Guiding Principles for ORM

External Requirements for Risk Management

Corporate Governance and Risk Management

Appendix: SAP SEM Strategic Risk Management

ORM in Detail


The Balanced Scorecard as Framework for VBM and Risk-Management

Risk Management
- Risk Category
  - Risk-Group A: Risk 1, Risk 2
  - Risk-Group B: Risk 3
- Risk-Analysis
- Risk-Assessment
- Risk-Handling
- Risk-Controlling
- Early Warning
- Quantification of Risks by specific methods outside of SAP SEM.
- Early Warning Indicators (Measures)

Value Based Management
- VBM KPIs: ROCE, DCF, EVA, etc
- Generic Value Drivers: Revenues Growth, Margins, Tax Rates, WACC
- Business specific Value Drivers

Balanced Scorecard
- Strategy
- Objectives
- Measures: Financial Top-KPIs, Strategic Success Factors (SSF)
- Initiatives

Risks have an impact on the results of KPIs


SEM Risk Builder

Hierarchical grouping of Risks in the Risk Catalog by
- Risk Category
- Risk Groups
- Risks

Comprehensive definition of Risk Categories, -Groups and Risks.

Possibility to attach documents and www-pages.


Risk Management: Quantification of Risks

Risk-Quantification

Automated and / or manual Status calculation

Risk Assessments and Comments


Risk Controlling within the Scorecard

Automated calculation of Risk Status by comparing Target Value <-> Expectation Value

Expectation Values show the impact of a Risk on a Measure

Simulation of Risk-Situation possible by comparing Target Value to “Best-Case” or “Worst-Case”


Risk Reporting for the Risk-Owner

Reporting of Risk-Situation by
- Risk Categories
- Risk Groups
- Risks
- Affected Measure


SAP SEM Risk-Management

- Cataloging the Risks
- Selection of relevant Risks per business unit
- Assign Risks to the target system for each business unit (which Risk impacts which Performance Metric)
- Estimate / calculate potential plan deviations due to the Risks
- Plan risk reducing activities
- Monthly / quarterly Risk analysis
  - Actual / Plan deviation
  - Assessment through Risk Owners
  - Risk Forecasting
  - Take action based on assessments
- Annual Risk assessment including Risk report


Risk-Management Hierarchies

- Holding Level: Holding
- Legal entities: Company A, Company B, Company C, Company D
- Lines of Business: LOB 1, LOB 2, LOB 3
- Departments: Department 1, Department 2

Implementation of parallel hierarchies without double maintenance


Risk Drill-Down over Org. Units


Appendix


Risk Assessment: Example

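Case 1: Total loss can be determined

1. User enters total loss: 2.000.000 €. Probability entered: 60%, level 3 “likely”
2. System determines global impact level 3 = Moderate
3. User manually selects local impact level 5 = Catastrophic
4. System determines Global Risk Level = “M”. System determines Local Risk Level = “H”

Risk level matrix

| Probability level | Probability % | Impact level 1 | Impact level 2 | Impact level 3 | Impact level 4 | Impact level 5 |
|---|---|---|---|---|---|---|
| 1 | 0-20% | L | L | L | L | M |
| 2 | 21-40% | L | L | L | M | M |
| 3 | 41-60% | L | L | M | M | H |
| 4 | 61-80% | L | M | M | H | H |
| 5 | 81-99% | M | M | H | H | H |

Global Impact

| level | classification | from € | to € |
|---|---|---|---|
| 1 | Insignificant | 0 | 200.000 € |
| 2 | Minor | 200.000 | 1.000.000 |
| 3 | Moderate | 1.000.000 | 5.000.000 |
| 4 | Major | 5.000.000 | 25.000.000 |
| 5 | Catastrophic | >25.000.000 | |

Local Impact

| level | classification | from (for info, Org. Unit specific) | to (for info, Org. Unit specific) |
|---|---|---|---|
| 1 | Insignificant | 0 | 20.000 € |
| 2 | Minor | 20.000 € | 50.000 € |
| 3 | Moderate | 50.000 € | 150.000 € |
| 4 | Major | 150.000 € | 500.000 € |
| 5 | Catastrophic | >500.000 € | |

Probability

| from % | to % | classification |
|---|---|---|
| 0 | 20 | remote |
| 21 | 40 | Unlikely |
| 41 | 60 | Likely |
| 61 | 80 | Highly likely |
| 81 | 99 | Near certainty |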


Risk Assessment: Example

Case 2: Total loss cannot be determined

1. User enters global impact level 3 = Moderate. Probability entered: 60% “likely”
2. Step 2 not needed!
3. User manually selects local impact level 5 = Catastrophic
4. System determines Global Risk Level = “M”. System determines Local Risk Level = “H”


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.

ORACLE® is a registered trademark of ORACLE Corporation.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.

Copyright 2004 SAP AG. All Rights Reserved
