SAP BusinessObjects Risk Management 3.0 Master Data Setup

SAP BusinessObjects Risk Management 3.0

Business Blueprint Workshop

Master Data Setup

Version 1.0 Initial Release

SAP 2008 / Page 2

Business Blue Print Master Data Setup

Applies to:

SAP BusinessObjects Risk Management 3.0

Summary

This document is intended to explain the necessary steps required to configure Risk

Management 3.0.

Author(s): Customer Advisory Organization and Regional Implementation Group

Company: Governance, Risk, and Compliance

SAP BusinessObjects Division

Created on: August 2009

SAP 2008 / Page 3

1. Maintain Impact Levels

2. Maintain Influence Strength

3. Maintain Activity Types

4. Maintain Objective Categories

5. Maintain Units of Measure

6. Maintain Risk Appetite

7. Organizational Hierarchies

The following IMG activities are covered in

this document

Each IMG activity has the following sections:

Business context: Summarizes the business purpose.

Solution functionality: Shows the related UI screens.

Configuration and data gathering: Shows the IMG table, suggested interview questions, and data capture area.

SAP 2008 / Page 4









this document

SAP 2008 / Page 5

Business Context

Impact Levels

What are Impact Levels?

An impact level is a descriptive category of impact. Impact Levels are linked to an impact unit of measurement and an impact value range. Typical, impact levels would be: Insignificant, Minor, Moderate, High, Catastrophic. Impact Levels combined with Probability Levels are used to create a Risk Heat Map. The same principle applies to the upside of risks, namely Benefits, and Benefit Levels. Benefit Levels are part of the configuration in this area. Similarly Mitigation Effects descriptions are also defined along side Impact Levels and Benefit Levels. Mitigation Effects give a meaningful description to the reduction of a response.

Why are Impact Levels Important?

Impact levels (and if use Benefit Levels) are an important building block of any risk management model. All risks are described in terms of Likelihood and Impact. Impact levels are used to give a real world description to the magnitude of a risk event. Benefit Levels give a real world description to the magnitude of a benefit.

What are the Benefits of Defining Impact Levels?

This is an essential element to any risk management model and is therefore a mandatory feature of the system. It will help users to analyse risks, and is a necessary step toward assigning an ordinal value to the impact, in terms of a units of measurement and monetary value.

SAP 2008 / Page 6

Business Context

Example Impact Levels

CRG Global Enterprises has defined 5 Impact Levels within their Risk Management

Model. These are:

1. Insignificant

2. Minor

3. Moderate

4. High

5. Catastrophic

These 5 descriptive levels are linked to quantitative values in the system based on each

node on the Organisation Unit Hierarchy. Below is an example of how this would work.

Impact Level Category Quantitative Impact Quantitative

1. Insignificant 0 200,000

2. Minor 200,001 400,000

3. Moderate 400,001 1,000,000

4. High 1,000,001 5,000,000

5. Catastrophic 5,000,001

SAP 2008 / Page 7

Business Context

Example Impact Levels

CRG Global Enterprises has defined 5 Benefit Levels within their Risk Management

Model. These are:

1. Insignificant

2. Modest

3. Moderate

4. Worthwhile

5. Significant

These 5 descriptive levels equate to the corresponding Impact Levels.

Impact Level Category Benefit Category Level Mitigation Effects

1. Insignificant 1. Insignificant Very Low

2. Minor 2. Modest Low

3. Moderate 3. Moderate Medium

4. High 4. Worthwhile High

5. Catastrophic 5. Significant Very High

SAP 2008 / Page 8

Solution Functionality

Impact Levels

Impact Level is used in the Risk Analysis.

GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to

the Risk Analysis Tab

SAP 2008 / Page 9


Impact Levels

GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to the Risk

Analysis Tab. Click Impact Category Allocation.

Where the Analysis Method selected is Qualitative the Impact Level can be selected to describe the

impact in qualitative terms.

Insignificant

Minor

Moderate

Major

Catastrophic

SAP 2008 / Page 10


Impact Levels Mitigation Effects Copy of UI

GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to the Risk

Response Tab. Highlight a Risk Response or Control. Click Impact Category Allocation.

Where the Analysis Method is Qualitative the Mitigation Effect drop down pick list can be selected to

describe the reduction in the impact level using qualitative terms.

Very Low

Low

Medium

High

Very High

Medium

SAP 2008 / Page 11


Impact Levels Copy of UI

Copy of UI

The Impact Levels form the X axis, and the Probability Levels for the Y axis in this Risk

Heat Map.

SAP 2008 / Page 12

Configuration and Data Gathering

Impact Levels

Use

In this Customizing activity, you maintain the impact levels used in risk analysis, as well as the

benefit levels to be used in opportunity analysis.

An impact level is an estimation of the consequences of a particular risk on the basis of a

configurable scale. This scale can range, for example, from insignificant to catastrophic.

Activities

1. Click on New Entries and enter a number for the impact or benefit level you want to define.

2. Enter a text for the impact and benefit levels.

3. Enter a text for the reduction/improvement for this impact level.

4. Save your entry.

SAP 2008 / Page 13


Impact Levels

Interview questions.

Impact Levels

Have Impact Levels already been defined in your risk management model?

Are Impact Levels used consistently across your organisation? The system supports one

set of Impact Levels so it is important to agree internally what these should be.

Has the number of Impact Levels been defined in your risk management model (e.g. 3 or

5 or 6)?

Have the descriptions for the Impact Levels been agreed?

Benefit Levels

Have the corresponding terms been agreed for Benefits Levels (if these are part of the

risk management model). Please note that use of this aspect of the system is optional.

Mitigation Effects

Have the corresponding terms been agreed for Mitigation Effects. This applies to risks

with qualitatively expressed impacts. Bear in mind that Mitigation Effects will apply to

Impact reductions and Benefits improvements. Therefore the descriptive terms used

must be able to apply to both.

SAP 2008 / Page 14

Configuration Requirements

Impact Levels

Imp Level Impact Level Text Benefit Level Text Reduction/Improvement

1

2

3

4

5

6

7

8

9

10

SAP 2008 / Page 15









this document

SAP 2008 / Page 16

Business Context

Influence Strength

What is Influence Strength?

Influence strength describes the effect of one risk on another risk, or the relationship between

the two risks. An influence can be either in a negative direction i.e. the influenced risk make

the original risk worse, or it could be a positive influence, making the risk less severe. The

influence can either be on the likelihood of the risk occurring or on the impact of the risk if it

does occur.

Why is Influence Strength Important?

Influence strength is important for risks that are defined qualitatively. It is through use of the

influence strength that the effect on the original risk is described.

What are the Benefits of Defining Influence Strength?

This is a feature of the application available for describing the effect of one risk on another

when only qualitative measures are in use. Influence strengths are used when risks are

analysed using Scenario Analysis and Monte Carlo simulations.

SAP 2008 / Page 17

Business Context

Example Influence Strength

CRG Global Enterprises has defined 6 Influence Strength Levels within their Risk

Management Model. These are:

1. High Negative Influence

2. Moderate Negative Influence

3. Low Negative Influence

4. Low Positive Influence

5. Moderate Positive Influence

6. High Positive Influence

SAP 2008 / Page 18


Influence Strength

GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to the

Influenced Risks Tab. Click Create Influence Factor.

SAP 2008 / Page 19


Influence Strength

In the Name field select the risk to be linked to. Note: A risk must exist in active state.

Select Evaluation Type Qualitative.

Click on the Correlation Strength drop down pick list to select the appropriate level and direction of

the influence between the original risk and the risk selected in the influenced risks tab.

SAP 2008 / Page 20


Influence Strength

Copy of UI

In the example below the risk Violations of emissions standards Highly Negatively influences the

risk Illegal arrangements.

SAP 2008 / Page 21

Use

In this Customizing activity, you maintain the strength of influenced risks. An influence can be defined as

strong or weak. You can relate two risks on the basis of the influence of one risk on another risk.

Activities

1. Execute the IMG activity Influence Strength and choose New Entries button.

2. Enter the following:

A numerical value in the Strength ID field

Description of influence strength in the Strength Text field

3. Choose Save. The values appear in the Influence Strength table.


Influence Strength

SAP 2008 / Page 22


Influence Strength

Interview questions.

Do you intend the model the relationships between risks and describe their effects on each

other?

Are you planning to use Scenario Analysis and/or Monte Carlo Simulation?

SAP 2008 / Page 23


Influence Strength

Strength Influence Strength Text

1

2

3

4

5

6

7

8

10

SAP 2008 / Page 24







7. Maintain Organizational Hierarchy


this document

SAP 2008 / Page 25

Business Context

Activity Types

What are Activity Types?

A means of classifying your organizations business activities.

Why are Activity Types Important?

Required if you want to attach risks to Work Breakdown Structures (WBS) elements.

What are the Benefits of Defining Activity Types?

Provides an added dimension for risk reporting.

Gives you insight into the areas of your business impacted by risks (or opportunities).

SAP 2008 / Page 26

Business Context

Example Activity Types

Business Process

Program / Project

Product

Service

Asset

SAP 2008 / Page 27


Activity Types

Activity Categories can be linked to

different Activity Types. In this way

you can maintain multiple Activity

Hierarchies by using the types

SAP 2008 / Page 28


Activity Types

The IMG table can be used to capture the Activity Types required to organize Activity

Structures

SAP 2008 / Page 29


Activity Types

Do you currently categorize risks by business activity?

What types of business activities are undertaken by your organization?

SAP 2008 / Page 30


Activity Types

Type Activity Type Name

01

02

03

04

05

06

07

08

09

10

SAP 2008 / Page 31









this document

SAP 2008 / Page 32

Business Context

Objective Categories

What are Objective Categories?

A means of classifying your organizations performance goals.

Why are Objective Categories Important?

Allows you to discuss risk in terms of whats important to the business.

What are the Benefits of Defining Objective Categories?

Provides an added dimension for risk reporting.

Gives you better insight into the areas of your business impacted by risks (or opportunities).

SAP 2008 / Page 33

Business Context

Example Objective Categories

Financial Objectives

Internal Business Process Objectives

Customer Objectives

Learning and Growth Objectives

SAP 2008 / Page 34



When Creating a new Objective in the Objectives Hierarchy functionality

you can use the objective categories to help categorize the objectives.

SAP 2008 / Page 35



This IMG Table is used to categorize your companys objectives

SAP 2008 / Page 36



Do you currently categorize business objectives?

What are the key categories of you business objectives?

SAP 2008 / Page 37



Objective Category ID Objective Category

SAP 2008 / Page 38









this document

SAP 2008 / Page 39

Business Context

Units of Measure

What are Units of Measure?

A means of converting type of impact to monetary value.

Why are Units of Measure Important?

This feature enables individual parts of the business to describe risk in units of measurement

that related more specifically to their role in the business and the associated performance

measures.

What are the Benefits of Defining Units of Measure?

Provides an added dimension for risk analysis.

Gives you better insight into the areas of your business impacted by risks (or opportunities).

SAP 2008 / Page 40

Business Context

Example Units of Measure

CRG Global Enterprises has defined 3 Units of Measure within their Risk

Management Model. These are:

Working Hours

Working Days

System Down Time Minutes

SAP 2008 / Page 41


Units of Measure used per Org Unit

For each pre-defined

Impact Category a

pre-defined Unit of

Measure is selected.

A conversion factor

to the base currency

of the system is

defined which will be

applicable for the

particular org unit

node.

GRC Risk Management->Risk Structure->Organisations. Select an org unit node from

the hierarchy.

Select the Unit of Measure Tab. Select an appropriate Impact Category. Click Create

button to add a Unit of Measure for an appropriate Impact Category to the org unit node.

SAP 2008 / Page 42


Units of Measure used in Risk Analysis

GRC Risk Management->Risk Analysis>Risk & Opportunities. Open a Risk and move to

the Risk Analysis Tab. Create a new Analysis and Click Impact Category Allocation.

Where an Impact Category used has a defined Unit of Measure for the org unit node the

Impact of the Risk can be entered and the Unit of Measure selected.

The system will convert the Impact to a Total Loss value according to the settings in the

Org unit node.

SAP 2008 / Page 43


Units of Measure using in risk analysis

The Total Loss value is shown on the Risk Analysis tab.

SAP 2008 / Page 44


Units of Measure

Use

In this Customizing activity, you maintain the units of measure for the impact categories to be used in Risk Management.

The unit of measure calculates the impact of a risk in non-monetary terms. Later, the SAP system converts these non-

monetary values into monetary values using the conversion factor you define in the RM portal.

Note: This is the list of all unit of measures, independent of the organizational units defined.

Requirements

You have configured the impact levels in the Customizing activity Maintain Impact Levels.

Activities

1. Execute the Customizing activity Maintain Unit of Measures for Organizational Unit and choose New Entries.

2. Enter the following:

An abbreviation for the unit of measure in the Abbreviation field, such as HRS

Description of the unit of measure in the Unit of Measure field, such as Working Hours

3. Choose Save. The values appear in the Unit of Measure table.

Example

Assume that you define a unit of measure as Working Hours (HRS) with the following condition:

1 Working Hour = 200 Euros

Now, you anticipate a risk that occurs due to the power outage of your of PCs for 8 working hours for 10 employees.

The non-monetary unit of measure will calculate the monetary impact of the risk as follows:

1 Employee = 8 Working Hours

10 Employees = 80 Working Hours

Therefore,

80 Working Hours = 1600 Euros (80 * 200)

SAP 2008 / Page 45


Units of Measure

IMG Table for Units of Measure

SAP 2008 / Page 46


Units of Measure

Interview questions .

What are the different measures used to describe and quantify risk?

What is the relationship between qualitative measures such as Hours, Days, System

Downtime, Emissions, etc and monetary value?

How does this relationship vary in different parts of the business.

SAP 2008 / Page 47


Units of Measure

Abbreviation Unit of Measure

SAP 2008 / Page 48









this document

SAP 2008 / Page 49

Business Context

Risk Appetite

What is Risk Appetite?

Reflects the amount of risk taking that is acceptable to your organization.

An organization with a high risk appetite would be willing to accept more uncertainty for a higher reward, while an organization with a low risk appetite would seek less uncertainty, for which it would accept a lower return.

Why is Risk Appetite Important?

Helps in understanding the relative significance of the risks faced by your organization and in prioritizing risk monitoring and control activities.

The better the understanding of risk appetite, the more efficient you will be in the allocation of resources capital across your organization.

What are the Benefits of Defining Risk Appetite Levels?

Provides clear boundaries regarding what is and is not acceptable to your organization.

Assists in the identification and prioritization of areas where additional resources or controls may be necessary to bring the risk into line with the stated risk appetite.

Helps determine the degree of control that needs to be applied to a particular risk. For example:

If the current exposure to a particular risk is considered to be acceptable there is usually little value, other than for efficiency reasons, in changing the extent of control (either in terms of using tighter controls or by increasing capital or the amount invested in risk control).

If the current exposure to a particular risk is considered unacceptable, a manager may decide that it needs to invest more capital and introduce more rigorous controls.

SAP 2008 / Page 50

Business Context

Example Risk Appetite

The success of a university depends on effectively managing key drivers of value (Students, Faculty, Academic Reputation, General Reputation, Financial Resources, Information Management, Buildings & Infrastructure) which in turn support the key strategic initiatives outlined in its Strategic Business Plan.

The University accepts an element of risk in almost every activity it undertakes. The critical question in establishing the Universitys risk appetite is How willing is the University to accept risk related to each key value driver?

The Universitys Risk Appetite levels are as follows:

High Risk Appetite: The University accepts opportunities that have an inherent high risk that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.

Moderate Risk Appetite: The University is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.

Modest Risk Appetite: The University is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.

Low Risk Appetite: The University is not willing to accept risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.

Zero Risk Appetite: The University is not willing to accept risks under any circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.

SAP 2008 / Page 51


Risk Appetite

SAP 2008 / Page 52


Risk Appetite

Max 10 characters

Max 60 characters

SAP 2008 / Page 53


Does your organization use Risk Appetite?

If No:

Are you intending to introduce the concept as part of your risk management program?

If Yes:

What are your current Risk Appetite definitions?

Do you use qualitative or quantitative Risk Appetite levels?

What would you like to see improved?

How is Risk Appetite used in deciding whether risks should be mitigated?

SAP 2008 / Page 54


Risk Appetite

Risk Appetite Risk Appetite Description

SAP 2008 / Page 55









this document

SAP 2008 / Page 56

Business Context

Organizational Hierarchies

What are the Organizational Hierarchies?

The various ways of representing your organization for risk reporting purposes.

Why are the Organizational Hierarchies Important?

Allows you to tailor your risk reporting by different organizational views (e.g. legal structure, geographic,

lines of business, etc)

What are the Benefits of Defining Organizational Hierarchies?

Flexible risk reporting to meet the requirements of different risk management stakeholders.

Improved risk transparency.

SAP 2008 / Page 57

Business Context

Example Organizational Hierarchies

SAP 2008 / Page 58



SAP 2008 / Page 59


Default Organizational Hierarchy

What are the required risk reporting structures in your organization?

Do you have copies of org charts?

SAP 2008 / Page 60



Capture org hierarchy discussions here

SAP 2008 / Page 61

Comments and Feedback

Your feedback is very valuable and will enable us to improve our documents. Please

take a few moments to complete our feedback form. Any information you submit will

be kept confidential.

You can access the feedback form at:

http://www.surveymonkey.com/s.aspx?sm=stdoYUlaABrbKUBpE95Y9g_3d_3d

Documents

SAP BusinessObjects Risk Management 3.0 Master Data Setup