Professional Documents
Culture Documents
Template SAPRiskManagement3.0 BusinessBlueprint 1.0
Template SAPRiskManagement3.0 BusinessBlueprint 1.0
Marko Hamel
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc 21.12.2010
Date
Name
Alteration Reason
24.08.9999
XXX
Template Finalized
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
Version
1.0
page 2/29
Table of Contents
1
Overview
1.1 Project Objectives
1.2 Technical Environment
1.2.1 System requirements
1.2.2 System Landscape
Use Cases
2.1 Use Cases: General
2.2 Use Cases: Risk Data Model
2.3 Use Cases: Risk Input
2.4 Use Cases: Risk Calculation
2.5 Use Cases: Risk Reporting
Processes
3.1 Business Processes
3.1.1 Process 1
3.2 Risk Management Process
3.2.1 Risk Planning
3.2.2 Risk Identification
3.2.3 Risk Analysis
3.2.4 Risk Response
3.2.5 Risk Monitoring
Organization Structure
4.1 Risk Management Organization
4.2 Activity Management
Risk Data Model
5.1 Risk Input Form Mapping
5.2 Risk Calculation at <CUSTOMER>
Risk Management Workflows
6.1 Workflows within the <CUSTOMER> Risk Management Process
6.1.1 Risk Planning Workflow
6.2 Workflows within SAP Risk Management
Roles and Responsibilities
7.1 RM: Risk Operations Manager
7.2 AM: Accountable Manager
7.3 RE: Risk Expert
7.4 AO: Assessment Owner
7.5 RV: Risk Validator
7.6 RO: Risk Owner
7.7 ReO: Response Owner
7.8 AA: Auditor and Analyzer
7.9 Authorization Matrix
Authorization Concept
8.1 ABAP Standard Roles
8.2 SAP NetWeaver Portal Role
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
5
5
5
5
5
6
6
6
7
7
7
8
8
8
8
8
9
9
9
9
10
10
10
11
11
12
14
14
14
15
16
16
16
16
16
17
17
17
17
17
18
18
19
page 3/29
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 4/29
Overview
The current blueprint document helps to streamline and collect the detailed requirements of <CUSTOMER>
including the specification of use cases for SAP BusinessObjects Risk Management. It is essential to gain a
comprehensive understanding of processes, roles and responsibilities, organization structure, risk calculation
model and risk workflows. This information is used as a source to specify and describe the customizing
settings that need to be implemented to achieve the project goals.
1.1
Project Objectives
1.2
Technical Environment
Application:
Add. Component 1:
Add. Component 2:
Add. Component 3:
Operating System:
Database:
1.2.1
System requirements
Optional Application
Component
Technology
Component
NetWeaver for ABAP 7.01 SP03 / Incl. SAP_ABA / SAP_BASIS / PI_BASIS / SAP_BW / IGS...
Optional Technology
Component
BOE Server: BOE XI 3.1 (Fixpack 1.2) / BOBJ SAP Integration Kit XI 3.1
Server
Application
Processor
RAM
4 GB (minimum), 8 GB (recommended)
HD
1.2.2
System Landscape
<to be defined.>
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 5/29
Use Cases
A detailed description of use cases will ensure a user-oriented and measurable implementation of the
requirements regarding a software-based Risk Management solution. For an easier handling the use cases
will be defined using the following categorization:
General
GEN
Risk Data Model
MDL
Risk Input
INP
Risk Calculation
CAL
Risk Reporting
REP
2.1
ID
Name
Description
GEN01
Portal Integration
GEN02
Role Concept
GEN03
2.2
ID
Name
Description
MDL01
Qualitative/Quantitative
Mapping
MDL02
Org.-Units
MDL03
Risk Categories
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 6/29
2.3
ID
Name
Description
INP01
Risk Forms
INP02
Online Input
After the initial upload of the offline forms all data needs to be
available for online maintenance.
2.4
ID
Name
Description
CAL01
Risk Calculation
2.5
ID
Name
Description
REP01
PDF Printout-Report
REP02
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 7/29
Processes
3.1
Business Processes
3.1.1
Process 1
3.2
The <CUSTOMER> Risk Management process is based on the internal Risk Management Methodology and
contains the following steps:
1. Risk Planning
2. Risk Identification
3. Risk Analysis
4. Risk Response
5. Risk Monitoring
6. Risk Reporting
Risk Management
Process Steps
Risk
Manager
(RM)
Risk
Expert
(RE)
1. Risk Planning
2. Risk Identification
Risk
Owner
(RO)
Assessment
Owner
1
(AO)
Accountable
Manager
(AM)
3. Risk Analysis
4. Risk Response
5. Risk Monitoring
6. Risk Reporting
Response
Owner
(ReO)
3.2.1
Risk Planning
During this step the approach how to perform risk management in each business area or project is
determined.
Activities:
Meet with the Risk Experts on a monthly basis
Discuss / Identify risk topics and areas.
Plan and align risk activities and goals for risk assessments
Presentation of updates
Contact business owners.
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 8/29
3.2.2
Risk Identification
The uncovering of risks to each business area or project before they turn into problems as well as the
initiation of the Risk Assessment are characteristics of this steps.
Activities:
Organization-/ Project-/ process interviews (risk survey)
Identification of KRIs (e.g. global, strategic, operational ...)
Identification of relevant / corresponding KPIs
Meet with business experts
Setup Risk Assessments according established Processes
3.2.3
Risk Analysis
The main objectives of this phase are the evaluation of risk attributes as well the prioritization of the risks.
Activities:
Perform the Risk Analysis in terms of: Condition, Indicator, Consequences
Probability of Occurrence
Impact in terms of quantity or on a qualitative scale
Timeline and mitigation (response) actions which must be realized to minimize / eliminate the risk
3.2.4
Risk Response
This phase closes the Risk Assessment by making the decision what should be done to mitigate handle the
risks. As a final step the risks are validated by management.
Activities:
Clarify the questions in terms of:
- Do we know enough about the risk?
- Can we live with the risk?
- Is it possible to do something against the risk?
- Are financial and timely efforts adequate in relation to the risk?
- Who is responsible to take the action?
3.2.5
Risk Monitoring
Keeping track of the risks and evaluating the effectiveness of the response actions is the essential task of the
monitoring.
Activities:
Check reporting needs in terms of:
o Are the identified risks still relevant?
o Is the analysis still valid?
o Are there any new risks?
o Are the response strategies actively taken effective?
o Do we have to escalate certain risks?
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 9/29
Organization Structure
4.1
The chart bellow describes the organization of the <CUSTOMER> unit from a risk management perspective:
<picture>
4.2
Activity Management
Since the work of the different UNITs inside the <CUSTOMER> unit is very project-driven, the usage of so
called Activities, as specific operations that may lead to actual risks in the different organization units will be
implemented within the PoC environment. As a consequence an Activity Owner (represented by the
Assessment Owner) is able to structure the risks within his unit based on processes, projects, initiatives or
planning objects with the main advantage of having a much better and granular reporting and control
possibility.
The Activity Management Process contains five main steps:
1. Create an Activity (by Risk Manager)
2. Create Risks (by Assessment Owner)
3. Update Risks (by Assessment Owner and /or Risk Owner)
4. Validate the Activity (Risk Validator role)
5. Close the finished or obsolete activity
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 10/29
The <customer> defines a risk as an uncertain event or condition that, if it occurs, has a negative aspect on
business or project objective. This part of the document describes how risks are collected, calculated and
managed via dedicated responses.
5.1
At the moment risks are collected offline using the Project Risk Register Tool (PRR) and Risk Forms (PPT).
In order to use Adobe Interactive Forms in combination with SAP BusinessObjects Risk Management 3.0 the
valid terms need to be mapped to the new terminology internally.
Used Term
Description
Title
Name
Common Risk ID
Risk Category
Organization Unit
Organization Unit
Condition
Risk Description
Indicator
Driver
Consequence
Impact
P%
Probability
IBR
Impact Level
Time
Speed of Onset
Total Loss
Total Loss
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 11/29
5.2
Inside SAP BusinessObjects Risk Management the probability as well as the quantitative/qualitative Impact
mapping will be implemented as described in the table below. The system is able to calculate the Total Loss if
the qualitative Impact Level is available and vice versa.
Probability
Qualitative Impact
1% 19% = Remote
1 = 0 200 k
1 = Insignificant
2 = 200 k 1,000 k
2 = Minor
3 = 1,000 k 5,000 k
3 = Moderate
4 = 5,000 k 25.000 k
4 = Major
5 = Catastrophic
The RM application will use the provided data to calculate the Risk Level and the Expected Loss.
PRR Term
Description
P*i
Risk Level
Expected Loss
Expected Loss
The defined Risk Levels rated as High (H), Medium (M) or Low (L) depend on the assessed Probability and
the Impact and will be implemented as highlighted in the Risk-Level-Matrix below.
Probability at
Analysis
Qualitative Impact
1
Level 1: 0119 %
Level 2: 2039 %
Level 3: 4059 %
Level 4: 6079 %
Level 5: 8099 %
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 12/29
After the calculation of the risk level a prioritization using the time input (Speed of Onset) needs to
be determined. The risk priority is defined with a numeric value indicating the urgency, where the
lowest number equals the highest priority. The defined risk priorities depend on the assessed
timeframe and the Risk Level during Analysis.
Risk Level during Analysis
Timeframe
L
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 13/29
6.1
6.1.1
<xxx>
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 14/29
6.2
There are two kinds of workflows in Risk Management 3.0: planner-based and event-based workflows.
Planner-based workflows are scheduled and triggered through the Planner, such as Update Risk or Risk
Survey. They reflect the organizations Risk Management Calendar to perform regular activities like updating
existing risk information or preparing for risk reportings. Event-based-workflows on the other side are
predefined end-to-end processes triggered by end-user action, such as Propose Risk.
In Risk Management so called Business Events are use used to map the different workflow tasks to one or
several recipients.
Workflow Name
Description
Activity Survey
Activity Validation
Opportunity Assessment
Opportunity Validation
Response Update
Risk Assessment
Risk Survey
Risk Validation
The Opportunity Assessment, Risk Assessment and Risk Survey will be routed to the Assessment Owner as
a first step. If no Assessment Owner is responsible, because the risk was not assigned to an activity it will be
sent to the Risk Expert.
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 15/29
The following roles are involved in the <CUSTOMER> Risk Management Process:
Risk Operations Manager (RM)
Accountable Manager (AM)
Risk Expert (RE)
Risk Assessment Owner (AO)
Risk Validate (RV)
Risk Owner (RO)
Response Owner (ReO)
Auditor and Analyzer (AA)
7.1
The Risk Operations Manager is a senior person responsible for all risk management activities in his
respective unit. He reports to the unit head.
Main Tasks:
Planning, coordination and aggregation of risk management activities inside the unit
Aggregation of reportings
Interface to Corporate Risk Management
Risk Management planning for the unit
Generation of risk reports (content, process compliance) on unit
7.2
The Accountable Manager is a manager responsible for an org unit or the delivery of a project.
7.3
Every unit has named a Risk Expert, who supports the UnitHead in his responsibility for risk management.
The Risk Expert has deep knowledge about risk management theory and the GRC Methodology.
Main Tasks:
Risk Management planning together with the UNIT Head and others
Schedule and organizing the initial risk assessment
Moderating risk assessments, including recording risk data in risk register (PPT; PRR)
Driving the risk monitoring process
Generating risk reports on UNIT level
Support project leads and others of the UNIT in driving risk management in their area of responsibility
7.4
The Assessment Owner defined in the general project data has primary accountability for the project risk
assessment. The Assessment Owner can change all project and risk data, including the creation of new risks.
The Assessment Owner is informed of his/her role via a work item notification once the project is created. For
projects the assessment owner can be the project lead or his/her delegate.
Remark: Inside the unit <XXX> a neutral person, the so called Risk Assessment Moderator, might support the
moderation of a Risk Assessment.
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 16/29
Main Tasks:
Execution of Risk and Change Management Process in the responsible area (Planning, Identification,
Analysis, Response and Monitoring)
Coordination and Participation of Risk Assessment
Ensure aggregation of results as well as risk validation
7.5
The Risk Validator is in charge of reviewing and approving the identified risks, the analysis, and the risk
response plans as well as deciding whether the assessment should be approved, rejected, or re-worked. The
Risk Validator should be at least one level higher in the management level than the Assessment Owner.
Responsibility for validation cannot be delegated.
Main Tasks:
Sign-Off and approval of single risks or risk assessment results
Rejection of risks (e.g. demand for better description, quality )
Determination of confidentiality level for risks
Proposes risks for area risk reporting as well as board risk reporting
7.6
A person identified during a risk assessment or in follow up of a risk assessment. The risk owner can be
different from the project lead that has the original responsibility for all project related risks (applies equally to
other tasks and entities). The role of the risk owner is to analyze risks, to initiate risk response action, and to
follow-up on risk response actions. He should always be able to provide the most up to date status of the risk.
Main Tasks:
Description and analysis of risks
Proposal of response strategies for mitigation
Initiation of response actions
Follow-Up of results
Set or verification of "Risk and Response" status.
7.7
A person identified during a risk assessment or in follow up of a risk assessment. The response owners
responsibility is to execute planned responses. He/she may report to the risk owner or others in that matter.
Main Tasks:
Execution of defined response measure
Reporting of response
Set of response status
7.8
This role will be assigned to Persons needing read-only access to a complete unit. This may be the Unit
Manager (if no data maintenance needed), GIAS or an external auditor.
7.9
Authorization Matrix
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 17/29
Authorization Concept
The Risk Management application is based on the SAP NetWeaver authorization model and assigns
authorizations to users based on roles. SAP Standard roles (PFCG basic roles) provide the technical
standard authorizations to the ABAP server. Portal roles provide application content, like order and number of
visible work centers, via the SAP NetWeaver Portal. The following table lists the application elements and
responsible roles for authorization:
Description
Navigation Menu
Portal role
Work Set
Portal role
Work Center
Portal role
Menu Group
Application role
Menu Item
Application role
As an additional aspect the Risk Management web-frontend (NW Portal) is used to assign end-users to
2
business user roles and to entities such as risks, opportunities and organizations based on so called
application roles. These application entities are structured in a hierarchy, providing top-down authorizations.
Roles and entities at a higher entitylevel have greater authorizations to perform tasks and greater access to
the application than roles at a lower entitylevel. The hierarchy also affects task assignments, work flows, and
business event processing.
Furthermore a usage of the so called Second-Level Authorization allows a restriction of the user selection for
entity-level role assignments. So only those users, who have been assigned the corresponding PFCG role in
their user profile, are available for an assignment. Consequently the Second-Level Authorization provides an
additional level of control. However in the PoC it was decided to de-activate this possibility and rely on the
entity authorization via the web-frontend, only.
8.1
Role Name
Description
SAP_GRC_FN_BASE
This is the basis backend role and is required by every user of Risk
Management.
SAP_GRC_FN_ALL
This role acts as a Power User role and provides full access to all
entities.
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 18/29
SAP_GRC_FN_DISPLAY
This role provides display access to all entities and can be used for
auditors.
SAP_GRC_FN_BUSINESS_USER
This is the standard end-user role. The access to the different entities
is maintained via the web-frontend application.
8.2
The GRC Risk Management role provides access to the Navigation Menu for Risk Management in the SAP
NetWeaver Portal as well as the following relevant Work Sets:
My Home
Risk Structure
Risk Assessment
Risk Monitoring
Reporting and Analytics
User Access
Please note that the number and visibility of menu entries is derived from the business user role that was
assigned over the frontend.
Role Name
Description
pcd:portal_content/com.sap.grc.rm.Enterprise_Risk_Management/com.sap.grc.
rm.roles/com.sap.grc.rm.Role_All
8.3
Application Roles
Application roles (PFCG model roles) grant detailed authorization to the Risk Management application and
refine the standard role authorizations. The following table maps the original SAP Roles to the customer
specific roles in Risk Management.
Role in RM
Example
Users
Role Name
Risk
Manager
(RM)
Central
Risk
Manager
Z_GRC_RM_API_RISK_MANAGER
SAP_GRC_RM_API_CENTRAL_RM
Risk Expert
(RE)
Unit Risk
Manager
Z_GRC_RM_API_RISK_EXPERT
SAP_GRC_RM_API_RISK_MANAGER
Accountable
Manager
(AM)
Org Unit
Manager
Z_GRC_RM_API_ACCOUNT_MAN
AGER
SAP_GRC_RM_API_ORG_OWNER
The role name in the web-frontend will be derived from the description of the ABAP role.
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 19/29
Assessment
Owner (AO)
Business
Unit
Manager/
Project
Manager/
Program
Manager
Z_GRC_RM_API_ASSESSMNT_O
WNER
SAP_GRC_RM_API_ACTIVITY_OWN
ER
Risk Owner
(RO)
Risk
Owner
Z_GRC_RM_API_RISK_OWNER
SAP_GRC_RM_API_RISK_OWNER
Response
Owner (ReO)
Respons
e Owner
Z_GRC_RM_API_RESPONSE_OW
NER
SAP_GRC_RM_API_RESPONSE_OW
NER
Risk
Validator
(RV)
CFO /
Unit
Head
Z_GRC_RM_API_RISK_VALIDATO
R
SAP_GRC_RM_API_CEO_CFO
Auditor &
Analyzer
(AA)
Internal
Auditor
Z_GRC_RM_API_AUDITOR_ANAL
YZER
SAP_GRC_RM_API_INTERNAL_AUD
8.4
The assignment of the responsible persons to the different Org.-Units can be maintained in tab Risk
Management -> Work Set: Risk Structure -> Menu Item: Organizations
Org-Init
Accountable Manager
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
Risk Expert
page 20/29
IMG Settings
9.1
Entity ID
9.2
Role
Unique
Use this customizing activity to specify which roles are relevant for a particular entity to be used in Risk
Management reporting.
Entity ID
9.3
Example Users
Specify the agent determination rules to identify the right workflow recipient for all business events to be used
in Risk Management.
Business Event: Is the event name for which a recipient role will be assigned.
Sort: Allows prioritization and grouping of business events.
Role: Assigned recipient role.
Entity ID: Entity associated with the business event.
Subtype: Subtype associated with the business event. (Not maintained)
Business Event Name: Description for the business event.
Business Event
9.4
S Role
Entity ID
Business Event
Name
Maintain activity types for an activity hierarchy in your organization. This enables you to group similar activity
categories under one activity type in the application.
Type
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 21/29
9.5
9.5.1
Maintain the impact levels used in risk analysis, as well as the benefit levels to be used in opportunity
analysis.
Imp Level
Reduction/Improvement
Insignificant
Insignificant
Very Low
Minor
Modest
Low
Moderate
Moderate
Medium
Major
Worthwhile
High
Catastrophic
Significant
Very High
9.5.2
Configure and maintain risk probability levels for Process Control and Risk Management.
Prob Level
Description
Remote
Unlikely
Likely
Highly Likely
Near Certainty
9.5.3
The speed of onset refers to the time horizon in which you expect the risk to occur. In this way, you can
specify values for the periods in which action is required to respond to a risk.
Speed of
Onset
Description
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 22/29
9.5.4
Configure and maintain risk probability levels for Process Control and Risk Management.
Prob Level
30
50
70
90
9.5.5
Maintain Risk and Opportunity Level Colour (IMG: Risk and Opportunity Analysis)
Maintain risk and opportunity levels, together with the colors for the various risk or opportunity levels. These
are used in the front-end application when working with risk scenarios or carrying out a risk analysis.
Level
Description
Position
High
Red
Red
Low
Green
Green
Medium
Yellow
Yellow
9.5.6
Maintain Risk and Opportunity Level Matrix (IMG: Risk and Opportunity Analysis)
A risk level refers to the level of severity for a risk and corresponds to a defined risk level value. The
combination of impact level x probability level should correspond to the defined risk level.
Probability
9.5.7
Impact Level
Level
Maintain Risk and Opportunity Priorities (IMG: Risk and Opportunity Analysis)
Risk Priority
Description
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 23/29
9.5.8
Maintain Risk and Opportunity Priority Matrix (IMG: Risk and Opportunity Analysis)
Specify the values for the speed of onset, the calculated risk level and the risk priorities.
Speed of Onset
9.5.9
Level
Risk Priority
The "three points" to be defined and then analyzed are the minimum loss, the average loss, and the
maximum loss, which you define in percentage format. Usage: (Minimum + Maximum + 4(Average))/6
Date
Min Loss
Avg Loss
Max Loss
Active
21.07.2009
16,6667
66,6666
16,6667
9.5.10
The following analysis profile options are available in this Customizing activity:
Impact Reduction: This refers to the reduction in the impact of a risk after risk response. If you do not set the
indicator, the impact reduction section does not appear on the Response tab of the RM UI.
Probability: Quantitative: In this option, the probability appears as in input field on the UI and you can enter
the probability percentage value.
Speed of Onset: Switch on the timeframe as the period of time that is available to decide on the risk
responses.
Impact Value: Mixed: In this option, both qualitative and quantitative options appear on the UI.
Profile ID
Impact
Reduction
Probability
Speed
of
Onset
Impact Value
Aggregation
Method
Active
0000000001
Quantitative
Mixed
Average
Allow free text for Benefit, Impact and Driver Categories (IMG: Risk and Opportunity
Attributes)
After a certain category was activated the field for entering the corresponding text is enabled and you can enter text
describing the object.
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 24/29
Category
9.5.12
Application
Active
Maintain activity types for an activity hierarchy in this organization. This enables you to group similar activity
categories under one activity type in the application.
Type
9.6
Maintain the specific purposes of responses to risks or enhancement plans for opportunities.
Response
9.6.2
Define levels for the effectiveness of responses to risks, as well as the effectiveness of the enhancement plan
for an opportunity.
Eff. Level
RespEff. %
Effectiveness desc.
50
Ineffective
75
Partly Effective
100
Effective
9.6.3
Configure and maintain specific response types for the risks defined.
Type
Description
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 25/29
10
Appendix
10.1
Term
Description
GRC
10.2
References
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 26/29
11
ID
Risk Categories
Common Risk
Financial Risks
Financial Reporting
Accounting Guidelines
Financial
Financial
Financial Misstatements
Financial
Internal Compliance
Financial
Treasury
Currency
Financial
Liquidity
Financial
Cost of Financing
Financial
Investment / Debt
Financial
Derivative Instruments
Financial
Cash Management
Financial
Controlling
Budgeting
Financial
Financial
Financial
Organizational Structure
Processes
Process Execution
Operational Risks
Intellectual Property Rights
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
Other Operational
page 27/29
Procurement
Vendor Selection
Other Operational
Vendor Monitoring
Other Operational
Vendor Dependency
Other Operational
Policy
Other Operational
Infrastructure Operations
Security Governance
Other Operational
Other Operational
Loss of Infrastructure
Other Operational
Unauthorized Access
Other Operational
Impairment of Personnel
Other Operational
Other Operational
Information and IT
Confidentiality
Other Operational
Availability
Other Operational
Technology
Other Operational
Integrity
Other Operational
Information & IT
Other Operational
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 28/29
12
Index of Tables
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc
page 29/29