Template SAP Risk Management 3.0 Business BluePrint - 1.0 PDF

SAP BusinessObjects Risk Management 3.
Template Business Blueprint
Marko Hamel
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc – 21.12.2010
PoC SAP BO Risk Management 3.0
Date Name Alteration Reason Version
24.08.9999 XXX Template Finalized 1.0
Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 2/29

Table of Contents
1 Overview 5
1.1 Project Objectives 5
1.2 Technical Environment 5
1.2.1 System requirements 5
1.2.2 System Landscape 5
2 Use Cases 6
2.1 Use Cases: General 6
2.2 Use Cases: Risk Data Model 6
2.3 Use Cases: Risk Input 7
2.4 Use Cases: Risk Calculation 7
2.5 Use Cases: Risk Reporting 7
3 Processes 8
3.1 Business Processes 8
3.1.1 Process 1 8
3.2 Risk Management Process 8
3.2.1 Risk Planning 8
3.2.2 Risk Identification 9
3.2.3 Risk Analysis 9
3.2.4 Risk Response 9
3.2.5 Risk Monitoring 9
4 Organization Structure 10
4.1 Risk Management Organization 10
4.2 Activity Management 10
5 Risk Data Model 11
5.1 Risk Input Form Mapping 11
5.2 Risk Calculation at <CUSTOMER> 12
6 Risk Management Workflows 14
6.1 Workflows within the <CUSTOMER> Risk Management Process 14
6.1.1 Risk Planning Workflow 14
6.2 Workflows within SAP Risk Management 15
7 Roles and Responsibilities 16
7.1 RM: Risk Operations Manager 16
7.2 AM: Accountable Manager 16
7.3 RE: Risk Expert 16
7.4 AO: Assessment Owner 16
7.5 RV: Risk Validator 17
7.6 RO: Risk Owner 17
7.7 ReO: Response Owner 17
7.8 AA: Auditor and Analyzer 17
7.9 Authorization Matrix 17
8 Authorization Concept 18
8.1 ABAP Standard Roles 18
8.2 SAP NetWeaver Portal Role 19

8.3 Application Roles 19

8.4 Assignment of users to Org-Units 20
9 IMG Settings 21
9.1 Maintain Entity Role Assignment (IMG: General Settings) 21
9.2 Maintain Users Responsibility for Entity (IMG: Reporting) 21
9.3 Maintain Custom Agent Determination Rules (IMG: Workflow Enabling) 21
9.4 Maintain Activity Types (IMG: Master Data Setup) 21
9.5 Risk Data Model and Calculation 22
9.5.1 Maintain Impact Levels (IMG: Master Data Setup) 22
9.5.2 Maintain Probability Levels (IMG: Risk and Opportunity Analysis) 22
9.5.3 Maintain speed of onset (IMG: Risk and Opportunity Analysis) 22
9.5.4 Maintain Probability Level Matrix (IMG: Risk and Opportunity Analysis) 23
9.5.5 Maintain Risk and Opportunity Level Colour (IMG: Risk and Opportunity Analysis) 23
9.5.6 Maintain Risk and Opportunity Level Matrix (IMG: Risk and Opportunity Analysis) 23
9.5.7 Maintain Risk and Opportunity Priorities (IMG: Risk and Opportunity Analysis) 23
9.5.8 Maintain Risk and Opportunity Priority Matrix (IMG: Risk and Opportunity Analysis) 24
9.5.9 Define Three-Point Analysis (IMG: Risk and Opportunity Analysis) 24
9.5.10 Maintain Analysis Profile (IMG: Risk and Opportunity Analysis) 24
9.5.11 Allow free text for Benefit, Impact and Driver Categories (IMG: Risk and Opportunity Attributes)24
9.5.12 Maintain Activity Types (Master Data Setup) 25
9.6 Response and Enhancement 25
9.6.1 Maintain Response and Enhancement purpose (Response and Enhancement Plan) 25
9.6.2 Maintain Response and Enhancement Plan Effectiveness (Response and Enhancement Plan) 25
9.6.3 Maintain Response Plan Types (Response and Enhancement Plan) 25
10 Appendix 26
10.1 Definitions and Abbreviations 26
10.2 References 26
11 Risk Categories 27
12 Index of Tables 29

1 Overview
The current blueprint document helps to streamline and collect the detailed requirements of <CUSTOMER>
including the specification of use cases for SAP BusinessObjects Risk Management. It is essential to gain a
comprehensive understanding of processes, roles and responsibilities, organization structure, risk calculation
model and risk workflows. This information is used as a source to specify and describe the customizing
settings that need to be implemented to achieve the project goals.
1.1 Project Objectives
The Proof-of-Concept should ensure the achievement of the following objectives:

…
1.2 Technical Environment

Application: SAP BusinessObjects Risk Management 3.0
Add. Component 1: T-Rex Search engine (Optional)
Add. Component 2: BusinessObjects Enterprise Server
Add. Component 3: Adobe Interactive Forms
Operating System: <xxx>
Database: <xxx>
1.2.1 System requirements
Solution Validation Landscape: Components Requirements (minimal)

Application GRCFND_A 300, GRC RM Portal 300
Component
Optional Application GRC Reporting Framework 3.0
Component
Technology NetWeaver for ABAP 7.01 SP03 / Incl. SAP_ABA / SAP_BASIS / PI_BASIS / SAP_BW / IGS...
Component
NetWeaver for Java 7.01 SP03 / Incl. Adobe Document Services
Optional Technology BOBJ SAP Integration Kit XI 3.1
Component
BOE Server: BOE XI 3.1 (Fixpack 1.2) / BOBJ SAP Integration Kit XI 3.1
Productive Landscape Hardware Requirements (minimal)

System Type Server
Application Risk Management 3.0**
Processor Two single core processors or one dual core processor
RAM 4 GB (minimum), 8 GB (recommended)
HD 100 GB minimum, swap space 2*RAM, 1.2 GB temporary space
1.2.2 System Landscape
<to be defined.>

2 Use Cases
A detailed description of use cases will ensure a user-oriented and measurable implementation of the
requirements regarding a software-based Risk Management solution. For an easier handling the use cases
will be defined using the following categorization:
General GEN
Risk Data Model MDL
Risk Input INP
Risk Calculation CAL
Risk Reporting REP
2.1 Use Cases: General

ID Name Description
GEN01 Portal Integration Integration of the Risk Management solution in a SAP

NetWeaver Portal as defined UI
GEN02 Role Concept All in the risk management process involved persons need to
be authorized following a role based approach.
GEN03 Risk Management Process The risk management process of <CUSTOMER> including
the following steps need to be implemented:
Risk Planning
Risk Identification (incl. Risk Survey)
Risk Analysis
Risk Response
Risk Monitoring
Risk Reporting
Table 1: Use Cases: General
2.2 Use Cases: Risk Data Model

ID Name Description
MDL01 Qualitative/Quantitative Risks are managed in qualitative as well as quantitative way.

Mapping Consequently the IMG needs to be customized to support this
mixed-mode using Probability (%), Impact Before and After
Response (level), Total Loss (€), Time (Priority) as input. The
Expected Loss (€) as well as the Risk Level (level) are calculated
based on a defined calculation matrix.
MDL02 Org.-Units Recording of risks in connection with the relevant Org.-Unit.

Consequently the Org.-Unit of <CUSTOMER> is an essential part
of the master data.
MDL03 Risk Categories Usage of the Common Risk ID’s as part of the „Project Risk
Register“ (PRR)
Table 2: Use Cases: Risk Data Model

2.3 Use Cases: Risk Input

ID Name Description
INP01 Risk Forms Simple input of new risks using survey-based offline-forms. The
layout of the Customer Standard should be utilized.
INP02 Online Input After the initial upload of the offline forms all data needs to be
available for online maintenance.
Table 3: Use Cases: Risk Input
2.4 Use Cases: Risk Calculation

ID Name Description
CAL01 Risk Calculation The current excel-based approach acts as the foundation for the
calculation of risks. For more details see Risk Data Model
Table 4: Use Cases: Risk Calculation
2.5 Use Cases: Risk Reporting

ID Name Description
REP01 PDF Printout-Report The report should show the most important attributes of an risk
like:
Description
Driver
Impact
Probability
Total loss
Expected loss
Risk level
Response details
REP02 Risk Dashboard / Heat Map The risk dashboard presents the most important risks based on a
chosen Org. Unit aggregating the levels below. Furthermore it is
important to show a heat map highlighting the distribution of risks
in reference to probability and impact.
Table 5: Use Cases: Risk Reporting

3 Processes
3.1 Business Processes
3.1.1 Process 1
The output of process 1 is …
3.2 Risk Management Process
The <CUSTOMER> Risk Management process is based on the internal Risk Management Methodology and
contains the following steps:
1. Risk Planning
2. Risk Identification
3. Risk Analysis
4. Risk Response
5. Risk Monitoring
6. Risk Reporting
Risk Risk Risk Response Assessment Accountable

Risk Management
Manager Expert Owner Owner Owner Manager
Process Steps 1
(RM) (RE) (RO) (ReO) (AO) (AM)
1. Risk Planning C R R A
2. Risk Identification C R A I
3. Risk Analysis C R A I
4. Risk Response C C R R A
5. Risk Monitoring R C R R A I
6. Risk Reporting C R R A
Table 6: Risk Management Process RACI
3.2.1 Risk Planning
During this step the approach how to perform risk management in each business area or project is
determined.
Activities:
Meet with the Risk Experts on a monthly basis
Discuss / Identify risk topics and areas.
Plan and align risk activities and goals for risk assessments
Presentation of updates
Contact business owners.
1
Project Manager or delegate

3.2.2 Risk Identification
The uncovering of risks to each business area or project before they turn into problems as well as the
initiation of the Risk Assessment are characteristics of this steps.
Activities:
Organization-/ Project-/ process interviews (risk survey)
Identification of KRI´s (e.g. global, strategic, operational ...)
Identification of relevant / corresponding KPI´s
Meet with business experts
Setup Risk Assessments according established Processes
3.2.3 Risk Analysis
The main objectives of this phase are the evaluation of risk attributes as well the prioritization of the risks.
Activities:
Perform the Risk Analysis in terms of: Condition, Indicator, Consequences
Probability of Occurrence
Impact in terms of quantity or on a qualitative scale
Timeline and mitigation (response) actions which must be realized to minimize / eliminate the risk
3.2.4 Risk Response
This phase closes the Risk Assessment by making the decision what should be done to mitigate handle the
risks. As a final step the risks are validated by management.
Activities:
Clarify the questions in terms of:
- Do we know enough about the risk?
- Can we live with the risk?
- Is it possible to do something against the risk?
- Are financial and timely efforts adequate in relation to the risk?
- Who is responsible to take the action?
3.2.5 Risk Monitoring
Keeping track of the risks and evaluating the effectiveness of the response actions is the essential task of the
monitoring.
Activities:
Check reporting needs in terms of:
o Are the identified risks still relevant?
o Is the analysis still valid?
o Are there any new risks?
o Are the response strategies actively taken effective?
o Do we have to escalate certain risks?

4 Organization Structure
The Org-Structure will be implemented using the following hierarchy:
<CUSTOMER> - Chief Executive Officer (CEO)

XXX
XXX
XXX
4.1 Risk Management Organization
The chart bellow describes the organization of the <CUSTOMER> unit from a risk management perspective:
<picture>
4.2 Activity Management
Since the work of the different UNIT’s inside the <CUSTOMER> unit is very project-driven, the usage of so
called Activities, as specific operations that may lead to actual risks in the different organization units will be
implemented within the PoC environment. As a consequence an Activity Owner (represented by the
Assessment Owner) is able to structure the risks within his unit based on processes, projects, initiatives or
planning objects with the main advantage of having a much better and granular reporting and control
possibility.
The Activity Management Process contains five main steps:

1. Create an Activity (by Risk Manager)
2. Create Risks (by Assessment Owner)
3. Update Risks (by Assessment Owner and /or Risk Owner)
4. Validate the Activity (Risk Validator role)
5. Close the finished or obsolete activity

5 Risk Data Model
The <customer> defines a risk as an uncertain event or condition that, if it occurs, has a negative aspect on
business or project objective. This part of the document describes how risks are collected, calculated and
managed via dedicated responses.
5.1 Risk Input Form Mapping
At the moment risks are collected offline using the Project Risk Register Tool (PRR) and Risk Forms (PPT).
In order to use Adobe Interactive Forms in combination with SAP BusinessObjects Risk Management 3.0 the
valid terms need to be mapped to the new terminology internally.
Used Term Description Mapping to SAP BO RM 3.0
Title Short name of a risk. Name
Common Risk ID Key attributes to classify a risk in detail. For more Risk Category
information see Appendix A
Organization Unit Specifies the Organization Unit a risk belongs to. Organization Unit
Condition The condition describes what is actually causing the Risk Description
concern that certain business, financial or strategic
objectives may not be achieved as planned.
Indicator Root cause leads to the situation a risk is actually Driver

occurring.
Consequence The consequence describes the negative impact(s) of Impact

the condition(s) on the business, financial or strategic
objectives of the related business activity.
P% The likelihood that risk will occur in %. Probability
IBR Impact Before Response: The qualitative impact Impact Level

before risk response actions are taken
Time The period when action is required to respond to a Speed of Onset

risk.
Total Loss The magnitude of the actual loss value accrued when Total Loss
a risk event occurs before the response actions are
implemented. It is also called the quantitative financial
impact.
Table 7: Risk Input Form

5.2 Risk Calculation at <CUSTOMER>
Inside SAP BusinessObjects Risk Management the probability as well as the quantitative/qualitative Impact
mapping will be implemented as described in the table below. The system is able to calculate the Total Loss if
the qualitative Impact Level is available and vice versa.
Probability Quantitative Impact (Total Loss) Qualitative Impact
1% – 19% = Remote 1 = 0€ – 200 k€ 1 = Insignificant
20% – 39% = Unlikely 2 = 200 k€ – 1,000 k€ 2 = Minor
40% – 59% = Likely 3 = 1,000 k€ – 5,000 k€ 3 = Moderate
60% – 79% = Highly Likely 4 = 5,000 k€– 25.000 k€ 4 = Major
80% – 99% = Near Certainty 5 = > 25.000.000 EUR 5 = Catastrophic
Table 8: Probability and Impact Level
The RM application will use the provided data to calculate the Risk Level and the Expected Loss.
PRR Term Description Mapping to SAP BO RM 3.0
P*i Calculates the Risk Level by multiplying Risk Level

Probability Level and Qualitative Impact under
consideration of the Risk Level Matrix
Expected Loss A measure of the loss associated with a risk, Expected Loss
taking into account the Probability of the risk
and the Total Loss in EUR (P*Total Loss).
Table 9: Risk Calculation Term
The defined Risk Levels rated as High (H), Medium (M) or Low (L) depend on the assessed Probability and
the Impact and will be implemented as highlighted in the Risk-Level-Matrix below.
Qualitative Impact
Probability at
Analysis
1 2 3 4 5
Level 1: 01–19 % L L L L M
Level 2: 20–39 % L L L M M
Level 3: 40–59 % L L M M H
Level 4: 60–79 % L M M H H
Level 5: 80–99 % L M H H H
Table 10: Risk Level Matrix

After the calculation of the risk level a prioritization using the time input (Speed of Onset) needs to
be determined. The risk priority is defined with a numeric value indicating the urgency, where the
lowest number equals the highest priority. The defined risk priorities depend on the assessed
timeframe and the Risk Level during Analysis.
Risk Level during Analysis

Timeframe
L M H
1: Long (12 months+) 9 8 6
2: Medium (3-12 months) 7 4 3
3: Short (less than 3 m) 5 2 1
Table 11: Risk Priority Matrix

6 Risk Management Workflows

6.1 Workflows within the <CUSTOMER> Risk Management Process
6.1.1 Risk Planning Workflow
<xxx>

6.2 Workflows within SAP Risk Management
There are two kinds of workflows in Risk Management 3.0: planner-based and event-based workflows.
Planner-based workflows are scheduled and triggered through the Planner, such as “Update Risk” or “Risk
Survey”. They reflect the organizations Risk Management Calendar to perform regular activities like updating
existing risk information or preparing for risk reportings. Event-based-workflows on the other side are
predefined end-to-end processes triggered by end-user action, such as “Propose Risk”.
In Risk Management so called Business Events are use used to map the different workflow tasks to one or
several recipients.
Workflow Name Description Role of Workflow Recipient
Activity Survey Identify new risks related to an activity by Assessment Owner (AO)
sending out survey questions.
Activity Validation Allows a planner to get sign-off and Risk Validator (RV)
confirmation on the current risk situation for
an activity (process or project).
Opportunity Assessment Supports Risk Managers to get an update for (1) Assessment Owner (AO)
opportunities in their area by sending out a
(2) Risk Expert (RE)
risk assessment work item.
Opportunity Validation Allows a planner to get sign-off and Risk Validator (RV)
confirmation on the current opportunity
(analyses and assigned enhancement plans).
Response Update Helps Risk Managers and Risk Owners to Response Owner (ReO)
keep track on the current state of the risk
responses by sending a work item to the
Response Owner.
Risk Assessment Supports Risk Managers to get an update for (1) Assessment Owner (AO)
risks in their area by sending out a risk
assessment work item.
Risk Survey Perform a risk survey in preparation to a (1) Assessment Owner (AO)
planned risk re-assessment through a set of
survey questions.
Risk Validation Allows a planner to get sign-off and Risk Validator (RV)
confirmation on the current risk (analyses
and assigned responses).
The Opportunity Assessment, Risk Assessment and Risk Survey will be routed to the Assessment Owner as
a first step. If no Assessment Owner is responsible, because the risk was not assigned to an activity it will be
sent to the Risk Expert.

7 Roles and Responsibilities
The following roles are involved in the <CUSTOMER> Risk Management Process:
Risk Operations Manager (RM)
Accountable Manager (AM)
Risk Expert (RE)
Risk Assessment Owner (AO)
Risk Validate (RV)
Risk Owner (RO)
Response Owner (ReO)
Auditor and Analyzer (AA)
7.1 RM: Risk Operations Manager
The Risk Operations Manager is a senior person responsible for all risk management activities in his
respective unit. He reports to the unit head.
Main Tasks:
Planning, coordination and aggregation of risk management activities inside the unit
Aggregation of reportings
Interface to Corporate Risk Management
Risk Management planning for the unit
Generation of risk reports (content, process compliance) on unit
7.2 AM: Accountable Manager
The Accountable Manager is a manager responsible for an org unit or the delivery of a project.
7.3 RE: Risk Expert
Every unit has named a Risk Expert, who supports the UnitHead in his responsibility for risk management.
The Risk Expert has deep knowledge about risk management theory and the GRC Methodology.
Main Tasks:
Risk Management planning together with the UNIT Head and others
Schedule and organizing the initial risk assessment
Moderating risk assessments, including recording risk data in risk register (PPT; PRR)
Driving the risk monitoring process
Generating risk reports on UNIT level
Support project leads and others of the UNIT in driving risk management in their area of responsibility
7.4 AO: Assessment Owner
The Assessment Owner defined in the general project data has primary accountability for the project risk
assessment. The Assessment Owner can change all project and risk data, including the creation of new risks.
The Assessment Owner is informed of his/her role via a work item notification once the project is created. For
projects the assessment owner can be the project lead or his/her delegate.
Remark: Inside the unit <XXX> a neutral person, the so called Risk Assessment Moderator, might support the
moderation of a Risk Assessment.

Main Tasks:
Execution of Risk and Change Management Process in the responsible area (Planning, Identification,
Analysis, Response and Monitoring)
Coordination and Participation of Risk Assessment
Ensure aggregation of results as well as risk validation
7.5 RV: Risk Validator
The Risk Validator is in charge of reviewing and approving the identified risks, the analysis, and the risk
response plans as well as deciding whether the assessment should be approved, rejected, or re-worked. The
Risk Validator should be at least one level higher in the management level than the Assessment Owner.
Responsibility for validation cannot be delegated.
Main Tasks:
Sign-Off and approval of single risks or risk assessment results
Rejection of risks (e.g. demand for better description, quality …)
Determination of confidentiality level for risks
Proposes risks for “area risk reporting” as well as “board risk reporting”
7.6 RO: Risk Owner
A person identified during a risk assessment or in follow up of a risk assessment. The risk owner can be
different from the project lead that has the original responsibility for all project related risks (applies equally to
other tasks and entities). The role of the risk owner is to analyze risks, to initiate risk response action, and to
follow-up on risk response actions. He should always be able to provide the most up to date status of the risk.
Main Tasks:
Description and analysis of risks
Proposal of response strategies for mitigation
Initiation of response actions
Follow-Up of results
Set or verification of "Risk and Response" status.
7.7 ReO: Response Owner
A person identified during a risk assessment or in follow up of a risk assessment. The response owner’s
responsibility is to execute planned responses. He/she may report to the risk owner or others in that matter.
Main Tasks:
Execution of defined response measure
Reporting of response
Set of response status
7.8 AA: Auditor and Analyzer
This role will be assigned to Persons needing read-only access to a complete unit. This may be the Unit
Manager (if no data maintenance needed), GIAS or an external auditor.
7.9 Authorization Matrix
The authorization matrix is defined in the excel sheet: “Entity_Authorizations_RM30_for_<CUSTOMER>.xls”.

8 Authorization Concept
The Risk Management application is based on the SAP NetWeaver authorization model and assigns
authorizations to users based on roles. SAP Standard roles (PFCG basic roles) provide the technical
standard authorizations to the ABAP server. Portal roles provide application content, like order and number of
visible work centers, via the SAP NetWeaver Portal. The following table lists the application elements and
responsible roles for authorization:
Description Access determined by Role Type
Navigation Menu Portal role
Work Set Portal role
Work Center Portal role
Menu Group Application role
Menu Item Application role
As an additional aspect the Risk Management web-frontend (NW Portal) is used to assign end-users to
2
business user roles and to entities such as risks, opportunities and organizations based on so called
application roles. These application entities are structured in a hierarchy, providing top-down authorizations.
Roles and entities at a higher entity–level have greater authorizations to perform tasks and greater access to
the application than roles at a lower entity–level. The hierarchy also affects task assignments, work flows, and
business event processing.
Furthermore a usage of the so called Second-Level Authorization allows a restriction of the user selection for
entity-level role assignments. So only those users, who have been assigned the corresponding PFCG role in
their user profile, are available for an assignment. Consequently the Second-Level Authorization provides an
additional level of control. However in the PoC it was decided to de-activate this possibility and rely on the
entity authorization via the web-frontend, only.
8.1 ABAP Standard Roles
Risk Management provides the following basis roles:
Role Name Description
SAP_GRC_FN_BASE This is the basis backend role and is required by every user of Risk
Management.
SAP_GRC_FN_ALL This role acts as a Power User role and provides full access to all
entities.
2
Table GRFNENTITY contains all available entities

SAP_GRC_FN_DISPLAY This role provides display access to all entities and can be used for
auditors.
SAP_GRC_FN_BUSINESS_USER This is the standard end-user role. The access to the different entities
is maintained via the web-frontend application.
8.2 SAP NetWeaver Portal Role
The GRC Risk Management role provides access to the Navigation Menu for Risk Management in the SAP
NetWeaver Portal as well as the following relevant Work Sets:
My Home
Risk Structure
Risk Assessment
Risk Monitoring
Reporting and Analytics
User Access
Please note that the number and visibility of menu entries is derived from the business user role that was
assigned over the frontend.
Role Name Description
pcd:portal_content/com.sap.grc.rm.Enterprise_Risk_Management/com.sap.grc. GRC Risk Management

rm.roles/com.sap.grc.rm.Role_All
8.3 Application Roles
Application roles (PFCG model roles) grant detailed authorization to the Risk Management application and
refine the standard role authorizations. The following table maps the original SAP Roles to the customer
specific roles in Risk Management.
3
Role in RM Example Role Name Original SAP Role
Users
Risk Central Z_GRC_RM_API_RISK_MANAGER SAP_GRC_RM_API_CENTRAL_RM

Manager Risk
(RM) Manager
Risk Expert Unit Risk Z_GRC_RM_API_RISK_EXPERT SAP_GRC_RM_API_RISK_MANAGER

(RE) Manager
Accountable Org Unit Z_GRC_RM_API_ACCOUNT_MAN SAP_GRC_RM_API_ORG_OWNER

Manager Manager AGER
(AM)
3
The role name in the web-frontend will be derived from the description of the ABAP role.

Assessment Business Z_GRC_RM_API_ASSESSMNT_O SAP_GRC_RM_API_ACTIVITY_OWN

Owner (AO) Unit WNER ER
Manager/
Project
Manager/
Program
Manager
Risk Owner Risk Z_GRC_RM_API_RISK_OWNER SAP_GRC_RM_API_RISK_OWNER

(RO) Owner
Response Respons Z_GRC_RM_API_RESPONSE_OW SAP_GRC_RM_API_RESPONSE_OW

Owner (ReO) e Owner NER NER
Risk CFO / Z_GRC_RM_API_RISK_VALIDATO SAP_GRC_RM_API_CEO_CFO

Validator Unit R
(RV) Head
Auditor & Internal Z_GRC_RM_API_AUDITOR_ANAL SAP_GRC_RM_API_INTERNAL_AUD

Analyzer Auditor YZER
(AA)
8.4 Assignment of users to Org-Units
The assignment of the responsible persons to the different Org.-Units can be maintained in tab Risk
Management -> Work Set: Risk Structure -> Menu Item: Organizations
Org-Init Accountable Manager Risk Expert

9 IMG Settings
9.1 Maintain Entity Role Assignment (IMG: General Settings)
The step is used to assign the entities to individual user roles.
Entity ID Role Unique
9.2 Maintain Users Responsibility for Entity (IMG: Reporting)
Use this customizing activity to specify which roles are relevant for a particular entity to be used in Risk
Management reporting.
Entity ID Example Users
9.3 Maintain Custom Agent Determination Rules (IMG: Workflow Enabling)
Specify the agent determination rules to identify the right workflow recipient for all business events to be used
in Risk Management.
Business Event: Is the event name for which a recipient role will be assigned.
Sort: Allows prioritization and grouping of business events.
Role: Assigned recipient role.
Entity ID: Entity associated with the business event.
Subtype: Subtype associated with the business event. (Not maintained)
Business Event Name: Description for the business event.

Business Event
Business Event S Role Entity ID Name
9.4 Maintain Activity Types (IMG: Master Data Setup)
Maintain activity types for an activity hierarchy in your organization. This enables you to group similar activity
categories under one activity type in the application.
Type Activity Type Name

9.5 Risk Data Model and Calculation
9.5.1 Maintain Impact Levels (IMG: Master Data Setup)
Maintain the impact levels used in risk analysis, as well as the benefit levels to be used in opportunity
analysis.
Imp Level Impact level Text Benefit level Text Reduction/Improvement
1 Insignificant Insignificant Very Low
2 Minor Modest Low
3 Moderate Moderate Medium
4 Major Worthwhile High
5 Catastrophic Significant Very High
9.5.2 Maintain Probability Levels (IMG: Risk and Opportunity Analysis)
Configure and maintain risk probability levels for Process Control and Risk Management.
Prob Level Description
1 Remote
2 Unlikely
3 Likely
4 Highly Likely
5 Near Certainty
9.5.3 Maintain speed of onset (IMG: Risk and Opportunity Analysis)
The speed of onset refers to the time horizon in which you expect the risk to occur. In this way, you can
specify values for the periods in which action is required to respond to a risk.
Speed of Description
Onset
1 Long (12 months +)
2 Medium (3-12 months)
3 Short (less than 3 months)

9.5.4 Maintain Probability Level Matrix (IMG: Risk and Opportunity Analysis)
Configure and maintain risk probability levels for Process Control and Risk Management.
Prob Value From Prob Level
1 1
30 2
50 3
70 4
90 5
9.5.5 Maintain Risk and Opportunity Level Colour (IMG: Risk and Opportunity Analysis)
Maintain risk and opportunity levels, together with the colors for the various risk or opportunity levels. These
are used in the front-end application when working with risk scenarios or carrying out a risk analysis.
Level Description Position Risk Level Color Opportunity Level Color
H High 1 Red Red
L Low 3 Green Green
M Medium 2 Yellow Yellow
9.5.6 Maintain Risk and Opportunity Level Matrix (IMG: Risk and Opportunity Analysis)
A risk level refers to the level of severity for a risk and corresponds to a defined risk level value. The
combination of impact level x probability level should correspond to the defined risk level.
Probability Impact Level Level
9.5.7 Maintain Risk and Opportunity Priorities (IMG: Risk and Opportunity Analysis)
Maintain numerical values for risk and opportunity priorities.
Risk Priority Description

9.5.8 Maintain Risk and Opportunity Priority Matrix (IMG: Risk and Opportunity Analysis)
Specify the values for the speed of onset, the calculated risk level and the risk priorities.
Speed of Onset Level Risk Priority
9.5.9 Define Three-Point Analysis (IMG: Risk and Opportunity Analysis)
The "three points" to be defined and then analyzed are the minimum loss, the average loss, and the
maximum loss, which you define in percentage format. Usage: (Minimum + Maximum + 4(Average))/6
Date Min Loss Avg Loss Max Loss Active
21.07.2009 16,6667 66,6666 16,6667 X
9.5.10 Maintain Analysis Profile (IMG: Risk and Opportunity Analysis)
The following analysis profile options are available in this Customizing activity:
Impact Reduction: This refers to the reduction in the impact of a risk after risk response. If you do not set the
indicator, the impact reduction section does not appear on the Response tab of the RM UI.
Probability: Quantitative: In this option, the probability appears as in input field on the UI and you can enter
the probability percentage value.
Speed of Onset: Switch on the timeframe as the period of time that is available to decide on the risk
responses.
Impact Value: Mixed: In this option, both qualitative and quantitative options appear on the UI.
Profile ID Impact Probability Speed Impact Value Aggregation Active

Reduction of Method
Onset
0000000001 X Quantitative X Mixed Average X
Customized: Probability = quantitative and impact value = quantitative result
The system converts the probability percentage value into a probability level. In addition, the system
calculates the impact level on the basis of minimum, average, and maximum impact amounts, after which the
system calculates the risk level.
9.5.11 Allow free text for Benefit, Impact and Driver Categories (IMG: Risk and Opportunity
Attributes)
After a certain category was activated the field for entering the corresponding text is enabled and you can enter text
describing the object.

Category Application Active
9.5.12 Maintain Activity Types (Master Data Setup)
Maintain activity types for an activity hierarchy in this organization. This enables you to group similar activity
categories under one activity type in the application.
Type Activity Type Name
9.6 Response and Enhancement
Enhancements are not in scope.
9.6.1 Maintain Response and Enhancement purpose (Response and Enhancement Plan)
Maintain the specific purposes of responses to risks or enhancement plans for opportunities.
Response Response Purpose Text
9.6.2 Maintain Response and Enhancement Plan Effectiveness (Response and

Enhancement Plan)
Define levels for the effectiveness of responses to risks, as well as the effectiveness of the enhancement plan
for an opportunity.
Eff. Level RespEff. % Effectiveness desc.
0 50 Ineffective
1 75 Partly Effective
2 100 Effective
9.6.3 Maintain Response Plan Types (Response and Enhancement Plan)
Configure and maintain specific response types for the risks defined.
Type Description

10 Appendix
10.1 Definitions and Abbreviations
Term Description
GRC Governance, Risk and Compliance
10.2 References
<CUSTOMER> Organization Structure
…

11 Risk Categories
ID Common Risk Focus Area Country Risk Report
Financial Risks
Financial Reporting
Accounting Guidelines Financial
Financial Market Regulations Financial
Financial Misstatements Financial
Internal Compliance Financial
Treasury
Currency Financial
Liquidity Financial
Cost of Financing Financial
Investment / Debt Financial
Derivative Instruments Financial
Cash Management Financial
Controlling
Budgeting Financial
Financial Planning and Forecasting Financial
Cost Center Reporting Financial
Organization and Governance
Corporate Governance Org. & Gov.
Organizational Structure Org. & Gov.
Processes Org. & Gov.
Process Execution Org. & Gov.
Internal Controls System Org. & Gov.
Operational Risks
Intellectual Property Rights Other Operational

Procurement
Vendor Selection Other Operational
Vendor Monitoring Other Operational
Vendor Dependency Other Operational
Policy Other Operational
Infrastructure Operations
Security Governance Other Operational
Facilities and Physical Security
Planning and Construction Other Operational
Loss of Infrastructure Other Operational
Unauthorized Access Other Operational
Impairment of Personnel Other Operational
Facilities and Physical Security Other Operational
Information and IT
Confidentiality Other Operational
Availability Other Operational
Technology Other Operational
Integrity Other Operational
Information & IT Other Operational
… … …

12 Index of Tables
Table 1: Use Cases: General .............................................................................................................................6
Table 2: Use Cases: Risk Data Model ...............................................................................................................6
Table 3: Use Cases: Risk Input ...........................................................................................................................7
Table 4: Use Cases: Risk Calculation .................................................................................................................7
Table 5: Use Cases: Risk Reporting ...................................................................................................................7
Table 6: Risk Management Process RACI ..........................................................................................................8
Table 7: Risk Input Form ...................................................................................................................................11
Table 8: Probability and Impact Level ...............................................................................................................12
Table 9: Risk Calculation Term .........................................................................................................................12
Table 10: Risk Level Matrix ...............................................................................................................................12
Table 11: Risk Priority Matrix.............................................................................................................................13

Template SAP Risk Management 3.0 Business BluePrint - 1.0 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Template SAP Risk Management 3.0 Business BluePrint - 1.0 PDF

Uploaded by

Copyright:

Available Formats

SAP BusinessObjects Risk Management 3.

Template Business Blueprint

Date Name Alteration Reason Version

24.08.9999 XXX Template Finalized 1.0

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 2/29

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 3/29

8.3 Application Roles 19

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 4/29

1.1 Project Objectives

The Proof-of-Concept should ensure the achievement of the following objectives:

1.2 Technical Environment

1.2.1 System requirements

Solution Validation Landscape: Components Requirements (minimal)

Productive Landscape Hardware Requirements (minimal)

Application Risk Management 3.0**

Processor Two single core processors or one dual core processor

RAM 4 GB (minimum), 8 GB (recommended)

HD 100 GB minimum, swap space 2*RAM, 1.2 GB temporary space

1.2.2 System Landscape

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 5/29

2.1 Use Cases: General

GEN01 Portal Integration Integration of the Risk Management solution in a SAP

Table 1: Use Cases: General

2.2 Use Cases: Risk Data Model

MDL01 Qualitative/Quantitative Risks are managed in qualitative as well as quantitative way.

MDL02 Org.-Units Recording of risks in connection with the relevant Org.-Unit.

Table 2: Use Cases: Risk Data Model

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 6/29

2.3 Use Cases: Risk Input

Table 3: Use Cases: Risk Input

2.4 Use Cases: Risk Calculation

Table 4: Use Cases: Risk Calculation

2.5 Use Cases: Risk Reporting

Table 5: Use Cases: Risk Reporting

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 7/29

The output of process 1 is …

3.2 Risk Management Process

Risk Risk Risk Response Assessment Accountable

Table 6: Risk Management Process RACI

3.2.1 Risk Planning

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 8/29

3.2.2 Risk Identification

3.2.3 Risk Analysis

3.2.4 Risk Response

3.2.5 Risk Monitoring

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 9/29

The Org-Structure will be implemented using the following hierarchy:

<CUSTOMER> - Chief Executive Officer (CEO)

4.1 Risk Management Organization

4.2 Activity Management

The Activity Management Process contains five main steps:

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 10/29

5 Risk Data Model

5.1 Risk Input Form Mapping

Used Term Description Mapping to SAP BO RM 3.0

Title Short name of a risk. Name

Indicator Root cause leads to the situation a risk is actually Driver

Consequence The consequence describes the negative impact(s) of Impact

P% The likelihood that risk will occur in %. Probability

IBR Impact Before Response: The qualitative impact Impact Level

Time The period when action is required to respond to a Speed of Onset

Table 7: Risk Input Form

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc page 11/29