© 2019 SAP SE or an SAP affiliate company. All rights reserved.

PUBLIC
2019-09-05

SAP Risk Management 12.0 SP03


Content

1 SAP Risk Management

2 Introduction to SAP Risk Management

3 What's New in SAP Risk Management 12.0 SP03

4 What's New History
4.1 What's New in SAP Risk Management 12.0 SP02
4.2 What's New in SAP Risk Management 12.0 SP01
4.3 What's New in SAP Risk Management 12.0 SP00
4.4 What's New in SAP Risk Management 10.1

5 Integration
5.1 Integration with Process Control
Reusing the PC Central Process Hierarchy in RM
Risk Harmonization
5.2 Integration with Audit Management
5.3 Integration of KRIs with SAP S/4HANA Cloud

6 Key Concepts
6.1 Risk Management Process
6.2 Levels of Authorization
Standard Roles and Authorization Objects
Risk Management Application Roles
6.3 Workflows
Agent Determination
6.4 Analysis Automation: Integration with EH&S
6.5 Customer-Defined Fields
Adding Customer-Defined Fields
6.6 Risk-Related Terminology
6.7 Operational Data Provisioning in RM
Authorization
CDF Support in ODP
Search and Analytics Models

7 Work Centers
7.1 My Home
Work Inbox
Ad Hoc Tasks

My Objects
Embedded Search
My Delegation
Additional User Experience Features
7.2 Master Data
Organizations
Regulations and Policies
Objectives
Activities and Processes
Risks and Responses
Forecasting Horizons
Risk Consistency Reports
Reports (Master Data)
7.3 Rule Setup
Continuous Monitoring
Key Risk Indicators
7.4 Assessments
Surveys
Risk Assessments
Incident Management
Scenario Management
Assessment Planning
Risk Control Self Assessments
Reports (Assessments)
7.5 Access Management
GRC Role Assignments
7.6 Reports and Analytics
Management
Compliance
Access Management Reports Overview
Incidents and Losses
Risks and Opportunities Reports
Working with Print Reports

8 Operational Risk Management for Banking
8.1 Master Data
Mapping Master and Dependent Organization Views
Mapping Master and Dependent Risk Category Hierarchies
8.2 Assessments
Loss Event Assessments
8.3 Reports and Analytics
Loss Event Reports

9 Archiving in SAP Risk Management

1 SAP Risk Management

Product Information

Product: SAP Risk Management
Release: 12.0 SP03
Based on: SAP NetWeaver 7.52
Documentation published: January 2019

Use

SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal
requirements and recommended by best practice management frameworks.

Recommendation

If you have also licensed the SAP Process Control component, see the corresponding documentation at
https://help.sap.com/pc

2 Introduction to SAP Risk Management

SAP Risk Management allows you to identify and assess risks and opportunities, determine a response
strategy, and monitor progress. With SAP Risk Management, you can do the following:

● Identify enterprise risks and align them with business processes that create value
● Assess and analyze risks in terms of likelihood and magnitude of impact
● Track risk management effectiveness with embedded reports and analytics
● Continuously monitor risks using SAP HANA-based key risk indicators (KRIs)

Implementation Considerations

Customizing for SAP Risk Management enables you to carry out the necessary configuration activities and
describes the administrative functions necessary to run the application.

Note

For the graphical representation of activities and scenarios, you must install the latest version of Java
Runtime Environment (JRE version 7 or higher is recommended) on your front-end system. For more
information, see http://www.java.com.

Key Features

SAP Risk Management offers the following functional capabilities:

● Risk strategy and planning
Define risk-relevant business activities, set up your organizational risk hierarchy, and assign risk appetite,
risk owners, and responsibilities. Develop risk libraries to structure and report on risk assessment results –
and define your KRI framework to automate risk monitoring.
● Risk identification
Document the potential root causes and consequences of risks – and identify the relationship between risks
and events. Capabilities include: defining survey questions, documenting activities, proposing risks, and
documenting risks and opportunities.
● Risk analysis
Run quantitative and qualitative risk analysis to determine the likelihood of occurrence and the potential
impact of identified risks. Capabilities include: conducting assessments, building risk scenarios, scenario
analysis, performing Monte Carlo simulations, risk response, and documenting responses and
enhancement plans.
● Risk monitoring
Analyze and report on your company’s risk situation. Capabilities include: documenting incidents and
losses for risk events.

SAP Risk Management includes enterprise risk content and tools for industry-specific operational risk
management, such as the following:

● Graphical View
Supports the creation and analysis of risks using a graphical view.
● Data Monitoring
Monitor application data from internal and external systems in real time.
● Workflow
Use workflow to automate processes.
● Starter kits
Controls starter kit: Library of standard business controls, basic regulations, and direct entity-level
controls.
ERM starter kit: Library of enterprise risks, risk drivers, and impacts.
● Automated monitoring
CCM library: Automated continuous controls monitoring.
KRI library: KRIs organized by risk drivers, risk categories, and industries.

SAP Risk Management uses the various work centers of the GRC, in which you can carry out all SAP Risk
Management activities. For more information about SAP Risk Management activities, see the following work
center topics:

Note

SAP Risk Management functions may be executed in the SAP NetWeaver Business Client (NWBC), or from
the SAP Fiori launchpad. For information about using NWBC, see
https://help.sap.com/viewer/product/SAP_NETWEAVER_AS_ABAP_752/7.52.2/en-US and
https://help.sap.com/viewer/53a5091ea9e945839b860232b7796747/1709%20001/en-US/a50e38fc-c66a-479e-b5ab-b60cd41ea1cc.html.

● My Home [page 322]
● Master Data [page 341]
● Rule Setup [page 382]
● Assessments [page 405]
● Access Management [page 520]
● Reports and Analytics [page 527]

3 What's New in SAP Risk Management 12.0 SP03

Technical Data

Product Version: 12.0 support package 03
Area: SAP Risk Management
Country Relevance: Valid for all countries

New and Enhanced Features

Ability to add attachments and links to ad-hoc incidents

It is now possible to upload attachments and add links to an incident created via Ad Hoc Tasks > Incidents.

Scoring capability added to Manage Risk Assessment (Fiori)

You are now able to use the scoring method in the Fiori app Manage Risk Assessment for risk analysis.

Tooltip that shows organization structure

When creating a plan in the Planner, users are able to see a tooltip for each selected organizational unit that
shows its superior organization units structured as a hierarchy during the step Select Object(s). With this new
feature, it is easy to identify to which specific organization unit the plan refers when there are two or more
organization units with the same name.

Enhancements for Risk Proposal

● Secondary Organization Unit
Users can now enter a secondary organization unit for a risk proposal.
● Impact and response
When proposing a risk, you can add a qualitative impact analysis and propose a response to the risk.
● Risk proposal ID
When checking a proposed risk in Risk Assessments > Proposed Risks and Opportunities, users can
see the ID of this proposed risk, making it easier to trace back to its original proposal.

To enable the features above, see Proposing a Risk [page 325].

Enhanced "Save Variants" functionality for reporting
SAP Risk Management provides powerful reporting capability. Now you can save not only your frequently used
field selections but also personalization settings to reuse for your reports, instead of manually repeating the
configuration each time you create a report.

● Save as Selection variants
Selections in the fields under the Selection section, such as Year and Organization, can be saved as a
Selection variant.
● Save as Layout personalization variants
Report settings configured via the Personalize button can be saved as a Layout personalization variant.
● Save as selection and layout personalization variants
If you want to save your field selections and personalization settings as a whole, save them as a Selection
and Layout personalization variant.
● Global variants
If you save a variant as a global variant, it can be used across all report types.

Manually enable or disable response-related workflows

You can decide which response-related workflows are needed and which are not, and manually enable or disable
the workflows. For more information, see Workflows for Responses [page 469].

More Information

For more information, see the application help for SAP Risk Management at http://help.sap.com/rm.

4 What's New History

Related Information

What's New in SAP Risk Management 10.1 [page 12]
What's New in SAP Risk Management 12.0 SP00 [page 11]
What's New in SAP Risk Management 12.0 SP01 [page 11]

4.1 What's New in SAP Risk Management 12.0 SP02

Technical Data

Product Version: 12.0 support package 02
Area: SAP Risk Management
Country Relevance: Valid for all countries

New Features

● The “Risk Trend” field is included in the Heatmap report (valid for the Web Dynpro version only).
● It's possible to see the details of a KRI instance when inputting the KRI value manually via a work item in the
Work Inbox.

More Information

For more information, see the application help for SAP Risk Management at http://help.sap.com/rm.

4.2 What's New in SAP Risk Management 12.0 SP01

Technical Data

Product Version: 12.0 support package 01
Area: SAP Risk Management
Country Relevance: Valid for all countries

New Features

● Underlying risk deep copy
When copying a risk to multiple organizations, it is now possible to copy all underlying risks to either the
target organizations or the source organizations, rather than just creating references to the source
underlying risks.
● Delegation harmonization between SAP Process Control, SAP Risk Management, and SAP Access Control
Customers who have licensed SAP Access Control 12.0 SP01 along with SAP Process Control 12.0 SP01
and/or SAP Risk Management 12.0 SP01 now have greater flexibility when delegating tasks.

More Information

For more information, see the application help for SAP Risk Management at http://help.sap.com/rm.

4.3 What's New in SAP Risk Management 12.0 SP00

Technical Data

Product Version: 12.0
Area: SAP Risk Management
Country Relevance: Valid for all countries

New Features

● Automatic Risk Aggregation
The automatic aggregation of risk analyses can now be enabled, in which case the system calculates an
aggregated risk analysis from multiple input risks. Any change in one of the input risks automatically
updates this calculation. In this way, you can set up a hierarchy of risks, where the higher risks are
automatically synchronized with changes happening on the lower levels.
● Configurable Fiori Launchpad
The Fiori Launchpad offers users fast access to the apps linked to their role, along with options to
personalize and organize the launchpad depending on their requirements and the system setup.
What the user sees on the launchpad depends on their role. Default user roles are delivered, and you can
also configure new roles as required to enable users to open whichever apps and functions they need
directly from the launchpad.
For information on launchpad configuration and user roles, see Security Guide: SAP Risk Management
12.0 Business Catalog Roles for the SAP Fiori Launchpad at https://help.sap.com/rm.
For general information on the SAP Fiori Launchpad, see SAP Fiori Launchpad.
● Fresh UI look and feel
Updated UI theme provides an enhanced user experience.

More Information

For more information, see the application help for SAP Risk Management at http://help.sap.com/rm.

4.4 What's New in SAP Risk Management 10.1

Technical Data

Product Version: SAP Risk Management 10.1
Area: GRC-RM SAP Risk Management
Country Relevance: Valid for all countries

SAP Risk Management 10.1 has been greatly expanded to include the following new and enhanced features:

● Adapted to meet the ISO 31000 standards - To comply with the ISO 31000 standards, a terminology
editing tool is provided to extend the current terminology customizing with the capability to edit
terminologies, and to upload and download terminologies in an Excel file. A new customizing option is also
provided to hide the Residual (Planned) analysis type, which is not required by ISO 31000.
● Enhanced User Experience with Entry Page and Side Panel - Side Panels can be used to display
additional information about an application. A Side Panel for risk is provided to show the related control
information. A new Entry Page for the risk manager is also provided, which is generally a mashup combining
various relevant information. The Side Panel and Entry Page can be configured or personalized by the
customer using pre-delivered or self-developed CHIPs.
● Embedded Search for Business Entities and Documents – By leveraging the capability of SAP NetWeaver
Embedded Search, you can now use a unified, comprehensive, and real-time search function to search for
data and information.
● Operational Data Provisioning Enablement - Operational Data Provisioning provides a metadata layer
that allows a set of semantically connected DataSources to act as an InfoProvider. In this metadata layer a
DataSource can be enhanced by analytical properties to generate an Operational Data Provider (ODP).
When implemented, the interfaces enable access to data for analytics purposes as well as for mass
data replication.
● Ad-hoc Escalation - The ad-hoc risk escalation process allows you to escalate a risk to a dedicated
awareness and reporting process when the risk exceeds a pre-defined threshold within the company.
● HANA-Based KRI - A HANA Calculation View can now also be used as a KRI script if a HANA connection is
available on the GRC system. By using HANA-based KRIs, we bring more value to the customer’s HANA
investments. The connectivity with HANA opens up rich data availability. With data stored in HANA and
available to the KRI runtime, you will be able to calculate KRIs with cross-system transaction data and with
great performance despite potentially large data volumes. We will also enable customers to reuse their
HANA analytics investments in time and content.
● KRI driven analysis - With the KRI driven analysis, probability and impact can be calculated automatically
by the KRI runtime, by linking a number-type KRI instance to probability and a currency-type KRI instance to
impact.
● Context Sensitive Help – You can directly access the help topics for the process that you are executing
through the Help Center by clicking on the application screen or pressing F1.

More Information

For more information, see the application help for SAP Risk Management at http://help.sap.com/rm.

5 Integration

Important Integration Information

The processes and user interfaces of the following applications are closely linked, as they have interconnected
features:

● SAP Access Control
● SAP Process Control
● SAP Risk Management

You can access the features and documentation of one or several of these products only after licensing and
installing the relevant products.

SAP Access Control 12.0, SAP NetWeaver 7.52 Support Package Stack 00

SAP Process Control 12.0, SAP NetWeaver 7.52 Support Package Stack 00

SAP Risk Management 12.0, SAP NetWeaver 7.52 Support Package Stack 00

The integration topics describe the integration scenarios that leverage 12.0 features across multiple
applications.

For more information, see the relevant integration topics.

Related Information

Integration with Process Control [page 14]
Integration with Audit Management [page 23]

5.1 Integration with Process Control

Use

Provided your company has licensed both the SAP Risk Management (RM) and SAP Process Control (PC)
applications, you can use a number of integrated functions as described below.

Features

Among other things, risk templates are common to both SAP Process Control and SAP Risk Management.
They can be defined and assigned from both applications.

Match-up of risk templates used in both Risk Management and Process Control

Common Menu Areas

The areas shared by both applications are:

● GRC Role Assignments [page 521]
● (in the application help of SAP Process Control)
● (in the application help of SAP Process Control)
● Planner – See Risk Management Planner [page 499] and (in the application help of SAP Process Control)

Other Functions Common to SAP Risk Management and SAP Process Control

Beyond the functions described above, the following are common areas for both SAP Risk Management and
SAP Process Control:

● The use of a central PC process hierarchy as part of an SAP Risk Management activity hierarchy. The PC
processes are structured into subprocesses; for each subprocess, controls are defined. Risks can be
defined for controls, and these controls can then mitigate the risks specified for them. For more
information, see Reuse of PC Central Process Hierarchy in RM [page 16] and (in the application help of
SAP Process Control).
● The reuse of existing PC subprocesses as SAP Risk Management activities. For more information, see
Reuse of PC Central Process Hierarchy in RM [page 16].
● The monitoring of PC assessment results: This conversion of traffic-light PC ratings to detailed RM
percentages enables you to automatically monitor the Process Control effectiveness and assessment
results. They are mapped directly to Risk Management response effectiveness and completeness values in
percentage form. For more information, see Monitoring Control Effectiveness and Assessment Results
[page 467].
● For control proposals, which are converted to controls, you can do the following:
○ You can create a control proposal as a risk response in SAP Risk Management.
○ If you are using SAP Process Control, the process control application can implement the defined
control, which is converted from the control proposal.
For more information, see Using PC Controls [page 466].

Note

For more information about creating risks, see Risks and Opportunities [page 416].

● With risk harmonization activated, you can more closely integrate risks and subprocesses across SAP Risk
Management and SAP Process Control. For more information, see Risk Harmonization [page 18].

More Information

For more information about SAP Process Control, see https://help.sap.com/pc.

5.1.1 Reusing the PC Central Process Hierarchy in RM

Use

Provided you have licensed both the SAP Risk Management (RM) and the SAP Process Control (PC)
applications, you can use the central PC subprocesses as activity categories in SAP Risk Management.
Furthermore, you can use the local PC subprocesses as local activities in RM.

In this way, a defined RM activity category can later be used to assign (local) activities to it. Otherwise no direct
assignment of a (local) activity to the activity category is possible.

This enables you to structure your risk assessment and risk reporting processes, with the option of using the
activity hierarchy (containing the assigned categories) primarily as a reporting or an assessment structure, or
both.

Note

You can enable a closer integration with SAP Process Control by activating the risk harmonization feature.
For more information, see Risk Harmonization [page 18].

Prerequisites

With both applications (SAP Process Control and SAP Risk Management) installed and running, the following
procedure must be carried out before you can display and use the PC process hierarchy in the SAP Risk
Management application in the activities screen:

Go to transaction GRFN_STR_CHANGE and make an entry corresponding to the one you have maintained in the
above maintenance view. Note that this transaction corresponds to the Customizing activity of SAP Process
Control called Set up Structure: Expert Mode and is documented there also. See the procedure below for the
exact steps.

Procedure

Note

When you access the RM activity overview screen, there are different processing modes, depending on your
authorization:

● If you have SAP Risk Management authorization, the activities are available and can be edited.
● With the same authorization, however, the PC subprocesses only open in display mode. You need PC
authorization to change subprocesses. However, you can attach a risk to a subprocess and submit it.

To use the SAP Process Control central processes in SAP Risk Management:

1. Access the Master Data work center and click the Activity Hierarchy link under Activities and Processes.
2. The activity hierarchy overview screen opens. Select an activity category and make note of it.
3. Access transaction GRFN_STR_CHANGE in the back-end system and go to the section on activity
categories.
4. Below the activity category item, select Search Term to find the activity category that you are working with
in the application. The result list is displayed at the bottom left of the screen.
5. Select the activity category at the bottom left to see the data for it on the right-hand screen sections.
6. On the tab Activity Category Attributes (bottom section), access the Prefix field and select the Prefix ID
called PROCESS.
7. Save your entry.
8. The SAP Risk Management application now displays the SAP Process Control hierarchy, containing its
processes and subprocesses, in the lower section of the activities screen.

Note

You may need to scroll in the Activity list to display the subprocesses in the list.

5.1.2 Risk Harmonization

Use

Note

Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.

Risk harmonization allows both SAP Risk Management and SAP Process Control users to share a more unified
risk repository. The interchange of risk and control information between the two applications
facilitates a top-down, risk-based internal control approach in which risks in processes can now be
automatically identified and responses can be automatically provided.

If risk harmonization is not enabled, SAP Process Control (PC) and SAP Risk Management (RM) use separate
risk information objects and they are not fully integrated with each other. PC and RM share the same risk
catalogs and risk templates, but without risk harmonization the risks and risk assessment results from RM
cannot be used by PC users, nor can they be used to display harmonized risk and control information. In such a
case you can only link an RM risk to a PC subprocess through an RM activity.

The risk harmonization feature allows direct relationships to be established between RM risks and PC
subprocesses and controls. It also allows PC users to use RM risk assessment results and to display the
harmonized data in the frequently used reports.

With the risk harmonization feature activated, SAP Process Control users can add SAP Risk Management risks
to local SAP Process Control subprocesses. Subsequently, any controls added to these risks are automatically
recognized on the SAP Risk Management side as responses to the risks.

Related Information

Activating and Customizing Risk Harmonization [page 18]


Assigning RM Risks to Local PC Subprocesses [page 20]
Assigning PC Controls to RM Risks as Responses [page 21]
Assigning RM Risks to PC Controls [page 22]
Risk-Based Scoping [page 22]

5.1.2.1 Activating and Customizing Risk Harmonization

Note

Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.

Activating Risk Harmonization

You can activate risk harmonization in Customizing for Governance, Risk and Compliance under Shared
Master Data Settings > Activate the Risk Harmonization Feature.

Customizing Risk Harmonization

You maintain the mapping relationships between risk levels and risk scores in Customizing for Governance, Risk
and Compliance under Process Control > Scoping > Maintain Risk Score and Risk Level Mapping.

You choose which SAP Risk Management risk analysis type you want to use in SAP Process Control in
Customizing for Governance, Risk and Compliance under Process Control > Scoping > Maintain Risk Analysis
Type.

Email Notifications
You can define the recipient of email notifications for different business events in Customizing for Governance,
Risk and Compliance under General Settings > Workflow > Maintain Custom Agent Determination Rules.

You use the following agent slots to define which roles receive e-mail notifications:

| Agent Slot | Description |
| --- | --- |
| 0RM_NOTIF_RESP_OWNER_CONTROL | Notify control owner on assigning and removing control from risk. |
| 0RM_NOTIF_RESP_OWNER_RISK | Notify risk owner on assigning and removing control from risk. |

Additional Authorization Settings

To allow the SAP Process Control internal control manager to create and remove a PC control as an
activity or response under an RM risk, add the following authorization settings to the relevant
roles:

| Authorization Object | Field | Value |
| --- | --- | --- |
| GRFN_API | ACTVT | 01 Create or generate |
| | | 02 Change |
| | | 03 Display |
| | | 06 Delete |
| | GRC_DATAPT | * |
| | GRC_ENTITY | ACTIVITY |
| | | RESPONSE |
| | GRC_SUBTYP | * |
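The following added example (not SAP code and not part of the original guide) checks a role against the GRFN_API values listed above. It assumes that all four activities are needed for both entities and that an authorization check is satisfied only when a single authorization instance covers every field, so values spread over several instances do not add up; the role data, its tuple format, and the names ROLE_OK and ROLE_SPLIT are constructed for illustration, and value ranges are not modeled.

```python
from itertools import product

AUTH_OBJECT = "GRFN_API"

# Field values required by the table above (assumption: every activity is
# needed for both ACTIVITY and RESPONSE entities).
REQUIRED = {
    "ACTVT": ["01", "02", "03", "06"],  # create, change, display, delete
    "GRC_DATAPT": ["*"],
    "GRC_ENTITY": ["ACTIVITY", "RESPONSE"],
    "GRC_SUBTYP": ["*"],
}


def field_covers(granted, needed):
    """A field grants `needed` if it lists it or holds the full wildcard '*'."""
    return "*" in granted or needed in granted


def missing_combinations(authorizations):
    """Return the required combinations that no single authorization covers.

    `authorizations` is a list of (object, {field: set_of_values}) pairs,
    one pair per authorization instance in the role (constructed format).
    """
    instances = [flds for obj, flds in authorizations if obj == AUTH_OBJECT]
    names = list(REQUIRED)
    missing = []
    for combo in product(*(REQUIRED[n] for n in names)):
        covered = any(
            all(field_covers(inst.get(n, set()), v) for n, v in zip(names, combo))
            for inst in instances
        )
        if not covered:
            missing.append(dict(zip(names, combo)))
    return missing


def flattened_looks_complete(authorizations):
    """Naive check that merges values across instances; shown for contrast."""
    union = {}
    for obj, flds in authorizations:
        if obj == AUTH_OBJECT:
            for name, values in flds.items():
                union.setdefault(name, set()).update(values)
    return all(
        field_covers(union.get(n, set()), v)
        for n, values in REQUIRED.items()
        for v in values
    )


# Constructed sample: one authorization carrying everything the table lists.
ROLE_OK = [
    (AUTH_OBJECT, {
        "ACTVT": {"01", "02", "03", "06"},
        "GRC_DATAPT": {"*"},
        "GRC_ENTITY": {"ACTIVITY", "RESPONSE"},
        "GRC_SUBTYP": {"*"},
    }),
]

# Constructed sample: the same values split over two authorizations, so
# RESPONSE is only ever combined with display (03).
ROLE_SPLIT = [
    (AUTH_OBJECT, {
        "ACTVT": {"01", "02", "03", "06"},
        "GRC_DATAPT": {"*"},
        "GRC_ENTITY": {"ACTIVITY"},
        "GRC_SUBTYP": {"*"},
    }),
    (AUTH_OBJECT, {
        "ACTVT": {"03"},
        "GRC_DATAPT": {"*"},
        "GRC_ENTITY": {"RESPONSE"},
        "GRC_SUBTYP": {"*"},
    }),
]

if __name__ == "__main__":
    for label, role in (("ROLE_OK", ROLE_OK), ("ROLE_SPLIT", ROLE_SPLIT)):
        gaps = missing_combinations(role)
        print(label, "flattened ok:", flattened_looks_complete(role),
              "missing:", [(g["ACTVT"], g["GRC_ENTITY"]) for g in gaps])
```

A role that passes the flattened comparison but fails the per-instance one would let the internal control manager display responses but not create or remove them.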

5.1.2.2 Assigning RM Risks to Local PC Subprocesses

Context

Note

Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.

With the risk harmonization feature activated, SAP Process Control users can add SAP Risk Management risks
to local SAP Process Control subprocesses. Subsequently, any controls added to these risks are automatically
recognized on the SAP Risk Management side as responses to the risks.

Procedure

1. To allow risks to be assigned to a local subprocess in PC, you need to select the Allow Local Change option
when you assign a central subprocess to the organization.
2. In SAP Risk Management, create a risk, and in the Organization Unit field, choose the same organization
under whose subprocess you want to assign this risk.
3. In SAP Process Control, assign the risk to a local subprocess. Note that all risks from SAP Risk
Management have the source Inherent to Organization.

Related Information

Risk Harmonization [page 18]


Assigning PC Controls to RM Risks as Responses [page 21]
Assigning RM Risks to PC Controls [page 22]

5.1.2.3 Assigning PC Controls to RM Risks as Responses

Context

Note

Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.

With risk harmonization, SAP Risk Management is able to automatically identify SAP Process Control controls
as responses to SAP Risk Management risks. The control-risk relationship works as follows:

● When a PC control is assigned to an RM risk as a response, the risk is automatically added to the control on
PC side.
● When an RM risk is assigned to a PC control, the control is automatically added to the risk as a response.

Note

You must first assign these risks to the local subprocess under which the local controls are located. Only
then are you able to add the risks to the controls.

Procedure

1. In SAP Risk Management, open a risk and assign an SAP Process Control control to the risk as a response. You
can also remove an existing SAP Process Control control from the risk. Note: If you have enabled the email
notification feature for this activity, the system sends out a notification email to the relevant user when the
control is assigned to or removed from the risk as a response.
2. In SAP Process Control, open the local control. The SAP Risk Management risk is automatically added to or
removed from the control.

Related Information

Risk Harmonization [page 18]


Assigning RM Risks to PC Controls [page 22]
Assigning RM Risks to Local PC Subprocesses [page 20]

5.1.2.4 Assigning RM Risks to PC Controls

Context

Note

Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.

With risk harmonization activated, you can assign SAP Risk Management risks to SAP Process Control
controls.

Procedure

1. In SAP Process Control, open a local control and assign an SAP Risk Management risk to the control. You
can also remove an existing SAP Risk Management risk from the control. Note: If you have enabled the
email notification feature for this activity, the system sends out a notification email to the relevant user
when the risk is assigned to or removed from the local control.
2. In SAP Risk Management, open the risk. The SAP Process Control control has been automatically added to
or removed from the risk as a response.

Related Information

Risk Harmonization [page 18]


Assigning PC Controls to RM Risks as Responses [page 21]
Assigning RM Risks to Local PC Subprocesses [page 20]

5.1.2.5 Risk-Based Scoping

Note

Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.

As a result of shared risk and control information between SAP Process Control and SAP Risk Management,
the risk harmonization feature allows the use of SAP Risk Management risk assessment results in SAP Process
Control, so that the SAP Process Control user is able to perform risk-based scoping for control evaluation.

When you add an SAP Risk Management risk to an SAP Process Control local subprocess, and assign a control
to the risk, you are able to use the SAP Risk Management risk assessment result together with the control risk
assessment result to determine the test strategy for the control. To do so, proceed as follows:

1. In SAP Risk Management, create a risk.
2. Create a risk analysis for the risk.
3. In SAP Process Control, assign the risk to a local subprocess.
4. In SAP Process Control, assign a local control to the risk.
5. In the Planner, create a control risk assessment plan for the control and complete the assessment task.
6. Open the local control and, in the Level of Evidence field and the Control Risk field, select the Use System
Suggested option. The Level of Evidence value is automatically determined based on the risk analysis result
and the control risk assessment result.

5.1.2.6 Reporting

Note

Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.

With the risk harmonization feature activated, you are able to monitor the risk coverage with the following
reports:

| Report | Location |
| --- | --- |
| Risk Control Matrix | Master Data Reports |
| Risk Coverage | Master Data Reports |
| Risk Coverage with Evaluations | Assessments Reports |
| Risk Coverage with Ratings by Organization | Assessments Reports |

For example, you can use the Risk Coverage with Ratings by Organization report to monitor which risks have
been covered by controls with risk level information. You can also navigate to the SAP Risk Management risk
(with risk source Inherent to Organization) through the link, to see the details of the risk.

5.2 Integration with Audit Management

Master data can be imported from SAP Risk Management to SAP Audit Management. For more information,
see the application help of SAP Audit Management at https://help.sap.com/audit. Choose Application Help
and navigate to Master Data > Importing Master Data.

5.3 Integration of KRIs with SAP S/4HANA Cloud

To set up the integration of key risk indicators in your on-premise SAP Risk Management system with
SAP S/4HANA Cloud, you must perform the following configuration steps.

Prerequisites

Scope item Key Risk Indicator Monitoring (2U2) must be active. You can check this in the Manage Your Solution
app under View Solution Scope.

A user must exist for creating a communication system in SAP S/4HANA Cloud to access the on-premise SAP
Risk Management system. This user must have the following privileges:

● SAP_GRC_FN_BASE: Base role to run GRC applications
● SAP_GRC_FN_ALL: GRC Power User

You must have a user with sufficient authorization in Customizing for SAP Risk Management, for example, GRC
System Administrator.

Activities

Set Up Cloud Connector

To enable communication via remote call between the on-premise and cloud systems, you need to enable SAP
Cloud Platform Cloud Connector (Cloud Connector) in your SAP S/4HANA Cloud environment and create a
communication arrangement for the scenario SAP_COM_0200.

Note

When configuring the access control list for the cloud to on-premise scenario, you need to specify function
modules (resources) which can be invoked on the on-premise host. The SAP Cloud Platform Cloud
Connector uses very strict whitelists for its access control.

Use GRFN as the function module name for the communication scenario SAP_COM_0230 (Process Control
& Risk Management Integration).

For more information, go to the SAP Help Portal and search for the SAP S/4HANA Cloud product page. In the
Product Assistance, navigate to the following chapter: SAP S/4HANA Cloud > Generic Information > General
Functions for the Key User > Integration Scenarios > How to Set Up SAP Cloud Platform Cloud Connector.

SAP S/4HANA Cloud Configuration

On the SAP S/4HANA Cloud side, you must perform the following tasks:

1. Create a communication user. You can do this using the Maintain Communication Users app.

Note

To perform this step, you must have a role that contains the business catalog SAP_CORE_BC_COM
(Communication Management).

2. Create a communication system which defines the host name of the SAP Risk Management system and
handles users for both inbound and outbound communications. You can do this using the Communication
Systems app.
When creating the system, you must add the virtual host name for the SAP Risk Management system and
choose Use Cloud Connector.
In the Cloud Connector technical settings, you must enter the Instance Number and Client, which are
system connection parameters for the SAP Risk Management system.
Add the new inbound communication user that you created in step 1, and add a new outbound
communication user for communication back to the SAP Risk Management system. The outbound user is
used to log on to the SAP Risk Management system, so ensure it has sufficient authorization.
3. Create a communication arrangement, which defines all the relevant information for communication with
the SAP Risk Management system. You can do this in the Communication Arrangements app.
Create the new communication arrangement with communication scenario SAP_COM_0230, and add the
communication system you created in step 2. Define the inbound communication user as the one created
in step 1.

SAP Risk Management Configuration

On the SAP Risk Management side, you must perform the following tasks:

1. Create an RFC connector to communicate with the SAP S/4HANA Cloud system.
You can do this in Customizing for Governance, Risk and Compliance under Common Component
Settings > Integration Framework > Create Connectors.
The RFC destination of the created connector must be the system ID of the SAP S/4HANA Cloud system
and the connection type must be 3 (ABAP Connection).
You must also add the target SCC host name and instance number, and for the logon details you include
the user name you created on the SAP S/4HANA side above.
2. Define the connection types that are used when connecting to the SAP S/4HANA Cloud system.
You can do this in Customizing for Governance, Risk and Compliance under Common Component
Settings > Integration Framework > Maintain Connectors and Connection Types.
For the new connector, define the following:
○ Target connector: Provide the RFC destination created in step 1.
○ Connection type: SAPTABLES4
○ Source connector: Provide the RFC destination of the current client of the SAP Risk Management
system.
○ Logical port: Again, provide the RFC destination of the current client of the SAP Risk Management
system.
3. Maintain scripts to be used when reading tables in the SAP system.
You can do this in Customizing for Governance, Risk and Compliance under Risk Management > Key Risk
Indicators > Connectivity > Maintain Scripts for SAP Table.
Create a new entry with the following details:
○ Script: The ID of the script for reading the table of the SAP system
○ Script Name: The name of the script
○ Table Name: The name of the SAP system table to be read

4. Maintain the whitelist to indicate the tables that the SAP S/4HANA Cloud system is allowed to read.
You can do this in Customizing for Governance, Risk and Compliance under Common Component
Settings > Continuous Monitoring > Maintain Whitelist for S/4HANA Integration.
Create new entries with the tables that you want to whitelist in SAP S/4HANA Cloud.

6 Key Concepts

The key concepts explained in this documentation for Risk Management are:

● Risk Management Process [page 27]
● Levels of Authorization [page 29]
● Workflows [page 33]
● Integration with Process Control [page 14]
● Customer-Defined Fields [page 39]
● Risk-Related Terminology [page 40]
● Operational Data Provisioning in RM [page 42]
● User Experience Enhancement [page 337]

6.1 Risk Management Process

Use

The basic risk management process, as suggested by most risk management frameworks, involves the steps
described below. You can use this process to step through all risk management activities, from Customizing to
user processing, up until the reporting phase.

Prerequisites

You have made the corresponding settings in Customizing for Governance, Risk and Compliance under Risk
Management.

Process

1. Risk Planning
In the planning phase, you define and document your company's risk management framework. This allows
the implementation of risk management programs on a large scale, and enables you to streamline and
reduce duplicate efforts in the company’s different organizational units. The following steps are involved in
risk planning:
○ Initial definition and assignment of roles and responsibilities. For more information, see Risk
Management Application Roles [page 31].
○ Setup of the organizational hierarchy and organizational views to be used.

○ Definition of risk-relevant business activities (such as processes, projects, or other company assets).
○ Creation of a risk classification structure, so that you can structure and report on risk assessment
results.
○ Definition of a key risk indicator (KRI) framework to automate and reduce risk monitoring efforts.
2. Risk Identification
In this phase, you carry out the following tasks:
○ Identify and collect information on your company’s risks, such as the risk drivers, potential impacts
and the relationships between risk events.
○ Define and assign key risk indicators for the risks. For more information, see Key Risk Indicators [page
383].
○ Document the relationships between risks and create surveys for risks, activities, and risk indicators.
For more information, see .
3. Risk Analysis
In this phase, you assess risks and review historical losses in the following way:
○ Qualitatively and/or quantitatively analyze the likelihood of occurrence of company risks and the
potential impacts of the identified risks, so that you can determine the necessary responses and
investments to mitigate or control the risks. For more information, see Risk Analysis [page 423].
○ Collaborate with business stakeholders to collect risk analysis data, or create surveys or other
workflows to help in collecting and interpreting risk analysis data. This enables you to build risk
scenarios and simulations, as well as precisely determine your risk exposure. You can also group
similar risks. For more information, see:
○ Scenario Management [page 488]
○ Incident Management [page 484]

4. Risk Response
In this phase, you carry out the following tasks:
○ Document the response measures taken to manage the risks and their current status. You do this by
taking measures to actively mitigate the probability or potential impact of the risk, such as defining the
risk assessment and approval or review cycles for risks and their responses, and assigning response
ownership and actions.
○ If you have installed and possess a license for the SAP Process Control application, you can also
propose and assign internal controls from SAP Process Control. For more information, see Using PC
Controls [page 466] and, in the application help for SAP Process Control, .
For more information about responses, see Creating a Response or Enhancement Plan [page 459].
5. Risk Monitoring
In this phase, you carry out the following steps to evaluate your organization's risk exposure:
○ Analyze and report on your company's risk situation. This step includes documentation of incidents
and losses for occurred risk events, to track the effectiveness of mitigation measures such as
responses and controls. For more information about documenting incidents, see Incident Management
[page 484].
○ You can also monitor the effectiveness and completeness of the responses that were used to mitigate
your risks.
○ Furthermore, to enable the continuous monitoring of risks, in this phase you run the reports for risks
and their history, as well as for key risk indicators defined for these risks. For more information, see
Reporting and Analytics [page 535] and Dashboards (Heatmap, Overview, Top Risks, and Other) [page
529].

6.2 Levels of Authorization

Use

Risk Management uses different levels of authorization, depending on user profiles and the system used, for
the following reasons:

● The back-end system uses different roles than the SAP NetWeaver Portal. A detailed list is provided below.
● The standard SAP authorization concept does not cover the authorization needs of Risk Management, so
RM-specific application roles have been developed. This has the additional advantage that authorizations
can be differentiated according to the entity level involved. One risk manager, for example, can be
responsible for all entities (such as activities, risks, opportunities, and incidents) in one organizational unit,
and another risk manager can be responsible for the same entities in another organizational unit. Each
manager then accesses the risks for which they are responsible, and not all risks in the entire company.

Features

Before it is possible to work with Risk Management, the following kinds of roles must be accessed and
activated:

● The NetWeaver portal role is called com.sap.grc.rm.Role_All
This role enables you to configure the portal navigation structures and menu tabs. This role should be
assigned to all Risk Management users directly or via a group in the portal. The superuser must ensure
that the portal interface can be accessed with the correct level of authorization by all other users.
Subsequently, the user can access the Risk Management work centers in the portal.
● Standard or back-end roles
These roles define the authorizations in the back-end system, where, for example, Customizing is done.
This kind of role should be assigned to users with a back-end user profile. Every RM user should have the
role SAP_GRC_FN_BASE assigned, since this is the basic role used to run the Risk Management
applications. For more information and further back-end roles, see Standard Roles and Authorization
Objects [page 30].
● Application roles
For all business users, the Risk Management application roles should be assigned as well. For more
information, see Risk Management Application Roles [page 31].

Note

Standard roles are also referred to as basic roles, and application roles are also referred to as model
roles.

After the application roles have been defined, they can be assigned to different users and different entities
within the RM application, as described in Assigning Roles to Risks and Activities [page 523].

6.2.1 Standard Roles and Authorization Objects

Use

The authorization concept of SAP NetWeaver assigns authorizations to users on the basis of roles. Some
general SAP standard roles are delivered with SAP Risk Management as described below.

You can copy and adjust these default roles in Customizing under SAP NetWeaver > Application Server >
System Administration > Users and Authorizations > Maintain Authorizations and Profiles using Profile
Generator > Maintain Roles (transaction PFCG).

In the SAP Risk Management application, the power user can assign these roles to the corresponding entities.

Features

The standard roles that are delivered with the SAP Risk Management application are:

● Basic Role (SAP_GRC_FN_BASE): The basic technical role for a user who wants to use either SAP Risk
Management or SAP Process Control. This role contains all necessary authorizations to make the
necessary Customizing settings for this application. This role does not contain any authorizations for the
portal interface.

● Business User (SAP_GRC_FN_BUSINESS_USER): A user with this role is only authorized to perform
operations on assigned entities in SAP Risk Management. We recommend that a user with this role also be
assigned a portal role for SAP Risk Management in order to use the web interface of the application.

● Power User (SAP_GRC_FN_ALL): In addition to the authorizations of the business user, a power user also
has authorization for administrative functions in Customizing, such as the definition of organizational
units.

● Display User (SAP_GRC_FN_DISPLAY): A user with this role can display all risk data in the portal. This role
is useful for external auditors, for example. We recommend using this role in addition to the business user
role.

Note

For more information, see the documentation on the individual roles in transaction PFCG.

Note

If you want to access the functions of SAP Risk Management through the SAP Fiori launchpad, then the
appropriate launchpad role is required. For more information on SAP Fiori configuration, see the SAP Risk
Management 12.0 Security Guide, available at https://help.sap.com/rm.

Activities

To work with user roles, the following steps are necessary:

1. The system administrator assigns the basic role SAP_GRC_FN_BASE to all users working with the SAP Risk
Management application. This role contains the technical authorizations required to run the application.
Without this role, assigned users cannot run the application.
2. The system administrator copies the delivered power user role SAP_GRC_FN_ALL, makes any necessary
adjustments, and assigns the modified copy of the standard role to a user who then becomes a power user
for the application. Alternatively, the delivered standard role can be used directly.
3. The system administrator copies the delivered display user role SAP_GRC_FN_DISPLAY, makes any
necessary adjustments, and assigns the modified copy of the standard role to other users who become
display users for the application. Alternatively, the delivered standard role can be used directly.
4. The system administrator copies the delivered business user role SAP_GRC_FN_BUSINESS_USER, makes
any necessary adjustments, and assigns the modified copy of the standard role to other users who become
business users for the application. Alternatively, the delivered standard role can be used directly. The
business users' authorizations within the application can be defined further by the application roles.

Note

For more information about application roles, see Risk Management Application Roles [page 31].

5. The portal administrator copies the delivered roles, makes any necessary adjustments, and assigns the
modified copy of the enterprise portal roles to the end users to grant them the required access to the SAP
Risk Management application. Alternatively, the delivered standard role can be used directly.

6.2.2 Risk Management Application Roles

Definition

A large number of users – who may frequently change – perform operations related to risk management in
different functions. The roles and authorization concept ensures the required flexibility for the end user. In
addition to the general SAP standard roles that are maintained by the system administrator in transaction
PFCG, application-specific roles are also available in transaction PFCG, defining the set of operations, and
detailed authorizations for an end-user.

Note

For a list and information on the standard roles delivered with SAP Risk Management, see Standard Roles
and Authorization Objects [page 30].

Use

The application-specific roles defined in transaction PFCG refine the authorizations delivered in the Business
User role (SAP_GRC_FN_BUSINESS_USER). An application-specific role consists of operations (such as create,
edit, delete) for different entities in the application (for example, for an organizational unit or a risk). For more
information, see Assigning Roles to Risks and Activities [page 523].

Recommendation

To ensure sufficient transparency and oversight for the authorizations currently granted in this application
and for the entities stored for it, a set of predefined authorization reports is also provided. These include a
check to ensure that the segregation of duties is adhered to during the assignment of the SAP default and
application-specific roles.

Defining users, roles, and assignments to authorization objects

SAP Risk Management Sample Application Roles

The following sample application roles are available for use in the SAP Risk Management application:

SAP_GRC_RM_API_ACTIVITY_OWNER Activity owner

SAP_GRC_RM_API_CENTRAL_RM Risk template manager

SAP_GRC_RM_API_CEO_CFO CEO/CFO

SAP_GRC_RM_API_INCIDENT_EDITOR Incident editor

SAP_GRC_RM_API_INTERNAL_AUD Internal auditor

SAP_GRC_RM_API_LIAISON System administrator

SAP_GRC_RM_API_OPP_OWNER Opportunity owner

SAP_GRC_RM_API_ORG_OWNER Organizational unit owner

SAP_GRC_RM_API_RISK_MANAGER Unit risk manager

SAP_GRC_RM_API_RISK_OWNER Risk owner

Steps Involved in Role Creation

You can copy roles to your user namespace and change them, or create other roles according to your
organization's needs. For example, you can define a new validator role, or a reporting role for occasional users
who want to report a risk. For more information, see .

To assign users, proceed as follows:

1. Call transaction PFCG and copy the general SAP roles described above to your user namespace.
2. Adjust the authorizations in these roles to suit the requirements of your system.
3. Assign the adjusted roles to the appropriate users.
4. Save your entries.

Note

After users have been assigned to roles, an authorized user or system administrator needs to check that
there is a segregation of duties for SAP Risk Management. This is done via the corresponding authorization
report in the application, called Entity Authorization Analysis, and found under Reports and Analytics >
Access Management.

6.3 Workflows

Use

The SAP Risk Management application is shipped with a set of workflows that enable collaboration on risk
management activities within a company by making use of the standard SAP workflow functionality.

SAP workflows are based on the guided procedures that walk users through a risk management activity or
process. Workflow examples include the validation of risk reassessments, validation of assessment results, or
the review of a newly-documented risk in the application.

Workflows in SAP Risk Management can be classified according to whether they are:

● Event-based workflows: These are predefined end-to-end processes triggered by user actions such as
proposing a risk.
Event-based workflows are defined using business events: A business event involves the assignment of a
workflow task to a recipient, which is also known as agent determination [page 36]. For example, the risk
validation workflow is assigned to the recipient called Risk Manager.
● Planner-based workflows: These are workflows that are planned and triggered through the SAP Risk
Management Planner function, such as updating a risk or creating a risk survey.

Note

Although most workflows are based on the SAP Risk Management Planner [page 499] functions, the
workflows for proposing risks and reporting incidents are handled differently. For these, you must access
the Ad Hoc Tasks section in the My Home work center. For more information, see and Workflow for
Recording Incidents [page 329].

Prerequisites

The following workflow Customizing activities must be carried out before you can work with SAP workflows:

| Customizing Activity | Description |
| --- | --- |
| Maintain Custom Agent Determination Rules | Specifies the agent determination rules to be used for business events in Risk Management |
| Perform Automatic Workflow Customizing | Assigns customer notification messages to workflow recipients |
| Perform Task-Specific Customizing | Makes the settings required to adapt SAP workflows to SAP Risk Management |

Features

A workflow is triggered when you schedule a reassessment or validation and includes the following steps:

1. The workflow goes to all recipients that were defined for it, and appears as a task in the recipients' worklist
in the Work Inbox [page 323].
2. The recipients complete the workflow item by accessing the corresponding application to process the data.

The SAP Risk Management application contains the following workflows, carried out using the Planner:

| Workflow name | Description |
| --- | --- |
| Activity validation | Allows a planner (for example, a risk manager) to obtain sign-off and confirmation for the current risk situation for an activity (such as a process, project, or company asset). For information, see Activity Validation [page 479]. |
| Risk validation | Enables the risk manager to obtain sign-off and confirmation for the current risk (including the assigned responses). For information, see Risk Validation Workflow [page 421]. |
| Opportunity validation | Enables the risk manager to obtain sign-off and confirmation for the current opportunity (including analysis and assigned enhancement plans). |
| Risk assessment | Supports risk managers by providing an update for risks in their areas of responsibility by sending out risk assessment work items. For more information, see Workflow for Collaborative Risk Assessments [page 442]. |
| Opportunity assessment | Supports the risk manager by providing an update for opportunities by sending out an opportunity assessment work item. |
| Response update | Enables risk managers and risk owners to keep track of current risk responses by sending work items to the validator's work inbox. For more information, see Working with Response Workflows [page 469]. |

Furthermore, there are the following event-based workflows:

| Workflow name | Description | Trigger |
|---|---|---|
| Risk proposal | Ensures that users review a (potential) risk entered through the Propose Risk function and rework it if needed before it is stored in the risk database. | Risk proposed. For information, see Proposing a Risk [page 325]. |
| Incident validation | Ensures that users check a reported incident for completeness and accuracy before it is stored in the incident database. | Incident posted. For information, see Working with Incidents [page 485]. |
| KRI implementation request | Ensures the proper configuration and system setup for Key Risk Indicator (KRI)-related data, which should be available for risk monitoring. | KRI implementation request. For information, see Workflow for KRI Implementation Request [page 394]. |
| KRI localization request | Optional adjustment of an assigned KRI with respect to risk-specific settings. | KRI localization request. For information, see Workflow for KRI Instance Localization Request [page 395]. |
| Propose control (for users of both SAP Risk Management and SAP Process Control) | Allows users (for example, risk managers) to propose a control to mitigate a risk. If you have installed and possess a license for SAP Process Control, the proposed control becomes part of the regular monitoring activities in SAP Process Control. | Risk mitigation using controls. For information, see Using PC Controls [page 466] and Sample Workflow: Control Proposal Notification [page 468]. |

6.3.1 Agent Determination

Use

Agent determination is the system process that assigns users to workflows. The entity-based authorization
concept in SAP Risk Management is used for agent determination in workflow processing or for surveys. For
each usage of agent determination, a business event is determined. A business event is a placeholder for
recipient determination in workflow-driven scenarios or surveys, and the workflow processor or survey
recipient is considered the agent.

For agent determination, the implementation team maps the SAP Risk Management roles to the business
events in Customizing. The assignment of business events to SAP Risk Management roles in Customizing is
optional. If no Customizing has been defined here, the default system behavior is applied.

When the workflow or survey requires the agent, it triggers the agent determination rule with the
corresponding business event and object ID.

Features

Besides using the SAP-delivered rules and workflows, you can also create your own rules. The customer-
specific rules override the delivered default rules.

More Information

See Workflows [page 33].

6.4 Analysis Automation: Integration with EH&S

Use

Some enterprise risks are related to environmental and worker safety. SAP has a separate solution,
Environment, Health and Safety Management (EH&S), where such risks can be processed by the solution-
specific mechanisms absent in operational risk management. Integrating EH&S using analysis automation
allows you to track all enterprise risks using one application (Risk Management).

Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their
probability and severity values, and copying those values to the corresponding analysis parameters according
to rules predefined in Customizing.

Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk
analysis. EH&S risk assessments are intended to be processed by an EH&S manager or other responsible user.
Risk managers can use a specific report that runs in the background to track the current probability and impact
levels of the EH&S-related risks that they create (see prerequisite number 9 below).

Prerequisites

Before using analysis automation (integration with EH&S), ensure that the following conditions have been met:

1. The remote system (EH&S) is known, and the logical system has been created for it (transaction SM30,
record in view V_TBDLS).
2. The user is authorized to create risk assessments in the EH&S remote system, and the user's logon
credentials are known.
3. Log object GRRM and log sub-object ANLS_AUTOMATION have been created (transaction SLG0).
4. The RFC destination for the EH&S remote system has been created.
5. RM and EH&S probability and severity level values have been mapped in Customizing under
Risk Management > Risk and Opportunity Analysis > Map Probability and Severity Values from EH&S and RM.
6. Context dimensions have been created for the EH&S agent, EH&S work area, and material in Customizing
under Risk Management > Risk and Opportunity Analysis > Map Probability and Severity Values from
EH&S and RM. Use dimension types EHSAGENT, EHSWA, and MATERIAL within the logical system
mentioned in step 1 and the RFC destination created in step 4.
7. Context dimensions have been assigned to a risk and risk category entity in Customizing under
Risk Management > Master Data Setup > Assign Dimension to Entity. Assign the dimensions created in step 6
to the entities RISK and CRGROUP.
8. Context dimensions have been set as allowed for the risk category you will use when creating a risk. In the
Risk Management application, go to Master Data > Risks and Responses > Risk Catalog. Open the
desired risk category, go to tab Allowed dimensions, and add the dimensions created in step 6.
9. You have scheduled the report GRRM_ANLS_AUTOM_STATUS_UPDATE to run with a period of 1 hour.

Process

1. In the Assessments work center, open Risk and Opportunities.


2. Create a new risk [page 416].
3. Enter the risk name and specify the risk category (see step 8 of prerequisites).
4. Create an impact for the risk.
5. Go to the Analysis tab and create a new analysis.
6. Go to the Context tab and link the EH&S work area and EH&S agent to a risk as context objects.

Note

Instead of an EH&S agent, you can use a material (depending on conditions and requirements).

Caution

Be sure that no risk assessment with the specified combination of work area and agent/material
already exists in EH&S. Such an existing risk assessment will not be overwritten by the new risk
assessment (in other words, the new risk assessment will not be created).

7. Submit the risk.

Result

A new risk assessment is created in the EH&S application of the remote system to be processed by the EH&S
manager or other responsible user. The EH&S risk assessment will be assigned probability and severity values.
A background job (step 9 of prerequisites) replicates these values as probability and impact level values for the
corresponding risk analysis in Risk Management.

6.5 Customer-Defined Fields

Customer organizations can add their own fields to the applications they have licensed.

For more information, see the corresponding Customizing section and Adding Customer-Defined Fields [page
39].

6.5.1 Adding Customer-Defined Fields

Use

You can add customer-defined (user-specific) fields in the following areas:

● For HR entities:
○ Risk, risk template, risk category
○ Opportunity, opportunity template, opportunity category
○ Activity and activity category
○ Response template
● For non-HR entities:
○ Response
○ Enhancement plan
○ Incident

Customer-defined fields can be defined as mandatory, read-only, or hidden. You can also define a specific input
check for customer-defined fields.

Prerequisites

You must have the S_DEVELOP authorization profile or the equivalent.

Procedure

To add customer-specific fields to screens of the Risk Management application, proceed as follows:

1. Call up the Customizing for Risk Management and carry out the activities under the corresponding section
of User-Defined Fields.
2. Access SAP Note number 1470670 and its attachments for more detailed information.

Caution

You must test all changes in the development system before transporting them to the test and production
systems.

Adding Customer-Defined Fields via Risk Template

Via the copy or assignment procedure, customer-defined fields that were created for a risk template are copied
into a risk. For more information on risk template creation, see Creating a Risk Template [page 368].

6.6 Risk-Related Terminology

The SAP Risk Management, SAP Process Control, and SAP Access Control applications use several risk-related
terms that may need an explanation. The following table provides an overview of risk terms with their
definitions and the location in the applications where they are used.

| Term | Explanation | Location in Application |
|---|---|---|
| SAP Risk Management | SAP NetWeaver application for managing enterprise-wide risks | Entire SAP Risk Management application |
| Risk | An uncertain event or condition that, if it occurs, has a negative impact on business objectives | Entire SAP Risk Management application |
| Risk assessment | The evaluation of risks through definition and mitigation via responses | Assessments work center |
| Risk template | A template to be used for creating actual risks | Master Data work center, Risk Catalog |
| Primary risk | A risk used in a scenario, which has no risks influencing it | Assessments work center, Scenario Management |
| Top risks | A report containing user-defined risks that are very significant to management | Reports and Analytics work center, Management section |
| Influenced risk | A risk influenced by another risk | Assessments work center, Risks and Opportunities |
| Affected risk | A risk affected by a response | Assessments work center, Responses |
| Risk event | A risk that has not occurred | Assessments work center, Incident Management |
| Inherent risk | Overall risk before response | Assessments work center, Risks and Opportunities, Analysis tab of a risk |
| Residual risk | Overall risk after response | Assessments work center, Risks and Opportunities, Analysis tab of a risk |
| Proposed risk, risk proposal | A risk proposed by a casual user | My Home work center, Ad-hoc tasks |
| Risk appetite | Level of risk to be supported, which can be described qualitatively and quantitatively | Master Data work center, Organizations |
| Underlying risk | Risk defined on lower level of organization | Assessments work center, Risks and Opportunities |
| Risk category | User-defined category of risk | Master Data work center, Risks and Responses, Risk Catalog |
| Parent risk category | A high-level user-defined risk category | Master Data work center, Risks and Responses, Risk Catalog |
| Risk incident | An incident entered directly for a risk | Assessments work center, Risks and Opportunities, Risk Incidents tab, and Incident Management section |
| Risk level | Specifies degree of risk using traffic light icons | Assessments work center, Risks and Opportunities |
| Risk factor | Synonym of influence factor, a risk with probability and impact data attached | Assessments work center, Risks and Opportunities |
| Risk summary | A report summarizing all risks per period, organization, and so on | Reports and Analytics work center |
| Risk analysis | Analysis of one risk | Assessment work center, Risks and Opportunities, Analysis tab of a risk |
| Risk scenario | A scenario containing several risks to be analyzed and evaluated | Assessments work center, Scenario Management |
| Risk aspect | A field in reports evaluating risks. By checkmarking this field in reports, the user can see how an impact level would be rated if the risk were seen from the perspective (aspect) of a different organizational unit. | Reports and Analytics work center, Risks per Organizational Unit |
| Risk instance | A risk template applied to an individual risk is considered as an instance of the risk template, or risk instance. | Assessments work center, Risks and Opportunities, Analysis tab |
| Local risk | The same as a risk instance | Assessments work center, Risks and Opportunities, Analysis tab |
| Access risk | A risk defined for the SAP Access Control application, specifying the severity of an irregularity related to Segregation of Duties (SOD) risks. | Access Management work center, Access Risk Analysis section |
| SOD risk | The same as an access risk | Access Management work center, Access Risk Analysis section |

6.7 Operational Data Provisioning in RM

Use

The structure contains the documents that describe operational reporting for Governance, Risk, and
Compliance based on Operational Data Provisioning (ODP). ODP is a metadata concept in SAP NetWeaver that
provides a technical infrastructure that you can use to support application scenarios such as data replication
and operational analytics. You can use operational reporting for real-time analysis of data. You can access the
data in your system directly without having to replicate it into a separate BW system.

In GRC, predefined search and analysis models are delivered for reporting and enterprise search. You can use
these models directly or create your own models in the modelling environment.

For more information about ODP and models, see the documentation at http://help.sap.com, under
SAP NetWeaver AS for ABAP 7.52 > Application Help > SAP NetWeaver Library: Function-Oriented View >
Search and Operational Analytics > Operational Data Provisioning.

More Information

Authorization [page 43]

CDF Support in ODP [page 44]

Search and Analytics Models [page 45]

6.7.1 Authorization

An authorization allows a user to perform a specific action on a specific object. You can define authorization
checks to be performed for the nodes in a business object by adding authorization objects to the node. In this
way, you can configure that only authorized users can access the data in search results or reporting.

To assign an authorization object to a PFCG role:

1. Go to transaction PFCG, enter the role name and choose Change.


2. In the Authorization tab, assign the authorization object in Maintain Authorization Data and Generate
Profiles.

In GRC, the following types of authorization objects are available:

| Authorization Object | Description |
|---|---|
| GRFN_ODP | Authorization check for HR objects based on entity and object ID |
| GRFN_ODP_C | Authorization check for special HR objects with complex IDs |
| GRFN_ODP_E | Entity level authorization check for non-HR objects |
| GRFN_ODP_R | Authorization check for regulation specific entities |
| GRFN_ODPRC | Authorization check for complex ID and regulation specific entities |

Note

Ad-hoc Issue and Policy use role-user assignment authorization. The assignment information is stored in
table GRFNROLEASSNMT.

Special HR Objects with Complex ID

Some objects contain special entity IDs that cover two HR object types. In such cases, the object ID length of
these entities is extended to 9, allowing one extra character for identification. These objects use the special
complex ID authorization check GRFN_AUTH_C. The following is a list of special HR objects that use the complex
ID authorization check.

| Object Type | Object ID Format | Example | Description |
|---|---|---|---|
| Activity | 8 digit number + S | 50****01S | Activities mapped from subprocess |
| Activity | 8 digit number | 50****01 | Newly created activities |
| Activity Category | 8 digit number + X | 50****01X | Activity categories mapped from subprocess |
| Activity Category | 8 digit number | 50****01 | Newly created activity categories |
| Control | L + 8 digit number | L50****01 | Local change allowed controls |
| Control | 8 digit number | 50****01 | Local change not allowed controls |
| Risk | 8 digit number + X | 50****01X | Risk template |
| Risk | 8 digit number | 50****01 | Local risk |
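
An added example (not part of the SAP documentation): a Python check that validates object IDs from an export or a role review against the complex ID formats in the table above and reports which variant each ID denotes. The sample IDs are constructed, and rejecting every combination the table does not list is an assumption of the example.

```python
import re
from typing import NamedTuple

# Variants transcribed from the "Special HR Objects with Complex ID" table.
# Key: (object type, prefix letter, suffix letter); "" means no letter.
VARIANTS = {
    ("Activity", "", "S"): "Activities mapped from subprocess",
    ("Activity", "", ""): "Newly created activities",
    ("Activity Category", "", "X"): "Activity categories mapped from subprocess",
    ("Activity Category", "", ""): "Newly created activity categories",
    ("Control", "L", ""): "Local change allowed controls",
    ("Control", "", ""): "Local change not allowed controls",
    ("Risk", "", "X"): "Risk template",
    ("Risk", "", ""): "Local risk",
}

# An 8 digit number with an optional identifying letter before or after it.
_ID_PATTERN = re.compile(r"(?P<prefix>[A-Z]?)(?P<digits>[0-9]{8})(?P<suffix>[A-Z]?)")


class ObjectId(NamedTuple):
    object_type: str
    digits: str        # the 8 digit number without the identifying letter
    marker: str        # "S", "X", "L", or "" for a plain 8 digit ID
    description: str   # wording from the table


def parse_object_id(object_type: str, object_id: str) -> ObjectId:
    """Validate one ID against the table and return its variant.

    Assumption of this example: any combination the table does not list
    (unknown object type, wrong letter, wrong length) is rejected.
    """
    match = _ID_PATTERN.fullmatch(object_id)
    if match is None:
        raise ValueError(f"{object_id!r}: not an 8 digit number with one optional letter")
    prefix, suffix = match["prefix"], match["suffix"]
    if prefix and suffix:
        # The page extends the ID length to 9, so only one extra character fits.
        raise ValueError(f"{object_id!r}: longer than 9 characters")
    try:
        description = VARIANTS[(object_type, prefix, suffix)]
    except KeyError:
        raise ValueError(
            f"{object_id!r}: format not listed for object type {object_type!r}"
        ) from None
    return ObjectId(object_type, match["digits"], prefix or suffix, description)


def check_export(rows):
    """Split (object type, object ID) rows into parsed IDs and rejected rows."""
    parsed, rejected = [], []
    for object_type, object_id in rows:
        try:
            parsed.append(parse_object_id(object_type, object_id))
        except ValueError as error:
            rejected.append((object_type, object_id, str(error)))
    return parsed, rejected


# Constructed sample rows; the page masks the middle digits of its examples.
SAMPLE_ROWS = [
    ("Activity", "50000001S"),
    ("Activity Category", "50000001X"),
    ("Control", "L50000001"),
    ("Risk", "50000001"),
    ("Risk", "50000001S"),      # S is listed only for Activity
    ("Control", "L50000001X"),  # 10 characters
    ("Activity", "5000001S"),   # only 7 digits
]

if __name__ == "__main__":
    ok, bad = check_export(SAMPLE_ROWS)
    for item in ok:
        print(f"{item.object_type:18} {item.digits} {item.marker or '-':2} {item.description}")
    for object_type, object_id, reason in bad:
        print(f"REJECTED {object_type}: {reason}")
```
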

6.7.2 CDF Support in ODP

Use

This chapter discusses how to add customer-defined fields (CDF) to ODP models that have a BW data source.

Prerequisites

You have implemented CDF support to the master data used in the ODP model.

Procedure

To add a customer defined field in an ODP model:

1. Go to transaction RSA6, find your data source and choose Enhance Extraction Structure.
2. Enter the structure name and choose continue to create a new structure.
3. Enter the necessary fields according to the CDF definition. Make sure the field name completely matches
the CDF structure. Now the BI structure should have the newly created structure appended.

Note

As the data source extractor always passes values according to the field name, this should normally work
and return the CDF value in the data source. If it does not, check whether the datamart is filled with the CDF.

4. Go to the ODP modeler, open the corresponding model and update the node. The newly appended field
appears. Adjust the related settings and generate the ODP again.

For more information, see the SAP NetWeaver help document at http://help.sap.com under
SAP NetWeaver AS for ABAP 7.52 > Application Help > SAP NetWeaver Library: Function-Oriented View >
Search and Operational Analytics > Creating Search and Analysis Models > Creating or Extending Search and
Analysis Models.

6.7.3 Search and Analytics Models

A search and analytic model reflects a business entity consisting of segments modeled via nodes. Nodes can
be connected to other nodes by means of composition or association relationships using foreign-key
dependencies.

The following structure contains both common models and product specific models.

Related Information

Search and Analytics Models (Common) [page 45]


Search and Analytics Model (SAP Risk Management) [page 168]

6.7.3.1 Search and Analytics Models (Common)

The following structure contains the common search and analytics models shared by both the SAP Process
Control and SAP Risk Management applications.

Related Information

Ad-Hoc Issue [page 46]


Business Rule [page 50]
Data Source [page 55]
Organization Unit [page 60]
Organization Hierarchy [page 84]
Policy [page 86]

Risk [page 90]
Timeframe [page 101]
Timeframe Frequency [page 124]
Timeframe Year [page 146]

6.7.3.1.1 Ad-Hoc Issue

Use

Search and Analytics Model: 0GFN_AI

This search and analytics model is used to get the ad-hoc issue data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Ad-Hoc Issue Attributes

Technical Name 0GFN_AI_ATTR

DataSource 0GFN_AI_ATTR

Operational Data Provider: GRC Ad-Hoc Issue Attributes

Technical Name 0GFN_AI

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Ad-Hoc Issue Text

Technical Name 0GFN_AI

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

| Check ID | ABAP Authorization Object | Description |
|---|---|---|
| CN_IS | GRFN_ODP_C | GRC ODP authorization for complex ID |
| IELC_IS | GRFN_ODP | GRC ODP authorization |
| SP_IS | GRFN_ODP | GRC ODP authorization |

Node Relationship: GRC Ad-Hoc Issue Text

Node 0GFN_AI_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| GUID | | GUID | | Equal |
| TF_FREQ | | TF_FREQ | | Equal |
| TF_YEAR | | TF_YEAR | | Equal |
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Ad-Hoc Issue Priority Text

Node 0GFN_AIPRIO.0GFN_AI_PRIORITY_TEX

Association 0GFN_AI_ATTR20GFN_AI_PRIORITY_TE

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| AI_PRIORITY | | ATTR | | Equal |

Node Relationship: GRC Ad-Hoc Issue Status Text

Node 0GFN_AI_STATUS.0GFN_AI_STATUS_TEXT

Association 0GFN_AI_ATTR20GFN_AI_STATUS_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| AI_STATUS | | ATTR | | Equal |

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GFN_AI_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GFN_AI_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_YEAR | | TF_YEAR | | Equal |

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GFN_AI_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_FREQ | | TF_FREQ | | Equal |

6.7.3.1.2 Business Rule

Use

Search and Analytics Model: 0GFN_BR

This search and analytics model is used to get the business rule data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Business Rule Attributes

Technical Name 0GFN_BR_ATTR

DataSource 0GFN_BR_ATTR

Operational Data Provider: GRC Business Rule Attribute

Technical Name 0GFN_BR

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Business Rule Texts

Technical Name 0GFN_BR

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

| Check ID | ABAP Authorization Object | Description |
|---|---|---|
| EO | GRFN_ODP | GRC ODP authorization |

Node Relationship: GRC Business Rule Texts

Node 0GFN_BR_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| OBJID | | OBJID | | Equal |
| TF_YEAR | | TF_YEAR | | Equal |
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GFN_BR_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GFN_BR_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_YEAR | | TF_YEAR | | Equal |

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GFN_BR_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_FREQ | | TF_FREQ | | Equal |

Node Relationship: GRC Data Source Attribute

Node 0GFN_EO.0GFN_DS_ATTR

Association 0GFN_BR_ATTR20GFN_DS_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| EO_ID | | OBJID | | Equal |
| TF_YEAR | | TF_YEAR | | Equal |
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Business Rule Analysis Type Text

Node 0GFN_BRANTY.0GFN_BR_ANYSTYPE_TEX

Association 0GFN_BR_ANYSTYPE_TEX20GFN_BR_ATT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| BR_ANYSTYPE | | ATTR | | Equal |

Node Relationship: GRC Business Rule Category Texts

Node 0GFN_BRCATE.0GFN_BR_CATEGORY_TEX

Association 0GFN_BR_CATEGORY_TEX20GFN_BR_ATT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| BR_CATEGORY | | ATTR | | Equal |

Node Relationship: GRC Business Rule Status Text

Node 0GFN_BRSTAT.0GFN_BR_STATUS_TEXT

Association 0GFN_BR_STATUS_TEXT20GFN_BR_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| BR_STATUS | | ATTR | | Equal |

Node Relationship: GRC Job Steps Attribute

Node 0GFN_JP.0GFN_JP_ATTR

Association 0GFN_JP_ATTR20GFN_BR_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| OBJID | | BR_ID | | Equal |
| TF_YEAR | | TF_YEAR | | Equal |
| TIMEFRAME | | TIMEFRAME | | Equal |

6.7.3.1.3 Data Source

Use

Search and Analytics Model: 0GFN_EO

This search and analytics model is used to get the data source attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Data Source Attribute

Technical Name 0GFN_DS_ATTR

DataSource 0GFN_DS_ATTR

Operational Data Provider: GRC Data Source Attribute

Technical Name 0GFN_EO

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Data Source Texts

Technical Name 0GFN_EO

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

| Check ID | ABAP Authorization Object | Description |
|---|---|---|
| EO | GRFN_ODP | GRC ODP authorization |

Node Relationship: GRC Data Source Texts

Node 0GFN_DS_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| OBJID | | OBJID | | Equal |
| TF_YEAR | | TF_YEAR | | Equal |
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GFN_DS_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_YEAR | | TF_YEAR | | Equal |

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GFN_DS_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GFN_DS_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_FREQ | | TF_FREQ | | Equal |

Node Relationship: GRC Data Source Sub-scenario Text

Node 0GFN_EOSUBS.0GFN_DS_SUBSCENARIO

Association 0GFN_DS_ATTR20GFN_DS_SUBSCENARIO

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| DS_SUBSCENARIO | | ATTR | | Equal |

Node Relationship: GRC Data Source Connection Type Text

Node 0GFN_EOCOTP.0GFN_DS_CONN_TYPE

Association 0GFN_DS_ATTR20GFN_DS_CONN_TYPE

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| DS_CONNECTTYPE | | ATTR | | Equal |

Node Relationship: GRC Data Source Connector Texts

Node 0GFN_EOCONN.0GFN_DS_CONNECTOR_TE

Association 0GFN_DS_ATTR20GFN_DS_CONNECTOR_T

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| DS_CONNECTOR | | ATTR | | Equal |

Node Relationship: GRC Business Rule Attribute

Node 0GFN_BR.0GFN_BR_ATTR

Association 0GFN_BR_ATTR20GFN_DS_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| OBJID | | EO_ID | | Equal |
| TF_YEAR | | TF_YEAR | | Equal |
| TIMEFRAME | | TIMEFRAME | | Equal |

6.7.3.1.4 Organization Unit

Use

Search and Analytics Model: 0GFN_OU

This search and analytics model is used to get the organization unit attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Organization Attributes

Technical Name 0GFN_OU_ATTR

DataSource 0GFN_OU_ATTR

Operational Data Provider: GRC Organization Attributes

Technical Name 0GFN_OU

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Organization Texts

Technical Name 0GFN_OU

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

| Check ID | ABAP Authorization Object | Description |
|---|---|---|
| OU | GRFN_ODP | GRC ODP authorization |

Node Relationship: GRC Organizations Texts

Node 0GFN_OU_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query Yes

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_YEAR | | TF_YEAR | | Equal |
| TIMEFRAME | | TIMEFRAME | | Equal |
| OBJID | | OBJID | | Equal |

Node Relationship: GRC Org. Unit Qualitative Appetite Texts

Node 0GFN_OUQAPP.0GFN_OU_QAPP_TEXT

Association 0GFN_OU_ATTR20GFN_OU_QAPP_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| OU_QUALITY_APP | | ATTR | | Equal |

Node Relationship: Region (State, Province, County)

Node 0GFN_REGION.0REGION_TEXT

Association 0GFN_OU_ATTR20REGION_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| OU_REGION | | BLAND | | Equal |
| OU_REGION_CNTY | | LAND1 | | Equal |

Node Relationship: Country

Node 0GFN_COUNTRY.0COUNTRY_TEXT

Association 0GFN_OU_ATTR20COUNTRY_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| OU_COUNTRY | | LAND1 | | Equal |

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GFN_OU_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TIMEFRAME | | TIMEFRAME | | Equal |

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GFN_OU_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_YEAR | | TF_YEAR | | Equal |

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GFN_OU_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

| Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator |
|---|---|---|---|---|
| TF_FREQ | | TF_FREQ | | Equal |

Node Relationship: GRC Entity Type Text

Node 0GFN_ENTTYP.0GFN_ENTTYP_TEXT

Association 0GFN_OU_ATTR20GFN_ENTTYP_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

ENTITY_ID ATTR Equal

Node Relationship: GRC Organization Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GFN_OU_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OU_PARENT OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Org. Unit In Scope

Node 0GPC_OUINSC.0GPC_OUINSC_TEXT

Association 0GFN_OU_ATTR20GPC_OUINSC

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OU_IN_SCOPE ATTR Equal

Node Relationship: Org. Unit Is Provider

Node 0GPC_OUISPR.0GPC_OUISPR_TEXT

Association 0GFN_OU_ATTR20GPC_OUISPR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OU_SPROVIDER ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GFN_OU_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OU_RESP_USER ATTR Equal

Node Relationship: Validate iELC Assessment

Node 0GFN_OUVAMC.0GFN_OUVAMC_TEXT

Association 0GFN_OU_ATTR20GFN_OUVAMC

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OU_VAL_EC_ASS ATTR Equal

Node Relationship: Validate iELC Effectiveness Test

Node 0GFN_OUVAMT.0GFN_OUVAMT_TEXT

Association 0GFN_OUVAMT.0GFN_OUVAMT_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OU_VAL_EC_TEST ATTR Equal

Node Relationship: Retest iELC Assessment

Node 0GFN_OUREMC.0GFN_OUREMC_TEXT

Association 0GFN_OU_ATTR20GFN_OUREMC

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OU_RTS_EC_ASS ATTR Equal

Node Relationship: Retest iELC Effectiveness Test

Node 0GFN_OUREMT.0GFN_OUREMT_TEXT

Association 0GFN_OU_ATTR20GFN_OUREMT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OU_RTS_EC_TEST ATTR Equal

Node Relationship: GRC PC Risk Coverage from all sources

Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL

Association 0GPC_SP_RS_CN_ALL20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Subprocess Attributes

Node 0GPC_SPSRC.0GPC_SP_RS_SOURCE_AT

Association 0GPC_SP_RS_SOURCE_AT20GFN_OU_ATT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Process Attributes

Node 0GPC_PR.0GPC_PR_ATTR

Association 0GPC_PR_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Control and Risk Matrix Attributes

Node 0GPC_CN_RS.0GPC_CN_RS_ATTR

Association 0GPC_CN_RS_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_CN.0GPC_CN_ATTR

Association 0GPC_CN_ATTR20GFN_OU_ATTR_1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_RS20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Test Step Attributes

Node 0GPC_V0.0GPC_V0_ATTR

Association 0GPC_V0_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Indirect Entity-Level Control Group Attributes

Node 0GPC_EG.0GPC_EG_ATTR

Association 0GPC_EG_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes

Node 0GPC_EC.0GPC_EC_ATTR

Association 0GPC_EC_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Job Steps Attribute

Node 0GFN_JP.0GFN_JP_ATTR

Association 0GFN_JP_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

OBJID OU_ID Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_CN.0GPC_CN_ATTR

Association 0GPC_CN_ATTR20GFN_OU_ATTR_2

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID CN_SS_OU Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Enhancement Plan Attributes

Node 0GRM_EP.0GRM_EP_ATTR

Association 0GRM_EP_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OR_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Subprocess Attributes

Node 0GPC_SP.0GPC_SP_ATTR

Association 0GPC_SP_ATTR20GFN_OU_ATTR_O

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Subprocess Attributes

Node 0GPC_SP.0GPC_SP_ATTR

Association 0GPC_SP_ATTR20GFN_OU_ATTR_SS

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID SP_SS_ORGUNIT Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Hierarchy nodes

Node 0GFN_OU_HIER.HIERARCHY_ELEMENT

Association HIERARCHY_ELEMENT20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID SP_SS_ORGUNIT Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_AC_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

OBJID OBJID Equal

Node Relationship: GRC RM Loss Attributes

Node 0GRM_IL.0GRM_IL_ATTR

Association 0GRM_IL_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_IN_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM KRI Instance Attributes

Node 0GRM_KN.0GRM_KN_ATTR

Association 0GRM_KN_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Response Attributes

Node 0GRM_RP.0GRM_RP_ATTR

Association 0GRM_RP_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Forecasting Horizon Analysis Attributes

Node 0GRM_W5_ATTR.0GRM_W5_ATTR

Association 0GRM_W5_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

OBJID OU Equal

Node Relationship: GRC RM Analysis Attributes

Node 0GRM_AL.0GRM_AL_ATTR

Association 0GRM_AL_ATTR20GFN_OU_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_M3.0GPC_CN_ATTR

Association M3 CTRL: ORGANIZATION

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

OBJID OU_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.1.5 Organization Hierarchy

Use

Search and Analytics Model: 0GFN_OU_HIER

This search and analytics model is used to get the organization hierarchy attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Hierarchy header

Technical Name HIERARCHY_HEADER

DataSource 0GFN_OU_GFNH_HIER

Node Relationship: Hierarchy nodes

Node HIERARCHY_ELEMENT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query Yes

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

HEADERID HEADERID Equal

Node Relationship: Node texts

Node HIERARCHY_FOLDERTEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

FOLDERNAME FOLDERNAME Equal

HEADERID HEADERID Equal

Node Relationship: GRC Organization Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association HIERARCHY_ELEMENT20GFN_OU_ATTR

Cardinality Up to One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

OBJID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Header texts

Node HIERARCHY_HEADERTEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

HEADERID HEADERID Equal

6.7.3.1.6 Policy

Use

Search and Analytics Model: 0GFN_PO

This search and analytics model is used to get the policy data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Policy Attributes

Technical Name 0GFN_PO_ATTR

DataSource 0GFN_PO_ATTR

Operational Data Provider: GRC Policy Attributes

Technical Name 0GFN_PO

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Policy Text

Technical Name 0GFN_PO

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

PO GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC Policy Text

Node 0GFN_PO_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

GUID GUID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Policy Category Text

Node 0GFN_POCATEG.0GFN_PO_CATEG_TEXT

Association 0GFN_PO_ATTR20GFN_PO_CATEG_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

PO_POLICY_CATEG ATTR Equal

Node Relationship: GRC Policy Status Text

Node 0GFN_POSTATUS.0GFN_PO_STATUS_TEXT

Association 0GFN_PO_ATTR20GFN_PO_STATUS_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

PO_POLICY_STATUS ATTR Equal

Node Relationship: GRC Policy Type Text

Node 0GFN_POTYPE.0GFN_PO_TYPE_TEXT

Association 0GFN_PO_ATTR20GFN_PO_TYPE_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

PO_POLICY_TYPE ATTR Equal

6.7.3.1.7 Risk

Use

Search and Analytics Model: 0GFN_RS

This search and analytics model is used to get the risk data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Risk Attributes

Technical Name 0GFN_RS_ATTR

DataSource 0GFN_RS_ATTR

Operational Data Provider: GRC Risk Attributes

Technical Name 0GFN_RS

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Risk Texts

Technical Name 0GFN_RS

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

RS GRFN_ODP_C GRC ODP authorization for complex ID

Node Relationship: GRC Risk Texts

Node 0GFN_RS_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM Risk Level Texts

Node 0GRM_RSL.0GRM_RSL_TEXT

Association 0GFN_RS_ATTR20GRM_RSL_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

RS_RSA_RSL ATTR Equal

Node Relationship: GRC Risk Status Texts

Node 0GFN_RSSTAT.0GFN_RS_STATUS_TEXT

Association 0GFN_RS_ATTR20GFN_RS_STATUS_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

RS_STATUS ATTR Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GFN_RS_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GFN_RS_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GFN_RS_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_FREQ TF_FREQ Equal

Node Relationship: GRC RM Probability Level Texts

Node 0GRM_PBL.0GRM_PBL_TEXT

Association 0GFN_RS_ATTR20GRM_PBL_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

RS_RSA_PRL ATTR Equal

Node Relationship: GRC PC Risk Coverage from all sources

Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL

Association 0GFN_RS_ATTR20GPC_SP_RS_CN_ALL

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC PC Control and Risk Matrix Attributes

Node 0GPC_CN_RS.0GPC_CN_RS_ATTR

Association 0GFN_RS_ATTR20GPC_CN_RS_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GFN_RS_ATTR20GRM_OU_AC_RS

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GFN_RS_ATTR20GRM_OU_AC_RS_RP

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GFN_RS_ATTR20GRM_OU_AC_RS_IN

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GFN_RS_ATTR20GRM_KN_KRI_VALUES

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM Loss Attributes

Node 0GRM_IL.0GRM_IL_ATTR

Association 0GFN_RS_ATTR20GRM_IL_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GFN_RS_ATTR20GRM_IN_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GFN_RS_ATTR20GRM_IN_IL_IC

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM KRI Instance Attributes

Node 0GRM_KN.0GRM_KN_ATTR

Association 0GFN_RS_ATTR20GRM_KN_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: GRC RM Response Attributes

Node 0GRM_RP.0GRM_RP_ATTR

Association 0GFN_RS_ATTR20GRM_RP_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

Node Relationship: Forecasting Horizon Analysis Attributes

Node 0GRM_W5_ATTR.0GRM_W5_ATTR

Association 0GFN_RS_ATTR20GRM_W5_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GFN_RS_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

RS_RESP_USER ATTR Equal

Node Relationship: GRC RM Analysis Attributes

Node 0GRM_AL.0GRM_AL_ATTR

Association 0GRM_AL_ATTR20GFN_RS_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

RS_ID RS_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.1.8 Timeframe

Use

Search and Analytics Model: 0GFN_TF

This search and analytics model is used to get the timeframe attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Timeframe

Technical Name 0GFN_TF_ATTR

DataSource 0GFN_TF_ATTR

Operational Data Provider: GRC Timeframe

Technical Name 0GFN_TF

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Timeframe Texts

Technical Name 0GFN_TF

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Node Relationship: GRC Timeframe Texts

Node 0GFN_TF_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query Yes

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: Organization Attributes for Enterprise Search

Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH

Association 0GFN_OU_ATTR_ESH20GFN_TF_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: PC Control Objective Attributes

Node 0GPC_COBJ.0GPC_COBJ_ATTR

Association 0GPC_COBJ_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC FS Account Group Attributes

Node 0GPC_AG.0GPC_AG_ATTR

Association 0GPC_AG_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes

Node 0GPC_EC.0GPC_EC_ATTR

Association 0GPC_EC_ATTR20GFN_TF_ATTR_1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Test Plan Attributes

Node 0GPC_TP.0GPC_TP_ATTR

Association 0GPC_TP_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Organization Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GFN_OU_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Business Rule Attribute

Node 0GFN_BR.0GFN_BR_ATTR

Association 0GFN_BR_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator
Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC PC Testing (Testlog) Attributes

Node 0GPC_TL.0GPC_TL_ATTR

Association 0GPC_TL_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Data Source Attribute

Node 0GFN_EO.0GFN_DS_ATTR

Association 0GFN_DS_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Central Opportunity Texts

Node 0GRM_OC.0GRM_OC_TEXT

Association 0GRM_OC_TEXT20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OR_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Value Attribute of Child Value Join-Operator


Node Node

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Regulation

Node 0GPC_RE.0GPC_RE

Association 0GPC_RE20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes All Regs

Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG

Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_ATT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC Organizations Attributes All Regulations

Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG

Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_ATT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Indirect Enitity-Level Control Group Attributes

Node 0GPC_EG.0GPC_EG_ATTR

Association 0GPC_EG_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_RG_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Enhancement Plan Attributes

Node 0GRM_EP.0GRM_EP_ATTR

Association 0GRM_EP_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Assessment Attributes

Node 0GPC_AS.0GPC_AS_ATTR

Association 0GPC_AS_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_CN.0GPC_CN_ATTR

Association 0GPC_CN_ATTR20GFN_TF_ATTR_1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Control Attributes All Regulations

Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG

Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_ATT

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Control and Risk Matrix Attributes

Node 0GPC_CN_RS.0GPC_CN_RS_ATTR

Association 0GPC_CN_RS_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_M3.0GPC_CN_ATTR

Association M3 CTRL: TIMEFRAME

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Test Step Attributes

Node 0GPC_V0.0GPC_V0_ATTR

Association 0GPC_V0_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC Ad-Hoc Issue Attributes

Node 0GFN_AI.0GFN_AI_ATTR

Association 0GFN_AI_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Risk Coverage from all sources

Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL

Association 0GPC_SP_RS_CN_ALL20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes

Node 0GPC_H2E.0GPC_EC_ATTR

Association H2E IELC: TIMEFRAME

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_AC_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Loss Attributes

Node 0GRM_IL.0GRM_IL_ATTR

Association 0GRM_IL_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_IN_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_CA_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM KRI Instance Attributes

Node 0GRM_KN.0GRM_KN_ATTR

Association 0GRM_KN_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Response Attributes

Node 0GRM_RP.0GRM_RP_ATTR

Association 0GRM_RP_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM KRI Template Attributes

Node 0GRM_KT.0GRM_KT_ATTR

Association 0GRM_KT_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Opportunity Category Attributes

Node 0GRM_OG.0GRM_OG_ATTR

Association 0GRM_OG_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Remediation Plan Attributes

Node 0GPC_PL.0GPC_PL_ATTR

Association 0GPC_PL_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Org. Unit Objective Attributes

Node 0GRM_OB.0GRM_OB_ATTR

Association 0GRM_OB_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC RM Analysis Attributes

Node 0GRM_AL.0GRM_AL_ATTR

Association 0GRM_AL_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Testing (Testlog) Attributes

Node 0GPC_F5.0GPC_TL_ATTR

Association F5 TESTLOG: TIMEFRAME

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Issue Attributes

Node 0GPC_IS.0GPC_IS_ATTR

Association 0GPC_IS_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

Node Relationship: GRC PC Account Group Assertion Attributes

Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR

Association 0GPC_V9_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TIMEFRAME | | TIMEFRAME | | Equal

6.7.3.1.9 Timeframe Frequency

Use

Search and Analytics Model: 0GFN_TF_FREQ

This search and analytics model is used to get the timeframe frequency attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Timeframe Year Frequency

Technical Name 0GFN_TF_FREQ

DataSource 0GFN_TF_FREQ

Operational Data Provider: GRC Timeframe Year Frequency

Technical Name 0GFN_TF_FREQ

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC Timeframe Frequency Texts

Technical Name 0GFN_TF_FREQ

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Node Relationship: GRC Timeframe Frequency Texts

Node 0GFN_TFFRQ_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query Yes

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Control Objective Attributes

Node 0GPC_COBJ.0GPC_COBJ_ATTR

Association 0GPC_COBJ_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC FS Account Group Attributes

Node 0GPC_AG.0GPC_AG_ATTR

Association 0GPC_AG_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes

Node 0GPC_EC.0GPC_EC_ATTR

Association 0GPC_EC_ATTR20GFN_TF_FREQ_1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC Test Plan Attributes

Node 0GPC_TP.0GPC_TP_ATTR

Association 0GPC_TP_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC Organization Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GFN_OU_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC Business Rule Attribute

Node 0GFN_BR.0GFN_BR_ATTR

Association 0GFN_BR_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Testing (Testlog) Attributes

Node 0GPC_TL.0GPC_TL_ATTR

Association 0GPC_TL_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC Data Source Attribute

Node 0GFN_EO.0GFN_DS_ATTR

Association 0GFN_DS_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OR_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_AC_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_RS20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM KRI Template Attributes

Node 0GRM_KT.0GRM_KT_ATTR

Association 0GRM_KT_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_CA_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Regulation

Node 0GPC_RE.0GPC_RE

Association 0GPC_RE20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes All Regs

Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG

Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_FRE

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC Organizations Attributes All Regulations

Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG

Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_FRE

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Indirect Enitity-Level Control Group Attributes

Node 0GPC_EG.0GPC_EG_ATTR

Association 0GPC_EG_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_RG_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Central Opportunity Texts

Node 0GRM_OC.0GRM_OC_TEXT

Association 0GRM_OC_TEXT20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Enhancement Plan Attributes

Node 0GRM_EP.0GRM_EP_ATTR

Association 0GRM_EP_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Assessment Attributes

Node 0GPC_AS.0GPC_AS_ATTR

Association 0GPC_AS_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_CN.0GPC_CN_ATTR

Association 0GPC_CN_ATTR20GFN_TF_FREQ_1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Control Attributes All Regulations

Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG

Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_FRE

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Control and Risk Matrix Attributes

Node 0GPC_CN_RS.0GPC_CN_RS_ATTR

Association 0GPC_CN_RS_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_M3.0GPC_CN_ATTR

Association M3 CTRL: TIMEFRAME FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Test Step Attributes

Node 0GPC_V0.0GPC_V0_ATTR

Association 0GPC_V0_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC Ad-Hoc Issue Attributes

Node 0GFN_AI.0GFN_AI_ATTR

Association 0GFN_AI_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Risk Coverage from all sources

Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL

Association 0GPC_SP_RS_CN_ALL20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes

Node 0GPC_H2E.0GPC_EC_ATTR

Association H2E IELC: TIMEFRAME FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Loss Attributes

Node 0GRM_IL.0GRM_IL_ATTR

Association 0GRM_IL_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_IN_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM KRI Instance Attributes

Node 0GRM_KN.0GRM_KN_ATTR

Association 0GRM_KN_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Response Attributes

Node 0GRM_RP.0GRM_RP_ATTR

Association 0GRM_RP_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Opportunity Category Attributes

Node 0GRM_OG.0GRM_OG_ATTR

Association 0GRM_OG_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Remediation Plan Attributes

Node 0GPC_PL.0GPC_PL_ATTR

Association 0GPC_PL_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Org. Unit Objective Attributes

Node 0GRM_OB.0GRM_OB_ATTR

Association 0GRM_OB_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC RM Analysis Attributes

Node 0GRM_AL.0GRM_AL_ATTR

Association 0GRM_AL_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Testing (Testlog) Attributes

Node 0GPC_F5.0GPC_TL_ATTR

Association F5 TESTLOG: FREQUENCY

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Issue Attributes

Node 0GPC_IS.0GPC_IS_ATTR

Association 0GPC_IS_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

Node Relationship: GRC PC Account Group Assertion Attributes

Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR

Association 0GPC_V9_ATTR20GFN_TF_FREQ

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_FREQ | | TF_FREQ | | Equal

6.7.3.1.10 Timeframe Year

Use

Search and Analytics Model: 0GFN_TF_YEAR

This search and analytics model is used to get the timeframe year attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC Timeframe Year

Technical Name 0GFN_TF_YEAR

DataSource 0GFN_TF_YEAR

Operational Data Provider: GRC Timeframe Year

Technical Name 0GFN_TF_YEAR

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Node Relationship: GRC PC Control Objective Attributes

Node 0GPC_COBJ.0GPC_COBJ_ATTR

Association 0GPC_COBJ_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC PC FS Account Group Attributes

Node 0GPC_AG.0GPC_AG_ATTR

Association 0GPC_AG_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes

Node 0GPC_EC.0GPC_EC_ATTR

Association 0GPC_EC_ATTR20GFN_TF_YEAR_1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC Test Plan Attributes

Node 0GPC_TP.0GPC_TP_ATTR

Association 0GPC_TP_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC Organization Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GFN_OU_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC Business Rule Attribute

Node 0GFN_BR.0GFN_BR_ATTR

Association 0GFN_BR_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC PC Testing (Testlog) Attributes

Node 0GPC_TL.0GPC_TL_ATTR

Association 0GPC_TL_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC Data Source Attribute

Node 0GFN_EO.0GFN_DS_ATTR

Association 0GFN_DS_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC RM Central Opportunity Texts

Node 0GRM_OC.0GRM_OC_TEXT

Association 0GRM_OC_TEXT20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node | Value | Attribute of Child Node | Value | Join-Operator
TF_YEAR | | TF_YEAR | | Equal

Node Relationship: GRC RM Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OR_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_RS20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Regulation

Node 0GPC_RE.0GPC_RE

Association 0GPC_RE20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes All Regs

Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG

Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_YEA

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes All Regulations

Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG

Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_YEA

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Indirect Entity-Level Control Group Attributes

Node 0GPC_EG.0GPC_EG_ATTR

Association 0GPC_EG_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_RG_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Enhancement Plan Attributes

Node 0GRM_EP.0GRM_EP_ATTR

Association 0GRM_EP_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Assessment Attributes

Node 0GPC_AS.0GPC_AS_ATTR

Association 0GPC_AS_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_CN.0GPC_CN_ATTR

Association 0GPC_CN_ATTR20GFN_TF_YEAR_1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Control Attributes All Regulations

Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG

Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_YEA

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Control and Risk Matrix Attributes

Node 0GPC_CN_RS.0GPC_CN_RS_ATTR

Association 0GPC_CN_RS_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Control Attributes

Node 0GPC_M3.0GPC_CN_ATTR

Association M3 CTRL: TIMEFRAME YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Test Step Attributes

Node 0GPC_V0.0GPC_V0_ATTR

Association 0GPC_V0_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Ad-Hoc Issue Attributes

Node 0GFN_AI.0GFN_AI_ATTR

Association 0GFN_AI_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Risk Coverage from all sources

Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL

Association 0GPC_SP_RS_CN_ALL20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Indirect Entity-Level Control Attributes

Node 0GPC_H2E.0GPC_EC_ATTR

Association H2E IELC: TIMEFRAME YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_AC_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: Organization Attributes for Enterprise Search

Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH

Association 0GFN_OU_ATTR_ESH20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Loss Attributes

Node 0GRM_IL.0GRM_IL_ATTR

Association 0GRM_IL_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_IN_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_CA_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM KRI Instance Attributes

Node 0GRM_KN.0GRM_KN_ATTR

Association 0GRM_KN_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Response Attributes

Node 0GRM_RP.0GRM_RP_ATTR

Association 0GRM_RP_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM KRI Template Attributes

Node 0GRM_KT.0GRM_KT_ATTR

Association 0GRM_KT_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Opportunity Category Attributes

Node 0GRM_OG.0GRM_OG_ATTR

Association 0GRM_OG_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Remediation Plan Attributes

Node 0GPC_PL.0GPC_PL_ATTR

Association 0GPC_PL_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Org. Unit Objective Attributes

Node 0GRM_OB.0GRM_OB_ATTR

Association 0GRM_OB_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Analysis Attributes

Node 0GRM_AL.0GRM_AL_ATTR

Association 0GRM_AL_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Testing (Testlog) Attributes

Node 0GPC_F5.0GPC_TL_ATTR

Association F5 TESTLOG: YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Issue Attributes

Node 0GPC_IS.0GPC_IS_ATTR

Association 0GPC_IS_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC PC Account Group Assertion Attributes

Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR

Association 0GPC_V9_ATTR20GFN_TF_YEAR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

6.7.3.2 Search and Analytics Model (SAP Risk Management)

The following structure contains search and analytics models used in SAP Risk Management.

Related Information

Activity [page 170]
Activity Category [page 178]
Activity Category Hierarchy [page 186]
Analysis [page 188]
Analysis with Forecasting Horizon Result [page 194]
Central Opportunity [page 197]
Enhancement Plan Attributes [page 199]
Enterprise Search: Activity [page 206]
Enterprise Search: Incident [page 207]
Enterprise Search: Response [page 207]
Enterprise Search: Risk [page 208]
Forecasting Horizon Attributes [page 209]
Incident Attributes [page 213]
Impact Category [page 216]
Incident [page 218]
Incident-Loss-Impact Category Assignment [page 224]
KRI Instance [page 231]
KRI Instance Values [page 237]
KRI Template [page 243]
Loss Attributes [page 249]
Objective [page 254]
Opportunity Category [page 258]
Opportunity Hierarchy [page 263]
Opportunity [page 265]
OU-Activity-Opportunity Assignment [page 272]
OU-Activity-Opportunity-Enhancement Plan [page 277]
OU-Activity-Risk Assignment [page 283]
OU-Activity-Risk-Incident Assignment [page 288]
OU-Activity-Risk-Response Assignment [page 293]
Response [page 299]
Risk-Impact Category Assignment [page 306]
Risk Category [page 312]
Risk Category Hierarchy [page 319]

6.7.3.2.1 Activity

Use

Search and Analytics Model: GRM_AC

This search and analytics model is used to get the activity data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Activity Attributes

Technical Name 0GRM_AC_ATTR

DataSource 0GRM_AC_ATTR

Operational Data Provider: GRC RM Activity Attributes

Technical Name 0GRM_AC

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Activity Texts

Technical Name 0GRM_AC

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

AC GRFN_ODP_C GRC ODP Authorization for complex ID

Node Relationship: GRC RM Activity Texts

Node 0GRM_AC_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query Yes

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

AC_ID AC_ID Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_AC_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_AC_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_AC_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_AC_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_RESP_USER ATTR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_AC_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

OBJID OBJID Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_AC_ATTR20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_RS20GRM_AC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR20GRM_AC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_ID AC_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GRM_AC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GRM_AC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GRM_AC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GRM_AC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GRM_AC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AC_ID AC_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.2 Activity Category

Use

Search and Analytics Model: 0GRM_CA

This search and analytics model is used to get the Activity Category data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Activity Category Attributes

Technical Name 0GRM_CA_ATTR

DataSource 0GRM_CA_ATTR

Operational Data Provider: GRC RM Activity Category Attributes

Technical Name 0GRM_CA

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Activity Category Texts

Technical Name 0GRM_CA

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

CA GRFN_ODP_C GRC ODP Authorization for complex ID

Node Relationship: GRC RM Activity Category Texts

Node 0GRM_CA_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

CA_ID CA_ID Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_CA_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_CA_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_CA_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Hierarchy nodes

Node 0GRM_CA_HIER.HIERARCHY_ELEMENT

Association HIERARCHY_ELEMENT20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_AC_ATTR20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_RS20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GRM_CA_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.3 Activity Category Hierarchy

Use

Search and Analytics Model: 0GRM_CA_HIER

This search and analytics model is used to get the Activity Category data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Hierarchy Header

Technical Name HIERARCHY_HEADER

DataSource 0GRM_CA_GRMH_HIER

Node Relationship: Hierarchy nodes

Node HIERARCHY_ELEMENT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

HEADERID HEADERID Equal

Node Relationship: Node texts

Node HIERARCHY_FOLDERTEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

FOLDERNAME FOLDERNAME Equal

HEADERID HEADERID Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_CA.0GRM_CA_ATTR

Cardinality Up to One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Header texts

Node HIERARCHY_HEADERTEXT

Association 0GRM_CA_ATTR20GFN_TF_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

HEADERID HEADERID Equal

6.7.3.2.4 Analysis

Use

Search and Analytics Model: GRM_AL

This search and analytics model is used to get the analysis data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Analysis Attributes

Technical Name 0GRM_AL_ATTR

DataSource 0GRM_AL_ATTR

Operational Data Provider: GRC RM Analysis Attributes

Technical Name 0GRM_AL

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

OR GRFN_ODP GRC ODP authorization

OU GRFN_ODP GRC ODP authorization

RS GRFN_ODP GRC ODP authorization

Node Relationship: GRC RM Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_AL_ATTR20GRM_OR_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query Yes

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

OR_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_AL_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_AL_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_AL_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_AL_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GRM_AL_ATTR20GFN_RS_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

RS_ID RS_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Analysis Status Text

Node 0GRM_AL_STATUS_TEXT.0GRM_AL_STATUS_TEXT

Association 0GRM_AL_STATUS_TEXT.0GRM_AL_STATUS_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AL_STATUS ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_AL_ATTR20GFN_USER_TEXT1

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AL_CREATED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_AL_ATTR20GFN_USER_TEXT2

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AL_CHANGED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_AL_ATTR20GFN_USER_TEXT3

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join Operator

AL_RESP_USER ATTR Equal

6.7.3.2.5 Analysis with Forecasting Horizon Result

Use

Search and Analytics Model: 0GRM_W5_ATTR

This search and analytics model is used to get the Forecasting Horizon Analysis attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Forecasting Horizon Analysis Attributes

Technical Name 0GRM_W5_ATTR

DataSource 0GRM_W5_ATTR

Operational Data Provider: Forecasting Horizon Analysis Attributes

Technical Name 0GRM_W5_ATTR

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

W5 GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_W5_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

OU OBJID Equal

Node Relationship: Forecasting Horizon Attributes

Node 0GRM_FH.0GRM_FH_ATTR

Association 0GRM_W5_ATTR20GRM_FH_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

FH_ID FH_ID Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_W5_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS RS_ID Equal

6.7.3.2.6 Central Opportunity

Use

Search and Analytics Model: 0GRM_OC

This search and analytics model is used to get the Central Opportunity data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Central Opportunity Texts

Technical Name 0GRM_OC_TEXT

DataSource 0GRM_OC_TEXT

Operational Data Provider: GRC RM Central Opportunity Texts

Technical Name 0GRM_OC

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

OC GRFN_ODP GRC ODP authorization

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OC_TEXT20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OC_TEXT20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OC_TEXT20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

6.7.3.2.7 Enhancement Plan Attributes

Use

Search and Analytics Model: 0GRM_EP

This search and analytics model is used to get the enhancement plan attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Enhancement Plan Attributes

Technical Name 0GRM_EP_ATTR

DataSource 0GRM_EP_ATTR

Operational Data Provider: GRC RM Enhancement Plan Attributes

Technical Name 0GRM_EP

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

EP GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC RM Enhancement Plan Texts

Node 0GRM_EP_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

GUID GUID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_EP_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_EP_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_EP_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_EP_ATTR20GFN_USER_T1

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RP_CREATED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_EP_ATTR20GFN_USER_T2

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RP_CHANGED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_EP_ATTR20GFN_USER_T3

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RP_RESP_USER ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_EP_ATTR20GFN_USER_T4

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RP_PROCESSOR ATTR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_EP_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Response Status Texts

Node 0GRM_RP_ST.0GRM_RP_STATUS_TEXT

Association 0GRM_EP_ATTR20GRM_RP_STATUS_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RP_STATUS ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_EP_ATTR20GFN_USER_T5

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RP_WF_PROCESSOR ATTR Equal

Node Relationship: GRC RM Enhancement Plan Type Texts

Node 0GRM_EP_TYPE_TEXT.0GRM_EP_RESP_TYPE_TE

Association 0GRM_EP_ATTR20GRM_EP_RESP_TYPE_T

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

EP_RESP_TYPE ATTR Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GRM_EP_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

GU_ID RP_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.8 Enterprise Search: Activity

Use

Search and Analytics Model: 0GRM_ESH_ACTIVITY

This search and analytics model is used to get the Activity data for Enterprise Search.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Activity

Technical Name ACTIVITY

DataSource GRRM_S_ESH_AC

6.7.3.2.9 Enterprise Search: Incident

Use

Search and Analytics Model: 0GRM_ESH_INCIDENT

This search and analytics model is used to get the Incident data for Enterprise Search.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Incident

Technical Name INCIDENT

DataSource GRFN_S_IN_ATTR

6.7.3.2.10 Enterprise Search: Response

Use

Search and Analytics Model: 0GRM_ESH_RESPONSE

This search and analytics model is used to get the Response data for Enterprise Search.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Response for enterprise search

Technical Name RESPONSE

DataSource GRRM_S_ESH_RESPONSE

6.7.3.2.11 Enterprise Search: Risk

Use

Search and Analytics Model: 0GRM_ESH_RISK

This search and analytics model is used to get the Risk data for Enterprise Search.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Risk

Technical Name RISK

DataSource GRRM_S_ESH_RS

6.7.3.2.12 Forecasting Horizon Attributes

Use

Search and Analytics Model: 0GRM_FH

This search and analytics model is used to get the Forecasting Horizon data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Forecasting Horizon Attributes

Technical Name 0GRM_FH_ATTR

DataSource 0GRM_FH_ATTR

Operational Data Provider: Forecasting Horizon Attributes

Technical Name 0GRM_FH

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Forecasting Horizon Text

Technical Name 0GRM_FH

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

FH GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC RM Forecasting Horizon Text

Node 0GRM_FH_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

FH_ID ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_FH_ATTR20GFN_USER_TEXT1

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OPENED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_FH_ATTR20GFN_USER_TEXT2

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CLOSED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_FH_ATTR20GFN_USER_TEXT3

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

ARCHIVED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_FH_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CHANGED_BY ATTR Equal

Node Relationship: Forecasting Horizon Status Text

Node 0GRM_FH_STATUS_TEXT.0GRM_FH_STATUS_TEXT

Association 0GRM_FH_STATUS_TEXT20GRM_FH_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

FH_STATUS FH_STATUS Equal

Node Relationship: Forecasting Horizon Analysis Attributes

Node 0GRM_W5_ATTR.0GRM_W5_ATTR

Association 0GRM_W5_ATTR20GRM_FH_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

FH_ID FH_ID Equal

6.7.3.2.13 Incident Attributes

Use

Search and Analytics Model: 0GFN_IA

This search and analytics model is used to get incident attributes.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Incident Attr. Attributes

Technical Name 0GRM_IA_ATTR

DataSource 0GRM_IA_ATTR

Operational Data Provider: GRC RM Incident Attr. Attributes

Technical Name 0GRM_IA

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_IA

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_IA_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_IA_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_IA_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_IA_ATTR20GRM_IN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_ID IN_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.14 Impact Category

Use

Search and Analytics Model: 0GRM_IC

This search and analytics model is used to get the Impact Category data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Impact Category

Technical Name 0GRM_IC_ATTR

DataSource 0GRM_IC_ATTR

Operational Data Provider: GRC RM Impact Category

Technical Name 0GRM_IC

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Loss Impact Category Texts

Technical Name 0GRM_IC

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

IC GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC RM Loss Impact Category Texts

Node 0GRM_IC_CATEGORY_TEX

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IMP_CATG ATTR Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GRM_IC_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IMP_CATG IC_CATEGORY Equal

6.7.3.2.15 Incident

Use

Search and Analytics Model: 0GRM_IN

This search and analytics model is used to get the Incident data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Incident Attributes

Technical Name 0GRM_IN_ATTR

DataSource 0GRM_IN_ATTR

Operational Data Provider: GRC RM Incident Attributes

Technical Name 0GRM_IN

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Incident Texts

Technical Name 0GRM_IN

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

IN GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC RM Incident Texts

Node 0GRM_IN_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

IN_ID IN_ID Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_IN_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_IN_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_IN_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_IN_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_IN_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_RESP_USER ATTR Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GRM_IN_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_ID IN_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GRM_IN_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_ID IN_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Loss Attributes

Node 0GRM_IL.0GRM_IL_ATTR

Association 0GRM_IL_ATTR20GRM_IN_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_ID IN_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_IN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.16 Incident-Loss-Impact Category Assignment

Use

Search and Analytics Model: 0GRM_IN_IL_IC

This search and analytics model is used to get the Risk Management Incident, Loss and Impact Category
assignment data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Incident-Loss-Impact Category assignment

Technical Name 0GRM_IN_IL_IC

DataSource 0GRM_IN_IL_IC

Operational Data Provider: GRC RM Incident-Loss-Impact Category assignment

Technical Name 0GRM_IC_T01

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

IC GRFN_ODP_E GRC ODP authorization for entity level

IL GRFN_ODP_E GRC ODP authorization for entity level

IN GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_IN_IL_IC20GRM_IN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_ID IN_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_IN_IL_IC20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_IN_IL_IC20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_IN_IL_IC20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Impact Category

Node 0GRM_IC.0GRM_IC_ATTR

Association 0GRM_IN_IL_IC20GRM_IC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IC_CATEGORY IMP_CATG Equal

Node Relationship: GRC RM Loss Attributes

Node 0GRM_IL.0GRM_IL_ATTR

Association 0GRM_IN_IL_IC20GRM_IL_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IL_ID IL_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_IN_IL_IC20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_IN_IL_IC20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_IN_IL_IC20GRM_AC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

AC_ID AC_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_IN_IL_IC20GRM_RG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_ID IN_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_IN_IL_IC

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.17 KRI Instance

Use

Search and Analytics Model: 0GRM_KN

This search and analytics model is used to get the KRI Instance data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM KRI Instance Attributes

Technical Name 0GRM_KN_ATTR

DataSource 0GRM_KN_ATTR

Operational Data Provider: GRC RM KRI Instance Attributes

Technical Name 0GRM_KN

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM KRI Instance Texts

Technical Name 0GRM_KN

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

KN GRFN_ODP GRC ODP authorization

Node Relationship: GRC RM KRI Instance Texts

Node 0GRM_KN_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OBJID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_KN_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_KN_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_KN_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_KN_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_KN_ATTR20GFN_USER_TEXT1

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KN_REQUESTOR ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_KN_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KN_PROCESSOR ATTR Equal

Node Relationship: GRC RM KRI Instance Status Texts

Node 0GRM_KN_STATUS.0GRM_KN_STATUS_TEXT

Association 0GRM_KN_STATUS_TEXT20GRM_KN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KN_STATUS ATTR Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GRM_KN_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID KN_ID Equal

TF_FREQ TF_FREQ

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_KN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.18 KRI Instance Values

Use

Search and Analytics Model: 0GRM_KN_KRI_VALUES

This search and analytics model is used to get the KRI instance values.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM KRI (Key Risk Indicator) Values

Technical Name 0GRM_KN_KRI_VALUES

DataSource 0GRM_KN_KRI_VALUES

Operational Data Provider: GRC RM KRI (Key Risk Indicator) Values

Technical Name 0GRM_KRI_T01

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

KN GRFN_ODP GRC ODP authorization

OU GRFN_ODP GRC ODP authorization

RS4 GRFN_ODP_C GRC ODP authorization for complex ID

Node Relationship: GRC RM KRI Instance Attributes

Node 0GRM_KN.0GRM_KN_ATTR

Association 0GRM_KN_KRI_VALUES20GRM_KN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KN_ID OBJID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_KN_KRI_VALUES20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_KN_KRI_VALUES20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_KN_KRI_VALUES20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_KN_KRI_VALUES20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_KN_KRI_VALUES20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_KN_KRI_VALUES20GRM_AC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM KRI Template Attributes

Node 0GRM_KT.0GRM_KT_ATTR

Association 0GRM_KN_KRI_VALUES20GRM_KT_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KT_ID OBJID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_KN_KRI_VALUES20GRM_RG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RG_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_KN_KRI_VALUES

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.19 KRI Template

Use

Search and Analytics Model: 0GRM_KT

This search and analytics model is used to get the KRI template data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM KRI Template Attributes

Technical Name 0GRM_KT_ATTR

DataSource 0GRM_KT_ATTR

Operational Data Provider: GRC RM KRI Template Attributes

Technical Name 0GRM_KT

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM KRI Template Texts

Technical Name 0GRM_KT

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

KT GRFN_ODP GRC ODP authorization

Node Relationship: GRC RM KRI Template Texts

Node 0GRM_KT_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OBJID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_KT_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_KT_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_KT_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM KRI Template Status Texts

Node 0GRM_KT_STATUS.0GRM_KT_STATUS_TEXT

Association 0GRM_KT_STATUS_TEXT20GRM_KT_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KT_STATUS ATTR Equal

Node Relationship: GRC RM KRI Template System Texts

Node 0GRM_KT_SYSTEM.0GRM_KT_SYSTEM_TEXT

Association 0GRM_KT_SYSTEM_TEXT20GRM_KT_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KT_SYSTEM ATTR Equal

Node Relationship: GRC RM KRI Template Component Texts

Node 0GRM_KT_COMP.0GRM_KT_COMP_TEXT

Association 0GRM_KT_COMP_TEXT20GRM_KT_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KT_COMP ATTR Equal

Node Relationship: GRC RM KRI Template Business Process Texts

Node 0GRM_KT_BUSPROC.0GRM_KT_BUSPROC_TEXT

Association 0GRM_KT_BUSPROC_TEXT20GRM_KT_ATT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

KT_BUSPROC ATTR Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GRM_KT_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID KT_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.20 Loss Attributes

Use

Search and Analytics Model: 0GRM_IL

This search and analytics model is used to get the Loss Attributes data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Loss Attributes

Technical Name 0GRM_IL_ATTR

DataSource 0GRM_IL_ATTR

Operational Data Provider: GRC RM Loss Attributes

Technical Name 0GRM_IL

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Loss Texts

Technical Name 0GRM_IL

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

IL GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC RM Loss Texts

Node 0GRM_IL_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

IL_ID IL_ID Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_IL_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_IL_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_IL_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_IL_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_IL_ATTR20GRM_IN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IN_ID IN_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GRM_IL_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

IL_ID IL_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_IL_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.21 Objective

Use

Search and Analytics Model: 0GRM_OB

This search and analytics model is used to get the Objective data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Org. Unit Objective Attributes

Technical Name 0GRM_OB_ATTR

DataSource 0GRM_OB_ATTR

Operational Data Provider: GRC RM Org. Unit Objective Attributes

Technical Name 0GRM_OB

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Org. Unit Objective Texts

Technical Name 0GRM_OB

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

OB GRFN_ODP GRC ODP authorization

Node Relationship: GRC RM Org. Unit Objective Texts

Node 0GRM_OB_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

OBJID OBJID Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OB_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OB_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OB_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OR_ATTR20GRM_OB_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.22 Opportunity Category

Use

Search and Analytics Model: 0GRM_OG

This search and analytics model is used to get the Opportunity Category data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Opportunity Category Attributes

Technical Name 0GRM_OG_ATTR

DataSource 0GRM_OG_ATTR

Operational Data Provider: GRC RM Opportunity Category Attributes

Technical Name 0GRM_OG

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Opportunity Category Texts

Technical Name 0GRM_OG

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

OG GRFN_ODP GRC ODP authorization

Node Relationship: GRC RM Opportunity Category Texts

Node 0GRM_OG_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OG_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OG_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OG_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: Hierarchy nodes

Node 0GRM_OG_HIER.HIERARCHY_ELEMENT

Association HIERARCHY_ELEMENT20GRM_OG_ATTR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OR_ATTR20GRM_OG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR20GRM_OG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GRM_OG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.23 Opportunity Hierarchy

Use

Search and Analytics Model: 0GRM_OG_HIER

This search and analytics model is used to get the Opportunity Hierarchy data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Hierarchy header

Technical Name HIERARCHY_HEADER

DataSource 0GRM_OG_GRMH_HIER

Node Relationship: Hierarchy nodes

Node HIERARCHY_ELEMENT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

HEADERID HEADERID Equal

Node Relationship: Node texts

Node HIERARCHY_FOLDERTEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

FOLDERNAME FOLDERNAME Equal

HEADERID HEADERID Equal

Node Relationship: GRC RM Opportunity Category Attributes

Node 0GRM_OG.0GRM_OG_ATTR

Association HIERARCHY_ELEMENT20GRM_OG_ATTR

Cardinality Up to One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Header texts

Node HIERARCHY_HEADERTEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

HEADERID HEADERID Equal

6.7.3.2.24 Opportunity

Use

Search and Analytics Model: 0GRM_OR

This search and analytics model is used to get the Opportunity data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Opportunity Attributes

Technical Name 0GRM_OR_ATTR

DataSource 0GRM_OR_ATTR

Operational Data Provider: GRC RM Opportunity Attributes

Technical Name 0GRM_OR

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Opportunity Texts

Technical Name 0GRM_OR

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

OR GRFN_ODP GRC ODP authorization

Node Relationship: GRC RM Opportunity Texts

Node 0GRM_OR_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OR_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OR_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OR_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_OR_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Org. Unit Objective Attributes

Node 0GRM_OB.0GRM_OB_ATTR

Association 0GRM_OB.0GRM_OB_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OB_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Opportunity Category Attributes

Node 0GRM_OG.0GRM_OG_ATTR

Association 0GRM_OR_ATTR20GRM_OG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_OR_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OR_RESP_USER ATTR Equal

Node Relationship: GRC RM OU-Activity-Opportunity assignment

Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Association 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OR_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan

Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP

Association 0GRM_OU_AC_OR_RP20GRM_OR_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OR_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Analysis Attributes

Node 0GRM_AL.0GRM_AL_ATTR

Association 0GRM_AL_ATTR20GRM_OR_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OBJID OR_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.25 OU-Activity-Opportunity Assignment

Use

Search and Analytics Model: 0GRM_OU_AC_OR

This search and analytics model is used to get the Activity and Opportunity assignment data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM OU-Activity-Opportunity assignment

Technical Name 0GRM_OU_AC_OR

DataSource 0GRM_OU_AC_OR

Operational Data Provider: GRC RM OU-Activity-Opportunity assignment

Technical Name 0GRM_OR_T01

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

AC GRFN_ODP_C GRC ODP authorization for complex ID

OR GRFN_ODP GRC ODP authorization

OU GRFN_ODP GRC ODP authorization

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_OU_AC_OR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_OU_AC_OR20GRM_AC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

AC_ID AC_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OU_AC_OR20GRM_OR_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OR_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OU_AC_OR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OU_AC_OR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OU_AC_OR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_OU_AC_OR20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Opportunity Category Attributes

Node 0GRM_OG.0GRM_OG_ATTR

Association 0GRM_OU_AC_OR20GRM_OG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.26 OU-Activity-Opportunity-Enhancement Plan

Use

Search and Analytics Model: 0GRM_OU_AC_OR_EP

This search and analytics model is used to get the Activity and Opportunity enhancement plan data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM OU-Activity-Opportunity-Enhancement Plan

Technical Name 0GRM_OU_AC_OR_RP

DataSource 0GRM_OU_AC_OR_RP

Operational Data Provider: GRC RM OU-Activity-Opportunity-Enhancement Plan

Technical Name 0GRM_RP_T01

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

AC GRFN_ODP_C GRC ODP authorization for complex ID

OR GRFN_ODP GRC ODP authorization

OU GRFN_ODP GRC ODP authorization

RP GRFN_ODP_E GRC ODP authorization for entity level

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_OU_AC_OR_RP20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_OU_AC_OR_RP20GRM_AC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Opportunity Attributes

Node 0GRM_OR.0GRM_OR_ATTR

Association 0GRM_OU_AC_OR_RP20GRM_OR_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OR_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OU_AC_OR_RP20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OU_AC_OR_RP20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC RM Enhancement Plan Attributes

Node 0GRM_EP.0GRM_EP_ATTR

Association 0GRM_OU_AC_OR_RP20GRM_EP_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

RP_ID GUID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_OU_AC_OR_RP20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Opportunity Category Attributes

Node 0GRM_OG.0GRM_OG_ATTR

Association 0GRM_OU_AC_OR_RP20GRM_OG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node Value Attribute of Child Node Value Join-Operator

OG_ID OG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.27 OU-Activity-Risk Assignment

Use

Search and Analytics Model: 0GRM_OU_AC_RS

This search and analytics model is used to get the Activity and Risk assignment data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM OU-Activity-Risk assignment

Technical Name 0GRM_OU_AC_RS

DataSource 0GRM_OU_AC_RS

Operational Data Provider: GRC RM OU-Activity-Risk assignment

Technical Name 0GRM_RS_T01

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID    ABAP Authorization Object    Description

AC    GRFN_ODP_C    GRC ODP authorization for complex ID

OU    GRFN_ODP    GRC ODP authorization

RS1    GRFN_ODP_C    GRC ODP authorization for complex ID

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_OU_AC_RS20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_OU_AC_RS20GRM_AC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OU_AC_RS20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OU_AC_RS20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OU_AC_RS20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_OU_AC_RS20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_OU_AC_RS20GRM_RG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RG_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_OU_AC_RS

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.28 OU-Activity-Risk-Incident Assignment

Use

Search and Analytics Model: 0GRM_OU_AC_RS_IN

This search and analytics model is used to get the Activity, Risk, and Incident assignment data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM OU-Activity-Risk-Incident assignment

Technical Name 0GRM_OU_AC_RS_IN

DataSource 0GRM_OU_AC_RS_IN

Operational Data Provider: GRC RM OU-Activity-Risk-Incident assignment

Technical Name 0GRM_IN_T01

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID    ABAP Authorization Object    Description

AC    GRFN_ODP_C    GRC ODP authorization for complex ID

OU    GRFN_ODP    GRC ODP authorization

RS2    GRFN_ODP_C    GRC ODP authorization for complex ID

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_OU_AC_RS_IN20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_OU_AC_RS_IN20GRM_AC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident Attributes

Node 0GRM_IN.0GRM_IN_ATTR

Association 0GRM_OU_AC_RS_IN20GRM_IN_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

IN_ID IN_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OU_AC_RS_IN20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OU_AC_RS_IN20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OU_AC_RS_IN20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_OU_AC_RS_IN20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_OU_AC_RS_IN20GRM_RG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RG_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_OU_AC_RS_IN

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.29 OU-Activity-Risk-Response Assignment

Use

Search and Analytics Model: 0GRM_OU_AC_RS_RP

This search and analytics model is used to get the Activity, Risk, and Response assignment data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM OU-Activity-Risk-Response assignment

Technical Name 0GRM_OU_AC_RS_RP

DataSource 0GRM_OU_AC_RS_RP

Operational Data Provider: GRC RM OU-Activity-Risk-Response assignment

Technical Name 0GRM_RP_T02

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID    ABAP Authorization Object    Description

AC    GRFN_ODP_C    GRC ODP authorization for complex ID

OU    GRFN_ODP    GRC ODP authorization

RP    GRFN_ODP_E    GRC ODP authorization for entity level

RS3    GRFN_ODP_C    GRC ODP authorization for complex ID

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_OU_AC_RS_RP20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Activity Attributes

Node 0GRM_AC.0GRM_AC_ATTR

Association 0GRM_OU_AC_RS_RP20GRM_AC_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

AC_ID AC_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Response Attributes

Node 0GRM_RP.0GRM_RP_ATTR

Association 0GRM_OU_AC_RS_RP20GRM_RP_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RP_ID GUID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_OU_AC_RS_RP20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_OU_AC_RS_RP20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_OU_AC_RS_RP20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC RM Activity Category Attributes

Node 0GRM_CA.0GRM_CA_ATTR

Association 0GRM_OU_AC_RS_RP20GRM_CA_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

CA_ID CA_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association 0GRM_OU_AC_RS_RP20GRM_RG_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RG_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_OU_AC_RS_RP

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.30 Response

Use

Search and Analytics Model: 0GRM_RP

This search and analytics model is used to get the Response data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Response Attributes

Technical Name 0GRM_RP_ATTR

DataSource 0GRM_RP_ATTR

Operational Data Provider: GRC RM Response Attributes

Technical Name 0GRM_RP

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Response Texts

Technical Name 0GRM_RP

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID    ABAP Authorization Object    Description

RP    GRFN_ODP_E    GRC ODP authorization for entity level

Node Relationship: GRC RM Response Texts

Node 0GRM_RP_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

GUID GUID Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_RP_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_RP_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_RP_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_RP_ATTR20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_RP_ATTR20GFN_USER_TEXT1

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RP_CREATED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_RP_ATTR20GFN_USER_TEXT2

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RP_CHANGED_BY ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_RP_ATTR20GFN_USER_TEXT3

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RP_RESP_USER ATTR Equal

Node Relationship: GRC User Texts

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_RP_ATTR20GFN_USER_TEXT

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RP_PROCESSOR ATTR Equal

Node Relationship: GRC RM Response Status Texts

Node 0GRM_RP_ST.0GRM_RP_STATUS_TEXT

Association 0GRM_RP_STATUS_TEXT20GRM_RP_ATTR

Cardinality Arbitrary

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RP_STATUS ATTR Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GRM_RP_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

GUID RP_ID Equal

TF_FREQ TF_FREQ Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_RS.0GFN_RS_ATTR

Association 0GFN_RS_ATTR20GRM_RP_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

RS_ID RS_ID Equal

6.7.3.2.31 Risk-Impact Category Assignment

Use

Search and Analytics Model: 0GRM_RS_IC

This search and analytics model is used to get the risk and impact category assignment data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Risk and Impact Category

Technical Name 0GRM_RS_IC

DataSource 0GRM_RS_IC

Operational Data Provider: GRC RM Risk and Impact Category

Technical Name 0GRM_RP

ODP-Semantics Transaction Data

View Data Extraction

Direct Access Enabled Yes

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_RS_IC20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GRM_RS_IC20GFN_TF_ATTR

Association 0GRM_RS_IC20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_RS_IC20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Organizations Attributes

Node 0GFN_OU.0GFN_OU_ATTR

Association 0GRM_RS_IC20GFN_OU_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OU_ID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Impact Category Text

Node 0GRM_RS_IC_TEXT.0GRM_RS_IC_TEXT

Association 0GRM_RS_IC_TEXT.0GRM_RS_IC_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

IR_ID IR_ID Equal

Node Relationship: GRC Risk Attributes

Node 0GFN_USER_TEXT.0GFN_USER_TEXT

Association 0GRM_RS_IC20GFN_RS_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

RS_ID RS_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Impact Level Texts

Node 0GRM_IML.0GRM_IML_TEXT

Association 0GRM_RS_IC20GRM_IML_TEXT0

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

IR_INH_IML ATTR Equal

Node Relationship: GRC RM Impact Level Texts

Node 0GRM_IML.0GRM_IML_TEXT

Association 0GRM_RS_IC20GRM_IML_TEXT1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

IR_INH_IML ATTR Equal

Node Relationship: GRC RM Impact Level Texts

Node 0GRM_IML.0GRM_IML_TEXT

Association 0GRM_RS_IC20GRM_IML_TEXT1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

IR_INH_IML ATTR Equal

Node Relationship: GRC RM Impact Level Texts

Node 0GRM_IML.0GRM_IML_TEXT

Association 0GRM_RS_IC20GRM_IML_TEXT1

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

IR_RSA_IML ATTR Equal

Node Relationship: GRC RM Impact Level Texts

Node 0GRM_IML.0GRM_IML_TEXT

Association 0GRM_RS_IC20GRM_IML_TEXT

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

IR_RSP_IML ATTR Equal

6.7.3.2.32 Risk Category

Use

Search and Analytics Model: 0GRM_RG

This search and analytics model is used to get the Risk Category data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: GRC RM Risk Category (Risk Group)

Technical Name 0GRM_RG_ATTR

DataSource 0GRM_RG_ATTR

Operational Data Provider: GRC RM Risk Category (Risk Group)

Technical Name 0GRM_RG

ODP-Semantics Master Data Attributes

View Data Extraction

Direct Access Enabled Yes

Operational Data Provider: GRC RM Risk Category Texts

Technical Name 0GRM_RG

ODP-Semantics Texts

View Data Extraction

Direct Access Enabled Yes

Authorization Checks

Check ID ABAP Authorization Object Description

RG GRFN_ODP GRC ODP authorization

Node Relationship: GRC RM Risk Category Texts

Node 0GRM_RG_TEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year

Node 0GFN_TF_YEAR.0GFN_TF_YEAR

Association 0GRM_RG_ATTR20GFN_TF_YEAR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_YEAR TF_YEAR Equal

Node Relationship: GRC Timeframe

Node 0GFN_TF.0GFN_TF_ATTR

Association 0GRM_RG_ATTR20GFN_TF_ATTR

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC Timeframe Year Frequency

Node 0GFN_TF_FREQ.0GFN_TF_FREQ

Association 0GRM_RG_ATTR20GFN_TF_FREQ

Cardinality Exactly One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

TF_FREQ TF_FREQ Equal

Node Relationship: Hierarchy nodes

Node 0GRM_RG_HIER.HIERARCHY_ELEMENT

Association HIERARCHY_ELEMENT20GRM_RG_ATTR

Cardinality Arbitrary

Reverse Cardinality Up to One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM Incident-Loss-Impact Category assignment

Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC

Association 0GRM_IN_IL_IC20GRM_RG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID RG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM KRI (Key Risk Indicator) Values

Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES

Association 0GRM_KN_KRI_VALUES20GRM_RG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID RG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_RS20GRM_RG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk assignment

Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS

Association 0GRM_OU_AC_RS20GRM_RG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID RG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Incident assignment

Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN

Association 0GRM_OU_AC_RS_IN20GRM_RG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID RG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: GRC RM OU-Activity-Risk-Response assignment

Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP

Association 0GRM_OU_AC_RS_RP20GRM_RG_ATTR

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID RG_ID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

6.7.3.2.33 Risk Category Hierarchy

Use

Search and Analytics Model: 0GRM_RG_HIER

This search and analytics model is used to get the Risk Category Hierarchy data.

Technical Data

Model Usage Application Model

Software Component for Search and Analytics GRCFND_A

Root Node: Hierarchy header

Technical Name HIERARCHY_HEADER

DataSource 0GRM_RG_GRMH_HIER

Node Relationship: Hierarchy nodes

Node HIERARCHY_ELEMENT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

HEADERID HEADERID Equal

Node Relationship: Node texts

Node HIERARCHY_FOLDERTEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

FOLDERNAME FOLDERNAME Equal

HEADERID HEADERID Equal

Node Relationship: GRC RM Risk Category (Risk Group)

Node 0GRM_RG.0GRM_RG_ATTR

Association HIERARCHY_ELEMENT20GRM_RG_ATTR

Cardinality Up to One

Reverse Cardinality Arbitrary

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

OBJID OBJID Equal

TF_YEAR TF_YEAR Equal

TIMEFRAME TIMEFRAME Equal

Node Relationship: Header texts

Node HIERARCHY_HEADERTEXT

Association

Cardinality Arbitrary

Reverse Cardinality Exactly One

Sub-query No

Foreign Key

Attribute of Parent Node    Value    Attribute of Child Node    Value    Join-Operator

HEADERID HEADERID Equal

7 Work Centers

Work centers provide a central access point for the entire GRC functionality. They are organized to provide easy
access to application activities, and contain menu groups and links to further activities.

This documentation is structured according to the structures within the individual work centers, and contains
links to further documentation for the menu groups and links.

 Note

The application provides a standard set of work centers. However, your system administrator can
customize them according to your organization's internal structures. Depending on the product or
products that you have licensed, different areas of the GRC application are displayed (SAP Access Control,
SAP Process Control, SAP Risk Management).

7.1 My Home

Use

The My Home work center provides a central location to view and act on your assigned tasks, and accessible
objects: organizations, processes, subprocesses, controls.

The My Home work center contains the following sections:

● Work Inbox [page 323]





 Note

The My Home work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications. The menu groups and quick links available on the screen are determined by the
applications you have licensed. The content in this topic covers the functions specific to SAP Risk
Management. If you have licensed additional products, such as SAP Access Control or SAP Process
Control, refer to the relevant topics below for the application-specific functions.

Activities

The My Home work center allows you to:

● View, access, and address workflow tasks assigned to you, including completed reports that you
scheduled.
● Search for objects and documents for which you have authorization.
● Assign delegates to perform your tasks or activities.
● View and process your user data.

More Information

SAP Process Control-specific topics

Also see the My Home Work Center topic in the documentation for SAP Access Control.

7.1.1 Work Inbox

Use

The Work Inbox lists the tasks you need to process using GRC applications.

Activities

To process a task, choose a hyperlink in the table. The appropriate workflow window appears. Process the task
as required.

The STANDARDVIEW displays the columns.

To change the displayed columns, choose Settings, maintain the columns as required, and save the view.

The new view appears in the View dropdown list.

7.1.1.1 Risk Management Work Inbox

Use

The Work Inbox displays a user's SAP Risk Management task list.

Prerequisites

The SAP Risk Management workflow-enabling activities in Customizing for Governance, Risk and Compliance
under General Settings > Workflow must be maintained.

Features

The SAP Risk Management tasks contain notifications, alerts, and workflows that are triggered at various
stages of the risk management process. You can click on any task in the list to complete the workflow.

More Information

Workflows [page 33]

7.1.2 Ad Hoc Tasks

Use

From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents, and
issues, depending on the applications you have licensed.

Related Information

Proposing a Risk [page 325]


Ad Hoc Risk Escalation [page 326]
Creating Response Proposals [page 327]
Reporting an Ad Hoc Incident [page 328]
Issues [page 331]

7.1.2.1 Proposing a Risk

Use

Proposing risks for an organizational unit or an activity makes sense for users who are not risk experts, that is,
casual users. An employee self-service function is used for this.

In the Propose Risk section, you access a restricted data view for risks and risk categories defined for particular
activity categories. This reduces complexity and helps streamline risk management activities within a
company.

 Note

The Propose Risk function represents a limited set of risk data. For information on the full set of risk data,
see Creating a Risk [page 416].

Procedure

1. In the My Home work center, select Ad Hoc Tasks > Risk Proposals.
2. Enter the name of the risk, the organizational unit, the secondary organizational unit, the risk category to be
assigned to the risk, and a description. If necessary, specify the activity.
3. You may also add a qualitative impact analysis and propose a response to the risk.

 Note

To add the fields Secondary organization unit, Impact and Response to the screen, go to the
customizing activity Governance, Risk and Compliance > Risk Management > Master Data Setup >
Activate Risk/Opportunity Proposal and/or Ad-hoc Escalation.

4. Choose Submit.
5. The system now sends a workflow item to the appropriate user/role for processing. The risk is stored in the
list of system risks with the risk type Proposal and the status Pending Approval.

Working with Risk Proposals

The type of a proposed risk is Proposal until it is converted to a real risk, after which the status changes to Draft
for a saved risk or Active when the risk is submitted. A proposed risk can also be rejected altogether. Proceed
as follows:

1. You can work directly with proposed risks by choosing a risk of the type Proposal from the risk list.
2. In the Risk Proposal screen, you can see the risk that was proposed, and you can choose either the Approve
or the Reject pushbutton.
3. You receive a confirmation of the risk approval or rejection.
○ If approved, the risk is displayed in the list of risks with status Approved.
○ If rejected, the risk is no longer displayed in the list of risks.

Note

A list of proposed risks is displayed in the user's personal object worklist (POWL) under a separate tab,
Proposed Risks.

7.1.2.2 Ad Hoc Risk Escalation

Use

Ad hoc risk escalation is similar to the risk proposal functionality. It enables analysis and direct response when
creating the risk proposal. The escalation is triggered by comparing the analysis data with the
thresholds defined in the organizational unit hierarchy. It is possible to create a new risk (Activate Risk) from
the proposal, and also associate the proposal with an existing risk (Transfer to Risk). When activating or
transferring, you can also generate an analysis and responses.

A personal object work list (POWL) implements the reporting for this functionality.

Prerequisites

You have completed the following customization tasks:

● Set the Validate Risk Proposal task as a general task and activate the workflow linkage:
1. Choose Governance, Risk and Compliance > General Settings > Workflow > Perform Task Specific
Customizing.
2. Expand the GRC node.
3. Select the GRC-RM subnode and choose Assign Agents.
4. Select the Validate Risk Proposal task and choose Attributes....
5. Select General Task and choose Transfer.
6. Choose Back and return to the Task Customizing Overview screen.
7. Select the GRC-RM subnode and choose Activate Event Linking.
8. Expand the Risk Proposal WF node and choose Detail View.
9. Choose Event linkage activated and Continue.
● Enable Ad-hoc Risk Escalation:
1. Choose Governance, Risk and Compliance > Risk Management > Master Data Setup > Activate Risk
Proposal and/or Ad-hoc Escalation.
2. Activate RISK_ADHOC_ESCAL.

Features

You create an ad hoc risk escalation from My Home > Ad-hoc Risk Escalation.

When you Submit a completed Ad-hoc Risk Escalation screen, the system compares the escalation analysis
data with the thresholds defined for the organizational unit. If the impact exceeds the escalation level, the
escalation is automatically forwarded to the upper organizational unit (in some cases, this can be the corporate
organizational unit). The escalation is then sent to the recipient determined by evaluation of the agent slot
0RM_RISK_PROPOSE.

When you, as the nominated agent, open the work item in your Work Inbox, the status changes from Created to
In Process.

In the Ad-hoc Risk Escalation screen that opens, you have the following options:

● Forward
This opens the Forward Ad-hoc Risk Escalation screen, in which you can change the organizational unit. The
escalation is then forwarded to the recipient determined by evaluation of the agent slot
0RM_RISK_PROPOSE for the changed organizational unit.
You can add an explanatory note before forwarding the escalation.
● Reject
When you Submit the Reject Ad-hoc Risk Escalation screen, you must add an explanatory note.
● Transfer
If you want to transfer the escalation to an existing risk, you select the risk and you can also take over some
of the proposed responses. When you select the responses, you are asked to enter the Response Type and,
optionally, the Purpose. The responses are new responses for the risk.
You can also enter an explanatory note.
● Activate
If you decide to take over the analysis, you must specify the risk category to which it is assigned. Based on
the actual analysis profile, the probability and impact are converted to the required representation based on the
customization and threshold setup.
However, if it is a corporate risk escalation, you can select the forecasting horizons that you
want to use. You can also define the impact, but it is not mandatory. Based on the analysis type, the impact and
probability are converted, if required, to values based on the customization and the threshold definition.
In either case, you can also enter an explanatory note.

More Information

● Forecasting Horizons [page 372]

7.1.2.3 Creating Response Proposals

Use

Users can suggest ways to address risks by creating response proposals and submitting them to those
responsible for risk mitigation.

Procedure

To create a response proposal:

1. Go to My Home > Ad Hoc Tasks > Response Proposals.
2. Enter the following information in the Create Response Proposal window:
○ Title (mandatory)
○ Org[anizational] unit
○ Risk
○ Type (mandatory)
○ Purpose
○ Automation type
○ Description
○ Steps
3. Click on Submit.

After the response proposal is submitted, the creator of the proposal receives an e-mail confirmation that the
proposal was successfully submitted — that is, delivered to the work inbox of the person responsible for
mitigating the specified risk. This person can then approve or reject the response proposal.

 Note

Users who are assigned as agents via 0RM_RESPONSE_PROPOSE are authorized to receive and approve or
reject response proposals. The approver can create a response or response template from the response
proposal after approving it. For more information, see Creating a Response or Enhancement Plan [page
459] and Working with Response Templates [page 458].

The creator of the response proposal is notified by e-mail when the response proposal is approved or rejected.

Submitted proposals (including their current status: waiting for approval, approved, or rejected) are listed in
the Proposed Responses tab found in work center Assessments > Risk Assessments > Responses and
Enhancement Plans. Click on the name of the response proposal to review its contents.

7.1.2.4 Reporting an Ad Hoc Incident

Context

In the My Home work center, you can report incidents in an ad hoc manner if they are urgent or need
immediate attention. You can enter or post incidents; however, in the case of ad hoc incidents, you access a
simplified user interface for posting an individual incident. The full functionality for creating incidents can be
accessed from the Incident Management section of the Assessments work center.

Note

An ad hoc risk proposal or posting of an incident might affect an organization's ability to continue as a
going concern. In this case, the monetary effect of the respective losses (due to an incurred risk) would be
high, and might require immediate action.

Procedure

1. Call the My Home work center and then choose the Incidents link under Ad Hoc Tasks.
2. In the Report Incident screen, enter the incident name, select an organization, and enter the incident date
and the detection date.

Note

For the full processing of incidents and the prerequisites involved, see Working with Incidents [page
485].

3. If necessary, enter a description and the incident attributes.
4. If you select Define Loss, the lower screen section displays loss details and loss impact data for which you
can make entries. At the right, you can add loss attributes if necessary.
5. Make the necessary entries and choose the Submit pushbutton.
6. The incident is submitted and goes through the necessary workflow processing. For more
information, see Workflow for Recording Incidents [page 329].

7.1.2.4.1 Workflow for Recording Incidents

Prerequisites

The following prerequisites must be fulfilled before you can use the workflow functionality for incidents:

● An incident or incidents must exist in the system.
● Incident and loss attributes must be maintained and assigned to the corresponding organizational unit in
Customizing under Risk Management > Incident Loss Database.
● The corresponding roles and workflow enabling must be maintained in Customizing under General
Settings > Workflow.

Procedure

The procedure for recording incidents is as follows:

1. The incident is created with the initial status Draft.
2. After the incident is submitted, it has the status To Be Validated and the workflow goes to the incident
validator or validators defined for Risk Management.
3. The incident validator is identified via agent determination [page 36], which can lead to one or multiple
groups of validators being determined.
4. The incident is sent to the members of one group after the other.
5. As soon as one validator of a group validates the incident, it goes to the next group of validators for
validation. This continues until one member of each group has validated the incident. Once the incident is
validated by all groups, it goes to status Accepted.
6. If one validator sends the incident for rework, the validation process is interrupted and the incident needs
to be reworked by the user specified by the validator sending for rework. The status is To Be Reworked.
7. After the reworker has resubmitted the incident, the validation process restarts with the first group of
validators.
8. The reworker also has the option of refusing the incident, which sets the incident at status Canceled.

Incident Validation Workflow
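
The validation sequence described above can be modelled as a small state machine that enforces who may act at each step. This is an added example, not SAP code: the status names are taken from the procedure, while the class, method and user names are hypothetical, and the refusal to submit without any validator group is an assumption.

```python
# Added example: a model of the incident validation workflow described above.
# Status names come from the page; all class, method and user names are hypothetical.
from dataclasses import dataclass, field
from typing import List, Optional, Set

DRAFT = "Draft"
TO_BE_VALIDATED = "To Be Validated"
TO_BE_REWORKED = "To Be Reworked"
ACCEPTED = "Accepted"
CANCELED = "Canceled"


class WorkflowError(Exception):
    """The action is not allowed in the current status or for this user."""


@dataclass
class Incident:
    name: str
    # Ordered validator groups, as agent determination would return them.
    validator_groups: List[Set[str]]
    status: str = DRAFT
    group_index: int = 0            # group that currently holds the work item
    reworker: Optional[str] = None
    history: list = field(default_factory=list)

    def _record(self, actor: str, action: str) -> None:
        self.history.append((actor, action, self.status))

    def _current_validator(self, actor: str) -> None:
        if self.status != TO_BE_VALIDATED:
            raise WorkflowError(f"not awaiting validation (status {self.status})")
        if actor not in self.validator_groups[self.group_index]:
            raise WorkflowError(f"{actor} is not in validator group {self.group_index + 1}")

    def _current_reworker(self, actor: str) -> None:
        if self.status != TO_BE_REWORKED or actor != self.reworker:
            raise WorkflowError(f"{actor} is not the nominated reworker")

    def submit(self, actor: str) -> None:
        if self.status != DRAFT:
            raise WorkflowError("only a draft can be submitted")
        if not self.validator_groups:
            # Assumption: the page does not say what happens without validators.
            raise WorkflowError("agent determination returned no validators")
        self.status, self.group_index = TO_BE_VALIDATED, 0
        self._record(actor, "submit")

    def validate(self, actor: str) -> None:
        # One member per group is enough; the item then moves to the next group.
        self._current_validator(actor)
        self.group_index += 1
        if self.group_index == len(self.validator_groups):
            self.status = ACCEPTED
        self._record(actor, "validate")

    def send_for_rework(self, actor: str, reworker: str) -> None:
        # Any validator of the current group can interrupt validation.
        self._current_validator(actor)
        self.status, self.reworker = TO_BE_REWORKED, reworker
        self._record(actor, "send_for_rework")

    def resubmit(self, actor: str) -> None:
        # Earlier approvals are discarded: validation restarts with group 1.
        self._current_reworker(actor)
        self.status, self.group_index, self.reworker = TO_BE_VALIDATED, 0, None
        self._record(actor, "resubmit")

    def refuse(self, actor: str) -> None:
        self._current_reworker(actor)
        self.status, self.reworker = CANCELED, None
        self._record(actor, "refuse")


def attempt(action, *args) -> bool:
    """Run a workflow action; return False if the workflow rejects it."""
    try:
        action(*args)
        return True
    except WorkflowError:
        return False


def demo() -> list:
    # Constructed data: two validator groups and a reporter.
    inc = Incident("Constructed incident", [{"VAL_A1", "VAL_A2"}, {"VAL_B1"}])
    inc.submit("REPORTER")
    attempt(inc.validate, "VAL_B1")          # rejected: group 2 cannot act first
    inc.validate("VAL_A2")                   # group 1 done
    inc.send_for_rework("VAL_B1", "REPORTER")
    inc.resubmit("REPORTER")                 # back to group 1
    inc.validate("VAL_A1")
    inc.validate("VAL_B1")                   # last group -> Accepted
    return [status for _, _, status in inc.history]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The history list doubles as an audit trail: each entry records who acted, what they did, and the status that resulted.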

7.1.2.5 Issues

Use

Issues that did not arise from an evaluation-based test can be a question, action item, or planned task. An issue
can be prompted by compliance or business events or result from identifying a problem area. An issue can be
created for any object, depending on the configuration done through the Customizing activities.

If an Issue Owner or an object has not been identified, the issue is sent to the Issue Administrator. This person
can then assign an owner, an object or both. The Issue Administrator or the designee then processes the issue.

Prerequisites

Complete the Customizing activities at Governance, Risk and Compliance > Common Component Settings >
Ad Hoc Issues.

Procedure

1. Navigate to My Home > Ad Hoc Tasks > Issues.
2. Select Create and enter the Issue Details:
○ Issue Name (required)
○ Description (required) – Provide any details about the issue.
○ Priority (required) – Options are high, medium, or low.
○ Object Type – Select the correct object type.
○ Object Name
○ Owner – Enter the object owner name, or use the search functionality to select the owner.

Note

An object owner is not required. If this field is left blank, the issue is routed to the issue
administrator.

○ Source
○ Issue Date (required)
○ Due Date
○ Notes
3. If you need to gather information, save your issue as a draft and return to complete it later.
4. Choose Add to select a regulation from the dialog box on the Regulation tab.
5. Attach files or links on the Attachment and Links tab.
6. Choose Save Draft to save changes or Cancel to abort the session. If the issue was raised in error, you can
void the issue.
7. Choose Submit after you have completed all information.

Ad Hoc Issue Web Service

Web service GRFNAHISSUEIN is provided to create ad hoc issues and trigger workflows to the issue admin.

The following parameters are defined in the web service:

| Type | Parameter | Description |
|---|---|---|
| Input Parameters | IvIssueName | Issue name |
| Input Parameters | IvIssueDesc | Issue description |
| Input Parameters | IvIssueReporter | Name of the issue reporter |
| Output Parameters | RvCode | Returns value “0” if the issue is generated successfully, and value “4” if not |
| Output Parameters | EtMessage | Returns a message about the information of issue generation |

7.1.3 My Objects

Use

 Note

The My Objects section is shared by the SAP Risk Management and SAP Process Control applications.
Based on the applications you have licensed, you may see only a subset of the objects listed below.

You can view and manage objects to which you have access using the My Objects section of the My Home work
center. Specifically, you can view and maintain the following objects:

● My Processes: View and maintain all local organizations, processes, subprocesses, and controls for which
you are responsible
● My Risks: View all risks for which you are the owner or for which you have change authorization
● My Responses: View and maintain all responses for which you are the author or processor, or for which you
have change authorization
● My Incidents: View and maintain all incidents for which you have change authorization
● My iELCs: View and maintain all local indirect entity-level control groups (iELC groups) and indirect entity-
level controls (iELCs) for which you are responsible
● My Policies: View all policies that pertain to your responsibilities, including policies that were either created
by you or require your review or approval
● Open Issues: View all open issues on objects for which you have reporting authorization, including
evaluation test issues and ad hoc issues
● Open Remediation Plans: View all open remediation plans and corrective and preventive action (CAPA)
plans for which you have reporting authorization

More Information

My Risks [page 333]

My Responses [page 333]

My Incidents [page 333]

My Policies [page 334]

7.1.3.1 My Risks

Under the My Home work center, you can see all the risks for which you are the owner and for which you have
change authorization under My Objects > My Risks.

Related Information

Risks and Opportunities [page 416]

7.1.3.2 My Responses

Under My Responses, you can maintain all the responses for which you have change authorization.

For more information, see Risk Responses and Enhancement Plans [page 455].

7.1.3.3 My Incidents

Under My Incidents, you can maintain all the incidents for which you have change authorization.

For more information, see Incident Management [page 484].

7.1.3.4 My Policies

Use

The My Policies section contains the policies that pertain to your responsibilities (either created by you or
requiring your review or approval).

Under the My Home work center, you can see all the policies with your involvement under My Objects > My
Policies.

More Information

● Using a Policy as a Risk Response [page 475]

7.1.4 Embedded Search

Use

The Embedded Search function in SAP Process Control and SAP Risk Management allows you to search for
objects and documents in a browser-based user interface. The search results include basic information of
objects and documents with hyperlinks, through which you can directly access the related applications and
documents.

Features

In SAP Process Control and SAP Risk Management, the following objects are available for search:

 Note

SAP Process Control objects and functions are only available if you have licensed the SAP Process Control
application in addition to SAP Risk Management.

● Account Group
● Activity
● Ad-hoc Issue
● Assessment
● Business Rule
● Control
● Documents
● Incident
● Indirect Entity-Level Control
● Issue
● Objective
● Organization
● Policy
● Process
● Response
● Risk
● Subprocess
● Test History

You can configure Embedded Search by activating and deactivating these objects in Customizing activity Open
Administration Cockpit under Governance, Risk and Compliance > General Settings > Search.

Activities

To use the Embedded Search:

1. Go to My Home > Search > Embedded Search.
2. Enter your search query and choose Search.

You can use the advanced search function to specify the search scope, save your search terms, and hide/show
search criteria. You can filter the search results by choosing the categories on the left side.

7.1.5 My Delegation

Context

You can authorize another business user to perform your tasks, exercise your access rights, and specify the
duration of the delegation.

 Caution

Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business
users. If power users need to delegate their authorization to others, they must ask the IT department to
assign the PFCG role SAP_GRC_FN_ALL to specified users. This delegation is not entity-dependent.

Procedure

To delegate your tasks and access rights to another user, proceed as follows:

1. From the My Home work center, choose Delegation > My Delegation.

The Assign Own Delegate screen displays your existing delegations. You can create a new delegation, open
and edit an existing delegation, or delete a delegation.
2. To create a new delegation, choose Create.

The Own Delegation screen displays.
3. In the Delegate User field, select the value help pushbutton to display the User List dialog box. Enter or
search for a user name.

Note

Wildcards (*) are supported in a search.

4. Select a user name and choose OK. The system completes the Delegator and User ID fields.
5. For the Delegation Period the following points apply:
○ The Start Date field defaults to the date the delegation is created. You can change this field.
○ The End Date field defaults to unlimited (December 31, 9999). You can change this field. If you accept
the default of an unlimited End Date, you can change the date later or delete the delegation when it is
no longer needed.

To edit an existing delegation, proceed as follows:

6. Choose the delegation assignment.
7. Choose Open.

The Own Delegation screen appears. You can only change the End Date.
8. Choose Save.

To delete an existing delegation, proceed as follows:

9. Choose the delegation assignment and choose Delete.

The system prompts you to confirm the deletion.
10. Choose Yes.
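
The End Date default described in step 5 leaves a delegation in force indefinitely unless someone changes or deletes it. The following added example, which is not part of the SAP documentation, reviews a constructed list of delegation records for open-ended, overlong and expired entries and shows whose rights each delegate currently holds; the record layout, user IDs, inclusive date handling and the 90-day limit are assumptions.

```python
# Added example: review of delegation records for open-ended or stale grants.
# The record layout, user IDs and the 90-day limit are assumptions for illustration;
# the page does not describe how delegations are stored or exported.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

UNLIMITED = date(9999, 12, 31)      # default End Date named on the page


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    start: date
    end: date = UNLIMITED


def is_active(d: Delegation, on: date) -> bool:
    # Assumption: both the start and the end date are inclusive.
    return d.start <= on <= d.end


def review(delegations, today: date, max_days: int = 90):
    """Return (finding, delegator, delegate) tuples, sorted for stable output."""
    findings = []
    for d in delegations:
        if d.end == UNLIMITED:
            findings.append(("OPEN_ENDED", d.delegator, d.delegate))
        elif (d.end - d.start).days > max_days:
            findings.append(("EXCEEDS_MAX_PERIOD", d.delegator, d.delegate))
        if d.end < today:
            # Expired entries grant nothing but were never deleted.
            findings.append(("EXPIRED_NOT_DELETED", d.delegator, d.delegate))
    return sorted(findings)


def rights_held(delegations, today: date) -> dict:
    """Map each delegate to the delegators whose rights they can exercise today."""
    held = defaultdict(set)
    for d in delegations:
        if is_active(d, today):
            held[d.delegate].add(d.delegator)
    return {user: sorted(sources) for user, sources in held.items()}


# Constructed sample records.
SAMPLE = [
    Delegation("ALICE", "BOB", date(2019, 9, 1)),                    # default end date kept
    Delegation("CAROL", "BOB", date(2019, 9, 15), date(2019, 10, 15)),
    Delegation("DAVE", "ERIN", date(2019, 1, 1), date(2019, 8, 31)),
    Delegation("FRANK", "GRACE", date(2019, 6, 1), date(2019, 7, 1)),
]

if __name__ == "__main__":
    today = date(2019, 10, 1)
    for finding in review(SAMPLE, today):
        print(*finding)
    print(rights_held(SAMPLE, today))
```

A delegate who appears with several delegators in `rights_held` combines the access of all of them for as long as the delegation periods overlap.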

7.1.6 Additional User Experience Features

These features allow you to access the most commonly used applications, view user-specific entity data and
status, search for objects, and perform various other tasks.

SAP Process Control and SAP Risk Management provide the following features:

● Entry Page [page 337]
● Side Panel [page 338]

7.1.6.1 Entry Page

Use

Entry page is a role-based Web Dynpro home page that provides user-specific contents and easy access to the
most commonly accessed work center items. Entry page can be configured according to specific user
behaviors. Entry page consists of containers and Collaborative Human Interface Parts (CHIPs). You can
personalize the entry page by adding or removing containers and CHIPs.

Entry page is available for the following roles:

Note

SAP Process Control roles are only valid if you have also installed and possess a license for the SAP Process
Control application.

● Internal Audit Manager (SAP Process Control)
● Internal Control Manager (SAP Process Control)
● Corporate Risk Manager (SAP Risk Management)
● Operational Risk Manager (SAP Risk Management)

More Information

For more information about available SAP Risk Management CHIPs, see GRC CHIP Catalog [page 338]

7.1.6.2 Side Panel

Use

 Note

The following information is only relevant if you have licensed SAP Process Control.

Side panel is a CHIP-based widget-type panel that can be accessed from an existing Web Dynpro application. It
provides additional information and easy access to work center items.

In SAP Process Control, side panel is user-specific. It is available for the following users:

● Internal Audit Manager
● Internal Control Manager
● Organization Unit Owner

In Process Control, you can configure the side panel for My Processes for a single role or a group of roles using
the Customizing activity Configure Side Panel for My Process under Governance, Risk and Compliance >
General Settings > UI Settings.

More Information

GRC CHIP Catalog [page 338]

7.1.6.3 GRC CHIP Catalog

Use

A CHIP (Collaborative Human Interface Part) is a small, widget-type, encapsulated, stateful piece of software
that can be combined in a layout with other CHIPs to form a page or a panel. Entry page and side panel are both
implemented using the CHIP technology.

The following CHIPs are available in SAP Risk Management (and in SAP Process Control, if you have installed
and possess a license for the SAP Process Control application):

| CHIP | Technical Name | Description | Use Suggestion |
|---|---|---|---|
| Ad Hoc Issues for Audit Actions | GRFN_ACTION_ADISSUE_LIST_CHIP | Display a list of ad hoc issues for audit actions | Use in entry page |
| Audit Action and Ad Hoc Issue | GRFN_ACTION_ISSUE_CHIP | Allows you to view ad hoc issues under specified audit actions | Use in side panel |
| Audit Dashboard | GRFN_DAB_AUDITABLE_CHIP | Provides risks and audit proposal information in graphics | Use in entry page |
| Audit Dashboard: Risks by Auditable Entities | GRFN_DAB_AUDITABLE_RISKS | Provides risk information by auditable entities in graphics | Use in entry page |
| Audit Dashboard: Audit Proposals by Auditors | GRFN_DAB_AUDITABLE_APA | Provides audit proposal information by auditors in graphics | Use in entry page |
| Audit Dashboard: Audit Proposals by Auditable Entities | GRFN_DAB_AUDITABLE_APAE | Provides audit proposal information by auditable entities in graphics | Use in entry page |
| Audit Plan Proposal | GRFN_UIBB_AP_CHIP | Displays the information of a specific audit plan proposal | Use in side panel |
| Audit Proposal | GRFN_UIBB_AU_CHIP | Displays the information of a specific audit proposal | Use in side panel |
| Criteria Data | CRITERIA_CHIP_4_ENTRY_PAGE | Used together with other CHIPs to provide criteria data for entry page | Use in entry page |
| Evaluation Status (Pie View) | GRPC_CHIP_EVAL_STAT | Presents the status of evaluations in graphics | Use in side panel |
| Evaluation Status (Column View) | GRPC_CHIP_EVAL_STAT_COLUMN | Presents the status of evaluations in graphics | Use in entry page |
| Issue Status (Pie View) | GRPC_CHIP_ISSUE_STAT | Presents the status of issues in graphics | Use in side panel |
| Issue Status (Column View) | GRPC_CHIP_ISSUE_STAT_COLUMN | Presents the status of issues in graphics | Use in entry page |
| Open Issues | GRFN_OPEN_ISSUE_CHIP | Displays open issues according to a specific object, such as subprocess, control, etc. | Use in side panel |
| POWL Wrapper | GRFN_WD_POWL_CHIP | Common POWL Wrapper | Use in entry page |
| POWL List | GRFN_POWL_LIST_CHIP | POWL List CHIP | Use in entry page |
| Risk Heatmap | GRRM_CHIP_HEATMAP | Displays risks by level and impact in matrix | Use in entry page |
| Subprocess/Control | GRFN_SP_CONTROL_CHIP | Displays information of a single subprocess or control | Use in side panel |
| Timeframe Filter | GRFN_TIMEFRAME_FILTER_CHIP | A filter used together with other CHIPs | Use in entry page |
| Passed/failed of Control | GRRM_CHIP_PASS_FAIL_CNTL | Displays the passed/failed status of controls that are used in risks as response | Use in the side panel of risk OIF |
| Open Issues | GRRM_CHIP_OPEN_ISSUE | Displays the ad-hoc issues | Use in entry page |
| New Entered Risks in the last 14 days | GRRM_CHIP_NEW_RISKS | Displays newly entered risks in the last 14 days | Use in entry page |
| Risk heat map | GRRM_CHIP_HEATMAP | Displays risk heat map | Use in entry page |
| Incomplete Response | GRRM_CHIP_INCOMP_RESPONSE | Displays incomplete responses | Use in entry page |
| Planner | GRRM_CHIP_PLANNER | Displays the planner tasks status | Use in entry page |
| Scope Selection | GRRM_CHIP_SCOPE | Provides the selection of date and organization, which will be used as a scope for other chips in the entry page | Use in entry page |
| Top Risks | GRRM_CHIP_TOP_RISKS | User report CHIP Top Risks (Variant of GRRM_R5) to get the top risks | This chip is not used in the default delivery |
| Workflow Monitor | GRRM_CHIP_WI_MONITOR | Monitors all the work inbox tasks for all users in the system. Only the power user who has the authorization is allowed to do this activity. | This chip is not used in the default delivery |
| Recent Loss Events | GRRM_OB_CHIP_RECENT_LOSSES | Displays the recent Loss Events from Banking created during the last 14 days | Use in entry page |
| Top Losses | GRRM_OB_CHIP_TOP_LOSSES | Risk Banking Top Losses displays the Top 5 loss events comparing with Estimated Loss | Use in entry page |
| Loss Event Workflow Pipeline | GRRM_OB_CHIP_WF_PIPELINE | Displays the Loss Event Workflow in the form of Pipeline and table list | Use in entry page |

More Information

For more information about standard SAP CHIPs, see .

For more information about creating CHIPs, see .

7.2 Master Data

Use

The Master Data work center provides a central location to manage and view the organization structure,
regulation and policies, catalog of objectives, and catalog of risks and responses.

The Master Data work center contains the following sections:

● Organizations [page 342]
● Regulations and Policies [page 350]
● Objectives [page 359]
● Activities and Processes [page 361]
● Risks and Responses [page 365]
● Forecasting Horizons [page 372]
● Consistency Checks [page 376]
● Reports [page 380]

 Note

The Master Data work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications in the SAP governance, risk and compliance (GRC) solutions. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in
this topic covers the functions specific to SAP Risk Management. If you have licensed additional products,
such as SAP Access Control or SAP Process Control, refer to the relevant topics in the respective
application help for the application-specific functions.

More Information

: SAP Process Control-specific topics

7.2.1 Organizations

Definition

Use

You can use the functions on the Organizations screen to create and maintain an organizational structure within
the application that mirrors the organizations in your company.

Integration

● If you have licensed SAP Risk Management, SAP Process Control and SAP Access Control and want to use
them for the same organization, the applications must share a common organizational view. Complete the
Customizing activity Maintain Organization Views, under Governance, Risk, and Compliance > General
Settings > Workflow.
● To create the root organization and its first child organization in the specified organization view, complete
the Customizing activity Create Root Organization Hierarchy, under Governance, Risk, and Compliance >
General Settings > Workflow.

More Information

See the Organizations topic in the application help for SAP Access Control.

Process Control – .

Working with Organizational Units [page 343]

7.2.1.1 Working with Organizational Units

Use

In the Organizations area of the Master Data work center, you can maintain the organizational structure for your
company. This includes setting up initial roles and responsibilities and the initial definition of certain risk
management details for the respective organizational unit, such as line of business, country, and legal entity.

 Note

If you have licensed both SAP Risk Management and SAP Process Control, and want to use them for the
same organization, both applications must share a common organizational hierarchy.

Prerequisites

The following prerequisites must be fulfilled before you can work with organizational units:

● You must define the following in Customizing:
○ Parent organization
○ Currency
○ Units of measure
○ Risk appetite
○ Impact categories / impact levels
● To assign roles, you must carry out the Customizing activity Maintain Entity Role Assignment, under
General Settings > Authorizations. For more information, see Entering Risk-Specific Organization Data
[page 345].
● If you want to maintain objectives, a hierarchy of objectives must exist in the Risk Management application.
● If you want the Issues tab to display for organizational units, you must also carry out the Customizing
activity Enable Ad Hoc Issues by Object Type, under Common Component Settings > Ad Hoc Issues.
● If you are using SAP workflow functions, you must ensure that the corresponding roles are assigned to
specific agent slots (business events) in the Customizing activity Maintain Custom Agent Determination
Rules, under General Settings > Workflow. For more information, see Workflows [page 33].

Procedure

Adding or Copying Organizations

1. Open the Organizations screen under Master Data > Organizations.
2. On the Organizations screen, you can create a hierarchy with organizations and carry out various functions
for them.

Note

The View field enables you to switch between different views of the organizational entities in a hierarchy
by making a selection in this dropdown field. You can also select by date to see organizational units that
were created on an earlier date.

3. To create an organization in the hierarchy, put the cursor on the parent organization or on the organization
for which you wish to create a child organization. The screen of the organization opens.
4. Choose Add. You are prompted to specify whether you want to create a new organization or reuse an
existing organization:
○ If you create a new organization, proceed as described in the section Working with the Organization
Tabs below.
○ If you want to reuse an existing organization, choose Reuse existing organization. Then select the
organization that you want to reuse and choose OK. After this, select the organization in the overview
screen and proceed as described below.

Working with the Organization Tabs

1. On the General tab, enter a name for the organization and the currency that your organization uses. This is
the consolidation currency to be used for risk aggregation. Change the valid-to date if necessary.
2. On the Policies tab, you can see the policies that have been created for this organization. For more
information about policies, see .
3. On the Objectives tab, add the objectives that correspond to your company strategy. For more information,
see Business Objectives Hierarchy [page 359].
4. On the Key Risk Indicators tab, specify the Assigned Key Risk Indicators and Business Rules for the
organization.
When creating Assigned Key Risk Indicators, you can choose to add a Standard KRI Instance, a Score-based
KRI Instance, or a Manual KRI Instance. For more information, see Managing Organizational Key Risk
Indicators [page 346].
5. On the Units of Measure tab, you must specify the unit of measure to be used in your organization. This is
necessary for defining conversion factors for each impact category defined in Customizing. Select an
impact category from the dropdown field. Then choose Create and choose the unit of measure. The
abbreviation field populates automatically. Enter the conversion factor to be used if you are not using a
monetary unit of measure.
6. On the Risk Appetite tab, select the degree of risk-taking that is to be applied when individual risks are
entered into the system. If desired, you can specify a monetary value as the upper limit for this.
7. On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can
specify the lower and upper limit for each impact level in monetary terms. For more information, see
Entering Risk-Specific Organization Data [page 345].

Note

You must enter the lower and upper limits per impact level in ascending order. This means that the
greater the impact level, the higher the quantitative/monetary effect.

8. On the Roles tab, you can assign users to individual roles, as well as replace or remove them. For more
information, see Entering Risk-Specific Organization Data [page 345].
9. When you are finished, save the data for your organization.

7.2.1.1.1 Entering Risk-Specific Organization Data

Use

On the Organizations screen under Master Data > Organizations, you can enter the following risk-specific
data for your organization:

● Business objectives
● Risk appetite
● Risk thresholds (referring to risk impact levels and monetary values)
● Risk-specific roles

Prerequisites

The following Customizing activities must be carried out:

● Maintain Objective Categories
● Maintain Risk Appetite
● Maintain Impact Categories
● Maintain Impact Levels
● Maintain Entity Role Assignment (to assign risk-specific roles to the organization)

Procedure

Specify Business Objectives

1. On the Objectives tab, add the objectives that correspond to your company strategy.
2. Save your entries.

For more information on objectives, see Objectives Hierarchy [page 359].

Specify the Risk Appetite

For your organization, you can specify the degree of risk-taking that is to be applied when individual risks are
entered into the system.

1. On the Risk Appetite tab, select the qualitative appetite from the dropdown options.
2. If desired, you can specify a monetary value as the upper limit for the qualitative appetite.
3. Save your entries.

Define Risk Thresholds per Impact Level

On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can
specify the lower and upper limit for each impact level in monetary terms.

1. Put the cursor on an impact level line and enter the values in the fields below this table, moving from the
lowest to the highest impact level.

2. If necessary, enter a description for each impact level you define.
3. Save your entries.
4. When finished, you can see that the lowest limit remains at zero and the uppermost limit stays blank.

Assign Risk-Specific Roles

On the Roles tab, you can assign users to individual roles, as well as replace or remove them.

Note

These roles are added to the organizational unit during implementation and Customizing. For more
information, see Risk Management Application Roles [page 31].

Before assigning roles, check that the roles you want to assign exist in the Customizing activity Maintain Entity
Role Assignment.

Note

If you are using SAP Workflow, you must also ensure that the roles you assign have been assigned to
specific agent slots (business events) in the Customizing activity Maintain Custom Agent Determination
Rules.

To assign users to an organizational unit in the application, proceed as follows:

1. Access Master Data > Organizations > Organizations. The list of organizations is displayed.
2. Make sure that the Date field contains the current or a future date. If necessary, change it and choose the
Apply pushbutton.

Note

Role assignment for the past is not permitted.

3. Open the organization to which you want to assign roles.
4. On the Roles tab of the organization screen, select the line of the role to which you want to assign a user.
5. Then choose the Assign pushbutton. In the dialog box that displays, you can now search for and select the
user to be assigned to this role. You can also remove or replace the role for a user by choosing the
corresponding pushbuttons.
6. Save your entries.

7.2.1.1.2 Managing Organizational Key Risk Indicators

Use

You can assign one or more key risk indicators (KRI) to an organization. This is known as a KRI instance. In this
way, you can automatically identify risks in organizations and escalate them to risk owners for immediate
attention if necessary.

Prerequisites

● You have created a KRI implementation.
● You have maintained the corresponding activities for timeframes and frequencies in Customizing under
Governance, Risk and Compliance > General Settings > Key Attributes.

Procedure

Creating Standard KRI Instances

1. When managing an organization, choose the Key Risk Indicators tab and choose Create Standard KRI
Instance in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using
the drop-down lists.
7. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
8. In the Selection Table, modify the KRI implementation settings, as required.
9. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
   1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
      Specify the title and the file name of the attachment, and choose the OK pushbutton.
   2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
      Specify the title and the path of the link, and choose the OK pushbutton.
10. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose from among the following options:
○ Choose the Activate pushbutton to set the status as Active for the KRI instance.
○ Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor
(to the KRI liaison defined in the Risk Management workflows, for example). The dialog closes and the
Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the
workflow item, it returns to your inbox for processing or approval, among other options. For more
information, see Workflow for KRI Instance Localization Request [page 395].
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.

Creating Score-Based KRI Instances

1. Choose the Key Risk Indicators tab and choose Create Score-based KRI Instance in the Assigned Key
Risk Indicators section.
The Create KRI Instance dialog appears.

2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Last Execution Date field, choose the appropriate execution date using the drop-down lists.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
6. Choose the Rule tab to specify the business rule for the KRI instance.
Using the Mapping and Expression tabs, enter the calculation parameters for the KRI business rule.
You can specify the Expression as either a Formula or a Decision Table using the Rule Type drop-down
menu. After you are finished, you can check the syntax, test the rule, or access the SAP NetWeaver
BRFplus workbench (see https://help.sap.com/viewer/9737050ef01843f19572591b42128f1b/7.40.18/en-US).
7. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
   1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
      Specify the title and the file name of the attachment, and choose the OK pushbutton.
   2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
      Specify the title and the path of the link, and choose the OK pushbutton.
8. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.

Creating Manual KRI Instances

1. Choose the Key Risk Indicators tab and choose Create Manual KRI Instance in the Assigned Key Risk
Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
6. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
   1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
      Specify the title and the file name of the attachment, and choose the OK pushbutton.
   2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
      Specify the title and the path of the link, and choose the OK pushbutton.
7. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.

More Information

For more information about specifying business rules, see Creating KRI Business Rules [page 393].

7.2.1.2 Threshold Browser

Use

The threshold browser is a tool to browse and maintain thresholds on organizational units, activities, and risk
categories. For organizational units, it allows the maintenance of the standard impact thresholds, the risk
summary thresholds, and risk appetite. For activities and risk categories, you can only maintain the risk
summary thresholds.

These thresholds are used in the ad-hoc risk escalation process. For more information, see Ad Hoc Risk
Escalation [page 326].

Prerequisites

To maintain the risk summaries in the threshold browser, the appropriate entity must have a Determination
Attribute of Individual Value in SAP Customizing under Governance, Risk and Compliance > Risk Management >
Master Data Setup > Risk Summary Settings. If the Determination Attribute is Central Value for a particular
entity, the risk summary is read-only in the threshold browser for that entity.

Activities

In the threshold browser navigation pane, you can select the organizational unit, activity, or risk category from a
list or a hierarchical tree.

In the right-hand pane, you can maintain the risk thresholds, risk summary thresholds, and risk appetite. Once
you have defined the thresholds and appetite, you have the option to copy them to:

● The clipboard
● All children of the current entity
● All entities on the same level
● All entities

If you copy the thresholds to the clipboard, you can navigate to another entity and use the Paste option to
enter the copied thresholds for that entity.

In the header area, you can save and cancel all changes that have been made. You can also change the focus
date for which all data is displayed and maintained. If you change the focus date, all changes are saved or
discarded. If you change the focus date to a date in the past, changes are no longer allowed and all threshold
data is shown in read-only mode.

More Information

● Ad Hoc Risk Escalation [page 326]

7.2.2 Regulations and Policies

Use

Regulations and Policies give you visibility into your compliance landscape.

Related Information

Regulations [page 350]
Policies [page 351]

7.2.2.1 Regulations

Definition

Use

In the regulation hierarchy, you document which compliance initiatives your company supports. For each
compliance initiative, you can document the regulation and its requirements. After defining a new regulation,
you specify the subprocesses and controls that are relevant to that regulation.

Structure

The Regulations section allows you to:

● Review and document your compliance initiatives in one place
● Organize your compliance initiatives into groups

Example

You have a group of financial compliance initiatives that could include SOX, J-SOX, and IDS or a group of
operational compliance initiatives that include FDA and Life Sciences regulations.

Maintain your regulation hierarchy to the individual requirement level. For example, you can maintain SOX
compliance down to the regulation requirement SOX 302. If you maintain regulation requirements, you can
assign them to controls and track the affected requirements at the control level.

Related Information

Policies [page 351]

7.2.2.2 Policies

Use

A policy is a set of principles, rules, and guidelines that are formulated or adopted by an organization to reach
its long-term goals. Policies are designed to influence major decisions and actions, and all activities take place
within the boundaries set by them. They are used in both the SAP Process Control and SAP Risk Management
applications.

A policy contains a written description of an organization's position on important subjects and its response to
specific situations. Policies support managerial decision-making, to help the company achieve its objectives.
Policies are an element of a complete governance process. This process involves an analysis of regulations,
best practices, and corporate business objectives, after which they are codified into policies affecting the
business actions of all employees.

Policies need to be created, reviewed, approved, and distributed; there is an ongoing process of policy
acknowledgment, self-assessment, and updates. Policies must be managed throughout their lifecycle.

Prerequisites

According to your business needs, complete the Customizing activities under Governance, Risk, and
Compliance > Common Component Settings > Policy Management.

Related Information

Creating a Policy Group [page 352]
Creating a Policy [page 353]
Reviewing a Policy [page 355]
Approving a Policy [page 357]
Publishing a Policy [page 358]

7.2.2.2.1 Creating a Policy Group

Procedure

You must create a policy group before you can create a policy.

1. Choose Master Data > Regulations and Policies > Policies.
2. Choose Create Policy Group.
The Policy Group screen displays.
3. Complete the following fields:

Policy Group fields

| Field Name | Description |
|---|---|
| Group Name (required) | Create a distinctive Group Name. |
| Description (optional) | Enter information to tell users the contents of the Policy Group. |
| Approval Survey (required) | Select the survey from the dropdown. Note: You must have previously created an Approval Survey in the Survey Library. |
| Valid From (required) | Enter the starting date. |
| Valid To (required) | Enter the ending date. |

4. Choose Save and Close.

Related Information

Creating a Policy [page 353]
Reviewing a Policy [page 355]
Approving a Policy [page 357]
Publishing a Policy [page 358]

7.2.2.2.2 Creating a Policy

Prerequisites

You must create a policy group before you can create a policy.

Context

Policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term
goals.

Example

A Global Travel Policy is one example of a business policy. The goal might be to reduce costs and increase
efficiency by mandating that everyone in the company adhere to this policy.

Procedure

1. Choose Master Data > Regulations and Policies > Policies.
2. Choose the Policy Group where you want to add the policy.
3. Choose Create Policy.
4. Select a Policy Object Type and choose OK.

Note

The Policy Object Types are configured during the Customizing activity Maintain Policy Types and
Distribution Methods under Governance, Risk, and Compliance > Common Component Settings >
Policy Management.

5. Complete the fields on the General tab.

Policy — General tab

| Field Name | Description |
|---|---|
| Name (required) | Create a distinctive policy name. |
| Description (optional) | Enter information to tell users the contents of the policy. |
| Distribution Methods (required) | Select Acknowledgement, Quiz or Survey. If you choose Quiz or Survey, you must specify a template from the Survey Library. An e-mail is sent to the recipients with a PDF attachment, showing the required actions. |
| Purpose (required) | State the reason for the policy. |
| Policy Category (optional) | Select the categories this policy belongs to. |
| Date (optional) | Enter the date. |
| Assignment Method (optional) | Select Assign Directly, Inherited, Localized, or Superseded. |
| Responsible Organization (required) | Enter the organization responsible for the policy. |
| Created by (optional) | The default is the person who created the policy. |
| Created On (optional) | The default is today's date. |
| Valid From (required) | Enter the first date of effectiveness for the policy. |
| Valid To (required) | Enter the last day of effectiveness for the policy. |
| Date for Next Revision (optional) | Enter the date for the next revision. This date must be between the Valid From and Valid To dates. |
| Note (optional) | Enter any material that might be helpful to approvers or reviewers. |

6. Select the Policy Document tab. Attach the actual policy documents (Word files, Excel files, images) that
contain the written policy. The policy documents may reside in SAP Document Management Systems
(DMS) or you may include links to documents residing in external DMS.
7. Select the Policy Scope tab.

You document who is in scope and subject to the policy. You may also explicitly specify who is excluded
from the scope of this policy. Define which Organizations, Processes (contained in the Organization),
Activities, People (can be roles, user groups, or specific users) or Exclusions you want to identify (text field).
This is who receives the policy when it is published.
8. Select the Risks tab.

This is the risk associated with the nonadherence to the policy. If the company is not compliant with the
policy, this is the risk that could occur.
9. Select the Controls tab.

Assign the controls or indirect entity-level controls that pertain to the policy.
10. Select the Policy Sources tab.

Specify the sources or the reasons and motivations behind the creation of the policy. Default choices are
provided. Add or remove sources as needed.

Note

The Policy Sources are configured during the Customizing activity Maintain Policy Source Categories
under Governance, Risk, and Compliance > Common Component Settings > Policy Management.

11. Select the Issues tab.

If there are any ad hoc issues related to this policy that need to be addressed, they will be displayed in this
tab.
12. On the Roles tab you can assign users to individual roles (such as Policy Owner, Policy Approver and Policy
Reviewer), as well as replace or remove them. To assign a user, select the line of the role to which you want
to assign a user. Then choose Assign. In the dialog box then displayed, you can search for and select the
user to be assigned to this role. You can assign multiple approvers and reviewers.
13. Select the Review and Approval tab to view the status or the approvals. If you did not assign specific
reviewers or approvers, the Default Approvers (usually the Organization Owner — the owner of the
organization specified in the Policy Scope tab) are asked to approve the policy.
14. Choose Save.
15. Decide if you can immediately Submit for Approval or if you need to Send for Review.

Next Steps

● Please also see the Using a Policy as a Risk Response topic in the documentation for SAP Risk
Management.

7.2.2.2.3 Reviewing a Policy

Prerequisites

Policy reviewers were set up by the policy owner (author of the policy).

Context

After the policy owner submits the newly created policy for review, the policy review workflow is sent to the
reviewer. If the policy owner has set up more than one reviewer, then a parallel policy review workflow is sent to
all the reviewers at once.

Procedure

1. Choose My Home > Work Inbox.
2. Select a policy to review. You see the same tabs that are used to create a policy. Read the material
contained in the tabs to understand the scope, history, and potential risks of the policy.
3. Submit comments as needed for specific tabs.
4. Review any comments on the Review and Approval tab. Add any general comments here. The text length is
virtually unlimited.

Note

If you accept the policy draft with no changes, then comments are optional. Before submitting the
comments, the reviewer can delete comments he or she has entered. The reviewer cannot delete
comments entered by other reviewers. Once a reviewer submits a comment, it cannot be modified or
deleted.

5. After the comments have been submitted, the policy owner can see all comments in a compiled format.
The policy owner revises the policy draft based on the review comments. As long as the policy owner does
not submit the policy for approval, reviewers can continue to enter comments by selecting the Review
Policy link in their Work Inbox.

Related Information

Creating a Policy Group [page 352]
Creating a Policy [page 353]
Approving a Policy [page 357]
Publishing a Policy [page 358]
Using a Policy as a Risk Response [page 475]

7.2.2.2.4 Approving a Policy

Prerequisites

The policy approvers must be set up by the policy owner or the default approvers may be determined by the
workflow engine (based on the organizations and processes assigned to the policy).

Note

● If the policy applies to an organization, then that organization owner becomes the default approver.
Since all the users in the organization are subject to this new policy, the organization owner must
approve it.
● If the policy applies to a certain process and/or subprocess, then the respective owner becomes the
default approver. Since all the users in the process and/or subprocess are subject to this new policy,
the process/subprocess owners must approve it.
● There may be other roles assigned to the policy approver role in the configuration, for a certain
organization, process or subprocess, who also receive the approval workflow.

Context

After the policy owner ensures that all the review comments have been incorporated, the owner submits the
final draft of the policy for approval. One or more approvers may be responsible for this policy, as determined
by the workflow engine and as specified by the policy owner. The defined approvers receive the approval
workflow in their GRC Inbox.

Procedure

1. Choose My Home > Work Inbox.
2. Select a policy to approve. You see the same tabs used to create a policy. Read the material contained in
the tabs to understand the scope, history, and potential risks of the policy.
3. Review any comments on the Review and Approval tab. If an Approval Survey has been created, it is located
here and requires answers. Add any general comments here.
4. Decide if you need to Save Draft, Close, Send Back for Rework, Reject or Approve the policy.
5. You now have the following options:
○ Approve: The approver may (optionally) provide comments to the policy owner. The approver may also
attach supporting documents or links. The policy owner is notified that the policy has been approved.
If this policy receives approvals from all approvers, then the policy is ready to be published directly. Or,
this setting can be modified through the Customizing activities so that instead of all approvers, only
one approver is required for the policy to be approved and published to the policy library.

○ Reject: The approver has to provide comments to the policy owner. The approver may also attach
supporting documents or links. The policy owner is notified that the policy has been rejected. The only
choice for the policy owner is to create a new policy and start again.
○ Send Back for Rework: The approver has to provide comments to the policy owner. The approver must
provide suggestions (for example, a structured list) for improving the policy and any expected
changes. The approver may also attach supporting documents or links. The policy owner is notified
that the policy has been sent for rework. The policy owner has to amend the policy and resubmit it for
approval.
○ Save Draft: Save your comments or attachments and complete the approval process at a later time.
○ Close: Close the policy and complete actions at a later time. No changes are saved.
6. Select Close.

Related Information

Creating a Policy Group [page 352]
Creating a Policy [page 353]
Reviewing a Policy [page 355]
Publishing a Policy [page 358]
Using a Policy as a Risk Response [page 475]

7.2.2.2.5 Publishing a Policy

Prerequisites

The policy must have been reviewed by the policy reviewers and approved by the policy approvers. After
approval, the policy is published directly.

Context

A new policy is published to the Policy Library and is then available to all authorized users for viewing and is
available for distribution and policy attestation.

Procedure

1. Navigate to the Assessments work center.

2. Select the Planner to schedule the policy distribution.

Note

The Distribution Method (Quiz, Survey, or Acknowledgement) is also defined when the policy is
created.

Related Information

Creating a Policy Group [page 352]
Creating a Policy [page 353]
Reviewing a Policy [page 355]
Approving a Policy [page 357]
Using a Policy as a Risk Response [page 475]

7.2.3 Objectives

Depending on the applications you have licensed, in the Objectives section of the Master Data work center, you
can maintain control objectives and business objectives.

For more information about control objectives, see the corresponding topic in the SAP Process Control
application help, .

Related Information

Business Objectives Hierarchy [page 359]

7.2.3.1 Business Objectives Hierarchy

Use

Managing and assessing risks across the organization are important tasks for companies that must adhere to
legal compliance requirements or use management best practice frameworks with risk management
methodologies. Business practice has shown that the connection between risks and objectives provides
greater visibility for the management team during risk reporting. By creating a hierarchy of your company's
objectives, you can link or associate the objectives with impact categories defined for risks.

In the same way as the vision and mission of an organization describe the top-level desired state of the
organization, objectives describe critical, actionable, and measurable components of that desired state within
the context of organizational perspectives.

In SAP Risk Management, you can create a strategy to describe your company's primary and dependent
objectives, which are defined in a time-dependent manner. By structuring your objectives in a hierarchy, you
can obtain a clear breakdown on the business side of your company's strategic and operational objectives.

Prerequisites

● You have maintained the corresponding objective categories in Customizing.
● To create a hierarchy of objectives, you must first create the objective strategy.

Procedure

After you create an objective strategy, you can create individual objectives to assign to this strategy. Proceed
as follows:

1. Call Master Data > Objectives > Business Objectives.
2. The Objectives Hierarchy window displays, with a list of the defined objectives.
3. First create a strategy for your objectives by choosing Create Strategy. Enter a name for the
strategy, select an objective category and describe the objective, then save it.

Note

You cannot assign an organizational unit to the objective here. Instead, you must assign existing
objectives when you create an organizational unit. These are displayed in the Objectives screen after
saving. For more information, see Entering Risk-Specific Organization Data [page 345].

4. Now choose this strategy again from the list and choose Create Objective. Create an objective for
the strategy, and save the strategy. This procedure can be repeated as frequently as necessary.
5. Save the objective.

More Information

See SAP Strategy Management documentation in the SAP Help Portal at https://help.sap.com by searching for
SAP Strategy Management and choosing Application Help for SAP Strategy Management. In the application
help, choose Administration > Connectors.

7.2.4 Activities and Processes

The Activities and Processes section in the Master Data work center is where you maintain your company's
activities, business processes, subprocesses, and controls. Depending on what applications you have licensed,
it contains the following links:

● Activity Hierarchy [page 362]

7.2.4.1 Activities

Use

An activity is any project, process, or object within your business or organization that might be affected by a
specific risk.

After creating activity categories structured in an activity hierarchy, you can create individual activities for the
activity types defined in Customizing and assign them to the activity categories in the hierarchy. At defined
intervals, for example, the activities affected by specific risks can subsequently be evaluated per activity
category in reporting.

Typical types of activities are:

● Processes: Potentially all operational and administrative processes within an enterprise.
● Projects: Potentially all internal and customer projects.
● Objects: Refers to generic activities that are neither a project nor a process.

You can define all the activities that need to be monitored through dedicated risk management procedures, in
this way structuring risk management in different areas of the business. These structures can later be used for
reporting.

You must assign all activities to an activity category.

Prerequisites

Activity types must have been maintained in Customizing under Risk Management > Master Data Setup.

Features

For each activity, you can do the following:

● Specify the activity category and validity period, as well as enter relevant constraints and assumptions for
the activity.

● Assign users/roles responsible for processing the activity.
● Link the corresponding risks and opportunities identified for that activity.
● Display any surveys to be executed for the activity.
● Display and print out a PDF fact sheet with relevant activity information.

Note

Activities are time-dependent objects. If the valid-to date has elapsed, you do not see these activities in the
corresponding list, since they have expired. However, you can still evaluate them in reporting.

More Information

● Creating Activity Categories [page 364]
● Creating an Activity [page 478]
● Activity Hierarchy [page 362]

7.2.4.1.1 Activity Hierarchy

Use

In the Activities and Processes section of the Master Data work center, you can define a hierarchy to structure
the activities in your organization that involve risks. In this way, you can define the scope of risk management
activities within your company, making them transparent, in particular for reporting purposes. You do this by
defining risk-relevant activity categories. The research and development projects of your organization could be
one activity category, for example.

 Note

If you have also licensed the SAP Process Control application and you want to see the processes of SAP
Process Control in the SAP Risk Management activity hierarchy, proceed as described in Reuse of PC
Central Process Hierarchy in RM [page 16].

Prerequisites

In Customizing, you must maintain activity types for your organization.

Features

In the Activity Hierarchy section, you can do the following:

● Create and delete activity categories


● View and edit activity category details
● Assign risk and opportunity categories to an activity category

Example

Sample global activity hierarchy showing assigned risks

The above example shows how risks are assigned. First, the activity type defined in Customizing called
business processes is used to create an activity category called Financials. Then for Organizational Unit 1, this
activity category is used to define the two activities of budgeting and consolidation. The budgeting activity has
two risks allocated to it: Overspending and Budget not approved.

More Information

For more information about activity creation, see:

● Activities [page 477]

● Creating Activity Categories [page 364]

7.2.4.1.2 Creating Activity Categories

Use

By creating activity categories and structuring them in an activity hierarchy, you can group your business
processes or other planning objects. You can subsequently use these activity types to structure your activity
hierarchy and activity reports.

Prerequisites

The Customizing activity Maintain Activity Types must be maintained.

Procedure

To maintain the activity hierarchy, choose Master Data > Activities and Processes > Activity Hierarchy. The
Activity Hierarchy screen appears. In the dropdown box at the top left, you can see the different activity types
maintained in Customizing.

 Note

If you have implemented both the SAP Risk Management and SAP Process Control applications, the
activity hierarchy selection screen contains the defined SAP Risk Management activity hierarchies as well
as the SAP Process Control processes, which you can access in display mode.

Proceed as follows to create an activity hierarchy:

1. From the dropdown list, select an activity type to be used for creating the activity category, and then
choose the Create pushbutton.
2. In the screen that opens, enter the name of the activity category and if necessary a description.
3. If you want to allow the assignment of activities to this activity category, set the corresponding indicator to
Yes.
4. On the Risk Classification tab, you can assign risk categories to this activity category by clicking the Assign
pushbutton.
5. On the Opportunity Classification tab, you can assign opportunity categories to this activity category in the
same way.

6. Save your data. The activity category is included in your activity hierarchy.

7.2.5 Risks and Responses

Definition

The Risks and Responses section of the Master Data work center enables you to maintain your organization's
risk, opportunity, and response catalogs. It contains the following Quick Links:

● Risk Catalog
● Opportunity Catalog
● Response Catalog

Related Information

Risk Catalog [page 365]


Opportunity Catalog [page 370]
Classifying Risks, Opportunities, and Responses [page 366]

7.2.5.1 Risk Catalog

Use

Classifying risks within a catalog containing a clear risk hierarchy provides you with a structured view of all risks
of your company. You can classify risks according to the categories of risks that you wish to track, and carry out
reporting, for example, to evaluate the risks per risk category defined for your company.

Features

For each risk category you define, you can define individual risk templates. You can use these templates when
actual risks are created. Risk templates only have drivers and impacts defined for them, but no further data.

You can subsequently carry out reporting, for example, to evaluate the risks per risk category.

The graphic below shows some risk templates and their assignment to user-defined risk categories.

In the Risks and Responses section of the Master Data work center, you can work with the following features:

● Create and delete risk templates and risk categories.


● View and edit risk template and risk category details.
● Specify driver and impact categories for a risk template, and assign KRIs.

For more information about risk catalogs, see Classifying Risks, Opportunities, and Responses [page 366].

 Note

The risk categories created can also be used for Risk Management reporting.

7.2.5.1.1 Classifying Risks, Opportunities, and Responses

Use

By structuring your organization's risks, opportunities and responses into individual categories, you can obtain
a clear structure of all enterprise-wide objects created. The following types of catalogs can be created; the
documentation below describes risk catalog maintenance, and opportunity and response catalog maintenance
is carried out similarly.

● Risk Catalog [page 365]: A Classification Hierarchy is provided by the system, below which you can define
individual risk categories. You can also create risk templates [page 368] to assign to the risk categories you
have defined. These risk templates are used to capture the most important reusable risk data in your
organization.
● Opportunity Catalog [page 370]: The same kind of structure enables you to create opportunity categories,
and within them, opportunity templates to be used for repetitive opportunities created in the system.
● Response Catalog: In this catalog, you create response templates [page 458] to be used for responses that
are entered frequently.

 Note

When you create a risk with a template in the risk application itself, you are accessing the risks created in
the Risk Catalog. A risk template has no analysis and no responses linked to it, and is to be used when
creating the actual risks in the risk application.

Prerequisites

Drivers and impact categories for risks must be maintained in Customizing.

Procedure

To maintain the risk catalog, choose Master Data > Risks and Responses > Risk Catalog. The Risk Catalog
screen appears. Then proceed as follows:

Creating a Risk Category

1. To add a risk category to the hierarchy, select a node of the classification hierarchy as the level you want to
create the category in. Then choose Create Risk Category .
2. In the dialog box, enter the name and description of the risk category, and decide whether to allow
assignment of this risk category to an activity category.
3. On the KRI Template tab, you can assign an existing KRI template to this risk category.
4. On the Allowed Dimensions tab, you can specify the dimensions and context values to be used with this risk
category. For more information, see Working with Contexts [page 480].
5. Save the risk category.

Creating a Risk Template

1. To create a risk template, select a risk category from the Risk Catalog Classification overview screen and
choose Create Risk Template . For more information, see Creating a Risk Template [page 368].
2. When finished, save your data.

More Information

● Creating a Risk [page 416]


● Creating KRI Templates [page 384]
● Working with Contexts [page 480]

7.2.5.1.2 Creating a Risk Template

Use

A risk template is used to streamline the risk assessment process and reduce manual effort during risk
identification. A risk template has no analysis and no responses linked to it, and serves as a model for actual
risk creation. It is useful if you have several similar risks to create.

 Note

You create an opportunity template in the same way as you create a risk template.

Prerequisites

● Risk drivers and impact categories have been maintained in Customizing.


● A parent risk category has been maintained in the risk classification application.
● A risk analysis profile must be maintained in Customizing.

Procedure

To create a risk template, proceed as follows:

1. Call the Master Data work center and then choose Risk Assessments Risks and Responses Risk
Catalog .

 Note

To create an opportunity template, choose the Opportunity Catalog link.

2. In the Risk Catalog screen, click Create Risk Template . Note that the cursor must first be on a risk
category and may not be on the uppermost Classification Hierarchy node if there are no categories below it.
3. In the General tab, enter the Event Name (the name of the risk template you are creating), then change the
valid-to date and enter a comment if necessary.
4. Add the necessary drivers and impacts in the lower screen section.

 Note

If you create a risk using a risk template, existing customer-defined fields can also be taken over into
the template.

5. The next tab, Risk Instances, has no fields ready for input. It displays the risks that were created using this
template, so it can only be accessed after you have created at least one risk with this template. If risks
exist, the Open pushbutton enables you to call the risk directly from this tab, after you have put your cursor
on the line of the risk.
6. In the Response Templates tab, you can assign or remove a response template to be used with the risk
template.
7. In the Central Controls tab, you can assign or remove a control from SAP Process Control to a template (if
you also have a license for SAP Process Control). A central control is a control assigned to a central
subprocess. A central subprocess and central control can be assigned to different organizations for
different regulations. For more information about working with controls, see the SAP Process Control
application help topic. After assignment, the control can be used as a response to a risk in the shared risk
catalog.
8. In the Context tab, you can specify the dimensions and context values that link the risk template with other
areas or system objects. You can select to view the context attributes in table form, graphic form, or as
Crystal reports. For more information, see Working with Contexts [page 480].
9. When finished, save the risk template. It is now ready for use with your risks.

Result

The risk template has been created for use when you create individual risks in the application.

More Information

● Creating a Risk [page 416]


● Creating a Risk from a Template [page 419]
● Distributing a Risk Template [page 369]

7.2.5.1.3 Distributing a Risk Template

Procedure

You can use a risk template with several different kinds of objects, such as Risk Management activities or
organizational units defined for Risk Management. In this way, you can create an instance of the risk template.

1. From the Risk Catalog screen under Master Data > Risks and Responses, open the classification
hierarchy to a lower level and choose a risk template.

2. Choose Actions > Distribute.
3. A guided procedure is displayed in which you enter the validity dates for which this distribution is to be
applied.
4. Select a distribution method as follows:
○ Copy: Any risk field can be changed after the template has been copied to the risk.
○ Reference: Some risk fields are read-only, since they are only referenced and not copied.
5. After choosing Next, you select the targets — that is, the organizational units — for which the risk template
is to be used. Depending on where you position the cursor, you can select a higher-level or a lower-level
organizational unit.
6. Choose Next again. You can see your selection in the lower section and must confirm it via the Finish
pushbutton.

Result

The risk template has been distributed for use over the corresponding objects and is ready for use.

7.2.5.2 Opportunity Catalog

Use

You can create a hierarchy to structure your company's opportunities into opportunity categories within an
opportunity catalog. An opportunity can be regarded as the upside of a risk.

Besides maintaining an opportunity hierarchy, you can also define individual opportunity categories and
opportunity templates to be used when defining opportunity categories.

Prerequisites

You must have maintained the corresponding benefit and driver categories in Customizing.

Features

When you create an opportunity category, you also allow assignment to an activity category. Note the following:

● An opportunity category is similar to a risk category and is assigned to an individual opportunity.


● An opportunity template can be used when you create an individual opportunity. An opportunity template
has drivers and benefits assigned to it, which can be passed on to the opportunities you create.

More Information

Creating an Opportunity [page 454]

7.2.5.2.1 Creating an Opportunity Category and Template

Use

You create opportunity categories and templates in the Risks and Responses section in the Master Data work
center.

Procedure

1. From the Master Data work center, choose Risks and Responses > Opportunity Catalog.
2. On the Opportunity Catalog screen that appears, choose Create Opportunity Category.
3. On the General tab, enter the following:
○ Mandatory information:
○ Name
○ Valid from date
○ Valid to date
○ Optional information:
○ You can enter a description for the opportunity category.
○ You can choose whether an assignment of opportunities is allowed for this opportunity category.
○ You can assign the opportunity category to an analysis profile.
You create or modify analysis profiles in Customizing under Risk Management > Risk and
Opportunity Analysis > Maintain Analysis Profile.

 Note

You can review the attributes of existing analysis profiles by choosing the Analysis Profile Detail
link adjacent to the Analysis Profile dropdown menu.

4. On the Attachments and Links tab, you can attach documents and web links.
5. On the Allowed Dimensions tab, you can assign a context to be used with this opportunity category.
6. When finished, save your data.

Creating an Opportunity Template

 Note

You create an opportunity template only from an existing opportunity category.

1. From the Master Data work center, choose Risks and Responses > Opportunity Catalog.

2. Choose an existing opportunity category in the list.
3. Choose Create Opportunity Template. The opportunity template creation screen appears.
4. On the General tab, enter the following information:
○ Name
○ Description
○ Valid from date
○ Valid to date
○ Benefits and drivers, if any
5. On the Opportunity Instances tab, you can see the list of opportunity instances that have been created
based on this opportunity template.
6. On the Allowed Dimensions tab, you can assign a context to use with this opportunity template.
7. On the Attachments and Links tab, you can attach documents and web links.
8. When finished, save your data.

7.2.6 Forecasting Horizons

Use

The forecasting horizon defines the period for which a forecast is prepared, that is, the interpretation context
for the risk assessment, with respect to the current date.

Depending on the legal requirements a risk management organization has to fulfill, a risk assessment along an
adequate forecasting horizon might be required. The definition for an adequate forecasting horizon varies,
depending on the type of risk (going concern, substantial), the customer’s business and the industry (for
example, process or project oriented).

This function allows you to maintain your forecasting horizons.

More Information

● Maintaining Forecasting Horizons [page 372]


● Leading Forecasting Horizon for Risk Categories [page 375]

7.2.6.1 Maintaining Forecasting Horizons

Use

Forecasting horizon maintenance includes the creation, editing and deletion of forecasting horizons. Once
forecasting horizons are created, you can define which ones are to be opened or closed. Closed forecasting
horizons can be archived.

The Overview Screen

Choose Master Data > Forecasting Horizons > Forecasting Horizon Maintenance.

For each forecasting horizon, the overview screen displays the following:

● Horizon name
● Status
The following statuses are possible:

Status | Meaning
Draft | You can change the text and delete the forecasting horizon in this status.
Open | The forecasting horizon is used for analysis input. Opened forecasting horizons are ready for input and analysis; the mandatory field is considered.
Closed | The forecasting horizon is no longer used for input, but it is still displayed (read only) on the analysis tab.
Archived | The forecasting horizon is no longer visible on the analysis tab, but it is still available for reporting.

The status can change only in the sequence Draft to Open to Closed to Archived. Each change takes effect
as soon as it is saved.

● Analysis Mode
This defines whether the evaluation of the forecasting horizon is Quantitative or Qualitative.
● Mandatory
This refers to whether the forecasting horizon is mandatory for input when used in DRS-5 (Deutscher
Rechnungslegungs Standard – German accounting regulations – Number 5) analysis.

For maintaining forecasting horizons, on the overview screen you can perform the following functions:

● Create or Edit
Opens a dialog box where you can enter or change the Horizon name, the optional Description and select
the Mandatory check box for a forecasting horizon with a Draft status.
● Delete a draft forecasting horizon
● Open or Close a forecasting horizon
See Working with Forecasting Horizons, below.
● Archive a closed forecasting horizon
● Send an e-mail Notification to a list of recipients, which is a collection of agents determined by the agent
slot 0RM_RISK_ASSESSMENT for all risks of type DRS-5
● Display an Action Log of all forecasting horizon maintenance
The action log shows all the actions executed, together with a time stamp and the user who executed each
action.

Procedure

Working with Forecasting Horizons

In the overview screen, choose Open and Close. The Open and Close Forecasting Horizons guided activity
opens:

1. Close Horizons.
The system displays a list of open forecasting horizons. Choose the forecasting horizons to close by
selecting the appropriate check box in the Close column.
Choose Next.
2. Open Horizons.
The system displays a list of draft forecasting horizons. Choose the forecasting horizons to open by
selecting the appropriate check box in the Open column.
Choose Next.
3. Roll forward.
This step determines how each forecasting horizon initializes after Open and Close. The system lists all
currently-open forecasting horizons as Target Horizons. Use the dropdown lists to select Source Horizons
for each.
Choose Next.
4. Execution.
This step determines how and when to execute the Open and Close. You can choose immediate execution
or you can schedule for a specific date and time. If you choose immediate (online) execution, the
operations occur immediately after the confirmation step. Scheduling the job for a specific time means
that you can shift the forecasting horizons overnight or at weekends.
Choose Next.
5. Review.
Review your changes and any error or other messages that are displayed. You can use Previous to go back
and make any necessary changes.
Choose Next.

 Note

Changes that you make become effective immediately and cannot be reversed.

6. Confirmation.
If you have chosen immediate execution, the operation starts immediately. Any error messages are
displayed directly on the Confirmation screen. For example, when opening and closing forecasting
horizons, it is possible that some leading forecasting horizons, defined on Risk Categories, are no longer
valid. You can start the correction report directly from the Confirmation screen.
Error messages are also written to the Action Log for later processing. If you choose to schedule the
operation, messages are only written to the Action Log.

 Note

From a business point of view, it is not reasonable to execute more than one shift per day, because
reporting occurs only once a day and no history can be kept of multiple changes.

If you have scheduled an Open and Close, the maintenance transaction is locked to prevent the changing of
draft forecasting horizons. The only actions that are available on the Overview screen are:

● Cancel Job to cancel the scheduled job

● Notification
● Action Log

More Information

● Forecasting Horizons [page 372]


● Leading Forecasting Horizon for Risk Categories [page 375]

7.2.6.2 Leading Forecasting Horizon for Risk Categories

Use

This option provides an overview of the leading forecasting horizons selected for risk categories. You can
easily identify whether some risk categories are using, for example, archived horizons, which is not allowed, or
missing horizons.

Activities

Choose Master Data > Forecasting Horizons > Leading Forecasting Horizon for Risk Categories.

The Leading Forecasting Horizon Consistency Check for Risk Categories report is displayed. You can use the
Filter to limit the display to include only forecasting horizons that are:

● Open
● Closed
● Closed and Archived
● Not defined

If you identify any inconsistencies in the report, choose Edit, which opens the Edit Leading Forecasting Horizon
for Risk Categories screen. In this screen, you can propose a different leading forecasting horizon where
required. You can do this individually for each risk category or select multiple risk categories and use the mass
selection option in the toolbar to change all the selected risk categories.

Choose Save and the entered values are checked for consistency.
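The status sequence from Maintaining Forecasting Horizons and the leading-horizon check described above can be modeled as follows. This is an added example, not SAP code: the class, method and horizon names are hypothetical, and the sketch assumes that only archived or undefined leading horizons count as inconsistent.

```python
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    DRAFT = "Draft"
    OPEN = "Open"
    CLOSED = "Closed"
    ARCHIVED = "Archived"


# The only sequence the documentation allows: Draft -> Open -> Closed -> Archived.
NEXT_STATUS = {
    Status.DRAFT: Status.OPEN,
    Status.OPEN: Status.CLOSED,
    Status.CLOSED: Status.ARCHIVED,
}


class HorizonError(Exception):
    """Raised when an action is not permitted in the horizon's current status."""


class HorizonRegistry:
    def __init__(self):
        self.status = {}      # horizon name -> Status
        self.action_log = []  # (UTC time stamp, user, action, horizon name)

    def _log(self, user, action, name):
        self.action_log.append((datetime.now(timezone.utc), user, action, name))

    def create(self, name, user):
        if name in self.status:
            raise HorizonError(f"{name} already exists")
        self.status[name] = Status.DRAFT
        self._log(user, "Create", name)

    def delete(self, name, user):
        # Only a draft horizon may be deleted.
        if self.status[name] is not Status.DRAFT:
            raise HorizonError(f"{name} is {self.status[name].value}, not Draft")
        del self.status[name]
        self._log(user, "Delete", name)

    def advance(self, name, target, user):
        # Reject skipped steps, backward moves and no-op changes alike.
        current = self.status[name]
        if NEXT_STATUS.get(current) is not target:
            raise HorizonError(f"{name}: {current.value} to {target.value} is not allowed")
        self.status[name] = target
        self._log(user, f"Set {target.value}", name)

    def leading_horizon_report(self, leading):
        """Map each risk category to the status of its leading horizon.

        `leading` maps risk category -> horizon name (or None). A missing or
        unknown horizon is reported as "Not defined".
        """
        report = {}
        for category, horizon in leading.items():
            state = self.status.get(horizon)
            report[category] = state.value if state is not None else "Not defined"
        return report

    def inconsistent_categories(self, leading):
        """Categories whose leading horizon is archived or not defined (assumed rule)."""
        report = self.leading_horizon_report(leading)
        return sorted(c for c, s in report.items() if s in ("Archived", "Not defined"))


def demo():
    """Constructed scenario: three horizons in different statuses, four risk categories."""
    reg = HorizonRegistry()
    for name in ("12 months", "24 months", "36 months"):
        reg.create(name, "RM_ADMIN")
    reg.advance("12 months", Status.OPEN, "RM_ADMIN")
    for target in (Status.OPEN, Status.CLOSED, Status.ARCHIVED):
        reg.advance("36 months", target, "RM_ADMIN")
    leading = {"Credit": "12 months", "Market": "24 months", "Legal": "36 months", "IT": None}
    return reg.leading_horizon_report(leading), reg.inconsistent_categories(leading)


if __name__ == "__main__":
    print(demo())
```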

More Information

● Forecasting Horizons [page 372]


● Maintaining Forecasting Horizons [page 372]

7.2.7 Risk Consistency Reports

Use

You can review the quality and structure of your organization's risks via a set of comprehensive predefined
reports. You can carry out a consistency check for your Risk Management data, and you can make sure that the
reports defined do not violate the segregation of duties (SoD).

 Note

The term segregation of duties refers to the concept of requiring more than one person to complete a task.
Under SoD, no single person has control over two or more phases of a transaction or operation, so the risk
of fraud or unintentional error is mitigated. An example of this would be that one user cannot be both the
risk owner and the risk validator.

Consistency checks are a set of reports targeting solution and application consultants to support an initial
implementation project. They ensure the completeness and logical consistency of the provided master data in
the Risk Management application. This can be checked during implementation or also later when the system is
in productive use.

Reports that check the completeness of the provided data focus on mandatory and non-mandatory
information in the checked master data. Missing information might either create inconsistencies in data
storage, or affect the behavior of certain parts of the application, such as reporting.

The checks can also be used in the running system to ensure continuous quality of the maintained master data
of the application.

Features

In the Master Data work center, you can carry out a check of the RM data objects in the application as well as of
the corresponding Customizing settings. For more information, see Working with the RM Consistency Checker
[page 376].

7.2.7.1 Working with the RM Consistency Checker

Use

The consistency checker enables you to check all your Risk Management data for consistency and
completeness.

Procedure

1. Call Master Data > Consistency Checks > Consistency Checks. A new window with the RM
Consistency Checker is displayed. You have two options:
○ Select the individual item you want to check and press Execute.
○ If you want to check all items at once, press Execute Full Pass. This function executes all checks
successively and presents the results in a table.
2. In the Results table, you can drill down to the exact application or Customizing data involved to make direct
changes to the individual data objects in the application or to the Customizing activities. The table has the
following columns:

Column name | Meaning
Check | The name of the specific check report
Error count | The number of errors for an individual check
Warning count | The number of warnings issued for an individual check
Status | Red for critical, yellow for warning, green for OK

3. Choosing the individual checks produces the following results, showing you how to resolve individual data
consistency issues:

Name of Check: 1. List of organizational units without currency
Description: Lists all organizational units for which no currency is maintained.
What to Do: Choosing the Execute pushbutton produces a list of organizational units with no currency. Choosing one organizational unit opens the corresponding screen, in which you can assign a currency.

Name of Check: 2. Check number of probability levels
Description: Lists the probability levels as they are maintained in Customizing.
What to Do: Displays all the probability levels with the percentage of probability maintained in Customizing. To make changes, access the corresponding Customizing activities.

Name of Check: 3. List root nodes
Description: Lists all corporate nodes (top organizational units).
What to Do: Execute produces a list of organizational units. Choosing one takes you to the General tab of an organization with no parent organization.

Name of Check: 4. List activity categories without risk or opportunity categories
Description: Lists activity categories that do not have specific risk and opportunity categories assigned to them.
What to Do: Status column: The red stop sign means that no risk or opportunity categories are assigned.

Name of Check: 5. Check organizational unit threshold relationships
Description: Lists the organizational unit relationships (parent and child) for which the risk threshold settings do not match the relationship.
What to Do: Clicking on the parent or the child ID in the output list takes you to the screen where you can maintain the risk thresholds in the corresponding tab.

Name of Check: 6. Check the documents
Description: Checks for documents with an invalid parent or child object.
What to Do: Dialog box asking whether documents with invalid parent or child entities should be deleted. Click the Automatic Fix pushbutton under the list to auto-correct the missing values.

Name of Check: 7. List of organizational units without thresholds
Description: Lists all organizational units that do not have risk threshold values maintained.
What to Do: Clicking the Execute pushbutton produces a list of organizational units with no risk threshold values. Clicking on one line opens the organizational unit screen. Navigate to the Risk Thresholds tab to maintain the thresholds.

Name of Check: 8. Check probability level matrix
Description: Checks the probability/timeframe matrix in Customizing and displays the missing settings.
What to Do: Messages:
● Missing: No Customizing value set in the matrix for the given timeframe and probability.
● All: The probability values found are valid for ALL timeframes.
● Timeframes defined: Should be displayed instead of All if there is no timeframe.

Name of Check: 9. List organizational units without objectives
Description: Lists all organizational units that do not have objectives maintained for them.
What to Do: Execute produces a list of organizational units. Clicking on one takes you to the organization screen, where you maintain the Objective tab.

Name of Check: 10. List responses without effectiveness / completion values
Description: Lists all risks and responses that do not have effectiveness / completion values maintained.
What to Do: Clicking on a response produces a list of responses with missing values. Clicking on a line in the Response Title column enables you to enter effectiveness and/or completion values for a response.

Name of Check: 11. Check role assignment
Description: Checks for role errors and warnings, such as double assignments.
What to Do: Messages:
● User initial: Shows whether a user name is blank or empty.
● Role initial: Shows whether a role is blank or empty.
● User and role initial: Shows whether role and user name are still blank or empty.
● Double role assignment: Shows whether a user has the same role twice for the same object in an overlapping time span.
● Obsolete role assignment: Shows whether roles are assigned to objects for which they are not relevant.
● Unique role assigned multiple times: Shows whether unique roles are assigned more than once to the same object using overlapping timeframes.

Name of Check: 12. Check role definitions
Description: Checks for invalid role definitions.
What to Do: Message No title assigned: Returns a string that shows the user that the title is missing.

Name of Check: 13. Benefit / impact / driver categories
Description: Lists the benefit, impact, and driver categories that are maintained in Customizing.
What to Do: This check displays the benefit, impact, and driver categories in the application. To make changes, access the corresponding Customizing activities in the backend system.

Name of Check: 14. Check risk level matrix
Description: Checks the probability / impact matrix in Customizing, displays the risk levels that are assigned, and shows whether all levels are used.
What to Do: Message Not Assigned (N/A): The items show which risk or combination is not assigned.

Name of Check: 15. List organizational units without units of measure
Description: Lists all organizational units that do not have their own units of measure maintained.
What to Do: Execute: Produces a list of organizational units. Clicking on one takes you to the organization screen, where you maintain the Unit of Measure tab.

Name of Check: 16. List risks and responses without owner
Description: Lists all risks and responses that do not have an owner assigned to them.
What to Do: Clicking on the link of a risk or response takes you to the corresponding screen, where you can maintain the owner in the Roles tab.

Name of Check: 17. Incidents / losses without mandatory attributes
Description: Lists all incidents and losses where mandatory attributes have no values.
What to Do: You have the following options:
● Click the Automatic Fix pushbutton under the list to auto-correct the missing values of all incidents/losses.
● Depending on the status of the incident, clicking on a line of the output screen takes you to the incident screen, where you can maintain the attributes.
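The segregation of duties note in Risk Consistency Reports and the messages of check 11 (Check role assignment) both come down to finding overlapping validity periods on the same object. The following added example, which is not SAP code, runs that logic over constructed role assignments. The record layout, the role names RISK_OWNER and RISK_VALIDATOR, the set of unique roles and the "SoD conflict" label are assumptions, and the "Obsolete role assignment" message is not covered.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Assumed for this sketch: which roles are unique per object, and which role
# pairs one user must not hold on the same object at the same time.
UNIQUE_ROLES = {"RISK_OWNER"}
SOD_CONFLICTS = {frozenset({"RISK_OWNER", "RISK_VALIDATOR"})}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    obj: str
    valid_from: date
    valid_to: date


def overlaps(a, b):
    """Closed date ranges overlap when each one starts on or before the other ends."""
    return a.valid_from <= b.valid_to and b.valid_from <= a.valid_to


def check_assignments(assignments):
    """Return a sorted list of (message, object, detail) findings."""
    findings = set()
    by_object = defaultdict(list)
    for a in assignments:
        if not a.user and not a.role:
            findings.add(("User and role initial", a.obj, ""))
        elif not a.user:
            findings.add(("User initial", a.obj, a.role))
        elif not a.role:
            findings.add(("Role initial", a.obj, a.user))
        else:
            by_object[a.obj].append(a)

    # Every remaining finding needs two rows on the same object that overlap in time.
    for obj, rows in by_object.items():
        for a, b in combinations(rows, 2):
            if not overlaps(a, b):
                continue
            if a.user == b.user and a.role == b.role:
                findings.add(("Double role assignment", obj, f"{a.user}/{a.role}"))
            elif a.role == b.role and a.role in UNIQUE_ROLES:
                users = ",".join(sorted({a.user, b.user}))
                findings.add(("Unique role assigned multiple times", obj, f"{a.role}: {users}"))
            elif a.user == b.user and frozenset({a.role, b.role}) in SOD_CONFLICTS:
                roles = "+".join(sorted({a.role, b.role}))
                findings.add(("SoD conflict", obj, f"{a.user}: {roles}"))
    return sorted(findings)


# Constructed sample data (users, objects and dates are invented for the example).
SAMPLE = [
    Assignment("ALICE", "RISK_OWNER", "RISK/001", date(2019, 1, 1), date(2019, 12, 31)),
    Assignment("ALICE", "RISK_OWNER", "RISK/001", date(2019, 6, 1), date(2020, 5, 31)),
    Assignment("BOB", "RISK_OWNER", "RISK/002", date(2019, 1, 1), date(2019, 6, 30)),
    Assignment("CAROL", "RISK_OWNER", "RISK/002", date(2019, 6, 30), date(2019, 12, 31)),
    Assignment("DAVE", "RISK_OWNER", "RISK/003", date(2019, 1, 1), date(2019, 12, 31)),
    Assignment("DAVE", "RISK_VALIDATOR", "RISK/003", date(2019, 3, 1), date(2019, 9, 30)),
    Assignment("ERIN", "RISK_OWNER", "RISK/004", date(2019, 1, 1), date(2019, 6, 30)),
    Assignment("ERIN", "RISK_VALIDATOR", "RISK/004", date(2019, 7, 1), date(2019, 12, 31)),
    Assignment("", "RISK_OWNER", "RISK/005", date(2019, 1, 1), date(2019, 12, 31)),
]

if __name__ == "__main__":
    for finding in check_assignments(SAMPLE):
        print(finding)
```

BOB and CAROL overlap by a single day (the hand-over date), which is enough to trigger the unique-role finding; ERIN holds both roles on RISK/004 but in consecutive periods, so nothing is reported.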

7.2.8 Reports (Master Data)

This topic lists the reports available under the Reports section of the Master Data work center.

 Note

The Reports section is shared by the SAP Risk Management and SAP Process Control applications. Based
on the applications you have licensed, you may see only a subset of the reports.

Report | Description
Risk and Control Matrix | This report provides information on the control and risk matrix. You can find out what risks specific controls are covering, under different risk models (Subprocess – Accounts Group and Assertions – Risk – Control; Subprocess – Control Objective – Risk – Control; Subprocess – Risk – Control).
Risk Coverage | This report provides visibility into the coverage of risks by controls by organization and process. For each risk associated with a subprocess, it shows the list of controls assigned. You can review this report and understand the risk gaps to determine if new controls are needed.
Organization and Process Structure | This report provides visibility into the organization - process - subprocess - control hierarchy. You can review this report and understand what controls and processes are assigned under each of the business entities.

SAP Risk Management 12.0 SP03


380 PUBLIC Work Centers
Report Description

Indirect Entity-Level Control (iELC) Structure This report provides visibility into the organization - indirect
entity-level control structure. You can review this report and
understand what indirect entity-level controls are imple­
mented under each business entity and determine if new
iELCs are needed.

Test Plan by Control This report provides visibility into the coverage of test plans
by controls by organization and process. For each control, it
shows the list of test plans assigned. You can review this re­
port and determine if test plans have been assigned properly
to all controls to be tested.

Change Analysis This report provides visibility into all process control object
changes and details within a selected time period. You can
review this report and find out what changes (creation, mod­
ification, removal, and role assignment) have been per­
formed to each object.

Audit Log This report shows chronologically all changes to local and
central objects within a time period. You can review this re­
port and find out what changes have been performed to
each central or local object.

Risk-Based Compliance Management This report provides visibility into the coverage of both Risk
Management and Process Control risks by organization and
process. For each risk, it shows the list of controls assigned
as well as the control design and testing status. You can re­
view this report and understand the risk gaps to determine if
new controls are needed.

Policies by Regulation This report provides a method to access all policies, proce­
dures, work instructions, and so on, that the company has in
place to address a certain regulation and/or requirement.

Policies Versions This report provides the capability to look at the different
versions of a policy, procedure, work instruction, and so
forth, to provide an idea of how the policy has progressed
and evolved over time. This report also shows the docu­
ments (with the version numbers) that were attached to the
policy object in its different versions. The ownership and cre­
ation information for each of the versions is also available in
this report.

Risks Associated with Policies This report provides the ability to access the local Risk Man­
agement risks associated with a certain policy, procedure,
work instruction, and so on. It also can retrieve a report that
lists all the policies, procedures, work instructions, and so
forth, that the company associated with a risk.

SAP Risk Management 12.0 SP03


Work Centers PUBLIC 381
Report Description

Processes and Controls with Policies This report details the processes that are impacted by a cer­
tain policy. It also lists which controls are in place to ensure
compliance with the policy.

Regulation/Policy Requirement-Control Coverage This report provides visibility into the coverage of controls by
requirement by regulation or policy. For each regulation re­
quirement, it shows the list of controls assigned. You can re­
view this report and determine whether further controls are
needed.

Control-Regulation/Policy Requirement Coverage This report provides visibility into the coverage of require­
ments by controls by organization and process. For each
control, it shows the list of requirements assigned. You can
review this report and determine whether further require­
ments could be covered by a specific control.

7.3 Rule Setup

Use

The Rule Setup work center provides a central location to set up automated tests and monitor controls,
maintain schedules for continuous control monitoring, and perform legacy automated monitoring.

The Rule Setup work center contains the following sections:

● Continuous Monitoring [page 383]
● Key Risk Indicators [page 383]

 Note

The Rule Setup work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications in the SAP governance, risk and compliance (GRC) solutions. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in
this topic covers the functions specific to SAP Risk Management. If you have licensed additional products,
such as SAP Access Control or SAP Process Control, refer to the relevant topics below for the application-
specific functions.

More Information

– SAP Process Control-specific topics

See the Rule Setup topic in the application help for SAP Access Control.

7.3.1 Continuous Monitoring

Definition

Depending on the applications you have licensed, the Continuous Monitoring section of the Rule Setup work
center gives you access to all or a subset of the following:



More Information

in the application help for SAP Process Control.

7.3.2 Key Risk Indicators

Use

Key risk indicators (KRI) are scores used to quantify risks and make them transparent on a cross-organization
basis. Based on a combination of organization and risk category, KRIs represent the current state of the
business.

Key risk indicators therefore represent a rational and quantitative measure of a particular risk at a particular
time. Risk indicators previously entered provide the risk owner with a series of “warning lights” that help the
owner comprehend the current risk the company is taking. One important application is to use risk data to
calculate KRIs for early indications of your organization's strategic target achievement.

You can enter key risk indicators manually or automatically. The system can also calculate the scores using
other KRIs. You can further automate your analysis by defining aggregation hierarchies based on organizations
or risk categories, which are available for display using the KRI Aggregation report.

 Note

Key risk indicators differ from Key Performance Indicators (KPI) in that the latter are intended to show how
well something is being done by measuring past performance. KRIs, in contrast, are an indicator of the
possibility of a future adverse impact on the organization.

Key risk indicators can be used in the following areas:

● In Management Accounting
○ To ensure there is no budget overrun (evaluation by cost centers, internal orders, projects)
○ To collect all posting reversals
● In Liquidity & Cash Management
○ To obtain a liquidity forecast
○ To evaluate cash positions
● In Treasury & Risk Management
○ To monitor overdue payments
● In Financial Supply Chain Management
○ To evaluate DSO (days sales outstanding)
○ To evaluate by risk class (of all customers within a credit segment, weighted by credit exposure)
○ To evaluate credit limit utilization (percentage of credit exposure compared to the approved credit limit
of customers within a credit segment)

Features

The following functions are available with key risk indicators:

● Creating KRI Templates [page 384]
● Creating KRI Implementations [page 386] of a template
● Assigning KRIs to a Risk [page 391]
● Using workflows for KRI implementation requests [page 394] and KRI instance localization requests [page
395]
● Creating KRI Business Rules [page 393]

 Example

A budget overrun is defined as the planned budget minus the actual budget costs. If the result is less than
zero, the budget has been overrun and represents a risk. If the budget overrun is defined as a key risk
indicator, a calculation to this effect is stored in the system. When the budget is then overrun, the risk
manager receives a message on it. It is possible to define, for example, that:

● The KRI compares the actual and planned costs per cost center.
● The system checks the balance against a threshold previously defined for the KRI.

7.3.2.1 Creating KRI Templates

Prerequisites

You can optionally define the systems, business processes, and components used for key risk indicators in
Customizing.

Context

You can set up predefined key risk indicators (KRI) for your company by creating KRI templates. For each
template, you can then create several different KRI implementations.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Templates.
The KRI Template Catalog screen appears, displaying the existing KRI templates.
2. Choose the Create pushbutton.
The Create KRI Template screen appears.
3. In the General tab, specify the general template information.
1. In the KRI Template Name field, type the name of the KRI template.
2. In the Description field, type a description of the KRI template.
3. In the Value Type field, type or select a value type.
You can select from among the following types:
○ Number
○ Currency
○ Quantity
○ Score
4. In the Risk Category field, type or select the risk category associated with the KRI template.
This field is only required if you select Score as the Value Type.
5. In the System field, type or select the system associated with the KRI template.
6. In the Valid from field, type or select the date from which the KRI template is valid.
7. In the Valid to field, type or select the date to which the KRI template is valid.
4. In the Attachments and Links tab, specify the attachments and links for the KRI template.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
5. Choose the Save pushbutton.

Results

After defining KRI templates, you can assign the templates to individual risk templates or risk categories. You
can subsequently use this information when you create a KRI instance for a risk, enabling you to obtain a
selection of available KRI implementations.

For more information about creating implementations, see Creating KRI Implementations [page 386].

 Note

You can also assign a KRI template to a risk category when you create the risk classification hierarchy. For
more information, see Classifying Risks, Opportunities, and Responses [page 366].

 Example

For the risk Potential employee accidents belonging to the risk category Environmental health & safety risks,
only the key risk indicators related to this risk category are available for use. Examples of this would be
categories such as Near misses or Number of security violations.

7.3.2.2 Creating KRI Implementations

Use

A key risk indicator (KRI) implementation is the actual application of a KRI template. For each implementation,
you can have several KRI instances (a KRI implementation assigned to a specific risk). The prerequisite for
creating a KRI instance is a saved KRI implementation.

 Note

You create a KRI instance for a specific risk. For more information, see Assigning KRIs to a Risk [page 391].

Prerequisites

You need to fulfill the following prerequisites before you can create a KRI implementation:

● Complete the Customizing activities for system connectivity for key risk indicators, so that the KRI system
knows from which system the data is to be taken.
● Create the KRI template with which to implement the KRI. For more information, see Creating KRI
Templates [page 384].

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Implementations.
The KRI Implementation Catalog screen appears, displaying the existing KRI implementations.
2. Choose the Create pushbutton.
The Create KRI Implementation screen appears.
3. In the General tab, specify the general implementation information.
1. In the KRI Implementation Name field, type the name of the KRI implementation.
2. In the KRI Template field, type or select the name of the KRI template.
3. In the Description field, type a description of the KRI implementation.
4. In the Connector Type field, type or select a connector type.
You can select from among the following types:
○ HANA
○ SAP BW Query
○ SAP Query
○ SAP Table
○ Web Service
5. In the Connector field, choose the connector associated with the KRI implementation using the drop-
down list.
To test the connector, choose the Test Connector pushbutton.
6. In the Script field, choose the script associated with the KRI implementation using the drop-down list.
To test the script, choose the Test Script pushbutton.
7. In the Valid from field, type or select the date from which the KRI implementation is valid.
8. In the Valid to field, type or select the date to which the KRI implementation is valid.
4. In the Implementation Detail tab, specify the implementation details for the KRI implementation.
1. In the Value Column field, choose the value column using the drop-down list.
2. In the Aggregation Function field, choose the aggregation function using the drop-down list.
3. In the Selection Table, specify the selection criteria by adding or removing selection entries.
5. In the Attachments and Links tab, specify the attachments and links for the KRI template.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
6. Choose the Save pushbutton.

 Note

For more information about how to work with queries, see Technical Requirements for BW Queries [page
387] and Technical Requirements for SAP Queries [page 388].

Related Information

Technical Requirements for HANA View

7.3.2.2.1 Technical Requirements for BW Queries

You can use the SAP NetWeaver Business Warehouse (BW) Query functionality for key risk indicators in Risk
Management, or for automated controls in Process Control. However, you must observe specific technical
requirements regarding the Query Designer in the Business Warehouse. These are described in the table below.

Technical Requirement: Hierarchies off
Description: The data-oriented queries do not need the collapse-and-expand feature.
The query is expected to return only the fixed given level and no
virtual aggregation nodes above it. The best way to accomplish this is
to switch off the hierarchies in the hierarchical characteristics.

Technical Requirement: Results rows: Always suppress
Description: Aggregation is done on the Risk Management side, which means that
there is no way to differentiate between data rows and subtotal rows,
leading to the double itemizing of some of the output figures.

Technical Requirement: Restricted filtering options
Description: Risk Management and Process Control currently support only optional
single values and select-options. Other possibilities supported by the
Query Designer, such as interval values or multiple single values, are
not supported.

Technical Requirement: Key figures only in columns
Description: The current key figures are not supported in the individual rows. This
means that some kinds of 0MEASURE-based queries are not supported.
For PC usage, there should be only ONE key figure assigned in
the columns area, which is then considered as the deficiency field of the
corresponding automated control.

Technical Requirement: Characteristics in columns
Description: If characteristics are in a column, the values must be fixed in the Query
Designer so that the number of columns remains stable and Risk Management
or Process Control can use the columns for reference and for
further settings. In Process Control, the characteristics cannot be in
the columns area, but only in the rows area.

 Note

When working with BW queries, do not make use of the queries designed for end users. Instead, create a
new query by making a copy of an existing BW query definition, making sure to observe the requirements
above.

7.3.2.2.2 Technical Requirements for SAP Queries

Concept

Instead of using the queries designed for end users, for KRIs you must create a new SAP query by making a
copy of an existing SAP query definition.

Prerequisites

● There is no support for ranked list and statistics output. This means that the RFC used does not return the
content of ranked lists and statistics output for an SAP query.
● There is no support for the aggregation (totaling field) and sort fields in the basic list output, so that the RFC
used does not return the results of aggregation or output sorted fields.
● In the InfoSet, the Additional fields function is not supported. In Process Control, a rule criterion is based
on the back-end field containing technical details, which can be described as table (structure) fields.
However, Additional fields in the InfoSet do not reveal such technical details.

7.3.2.2.3 Using External Web Services

Prerequisites

You must complete the following Customizing activities found under Governance, Risk and Compliance >
Risk Management > Key Risk Indicators > Connectivity:

● Maintain Connectors
● Maintain Scripts for Web Service

Context

You can use external Web services to implement key risk indicators (KRI). The SAP Web Service Connector
enables you to interact with all Web services, regardless of the implementation technology used, as long as it is
compliant with the provided WSDL (Web Services Description Language) file.

Procedure

1. Access a WSDL file in the SAP MIME repository. This is used to implement the correct Web service
interface.
2. Create the Web service implementation according to this WSDL file, using any available technology.
3. Using transaction SOAMANAGER, connect this implementation to the consumer proxy
CO_GRFN_CCI_WEBSERVICE.

 Note

For more information, see Configuring a Consumer Proxy in Application Development on AS ABAP
(https://help.sap.com/viewer/7bfe8cdcfbb040dcb6702dada8c3e2f0/7.5.5/en-US).

4. Make note of the logical port you have created. In the Maintain Connectors Customizing activity, enter it as
the remote system. In the Connector Type field, choose the type WEBSERVICE. In the Remote System field,
enter the logical port you have just created. Save your entry.
5. Access the second Customizing activity, Maintain Scripts for Web Service. When you register the script, the
script data must correspond to the script ID in the service implementation. Save your entry.

Results

Your external Web service is ready for use. If required, search the SAP Developer Network for further
information and details.

7.3.2.2.4 Technical Requirements for HANA View

You can use SAP HANA-based KRIs, which use the capability of SAP HANA to analyze large volumes of data
and identify potential risks quickly. This allows you to consolidate enterprise risks from multiple systems
through SAP HANA.

Prerequisites

The SAP HANA database connection and RFC must be defined.

To create the SAP HANA database connection, use transaction code DBCO.

To create the RFC connection (with the same name as the SAP HANA database connection), use transaction
SM59.

Activities

Customizing
1. Maintain categories for connectors and scripts.
1. In Customizing for Governance, Risk and Compliance, go to Risk Management > Key Risk Indicators >
Connectivity > Maintain Categories for Connectors and Scripts.
2. Create a new category or modify an existing one.
Categories are optional for scripts and connectors, and can be used to structure scripts and
connectors in different versions or industries.
2. Maintain connectors.
1. In Customizing for Governance, Risk and Compliance, go to Risk Management > Key Risk Indicators >
Connectivity > Maintain Connectors.
2. Create a new connector or modify an existing one, as follows:
○ Connector ID: The connector ID
○ Connector Type: HANA
○ Category: Categories are optional for scripts and connectors, and can be used to structure
scripts or connectors in different versions and/or industries
○ Name: Descriptive name of this HANA connector
○ Remote System: The RFC name of this HANA connector
3. Maintain scripts for HANA.
1. In Customizing for Governance, Risk and Compliance, go to Risk Management > Key Risk Indicators >
Connectivity > Maintain Scripts for HANA.
2. Create a new script for HANA or modify an existing one, as follows:
○ Script: The script ID
○ Script Name: Specify the script name
○ Schema Name: HANA schema name
○ View Name: HANA view name
3. Assign the script to a category.

Creating HANA-Based KRI


HANA-based KRI templates are created the same as other KRI templates. For more information, see Creating
KRI Templates [page 384].

You create a HANA-based KRI implementation as follows:

1. When creating the KRI implementation, for the Connector Type, select HANA.
2. Select the HANA connector.
3. Select the HANA script.
4. Define the implementation detail.

 Note

For general instructions about creating a KRI implementation, see Creating KRI Implementations [page
386].

When creating or modifying a risk, create a KRI instance from the Key Risk Indicators tab, assign the KRI
implementation, and create a rule for the instance.

In the Risk Evaluation tab, choose the connection icon in the KRI column to connect the instance to the risk
analysis.

7.3.2.3 Assigning KRIs to a Risk

Use

When you enter a new risk, you can assign one or more key risk indicators (KRI) to the risk. This is known as a
KRI instance. In this way, you can automatically identify risks in business processes and escalate them to risk
owners for immediate attention if necessary.

Prerequisites

● You have created a KRI implementation.
● You have maintained the corresponding activities for timeframes and frequencies in Customizing under
Governance, Risk and Compliance > General Settings > Key Attributes.

Procedure

1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Standard KRI
Instance in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using
the drop-down lists.
7. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
8. In the Selection Table, modify the KRI implementation settings, as required.
9. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
10. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose from among the following options:
○ Choose the Activate pushbutton to set the status as Active for the KRI instance.
○ Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor
(to the KRI liaison defined in the Risk Management workflows, for example). The dialog closes and the
Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the
workflow item, it returns to your inbox for processing or approval, among other options. For more
information, see Workflow for KRI Instance Localization Request [page 395].
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.
13. In the Business Rules section, create a KRI business rule, if required.
For more information, see Creating a KRI Business Rule [page 393].
14. Save the risk data.

Creating Manual KRI Instances

1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Manual KRI Instance
in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
6. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
7. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.

7.3.2.3.1 Creating KRI Business Rules

Prerequisites

● The GRC Customizing activity on workflow notification messages, found under General Settings >
Workflow, must be maintained if you wish to use settings other than those in the default system.
● A KRI instance for a risk must exist.

Context

A business rule is a formula containing a mathematical calculation that is entered for a defined KRI instance,
that is, one individual implementation of a KRI template. Such business rules provide standard calculations for
both management and legal consolidation reporting.

 Example

When monitoring your expenses, you would like to know whether the current monthly expenses are much
higher than the values of the last three months. You define a business rule for this, and an email is
automatically sent via workflow to the risk owner or owners, who can then review the risk and decide on the
proper response to it.

Procedure

1. Navigate to My Home > My Objects > My Risks and select a risk in the table.
Alternatively, navigate to Master Data > Organizations > Organizations, select an organization, and
choose the Open pushbutton.
2. Choose the Key Risk Indicators tab, and select the Assigned Key Risk Indicator for which you want to create
a rule.

 Note

The assigned key risk indicator status must be marked active for you to proceed. You can change the
status by opening the assigned KRI and choosing the Activate pushbutton.

3. In the Business Rules section, choose the Create pushbutton.
The KRI Business Rule dialog appears.
4. In the Title field, type the title of the new business rule.
5. Using the Mapping and Expression tabs, enter the calculation parameters for the KRI business rule.

You can specify the Expression as either a Formula or a Decision Table using the Rule Type drop-down
menu. After you are finished, you can check the syntax, test the rule, or access the NetWeaver Business
Rule Framework plus Workbench (see
https://help.sap.com/doc/7b784763728810148a4b1a83b0e91070/1.0%20SP04/en-US/pdf.sap_BRFplus_en.pdf).
6. Specify the Actions for the KRI business rule using the corresponding radio buttons.

You can specify whether a risk assessment workflow is to be triggered, whether an email notification is to
be sent to the risk owner, and whether the risk is to be flagged.

 Note

You should flag the risk if the corresponding KRI business rule has been violated. After you have flagged
this risk, a yellow lightning symbol appears on the KRI tab of the Risk application. You can reset the
alert by choosing the Reset KRI Violation Status pushbutton.

7. Choose the OK pushbutton. The new business rule appears in the list of rules assigned to the risk.
8. Save the risk data.
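
The two rules this guide uses as examples, the budget-overrun KRI (planned minus actual per cost center, checked against a threshold) and the monthly-expense business rule (current month against the last three months), sketched as an added Python example. It is not SAP or BRFplus code: the sample figures, the 1.25 factor standing in for "much higher", and all function and field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed sample data (not taken from any SAP system).
COST_CENTERS = {
    "CC-1000": {"planned": 50_000.0, "actual": 47_500.0},
    "CC-2000": {"planned": 30_000.0, "actual": 33_200.0},
    "CC-3000": {"planned": 12_000.0, "actual": 12_050.0},
}
# Monthly expenses, oldest first; the last value is the current month.
MONTHLY_EXPENSES = [41_000.0, 39_500.0, 42_500.0, 63_000.0]


@dataclass(frozen=True)
class Actions:
    """The three actions the guide lists for a KRI business rule."""
    trigger_assessment: bool = False
    notify_owner: bool = True
    flag_risk: bool = True


@dataclass(frozen=True)
class RuleResult:
    violated: bool
    value: float
    detail: str


def check_budget_overrun(cost_centers, threshold=0.0):
    """Balance = planned - actual per cost center; violated if balance < threshold.

    threshold=0.0 matches the guide's definition of an overrun. A negative
    threshold (an assumption of this example) tolerates small overruns.
    """
    results = {}
    for name, figures in cost_centers.items():
        balance = figures["planned"] - figures["actual"]
        results[name] = RuleResult(
            violated=balance < threshold,
            value=balance,
            detail=f"{name}: balance {balance:+.2f} vs threshold {threshold:+.2f}",
        )
    return results


def check_expense_trend(monthly, factor=1.25, window=3):
    """Violated if the current month exceeds factor * mean of the previous `window` months."""
    if len(monthly) < window + 1:
        raise ValueError(f"need {window + 1} monthly values, got {len(monthly)}")
    *history, current = monthly
    baseline = mean(history[-window:])
    if baseline <= 0:
        # A ratio is meaningless without a positive baseline; report it instead of dividing.
        raise ValueError("baseline of previous months must be positive")
    ratio = current / baseline
    return RuleResult(
        violated=ratio > factor,
        value=ratio,
        detail=f"current {current:.2f} is {ratio:.2f}x the {window}-month mean {baseline:.2f}",
    )


def actions_for(result, actions):
    """Names of the actions to run for a rule result; empty if the rule held."""
    if not result.violated:
        return []
    chosen = []
    if actions.trigger_assessment:
        chosen.append("trigger_risk_assessment_workflow")
    if actions.notify_owner:
        chosen.append("email_risk_owner")
    if actions.flag_risk:
        chosen.append("flag_risk")
    return chosen


if __name__ == "__main__":
    cfg = Actions()
    for res in check_budget_overrun(COST_CENTERS).values():
        print(res.detail, "->", actions_for(res, cfg) or "no action")
    trend = check_expense_trend(MONTHLY_EXPENSES)
    print(trend.detail, "->", actions_for(trend, cfg) or "no action")
```

Passing a negative threshold such as -100.0 to check_budget_overrun shows how the threshold, rather than the bare sign of the balance, decides whether the KRI reports a violation.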

Next Steps

For more information about the syntax of business rules, see Creating a Formula Expression in
https://help.sap.com/doc/7b784763728810148a4b1a83b0e91070/1.0%20SP04/en-US/pdf.sap_BRFplus_en.pdf.

7.3.2.4 Using Workflow to Create KRI Implementation Requests

Use

You can use the SAP workflow functionality to create a KRI implementation request. This workflow enables you
to create one or several KRI implementations.

Prerequisites

You must fulfill the following prerequisites before you can use the workflow functionality for KRIs:

● A KRI template must exist for each implementation request. For more information, see Creating KRI
Templates [page 384].
● Risk Management roles must be configured. For more information, see .

Procedure

When you edit a KRI template, you can request one or more implementations for it.

1. Under Rule Setup > Continuous Monitoring, choose KRI Templates to access the KRI template catalog.
2. Open the KRI template for which you want to create an implementation request and choose the
Implementations tab.
3. Select the Request view and create a new KRI implementation request by using the Create button. Enter a
Notes text if necessary.
4. Save the request and access the My Home work center. The new workflow displays in the Work Inbox.
5. In the work inbox, choose the work item to see the KRI implementation request for it.
6. In the lower screen section of the work inbox, you can create an implementation. Note that the template
field may be prefilled. In the Implementation Detail tab, make the necessary entries. When you have
finished entering the data, choose OK.
The buttons at the top of the screen mean the following:
○ Complete: The status changes to completed. After the request creator confirms the request, it is
removed from the inbox.
○ Save: This does not change the workflow status.
○ Cancel: The changes you made are canceled.
○ Confirm: This confirms a completed workflow.

 Note

When you choose Complete, the work item is returned to the inbox of the workflow processor. When
you call it up again from the inbox, you see the Confirm pushbutton.

For more information, see Creating KRI Implementations [page 386].

7.3.2.5 Using Workflow to Create KRI Instance Localization Requests

Use

You can use the SAP workflow functionality to create a KRI instance localization request.

Prerequisites

The following prerequisites must be fulfilled before you can use the workflow:

● A KRI instance must exist for each KRI instance localization request. For more information, see Assigning
KRIs to a Risk [page 391].
● Risk Management roles must be configured.

Procedure

When you create or edit a KRI instance, you can request a localization for it. To process the request, proceed as
follows:

1. Access the work inbox in the My Home work center. Select the work item to see the KRI instance
localization request for it.

Note

The fields in the upper section cannot be changed.

2. In the lower screen section, you can adjust the selection table with respect to the risk-specific settings. The
buttons have the following meanings:
○ Complete: The status changes to completed. After the request creator confirms the request, it is
removed from the inbox.
○ Save: This does not change the workflow status.
○ Cancel: The changes you made are canceled.
○ Confirm: This confirms a completed workflow.
3. When you are finished, call up the work inbox to view the work item.

Note

When you choose Complete, the work item is returned to the inbox of the request. When you call it up again
from the inbox, you see the Confirm pushbutton.

7.3.2.6 Managing KRI Value Inputs

Use

You can manually input values for key risk indicator (KRI) instances (that are not scored) using the KRI Manual
Value Input screen. When inputting values, you can select the instances directly or using a combination of KRI
templates and organization units. In the former case, the input is a simple list; in the latter case, the input
consists of a matrix with each cell representing a single instance.

Note

Alternatively, you can input values using an XML-format file.

There is an activity in the Planner, Perform KRI Manual Entry, that creates a workflow task in the user's inbox to
manually update the KRI value. For more information about the Planner, see Risk Management Planner [page 499].

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Value Input.


The KRI Manual Value Input screen appears.
2. In Step 1: Select KRIs, specify the input and selection modes.
   1. In the Input Mode field, select the Manual Input radio button.
   2. In the Selection Mode field, select either the KRI Instances or KRI Template + Organization Unit radio
      button.
   3. If you selected the KRI Instances radio button, choose the KRI Instances link.
      The Select KRI Instances dialog appears.
      1. In the Find field, type the search terms and choose the Search pushbutton.
      2. Select one or more entries in the Available table, and choose the right arrow pushbutton to include
         the entries in the Selected table.
      3. To change the sequence of the instances, choose the arrow pushbuttons directly below the
         Selected table.
      4. Choose the OK pushbutton.
   4. If you selected the KRI Template + Organization Unit radio button, do the following:
      1. Choose the KRI Templates link.
         The Select KRI Templates dialog appears.
      2. In the Find field, type the search terms and choose the Search pushbutton.
      3. Select one or more entries in the Available table, and choose the right arrow pushbutton to include
         the entries in the Selected table.
      4. To change the sequence of the instances, choose the arrow pushbuttons directly below the
         Selected table.
      5. Choose the OK pushbutton.
      6. Choose the KRI Organizational Units link.
         The Organizations dialog appears.
      7. In the Find field, type the search terms and choose the Search pushbutton.
      8. Select one or more entries in the Available table, and choose the Add or Add with children
         pushbutton to include the entry in the Selected table.
      9. To change the sequence of the organizations, choose the arrow pushbuttons directly below the
         Selected table.
      10. Choose the OK pushbutton.
   5. Choose the Next pushbutton.

   Note

   If you select the Allow Date Input checkbox, you can manually add the update date of the KRI value in
   the next step, which will then be displayed as the KRI timestamp value.

3. In Step 2: Provide Values, specify the values for the entries by choosing the Browse pushbutton, selecting
the upload file, and choosing the Upload pushbutton.

You can download the XML template for the upload file by choosing the Get XML Template pushbutton and
saving the file to your local machine.
4. Choose the Next pushbutton.
5. In Step 3: Review, review the values.
6. Choose the Finish pushbutton.
7. Choose the Close pushbutton.

Inputting Values Using a File Upload

1. Choose Rule Setup > Key Risk Indicators > KRI Value Input.


The KRI Manual Value Input screen appears.
2. In Step 1: Select KRIs, select the Input via File Upload radio button, and choose the Next pushbutton.
3. In Step 2: Provide Values, specify the values by choosing the Browse pushbutton and selecting the upload
file.
4. Choose the Next pushbutton.
5. In Step 3: Review, review the values.
6. Choose the Finish pushbutton.
7. Choose the Close pushbutton.

7.3.2.7 KRI Aggregation Hierarchy

You can use KRI aggregation hierarchies, based on organizations or risk categories, to automate your analysis,
the results of which are available for display using the KRI Aggregation report.

When managing KRI aggregation hierarchies, you can complete the following tasks:

● Searching KRI Aggregation Hierarchies [page 398]
● Creating KRI Aggregation Hierarchies [page 399]
● Modifying KRI Aggregation Hierarchies [page 400]
● Deleting KRI Aggregation Hierarchies [page 401]

7.3.2.7.1 Searching KRI Aggregation Hierarchies

Context

You can search KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Hierarchy.

The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the New Worklist pushbutton.

The New Worklist dialog appears with KRI Aggregation Hierarchies automatically selected in the Select
Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Hierarchy Type ID fields, type or select the range of hierarchy types.

Choose the Preview pushbutton to display the table of aggregation hierarchies based on the current
criteria. Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.

The query results appear.

Next Steps

Creating KRI Aggregation Hierarchies [page 399]

Modifying KRI Aggregation Hierarchies [page 400]

Deleting KRI Aggregation Hierarchies [page 401]

7.3.2.7.2 Creating KRI Aggregation Hierarchies

Use

You can create KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. You can also create a
new aggregation hierarchy by copying an existing hierarchy and modifying the appropriate settings.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Hierarchy.


The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.

2. Choose the Create pushbutton, and select one of the following options using the drop-down menu:
○ KRI Organization Hierarchy
○ KRI Risk Category Hierarchy
The Create Aggregation Hierarchy screen appears.
3. In the Title field, type the title of the aggregation hierarchy.
4. In the Description field, type a description of the aggregation hierarchy.
5. In the Hierarchy focus date field, type or select a date, and choose the Apply pushbutton.
6. In the Organization view or Risk Category view field, choose a view using the drop-down list and complete
the Excluded and Aggregation Rule settings in the table.
7. To save the aggregation hierarchy as a draft, choose the Save Draft pushbutton.
8. To save and activate the aggregation hierarchy, choose the Save and Activate pushbutton.

Creating an Aggregation Hierarchy by Copying an Existing Hierarchy

1. Select an aggregation hierarchy in the table, and choose the Copy pushbutton.
The Copy Aggregation Hierarchy screen appears.
2. In the Title field, modify the name of the aggregation hierarchy.
3. Review the current settings and modify, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.

More Information

Searching KRI Aggregation Hierarchies [page 398]

Modifying KRI Aggregation Hierarchies [page 400]

Deleting KRI Aggregation Hierarchies [page 401]

7.3.2.7.3 Modifying KRI Aggregation Hierarchies

Context

You can modify specific KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Hierarchy.

The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.

2. Choose the title of the aggregation hierarchy you want to modify.

The Change Aggregation Hierarchy screen appears allowing you to modify the settings.
3. Modify the aggregation hierarchy settings, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.

Next Steps

Searching KRI Aggregation Hierarchies [page 398]

Creating KRI Aggregation Hierarchies [page 399]

Deleting KRI Aggregation Hierarchies [page 401]

7.3.2.7.4 Deleting KRI Aggregation Hierarchies

Context

You can delete existing KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Hierarchy.

The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Select one or more aggregation hierarchies that you need to delete.
3. Choose the Delete pushbutton.

A confirmation dialog appears.


4. Choose Yes to delete the selected aggregation hierarchies; choose No to dismiss the dialog without
deleting the selected aggregation hierarchies.

Next Steps

Searching KRI Aggregation Hierarchies [page 398]

Creating KRI Aggregation Hierarchies [page 399]

Modifying KRI Aggregation Hierarchies [page 400]

7.3.2.8 KRI Aggregation Run

You can use the KRI Aggregation Run quick link to manage KRI aggregation runs, including completing the
following tasks:

● Searching KRI Aggregation Hierarchies [page 398]
● Creating KRI Aggregation Hierarchies [page 399]
● Modifying KRI Aggregation Hierarchies [page 400]
● Deleting KRI Aggregation Hierarchies [page 401]

7.3.2.8.1 Searching KRI Aggregation Runs

Context

You can search KRI aggregation runs using the KRI Aggregation Run Management screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Run.

The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the New Worklist pushbutton.

The New Worklist dialog appears with KRI Aggregation Runs automatically selected in the Select Object
Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Aggregation Type field, choose Key Risk Indicator using the drop-down list.

Choose the Preview pushbutton to display the table of aggregation runs based on the current criteria.
Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.

The query results appear.

Next Steps

Creating KRI Aggregation Runs [page 403]

Modifying KRI Aggregation Runs [page 404]

Deleting KRI Aggregation Runs [page 405]

7.3.2.8.2 Creating KRI Aggregation Runs

Use

You can create KRI aggregation runs using the KRI Aggregation Run Management screen. You can also create a
new aggregation run by copying an existing run and modifying the appropriate settings.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Run.


The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the Create pushbutton, and select KRI Aggregation Run using the drop-down menu.
The Create Aggregation Run screen appears.
3. In the Name field, type the name of the aggregation run.
4. In the Description field, type a description of the aggregation run.
5. In the Owner field, type or select the owner of the aggregation run.
6. In the Start Date field, type or select the start date for the aggregation run.
7. In the Due Date field, type or select the due date for the aggregation run.
8. In the End Date field, type or select the end date for the aggregation run.
9. In the Organization based hierarchy field, choose the organization hierarchy using the drop-down list.
10. In the Risk Category based hierarchy field, choose the risk category using the drop-down list.
11. In the Execution Mode field, select either the Manual or Automatic radio button.
12. To save the aggregation run, choose the Save pushbutton.
13. To publish the results, choose the Publish Results pushbutton.
14. To publish the results and close the run, choose the Publish Results and Close Run pushbutton.
15. To perform ad-hoc calculations, choose the Ad-hoc Aggregation Calculation pushbutton, and select the
appropriate organization hierarchy or risk category hierarchy using the drop-down menu.

Creating a KRI Aggregation Run by Copying an Existing Run

1. Select an aggregation run in the table, and choose the Copy pushbutton.
The Copy Aggregation Run screen appears.
2. In the Name field, modify the name of the aggregation plan.
3. Review the current settings and modify, as required.
4. Choose the Save pushbutton.

More Information

Searching KRI Aggregation Runs [page 402]

Modifying KRI Aggregation Runs [page 404]

Deleting KRI Aggregation Runs [page 405]

7.3.2.8.3 Modifying KRI Aggregation Runs

Context

You can modify specific KRI aggregation runs using the KRI Aggregation Run Management screen.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Run.

The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the name of the aggregation run you want to modify.

The Edit Aggregation Run screen appears allowing you to modify the settings.
3. Modify the aggregation run settings, as required.
4. Choose the Save pushbutton.

Next Steps

Searching KRI Aggregation Runs [page 402]

Creating KRI Aggregation Runs [page 403]

Deleting KRI Aggregation Runs [page 405]

7.3.2.8.4 Deleting KRI Aggregation Runs

Context

You can delete existing KRI aggregation runs using the KRI Aggregation Run Management screen.

Procedure

1. Choose Rule Setup > Key Risk Indicators > KRI Aggregation Run.

The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Select one or more aggregation runs that you need to delete.
3. Choose the Delete pushbutton.

A confirmation dialog appears.


4. Choose Yes to delete the selected aggregation runs; choose No to dismiss the dialog without deleting the
selected aggregation runs.

Next Steps

Searching KRI Aggregation Runs [page 402]

Creating KRI Aggregation Runs [page 403]

Modifying KRI Aggregation Runs [page 404]

7.4 Assessments

Use

The Assessments work center provides a central location to view and manage surveys, test plans, and risks and
opportunities. You can also use the work center to maintain incidents and plan evaluations, as well as simulate
risks using scenarios.

The Assessments work center contains the following sections:


● Risk Assessments [page 415]

● Incident Management [page 484]
● Scenario Management [page 488]
● Assessment Planning [page 499]
● Risk Control Self Assessments [page 502]
● Assessment Reports [page 515]

Note

The Assessments work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications in the GRC solutions. The menu groups and quick links available on the screen
are determined by the applications you have licensed. The content in this topic covers the functions
specific to SAP Risk Management. If you have licensed additional products, such as SAP Access Control or
SAP Process Control, refer to the relevant topics below for the application-specific functions.

More Information

SAP Process Control-specific topics

7.4.1 Surveys

Use

A survey is a structured list of questions. Within GRC, surveys are used to obtain information about the
existence and evaluation of risks (SAP Risk Management) or the design or operational adequacy of controls (if
you also have a license for SAP Process Control). Surveys are used to carry out assessments of objects such as
risks, activities, or policies, for example. These assessments are defined via plans in the Risk Management
Planner [page 499].

Surveys are created and maintained in the and sent via the workflow (which can be routed to an inbox and/or e-mail).

For more information, see the corresponding topic in the application help of SAP Process Control:

Prerequisites

● To send e-mails with interactive PDF survey data, complete the Customizing activity Maintain Inbound E-Mail
Settings for Survey under Governance, Risk, and Compliance > General Settings > Workflow.

● Users who receive survey PDFs by e-mail must have stored their e-mail address in the GRC back-end
system (SU01) under System > User Profile > Own Data (Address Tab).
● If you are creating a survey for a collaborative assessment, the role Contributor to Collaborative
Assessment must be maintained for the user in the Roles tab of the risk or risks involved.
● For risk assessment surveys, complete the Customizing activity Implement New Survey Valuation under
Governance, Risk, and Compliance > Common Component Settings > Surveys.
● The e-mail addresses of all users to whom the system sends a survey must be maintained.
● The role assignments must be maintained:
○ Business users who receive survey responses and post responses in the system need the roles
SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.
○ The SAPCONNECT user configures the e-mail notification settings in the back-end system, so the roles
SAP_GRC_FN_BASE and SAP_GRC_FN_ALL are required.
For more information, see the SAP Risk Management 12.0 Security Guide on the product page for SAP Risk
Management at https://help.sap.com/viewer/p/SAP_RISK_MANAGEMENT.
● For workflow functions, maintain the Customizing activities under Governance, Risk, and Compliance >
General Settings > Workflow.
● If you want to be able to change the subject or body of the survey e-mail, then you must also make entries
in the Workflow Customizing activity Maintain Custom Notification Messages.

Related Information

Creating Surveys [page 412]
Creating Questions for Surveys [page 408]
Survey Library [page 411]
Question Library [page 407]

7.4.1.1 Question Library

Definition

The Question Library lists the user-defined questions that you can use within your surveys. Each question
comprises the following information:

● Category: The category of the question.
● Question: The text of the question.
● Active: Specifies whether the question is active or inactive. Only active questions are available for use in
surveys.
● Answer Type: The type of answer (yes/no/NA, rating, and so on) expected from the person taking the
survey.

● Created By
● Created On

Use

Using the Question Library, you can do the following:

● Create new questions. You can create a new question, or copy and change an existing question.
● Open questions for editing. You can only edit questions that are not being used in a survey.
● Delete questions. You can only delete questions that have not been assigned to any survey.
● Upload questions from a file stored on your local machine.

You can use the questions defined in the Question Library with the surveys listed in the Survey Library.

More Information

7.4.1.1.1 Creating Questions for Surveys

Use

For each type of survey, you can create user-defined questions to be attached. You can create questions in the ,
or you can open a specific survey in the and create questions for it. Furthermore, you can define your own
answer types, which you can attach to question or survey categories if necessary.

Note

If a question is already being used in a survey, you cannot change any data for it, but you can deactivate it.

Prerequisites

Complete the Customizing activity Define Ratings for Survey Questions, found under Governance, Risk, and
Compliance > Common Component Settings > Surveys.

Procedure

To create a question:

1. Go to Assessments > Surveys > Question Library.


2. A list of all existing questions is displayed. When you choose Create, a dialog box opens in which you can
create your own question.
3. Select the category of the question from the dropdown options and enter text describing the question.
4. Specify whether the question is active or not. Active means that it can be used in a survey.

Note

If you are not finished formulating the question, or if you want to make a question obsolete, deactivate
the question. You cannot delete questions that are already used in surveys.

5. Enter one of the following answer types (answer types vary based upon the survey category):

| Answer Type | Meaning & Type of Entry Required |
| --- | --- |
| Rating | Requires the entry of a rating type. If you select this answer type, you are asked if the answer requires a comment. |
| Yes / No / NA | Requires a Yes, No, or Not Applicable (NA) answer. If you select this answer type, you are asked if the answer requires a comment. |
| Text | Requires a text entry by user. |
| Percentage | Requires the entry of a percentage. |
| Amount | Requires the entry of an amount. |
| Choice | A user-defined question in which you can define the answer options and the scores. If you select this answer type, you are asked if the answer requires a comment. |
| Probability Level | Requires the entry of a probability level. If you select this answer type, you are asked if the answer requires a comment. |
| Impact Level | Requires the entry of an impact level. If you select this answer type, you are asked if the answer requires a comment. |
| Speed of Onset | Requires the entry of a speed of onset value. If you select this answer type, you are asked if the answer requires a comment. |

Note

The answer types Yes/No/NA, Rating and Choice support user-defined scoring for each answer option.
A number score is assigned to each answer option at design time. At runtime, users receive the
scores according to their selections. A final score is based on aggregating the scores from each
question.
○ For the answer type Rating, scores are defined during the Customizing activity Define Ratings for
Survey Questions, located under Governance, Risk and Compliance > Common Component Settings > Surveys.
○ For the answer type Choice, scores can be defined in the frontend, or they can be defined in the
corresponding column of the survey upload Excel file.
○ For the answer type Yes/No/NA, question scores are defined when the survey is defined.

Recommendation

For more information, see .

6. If you are creating a question directly from a survey, choose Actions > Create Question. On the Create
Question screen, you can specify if the question is local (only used for this survey). If you choose No, the
question can be used in other surveys.
7. Save your data.

Result

You have created a question for use in the survey.

Note

If you want to upload new questions from your hard disk, you can do so by choosing Actions > Upload.
The format of the file must be .csv, which can be created from a Microsoft Excel spreadsheet. For Choice
type questions, this spreadsheet can define the scores given to each choice, using the CHOICE_SCORE
column.

7.4.1.2 Survey Library

Definition

The Survey Library lists the user-defined surveys that you can use to obtain information on the existence and
evaluation of risks (RM) or the adequacy of controls (PC). Each survey comprises the following information:

● Category: The category of the survey.
● Title: The title of the survey.
● Description: An optional description of the survey and its purpose.
● Active: Specifies whether the survey is active or inactive. Only active surveys are available for use.
● Questions: The questions that comprise the survey.
● Created By
● Created On

Use

Using the Survey Library, you can do the following:

● Create new surveys. You can create a new survey, or copy and change an existing survey.
● Open surveys for editing. You can only edit surveys that have not been scheduled.
● Delete surveys. You can only delete surveys that have not been scheduled.

You can use the questions defined in the Question Library with the surveys listed in the Survey Library.

More Information

7.4.1.2.1 Creating Surveys

Prerequisites

See .

Procedure

To create a survey:

1. Choose Assessments > Surveys > Survey Library.


2. Choose Create. The Create Survey dialog box appears.
3. On the General tab, select a survey category, a title for the survey, and a description (optional).
4. If necessary, specify the valuation type. The entries defined here are used for surveys, question categories,
and answer types.

Note

Using valuation for risk analyses requires additional settings through the Customizing activities.
Complete the activities listed under Governance, Risk, and Compliance > Common Component
Settings > Surveys.

5. Specify whether the survey is to be activated or not.

Note

You cannot activate a survey without first creating one or more questions for it.

6. In the lower screen section, you can add questions as follows:
○ Choose Add to add questions that were previously defined.
○ Under the Actions menu, you can navigate within the questions (if there are many) or create a new
question.
7. Set the valuation or scoring, if used, for the survey questions. For more information, see Score-Based
Valuation for Surveys and Questions [page 414].
○ Answer types Yes/No/NA, Rating and Choice support reconfiguring user-defined scores. If you select
score-based valuation for Valuation, you can view and change the predefined scores for each question.
Select the Set Score link in the Set Score column.
○ The total score of one survey is the sum of scores for each question.

Example

Survey A has two questions (Q1 and Q2). The answers and scores are defined as follows:
○ Question 1: Answer 1.1 = 50; Answer 1.2 = 0
○ Question 2: Answer 2.1 = 0; Answer 2.2 = 0; Answer 2.3 = 50
The total score of the survey is the sum of the scores for the answers given. In the example, a
submission with the answers Q1: Answer 1.1 and Q2: Answer 2.1 has a total score of 50. The highest
possible score for this survey would be 100.

8. Save the survey. Your survey can now be included in a plan when you call up the .

Note

○ Your survey becomes visible on the Survey tab of the Risk or Activity screen after you create a plan
in the Planner and have sent out the survey.
○ You can display the results of the survey by running the Survey Results report under Reports and
Analytics > Compliance.

More Information

7.4.1.3 Survey Category

SAP Risk Management currently provides the following categories of surveys in the Survey Library for
evaluations of different purposes:

● Activity Survey
● Activity Validation
● Collaborative Risk Assessment
● Opportunity Assessment
● Opportunity Validation
● RCSA
● Response Update
● Risk Assessment
● Risk Consolidation [page 413]
● Risk Indicator Survey
● Risk Survey
● Risk Validation

7.4.1.3.1 Risk Consolidation

Risk consolidation allows you to evaluate the risks of different organization levels in a company from bottom
up, and consolidate them at the corporate level. You can choose the risks to be consolidated from a lower level
organization unit, and submit them to the upper level organization unit, until all risks reach the corporate level.

Risk consolidation can be planned through the Planner:

1. Go to Assessments > Assessment Planning > Planner.


2. Choose Perform Risk Consolidation as the plan activity, and enter the required details for the plan.
3. Select the organizations you want to perform risk consolidation, and set the due dates.
4. Activate the plan.

For more information about the Planner, see .

7.4.1.4 Score-Based Valuation for Surveys and Questions

Use

You can use the valuation and scoring function built into survey and question creation to assist in risk analysis
and process control evaluation.

● Surveys can be created with the type No Valuation or Score-Based Valuation. If you choose Score-Based
Valuation, a Set Score link appears on the right side of each line for all score-based questions that you have
created or that you have added from the .

Note

Certain question types, such as those requiring a text entry, cannot be scored. The Set Score link will
not appear next to these kinds of questions. For more information about the different question types,
see .

● When you choose the Set Score link, an Override Question Score window appears. You can choose to use
any maintained values that were preset through the Customizing activities, or you can override those
values with those of your own choosing.

Note

If you override the preset values, the values you enter are valid only for this instance of the question. If
you use the same question type for another question in a survey, the default values are assigned to it
unless you override them again.

● For Score-Based Valuation surveys, the scores of responses are displayed alongside the responses in the
Survey Browser.
● If you wish to revert to the values set in the Customizing activities, click the Reset button in the Override
Question Score window.
● You can indicate whether a question is to be local (one-time only for a survey) or if it is to be global (stored
in the Question Library after creation). The default setting is global.

More Information

7.4.2 Risk Assessments

Use

The Risk Assessments section of the Assessments work center enables you to create activities to be evaluated
for risks and opportunities, such as projects or business processes. These are assigned to risks and
opportunities that you create. Besides specifying risks and opportunities, you can also:

● Analyze the risks and enter the appropriate responses to mitigate these risks.
● Document risks that have occurred (called incidents).
● Define specific risk scenarios.
● Run risk assessment surveys.

Prerequisites

You have been assigned the appropriate roles and authorizations.

Features

In this work center, you can carry out the following functions:

● Manage your risks and opportunities.
You can create and assess a risk or an opportunity, with or without a template. For more information, see
Risks and Opportunities [page 416].
● Manage your risk scenarios.
You can define detailed scenarios with influenced risks and carry out testing and simulation functions for
your risk scenario. For more information, see Scenario Management [page 488].
● Enter responses to risks or opportunities.
A risk response determines what you should do either to prevent a risk from occurring or to limit the risk's
impact if it does occur. For more information, see Creating a Response or Enhancement Plan [page 459].
● Create activities such as business processes, projects or assets, for which you wish to capture risks. For
more information, see Activities [page 477].
● Document risks that have occurred, called incidents, together with the losses incurred for an incident. For
more information, see Incident Management [page 484].

● Create dedicated workflows for risk assessment using the Risk Management Planner [page 499].
● Create and run your own risk assessment reports. For more information, see Risk Assessment Reports
[page 484].

7.4.2.1 Risks and Opportunities

Use

In the Risks and Opportunities section of the Assessments > Risk Assessment work center, you can enter
risks as well as opportunities for your organization. Risks and opportunities are defined as follows:

● A risk is any event that can prevent management from meeting the business goals of an organization.

● An opportunity represents an uncertain event or condition that, if it occurred, would have a positive impact
on business objectives. An opportunity can therefore be regarded as a positive aspect of a risk as defined in
Risk Management.

Both a risk and an opportunity can be defined with or without a template.

Features

Opportunity Management refers to the analysis of opportunities, to be able to make the best possible use of
them. The process involves the following steps:

● Identifying and documenting the opportunities in an organization.


● Analyzing the expected benefits of an opportunity.
● Viewing and understanding any possible trade-offs between risks and opportunities.

When you click the Risk and Opportunity Management link, a query screen opens, displaying all maintained
risks and opportunities. Here you can view all existing risks and opportunities or create a new risk or
opportunity.

For more information, see Creating a Risk [page 416] and Creating an Opportunity [page 454].

7.4.2.1.1 Creating a Risk

Use

After defining a risk classification structure, you can begin creating risks in the Risk Management application.

Prerequisites

The following prerequisites apply before you can create a risk:

● Risk impacts and drivers must be maintained in Customizing. You may also need to make entries in the
Maintain Influence Strength Customizing activity, found under Governance, Risk and Compliance > Risk
Management > Master Data Setup.
● If you want to conduct a risk assessment, the analysis profile must be maintained in Customizing under
Governance, Risk and Compliance > Risk Management > Risk and Opportunity Analysis.
● If you want to add KRIs to your risk, you must have maintained a KRI implementation in the Risk
Management application. For more information, see Creating KRI Implementations [page 386].
● You must maintain a risk classification structure containing individual risk categories in the risk catalog
[page 365].

Procedure

To create an individual risk, proceed as follows:

1. From the Assessments work center, choose Risk Assessments > Risks and Opportunities.
2. In the overview screen that appears, choose Create. You have the following options:
○ You can create a risk with or without a risk template. You create a risk template during risk
classification.

Note

For more information about risk template creation, see Classifying Risks, Opportunities, and
Responses [page 366] and Creating a Risk Template [page 368].

To create a risk from a template, see Creating a Risk from a Template [page 419].

○ You can create a risk in the standard application or using the graphical view. You also have the option to
create a risk with or without a risk template. For more information, see Graphical View Risk Creation
[page 447].
3. If you are creating a risk in the standard application, the Create Risk dialog box appears in which you enter
information in the following tabs:
○ General tab: Enter the name of the event or risk you want to create, as well as the organizational unit
and the risk category used to classify it. The validity period is preset, but you can change it to your
relevant dates.
○ In the lower screen section, you can enter the impacts and drivers that would affect this risk if it
occurred. If so specified, there may be customer-defined fields ready for input displayed in this
tab.
○ Roles: Assign a user or users to the Risk Owner role by choosing the Assign pushbutton.
○ Key Risk Indicators tab: You can enter KRI instances and business rules for a KRI, to use when
evaluating the risk. For more information, see Key Risk Indicators [page 383] and Assigning KRIs to a
Risk [page 391].
In the lower section, you can create a business rule for the Key Risk Indicator in the upper section. For
more information, see Creating a KRI Business Rule [page 393].

Note

The prerequisite for creating a KRI instance is an active KRI implementation, and the prerequisite
for creating a KRI business rule is an active KRI instance.

○ Analysis tab: You can view the history of all past and present risk analyses, and you can also create new
risk analysis data. For more information, see Risk Analysis [page 423].
○ Response Plans tab: You can create a new risk response, assign an existing response, or assign a
control proposal from Process Control. For more information, see Creating a Response or
Enhancement Plan [page 459]. You have the following options:
○ If you have licensed Risk Management, you can create a new response or assign an existing
response. For more information, see Assigning a Response [page 463].
○ If you have licensed Process Control, you can also create a control proposal or policy, or assign a
control or a policy on this tab. For more information, see Using PC Controls [page 466].
After submitting the control, it is displayed in the Response tab of the risk as a response of the type
Control. Note that you must first save the risk.
○ Using the Remove pushbutton, you can delete a response from the list, but only if it has Draft
status.
○ Using the Print Version pushbutton, you can create a print version of the results list in PDF format.
○ On the Risk Incidents tab, you can report new risk incidents (that is, risks that have occurred), or open
existing incidents for further processing. For more information, see Working with Incidents [page 485].
○ On the Influenced Risks tab, you can use the Create Influence Factor button to enter other risks (called
influenced risks) and the corresponding influence factors that may increase or decrease the
probability and/or impact of the influenced risk.

Note

You use the chain of influenced risks in the Risk Management Scenario Analysis and Monte Carlo
simulation. For more information, see Scenario Management [page 488] and Scenario Analysis
using Monte Carlo [page 495].

First enter the influenced risk itself. Then you can define the influence factors for the risk either in
quantitative or qualitative form, but not both.
○ If you define a quantitative evaluation type, you make entries for the evaluation type as follows:
○ Influence factor on impact: You enter a factor value between 0.01 and 999.99. This factor
represents the increase (for a factor greater than 1.00) or decrease (for a factor smaller than
1.00) of the total loss of the influenced risk. The condition is that the primary risk — that you
are currently working with — has already occurred.
○ Influence factor on probability: You enter a factor value between 0.01 and 999.99. This factor
represents the increase (for a factor greater than 1.00) or decrease (for a factor smaller than
1.00) of the probability of the influenced risk. The condition is that the primary risk — the one
that you are currently working with — has already occurred.
○ If you specify a qualitative evaluation type, you can define the influence strength in the Strength
field. Select a value from the dropdown options, which refer to the degree and type of influence of
the primary risk on the influenced risk.

Note

The conversion of the influence strength into individual influence factors on impact and
probability is defined in Customizing (see the Prerequisites section above).

○ On the Underlying Risks tab, you can select and group similar underlying risks defined for lower-level
organizational units.
○ On the Surveys tab, you can display any surveys in which this risk is used. For more information about
surveys, see .
○ On the Issues tab, you can create issues relating to this risk. For more information, see Creating an
Issue for a Risk, Opportunity, or Response [page 482].
○ On the Context tab, you can enter further information relating to issues and contexts. For more
information, see Working with Contexts [page 480].
○ On the Policies tab, you can access the policies that were assigned to this risk in the Response tab. For
more information about assigning a policy as a response to a risk, see:

○ Using a Policy as a Risk Response [page 475]
4. When you are finished maintaining the risk data, you can save it as a draft for further user processing, or
submit it for system processing. When you submit the risk, the status of the risk is changed from Draft to
Active. Note that all mandatory fields must be filled to successfully submit the risk.
If, however, you want to delete a risk that you just created, note that this causes system inconsistency. For
more information, see Deleting a Risk [page 420].

Note

After saving your risk data, you can choose the Print Fact Sheet pushbutton to obtain a document with risk
data in PDF format for printing.
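The influence factors described for the Influenced Risks tab above can be worked through in code. The following Python sketch is an added example, not SAP code: it checks the 0.01 to 999.99 range, enforces "quantitative or qualitative, but not both", and applies the factors to an influenced risk once the primary risk has occurred, using the guide's definition of expected loss (probability percentage x total loss). The strength table, the cap of the scaled probability at 100%, the default of 1.00 for an omitted factor, and all sample risks are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

FACTOR_MIN = Decimal("0.01")    # lower bound stated in the guide
FACTOR_MAX = Decimal("999.99")  # upper bound stated in the guide

# Constructed stand-in for the Customizing conversion of an influence strength
# into (factor on probability, factor on impact). Labels and values are invented.
STRENGTH_TABLE = {
    "Strong increase": (Decimal("2.00"), Decimal("1.50")),
    "Weak increase": (Decimal("1.25"), Decimal("1.10")),
    "Weak decrease": (Decimal("0.80"), Decimal("0.90")),
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability_pct: Decimal  # 0..100
    total_loss: Decimal       # monetary amount

    def __post_init__(self):
        if not Decimal(0) <= self.probability_pct <= Decimal(100):
            raise ValueError(f"{self.name}: probability must be 0..100%")
        if self.total_loss < 0:
            raise ValueError(f"{self.name}: total loss must not be negative")

    @property
    def expected_loss(self) -> Decimal:
        # Expected loss = probability percentage x total loss.
        loss = self.probability_pct / 100 * self.total_loss
        return loss.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class Influence:
    influenced: Risk
    probability_factor: Optional[Decimal] = None  # quantitative form
    impact_factor: Optional[Decimal] = None       # quantitative form
    strength: Optional[str] = None                # qualitative form

    def factors(self) -> tuple:
        """Return (probability factor, impact factor) after validation."""
        quantitative = (self.probability_factor is not None
                        or self.impact_factor is not None)
        if quantitative and self.strength is not None:
            raise ValueError("define quantitative or qualitative, not both")
        if self.strength is not None:
            if self.strength not in STRENGTH_TABLE:
                raise ValueError(f"unknown strength: {self.strength}")
            return STRENGTH_TABLE[self.strength]
        if not quantitative:
            raise ValueError("no influence factor defined")
        # Assumption: an omitted factor is neutral (1.00).
        p = Decimal("1.00") if self.probability_factor is None else self.probability_factor
        i = Decimal("1.00") if self.impact_factor is None else self.impact_factor
        for factor in (p, i):
            if not FACTOR_MIN <= factor <= FACTOR_MAX:
                raise ValueError(f"factor {factor} outside 0.01..999.99")
        return p, i


def apply_influence(influence: Influence) -> Risk:
    """Influenced risk as it looks once the primary risk has occurred."""
    p_factor, i_factor = influence.factors()
    risk = influence.influenced
    # Assumption: a scaled probability is capped at 100%.
    probability = min(risk.probability_pct * p_factor, Decimal(100))
    return Risk(risk.name, probability, risk.total_loss * i_factor)


def scenario_delta(influences) -> Decimal:
    """Additional expected loss over all influenced risks in the scenario."""
    return sum((apply_influence(i).expected_loss - i.influenced.expected_loss
                for i in influences), Decimal("0.00"))


# Constructed sample data: two risks influenced by one primary risk.
SAMPLE_INFLUENCES = [
    Influence(Risk("Supplier outage", Decimal("20"), Decimal("500000")),
              probability_factor=Decimal("2.50"), impact_factor=Decimal("1.20")),
    Influence(Risk("Contract penalty", Decimal("60"), Decimal("100000")),
              strength="Strong increase"),
]

if __name__ == "__main__":
    for infl in SAMPLE_INFLUENCES:
        after = apply_influence(infl)
        print(after.name, after.probability_pct, after.total_loss, after.expected_loss)
    print("Additional expected loss:", scenario_delta(SAMPLE_INFLUENCES))
```
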

7.4.2.1.1.1 Creating a Risk from a Template

Use

You can use a risk template to create a risk with default data maintained for your organizational unit. The risk
template can also have been distributed over several organizational units and can be used in them as the basis
for creating risks.

Prerequisites

A risk template must have been created for use with the new risk.

Procedure

To create a risk using a risk template, proceed as follows:

1. Access the risk creation screen under Assessments > Risk Assessments > Risks and Opportunities
and choose Create > Create with Risk Template in the Risk and Opportunity Management screen. You
can also create a risk with a template using the Graphical View risk creation function. For more information,
see Graphical View Risk Creation [page 447].
2. A dialog box opens with a selection of risk templates and distribution methods to be used.
3. You can filter the selection to find the correct risk template.
4. Select a distribution method to be used from the template. You have two options:
○ Copy: Any risk field can be changed after the template has been copied to the risk.
○ Distribute: Some risk fields are read-only, since they are referenced.
5. Choose the Create pushbutton. A new window with the created local risk appears.
6. Process the risk by entering the necessary information in the tabs. For more information about creating
risks, see Creating a Risk [page 416].
7. After finishing, you can submit or save the risk. In both cases, it appears in the overview list (POWL).

Note

Two columns referring to risk templates are displayed in the overview list:
○ Distribution Method: The risk template data is either copied, and can be changed in the risk, or it is
merely referenced, and the risk template data cannot be changed.
○ Risk Template: The template used to create the risk is displayed.

Result

The values of the template, including the data of customer-defined fields, are copied into the risk.

More Information

● Creating a Risk Template [page 368]


● Distributing a Risk Template [page 369]

7.4.2.1.1.2 Risk Deletion

Use

Sometimes it may be necessary to delete a risk. However, due to time-dependency constraints in the system,
you cannot delete a risk on the same day that you created it.

Features

If you created a risk on the current date and activated it the same day, it cannot be deleted without losing the
ability to track and audit this risk in the Risk Management database. In normal processing, deletion sets the
end of the validity period for the risk to yesterday. However, this is not possible for risks created on the
current date. If you wait one day, then this deletion rule applies.

Note

You can delete a risk with Draft status, but note that it will truly be deleted from the database, without any
auditable trace left in the system.

You have two options:

● Wait at least one day before deleting this risk. Note, however, that this risk remains in the system as a valid
risk, with a validity period lasting just one day.

● If you activated the risk by accident (that is, you did not intend to submit it, but it was submitted
nevertheless), you can contact your system administrator, who can delete your risk in the back-end
system.

7.4.2.1.1.3 Copying Risks

You can copy an existing risk to one or more organization units.

A risk ("source risk") can be copied to multiple organization units ("target organization units") at a time.

If you want the copies of the source risk to share its underlying risks, by default you have the following two
options:

● Reference
The copies of the source risk reference its underlying risks.
● Copy
The underlying risks are copied to the target organization units as well.

You can also enable the further subdivision of the "Copy" option into "Copy To Target" and "Copy To Source".

● Copy To Target
The underlying risks are copied and the copies are assigned to the target organization units.
● Copy To Source
The underlying risks are copied but the copies are assigned to the source organization units.

To do so, enter transaction SM30, open view V_GRPCCUST1, and activate UL_COPY_TO_SOURCE.

7.4.2.1.2 Risk Validation Workflow

Use

The validation of risks by risk managers is an essential task for proper risk management in your company. It
enables risk managers to obtain proper sign-off and confirmation for the current risk situation with respect to
activities such as company processes or new projects.

Prerequisites

Workflow management and personal object worklist (POWL) activities in Customizing under Governance,
Risk and Compliance General Settings Workflow and POWL for Work Inbox must have been carried out.

To be able to create a new risk validation directly from the screen of the corresponding risk, you must
activate this feature in Customizing for Governance, Risk and Compliance under Risk Management > Risk
and Opportunity Analysis > Enable Risk Validation from Risk.

Features

Using the SAP Risk Management Planner, you can trigger a validation workflow for risks entered in the system.
Each risk has the attributes Validated by and Validated on, which are updated after validation. Once you have
accessed your inbox and validated the risk, the validation timestamp refers to the date when the risk was
validated. You see the status with a link to comments, and the name and date of the validator.

The workflow is as follows:

1. The workflow task goes to the risk owner for validation. The task includes the numbers of incidents and
mitigations, and the validator can click these to drill down to their details.
2. The unit risk manager or validator then approves or rejects the risk as follows:
○ If the validator approves the risk, the risk application displays the validation status Approved and the
validation timestamp.
○ If the validator rejects the risk, the validation status changes to Rework.

Activities

There are two ways you can create a new risk validation.

You can create a new risk validation directly on the screen of the corresponding risk, by choosing Save and New
Validation.

Note

You can only do this if you have enabled the feature in Customizing. See the Prerequisites above for details.

Alternatively, you can create a new validation in the Planner as follows:

1. Access the Risk Monitoring work center and then the Planner section.
2. Choose the Planner link and proceed as follows in the next screen:
3. Choose the Create pushbutton to enter the plan name and select the plan activity Perform Risk Validation.
4. Enter a name for the plan and the due date.
5. Choose Next and select the organization with which you are working. Choose Next again.
6. In the step Perform Selection, you can choose to work with all risks or limit the selection to one risk or to
specific risks by entering various attributes.

Note

You can see the risks with the defined workflow recipients (in this case, these are the risk owners) by
choosing the Show Detail pushbutton.

7. After choosing Next again, you are in the Review step. You can now choose the Activate Plan button, after
which you receive confirmation that the plan has been saved and activated.
8. Choose Finish to end the guided procedure or choose Create New Plan if you want to create another plan.
If you choose Finish, your plan is displayed in the list of plan activities.

7.4.2.1.3 Risk Analysis

Use

Risk analysis involves analyzing your risks to determine the impact and probability of a potential risk occurring.
The Analysis tab on the Risk application provides users with the flexibility of defining the type of analysis
performed, either qualitative or quantitative, depending on the nature of the risk event. The outcome is the
determination of the risk level (probability level X impact level).

Note

Risks that are initially analyzed are called inherent risks. After analysis and response/mitigation of the risk,
the term residual risk [page 424] is used to denote the degree of risk left.

Prerequisites

Drivers, impacts and analysis data from Customizing must exist before you can analyze a risk. For further
prerequisites, see Creating a Risk Analysis [page 427].

Features

You can carry out the following types of risk analysis:

● Qualitative
This analysis includes determining the risk level on the basis of the probability and impact levels of the risk.
The result of the analysis is a qualitative view of the risk level, such as high, medium, and low.
● Quantitative
Using this analysis form, you can assess the probability of a risk happening using percentage values and
the impacts per impact category assigned to the risk. The analysis results include the expected loss, total
impact, and risk level, which is based on the total loss and probability values.
○ Three-point analysis
This type of quantitative analysis is based on the range of Total Loss Values (Minimum Loss, Average
Loss, and Maximum Loss).

● Scoring
This analysis method enables you to enter impacts and probability as numeric values. For more
information, see Risk Analysis Using Scoring [page 432].

More Information

For more information about working with risk analysis, see:

● Creating a Risk Analysis [page 427]


● Collaborative Risk Assessment [page 438]

7.4.2.1.3.1 Residual Risk Calculation

Use

All companies face a variety of internal and external risks that can impact the success of their business
strategies, goals, and objectives, as a part of doing business. You can proactively manage risks using the
following four-step process:

1. Planning
2. Risk identification and assessment
3. Risk response
4. Monitoring

Carry out these steps to gain better visibility into your organization's risk exposure.

Features

By carrying out the above four steps, you perform and consolidate the analytical results of a risk analysis. The
risk analysis is an assessment of the likelihood that the risk is going to occur, and of the impact to the company
if the risk occurs. The result of the risk analysis is also referred to as the risk exposure.

If the risk exposure is unacceptable, you can document risk responses, which are aimed at reducing the
likelihood that the risk will occur or lowering the impact of the risk if it occurs (this is called risk mitigation
[page 453]). Examples of risk responses include actions to reduce the risk, control the risk with internal
policies and processes, transfer the risk to third parties, or accept or watch the risk.

Once a response has been implemented, you can then carry out a second risk analysis, showing the mitigated
probability and impact of the risk, whose values should be lower than those in the initial risk analysis. This new
risk analysis information is referred to as the residual risk exposure.

Residual risk calculation deals with the influence that responses have on the risk exposure. The change in the
risk exposure from the initial exposure to the residual exposure depends on a number of factors related to the
individual risk responses. Furthermore, the effect of the response on the risk exposure changes over time, is
subject to synergistic effects, and may depend on how much of the response has been implemented and on
how effective the response is.

To solve this problem, the influence of the response on the risk exposure can be considered as the result of the
following three independent factors:

● Mitigating reduction: This refers to the mitigating reductions of all the responses associated with the risk
when applied to the initial analysis. The result is the calculated residual risk analysis.
● Completeness of the response: Describing how much of the response has been implemented, this value is
calculated together with the effectiveness of the response.
● Effectiveness of the response: These figures are maintained by response owners, independently of the
actual risk analysis, describing how effective a particular response is at reducing a risk.

Once the responses have been entered, the system calculates both the actual and target residual risk
exposure. After the responses have been implemented and completed, the planned residual risk level should be
low.

Taken together, these steps enable the continuous evolution of the residual risk analysis based on the ever-
changing effectiveness and completeness of the responses. The final result is the calculation of the actual
residual risk exposure.

The final step in the process is to monitor the risk exposure on an ongoing basis. This includes the ongoing
calculation and recalculation of the actual and planned (target) residual risk, based on the response
effectiveness, completeness, and mitigation reduction values.

7.4.2.1.3.2 Background Information on Risk Analysis

Concept

Carrying out a risk analysis means taking different factors into consideration, in particular the Customizing
settings involved. These can vary greatly, depending on the type of risk analysis you want to carry out.

Prerequisites

You must make several GRC Customizing settings, the most important of which are in the activity Maintain
Analysis Profile, found under Risk Management > Risk and Opportunity Analysis. For more information
about prerequisites, see the linked topics below.

Structure

The following table provides an overview of the most important risk analysis fields and how to use them. The
Customizing settings referred to are those made in the Customizing activity Maintain Analysis Profile:

| Field | Available Options | User Action / Results |
|---|---|---|
| Probability | Quantitative | The user enters the percentage probability; the probability level and the score are calculated using the Customizing settings. |
| | Qualitative | The user selects a probability level from the dropdown options; the score and probability percentage are calculated using the Customizing settings. |
| | Scoring | The user enters the score and the probability level; the probability percentage is calculated using the Customizing settings. |
| | Disabled | The Probability field is not displayed in the analysis application. Note: If the probability is disabled, the risk score equals the total impact, and the risk level corresponds to the following formula: Impact level x highest probability level value (at least one probability level must be maintained in Customizing). |
| Impact Allocation | Quantitative | The user enters the amount (in the currency of the organizational unit or in the maintained unit of measure); the probability level and the score are calculated using the Customizing settings. |
| | Qualitative | The user selects a probability level from the dropdown options; the score is calculated using the Customizing settings. |
| | Scoring | The user enters the score; the probability level is calculated using the Customizing settings. |
| Impact Aggregation | Customizing setting | In the Analysis Profile (Customizing), you define how a particular impact analysis is aggregated into the overall risk impact – sum, average, or maximum aggregation. |
| | Application: Overwrite checkbox | Aggregated values can be overwritten by the user. |
| | Total loss | The total loss is calculated by the system using all quantitative impacts. |
| | Expected loss | The expected loss is calculated by the system, using the probability percentage X the total loss. |
| Analysis Comment | User-defined text | The user can enter a text-based comment on the overall risk analysis. |
| Risk Level | Calculated by the system | The risk level is calculated by the system from the impact level and the probability level. |
| Risk Score | Calculated by the system | The risk score is calculated from the probability and impact scores using the aggregation type specified in Customizing. |
| Risk Priority | Calculated by the system | The risk priority is calculated by the system using the speed of onset and the risk level. |

More Information

● Creating a Risk Analysis [page 427]


● Risk Analysis Using Scoring [page 432]

7.4.2.1.3.3 Creating a Risk Analysis

Use

You can carry out a risk analysis both for a risk you have just created and for an existing risk.

Note

To carry out a collaborative risk analysis involving the participation of several risk managers or users, see
Collaborative Risk Assessment [page 436] and Creating a Collaborative Risk Assessment from a Risk [page
440].

Prerequisites

The following Customizing activities must be carried out before you can carry out a risk analysis:

● Shared Master Data Settings, Risk, and Opportunity Attributes:


○ Maintain Impact Categories
● Risk Management Master Data Setup:
○ Maintain Impact Levels
● Risk and Opportunity Analysis:
○ Define Three-Point Analysis
○ Maintain Speed of Onset
○ Maintain Probability Levels
○ Maintain Probability Level Matrix
○ Maintain Risk and Opportunity Level Matrix
○ Maintain Analysis Profile

Procedure

To carry out a risk analysis, proceed as follows:

1. Choose Assessments > Risk Assessments > Risks and Opportunities. In the Risk and Opportunity
Management screen, create a new risk or select an existing risk by clicking on its name in the Risk /
Opportunity column.
2. Make sure that risk impacts for the selected risk have been maintained in the lower screen section. After
saving, these are also listed in the Analysis tab of the risk.
3. Choose the Analysis tab. If no analysis exists, choose Create Analysis or Create Collaborative
Assessment.
4. If you choose Create Analysis, you see the following screen sections:
○ Analysis section: Here you can create a new analysis for this risk as described below.
○ Analysis history section: See Historical Risk Analysis Report [page 435] for further information.
○ If you choose Create Collaborative Assessment, you receive a list of all users, or contributors
who are collaborating on assessing the risk, together with further data about the assessment. You can
continue to modify the list and the data up until you submit the collaborative risk assessment.
5. Analysis section: You can see all the analyses that were run up until now.

Note

You cannot make any changes to analyses that have already run.

Depending on the settings made in Maintain Analysis Profile in Customizing under Governance, Risk and
Compliance > Risk Management > Risk and Opportunity Analysis, you see the following column headers:

| Column | Meaning |
|---|---|
| Analysis Type | The following analysis types exist: Inherent (the overall risk before response); Residual (the overall risk after response); Planned residual (the residual risk after mitigation, assuming full effectiveness and completeness of all implemented risk responses). Note: If impact reduction in the Analysis Profile activity in Customizing is switched on, you should enter values for the inherent risk. The residual and residual planned risk values are calculated using the responses assigned to the risk. If impact reduction is not switched on in the Analysis Profile, you must enter the inherent and residual risk data manually. |
| Probability % | Quantitative: You enter a percentage probability up to 100%. |
| Probability Level | Textual description of levels defined in Customizing. |
| Probability Score | You enter a numeric score, limits defined in Customizing. |
| Speed of Onset | The speed of onset refers to the time horizon in which you expect the risk to occur. This time horizon changes over time, becoming less as the risk event comes nearer. |
| Speed of Onset (SoO) Score | The score for the speed of onset is determined as per the Customizing settings. The longer the speed of onset, the higher the score. |
| Total Loss | The total loss in monetary terms, per type of risk. See Expected Loss below. |
| Impact Level | An estimation of the consequences of a particular risk on the basis of a configurable scale. This scale can range, for example, from insignificant to catastrophic. |
| Impact Score | A value that expresses the impact or impact level, defined in Customizing. |
| Expected Loss | The expected and total loss are calculated only if there is at least one quantitative impact. |
| Risk Level | The degree of the risk, based on the probability and impact data. |
| Risk Score | A score calculated from the probability score and the impact score using the risk score aggregation method defined in Customizing. |

6. Click the Total Loss link. The Impact Allocation screen section opens below.
7. Make settings in the Impact Allocation section. Depending on what you select here, the fields that are
displayed may differ.

Note

The conversion from quantitative to qualitative impact is carried out using the settings made in
Customizing for Analysis Profile.

The risk thresholds are defined for impacts within an organization. For more information, see Working
with Organizational Units [page 343].

8. First make settings for the impact values to be used with this risk analysis. For this, select an Analysis
Method from the dropdown options. For example, if you select the Quantitative analysis method, you enter
the impact in the Impact column.

| Analysis method | Fields ready for input |
|---|---|
| Quantitative | Impact amount (dependent on unit of measure) |
| Qualitative | Impact level (text-based), as defined in Customizing |
| Scoring | Impact score |
| Three-Point Analysis | Best case, average case, worst case monetary values |

9. In the Impact Level column, you can see the impact level that was calculated using the values entered
previously, according to the Customizing settings. Depending on the analysis method selected, this is
either calculated by the system or entered manually.
10. Below this, you can set the Overwrite Overall Impact indicator if necessary. This enables you to overwrite
the impact level and score, depending on the analysis method selected above. The impact level is derived
from the impact score and is displayed below it.
11. Finally, enter the unit of measure to be used for impact calculation.
12. Save the analysis data for the risk.

More Information

Risk Analysis Using Scoring [page 432]

7.4.2.1.3.3.1 Quantitative Risk Analysis

Use

The quantitative risk analysis method is used to quantitatively analyze the likelihood of risk occurrence and the
potential impacts, so that you can determine which follow-up actions, such as risk responses, are required.

Prerequisites

Impact levels and risk analysis attributes must be defined in Customizing under Governance, Risk and
Compliance > Risk Management > Risk and Opportunity Analysis, and impacts must be defined for a risk.

Procedure

To create a quantitative risk analysis:

1. Go to Assessments > Risk Assessments > Risks and Opportunities and select the risk you want to
analyze by clicking on its name in the Risk / Opportunity column.
2. In the Analysis tab of the risk screen, choose the Create New Analysis pushbutton.
3. Select the date from which the analysis is to be valid and choose OK.

Note

An analysis cannot be created for a date in the past.

4. The Analysis tab contains an analysis of the inherent risk, which is valid from the date you specified.
Depending on the analysis profile set in Customizing, you can overwrite the probability percentage or the
impact of the risk. If it contains a value, the expected loss is now updated in the corresponding column.
5. Choosing a line of the inherent risk and clicking a linked Total Loss or Impact Level column of the risk leads
to the Impact Allocation section displaying below it.
6. If necessary, use the dropdown options to change the Analysis Method to Quantitative.
7. Enter the impact and change the unit of measure if necessary. You can see the total loss in the column to
the right. If you have set the scoring approach, the system calculates the qualitative impact level, and the
impact score is calculated according to the formula Impact x Probability (%) = Impact Score.
8. Carry out the above step for each impact and then save the risk.
9. The Impact Score column now contains the aggregated total of all scores for this risk, and for all specified
analysis methods.

Note

If the Mitigation field in the Analysis tab has been activated in the back-end, you can see all of the mitigation
results for the responses to the selected risk, including the calculated sums for probability and for
particular impacts. For more information, see Risk Mitigation [page 453].

More Information

Risk Analysis Using Scoring [page 432]

7.4.2.1.3.3.2 Risk Analysis Using Scoring

Use

The scoring method of risk analysis enables risk managers to use a point-based system to assess the risks of
their organization.

The system assesses the drivers and impacts you define, either qualitatively, with results translated into point
values, or quantitatively without conversion into currency. The results of the scoring approach are the defined
risk score and risk level. The following types of scores are calculated and then combined into an overall score:

● Speed of onset score, set in Customizing
● Probability score, set in Customizing
● Risk score, calculated in the RM application

Prerequisites

The following Customizing activities under Governance, Risk and Compliance must be carried out before
scoring can be used:

● Maintain Impact Levels, under Risk Management > Master Data Setup
● Maintain Speed of Onset, under Risk Management > Risk and Opportunity Analysis
● Maintain Probability Levels, under Risk Management > Risk and Opportunity Analysis
● Maintain Analysis Profile, under Risk Management > Risk and Opportunity Analysis

Note

The risk score calculation method differs if the probability is enabled in the Maintain Analysis Profile
Customizing activity.
○ If the probability is enabled, the risk score = probability X impact.
○ If the probability is disabled, the risk score = sum of all impact values.

Features

Using RM scoring methodology, you can carry out the following types of risk analyses:

● Qualitative Risk Analysis Using Scoring [page 434]
● Quantitative Risk Analysis Using Scoring [page 433]
● Collaborative Risk Assessment [page 436]

7.4.2.1.3.3.2.1 Quantitative Risk Analysis Using Scoring

Prerequisites

● The Maintain Analysis Profile Customizing activity, found under Governance, Risk and Compliance > Risk
Management > Risk and Opportunity Analysis, must have the following settings:
○ Probability and Impacts must be set at Quantitative.
○ The aggregation method for impacts and the risk score should be set at Summation.
○ The Expected Loss and Scoring checkboxes must be selected.
● You must maintain the Customizing activity Maintain Risk and Opportunity Level Matrix.

Context

Using the scoring method, you can carry out a quantitative risk analysis using a user-defined, point-based
approach.

Procedure

1. Open a risk you have created with drivers and impacts, as follows: go to Assessments > Risk Assessments >
Risks and Opportunities, and click on its name in the Risk / Opportunity column.
2. From the Analysis tab of the risk screen, choose Create Analysis.
3. Select the date from which the analysis is to be valid and choose OK.
4. The Analysis tab now contains an analysis valid from the date you specified. Enter the probability
percentage of the inherent risk by overwriting the zero value. The expected loss, as a percentage of the
total loss, as well as the risk level, are updated in the corresponding columns.
5. Choosing an inherent risk by placing the cursor on its line and clicking a linked Total Loss or Impact Level
leads to the Impact Allocation section appearing below. Here you can do the following:
○ You can select another analysis method for an impact, as defined in Customizing.

○ You can change the respective impact amount for quantitative analyses, the score for the scoring
analysis type, or the impact level for the qualitative analysis type.
○ You can change the unit of measure.
6. If necessary, use the dropdown options to change the Analysis Method to Quantitative.
7. Now enter the impact. You can see the changed total loss in the column to the right.
8. Save the risk.

7.4.2.1.3.3.2.2 Qualitative Risk Analysis Using Scoring

Use

A qualitative risk analysis is carried out using a text-based analysis evaluation. For example, the impact level of
a risk can be minor, major, or catastrophic. To have the system translate the qualitative values into quantitative
values, you can use the scoring method. The system converts the entered probability levels into the
corresponding number of scoring points, as defined in the Customizing activity for probability levels. The
following steps are carried out in this process:

● The system calculates the total impact for the risk based on the aggregation method defined in the
Customizing activity Maintain Analysis Profile, found under Governance, Risk and Compliance > Risk
Management > Risk and Opportunity Analysis.
● The system identifies the overall impact level based on the risk thresholds defined for the organizational
unit.
● The system derives the risk level based on the probability and impact levels defined in Customizing.
● The system calculates the risk score according to the Customizing settings made for risk score
aggregation.

Prerequisites

Impact levels and risk analysis attributes must be defined in Customizing, and impacts must be defined for
each risk to be analyzed. Impact levels are found under Governance, Risk and Compliance > Risk
Management > Master Data Setup.

Procedure

To create a quantitative risk analysis, proceed as follows:

1. Go to Assessments > Risk Assessments > Risks and Opportunities and click on the name of the risk in
the Risk / Opportunity column.
2. From the Analysis tab of the risk screen, choose the Create New Analysis pushbutton.
3. Select the date from which the analysis is to be valid and choose OK.

4. The Analysis tab now contains an analysis valid from the date you specified. You can overwrite the
probability percentage of the inherent risk if necessary. The expected loss is now updated in the
corresponding column.
5. Place the cursor in a line of the inherent risk and click the linked Total Loss or Impact Level so that the
Impact Allocation section appears below.
6. If necessary, use the dropdown options to change the Analysis Method to Qualitative. The impact level
column is now displayed in qualitative (text) form. You can select another impact level from the dropdown
options. The impact score changes accordingly.

7.4.2.1.3.3.3 Historical Risk Analysis Report

Use

In the Analysis history section of the Analysis tab, you can see a graphical display of the analysis. You can
specify how you want to view the risk analysis by selecting from one of the following dropdown options:

● By probability of the risk happening, or by a text-based probability level (certain, likely, and so on)
● By impact score (point-based) or impact level (text-based)
● By risk score (point-based) or risk level (text-based)
● By the total or expected financial loss that is incurred if the risk happens

Prerequisites

You must have created at least one risk analysis to obtain historical risk data.

Procedure

To run a historical risk analysis report:

1. Go to Assessments > Risk Assessments > Risks and Opportunities and click on the name of the risk in
the Risk / Opportunity column.
2. In the Analysis history section in the Risk Analysis tab of the risk, choose the Start Report pushbutton.
3. A new subscreen opens with further analysis data that you can enter. Enter the dates to be used and if
necessary, the user assessing the data. After choosing the Go pushbutton, a list of historical risk data is
displayed.
4. The data displayed in the report varies, depending on the risk analysis data used.

7.4.2.1.3.4 Collaborative Risk Assessment

Use

Collaborative risk assessment enables more than one risk manager or risk owner to participate in a risk
assessment for one or more risks. This is a workflow-driven activity triggered by the . The individual
assessments are later consolidated into a single analysis for the risk, either automatically or with the help of
the reviewing user.

Collaborative risk assessment recipients and consolidators are determined based on business events (agent
slots) linked via workflows. In this way, risk recipients can determine which risks are in scope for the
collaborative assessment work.

● You can create a collaborative risk assessment from the Analysis tab of the risk, or by using the Planner. For
more information, see Risk Management Planner [page 499] and Creating a Collaborative Risk
Assessment from a Risk [page 440].
● Collaborative risk assessments can be carried out using surveys, which you can use to determine the
probability and impact of specific risks. For more information, see .

Note

You must use the Valuation method to carry out a survey.

Prerequisites

The following GRC Customizing activities must be carried out:

● Maintain Custom Agent Determination Rules, under General Settings > Workflow.
● Maintain Entity Role Assignment, under General Settings > Authorizations.

Furthermore, the contributors of the collaborative risk assessment must be defined in the Roles tab of the
organizational unit.

Features

Participants of collaborative risk assessment can assess a risk by using:

● A quantitative assessment of the probability and impact.
● A qualitative assessment of the probability and impact.
● The scoring method, which involves numeric-based evaluation.
● A survey with valuation.

The collaborative risk assessment process has the following steps:

1. The risk manager or risk owner determines whether an assessment is to be carried out for an inherent risk
or a residual risk. For more information about the types of risks that exist, see Risk Management
Terminology [page 40].

Note

The GRC Customizing settings in the activity Maintain Analysis Profile, under Risk Management >
Risk and Opportunity Analysis, determine whether the risk assessment conducted is for an inherent
or a residual risk:
○ If the Impact Reduction setting is enabled in the analysis profile, only inherent risks can be
assessed.
○ If Impact Reduction is disabled, then both inherent risks and residual risks can be assessed.

2. Depending on the level of authorization, the risk manager or risk owner can carry out the following tasks:
○ Determine the risks that are in scope for a collaborative assessment.
○ Activate and trigger the workflows for the collaborative assessment to the workflow recipients.
3. As part of the workflow, you receive the results notification for each response, or after all responses have
been completed. After receiving the workflow item, a workflow recipient completes the collaborative
assessment workflow. When the assessment is submitted, the workflow item is no longer displayed in the
recipient's work inbox.

4. The risk manager or owner provides consolidated reporting on the applied results across all risks and
opportunities for an organizational unit. The consolidator can monitor the progress via monitoring in the
work inbox.
5. The risk manager reviews the assessment results for a risk and can use a predefined aggregation method,
the weighted average, to calculate the results or to override the values. The system-based calculated
averages are summed to equal 1. The risk manager then applies the assessment results to the current
risk analysis.
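
The weighted-average consolidation from step 5, as an added Python sketch (not SAP code): the weights of the included contributors are rescaled so that they sum to 1, excluded participants are ignored, and a changed weight can be simulated before anything is stored. The class, function and contributor names and all sample values are constructed, and the equal default weight is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Assessment:
    """One contributor's answer for a single risk (all values constructed)."""
    contributor: str
    probability: float      # probability in percent
    impact_score: float     # impact score in points
    weight: float = 1.0     # relative weight entered by the consolidator (assumed default)
    excluded: bool = False  # contributor excluded from the consolidation


def normalized_weights(assessments):
    """Rescale the weights of the included contributors so that they sum to 1."""
    included = [a for a in assessments if not a.excluded]
    if any(a.weight < 0 for a in included):
        raise ValueError("weights must not be negative")
    total = sum(a.weight for a in included)
    if not included or total <= 0:
        raise ValueError("need at least one included contributor with a positive weight")
    return {a.contributor: a.weight / total for a in included}


def consolidate(assessments):
    """Weighted average of probability and impact score (the overall result)."""
    weights = normalized_weights(assessments)
    included = [a for a in assessments if not a.excluded]
    return {
        "probability": sum(weights[a.contributor] * a.probability for a in included),
        "impact_score": sum(weights[a.contributor] * a.impact_score for a in included),
    }


def simulate(assessments, contributor, new_weight):
    """Recalculate with one changed weight without touching the stored answers."""
    changed = [
        Assessment(a.contributor, a.probability, a.impact_score,
                   new_weight if a.contributor == contributor else a.weight,
                   a.excluded)
        for a in assessments
    ]
    return consolidate(changed)


# Constructed sample answers from three contributors; carol counts double.
SAMPLE = [
    Assessment("alice", probability=40, impact_score=3),
    Assessment("bob", probability=60, impact_score=5),
    Assessment("carol", probability=20, impact_score=2, weight=2),
]

if __name__ == "__main__":
    print("overall:", consolidate(SAMPLE))
    print("bob weighted 3:", simulate(SAMPLE, "bob", 3))
```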

More Information

Creating a Collaborative Risk Assessment [page 438]

7.4.2.1.3.4.1 Creating a Collaborative Risk Assessment

Use

Collaborative risk assessment involves sending surveys to several participants. You can carry out collaborative
risk assessment with and without surveys. Furthermore, you can create a collaborative risk assessment from
the Analysis tab of the risk, or using the Planner functions. If you create a collaborative risk assessment from
the Analysis tab, you no longer need to create a separate plan for it.

Note

For more information, see Creating a Collaborative Risk Assessment from a Risk [page 440].

You can carry out a collaborative risk assessment in one of the following ways:

● Online: By processing a work item sent to a user's work inbox.
● Offline: By receiving an e-mail with an interactive Adobe PDF form attached to it, which you return to the
sender after filling it out.

Note

The procedure below describes the creation of a collaborative risk assessment using the Planner. For more
information, see Risk Management Planner [page 499].

Prerequisites

The following prerequisites apply:

● You must define the contributor and consolidator roles, either in the Organizational Unit or the Risk screen.
● RM Customizing activities for risk analysis must be carried out. For more information, see the Prerequisites
section of Creating a Risk Analysis [page 427].

● The following GRC Customizing activities for workflow enabling must be carried out:
○ Define Probability and Maximum Score, under Common Component Settings > Surveys
○ Perform Automatic Workflow Customizing, under General Settings > Workflow
○ Perform Task-Specific Customizing, under General Settings > Workflow

Procedure

To create a collaborative risk assessment using the Planner:

1. Call Assessments > Assessment Planning > Planner.
2. Choose the Create pushbutton. A Guided Procedure displays.
3. Enter the plan name and select the plan activity Perform Collaborative Risk Assessment from the dropdown
options. Alternatively, you can select Perform Collaborative Risk Assessment via Survey if you want to use a
survey for the assessment.

Note

If you want to have the survey sent to you via e-mail, select the Delivery: Via E-Mail checkbox.
Otherwise, the survey is sent to your work inbox.

4. Specify the following mandatory data:
○ Period to be assessed
○ Year
○ Start date
○ Due date
5. Enter the date on which the analysis is to be run (Analysis Date).

Note

You can create only one analysis per risk for a given date. If you create another analysis for the same
risk on the same day, the analysis must be run on a different date.

6. Choose Next and select the organization to be assessed.
7. In the Select Objects step, you have the following selection options:
○ Select all risks
○ Select by risk attributes
○ Select specific risks
8. In the Review step, you can check the risks that were selected by using the View Objects pushbutton. You can
choose to display all objects, or only the objects without recipients.
9. Choose the Activate Plan pushbutton to confirm that your plan was saved. By choosing Finish, you add the
plan to the list of plans in the Planner.
10. If you want to check any possible warnings or errors that occurred when the plan was running, return to the
overview list after the plan is completed and call up the plan again. In the Events tab, you can see a list of
any and all messages that the system has about the execution of this plan.

Result

You have scheduled the collaborative risk analysis and started the corresponding workflow.

7.4.2.1.3.4.2 Creating a Collaborative Risk Assessment from a Risk

Use

You can create a collaborative risk assessment from the Analysis tab of a risk, instead of using the Planner.

Note

If you create a collaborative risk assessment from a risk, you cannot use the Planner Monitor to keep track
of the status of the collaborative risk assessment. For the consolidator and the contributor(s), the only
means of tracking is through each participant's My Home > Work Inbox.

Prerequisites

The same prerequisites apply as for Creating a Collaborative Risk Assessment [page 438].

Procedure

Proceed as follows:

1. Go to Assessments > Risk Assessments > Risks and Opportunities and click on the name of an existing
risk in the Risk / Opportunity column.
2. In the Analysis tab, choose Create Collaborative Assessment.
3. In the dialog box that appears, enter the valid-from date and specify whether the collaborative assessment
should be carried out using a survey. If you select this checkbox, the Survey Template field appears below
it. Here, select a survey from the dropdown options.
4. Select the user who is to be the consolidator of the collaborative risk assessment.
5. In the lower section, you can add or delete the users who are the contributors to this collaborative
assessment.
6. Choose OK. Now the application displays a new pushbutton called Collaborative Assessment Details.
7. If you choose this pushbutton, a new dialog box appears in the lower section, with the entire set of
collaborative assessment data for each contributor (assessor).
8. Choosing the link in a line opens up the read-only impact allocation section below it. You cannot make any
changes here. The assessment data is sent to you, either as a work inbox item or as an e-mail attachment
containing an interactive PDF to fill out.

9. You can change the display type by selecting either Tabular or MARCI in the View field.
10. By choosing the Calculate pushbutton, you can have the system recalculate the changed data.
11. When finished, choose the Close pushbutton and save the changed risk data.

7.4.2.1.3.4.3 Consolidating Collaborative Risk Assessment Results

Use

After a risk has been assessed (either directly or via a survey) and the results have been returned, the risk
manager needs to consolidate them.

The results can be displayed in table form or graphical form. The risk manager carrying out the consolidation
can do the following:

● Review the answers that were provided.
● Look at the calculation of the expected risk assessment results based on participant answers.
● Overwrite or change the aggregated results if needed, for example, with respect to participant weighting,
and store the results in the final risk analysis.
● Exclude participants if necessary.

Procedure

To consolidate the risk assessments of several participants:

1. From the My Home work center, call the Work Inbox and open the work item Consolidate Collaborative Risk
Assessment. Each line contains a link to a risk, which reaches the inbox after all participants have finished
entering their data or after a work item has been canceled.
2. The collaborative risk assessment consolidation screen appears. Here you can see all the participants who
responded to the assessment, as well as the participants who were excluded during the execution.

Note

If you are in the Analysis tab of the risk, you can also choose the Collaborative Risk Assessment Details
pushbutton to access this screen.

3. In the View field, you can switch the display from a table form to a MARCI chart. This provides you with a
graphical display of the individual users, each represented by a colored bubble, as well as a blue Overall
bubble. Each bubble reflects the rating given by a respondent for a risk.
4. From among the dropdown options of the Risk field, you can choose one of the following:
○ Inherent and residual risk
○ Only inherent risk
○ Only residual risk
5. You can customize and work with the output of the risk assessment as follows:
○ Select the display options for this view. For example, for the graphical display, you can specify that you
want to see the risk level on the y-axis.

○ In the graphical display (MARCI chart), you can see the risk assessments for all the participants.

Note

The blue bubble represents an average value.

○ You can carry out simulations by changing the weighting of an assessment in the Weight column and
then choosing the Calculate pushbutton at the top right of this screen.
6. Choose the Submit pushbutton to store the results and conclude the workflow.
7. To see the overall result, call up the graphical representation again. You can access the results at a later
date from the Analysis tab of the Risk screen, where the results are displayed in updated form.
8. When done, choose the Close pushbutton.

Result

The collaborative analysis data is now stored for this risk and the item has been removed from the work inbox.

7.4.2.1.3.4.4 Workflow for Collaborative Risk Assessments

Use

When users create collaborative risk assessments, two modes of processing are available. In the Online
processing mode, a work item is sent to a user's work inbox. If you are the risk owner, you can access the
results in your work inbox after all participants have provided feedback, or if the work item was canceled.

Prerequisites

See Creating a Collaborative Risk Assessment [page 438].

Activities

The steps are as follows:

1. Go to Assessments > Risk Assessments > Risks and Opportunities, and click on the name of the risk in
the Risk / Opportunity column. In the Analysis tab of that risk, choose the Collaborative Assessment Details
pushbutton.
2. In the window that appears, you can see the processors and contributors to this risk assessment. These
users receive a work item in their work inbox.
3. Open your work inbox and call the work item for processing. There are three different types of work items:
○ Monitoring the progress of work items: Here you can exclude contributors if necessary.

○ Performing the risk assessment itself.
○ Consolidating the risk assessment data.
4. In the window that appears, choose the corresponding work item. For the risk assessment data, you can
overwrite the values as necessary. When finished, select the Completed checkbox and then choose the
Submit pushbutton.
5. You return to the overview screen. After you choose Refresh, the item is no longer displayed in the list.
6. If you are using a survey, choose the corresponding items to access a window in which you enter answers
and add comments relating to your risk assessment.
7. By choosing a work item for consolidation, you access the consolidation screen, where you can complete
the assessment data and change the weighting data in the right-hand column.
○ You can change the impact scores for each contributor or assessor, and the result is then reflected in
the Overall line.
○ If one participant has more knowledge than another, for example, that person can receive a higher
weighting.
8. When finished, choose the Complete pushbutton to finish the process.

7.4.2.1.3.5 KRI Driven Analysis

Use

The KRI driven analysis feature allows you to perform risk analysis based on key risk indicators (KRI). You can
link risk probability to number-type KRI instances, and risk impact to currency-type KRI instances. Risk
probability and impact can then be calculated automatically by the KRI runtime.

Prerequisites

● You have set up the analysis profile under SPRO > Governance, Risk and Compliance > Risk Management >
Risk and Opportunity Analysis > Maintain Analysis Profile.
● You have activated the KRI evaluation type under SPRO > Governance, Risk and Compliance > Risk
Management > Master Data Setup > Activate Risk and Opportunity Types.
● You have maintained the necessary KRI IMG settings under SPRO > Governance, Risk and Compliance >
Risk Management > Key Risk Indicators.
● You have created manual KRI instances.

Procedure

You can perform KRI driven analysis on a risk through the following steps:

1. Go to Assessments > Risk Assessments > Risks and Opportunities, and create a new risk or open an
existing risk from the list.

2. In the Analysis tab, choose Create Analysis to create an analysis for the risk.

Note

You must maintain the risk thresholds for the organization before you can create an analysis. For more
information, see Entering Risk-Specific Organization Data [page 345].

3. Go to the Risk Evaluation tab and choose Create New KRI Evaluation. A list of risk factors is displayed.
Click on the link icon in the KRI column, select a KRI instance from the popup list and choose OK. The KRI
instance is now linked to the risk factor.
4. Select the Automatic or Manual analysis update mode and choose Update Analysis. The KRI values are
propagated to the analysis.
5. Save the risk.

More Information

Managing KRI Value Inputs [page 396]

7.4.2.1.3.6 Analysis Automation: Integration with EH&S

Use

Some enterprise risks are related to environmental and worker safety. SAP has a separate solution,
Environment, Health and Safety Management (EH&S), where such risks can be processed by the solution-
specific mechanisms absent in operational risk management. Integrating EH&S using analysis automation
allows you to track all enterprise risks using one application (Risk Management).

Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their
probability and severity values, and copying those values to the corresponding analysis parameters according
to rules predefined in Customizing.

Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk
analysis. EH&S risk assessments are intended to be processed by an EH&S manager or other responsible user.
Risk managers can use a specific report that runs in the background to track the current probability and impact
levels of the EH&S-related risks that they create (see prerequisite number 9 below).

Prerequisites

Before using analysis automation (integration with EH&S), ensure that the following conditions have been met:

1. The remote system (EH&S) is known, and the logical system has been created for it (transaction SM30,
record in view V_TBDLS).
2. The user is authorized to create risk assessments in the EH&S remote system, and the user's logon
credentials are known.

3. Log object GRRM and log sub-object ANLS_AUTOMATION have been created (transaction SLG0).
4. The RFC destination for the EH&S remote system has been created.
5. RM and EH&S probability and severity level values have been mapped in Customizing under Risk
Management > Risk and Opportunity Analysis > Map Probability and Severity Values from EH&S and RM.
6. Context dimensions have been created for the EH&S agent, EH&S work area, and material in Customizing
under Risk Management > Risk and Opportunity Analysis > Map Probability and Severity Values from
EH&S and RM. Use dimension types EHSAGENT, EHSWA, and MATERIAL within the logical system
mentioned in step 1 and the RFC destination created in step 4.
7. Context dimensions have been assigned to a risk and risk category entity in Customizing under Risk
Management > Master Data Setup > Assign Dimension to Entity. Assign the dimensions created in step 6
to the entities RISK and CRGROUP.
8. Context dimensions have been set as allowed for the risk category you will use when creating a risk. In the
Risk Management application, go to Master Data > Risks and Responses > Risk Catalog. Open the
desired risk category, go to tab Allowed dimensions, and add the dimensions created in step 6.
9. You have scheduled the report GRRM_ANLS_AUTOM_STATUS_UPDATE to run with a period of 1 hour.

Process

1. In the Assessments work center, open Risk and Opportunities.
2. Create a new risk [page 416].
3. Enter the risk name and specify the risk category (see step 8 of prerequisites).
4. Create an impact for the risk.
5. Go to the Analysis tab and create a new analysis.
6. Go to the Context tab and link the EH&S work area and EH&S agent to a risk as context objects.

Note

Instead of an EH&S agent, you can use a material (depending on conditions and requirements).

Caution

Be sure that no risk assessment with the specified combination of work area and agent/material
already exists in EH&S. Such an existing risk assessment will not be overwritten by the new risk
assessment (in other words, the new risk assessment will not be created).

7. Submit the risk.

Result

A new risk assessment is created in the EH&S application of the remote system to be processed by the EH&S
manager or other responsible user. The EH&S risk assessment will be assigned probability and severity values.
A background job (step 9 of prerequisites) replicates these values as probability and impact level values for the
corresponding risk analysis in Risk Management.

7.4.2.1.3.7 Automatic Risk Aggregation

In automatic risk aggregation, the system calculates an aggregated risk from multiple input risks. Any change
in one of the input risks automatically updates this calculation. In this way, you can set up a hierarchy of risks,
where the higher risks are automatically synchronized with changes happening on the lower levels.

Automatic aggregation only covers the analysis part of the risk. Analyses of the input risks are combined using
defined calculation rules to generate an updated analysis of the aggregate risk. The way in which the
calculation of aggregate risks is performed depends on customizing settings.

There is a standard (default) calculation mechanism provided by SAP. This mechanism can aggregate the
quantitative or qualitative analyses of operational risks into an operational risk. The target analysis is
calculated by combining all underlying analyses in one of the following ways:

● Sum
● Average
● Maximum
● Minimum

Activities

To enable the automatic aggregation of risk analysis, when editing a risk in the Risks and Opportunities work
center, set the mode to Automatic Analysis Aggregation under the Underlying Risks tab.

You can also set the type of aggregation method used in the Aggregation tab. The aggregation methods
available to select here are defined in Customizing for Governance, Risk and Compliance under Risk
Management → Risk and Opportunity Analysis → Automatic Risk Aggregation Settings.

After you save the risk, under the Analysis tab you can now find a section Auto-Aggregated Analysis, which
contains the risk analysis aggregated from the underlying risks.

For operational risks, the following situations are handled as follows:

● If the aggregated and/or parent risks have different consequences from each other, the consequences of all
underlying risks are appended to the consequences of the parent risk.
● If the aggregated and/or parent risks have different analysis profiles from each other, the results of automatic
aggregation will fit the parent risk's analysis profile, with conversion between the values of different
assessment methods being performed where necessary.

With automatic analysis aggregation enabled, any changes to the underlying risks are automatically reflected
in the analysis of the parent risk.

Manual Overwriting

You may edit and overwrite the results of automatically aggregated analysis. Once overwritten, the analysis
results are considered as a new manual analysis.
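
The hierarchy behavior described in this section (four combination methods, automatic recalculation when a lower-level risk changes, and manual overwriting) can be modelled as follows. This is an added example, not SAP code: the class and field names are hypothetical, each analysis is reduced to a single expected-loss figure, and it assumes that a manual overwrite takes precedence while the auto-aggregated value continues to be maintained.

```python
"""Added illustration of hierarchical automatic risk aggregation (not SAP code)."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, Dict, List, Optional

# The four combination methods named in the section above.
METHODS: Dict[str, Callable[[List[float]], float]] = {
    "SUM": sum,
    "AVERAGE": mean,
    "MAXIMUM": max,
    "MINIMUM": min,
}


@dataclass(eq=False)
class Risk:
    """Hypothetical risk node; an analysis is modelled as one expected-loss value."""
    name: str
    method: Optional[str] = None          # set => automatic analysis aggregation
    manual_loss: Optional[float] = None   # manually maintained analysis value
    auto_loss: Optional[float] = None     # auto-aggregated analysis value
    underlying: List["Risk"] = field(default_factory=list)
    parent: Optional["Risk"] = field(default=None, repr=False)

    def __post_init__(self) -> None:
        if self.method is not None and self.method not in METHODS:
            raise ValueError(f"unknown aggregation method: {self.method}")

    def analysis(self) -> Optional[float]:
        """Value reported for this risk (assumption: a manual analysis wins)."""
        return self.manual_loss if self.manual_loss is not None else self.auto_loss

    def add_underlying(self, child: "Risk") -> None:
        # Reject cycles: a risk must not appear among its own ancestors.
        node: Optional[Risk] = self
        while node is not None:
            if node is child:
                raise ValueError("a risk cannot be its own underlying risk")
            node = node.parent
        child.parent = self
        self.underlying.append(child)
        self._recalculate()

    def set_manual(self, value: Optional[float]) -> None:
        """Enter or overwrite a manual analysis; None removes the overwrite."""
        self.manual_loss = value
        if self.parent is not None:
            self.parent._recalculate()

    def _recalculate(self) -> None:
        # Combine the analyses of all underlying risks, then propagate upward.
        if self.method is not None:
            values = [v for v in (c.analysis() for c in self.underlying)
                      if v is not None]
            self.auto_loss = METHODS[self.method](values) if values else None
        if self.parent is not None:
            self.parent._recalculate()


def demo() -> Dict[str, Optional[float]]:
    """Constructed sample hierarchy: two plant risks roll up into a company risk."""
    fire = Risk("Fire", manual_loss=100_000.0)
    flood = Risk("Flood", manual_loss=40_000.0)
    outage = Risk("Outage", manual_loss=80_000.0)
    plant_a = Risk("Plant A", method="SUM")
    plant_b = Risk("Plant B", method="SUM")
    company = Risk("Company", method="MAXIMUM")
    plant_a.add_underlying(fire)
    plant_a.add_underlying(flood)
    plant_b.add_underlying(outage)
    company.add_underlying(plant_a)
    company.add_underlying(plant_b)

    out: Dict[str, Optional[float]] = {"initial": company.analysis()}
    fire.set_manual(20_000.0)              # change at the lowest level
    out["after_change"] = company.analysis()
    plant_a.set_manual(90_000.0)           # manual overwrite of an aggregate
    out["after_overwrite"] = company.analysis()
    out["plant_a_auto"] = plant_a.auto_loss
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```
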

7.4.2.2 Graphical View Risk Creation

Use

To centrally store risk-related information on an organization's risks and to simplify working with Risk
Management, the application contains several functions enabling you to work in a graphical and easy-to-use
interface.

The graphical view can be accessed by users of SAP applications (referred to as the source applications) and by
casual users as well. Casual users can carry out a risk analysis and mitigation without actually having to access
the Risk Management application. The Risk Management phases involved in this process are the risk
identification, the risk assessment, and the risk mitigation phases.

 Note

The graphical view is an alternative and simplified way of performing risk-related operations using a
graphical user interface. The interface is Flex-based and runs in Adobe Flash Player, or is based on SAP UI5
if the enhanced graphical view is activated. It is provided as an alternative to the standard Web Dynpro screens,
in particular for casual users from other company departments who need to report on company risks. For
more information about the enhanced graphical view, see Enhanced Graphical View [page 453].

Features

The graphical view has the following functions:

● Summary: This is a read-only section that provides overview information about the risk.
● Identify Risk: You define the risk with all its dependent information using drag and drop. For more
information, see Identifying Risk Data [page 448].
● Assess Risk: You assess the risk by entering or editing information about risk drivers, impacts, and other
objects, which you can drag to the working area of the screen. For more information, see Assessing a Risk
[page 449].
● Mitigate Risk: You can mitigate the risk by proposing new mitigation measures, existing responses,
controls, or policies. For more information, see Mitigating a Risk in the Graphical View [page 452].

7.4.2.2.1 Identifying Risk Data

Use

Prerequisites

For prerequisites, see Creating a Risk [page 416].

Procedure

To graphically create and evaluate risks, call Assessments → Risk Assessments → Risks and Opportunities.
In the overview screen that opens, choose Create Using Graphical View.

1. Enter the name of the risk in the center of the risk bubble that appears.

2. You can associate the following risk data with the risk by choosing Identify Risk and then using drag and
drop to pull the following items from the left to the right screen section:
○ Organizational units: If primary and secondary organizational units are used at your company, they
mean the following:
○ Primary organizational unit: This reflects the legal structure of your organization and also contains
the necessary authorizations on each level of the organization
○ Secondary organizational unit: This is used to reflect a business structure for your organization.
○ Activities
○ Risk categories: You can assign only one risk category to a risk.
○ Drivers: You can assign one or several drivers to the risk.
○ Impacts: You can assign one or several impacts to the risk.
3. Open a node on the left side at the level that contains the object that you want to use.
4. Assign the object to the right side of the screen using drag and drop. The objects are now displayed there.
5. For the objects that need a title (such as for impacts and drivers), you are prompted to enter one after
dragging them to the right side of the screen.
6. When finished, choose the Save pushbutton at the top right to save the data.

 Note

The completion bar shows you the percentage of completed data for this risk. The quick info text
displays further status data about the progress of your risk.

7. If you need to remove an object from the right side, click on the X at the top right of the object. The object
is then no longer displayed.
8. After you have saved your data, proceed to the next step, Assessing a Risk [page 449].

7.4.2.2.2 Assessing a Risk

Use

The third step of working with risks in the graphical view is the assessment of a risk and its impacts.

Prerequisites

● Risk analysis data must be defined in the corresponding Customizing activities.
● The organizational unit you are using must have a currency defined for it.
● To assess a risk in the graphical view, the corresponding risk data must be identified and assigned to the
risk in the Identify Risk section.

Procedure

To work with risk assessment data in the graphical view, proceed as follows:

1. After defining a risk in the Identify Risk section, choose the Assess Risk pushbutton in the left section.
2. The sections and pushbuttons at the top of the Assess Risk screen provide you with the following options:
○ New: Choose this pushbutton to create a new assessment.
○ Delete: You can delete an existing assessment and create a new one.

 Note

The system displays only one assessment at a time.

3. The right side of the screen has the following sections to work with:
○ A calendar frame enabling you to choose the time frame for which you want to assess the risk data.

 Note

You can choose each box in this frame that has a colored dot in it, which means that an assessment
exists for that month or date.

○ The Previous (<) and Next (>) pushbuttons enable you to select the previous or next date from the
available assessments.
○ Below this, you can see the following further risk data:
○ Risk analysis data: The bar chart shows the probability, along with the initial, actual (residual), and
planned risk assessment data, with respect to the following:
○ Total loss / expected loss
○ Risk level
○ Individual impact values: For each impact, you can specify the type of risk analysis to be
carried out, as well as change the default impact type and the unit of measure. Depending on
the impact type that you select directly above the Impact field, you can see the loss values by
carrying out the following types of risk assessments:
○ Quantitative: Enter a value in the unit of measure, for example, the currency, and press
Enter to see the changed value.
○ Qualitative: Move the slider to indicate the severity of the risk.
○ Scoring: Enter a value in the left field or use the numeric stepper to increase the value.
The impact values for all types of assessments are shown to the right of the impact.
○ Impact category distribution data: This is a pie chart showing the impact data for the current
assessment. Each impact value represents one portion of the pie.
The following table describes the maximum possible sections that appear, depending on the
Customizing settings made for the analysis profile. For more information, see Background Information
on Risk Analysis [page 425].

| Section | Description |
| --- | --- |
| Calendar frame | A calendar frame enabling you to choose the time period for which you want to assess the risk data. |
| Risk analysis data | How the risk analysis is to be carried out: by probability of the risk happening; by total loss incurred if the risk happens; by expected loss for the risk; by risk level, that is, the level of severity for a risk that corresponds to a defined risk level value, such as H (high), M (medium), or L (low). |
| Probability slider | In the Probability section, you can use the percentage slider to decrease or increase the probability in percentage that the risk will occur. |
| Analysis data per impact category | For each impact, you can specify the type of risk analysis to be carried out, as well as change the default impact and the unit of measure. |

4. Change the risk values as follows:
○ Probability: The probability can be quantitative, qualitative, or scoring, depending on the analysis
profile selected in Customizing.
○ Impact: For each impact category listed, the impact can be quantitative, qualitative, or scoring. You can
change the default impact and the impact value by clicking the Up and Down arrows to the right of the
impact.
5. Choose OK to save the assessment data, or Delete if you want to discard the assessment data. At this
point, the Save pushbutton becomes active, and you can save the entire risk data set by clicking it.
6. You can now proceed to Mitigating a Risk in the Graphical View [page 452].

 Note

You can see how far the risk processing has progressed in the Progress Bar at the top. By passing your
mouse over the progress bar, the quick info callout Risk Specification Progress appears, containing all the
risk data you have defined up to then.

This quick info callout contains the number of impacts, drivers, and so on, that were assessed, along with a
slash separating the number of impacts that were added. So if you added three impacts, but assessed only
two, you will see the numbers 2/3 after this item.

More Information

To see the documentation for the standard risk analysis user interface, see Creating a Risk Analysis [page 427].

7.4.2.2.3 Mitigating a Risk in the Graphical View

Use

After assessing a risk, you can mitigate it in the graphical view similarly to the normal application processing.
Risks can be mitigated by adding:

● Responses from Risk Management. For more information, see Risk Responses [page 455].
● A control or controls from Process Control. For more information, see .
● A policy or policies from Risk Management. For more information, see Using a Policy as a Risk Response
[page 475].

Prerequisites

A risk must have been identified and assessed before it can be mitigated, and mitigation procedures such as
responses or controls must exist in the back-end system.

Procedure

To mitigate a risk in the graphical view, proceed as follows:

1. Call up a risk that has been assessed, choose the Switch to Graphical View pushbutton, and then choose
the Mitigate Risk pushbutton.
2. On the left side, you can use existing responses and controls, or propose new mitigation objects:
○ Responses
○ Controls
○ Procedures
3. Pull the necessary mitigation objects to the right side using drag and drop. To see the detail data, choose
the link inside the box. A section opens in the lower part of the screen with the following detail data for this
mitigation object:
○ Name and type of mitigation object
○ Percentage of completeness
○ Start and finish dates, that is, the validity period of the mitigation object
○ Costs of the risk if it happens
○ Effective from and to dates
○ Current effectiveness value
4. If you have assessed the risk and then chosen the Mitigate pushbutton, the Mitigate Risk screen appears.
5. On the Mitigate Risk screen, you can change the impact values as necessary. The graphs on the left side
then change accordingly.
6. Choose Close to return to the Mitigation screen.
7. When you are finished with the mitigation steps, choose Save.

7.4.2.2.4 Enhanced Graphical View

It is possible to enable an SAP UI5-based version of the graphical view instead of the Flash-based one. Doing so
allows the following additional features:

● Assignment of risk response to impacts and drivers
● Assignment of IELC and policies as risk responses
● Display of analysis guidance during assessment phase
● Comment field added to the analysis page
● Display of control proposal
● Support for customizing terminology (from Terminology Editor)
● Customizable color scheme
● Ability to display graphical view in full screen for printing purposes
● Summary of risk responses available by choosing the Response Summary button on the Summary page
● Response mitigation directly accessible in Access Risk section, allowing you to edit mitigation effort of each
response individually

Activities

You can enable the enhanced graphical view in Customizing for Governance, Risk and Compliance under Risk
Management → General Settings → Enable Enhanced Risk Graphic View.

The color scheme is customizable in Customizing for Governance, Risk and Compliance under Risk
Management → General Settings → Set Colors for Graphical View Elements.

7.4.2.3 Risk Mitigation

If your company's risk exposure is unacceptable, you can document risk responses, which are aimed at
reducing the likelihood that the risk will occur or lowering the impact of the risk if it occurs. This is called risk
mitigation.

Risks can be mitigated by adding:

● Responses from Risk Management. For more information, see Risk Responses and Enhancement Plans
[page 455].
● One or more controls from Process Control. For more information, see .
● A policy or policies from Risk Management. For more information, see Using a Policy as a Risk Response
[page 475].

Mitigation can be maintained on both the Response Plans tab and the Analysis tab.

 Note

You can also maintain mitigation in the Graphical View. For more information, see Mitigating a Risk in the
Graphical View [page 452].

Risk Mitigation on the Response Plans Tab

Mitigation for individual responses can be maintained on the Response Plans tab. Although this has the
advantage of allowing you to focus on one specific mitigation factor at a time, there is no way to see the
cumulated value for all the responses at one time, and it is this cumulated value that the back-end system uses
to calculate Residual and Planned Residual values.

Risk Mitigation on the Analysis Tab

If the Mitigation field in the Analysis tab has been activated in the back-end, you can see all of the mitigation
results for the responses to the selected risk, including the calculated sums for probability and for particular
impacts.

 Note

To activate this function, you must run the report GRRM_RESPONSE_MITIGATION_UI in the back-end
system.

You can also overwrite the calculated sums by using the Click to Overwrite link. If you use this
option, the Overall Calculated values are still available, but for information purposes only. The manually entered
values are used for Analysis mitigation.

7.4.2.4 Creating an Opportunity

Prerequisites

Benefits and drivers for opportunities must have been maintained in Customizing under Governance, Risk
and Compliance → Risk Management → Risk and Opportunity Analysis.

Context

You can create an opportunity with or without a template. For information on creating opportunity templates,
see Creating an Opportunity Category and Template [page 371].

Procedure

1. From the Assessments work center, choose Risk Assessments → Risks and Opportunities. The POWL
screen for risks and opportunities appears.
2. On the Opportunities tab, choose Create Opportunity, with or without a template. If necessary,
select the template and choose OK.
3. In the Opportunity screen, enter the following information in the General tab:
○ Name of the opportunity and organizational unit
○ Opportunity category
○ In the lower screen section, you can assign benefits and drivers to the selected opportunity
4. On the Roles tab, you can assign roles to be used with this opportunity category. The procedure is the same
as when assigning user roles to risks. For information, see Assigning Roles to Risks and Activities [page
523].
5. On the Analysis tab, you can choose the Report pushbutton to view the following historical analysis data for
this opportunity:
○ Probability
○ Total gain
○ Expected gain
○ Opportunity level

 Note

You conduct an opportunity analysis in a similar way to conducting a risk analysis. For more
information, see Risk Analysis [page 423].

6. On the Enhancement Plans tab, you can create new enhancement plans, assign existing enhancement
plans, or remove them from the list. For more information about enhancement plans, see Creating a
Response or Enhancement Plan [page 459].
7. In the Issues tab, you can create issues that might affect this opportunity. For more information, see
Creating an Issue for a Risk, Opportunity, or Response [page 482].
8. On the Context tab, you can specify the contexts that you are working with for this opportunity. For more
information, see Working with Contexts [page 480].
9. On the Policies tab, you can see any policies that have been created for this opportunity. You cannot create
policies here. For more information, see:
○ Using a Policy as a Risk Response [page 475]
10. When finished, save the opportunity data.

7.4.2.5 Risk Responses and Enhancement Plans

Use

A risk response is any counter-measure taken to mitigate a risk. Risk responses are planned and/or executed
within the context of the given risk, and have the intention of reducing the risk exposure.

Documenting and managing response strategies helps to proactively manage risks in your organization.
Responses can be used to lower the chance of the risk occurring (that is, the probability) or to lower the
potential impact of the risk event if it occurs.

 Note

An enhancement plan can be considered as the response to an opportunity. It enables you to define how
your organization intends to respond to an opportunity. The processing is the same for both types of
objects.

Process

The influence of the response on the risk exposure is split into the following three independent factors:

● Mitigating reduction of all responses, leading to the calculated residual risk analysis.
● Entering a value for the completeness of the response
● Entering a value for the effectiveness of the response

The following three steps are essential to reducing the probability or impact of risks defined for an organization:

1. Define impact and probability data in Customizing under Governance, Risk and Compliance → Risk
Management → Master Data Setup and Risk and Opportunity Analysis.
2. Reduce the impact and probability of the risk by creating responses and controls, enabling you to mitigate
the risk and monitor the costs.
3. Carry out a risk analysis [page 423] to view the results of the risk mitigation measures that were
implemented, and make additional resources available if necessary.

 Note

Once a risk response has been implemented, you can carry out a new risk analysis, showing the
mitigated probability and impact of the risk, which should then be lower than for the initial risk analysis.
This new risk analysis information is referred to as the residual risk exposure.

Response Status Tracking

Example

Your company wants to mitigate its risk of fire. It carries out the following two activities and creates the
corresponding responses for them in the Risk Management application:

● It takes out a fire insurance policy. This reduces the impact of the risk, but does not reduce the probability
of the risk (a fire) happening.
● It installs a fire alarm system. This reduces the probability of the risk happening, since the fire alarm
notifies someone who extinguishes the fire, and so the risk may not happen at all or only minimally.

Taken together, these two responses appropriately mitigate the inherent risk of fire at the company. The
residual risk is further analyzed and is determined to be acceptable.

More Information

Creating a Response or Enhancement Plan [page 459]

7.4.2.5.1 Working with Response Templates

Use

For responses that are used frequently, it is advisable to create standard response templates that you can use
when entering responses. This reduces the manual effort of unit risk managers during risk creation. You create
response templates in the Response Catalog.

Prerequisites

The GRC Customizing activity Maintain Response Types must be maintained in Risk Management →
Response and Enhancement Plan.

Procedure

To create a response template:

1. Call Master Data → Risks and Responses → Response Catalog.
2. The Response Catalog screen appears. Choose the Create pushbutton.
3. The Response Template screen appears.
4. Enter a name for the response template, and a description in the fields below it.
5. Change the valid-to date if necessary.
6. Specify the response type to be used with this template.
7. If necessary, specify the purpose.
8. Finally, if you are using the response automation function, enter a type of automation to be used for the
response template.

 Note

For more information about response automation functions, see Working with Response Automation
[page 471].

9. When you are finished, save the response template.

 Note

In the Response Instances tab of the Response application, you can see the responses that were
created using this template. Note that you must first finish creating the template and then assign it to a
risk template before you can see any entries in this screen.

Assigning a Response Template to a Risk Template

To use a response template for a risk:

1. Call Master Data → Risks and Responses → Risk Catalog.

2. To open the corresponding risk template, navigate to the lower level and put the cursor on the line of the
Type called Risk Template, and choose Open. The risk template screen appears.
3. Choose the Response Templates tab.
4. Choose the Assign pushbutton to search for and assign a specific response template to the risk template.
5. Save the risk template.

Assigning a Response Template to a Risk

You can assign a response template directly to a risk as follows:

1. Call Assessments → Risk Assessments → Risks and Opportunities.
2. Open the risk to which you want to assign a response template.
3. Choose the Response Plans tab.
4. Choose Create Response using template.
5. A dialog box opens in which you can search for the corresponding response template.
6. After selecting the response template from the lower section and choosing OK, the corresponding
response using this template is now displayed in the list of the Response Plans tab.
7. Save the updated risk data.

More Information

Risk Responses and Enhancement Plans [page 455]

7.4.2.5.2 Creating a Response or Enhancement Plan

Use

Documenting and managing response strategies helps to successfully mitigate risks in your organization.

 Note

Creating an enhancement plan is similar to creating a response, so the following steps apply to it as well.

Prerequisites

The following Customizing activities, found under Governance, Risk and Compliance → Risk Management →
Response and Enhancement Plan, must be carried out:

● Maintain Response and Enhancement Plan Purpose
● Maintain Response and Enhancement Plan Completeness
● Maintain Response and Enhancement Plan Effectiveness

● Maintain Response Plan Types
● If you want to maintain responses to risks for which response automation has been set up for the SAP
Business Suite applications, you also need to make entries in the following Response and Enhancement
Plan Customizing activities under Response Automation:
○ Maintain Response Implementation Classes for Automation
○ Maintain Response Automation Types

 Note

If you are working with automated responses sent to other applications in the SAP Business Suite, see
Working with Response Automation [page 471].

Features

The Risk Management application contains the following two types of responses:

● A risk response determines how to prevent a risk, limit its impact, or reduce the probability of its
occurrence. For more information about assigning responses, see Assigning a Response [page 463].
● The response to an opportunity is called an enhancement plan. It enables you to define a strategy to
respond to an opportunity.

To mitigate risks, the Process Control application also provides the option of defining controls. For more
information about this, see Using PC Controls [page 466].

Activities

To create and maintain responses and enhancement plans:

1. From the Assessments work center, choose Risk Assessments → Risks and Opportunities → Responses
and Enhancement Plans.
2. In the next screen, you can see a list of all responses entered in the system. If the desired risk response
already exists and is allowed for sharing, you can select and use it without making any changes, or change
it as required. For more information, see Assigning a Response [page 463].
3. If the desired risk response does not exist, then choose menu path Create → Response to enter a new
response. To create an enhancement plan, choose Create → Enhancement Plan.
4. Under the General tab, enter the response name, the organizational unit, the response owner, and type
(mandatory fields).
5. If desired, you can enter the response details in text form, as well as the response purpose and whether the
response is to be shared between various users or requires your approval.
○ If you want to specify another response owner, enter the user's name in the Owner field. A dialog box
appears in which you can enter the due date for the new owner and any comments for the new owner
that you wish to make. Then choose OK. The response is automatically saved with the new data.
○ If you want to share the response with another user, you can specify whether it requires your approval
or not via the corresponding dropdown.
6. If you make a selection in the Automation field, the submitted response is sent to an application of the SAP
Business Suite, for example, to SAP Plant Maintenance.

 Note

The Automation Status field is updated after saving. For more information about using Risk
Management Response Automation, see Working with Response Automation [page 471].

7. In the General tab, you can also carry out the following actions:
○ Notification section: For work items sent per workflow to the response owners, you can enter
information on response notification as follows:
○ On Due Date: If you checkmark this field, the system sends out a notification on the due date of the
response.
○ Due Date: You can specify the date that the response is due.
○ Due Date Offset: You can set the number of days ahead of the due date by which the
notification is to be sent.
The work item is then displayed in the corresponding user's work inbox under the Home work center.
○ Response Details section: Here you can enter a text describing any response steps or actions that
were taken, including the following information:
○ Distribution Method: This is only displayed if the response is created from a response template —
as a copy or as a reference. (For information about creating a response from a response template,
see Working with Response Templates [page 458].)
○ Enter the Start Date and the Finish Date for the response. Since you are providing information
about a response that was already carried out, the finish date cannot be in the future. You should
enter the start and finish values on the actual dates on which the implementation of the response
was started and finished.
○ When you enter the start date of the response, and choose Enter, the start completeness
percentage that was maintained in the corresponding Customizing activity is displayed in the
Completeness field.
○ When you enter the finish date of the response, and choose Enter, the finish completeness
percentage from the corresponding Customizing activity is added to the start completeness
percentage.
○ Completeness: By setting the Calculate Completeness indicator, you can automatically calculate
the percentage of the completeness of the response.

 Note

The Calculate Completeness indicator is inactive and switched off by default. This feature
becomes active after you enter a start date and finish date. Then you must explicitly activate
the feature by selecting the Calculate Completeness checkbox.

This feature remains inactive if response automation is used.

If you switch on the Calculate Completeness feature, no manual entry is needed. The value of
the completeness is automatically calculated based on the values set in Customizing under
Governance, Risk and Compliance → Risk Management → Response and Enhancement Plan →
Maintain Response and Enhancement Plan Completeness.

○ Response Effectiveness: You can provide information on the current effectiveness of the response
and change the validity period for the response effectiveness data. When you select an entry for
the current effectiveness, the corresponding quantitative value (in percentage form) is stored and
is further used in the risk analysis calculation.
8. In the Affected Risks tab, the risks that are affected by this response are displayed. Using the Assign
pushbutton, you can also assign existing risks to this response.

 Note

The prerequisite to assigning a risk to a response is that the response must be shared. For this, select
one of the two Shared options from the dropdown options of the Shared Response field on the General
tab:

9. In the Context tab, you can add context data. For more information, see Working with Contexts [page 480].
10. In the Issues tab, you can create or display issues that affect this response. For more information, see
Creating an Issue for a Risk, Opportunity, or Response [page 482].

 Note

If you want to create an issue for a response, you must first carry out the corresponding organizational
Customizing activities on maintaining responses for issues.

11. When finished, save your data as a draft or submit it for processing. After submission, the response status
changes from Draft to Active.

Example

Response effectiveness: Hiring new employees is a response provided for the risk of employee loss. However,
the new employees lack the necessary expertise, so this response is initially considered as less effective. This
means that you have implemented a response, but it was not fully effective. So you first enter the effectiveness
level as moderately effective. After three months of employee training, you can then change the response to
very effective.

Response completeness: To avoid the risk of fire in a leather factory, a response is provided by installing fire
safety equipment. However, it takes a month to install this equipment. So at the start of the month,
completeness is lower, but gradually the completeness increases, until the equipment is fully installed and you
can enter the response completeness as 100%.

7.4.2.5.3 Creating Response Proposals

Use

Users can suggest ways to address risks by creating response proposals and submitting them to those
responsible for risk mitigation.

Procedure

To create a response proposal:

1. Go to My Home -> Ad Hoc Tasks -> Response Proposals.

2. Enter the following information in the Create Response Proposal window:
○ Title (mandatory)
○ Org[anizational] unit
○ Risk
○ Type (mandatory)
○ Purpose
○ Automation type
○ Description
○ Steps
3. Click on Submit.

After the response proposal is submitted, the creator of the proposal receives an e-mail confirmation that the
proposal was successfully submitted — that is, delivered to the work inbox of the person responsible for
mitigating the specified risk. This person can then approve or reject the response proposal.

 Note

Users who are assigned as agents via 0RM_RESPONSE_PROPOSE are authorized to receive and approve or
reject response proposals. The approver can create a response or response template from the response
proposal after approving it. For more information, see Creating a Response or Enhancement Plan [page
459] and Working with Response Templates [page 458].

The creator of the response proposal is notified by e-mail when the response proposal is approved or rejected.

Submitted proposals (including their current status — waiting for approval, approved, or rejected) are listed in
the Proposed Responses tab found in the work center Assessments -> Risk Assessments -> Responses and
Enhancement Plans. Click on the name of the response proposal to review its contents.

7.4.2.5.4 Assigning a Response

Use

 Note

Any SAP Process Control functions mentioned below require a license for the SAP Process Control
application.

Instead of creating a new response to a risk, you can use the existing responses in the system if they meet the
mitigation requirements. You can create individual responses or responses shared among two or more users
(shared responses). There are the following types of risk responses:

● Responses created for a single risk
● Responses created using a response template
● Responses created from a control (SAP Process Control)
● Responses created from a policy (SAP Process Control)

 Note

The workflow for sharing a response involves the following options:

● If the response to be used is defined as Shared, requires approval, the status of this response is Pending
approval. A response workflow item then goes to the response owner for approval. When the response
owner approves the response, the status changes to Sharing approved, after which this response can
be used for risk reduction through analysis.
● However, if the owner of the response to be used and the person requesting the response are the same
person, the status changes directly to Sharing approved and no workflow is triggered. This response
can be used immediately for risk reduction through analysis.
● If the response to be used is defined as Shared, does not require approval, the status of the response
becomes Sharing approved. The response can be used immediately for risk reduction through analysis.

Prerequisites

Probability levels must be maintained in Customizing under Governance, Risk and Compliance -> Risk
Management -> Risk and Opportunity Analysis, and the response to be used must have the status Active.

Procedure

By accessing Assessments -> Risk Assessments -> Responses and Enhancement Plans, you can create
responses directly and link them to the corresponding risks.

 Note

For information on assigning specific kinds of risk responses to drivers and impacts, see Assigning Risk
Responses to Drivers and Impacts [page 465].

Conversely, you can also define an existing response for a risk. For this, proceed as follows:

1. From the Assessment work center, choose Risk Assessments -> Risks and Opportunities.
2. From the list of risks, by clicking on the name in the Risk / Opportunity column, select and open the risk to
which you want to assign a response.
3. In the Response Plans tab for this risk, you can see any existing responses associated with this risk.
4. In the lower section called Mitigation, you can change the current probability reduction percentage value
and change the score reduction value for each impact defined for the risk.

 Note

To see the changes you made in the Mitigation section, save the risk and then return to the Analysis tab.

5. To assign a new response to your risk, choose Assign Response. You can also assign a control or a
policy from SAP Process Control here in the same way.
6. In the window that displays, search for the response, control, or policy to be used and click OK.

 Note

If you are working with response automation in SAP Risk Management and select one of the
corresponding response types, more information is available on this under Working with Response
Automation [page 471].

7. The response is now in the list of responses. Save your risk.

Related Information

Assigning Risk Responses to Drivers and Impacts [page 465]

Using a Policy as a Risk Response [page 475]

7.4.2.5.4.1 Assigning Risk Responses to Drivers and Impacts

In many risk management frameworks, including ISO 31000, preventive risk responses are linked to the drivers,
and corrective responses are linked to the impacts. This can also be enabled in SAP Risk Management. Risk
responses can be linked with impacts and drivers depending on the response type. This assignment is reflected
in the response mitigation UI.

It’s delivered via SAP Note https://launchpad.support.sap.com/#/notes/2015139 .

Activities

Activating the Feature

You can activate the functionality in Customizing for Governance, Risk and Compliance under Risk
Management -> Response and Enhancement Plan -> Enable Response Impact/Driver Assignment.

Defining Response Types


The response types can be set up to be used for probability mitigation, impact mitigation and driver
assignment. You can define the response types in Customizing for Governance, Risk and Compliance under
Risk Management -> Response and Enhancement Plan -> Maintain Response Types.

The response type maintenance contains three new columns:

1. Mitigation on Probability – This attribute determines whether the probability mitigation is allowed. Possible
   values are as follows:
   1. Enabled – Responses of this type are used to mitigate probability. The analysis mitigation UI shows
      probability mitigation.
   2. Disabled – Responses of this type aren’t used to mitigate probability. The analysis mitigation UI hides
      probability mitigation.
2. Mitigation on Impact – This attribute determines the behavior of the risk response impact assignment. Possible
   values are as follows:
   1. Set Individually – Responses of this type are used for impact mitigation. The risk impacts are assigned
      to the response individually by the end user. The analysis mitigation UI shows only impacts assigned to
      the response.
   2. Enabled – Responses of this type are used for impact mitigation. All risk impacts are assigned to
      the response and this assignment can’t be changed by the end user. The analysis mitigation UI shows
      all impacts.
   3. Disabled – Responses of this type aren’t used for impact mitigation. All risk impacts are de-assigned
      from the response and this de-assignment can’t be changed by the end user. The analysis mitigation UI
      hides all impacts.
3. Drivers – This attribute determines the behavior of the risk response driver assignment. Possible values are as
   follows:
   1. Set Individually – Risk drivers are assigned to the response individually by the end user.
   2. Enabled – All risk drivers are assigned to the response and this assignment can’t be changed by the
      end user.
   3. Disabled – All risk drivers are de-assigned from the response and this de-assignment can’t be changed
      by the end user.

7.4.2.5.5 Using PC Controls

Use

In addition to working with risk responses, you can also work with the controls of the Process Control (PC)
application. A control is a policy, implemented through processes and procedures and directed by an
organization's corporate executives, which supports compliance with operational objectives. These objectives
can be operational efficiency, reliability of financial reporting and disclosures, and compliance with applicable
laws and regulations, such as the Sarbanes-Oxley laws.

In the Response application, you have the following two options:

● Button Create Control Proposal. In this case, you propose a new control, so that the Process Control
processor can create the corresponding control. The workflow is then applied as described in Sample
Workflow: Control Proposal Notification [page 468].
● Button Assign Control. In this case, you assign an existing control to mitigate this risk.

Procedure

To create a control proposal, proceed as follows:

1. Go to Assessments -> Risk Assessments -> Risks and Opportunities, and by clicking on the name in the
Risk / Opportunity column, select the risk to which you want to respond by using a control proposal.
2. Access the Response Plans tab of the risk creation screen.
3. Choose the Create button and then choose Control Proposal. The control proposal window opens.

4. Specify the regulation or policy to be used for the control.
5. Enter the organizational unit and the control name, and change the validity dates if necessary (mandatory
data). The organizational unit differs depending on the regulation or policy you have chosen.
6. Change the other default settings if necessary.
7. Submit the control proposal.
8. The system puts the control proposal into the list of responses on the Response screen with the status
Proposed.

 Note

To assign an existing control, choose Assign Control. In the dialog box, select Regulation and
search for an existing PC control. To use it, choose OK. The selected control is added to the list of
responses. The status for an assigned control is Active.

7.4.2.5.5.1 Monitoring Control Effectiveness and Assessment Results

Use

You can convert the Process Control ratings entered for a control to response data in Risk Management. This
links the selected control rating results – roughly defined as three traffic light colors specified for Process
Control – to the completeness and effectiveness data of the corresponding responses defined in percentages.
In this way, the three-state rating values of Process Control are converted to more exact percentage ratings in
Risk Management.

This step enables you to automatically monitor the effectiveness and control assessment results of controls
defined and managed in Process Control, and map the results directly to Risk Management response
effectiveness and completeness fields.

Prerequisites

The following Customizing activities must be carried out as described in the Procedure section below:

● Set Up Link from Control Results to RM, under Governance, Risk and Compliance -> Risk Management ->
Response and Enhancement Plan
● Convert Control Rating to Response Fields, also under Governance, Risk and Compliance -> Risk
Management -> Response and Enhancement Plan
● Maintain Custom Agent Determination Rules, under Governance, Risk and Compliance -> General Settings
-> Workflow.

Procedure

To convert the results, proceed as follows:

1. Carry out the above prerequisite Customizing activities as described in the corresponding documentation.
2. In the first Customizing activity Set up Link from Control Results to RM, you set up a link to the results
generated in Process Control, which are stored in the form of SAP Records Management cases. For both
the response and the completeness, you must enter the case type and category to be used.
3. When creating the conversion entries in the second Customizing activity, Convert Control Rating to
Response Fields, you create three entries for response effectiveness and another three entries for response
completion, each one corresponding to a Process Control color rating. For each of the three entries, select
one of the color-coded ratings available. In the percentage field, you can enter a user-defined percentage
value for each entry.
4. Save your entries.

 Note

When the Process Control assessment and testing results are published, the corresponding response
fields for completeness and effectiveness in Risk Management are updated. An e-mail notification on
the completeness and effectiveness update is sent to the users assigned to the agent slot/business
event 0RM_NOTIF_ON_CONTROL_CHANGE.

7.4.2.5.5.2 Sample Workflow: Control Proposal Notification

Definition

When you create a control proposal, the Risk Management application sends a notification to the processor
defined for the Process Control (PC) application.

Concept

Process

The workflow is processed as follows:

1. The Risk Management user (“RM”) opens the risk for which a control proposal is to be created and selects
the Response Plans tab.
2. User RM now reviews the list of existing responses and searches through the available list of controls that
can be assigned to this risk.
3. User RM cannot find the desired control and proposes a new control. This user enters the appropriate
control information, including the mandatory information on the organizational unit and regulation, and the
optional information on the process/subprocess and name of the control.
4. User RM submits the proposed control request, after which the control workflow goes to Process Control.

5. The Process Control user (“PC”) opens the request and reviews the details of the proposed control.
6. User PC now decides whether to accept or reject the control proposal request. In either case, a notification
is sent back to the requestor in Risk Management, user RM.
7. User PC accepts the control request and creates the corresponding control. Subsequently, the workflow
sends a notification to the requestor's inbox (that is, to user RM), and the control becomes active in the
Risk Management application and has the status Active.

7.4.2.5.6 Workflows for Responses

Use

There are several workflows that you can use to process responses in the Risk Management application. Some
of them are linked to Process Control workflows.

Prerequisites

The following prerequisites must be fulfilled before you can use the workflows defined for Risk Management:

● Risk Management roles must be configured. For more information, see .


● Workflow activities in Customizing, under General Settings -> Workflow, must be carried out.

Features

The table below describes the workflows available for responses:

| Workflow | Description |
|---|---|
| Response update | Using the Planner function, the unit risk manager or activity owner receives a notification to validate a response. The main purpose of this workflow is to remind response owners to process overdue responses. For more information, see Risk Management Planner [page 499]. |
| Response notification on due date | You can send out a notification workflow if the response due date has been reached and the response completeness is lower than 100%. As a result, the response owner receives a work item in the work inbox. When the work item is opened, the response maintenance screen displays, where the response owner can maintain the missing information. The notification is triggered by report GRRM_NOTIF_ON_RESPONSE_DUEDATE. You can schedule it as a background job. To set up this task, carry out the Customizing activity Schedule Notification on Response Due Date, under Risk Management -> Response and Enhancement Plan. |
| Response sharing for approval or rejection | If a shared response for which permission is required is assigned to a risk, the owner of the shared response receives the workflow for approval or rejection of request sharing. Shared responses are specified when you create a response. For more information, see Creating a Response or Enhancement Plan [page 459] and Assigning a Response [page 463]. |
| Response delegation | If the current response owner is changed to a new one, the new response owner receives this delegation workflow to process the response. |
| Process Control proposal notification | If a control is proposed to PC, a notification of the approval or rejection of the proposal is sent to the requestor. |
| Process Control changes notification | When assessment or testing results for a linked control are published, the corresponding risk or response owner on the RM side receives the notification of changes. |

Enable and Disable Workflows

To manually enable or disable a response workflow, go to the Customizing activity Governance, Risk and
Compliance -> Risk Management -> Response and Enhancement Plan -> Enable Response Related Workflows.

7.4.2.5.7 Working with Response Automation

Use

The process for automating risk responses to carry out actions in the SAP Business Suite applications
supports the following scenario:

Risk Management triggers and monitors the progress of response actions in an SAP Business Suite
application. This scenario does not require any add-on modules or coding from the SAP Business Suite
solution. This type of scenario is used in Plant Maintenance (PM) notifications, or to set up a project in the
Project System (PS), or to trigger a workflow.

Response automation creates, according to automation type, the following objects in other applications:

● PM notifications
● Project definitions in PS
● Workflow items

 Note

The response automation function can also be used for enhancement plans.

Prerequisites

The same prerequisites apply as for Creating a Response or Enhancement Plan [page 459]. Furthermore, the
following Customizing activities and Business Add-Ins (BAdIs), found under Risk Management -> Response
and Enhancement Plan -> Response Automation, must be maintained.

● Maintain Implementation Classes for Response Automation
● Maintain Response Automation Types
● Map Response Automation to Response Types (relevant for types PM notification and Project definition in
PS only)
● Map Business Suite Object Status to Response Completeness (relevant for types PM notification and
Project definition in PS only)
● Maintain Attributes for Workflow Automation (relevant for type Workflow triggering only)
● Map Workflow Status to Response Completeness (relevant for type Workflow triggering only)
● Business Add-Ins:
○ Maintain Additional Parameters for PM Notification
○ Maintain Additional Parameters for Project Definition in PS
○ Maintain Additional Parameters for Workflow Triggering

Furthermore, a risk response must have the status Active to work with response automation.

Procedure

Response Automation Statuses

If you are working with response automation, which sends and receives risk responses to/from the SAP
Business Suite, you must select an option from the Automation field at the bottom of the response screen. The
Automation Status field is populated automatically. One or several of the following statuses is displayed:

| Application | Status | Meaning |
|---|---|---|
| Plant Maintenance (PM) | Outstanding notification | The notification was created. |
| | Notification In process | The notification was put in process. |
| | Notification postponed | The notification was postponed. |
| | Order assigned | The PM order is assigned to the notification. |
| | Outstanding tasks exist | The notification has tasks assigned. |
| | All tasks completed | All the tasks assigned to the notification are complete. |
| | Notification complete | The notification was created and processing finished. |
| | Deletion flag | The deletion flag is set for the notification. |
| Project System (PS) | Project definition: Created | The project definition was created. |
| | Project definition: Released | The project definition was released. |
| | Project definition: Partially released | Not all WBS elements of the project definition are released. |
| | Project definition: Locked | The project definition was locked. |
| | Project definition: Master data locked | The project was created by means of master data replication from the project system. |
| | Project definition: Rescheduling required | Rescheduling is required for the project. |
| | Project definition: Technically completed | All project costs have been settled. |
| | Project definition: Closed | The project has been closed. |
| | Project definition: Deletion flag | The deletion flag is set for project definition. |
| Workflow (WF) | Completed | Self-descriptive |
| | Error | Self-descriptive |
| | Ready | Self-descriptive |
| | In Process | Self-descriptive |
| | Waiting | Self-descriptive |
| Generic automation statuses | Automation initiated | A response with the assigned automation type was created, but the status of the automated object from the remote Business Suite application has not yet been assigned to a response. |
| | Automation failed | The Business Suite object was not created due to errors. |
| | Automation finished | The notification status tracking is finished. |

Working with Response Automation

1. Go to Assessments -> Risk Assessments -> Risks and Opportunities and call up a risk by clicking on its
name in the Risk / Opportunity column. Access the Response Plans tab. Create a response to a risk that is
used for automation.

 Note

Specify the automation-specific response type if there are any available (see prerequisite Map
Response Automation to Response Types above).

2. If necessary, you can maintain the dimension objects to be fetched from the remote application in the
Contexts tab. For more information, see Working with Contexts [page 480].

 Note

For the automation type PM Notification, you can specify the technical object (functional location or
equipment) and the material in the Context tab. For the automation type Workflow Triggering, you can
specify the objects that are involved in the workflow.

3. Close the response and submit the risk. This sets the status of the response to Active, and the response is
sent to the remote application.
4. When the corresponding processor from the remote application has changed the status of the automated
object, the automation status and completeness are updated for the response accordingly.
5. When the status of the automated object is set to complete, closed, or finished, an e-mail is sent to the
original processor stating that the response was completed automatically.

Example

Example: Response Automation for Plant Maintenance [page 474]

7.4.2.5.7.1 Example: Response Automation for Plant Maintenance

Definition

Response automation for plant maintenance involves sending a response request from the Risk Management
application to the corresponding application in the SAP Business Suite, in this case the Plant Maintenance
application.

Concept

Prerequisites

You must have the SAP Business Suite application Plant Maintenance configured and running.

Activities

In the Risk Management application, a risk called "Risk of Overheating of Boiler" has been defined. A
background job was created for it, which proceeds according to the following steps between Risk Management
(RM) and Plant Maintenance (PM):

| Step | Action | Action Initiator | Automation Status (displayed on Response screen) |
|---|---|---|---|
| 1 | Boiler overheats | – | Status not assigned yet |
| 2 | Risk response is created with automatic PM notification | Risk Manager | Status not assigned yet |
| | PM notification created | Notification saved automatically in RM in response screen | Status not assigned yet |
| | PM notification status read by system | Automatically in RM, within response-saving program | Status set to Outstanding notification |
| 3 (optional) | PM notification postponed | Plant Maintenance processor | Status set to Outstanding notification |
| 4 (if step 3 was executed) | PM notification status read by system | Automatically in Risk Management, with periodic background job | Status Notification postponed |
| 5 | PM notification processed manually by PM processor (tr. IW22) | Plant Maintenance processor | Status Outstanding notification (if steps 3 and 4 were not executed) and Status Notification postponed (if steps 3 and 4 were executed) |
| 6 | PM notification status read by system | Automatically in RM, inside periodic background job | Status Notification In Process |
| 7 | Boiler temperature lowered manually by processor | Plant Maintenance processor | Status Notification In Process |
| 8 | PM notification complete | Plant Maintenance processor | Status Notification In Process |
| 9 | PM notification status read by system | Automatically in RM, inside periodic background job | Status Notification Complete |
| 10 | Response effectiveness is assigned and risk is mitigated | Risk Manager | Status Automation Finished: Status of corresponding PM notification is no longer tracked & copied to response. |

7.4.2.5.8 Using a Policy as a Risk Response

Use

Besides a specific risk response and a control, you can also use a policy from the Process Control policy library
to respond to a risk. A policy is a statement of objective, direction, or standard that acts as guidance for a
company’s interactions and operations. It can be regarded as an internal mandate established by a company to
regulate the conduct of its work with respect to the regulations it must observe.

 Note

For more information about assigning a response, see Assigning a Response [page 463].

Once assigned to a risk, a policy can be used as a risk response. This enables users to mitigate a risk by
proposing or documenting a policy for their area of responsibility, including the documentation of the response
effectiveness, impact reduction, and probability reduction.

 Note

If defined, policies are displayed in the Organization screen in a separate tab.

Prerequisites

The following prerequisites apply:

In Customizing for GRC under Risk Management -> Response and Enhancement Plan:

● Both Process Control and Risk Management must be installed and running, and the corresponding
Customizing activity Link Policy Status and Response Completeness must be carried out.
● Under Responses for Policies, the organizational Customizing activities Set Up Response Notification
Recipient for Policy and Set Up Policy Response Notification Text must be carried out.

In Customizing for GRC under Common Component Settings -> Policy Management:

● You must define policy types in the Customizing activities Maintain Policy Types and Distribution Methods
and Policy Types for Response Creation.

Under General Settings -> Activate applications in client:

● You must activate Process Control and Risk Management components (transaction SPRO).

Procedure

Creating a Policy from a Risk to Use as a Response

Proceed as follows:

1. Call up a risk and then choose the Response Plans tab to create a policy. For more information about
creating responses directly, see Creating a Response or Enhancement Plan [page 459].
2. Choose Create Policy.
3. The dialog box for policy creation displays. Select a policy group and a policy category.
4. The policy screen displays, in which you create the policy itself. Enter the necessary policy information in
the corresponding tabs.
5. Save the policy. You can send the policy for review or submit it for approval.
6. Close the policy. You can see that the response based on the new policy has been created.
7. Save the updated risk.

 Note

If you have entered risks in the Policy screen, they are displayed in the Policy tab of the Risk screen.

Creating a Response Using a Policy

Besides creating a response in the Risk screen, you can also create a response using a policy from the
Response screen. To do so:

1. Select an existing risk and then choose the Response Plans tab to create a policy. For more information
about creating responses directly, see Creating a Response or Enhancement Plan [page 459].
2. Choose Create Policy.
3. A dialog box for the selection of a policy appears. Select a policy and confirm the selection.
4. After confirmation, you are returned to the Response tab, where the new response is displayed.

Setting Up E-mail Notifications about Policy-Based Responses

To notify authorized users by e-mail about the completeness of a risk response created by a policy:

1. Open the response and go to the Notification section of the General tab.
2. Set the Notification on Policy Status Change indicator.
3. Save the response.

7.4.2.6 Activities

Use

An activity is any project, process, or an object within your business or organization that might be affected by a
specific risk.

After creating activity categories structured in an activity hierarchy, you can create individual activities for the
activity types defined in Customizing and assign them to the activity categories in the hierarchy. At defined
intervals, for example, the activities affected by specific risks can subsequently be evaluated per activity
category in reporting.

Typical types of activities are:

● Processes: Potentially all operational and administrative processes within an enterprise.
● Projects: Potentially all internal and customer projects.
● Objects: Refers to generic activities that are neither a project nor a process.

You can define all the activities that need to be monitored through dedicated risk management procedures, in
this way structuring risk management in different areas of the business. These structures can later be used for
reporting.

You must assign all activities to an activity category.

Prerequisites

Activity types must have been maintained in Customizing under Risk Management -> Master Data Setup.

Features

For each activity, you can do the following:

● Specify the activity category and validity period, as well as enter relevant constraints and assumptions for
the activity.
● Assign users/roles responsible for processing the activity.
● Link the corresponding risks and opportunities identified for that activity.
● Display any surveys to be executed for the activity.
● Display and print out a PDF fact sheet with relevant activity information.

 Note

Activities are time-dependent objects. If the valid-to date has elapsed, you do not see these activities in the
corresponding list, since they have expired. However, you can still evaluate them in reporting.

More Information

● Creating Activity Categories [page 364]

● Creating an Activity [page 478]

● Activity Hierarchy [page 362]

7.4.2.6.1 Creating an Activity

Use

Since any activity can be risk-related, you must define activities that are meaningful to your
organization in the activity hierarchy to be used for Risk Management.

Prerequisites

Activity types must be maintained in GRC Customizing under Risk Management -> Master Data Setup.

Procedure

To create an activity, proceed as follows:

1. Go to Assessments -> Risk Assessments -> Activities.

2. In the subscreen that opens, choose Create. The Create New Activity dialog box opens.
3. Under the General tab, you maintain the following activity data:
○ Activity name and description
○ Organizational unit of the activity
○ Activity category to which the activity is to be assigned
○ Valid-from and valid-to dates
○ If necessary, enter any constraints and assumptions in user-defined text format.
4. Before proceeding, save the activity data with the Save Draft pushbutton.
5. In the Roles tab, you next enter the roles to be used in Risk Management when users are working with
activities. For more information on assigning roles to activities see Assigning Roles to Activities [page 523].
6. In the Risks and Opportunities tab, enter the risks and/or opportunities for this activity, and if necessary,
attach any files or links to it. For more information about risks, see Creating a Risk [page 416].
7. Under the Surveys tab, you can view the surveys that exist for this activity. However, when you are creating
a new activity or risk, a created survey will not be visible in the Surveys tab until after you create a plan in
the Planner and have sent out the surveys. For more information about surveys, see .
8. In the Issues tab, you can create issues relating to the activity. For more information, see .
9. When you are finished, save the activity.

Note

To see the activity in graphical form, choose the Switch to Graphical View pushbutton. By clicking the Print
Fact Sheet pushbutton, you can also generate a PDF called Activity Fact Sheet, which contains all risk
information relevant to this activity.

More Information

For more information about activity categories, see Activity Hierarchy [page 362].

7.4.2.6.2 Activity Validation Workflow

Use

The activity validation workflow is carried out using the Planner function of SAP Risk
Management. The activity owner is the user who triggers this workflow. The term validation refers to another
user verifying that the details of an activity, and its associated risks if required, have been entered accurately.

Prerequisites

The following prerequisites apply:

● An activity must exist.

● Users must have the authorization to use the Planner.
● Workflow enabling must be maintained.

For the system to automatically trigger additional risk validation for risks associated with the activity, this
feature must be enabled in Customizing for Governance, Risk and Compliance under Risk Management →
General Settings → Include Additional Risk Validators in Activity Validation.

Features

Workflow processing for activities is carried out as follows:

1. Access the Planner by going to: Assessments work center → Assessment Planning → Planner.
2. Choose the Create button to access the guided procedure for creating a plan for performing activity
validation.
3. In Step 1, Enter Plan Details, enter the mandatory data: Plan name, activity, and the start and finish dates.
Then choose Next.
4. In Step 2, Select Organizations, select the organization, and choose Next.
5. In Step 3, Perform Selection, specify whether you want to create a plan for all activities or only specific
ones. You can also select by activity attributes.
6. In Step 4, Review, check to see that the selection you made is correct. The Show Detail button gives you a
list of the activities and their owners.
7. Now choose the Activate Plan button. If you select Finish, the window closes and your activity is included in
the list of activities. Alternatively, you can create a new plan from this window.

When triggered, the owner of the activity now receives an activity validation work item, which they can approve
or reject. If the additional risk validation feature is enabled in Customizing, the owners of any associated risks
also receive risk validation work items to approve or reject.

If risk owners have not yet validated their risks, the activity validator can use the Remind button to remind them
of the incomplete risk validation work item.

More Information

For more information about the Planner, see Risk Management Planner [page 499].

7.4.2.7 Working with Contexts

Use

Contexts in Risk Management enable you to store data from other networked applications, such as those in the
SAP Business Suite. This data is then used to carry out assessments in SAP Risk Management, and to link SAP
Web Services for use with SAP Risk Management.

The context of a risk describes the environment in which a risk can occur. The environment can be, for
example, a business area of an organization. In this way, you can group risks according to the context in which
they are found. The same applies to an opportunity.

A context is made up of dimensions and their corresponding values. When you select a dimension, you more
closely define the environment or context of the risk. A risk can, for example, occur at a functional location of a
plant. You use the dimension values to more closely define the functional location that is being referred to.

The focus is on integration with the following areas:

● SAP Enterprise Asset Management (SAP EAM)


● SAP Environment, Health, and Safety Management (SAP EH&S)
● SAP Management of Change
● SAP Supply Chain Management (SAP SCM)

You can also use contexts to define your own customer-specific content. The following areas contain Context
tabs that you can use to enter context data. Note that in some of these areas, the tab is called Allowed
Dimensions.

● Risks, risk templates, risk categories


● Opportunities, opportunity templates, opportunity categories
● Responses, response templates, enhancement plans
● Risk Management reporting, where context dimensions can be used as reporting filters.

Prerequisites

Dimensions and contexts must be maintained in Customizing in the Master Data Setup section.

Procedure

To define context information for a risk, proceed as follows:

1. Open the risk and choose the Context tab.


2. From the dropdown options of the first column, select one or more dimensions.
3. Select a Context Value Text from the dropdown options of the second column. You can add up to 1000
Context Values in the Context tab.

Note

If you have personalized the columns using the Settings pushbutton, the Context Value is displayed in
the third column.

Note

Objects from SAP EAM and SAP EHS Management that can be added to a risk appear in the Context
Value Text column as clickable links. Clicking them opens the details of the object.

4. Save the risk. The SAP Risk Management system is now linked via RFC with the dimension objects you
have selected.

Note

To see whether any dimension texts were changed manually, choose the Check pushbutton. You
receive an error message for each line in which the dimension value is incorrect. You can select a
correct one from the corresponding dropdown options.

5. If you want to print out the list, use the Print Version pushbutton. Note that the RFC connection must be
active in this case.

More Information

For more information on how to work with contexts, see the following areas of SAP Risk Management:

● Classifying Risks, Opportunities, and Responses [page 366]


● Creating a Risk [page 416]
● Creating a Response or Enhancement Plan [page 459]

Example

One dimension selected from the context list is the system object Plant. The context value for it is 0001,
referring to the ID of the plant selected. The context value text is displayed in the corresponding column as
Plant 0001.

7.4.2.8 Creating an Issue for a Risk, Opportunity, or Response

Use

For every risk, you can create one or several ad hoc issues in the Issues tab of the risk, opportunity, or response
screen. These issues are then displayed in the corresponding tab of the risk screen.

Prerequisites

● The Customizing activity Enable Ad Hoc Issues by Object Type, under Governance, Risk and Compliance →
Common Component Settings → Ad Hoc Issues, must be carried out.
● The two organizational RM Customizing activities, Set Up Response Notification Recipient for Issue and Set
Up Issue Response Notification Text, under Governance, Risk and Compliance → Risk Management →
Response and Enhancement Plan → Responses for Issues, must be carried out.

Procedure

Proceed as follows:

1. Go to Assessments → Risk Assessments and select either Risks and Opportunities or Responses and
Enhancement Plans. Click on the name of the risk, opportunity, or response, and then choose the Issues
tab.
2. In the Issues screen, choose Create. You are led to the issue creation screen. Here, enter the name, priority,
and description of the issue. Add a regulation in the corresponding tab if necessary, and submit the issue.
3. Choose Close. You return to the Risk or Response screen.
4. To see the updated issue list in the Issues tab of the Risk screen, choose the Refresh List pushbutton.
5. Save the risk or response.
6. If you are in the Response screen, call the Regulations tab to add any regulations from Process Control that
are relevant to this issue.

Note

After you create an issue for a response, a work item is sent to the issue processor. When the issue
processor closes the issue, it receives the status Closed and the response completeness is updated in
the response screen.

The rule for completeness calculation is:

(Number of closed issues for the response / number of all issues for the response) * 100

7. On the General tab, a checkbox called On Issue Status Change is displayed in the Notification section. If you
want an e-mail notification to be sent out when response completeness reaches 100%, based on the issue
status involved, set this indicator.

Note

If you set this indicator, the issue is processed independently of the response and receives the status
Closed.

8. Submit the issue or save it as a draft.


9. If you want the notification to be sent out, set the indicator in the checkbox and save the response.

More Information

in Process Control

7.4.2.9 Risk Assessment Reports

Use

In the Risk Assessment Reports section of the Risk Assessment work center, you can run various reports to
review the results of your risk assessment process. You can run separate reports to evaluate your top risks and
the incidents that occurred within a specific period.

More Information

For more information about the individual reports, see Reporting and Analytics [page 535].

7.4.3 Incident Management

Use

Risks that occur are called incidents. For each recorded incident, you can also record individual losses.
Documenting incidents provides historical information to identify and analyze the drivers of risks, and enables
you to design response actions for risks that have characteristics similar to the documented incidents.

The process of managing incidents involves recording them and includes validation to ensure that incident data
is correct and properly states the impact of the incident. In this way, you can analyze, control, and understand
your losses, so that you can decide on how to reduce them. You can use the workflow functions to carry out an
analysis of your losses, and provide an audit trail for incidents leading to losses. The systematic recording of
incidents enables you to:

● Better predict your organization's risk exposure.


● Anticipate new losses.
● Monitor and mitigate existing risks.
● Adjust existing risk practices where necessary.

Note

The Reports work center contains a report for the evaluation of incidents called Overview on Incidents for
Risks. For more information, see Risk Management Reports [page 535].

Prerequisites

● Roles and authorizations for Risk Management must be assigned.


● Customizing for incidents and losses must be maintained.

● Risks for which incidents are to be recorded must be active (not in draft status).

Process

In the incident management process, you document and save each incident, which then triggers a workflow
item for the validator. The objective of the validation step is to ensure that the documented incident data is
correct and represents an accurate impact on the organization.

More Information

To enter an incident in the system, see Working with Incidents [page 485].

7.4.3.1 Working with Incidents

Use

By documenting incidents, which can be defined as risks that have occurred, you can record and follow up on
negative events and the associated losses for the organization. There are two ways to create incidents:

● You can create an incident directly from a risk. For more information, see Creating a Risk [page 416].
● You can create an incident in the Incident Management section of the Assessments work center.

Note

For the occasional user, the My Home work center provides a separate entry screen with limited
functionality for recording incidents in the Ad Hoc Tasks section. This data can also be entered in an
Employee Self-Service screen. However, here the full functionality for recording incidents in the Risk
Assessment work center is described.

Prerequisites

You must have carried out the following Customizing activities for incidents, losses, and their impact, found
under Risk Management → Incident Loss Database:

● Maintain number range for incidents.


● Maintain impact levels.
● Maintain both driver and impact categories.
● Maintain and activate incident and loss attributes.
● Assign incident/loss attributes to your organizational unit.

● Optional: Make workflow processor specifications in the workflow activity Maintain Custom Agent
Determination Rules, under General Settings → Workflow. Here you must maintain the roles for the
business event 0RM_INCIDENT_VALIDATE.

Procedure

To enter an incident in the system, proceed as follows:

1. From the Assessments work center, access the section Incident Management and choose the link with the
same name.
2. The incident selection screen opens, with a display of the incidents that were already created. If the table is
empty, no incidents have yet been reported.
3. To create an incident, choose the Create pushbutton.
4. In the General tab, enter the following:
○ Incident name
○ Organization
○ Incident date
○ Date that the incident was detected (which may differ from the incident date)
5. If necessary, enter a description of the incident and add the attribute data for the incident on the right side.
To do this, choose the Add pushbutton and select the incident attributes that apply to this incident.

Note

The Loss Summary section displays the losses entered in the Loss tab.

6. Choose the Loss tab. To enter the loss data for this incident, choose the Add pushbutton. After selecting a
line in the upper Loss section, a detail section below it opens. You can enter information in the following
tabs:
○ Under the General tab, the loss name already entered is displayed. You can change the dates, add a
description, and add further loss attributes.
○ Under the Impact Categories tab, you can assign impact categories and enter further data for each
impact category. When you choose Add, a new line appears for which you must first select an impact
category. Then specify the specific loss value for this impact in monetary terms (Monetary Impact
Value) in the field below it.

Note

Depending on the unit of measure specified here (which must have previously been defined in
Customizing for your organizational unit), the impact is calculated differently. If, for example, you
set the working hours as the unit of measure, the system quantifies the loss in terms of working
hours and not in financial terms. The system then converts the value of the Unit of Measure field
using the conversion factor and the currency specified in Customizing for your organizational unit.

○ Under the Loss Drivers tab, you can add the drivers that led to this loss.
7. In the third tab of the upper section, Risk Event Allocation, you can assign risks to this incident. Proceed as
follows:
○ Choose the Add button. The system now adds an undefined risk line.
○ Choose the dropdown options to the right of this column. The risk selection screen opens. Select the
risk you want to assign to this incident.

○ In the right-hand column, you can overwrite the 100% default value with a percentage reflecting the
degree to which this risk negatively affects your organization.

Note

The sum of the risks allocated to an incident should total 100%. Otherwise you receive a warning
when you call up the incident again.

8. In the Issues tab, you can create issues for the incident if necessary. For more information, see Creating an
Issue for a Risk, Opportunity, or Response [page 482].
9. When finished, you can save the incident in draft form or submit it for processing. When an incident is
submitted, workflow then sends the incident to the defined workflow recipient for approval. See the section
below for further information on the workflow.

Note

You must choose Refresh to see the saved or submitted data.

More Information

Workflow for Recording Incidents [page 329]

7.4.3.2 Workflow for Recording Incidents

Prerequisites

The following prerequisites must be fulfilled before you can use the workflow functionality for incidents:

● An incident or incidents must exist in the system.


● Incident and loss attributes must be maintained and assigned to the corresponding organizational unit in
Customizing under Risk Management → Incident Loss Database.
● The corresponding roles and workflow enabling must be maintained in Customizing under General
Settings → Workflow.

Procedure

The procedure for recording incidents is as follows:

1. The incident is created with the initial status Draft.


2. After the incident is submitted, it has the status To Be Validated and the workflow goes to the incident
validator or validators defined for Risk Management.

3. The incident validator is identified via agent determination [page 36], which can lead to one or multiple
groups of validators being determined.
4. The incident is sent to the members of one group after the other.
5. As soon as one validator of a group validates the incident, it goes to the next group of validators for
validation. This continues until one member of each group has validated the incident. Once the incident is
validated by all groups, it goes to status Accepted.
6. If one validator sends the incident for rework, the validation process is interrupted and the incident needs
to be reworked by the user specified by the validator sending for rework. The status is To Be Reworked.
7. After the reworker has resubmitted the incident, the validation process restarts with the first group of
validators.
8. The reworker also has the option of refusing the incident, which sets the incident at status Canceled.

Incident Validation Workflow
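
The status transitions of steps 1 to 8 above, modeled as a small state machine. This is an added example, not SAP code: the class, method, and user names are hypothetical, the validator groups stand in for the result of agent determination, and role authorizations are not modeled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Status(Enum):
    DRAFT = "Draft"
    TO_BE_VALIDATED = "To Be Validated"
    TO_BE_REWORKED = "To Be Reworked"
    ACCEPTED = "Accepted"
    CANCELED = "Canceled"


class WorkflowError(Exception):
    """Action not allowed in the current status or for this user."""


@dataclass
class Incident:
    name: str
    validator_groups: List[Set[str]]      # ordered stand-in for agent determination
    status: Status = Status.DRAFT
    group_index: int = 0                  # group that currently holds the work item
    reworker: Optional[str] = None
    audit_trail: List[Tuple[str, str, str]] = field(default_factory=list)

    def __post_init__(self):
        if not self.validator_groups or not all(self.validator_groups):
            raise WorkflowError("agent determination returned no validators")

    def _step(self, user: str, action: str, new_status: Status) -> None:
        self.status = new_status
        self.audit_trail.append((user, action, new_status.value))

    def _check_validator(self, user: str) -> None:
        if self.status is not Status.TO_BE_VALIDATED:
            raise WorkflowError(f"not awaiting validation (status {self.status.value})")
        if user not in self.validator_groups[self.group_index]:
            raise WorkflowError(f"{user} is not in validator group {self.group_index + 1}")

    def submit(self, user: str) -> None:
        """Steps 1-2 and 7: submit a draft, or resubmit after rework."""
        if self.status is Status.TO_BE_REWORKED:
            if user != self.reworker:
                raise WorkflowError("only the named reworker may resubmit")
        elif self.status is not Status.DRAFT:
            raise WorkflowError(f"cannot submit in status {self.status.value}")
        self.group_index, self.reworker = 0, None   # validation (re)starts at group 1
        self._step(user, "submit", Status.TO_BE_VALIDATED)

    def validate(self, user: str) -> None:
        """Steps 4-5: one member per group is enough; groups are served in order."""
        self._check_validator(user)
        self.group_index += 1
        done = self.group_index == len(self.validator_groups)
        self._step(user, "validate", Status.ACCEPTED if done else Status.TO_BE_VALIDATED)

    def send_for_rework(self, user: str, reworker: str) -> None:
        """Step 6: a validator of the current group interrupts and names a reworker."""
        self._check_validator(user)
        self.reworker = reworker
        self._step(user, "send_for_rework", Status.TO_BE_REWORKED)

    def refuse(self, user: str) -> None:
        """Step 8: the reworker refuses the incident, which cancels it."""
        if self.status is not Status.TO_BE_REWORKED or user != self.reworker:
            raise WorkflowError("only the named reworker may refuse during rework")
        self._step(user, "refuse", Status.CANCELED)


def rejected(action, *args) -> bool:
    """Return True if the workflow refuses the action."""
    try:
        action(*args)
    except WorkflowError:
        return True
    return False


def demo() -> List[str]:
    # Constructed users and groups, for illustration only.
    inc = Incident("Constructed incident", [{"alice", "bob"}, {"carol"}])
    inc.submit("owner")
    inc.validate("bob")                       # group 1 done, item moves to group 2
    inc.send_for_rework("carol", "owner")     # group 2 interrupts validation
    inc.submit("owner")                       # validation restarts at group 1
    inc.validate("alice")
    inc.validate("carol")
    return [status for _, _, status in inc.audit_trail]


if __name__ == "__main__":
    print(demo())
```

The audit trail records who performed each transition, which is what a reviewer checks when confirming that every validator group signed off after the last rework.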

7.4.4 Scenario Management

Use

In Scenario Management, you can define scenarios to be used for Risk Management. Scenarios are events that
link risks in a logical way and then show the effect of a scenario change on these events. After defining a
scenario containing individual linked risks, you can use the scenarios that you have defined for simulation and
testing.

Features

Scenarios can be managed by corporate risk managers, unit risk managers, or other risk owners. The tasks
involved in scenario management are as follows:

● Classifying and grouping scenarios via classifications and, if a detailed structure is needed, scenario
subclassifications.
● Deciding what organizational units, activity categories and risk categories are affected by each scenario.
● Providing an initial estimate of the impact of the scenario on the organization.
● Defining the risks and modeling their dependencies via the inclusion of influenced risks within the scenario.
● Forwarding this information to a group of risk owners, after which each risk can be documented by the risk
owner to whom it belongs.

All users responsible for risks can change the loss values for primary (that is, non-influenced) risks and see the
results on influenced risks and on the scenario.

For information about defining and using scenarios, see:

More Information

● Working with Scenario Analysis [page 489]


● Scenario Analysis using Monte Carlo [page 495]

7.4.4.1 Working with Scenario Analysis

Use

By defining individual scenarios (scenario cases), you can link risks within a specific scenario. In this way, you
can build a complete diagram of your company-specific risks, and view the result in a transparent form.
Scenarios are always linked to a scenario classification.

Prerequisites

You have maintained the corresponding risks in the portal application and have carried out the following GRC
Customizing activities:

● Under Risk Management → Risk and Opportunity Analysis, you have maintained probability levels (that
is, the likelihood of a risk occurring) and impact categories for risks and opportunities.

● Under Risk Management → Master Data Setup, you have maintained the influence strength, or the
degree of influence that risks have.

Procedure

You work with scenario analysis as follows:

1. In the Scenario Management section of the Assessments work center, choose the Scenarios quick link.
2. If you have not created any scenarios yet, you must first create a scenario classification and a
subclassification. Select a line from the parent scenario screen section and choose Create →
Classification.

Note

You can also create a scenario subclassification below a classification. For this, select a classification
line and then select Scenario Subclassification.

3. If you have created scenarios already, you can select a line from the parent scenario classification and
choose Create → Case. To create a case, you need to select a row with both the parent classification
and the subclassification filled.
Then step through the following screens in the individual Scenario Case tabs:
○ Maintain general scenario data on the Component [page 490] tab.
○ Maintain scenario assumptions on the Assumption [page 491] tab.
○ Enter responses to the scenario on the Response [page 493] tab.
○ View the effects of your data input on the Result and Sensitivity [page 494] tabs.
4. When you are finished, save your scenario data.

Result

You have transparency in the risk and opportunity scenarios that you have defined, enabling you to manage
your risk and benefit landscape in an appropriate manner.

7.4.4.1.1 Maintaining Scenario Component Data

Context

On the Component tab under Assessments → Scenario Management → Scenarios → <name of existing
scenario>, or via the Create button → Case, you maintain the general data to be used for your risk scenario.

Note

After creating your scenario, you can view it in graphic form by using the Switch to Graphic View button.

Procedure

1. Enter the name of your scenario and the currency (mandatory fields). Enter a descriptive text for the
scenario if necessary.
2. Make a selection in the Likelihood field.
3. For the option you have chosen in the Likelihood field, you can enter a user-defined text in the Rationale for
Likelihood field, enabling you to justify the likelihood option you selected.
4. In the Cause field, you can enter a textual description of the root cause or the factors that might cause the
scenario to become a reality.
5. The lower screen section displays all risks involved in this scenario, together with the activity and risk
category assigned. Here you can assign the risk events that might occur in this scenario as follows:
○ By choosing the Assign button, you can search for all related risks (called influenced risks) to assign
them to the scenario. To be able to assign a risk, it must contain a quantitative analysis, or it cannot be
taken into account, since no calculation is done with qualitative analyses here.
○ By choosing the Open button, you can access the risk screen with all the corresponding risk data.

Note

You cannot change the risk data in the scenario screen. You can only change it from the risk and
opportunity management application. When you open a risk from the scenario screen, the
information is displayed in read-only mode.

○ By choosing the Remove button, you can delete some of these influenced risks if you don’t want them
in the scenario.

Note

Influenced risks are linked with percentage probabilities to define influence factors. For more
information about the creation of influence factors, see the corresponding section of the
documentation for Creating a Risk [page 416].

7.4.4.1.2 Working with Assumption Data

Use

On the Assumption tab for a scenario, you can make entries for your assumed risk values to be used in the
scenario.

Procedure

1. Make entries for your assumed risk values, which affect all the risks in the screen section below them, in
the following columns:

| Column | Description |
|---|---|
| Overall Change on Impact | Enter a percentage probability for the change affecting the Adjusted Impact column in the lower section. |
| Overall Change on Probability | Enter another percentage rate for the probability of this scenario happening, which affects the Adjusted Probability column in the lower section. |
| Overall Benefit from Scenario | Specify the overall financial benefit to be derived from using this scenario. |

Note

Choosing the Apply Overall Changes button applies the entries you have made in the above fields to the
risks listed in the lower screen section, and choosing the Reset button resets these entries again.
However, this does not apply to influenced risks, which are displayed as indented compared to the
primary risks you define.

2. In the screen section below this, the following column values are displayed for each risk. Note that you can
change the values of two columns, representing a manual form of simulation, as described below:

| Column | Description |
|---|---|
| Probability (%) | Percentage probability of the risk happening. |
| Adjusted Impact (currency) | Adjusted monetary impact of the risk happening. The value in this field changes when you make an entry in the above Overall Change on Impact field. Note that in this column, you can enter a different monetary value for the financial impact of this risk if it occurs. The formula used is Impact x Influence Factor = Adjusted Impact. |
| Adjusted Probability (%) | Adjusted probability of the risk happening. The formula used is Probability x Influence Factor on Probability = Adjusted Probability. The value in this field changes when you make an entry in the above Overall Change on Probability field. This formula is only applicable to influenced risks, not for primary risks. Note that in this column, you can enter a different percentage for the probability of the risk occurring. |
| Impact (currency) | Impact of the risk in monetary terms. |
| Influence Factor on Impact | This value is a multiplier used in the formula Impact x Influence Factor = Adjusted Impact. For more information about influence factors, see Creating a Risk [page 416]. Note that this formula can only be used for influenced risks. |
| Influence Factor on Probability | This value is a multiplier used in the formula Probability (%) x Influence Factor = Adjusted Probability, forming part of the calculation in this screen. For more information about influence factors, see Creating a Risk [page 416]. |

Note

The expected impact is calculated according to the formula used by fields in this screen: Probability
(%) x Impact Value = Expected Impact. However, note that the expected impact itself is displayed on
the Result tab and not in the Assumption tab.

3. In the list of risks, there is a checkbox for the Impact Category Allocation: By selecting this field, the lower
screen section displays the following information for the risks in the upper screen section.

| Column | Description |
|---|---|
| Impact Category | Impact category previously defined in Customizing |
| Impact Allocation (currency) | Monetary impact of the risk |
| Impact Allocation (%) | Percentage to which this impact affects the risk. The total of all impact allocation percentages is 100%. |

Note

You can overwrite the monetary value in the Impact Allocation column, after which the value in the Adjusted
Impact (currency) column changes.

7.4.4.1.3 Creating a Scenario Response

Use

In the Response screen of a scenario, you can specify responses to the scenario which would mitigate the
effects of the risks in the scenario if they occurred. You can also maintain the percentage probability and
impact reduction figures for the response.

Prerequisites

Impact categories must be maintained in Customizing and a scenario with at least one risk must exist.

Procedure

On the scenario tab, you can do the following:

● You can create a new response, or remove an existing response.


● You can assign an existing response and change it before saving it.
● You can change the Probability Reduction (%) and Impact Reduction (Currency) to be achieved through a
response by overtyping the figures in the corresponding columns of the response.

To create or assign a response, proceed as follows.

1. To create a new response, see Creating a Response or Enhancement Plan [page 459].
2. To assign an existing response, choose the Assign button. Select an existing response and press OK. For
more information, see Assigning a Response [page 463].
3. Save your data. The system places your saved response in the response section of this screen.

By putting your cursor on a response line and selecting the Impact Reduction Breakdown field at the bottom of
the screen, a list of the impact categories defined for the individual responses displays in the lower screen
section. For each impact category, the calculated planned monetary and percentage figures of the impact
reduction are displayed.

7.4.4.1.4 Scenario Result and Sensitivity Analysis

Use

The Result and Sensitivity Analysis tabs of the scenario application enable you to view and interpret the effects
of impact and probability changes on scenarios.

Features

On the Result screen for scenario analysis, you can view the calculated result per impact category in monetary
figures. These monetary results are listed for the following three situations:

● Without scenario use


● With scenario use before mitigation/response
● With scenario use after mitigation/response

In the list of impact categories on the Result tab, the following additional lines containing further impact
categories are displayed (beyond the above-mentioned impact categories defined in Customizing):

● Total Impact: The calculated total of the monetary impact for all impact categories.
● Expected Impact: The value calculated from the Assumption tab (see Working with Assumption Data [page
491]).

The Sensitivity Analysis tab contains an overview of all risks in the scenario, together with the Impact Category,
the Impact Adjustment, and the Risk Variance, the latter two both in monetary terms.

The system outputs simulation data for each risk, showing what happens when the impact is adjusted by only
1%. That is, the Impact Adjustment field contains a value that is 1% of the impact allocation value for the
corresponding impact category on the Assumption tab.

Note

You cannot change any data on the Result and Sensitivity Analysis tabs.

7.4.4.2 Scenario Analysis using Monte Carlo

Use

The Monte Carlo simulation is a method for calculating the value at risk (VaR). This refers to the total risk
exposure in monetary terms. Using a predefined sampling technique, this stochastic process contains
computational algorithms that rely on repeated random sampling to compute the results.

Scenario analysis using Monte Carlo enables you to select a list of risks, assign them to a random distribution,
and decide on a distribution method for the number of losses involved (frequency). In this way, the system
estimates the total aggregated loss (the sum) at risk for your simulation.

These are the steps involved in working with the Monte Carlo simulation:

● Designing/creating the scenario for which you want to perform a simulation.


● Assigning specific risks to the scenario.
● If necessary, later adding risks on an ad hoc basis to improve, extend, or model the risk landscape.
● Assigning a frequency distribution algorithm to the risks. The frequency distribution shows the number of
times each value appears in the simulation result.
● Selecting the number of runs you want to use during the Monte Carlo simulation.

Prerequisites

The following prerequisites are necessary to use the Monte Carlo simulation:

● Active risks have been created and are available.
● The Customizing activity for maintaining simulation percentiles must be completed under Governance,
Risk and Compliance > Risk Management > Master Data Setup.

● The most current version of Java Runtime must be installed.

Procedure

In the Scenario Management section of the Assessments work center, you can carry out a simulation for your
scenario as follows:

1. Choose the Monte Carlo quick link.


The columns in the next screen have the following meanings:

| Column name | Description |
| --- | --- |
| Simulation | The user-defined name of the simulation. |
| Number of Runs | How often you want the simulation to be carried out. |
| Certainty (%) | Percentage value used to calculate the degree of certainty for the simulation result. |
| Worst-Case Simulation Result | The result of simulation in monetary terms. This field contains the value zero until after the simulation run. |
| Currency | The currency used for the simulation. |
| Created by / Created on | The user creating the simulation and the date of creation. |

2. In the dialog box that opens, choose Create.


3. On the Component tab, enter a name for the simulation, as well as the currency to be used, and the
certainty value. Note: The value must be greater than 50%.
4. Next, assign the corresponding risks to be used for the simulation in the lower screen section. Choose
Assign and select a risk from the selection screen. Only risks with quantitative analysis data are displayed.
If you are analyzing several risks, you must select them individually. When you leave the selection screen,
these risks are transferred to the lower screen section of the Assumption tab.
5. Now enter the number of simulation runs and the frequency distribution, that is, how often each risk is
to be simulated. You can also view but not change the risk or risks you
specified, their probability in percentage, and the impact in monetary terms.
6. Place the cursor on a risk and choose Open to display the risk data. The bottom screen
section also appears, containing the impact categories allocated to this risk. By selecting individual risks, you
now specify the severity distribution for each impact category in the corresponding column. For more
information about the different types of severity distribution, see Monte Carlo Probability Distribution
[page 498].
7. Choose the Simulate pushbutton to start the simulation run. If the simulation was carried out successfully,
you receive a message to this effect.

Recommendation

For performance reasons you should not set the number of simulation runs at more than 100,000. The
number of simulation runs is linked to the simulation percentile (see above) as follows:
○ For a 10% simulation percentile, 1,000 simulation runs are sufficient to produce results, but your
degree of certainty would be very low.
○ For a 1% simulation percentile, 10,000 simulation runs produce fairly realistic results.
○ For a 0.1% simulation percentile, you need 100,000 simulation runs to obtain results
representative of a Monte Carlo simulation.

8. On the Result tab, you can see the results of your simulation in graphic form, together with the total
simulated losses per type of impact (average case, worst case) involved. At the bottom of the screen you
can see the monetary effects of the simulation per impact category.
9. On the Issues tab, you can create any issues relating to this simulation. For more information about
creating issues, see Creating Issues for Risks, Opportunities, and Responses [page 482].
10. Finally, you can save the simulation you have created. The simulation window closes and you return to the
overview screen. To see the updated results, choose the Update pushbutton.

Note

You can export the simulation data, including risks and their frequency distributions, impact categories
and severity distributions, in the form of an XML file. You can display the data in table format by
importing it into MS Excel. To do so, use the Export pushbutton.

11. In the list of simulations, you can choose Refresh to see the total of all worst-case simulation results for all
impact categories involved in the simulation run.

Note

If you want to see your scenario and the results of your simulation in graphic form, use the Switch to
Graphic View pushbutton. However, if you close the simulation screen and access it a second time, the
results graph no longer contains graphic data, although the final result was saved to the database. If you
want to see the graph again, you must execute the simulation again.

More Information

Example: Monte Carlo Simulation [page 499]

7.4.4.2.1 Monte Carlo Probability Distribution

Use

To correctly run the Monte Carlo simulation, you must maintain probability distribution values so that the
graphic curve is generated correctly during simulation. There are two kinds of distribution:

● Frequency distribution: This refers to how often the risk is simulated in one simulation run, and is a
numeric value entered by the user.
● Severity distribution: This refers to the type of distribution used in the simulation run, and is a dropdown
option on the Assumption tab of the Monte Carlo Simulation screen.

Prerequisites

A simulation percentile must be maintained in Customizing under Risk Management > Master Data Setup.

Features

Risk Management makes use of the following severity distributions, which you can see in the Assumption tab of
the Monte Carlo simulation screen. You have the following options:

● Continuous distribution: Variables in a continuous uniform distribution can occur randomly.


For this option, enter the minimum and maximum values of the financial impact for the impact category in
the popup window.
● Discrete distribution: Uniform distribution with equal probability that the number is between the first and
the last values entered.
For this option, add parameters for the percentage probability and the financial impact in the popup
window.

Note

The probability percentage values you enter here must total 100%.

● Lognormal distribution: A skewed bell curve is generated. Lognormal distributions are similar to normal
distributions. However, the lognormal distribution is characterized by a large number of independent,
identically distributed variables, and the natural logarithm of the variable follows a normal curve (see
below).
For this option, enter the standard deviation and the mean value in the popup window.

● Normal distribution: The bell curve, or normal distribution, is based on random results that are weighted
by a predetermined average or mean, and a standard deviation. The standard deviation is a measure of
variability from the mean.
For this option, enter the standard deviation and the mean value in the popup window.

7.4.4.2.2 Example: Monte Carlo Simulation

A global manufacturer wants to calculate the risk involved for Asian production plants due to a widespread bird
flu pandemic, which has now affected many workers in the plants. The manufacturer defines the risks as
follows:

● The top risk, or primary risk, is the pandemic itself. This leads to:
○ High sickness rate and lower productivity in the plants where the pandemic has hit.
○ Lower sales of products due to low production rates.
These are known as influenced risks, affected by the primary risk. The first influenced risk, the high
sickness rate, results in the following further influenced risks:
○ Shipments are not delivered on time.
○ This may lead to the further risk of fraud, since if most colleagues are out of the office because of
sickness, the segregation of duties principle may be violated.
○ This again may lead to a higher impact of the risk if it happens.

By structuring risks in a risk hierarchy and running the Monte Carlo scenario on it, you can determine more
precisely what the final risk will be, in terms of both probability and impact.
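
The simulation from 7.4.4.2 with the four severity distributions from 7.4.4.2.1, as an added Python example (not SAP's implementation and not code from this guide). It assumes each risk is tried `frequency` times per run, occurs with its probability, and adds one severity draw per impact category; the lognormal mean and standard deviation are assumed to describe ln(loss), and all risk names and amounts are constructed sample values.

```python
import math
import random

# Constructed sample scenario; names and amounts are illustrative, not from the guide.
SAMPLE_RISKS = [
    {"name": "High sickness rate", "probability_pct": 30, "frequency": 1,
     "severity": {"Financial": {"type": "continuous", "min": 100_000, "max": 500_000}}},
    {"name": "Late shipments", "probability_pct": 20, "frequency": 2,
     "severity": {"Financial": {"type": "normal", "mean": 50_000, "sd": 10_000}}},
    {"name": "Fraud", "probability_pct": 5, "frequency": 1,
     "severity": {"Financial": {"type": "discrete",
                                "outcomes": [(80, 20_000), (20, 250_000)]}}},
    {"name": "Lower sales", "probability_pct": 10, "frequency": 1,
     "severity": {"Reputation": {"type": "lognormal", "mean": 9.0, "sd": 0.5}}},
]


def validate(risks, runs, certainty_pct):
    """Enforce the input rules the guide states for a simulation."""
    # The guide requires certainty > 50%; the upper bound of 100% is an assumption.
    if not 50 < certainty_pct < 100:
        raise ValueError("certainty must be greater than 50% and below 100%")
    if runs < 1:
        raise ValueError("number of runs must be positive")
    for risk in risks:
        for category, dist in risk["severity"].items():
            if dist["type"] == "discrete":
                total = sum(pct for pct, _ in dist["outcomes"])
                if abs(total - 100.0) > 1e-9:
                    raise ValueError(
                        f"{risk['name']}/{category}: probabilities total {total}%, not 100%")


def draw_severity(rng, dist):
    """Draw one monetary loss from one of the four severity distributions."""
    kind = dist["type"]
    if kind == "continuous":      # uniform between the minimum and maximum impact
        return rng.uniform(dist["min"], dist["max"])
    if kind == "discrete":        # (probability %, financial impact) pairs
        values = [impact for _, impact in dist["outcomes"]]
        weights = [pct for pct, _ in dist["outcomes"]]
        return rng.choices(values, weights=weights)[0]
    if kind == "normal":          # assumption: a loss cannot be negative
        return max(0.0, rng.gauss(dist["mean"], dist["sd"]))
    if kind == "lognormal":       # assumption: mean/sd are those of ln(loss)
        return rng.lognormvariate(dist["mean"], dist["sd"])
    raise ValueError(f"unknown severity distribution: {kind}")


def simulate(risks, runs, certainty_pct, seed=None):
    """Return the average and worst-case (certainty percentile) aggregated loss."""
    validate(risks, runs, certainty_pct)
    rng = random.Random(seed)
    totals = []
    for _run in range(runs):
        total = 0.0
        for risk in risks:
            for _event in range(risk["frequency"]):
                if rng.random() * 100 < risk["probability_pct"]:
                    total += sum(draw_severity(rng, d) for d in risk["severity"].values())
        totals.append(total)
    totals.sort()
    # Index of the smallest total that is >= certainty_pct of all simulated totals.
    idx = min(runs - 1, math.ceil(runs * certainty_pct / 100) - 1)
    return {"average": sum(totals) / runs, "worst_case": totals[idx]}


def tail_samples(runs, percentile_pct):
    """Number of simulated totals that lie beyond the simulation percentile."""
    return round(runs * percentile_pct / 100)


if __name__ == "__main__":
    result = simulate(SAMPLE_RISKS, runs=10_000, certainty_pct=99, seed=7)
    print(f"average loss:    {result['average']:,.0f}")
    print(f"worst-case loss: {result['worst_case']:,.0f}")
    for runs, pct in [(1_000, 10), (10_000, 1), (100_000, 0.1)]:
        print(f"{runs:>7} runs at {pct}% percentile -> {tail_samples(runs, pct)} tail samples")
```

Each of the three run counts in the Recommendation leaves 100 simulated totals beyond its percentile, which `tail_samples` makes visible.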

7.4.5 Assessment Planning

In the Assessment Planning section of the Assessments work center, you have the following options:



7.4.5.1 Risk Management Planner

Use

Using the Planner, you can plan risk assessments, collaborative risk assessments, risk surveys, activity surveys,
risk indicator surveys, opportunity assessments, and risk and activity validation.

Note

For more information about Risk Management workflows, see Workflows [page 33].

Prerequisites

To use the Planner in Risk Management, the following prerequisites must be fulfilled:

● Risk Management role assignments must be maintained in Customizing.


● The corresponding roles must be maintained in the Roles tab of the Organization screen.
● For surveys, the question library and the survey library must be maintained.
● The workflows and surveys are determined by agent slots and/or business events that you specify in
further Customizing activities.

More Information

To read more about the Planner, see .

To create a plan in Risk Management, see Creating a Plan with the Planner [page 500].

To work with Risk Management surveys, see .

7.4.5.1.1 Creating a Plan with the Planner

1. Call Assessments > Assessment Planning > Planner.
2. Choose Create. The guided procedure screen for creating a plan opens.
3. In the guided procedure, enter the name of the plan and select a Plan Activity. Depending on the selection
you make here, the fields below it vary. If you want to carry out an activity survey, for example, you can
specify whether to include the corresponding risks or not.

Note

To carry out a collaborative risk assessment, select the plan activity Perform Collaborative Risk
Assessment. This creates a risk assessment using e-mails. If you want to carry out a collaborative risk
assessment via surveys, select the plan activity Perform Collaborative Risk Assessment Via Survey and
set the Via E-Mail indicator in the Delivery field.

4. Enter the plan name and select a plan activity.


5. If you want to use a survey for the plan, select it from the dropdown list.
6. For some plans that involve the sending of PDF questionnaires, you must set the Delivery: Via E-Mail
indicator. This means that you receive a survey in Offline Mode. Otherwise, you receive a work item in your
work inbox, which is considered as the Online Mode.
7. Enter the start and due dates, and for assessments, the analysis date.

Note

The due date cannot be the same as the start date; it must be at least one day later. However, for risk
analyses, the analysis date can be the same as the start date.

8. Choose Next and proceed to the Select Organizations step of the guided procedure. Expand this window to
see all the fields. Choose the line of the organization for which you want to carry out the plan activity and
then choose Next.
9. In the third step, Select Objects, you can further narrow down the selection criteria. If you are creating a
risk survey, for example, you specify whether to select all risks, select risks by attributes, or select only
specific risks. For example, you can select the risk for which you have carried out an analysis.
For an activity validation, you have the following options:
○ If you select all activities, all existing activities in the organization are used in the plan.
○ If you select by activity attributes, for example, you can specify the activity category and type, and the
number of risks to be included. In particular, you can specify the inherent and residual risk levels, as
well as enter a validity period for the plan.
○ If you select specific activities, you must specify which ones are to be included in the plan.
10. After choosing Next, you access the Review section of the guided procedure, where you can check whether
the plan details and the selections you made are correct. If you choose the View Objects pushbutton, the
system outputs a list of the selected objects and the corresponding e-mail recipient or recipients. This is
the risk manager or the risk owner or owners. However, these may change at runtime.
11. Choose the Activate Plan pushbutton to save the plan.
12. The last step, Confirmation, is triggered automatically, and the system confirms that your plan was saved.
13. To conclude the procedure, choose the Finish pushbutton. Alternatively, you can create a new plan from
the corresponding link in this section.
14. The plan you created is now listed in the overview screen. If you call up the plan again from the list, you can
see the scheduling events for this plan in the Events tab.
15. In the overview screen, the meanings of the statuses set by the system are:
○ Planning: The plan has been created but has not been executed.
○ In process: The plan is being processed but is not completed.
○ Completed: The plan has been executed successfully.
○ Error: The plan has been executed but an error occurred.

Note

If you receive the status Error for your plan, you can see the reason in the Events tab of the plan. In
this case, you must check the application log using transaction SLG1.

Copying a Plan

1. From the Planner overview list, put your cursor on the plan to be copied and choose the Copy pushbutton.
2. A guided procedure for copying the plan appears.
3. You can change the plan details by entering other data. Note that the start date cannot be in the past.
4. The steps to be followed for copying are the same as for creation (see steps 5 through 9 above).

Deleting or Splitting a Plan

A plan can be deleted or split over several organizational units. In the latter case, you can use one plan for all
organizations or have the plan replicated for each organization.

1. From the Planner overview list, put your cursor on the plan to be deleted or split and choose the
corresponding pushbutton.

Note

You can only delete or split a plan that has not been executed yet. Only a plan whose status is Planning
and whose start date is the next day or later can be deleted or split. Furthermore, to split a plan, you
must have previously selected at least two different organizational units over which the plan will be
split.

2. The plan is either split or deleted. If it is split, two lines are displayed in the list. If deleted, the line for this
plan no longer appears.

7.4.6 Risk Control Self Assessments

Risk Control Self Assessment (RCSA) is a process that enables you to coordinate the distribution and analysis
of surveys. To complete a Risk Control Self Assessment, you need to create an RCSA plan, which specifies the
organizations and risk categories covered by specific surveys.

Note

You can define recipients directly in an RCSA plan, or have the recipients determined in the Planner, by
agent slot evaluation.

After creating an RCSA plan, you can use the Planner to distribute the related surveys, and RCSA Plans to
monitor the progress of the Risk Control Self Assessment. After successful completion, you can use the RCSA
Survey Compare report to analyze the results.

You can further automate your analysis using survey valuations, defined using the Survey Library, which
enables you to convert survey answers to scores. This allows you to create aggregates based on organizations
and risk categories, available using the RCSA Aggregation report.

7.4.6.1 RCSA Plans

Context

Risk Control Self Assessment (RCSA) plans specify the organizations and risk categories covered by specific
surveys. When managing RCSA plans, you can complete the following tasks:

● Search RCSA plans


● Create RCSA plans
● Modify existing RCSA plans
● Monitor RCSA plans

● Delete existing RCSA plans

7.4.6.1.1 Searching RCSA Plans

Context

You can search RCSA plans using the RCSA Plan Management screen. When defining a query (known as a
worklist), you can either create a new worklist or base your worklist on an existing query.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Plans.

The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Choose the New Worklist pushbutton.

The New Worklist dialog appears with RCSA Plans automatically selected in the Select Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Entity field, choose Organization/Risk Category using the drop-down list.

Choose the Preview pushbutton to display the table of RCSA plans based on the current criteria. Choose
the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.

The query results appear.

Next Steps

Creating RCSA Plans [page 504]

Modifying RCSA Plans [page 505]

Monitoring RCSA Plans [page 506]

Deleting RCSA Plans [page 507]

7.4.6.1.2 Creating RCSA Plans

Use

You can create RCSA plans using the RCSA Plan Management screen. You can also create a new RCSA plan by
copying an existing plan and modifying the appropriate settings.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Plans.
The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Choose the Create pushbutton.
The Create RCSA Plan screen appears.
3. In Step 1: General, specify the general RCSA plan information.
1. In the RCSA Date field, type or select the date for the RCSA plan.
2. In the RCSA Plan Name field, type the name of the RCSA plan.
3. In the RCSA Plan Descr field, type a description of the RCSA plan.
4. Choose the Next pushbutton.
4. In Step 2: Organizations, specify the organizations for the RCSA plan.
1. Select one or more entries in the Available table, and choose the Add or Add with children pushbutton
to include the entry in the Selected table.
2. To change the sequence of the organizations, choose the arrow pushbuttons directly below the
Selected table.
3. Choose the Next pushbutton.
5. In Step 3: Risk Categories, specify the risk categories for the RCSA plan.
1. Select one or more entries in the Available table, and choose the Add or Add with children pushbutton
to include the entry in the Selected table.
2. To change the sequence of the risk categories, choose the arrow pushbuttons directly below the
Selected table.
3. Choose the Next pushbutton.
6. In Step 4: Surveys, choose a survey using the drop-down list and choose the Set Survey for Selected Rows
or Columns pushbutton.
Choose the Next pushbutton.
7. In Step 5: Recipients, select a recipient and choose the Set Recipient for Selected Rows or Columns
pushbutton.
Choose the Next pushbutton.
8. In Step 6: Review, review your settings.
9. Choose the Save pushbutton.

Creating an RCSA Plan by Copying an Existing Plan

1. Select an RCSA plan in the table, and choose the Copy pushbutton.
The Copy RCSA Plan screen appears.
2. In the RCSA Plan Name field, modify the name of the RCSA plan.

3. In each step, review the current settings and modify, as required. Choose the Next pushbutton.
4. Choose the Save pushbutton after you have modified the appropriate settings.

More Information

Searching RCSA Plans [page 503]

Modifying RCSA Plans [page 505]

Monitoring RCSA Plans [page 506]

Deleting RCSA Plans [page 507]

7.4.6.1.3 Modifying RCSA Plans

Context

You can modify specific RCSA plans using the RCSA Plan Management screen.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Plans.

The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Choose the name of the RCSA plan you want to modify.

The Edit RCSA Plan screen appears allowing you to modify the settings.
3. Modify the RCSA plan settings, as required.
4. Choose the Save pushbutton.

Next Steps

Searching RCSA Plans [page 503]

Creating RCSA Plans [page 504]

Deleting RCSA Plans [page 507]

7.4.6.1.4 Monitoring RCSA Plans

Context

You can monitor RCSA plans using the RCSA Monitor screen, including displaying statistics and other relevant
information.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Plans.

The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Select an RCSA plan in the table, and choose the Monitor pushbutton.

The RCSA Monitor screen appears.


3. To display statistics related to the RCSA plan, choose the Statistics pushbutton.

The Statistics dialog appears displaying the matrix coverage and a status overview. Choose the Close
pushbutton to dismiss the dialog.
4. To display planner information related to the RCSA plan, choose the Planner pushbutton.

The RCSA Monitor dialog appears displaying the information. Choose the Cancel pushbutton to dismiss the
dialog.
5. To select another RCSA plan to monitor, choose the Select Other Plan pushbutton.

The RCSA Plan dialog appears allowing you to choose another plan. Select a plan, and choose the OK
pushbutton.
6. Choose the Close pushbutton to close the RCSA Plan Management screen.

Next Steps

Searching RCSA Plans [page 503]

Creating RCSA Plans [page 504]

Modifying RCSA Plans [page 505]

Deleting RCSA Plans [page 507]

7.4.6.1.5 Deleting RCSA Plans

Context

You can delete existing RCSA plans using the RCSA Plan Management screen.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Plans.

The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Select one or more RCSA plans that you need to delete.
3. Choose the Delete pushbutton.

A confirmation dialog appears.


4. Choose Yes to delete the selected RCSA plans; choose No to dismiss the dialog without deleting the
selected RCSA plans.

Next Steps

Searching RCSA Plans [page 503]

Creating RCSA Plans [page 504]

Modifying RCSA Plans [page 505]

7.4.6.2 RCSA Aggregation Hierarchy

When managing RCSA aggregation hierarchies, you can complete the following tasks:

● Search RCSA aggregation hierarchies


● Create RCSA aggregation hierarchies
● Modify existing RCSA aggregation hierarchies
● Delete RCSA aggregation hierarchies

7.4.6.2.1 Searching RCSA Aggregation Hierarchies

Context

You can search RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Hierarchy.

The RCSA Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the New Worklist pushbutton.

The New Worklist dialog appears with RCSA Aggregation Hierarchies automatically selected in the Select
Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Hierarchy Type ID fields, type or select the range of hierarchy types.

Choose the Preview pushbutton to display the table of aggregation hierarchies based on the current
criteria. Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.

The query results appear.

Next Steps

Creating RCSA Aggregation Hierarchies [page 509]

Modifying RCSA Aggregation Hierarchies [page 510]

Deleting RCSA Aggregation Hierarchies [page 510]

7.4.6.2.2 Creating RCSA Aggregation Hierarchies

Use

You can create RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen. You can also
create a new aggregation hierarchy by copying an existing hierarchy and modifying the appropriate settings.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Hierarchy.
The RCSA Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the Create pushbutton, and select one of the following options using the drop-down list:
○ RCSA Organization Hierarchy
○ RCSA Risk Category Hierarchy
The Create Aggregation Hierarchy screen appears.
3. In the Title field, type the title of the aggregation hierarchy.
4. In the Description field, type a description of the aggregation hierarchy.
5. In the RCSA Plan field, choose an RCSA plan using the drop-down list.
6. In the Hierarchy focus date field, type or select a date, and choose the Apply pushbutton.
7. In the Organization view or Risk Category view field, choose a view using the drop-down list and complete
the Excluded and Aggregation Rule settings in the table.
8. To save the aggregation hierarchy as a draft, choose the Save Draft pushbutton.
9. To save and activate the aggregation hierarchy, choose the Save and Activate pushbutton.

Creating an Aggregation Hierarchy by Copying an Existing Hierarchy

1. Select an aggregation hierarchy in the table, and choose the Copy pushbutton.
The Copy Aggregation Hierarchy screen appears.
2. In the Title field, modify the name of the aggregation hierarchy.
3. Review the current settings and modify, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.

More Information

Searching RCSA Aggregation Hierarchies [page 508]

Modifying RCSA Aggregation Hierarchies [page 510]

Deleting RCSA Aggregation Hierarchies [page 510]

7.4.6.2.3 Modifying RCSA Aggregation Hierarchies

Context

You can modify specific RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Hierarchy.

The RCSA Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the title of the aggregation hierarchy you want to modify.

The Change Aggregation Hierarchy screen appears allowing you to modify the settings.
3. Modify the aggregation hierarchy settings, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.

Next Steps

Searching RCSA Aggregation Hierarchies [page 508]

Creating RCSA Aggregation Hierarchies [page 509]

Deleting RCSA Aggregation Hierarchies [page 510]

7.4.6.2.4 Deleting RCSA Aggregation Hierarchies

Context

You can delete existing RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Hierarchy.

The RCSA Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Select one or more aggregation hierarchies that you need to delete.
3. Choose the Delete pushbutton.

A confirmation dialog appears.


4. Choose Yes to delete the selected aggregation hierarchies; choose No to dismiss the dialog without
deleting the selected aggregation hierarchies.

Next Steps

Searching RCSA Aggregation Hierarchies [page 508]

Creating RCSA Aggregation Hierarchies [page 509]

Modifying RCSA Aggregation Hierarchies [page 510]

7.4.6.3 RCSA Aggregation Run

Context

When managing RCSA aggregation runs, you can complete the following tasks:

● Search RCSA aggregation runs


● Create RCSA aggregation runs
● Modify existing RCSA aggregation runs
● Delete existing RCSA aggregation runs

7.4.6.3.1 Searching RCSA Aggregation Runs

Context

You can search RCSA aggregation runs using the RCSA Aggregation Run Management screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Run.

The RCSA Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the New Worklist pushbutton.

The New Worklist dialog appears with RCSA Aggregation Runs automatically selected in the Select Object
Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Aggregation Type field, choose Risk Control Self Assessment using the drop-down list.

Choose the Preview pushbutton to display the table of aggregation runs based on the current criteria.
Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.

The query results appear.

Next Steps

Creating RCSA Aggregation Runs [page 512]

Modifying RCSA Aggregation Runs [page 513]

Deleting RCSA Aggregation Runs [page 514]

7.4.6.3.2 Creating RCSA Aggregation Runs

Use

You can create aggregation runs using the RCSA Aggregation Run Management screen. You can also create a
new aggregation run by copying an existing run and modifying the appropriate settings.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Run.
The RCSA Aggregation Run Management screen appears displaying the existing aggregation runs.

2. Choose the Create pushbutton, and select RCSA Aggregation Run using the drop-down menu.
The Create Aggregation Run screen appears.
3. In the Name field, type the name of the aggregation run.
4. In the Description field, type a description of the aggregation run.
5. In the Owner field, type or select the owner of the aggregation run.
6. In the Start Date field, type or select the start date for the aggregation run.
7. In the Due Date field, type or select the due date for the aggregation run.
8. In the End Date field, type or select the end date for the aggregation run.
9. In the Organization based hierarchy field, choose the organization hierarchy using the drop-down list.
10. In the Risk Category based hierarchy field, choose the risk category using the drop-down list.
11. In the Execution Mode field, select either the Manual or Automatic radio button.
12. To save the aggregation run, choose the Save pushbutton.
13. To publish the results, choose the Publish Results pushbutton.
14. To publish the results and close the run, choose the Publish Results and Close Run pushbutton.
15. To perform ad-hoc calculations, choose the Ad-hoc Aggregation Calculation pushbutton, and select the
appropriate organization hierarchy or risk category hierarchy using the drop-down menu.

Creating an RCSA Aggregation Run by Copying an Existing Run

1. Select an aggregation run in the table, and choose the Copy pushbutton.
The Copy Aggregation Run screen appears.
2. In the Name field, modify the name of the aggregation run.
3. Review the current settings and modify, as required.
4. Choose the Save pushbutton.

More Information

Searching RCSA Aggregation Runs [page 511]

Modifying RCSA Aggregation Runs [page 513]

Deleting RCSA Aggregation Runs [page 514]

7.4.6.3.3 Modifying RCSA Aggregation Runs

Context

You can modify specific RCSA aggregation runs using the RCSA Aggregation Run Management screen.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Run.

The RCSA Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the name of the aggregation run you want to modify.

The Edit Aggregation Run screen appears allowing you to modify the settings.
3. Modify the aggregation run settings, as required.
4. Choose the Save pushbutton.

Next Steps

Searching RCSA Aggregation Runs [page 511]

Creating RCSA Aggregation Runs [page 512]

Deleting RCSA Aggregation Runs [page 514]

7.4.6.3.4 Deleting RCSA Aggregation Runs

Context

You can delete existing RCSA aggregation runs using the RCSA Aggregation Run Management screen.

Procedure

1. Choose Assessments > Risk Control Self-Assessments > RCSA Aggregation Run.

The RCSA Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Select one or more aggregation runs that you need to delete.
3. Choose the Delete pushbutton.

A confirmation dialog appears.


4. Choose Yes to delete the selected aggregation runs; choose No to dismiss the dialog without deleting the
selected aggregation runs.

Next Steps

Searching RCSA Aggregation Runs [page 511]

Creating RCSA Aggregation Runs [page 512]

Modifying RCSA Aggregation Runs [page 513]

7.4.7 Reports (Assessments)

Assessment reports pertain to all design assessments and tests of effectiveness. Which reports are available
varies by person, based upon the role assigned.

 Note

The Case Selection field is used in several Assessment Reports. Use this field to see evaluation cases of:

● All in reporting timeframe: The report shows all evaluation cases per evaluation type that occurred in
the reporting timeframe.
● One per evaluation timeframe: The report only shows one evaluation case per evaluation type for each
evaluation timeframe, according to the setting in Include Assessment.
● One per reporting timeframe: The report only shows one evaluation case per evaluation type for the
reporting timeframe, according to the setting in Include Assessment.

 Example

If there are three control effectiveness tests:

Case 1: planned for timeframe January 2012, performed on 2012.1.10

Case 2: planned for timeframe January 2012, performed on 2012.1.20

Case 3: planned for timeframe Year 2012, performed on 2012.1.30

Include Assessments is set to Most Recent Assessments/Tests in Timeframe. If you run the report in timeframe
Year 2012, the result depends on the selection in Case Selection:

● If All in reporting timeframe, all three cases are shown.
● If One per evaluation timeframe, case 2 and case 3 are shown, because they are planned for different
evaluation timeframes.
● If One per reporting timeframe, case 1 is shown, because it is the most recent in the reporting
timeframe.

The following are assessment reports:

● Evaluation Results by Organization: This report provides a hierarchical view into the evaluation results of
different types of organizations. You can review this report to understand the evaluation status of controls
and subprocesses for each evaluation type. You can focus on failed controls and processes and drill down to
see if further remediation actions must be taken.
● Evaluation Management: This report provides a list of organizations that have not yet performed certain
evaluations in a specific timeframe. You can review this report to understand the evaluation coverage gaps
to see if further assessments or tests must be planned.
● Indirect Entity-Level Control (iELC) Evaluations: This report provides indirect entity-level control
evaluation results by iELCs by organization. You can review this report to understand the evaluation status
of iELCs for each evaluation type. You can focus on failed iELCs and drill down to see if further
remediation actions must be taken.
● Indirect Entity-Level Control (iELC) Evaluations by Organization: This report provides a hierarchical view
of indirect entity-level control evaluation results by organization. You can review this report to
understand the evaluation status of iELCs for each evaluation type. You can focus on failed iELCs and drill
down to see if further remediation actions must be taken.
● Subprocess Design Assessment: This report provides visibility into subprocess design assessment by
organization and process. For each subprocess, it shows the results of the performed subprocess design
assessment. You can review this report and focus on failed subprocesses and drill down to see if further
remediation actions must be taken.
● Control Ratings: This report provides visibility into the control evaluation results of different
evaluation types by organization and process. You can review this report to understand the evaluation
status of controls for each control evaluation type. You can focus on failed controls and drill down to see
if further remediation actions must be taken.
● Control Test History with Ratings: This report provides visibility into control testing results by controls
by organization and process for multiple periods (if available). You can review this report to understand
the testing status of controls. You can focus on controls that failed the effectiveness test and drill down
to see if further remediation actions must be taken.
● Test Step Status: This report provides visibility into the test step details of control testing results for
each organization and process. For each effectiveness test, it shows results for each test step. You can
review this report to understand what step failures contribute to the overall test deficiency.
● Risk Coverage with Evaluations: This report focuses on evaluation results with risk coverage by controls by
organization and process. You can review this report to understand, for each risk, whether or not the
control assigned for mitigation is designed and executed correctly. This could help see if another control
is needed or further remediation actions must be taken.
● Risk Coverage with Ratings by Organization: This report shows evaluation results with risk coverage in a
hierarchical layout. You can review this report to understand, for each risk, whether or not the control
assigned for mitigation is designed and executed correctly. This could help determine if another control is
needed or further remediation actions must be taken.
● Assessment Survey Results: This report provides visibility into assessment results of each evaluation type
by control for each organization and process. For each control or subprocess, it shows the evaluation
results of the performed subprocess design, control design, and self-assessment. You can review this report
and focus on failed subprocesses and controls. You can drill down to see if further remediation actions
must be taken.
● Issue Status: This report provides visibility into issue statuses of each evaluation type. You can review
this report to find out whether there are open issues under specific organizations, processes,
subprocesses, or controls and drill down to open the issue details.
● CAPA Status: This report provides visibility into CAPA plan statuses of each evaluation type, if applicable.
You can review this report to check whether all addressed CAPA plans are processed in a timely fashion. You
can also drill down to see the CAPA plan details.
Recommendation: For more information, see .
● Remediation Status: This report shows the status of the remediation plan for each evaluation type. You can
review this report to see whether all addressed remediation plans are processed in a timely fashion and
drill down to see remediation plan details.
● Test Status by Organization: This report provides a hierarchical view into high-level statistics on
evaluation status by organization. For each organization, it shows the total number of key controls as well
as the evaluation pass rate of each evaluation type. You can review this report to compare internal control
compliance status among different organizations.
● Test Status by Process: This report provides a hierarchical view into high-level statistics on evaluation
status by process. For each organization and process, it shows the total number of key controls as well as
the evaluation pass rate on each evaluation type. You can review this report to compare the internal
control compliance status among different processes.
● Scoping Coverage: This report provides a hierarchical view into the result of consolidated materiality
analysis by accounts group. For each central accounts group, it shows the consolidated accounts group
significance decisions together with account groups balance and materiality threshold. Additionally, this
report shows the overall scoping coverage status, in terms of scope control numbers and risk coverage. You
can review this report to see if more account groups must be added to the scope.
● Organization-Level Materiality Analysis Results: This report provides a hierarchical view into the result of
organization-level materiality analysis by organization and accounts group. For each local accounts group,
it shows the organization-level accounts group significance decisions together with the accounts group
balance and materiality threshold. You can review this report to see if further accounts group, process,
and controls must be added to the scope.
● Testing Strategy by Control: This report provides visibility into the control risk assessment results by
control by organization and process. For each control, it shows the value of control risk rating from
assessment as well as the level of evidence calculation result. A user could review this report to
understand the testing strategy suggestions for each control following the risk-based compliance approach.
● Risk Assessment Results: This report provides visibility into the risk assessment results by risk by
organization and process. For each risk, it shows the assessed value of probability, impact level, and
overall risk level. You can review this report and use its output as evidence for risk-based compliance.
● Organizational Sign-off Status: This report provides visibility into the status of sign-off by
organization. You can review this report to find out whether business owners have performed the sign-off
for their areas of responsibility. You can drill down for the detailed sign-off results.
● Aggregation of Deficiency (AOD) Status: This report provides visibility into the status of aggregation of
deficiency by organization. You can review this report to find out whether business owners have performed
aggregation of deficiency for their areas of responsibility and drill down to check the detailed AOD
results.
● Policy Profile: This report provides an overall summary of the policy, its current status and where it is
currently in the workflow.
● Policy Distribution Survey Results: This report provides visibility into the results of policy distribution
at question and answer level. You can review this report for audit trail purposes or you can perform
analytics on the feedback from specific survey questions.
● Policy and Issue Status: This report provides an overall summary of all issues (both evaluation and ad hoc)
related to a specific policy. You can review this report to help evaluate the effectiveness of a policy
based on the evaluation issues of controls in the policy scope or on the ad hoc issues of the policy.
● Ad Hoc Issue Report: This report provides an overall summary of the ad hoc issues.

7.5 Access Management

Use

The Access Management work center provides a central location to maintain role assignments that control user
access to application data and functions.

The Access Management work center contains the GRC Role Assignments [page 521] section.

 Note

The Access Management work center is shared by the Access Control, Process Control, and Risk
Management products in the GRC Application. The menu groups and quick links available on the screen are
determined by the applications you have licensed. The content in this topic covers the functions specific to
Risk Management. If you have licensed additional products, such as Access Control or Process Control,
refer to the relevant topics below for the application-specific functions.

More Information

For more information, see the topic Access Management Work Center in the documentation for SAP Access
Control.

– Process Control specific topics

7.5.1 GRC Role Assignments

Use

In the GRC Role Assignments section of the Access Management work center, you can maintain the role
assignments that control user access to application data and functions.

The GRC Role Assignments section contains the following quick links:

● Organizations [page 343]
● Risk, Opportunities, and Activities [page 523]
● Replacements [page 524]
● Central Delegation [page 526]

 Note

The GRC Role Assignments section of the Access Management work center is shared by the Access Control,
Process Control, and Risk Management products in the GRC Application. The quick links available on the
screen are determined by the applications you have licensed. The content in this topic covers the functions
specific to Risk Management. If you have licensed additional products, such as Access Control or Process
Control, refer to the relevant topics below for the application-specific functions.

More Information

– Process Control specific topic

7.5.1.1 Assigning Corporate and Organization Roles

Context

You can use this function to assign users to roles for corporate and organization objects. You typically perform
this task during initial setup, when organizations or roles (corporate or organization) are added, or when
multiple users are assigned to roles.

To assign users to roles at the corporate and organization levels, perform the steps in the following categories:

1. Select a timeframe
2. Select organizations
Choose the corporate and organization-level roles that you want to assign.
3. Assign roles
Choose the users that you want to assign to the roles.
4. Review selection
Review the users assigned to selected roles.
5. Confirm selection
Confirm the role assignments.

Procedure

1. Navigate to Access Management > Organizations. The Assign Corporate and Organization Roles screen
appears.
2. The guided activity screen appears. Perform the following steps:
○ Step 1 – Select a timeframe
○ Step 2 – Select Organizations
1. Enter search criteria in the Find field to filter valid organizations based on your parameters. Otherwise,
leave the field blank to show all valid organizations based on the timeframe displayed, and choose Go.
2. Select the organizations and use the arrow buttons to move them from the Available to the Selected
pane. If no organizations are selected, all organizations are considered.

 Recommendation

To select multiple fields, press the CTRL key. To select consecutive fields, press the SHIFT key.

3. Select Next. The Assignments table displays the selected organizations and the respective corporate
and organization-level roles.

○ Step 3 – Assign Roles
1. Select a cell beneath a role to assign a user to the role. You can either enter the user’s name in the cell
or select the value help button to search for user names. Disabled cells indicate that an assignment
exists. For information about changing existing assignments, see Replacements [page 524].

 Note

Some roles allow multiple users to be assigned. If a role allows multiple assignments, it always
presents an editable cell for additional assignments, whether or not an assignment already exists.

2. To copy the same users to multiple roles, select the entire row you want to copy.
3. Select Copy Action and choose either:
○ Copy to ALL – to copy the user to all editable fields (whether empty or not), or
○ Copy to Empty – to copy the user to only empty editable fields.
4. The Copy Assignment screen appears. Select All roles or Only selected roles for roles to which you want
the users copied. Select OK. The Assignments table populates based on your selection.

 Example

The copy action is based upon assignments made in the selected row. For example, a row might
contain the process-level role assignments for Process Owner as Denise Smith and Tester as Oleg
Kopp. Choosing Copy to Empty and then All Roles copies Denise Smith to all empty Process Owner
cells and Oleg Kopp to all empty Tester cells. However, choosing Only selected roles and choosing
Tester copies just Oleg Kopp to all empty Tester cells.

5. Select Next. The Proposed Changes screen displays the assignments to be made.
3. Step 4 - Review

Review your selections in the Proposed Changes results table. Select Previous to go back and make any
changes, if desired. Otherwise, choose Next (the Confirmation screen appears) or select Finish.
4. Step 5 - Confirm

Confirm your selection and select Finish. Your assignments have been made, and any changes require a
replacement or removal.

Next Steps


● SAP Access Control 10.1 / Process Control 10.1 / Risk Management 10.1 Security Guide at
http://help.sap.com/grc

7.5.1.2 Assigning Roles to Risks and Activities

Use

To use the Risk Management and workflow applications, you need to assign user roles to the various risks and
activities defined for your organization.

Prerequisites

You have defined roles in the back-end system using transaction PFCG. For more information, see Standard
Roles and Authorization Objects [page 30].

 Note

Overview information on Risk Management roles is provided in Risk Management Application Roles [page
31].

Procedure

From the Access Management work center, choose GRC Role Assignments > Risks, Opportunities and
Activities.

In the guided procedure that displays next, proceed as follows:

1. First select the evaluation timeframe from the dropdown options and then choose the Apply pushbutton.
2. In Step 1, you select the activities, risks and/or opportunities to which you want to assign user roles. In the
Filters section, you can specify in greater detail the set of objects to be filtered for role assignment:
○ Organization
○ Activity category
○ Risk/opportunity category
○ Role
3. By choosing Next, you access Step 2 of the procedure, which is to assign users to roles for the objects
selected in Step 1. Some of these fields may be user-defined from Customizing, or they may be master
data objects in Risk Management. You can display all the roles, or only the roles not yet assigned to an
object.

 Note

In the list that appears, you can see white fields ready for input, and read-only blue fields that are
already filled with role data.

The pushbuttons mean the following:
○ Copy to Empty — If you choose this pushbutton, the role you select is assigned only to the empty lines.
○ Copy to All — If you choose this pushbutton, the role you select is assigned to all lines.
4. Choose Next to review the proposed changes to user roles in Step 3, Review. Here you confirm the
selection of user assignments to roles and save your data by choosing Finish.
5. Choose Next to receive a confirmation message that the data has been saved in the final step,
Confirmation.

7.5.1.3 Replacements

Use

The Replacement function allows you to remove a user from a role or to replace a user in a role. You use this
function when employee status changes due to job transfers, new hires, or terminations. This changes the role
assignments and transfers the open workflow from the user being replaced to his or her replacement.

Features

1. Navigate to Access Management > GRC Role Assignments > Replacements. The Replacements and
Removals screen appears.
2. When you select a user in the upper pane, the lower pane shows role replacements or removals for the
highlighted user. This listing is display-only.

 Note

In the lower pane, Level represents the authorization level of the role and Object pertains to the object
(such as process, subprocess, control) to which the role has access.

3. Select the desired year and period in the timeframe fields, and choose Go. The earliest possible date for a
replacement is tomorrow (that is, system date plus one day).
4. To replace or remove a user from a role, select Replace or Remove. The Role Replacement and Removal
screen displays a guided activity.
5. Select user
○ In the Find field, enter the name or user ID of the user you want to replace or remove. Choose Go. Wild
cards (*) are not supported on this screen.
○ Select the row of the user to be replaced or removed and select Next. The Assignments table displays
the current role assignments for the user selected.
6. Define Replacement
○ To replace a user in a role, select the Replacement field of the role for which you want to enter a
replacement.
○ Enter the user name or select the value help to search by user or user ID. Provide a partial user name
or user, using wild cards (*) as needed. Select the row containing the desired replacement and choose
OK.
○ In the Effective Date field, enter the date that you want the replacement to take effect. Optionally, leave
the field blank to default to the earliest possible date, usually the following day.
○ Continue selecting roles and making replacements until all desired roles have replacements.
○ To copy a user name and effective date to multiple roles (rows), select the source row for the copy and
choose Copy Action. If you have not selected a row, Copy Action is disabled.
○ Choose any of the following options from the Copy Action dropdown:
○ Copy to ALL – to copy to all Replacement and Effective Date fields (whether target cells are empty
or not). If the fields are not empty, the fields are overwritten with the new user and effective date.
○ Copy to Empty – to copy to only empty Replacement and Effective Date fields. If these fields are
populated with a different user/date, the fields retain the user/date content and are not replaced.
○ To remove a user from a role without replacing him or her, select the user name and select Remove.
This is useful when a role allows multiple users to be assigned.

 Note

If your removal causes a role assignment to become empty, the system displays a warning.

○ Select Next. The Proposed Changes screen displays the changes to be made.
7. Review your selections in the Proposed Changes results table. Select Previous to go back and make
changes. Otherwise, choose Next or select Finish. The Confirmation screen appears.
8. Confirm your selection and choose Finish. Your replacements and removals are effective on the date you
provided. For replacements, the system reroutes open workflow tasks to the replacements on that date.

7.5.1.4 Central Delegation

Use

You authorize users to perform tasks and exercise access rights on behalf of other users. The system
administrator must grant you authorization to perform central delegation.

● You can authorize a user (the delegate) to perform the tasks and to exercise the access rights of another
user (the delegator).
● You delegate access rights by creating a new delegation in which you designate one user as the delegator
and another as the delegate. The delegator’s access rights and tasks become accessible to the delegate for
the validity period that you specify.

 Recommendation

Companies limit access to Central Delegation because it authorizes users to access all delegations and to
delegate on another user’s behalf.

 Caution

Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business
users. If a power user needs to delegate his or her authorization to others, he or she must ask the IT
department to assign the PFCG role SAP_GRC_FN_ALL to that user. This delegation is not entity-dependent.
For more information, see and
https://help.sap.com/viewer/f77342ea45c24d3f81032575e6f50d8b/10.1.19/en-US/98d94d2a26904cb8b42f0120c33183da.html.

Prerequisites

You have authorization for central delegation. For more information, see the SAP Process Control 12.0 Security
Guide at https://help.sap.com/pc.

Procedure

To delegate the access rights of one user to another, follow the steps below.

To create a new delegation

1. In the Access Management work center, choose GRC Role Assignments > Central Delegation.
The Central Delegation screen displays all existing delegations. From here, you can create a new delegation,
open and edit an existing delegation, or delete a delegation.
2. To create a new delegation, choose Create.
The Central Delegation screen displays.
3. Enter the information as follows:
1. In the Delegator User field, select the value help to display the User List dialog box.
2. Enter, or search for, the user name. Select a user name and choose OK.
The Delegator and User ID fields are automatically filled when you select a user.

 Note

You can use wildcards (*) in a search.

3. In the Delegate User field, select the delegate in the same manner as you selected a delegator.
The system fills in the Full Name field when you select a user.
4. In the Delegation Period field, adjust the defaults as needed.
○ The Start Date defaults to the date the delegation is created.
Enter the date you want the delegation to begin.
○ The End Date defaults to unlimited (December 31, 9999).
Enter the date you want the delegation to end. If you accept the default of an unlimited End Date,
you can change the date later, or delete the delegation when it is no longer needed.

To edit an existing delegation

1. To edit an existing delegation, choose a delegation assignment and then Open.
The Central Delegation screen appears. You can change only the End Date.
2. Choose Save to save your changes.

To delete an existing delegation

1. Choose the delegation assignment and then Delete.
You are prompted to confirm the deletion. Please note you can only delete a delegation that hasn't started
yet.
2. Choose Yes.

To terminate an ongoing delegation

To terminate an ongoing delegation, proceed as follows:

1. Execute the transaction SE38 and launch GRPC_USER_DELEGATION_DEL.
2. Find the delegation you want to terminate by the delegate's user ID and enter the date of termination.
3. By selecting Mass Delimit, you can terminate all delegations of the delegate at once.
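
The delegation rules in this topic (deletion only before the start date, termination of ongoing delegations through GRPC_USER_DELEGATION_DEL, and the unlimited default End Date of December 31, 9999) lend themselves to a periodic review of the delegation list. The following Python sketch is an added example, not SAP code: the record layout, the user IDs, the list of inactive users and the 90-day threshold are assumptions, and the sample delegations are constructed.

```python
from dataclasses import dataclass
from datetime import date

UNLIMITED_END = date(9999, 12, 31)  # default End Date of a delegation, per this topic
MAX_DAYS = 90                       # assumed review threshold, not an SAP setting


@dataclass(frozen=True)
class Delegation:
    delegator: str   # user whose tasks and access rights are handed over
    delegate: str    # user who receives them for the validity period
    start: date
    end: date


def lifecycle_state(d, today):
    """Classify a delegation relative to 'today'."""
    if d.start > d.end:
        return "invalid"
    if today < d.start:
        return "not_started"
    if today > d.end:
        return "expired"
    return "ongoing"


# How each state can be ended, following the procedures in this topic.
ACTIONS = {
    "not_started": "delete on the Central Delegation screen",
    "ongoing": "terminate with report GRPC_USER_DELEGATION_DEL",
    "expired": "none (validity period is over)",
    "invalid": "correct the dates",
}


def allowed_action(state):
    return ACTIONS[state]


def review(delegations, today, inactive_users=frozenset()):
    """Return sorted (delegate, delegator, finding) tuples worth a reviewer's attention."""
    findings = []
    ongoing_by_delegate = {}
    for d in delegations:
        state = lifecycle_state(d, today)
        if state == "invalid":
            findings.append((d.delegate, d.delegator, "end date before start date"))
            continue
        if state == "expired":
            continue
        if d.end == UNLIMITED_END:
            findings.append((d.delegate, d.delegator, "unlimited end date"))
        elif (d.end - d.start).days > MAX_DAYS:
            findings.append((d.delegate, d.delegator,
                             f"validity longer than {MAX_DAYS} days"))
        if d.delegator in inactive_users or d.delegate in inactive_users:
            findings.append((d.delegate, d.delegator, "inactive user in delegation"))
        if state == "ongoing":
            ongoing_by_delegate.setdefault(d.delegate, set()).add(d.delegator)
    # A delegate with several ongoing delegations holds all of those rights at once.
    for delegate, delegators in ongoing_by_delegate.items():
        if len(delegators) > 1:
            findings.append((delegate, ",".join(sorted(delegators)),
                             "holds rights of several delegators at once"))
    return sorted(findings)


# Constructed sample data (hypothetical user IDs and dates).
TODAY = date(2019, 9, 5)
SAMPLE = [
    Delegation("MGR_A", "USR_X", date(2019, 8, 1), UNLIMITED_END),
    Delegation("MGR_B", "USR_X", date(2019, 9, 1), date(2019, 9, 30)),
    Delegation("MGR_C", "USR_Y", date(2019, 10, 1), date(2020, 3, 31)),
    Delegation("MGR_D", "USR_Z", date(2019, 1, 1), date(2019, 6, 30)),
    Delegation("MGR_E", "USR_W", date(2019, 9, 1), date(2019, 9, 15)),
]

if __name__ == "__main__":
    for d in SAMPLE:
        state = lifecycle_state(d, TODAY)
        print(f"{d.delegator} -> {d.delegate}: {state}; {allowed_action(state)}")
    for finding in review(SAMPLE, TODAY, inactive_users={"MGR_E"}):
        print("REVIEW:", finding)
```
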

7.6 Reports and Analytics

Use

The Reports and Analytics work center provides a central location to display reports and dashboards related to
Risk Management, such as alerts, user analysis, and audit reports, among other information.

The Reports and Analytics work center contains the following sections:

● Management [page 528]
● Compliance [page 533]
● Access Management [page 534]
● Incidents and Losses [page 535]
● Risks and Opportunities [page 535]
● Print Reports [page 538]

 Note

The Reports and Analytics work center is shared by the Access Control, Process Control, and Risk
Management products in the GRC Application. The menu groups and quick links available on the screen are
determined by the applications you have licensed. The content in this topic covers the functions specific to
Risk Management. If you have licensed additional products, such as Access Control or Process Control,
refer to the relevant topics below for the application-specific functions.

More Information

– Process Control-specific topics

For more information, see the Reports and Analytics topic in the documentation for SAP Access Control.

7.6.1 Management

Definition

The Management section of the Reports and Analytics work center contains the heatmap and dashboards for
use by corporate-level management:

● Heatmap: The heatmap provides graphical overview data on the risks defined for your organization. For
more information, see Using the Heatmap [page 530].
● Overview: This dashboard provides an overview of all risks defined for an organization. For more
information, see Using the Overview Dashboard [page 531].
● Top Risks: This report provides information for a user-defined number of the organization's most important
risks.

More Information

● Dashboards (Heatmap, Overview, Top Risks, and Other) [page 529]
● Working with the Loss Dashboards [page 532]
● Risks and Opportunities Reports [page 535]

SAP Risk Management 12.0 SP03


528 PUBLIC Work Centers
7.6.1.1 Dashboards (Heatmap, Overview, Top Risks, and
Other)

Use

Risk Management provides visual displays of risk analysis data for your organization in the form of dashboards
and a heatmap. These are found in the Reports and Analytics work center.

Features

Although a dashboard and a heatmap provide users with graphical information, they are different in their
structure and content:

● A dashboard provides a graphic display of the most important information needed to accomplish one or
more objectives. These are consolidated and arranged on a single screen, so the information can be
monitored at a glance.
Dashboards enable a company to evaluate risk data on an aggregated basis, in this way fulfilling the risk
reporting needs of senior managers and line managers. Some of the features are:
○ A matrix of the possible risk levels involved
○ Navigation between the different sections of the dashboard
○ Drilldown to perform data analysis
○ Scoring functionality for risk analysis
● A heatmap is a graphical representation of data for which the values used by the variables are represented
as colors in a two-dimensional map.

Dashboards in the Management Section

The following are dashboards in the Management section of the Reports and Analytics work center:

● Heatmap: For more information, see Using the Heatmap [page 530].
● Overview dashboard: Contains an overview of all risk data across an organization's risk structures and
dependencies. For more information, see Using the Overview Dashboard [page 531].
● Top Risks dashboard: Displays information about the top risks, defined per activity, for an organization. You
can specify the number of risks that you consider to be top risks.

Dashboards in Other Sections

● The Overall Compliance Status Dashboard in the Compliance section allows you to view the status of the
following compliance metrics:
○ Risk control coverage
○ Control assessment/evaluation
○ Issue and remediation
○ Organization certification
● For information about dashboards in the Incidents and Losses section, see Working with the Loss
Dashboards [page 532].

7.6.1.1.1 Using the Heatmap

Use

A heatmap is a type of dashboard that uses colors in a two-dimensional map to graphically represent data
values for variables.

Prerequisites

To use the heatmap, you must maintain the following Customizing activities:

● Maintain Impact Levels (X-axis values), under Risk Management > Master Data Setup.

The following Customizing activities are found under Risk Management > Risk and Opportunity Analysis:

● Maintain Probability Levels (Y-axis values)
● Maintain Risk and Opportunity Levels (user-defined heatmap colors)
● Maintain Risk and Opportunity Level Matrix (risk and opportunity levels)

Procedure

To access the heatmap, go to Reports and Analytics. In the Management section of this screen, choose the
Heatmap link.

To work with heatmaps, proceed as follows:

1. Choose the Heatmap link. A heatmap window opens, containing the risks for your organizational unit.
2. To display the heatmap for a different organizational unit, select the organization in the Org. Unit field.
3. To see further selection options, choose the Toggle Advanced Selection Options in double-angle brackets to
the right of this section. You can choose to display only certain activities or risk categories, or
you can filter by Aspect.

Note

If a risk contains underlying risks, that is, risks defined on lower levels of the organization, you can view
them by selecting the Deep checkbox (dropdown text: Include Subordinate Org. Units). A triangle will
then appear to the right of a risk that has underlying risks assigned to it. However, these underlying
risks are not considered during the calculation, which means that the bar chart does not include them
in the sums displayed.

4. When you put the cursor on a column, the quick info text displays the loss data in monetary terms. On the
right side, the color coding corresponds to the severity of the risks involved, as defined in Customizing.
5. The numbers in the boxes represent how many risk events correspond to this category. By clicking on a
number, you can see the corresponding risk events in the lower section; you can display the data for a risk
event by selecting the relevant line. You can also change the risk data in the window that opens.

More Information

Dashboards (Heatmap, Overview, Top Risks, and Other) [page 529]

7.6.1.1.2 Using the Overview Dashboard

Use

The Overview dashboard is the entry point for all dashboards. It provides general information on your
organization's risk structures and dependencies, filtered according to time frame and organizational unit. In
this way, you can display an aggregated overview of all risks and their dependent objects, as chosen using the
values in the top selection panel.

Procedure

To use the Overview dashboard:

1. In the selection panel, select the organizational unit, the time frame, and the year for which you want to
evaluate the risks. To the right of these selection fields, you can switch on the toggle for advanced selection
options. If you do this, a checkbox for including all subordinate organizational units becomes available for
input.
2. The lower sections now display the requested data. Note the following:
○ Clicking on the square box at the top right enlarges a section.
○ Passing the mouse over the risk exposure columns provides further data on the risk losses involved.
3. To access an individual risk, choose the risk link in the Risk Event column at the bottom. You cannot change
any risk data in the risk screen that appears.

Note

To change the currency displayed in the bottom section, choose the Personalize link at the top right of
the screen.

The Overview dashboard also contains the following elements:

● Selection Panel: The selection panel at the top enables you to select the organizational unit and the
timeframe/year to be evaluated in the dashboard.
● The following summarizes specific risk information about the selected values for risks:
○ Risk Level by Risk Category: This component displays the structure of the classification of risks. It also
displays the distribution of risk colors (red, yellow, green), showing the hierarchical dependencies of
underlying categories. You can select from inherent risks, planned residual risks, and residual risks.

Note

If you select the Drill Up pushbutton, the risks are summarized in one column.

○ Risk Exposure: The risk exposure component gives the user general information about the distribution
of total and expected losses.
○ Risks per Driver Category: Displays the number of risks for each driver category (there is a 1:n
relationship between risk and risk driver).
○ Risks per Impact Category: Displays the number of risks for each impact category.

Note

For both the risks per impact category and the risks per driver category, you can put the cursor on
a specific wedge to see the quick-info text with further information about these categories.

○ The lower section has the same layout as the risk heatmap [page 530], containing risk events that you
can select, together with the activity, risk category, and different risk levels and loss data.

7.6.1.1.3 Working with the Loss Dashboards

Use

For graphically depicting losses, Risk Management has the following two dashboards:

● Loss Overview: This dashboard displays an overview of all losses in the organization for a particular period.
It also shows the loss distribution per quarter and the losses structured according to risk category.
● Loss Structure: This dashboard displays the structure of losses across various organizational units.

Prerequisites

Loss data must exist.

Procedure

1. Access the dashboards under Reports and Analytics > Incidents and Losses.

Note

If you are using a dashboard for the first time, you are prompted to select a currency to be used with
this dashboard, which is saved in your user personalization data.

2. If necessary, you can change the currency displayed by choosing the Personalize link. If you want to
maximize the screen section, choose the Zoom-In button at the top right of each section. To work with the
dashboards, proceed as described in the following sections:

Loss Overview Dashboard

1. Specify the time frame for the evaluation and choose the Refresh pushbutton.

2. The Loss History upper screen section displays the loss in bar chart form. When you pass the cursor over
the graph, the loss amount is displayed.
3. In the lower section, you can see the loss distribution per calendar quarter and by risk category.

Loss Structure Dashboard

1. Specify the time frame for the evaluation and choose the Refresh pushbutton.
2. The columns in the Loss Structure section mean the following:

| Column | Meaning |
| --- | --- |
| Organizational Unit | The organizational unit or part of the organization for which you are displaying the losses. |
| Number of Losses | The number of losses found in the specified time frame. |
| Total Amount | The total financial amount of the loss, expressed in the specified currency. |
| Currency | The currency used. By choosing the Personalize pushbutton at the top right of the screen, you can change the currency. |
| Percentage | For this loss, the percentage with respect to all losses in the organization (all losses total 100%). |

Note

By clicking on the triangle to the right of a column header, you can reverse the order of display of the
items in the list.

3. To the right, you can see the losses per organizational unit in pie-chart form.
4. If you choose a line in the upper section, the graphical displays on the right and in the lower section
change. The axes in the lower chart are:
○ X-axis: Loss amount in currency used
○ Y-axis: Number of losses

7.6.2 Compliance

The following reports are contained in the Reports and Analytics work center in the Compliance section.

| Report | Description |
| --- | --- |
| Evaluation Status Dashboard | Shows a high-level picture of the overall status of corporate compliance throughout different business entities and provides analytics and drilldown capabilities to view data on different levels and dimensions. |
| Overall Compliance Status Dashboard | Shows a high-level picture of the overall status of corporate compliance throughout different business entities and provides analytics and drilldown capabilities to view data on different levels and dimensions. |
| Survey Results | Displays the results of surveys. |
| Datasheet | Provides comprehensive information on master data, evaluation, and remediation activities for subprocesses and controls. |

Recommendation
For more information, see .

7.6.3 Access Management Reports Overview

The Access Management section of the Reports and Analytics work center provides reports for managing user
access. Some of the reports provided are:

| Report Name | Description |
| --- | --- |
| Access Analytics | Displays all access management data. |
| Change Log Report | Displays all configuration changes that a system administrator makes in super user privilege management for SOX compliance. |
| User Authorization Analysis | Displays information on the authorizations that a specific user has. |
| Entity Authorization Analysis | Displays information on the authorizations granted for a particular entity. |
| Role Authorization Analysis | Displays information on the authorizations assigned to a particular role. |
| Object Authorization Analysis | Displays information on the authorizations granted for a particular object. |

7.6.4 Incidents and Losses

The following reports and dashboards are accessed via the Incidents and Losses section in the Reporting and
Analytics work center.

| Report/Dashboard Section & Name | Description |
| --- | --- |
| Incidents on Risks | Displays information on the incidents and their losses that have occurred in your organization, per risk category. |
| Incidents on Organizational Units | Displays a list of incidents per organizational unit. |
| Loss Matrix Analysis | Enables you to select whether impact or risk categories are to be used for the loss matrix, and analyzes the losses for specific organizations and impact/risk categories for a specific time period. For more information, see the corresponding Customizing activity and documentation on Web Dynpro ABAP for standard colors for table cells, WDUI_TABLE_CELL_DESIGN. |
| Loss Overview (dashboard) | Provides an overview of losses in graphic form, including the financial loss amount, the loss distribution per period, and the loss by risk category. |
| Loss Structure (dashboard) | Provides an overview in graphic form of all losses per organizational unit, including loss amount and the number of losses. |

7.6.5 Risks and Opportunities Reports

Use

In the Risks and Opportunities section of the Reports and Analytics work center, there is a series of predefined
reports for risks, activities, and incidents, as well as for printing report data in PDF format. Each report allows
for the input of specific selection criteria. You can further summarize the report contents for more detailed
analysis.

Features

All reports are delivered with a standard report layout. However, each report allows you to define and save
multiple user-specific settings, providing different views of the data. You can modify reports by adding and
removing columns, perform sorting, and export the structure to an Excel spreadsheet for regrouping and
displaying of hierarchies.

The following two tables describe Risk Management reports in the various areas of the application. The first
table is specific to Risks and Opportunities; the second table describes the reports in the other sections of the
Reports and Analytics work center.

Risks and Opportunities

| Report Name | Description |
| --- | --- |
| Risk Catalog | Displays information on risks for a selected risk category. |
| Risks per Activity Category | Displays information on risks for a selected activity category. |
| Risks per Objective | Displays information on risks based on the objectives and objective strategies defined for an organization. |
| Risks per Organizational Unit | Displays information on all risks specified for an organization. Note: The risk aspect enables you to see how an impact level would be rated if the risk were seen from the perspective (aspect) of a different organizational unit. |
| Risk Impact Details | Displays detailed information per impact category for selected risks. |
| Risk Mitigation Details | Displays information about the mitigation/response measures taken for risks. |
| Risk Summary | Displays all risk information in summarized form per defined period. |
| Opportunities per Opportunity Category | Displays information about all opportunities for an opportunity category. |
| Opportunity Benefit | Displays information on the benefits of individual opportunities. |
| Opportunities and Enhancement Plans | Displays all enhancement plans for an opportunity per organizational unit and/or activity. |
| Activity History | Displays information about the history and associated changes for an activity. It displays only those activities that contain risks. |
| Risk History | Displays information on your company's risk history and on the changes associated with specific risks, enabling you to view the changing assessments for a particular risk. |
| KRI for Risk | Displays information on all KRIs for an individual risk. |
| KRI History | Displays information on the history of individual KRIs. |
| Influence Factors | Displays information on given risks that influence other risks. |
| RCSA Aggregation Report | Displays aggregated RCSA scores by organizational unit and risk category hierarchies. |
| KRI Aggregation Report | Displays aggregated KRI scores by organizational unit and risk category hierarchies. |

| Report Section & Name | Description |
| --- | --- |
| Management | |
| Heatmap | Displays the graphical heatmap with assigned risk events, which can be changed. |
| Overview | Provides a graphical and color-coded overview of all risk information, together with a graphical display of a what-if analysis for the top risks. A separate print function is available with a graphical output function. |
| Top Risks | Displays information on the top risks, defined per activity, for an organization. You can specify the number of risks that you consider to be the top risks. |
| Compliance | |
| Overall Compliance Status Dashboard | |
| Risk-Based Compliance Management | Contains PC-specific compliance contents for various compliance frameworks, such as Sarbanes-Oxley. |
| Survey Results | Displays the results of surveys that have been carried out. Note: The risk aspect function enables you to see how a survey would be rated if the risk were seen from the perspective (aspect) of a different organizational unit. |
| Datasheet | |
| ZCustomizing Datasheet | |
| Incidents and Losses | The following reports are displayed in the Incidents and Losses section |
| Incidents on Risks | Displays information on the incidents and their losses that have occurred in your organization, per risk category. |
| Incidents on Organizational Units | Displays a list of incidents per organizational unit. |
| Loss Matrix Analysis | Enables you to select whether impact or risk categories are to be used for the loss matrix and analyzes the losses for specific organizations and impact/risk categories for a specific time period. For more information, see the corresponding Customizing activity and the documentation on Web Dynpro ABAP on standard colors for table cells, WDUI_TABLE_CELL_DESIGN. |
| Loss Overview | Loss Overview: Provides an overview of losses in graphic form, including the financial loss amount, the loss distribution per period, and the loss by risk category. |
| Loss Structure | Loss Structure: Provides an overview in graphic form of all losses per organizational unit, including loss amount and the number of losses. |
| Print Reports | |
| Print Reports | Enables you to create printable PDF fact sheets for risks, activities, and opportunities. |
| Miscellaneous | |
| Risks Associated with Policies | Displays all risks for a period per policy category and type. Note: This report is located in the Master Data work center. |

Activities

To access and execute the reports, choose Risk Management > Reporting and Analytics. Note that all
reports can be generated immediately, or run in the background (recommended for large amounts of data) by
choosing the Schedule pushbutton.

More Information

For more information about Risk Management dashboards, see Dashboards (Heatmap, Overview, Top Risks,
and Other) [page 529].

For more information about printing PDF fact sheets for reports, see Working with Print Reports [page 538].

7.6.6 Working with Print Reports

Use

The Print Reports application is used to print the following fact sheets:

● Activity Fact Sheet
● Risk Fact Sheet
● Opportunity Fact Sheet

Note

The Print Fact Sheet pushbutton in the risk and activity application screens prints only the current data for
the selected risk, activity, or opportunity. By using the Print Report function, however, you can select more
than one risk, activity, or opportunity with all or some sections for printing to PDF.

Procedure

To use this guided procedure:

1. Choose Reports and Analytics > Print Reports > Print Reports. A guided procedure appears.
2. In Step 1, Select Report, enter a user-defined name for the report and select the type of report you want to
print, together with the year and the period to be used for the selection.

Note

Choosing the Reset pushbutton resets the entries of the report name and type fields.

3. Choose Next to select the organizational (mandatory) and activity data (optional) to be used as selection
criteria.
4. Choose Next to access the Choose Report Details step. You now select the objects to be included in the fact
sheet report.
○ If you choose the Preview Report pushbutton, you can preview the report in PDF format.
○ If you want to save an online copy in the application, choose Save Report.
5. Choose Next to complete the report creation. You are prompted to either open or save the PDF file that was
generated. If you select Open, the PDF opens for display. You can print it directly, or save it to your hard
disk.
6. If you make changes, choose the Update Report pushbutton to update the report definition.
7. By selecting New Report, you return to Step 1 of the guided procedure, and can define a new print report.

Note

After you have created your print reports, they appear in the bottom section of the guided procedure
screen when you call it up again. You can directly access the PDF printing function by selecting the line of
the desired report.

8 Operational Risk Management for Banking

Use

Operational Risk Management for Banking allows SAP customers to manage and evaluate operational risks in
the banking and financial services sectors.

Note

For banks, operational risk management principally involves recording and analyzing loss events. The loss
event management functions available in Operational Risk Management for Banking are similar to the
incident management features in Risk Management, but offer more detailed recording and reporting
capabilities. Therefore, it is recommended that you use either loss event management or incident
management, but not both.

Features

The following functions are available to authorized users:

● You can manage loss events, including creating, modifying, and deleting events, as well as manage loss
event drivers and related risks, as required. For more information, see Loss Event Management [page
545].
● You can group multiple loss events together and manage the group as a single loss event for recording,
management, or modeling purposes. For more information, see Managing Grouped Loss Events [page
549].
● You can upload loss events, as required. You can also display the loss event history, as well as download
loss events and scenario losses. For more information, see Uploading Loss Events [page 558],
Downloading Loss Events [page 555], and Downloading Scenario Losses [page 557] respectively.
● You can reassign loss events between organization units (following an organizational restructure, for
example). For more information, see Reassigning Loss Events [page 559].
● You can map master and dependent organization views, allowing you to map your internal organizational
view to an external view compatible with either the Operational Riskdata eXchange Association (ORX) or
the Basel II accord. You can also map your internal risk category hierarchy to an external hierarchy
compatible with ORX. For more information, see Mapping Master and Dependent Organization Views [page
541] and Mapping Master and Dependent Risk Category Hierarchies [page 543] respectively.
● You can display a series of reports related to loss events, as well as perform loss event matrix analysis. For
more information, see Loss Event Reports [page 560] and Loss Event Matrix Analysis [page 561]
respectively.

More Information

● Loss Event Assessments [page 544]
● Loss Event Reports [page 560]

8.1 Master Data

The Master Data work center provides a central location to manage and view the organization structure,
regulation and policies, catalog of objectives, and catalog of risks and responses.

The Master Data work center for Operational Risk Management for Banking contains the following additional
quick links:

● Organizations
○ Mapping Master and Dependent Organization Views [page 541]
● Risks and Responses
○ Mapping Master and Dependent Risk Category Hierarchies [page 543]

Note

The Master Data work center is shared by the Access Control, Process Control, and Risk Management
products in the GRC application. The menu groups and quick links available on the screen are determined
by the applications you have licensed. The content in this topic covers the functions specific to Operational
Risk Management for Banking.

8.1.1 Mapping Master and Dependent Organization Views

Context

You can use the Master and Dependent Organization Views Mapping screen to map your internal organizational
view to an external view compatible with either the Operational Riskdata eXchange Association (ORX) or the
Basel II accord.

Note

In this procedure, the master and dependent views refer to the internal and external organizational views
respectively.

Procedure

1. Choose Master Data > Organizations > Master and Dependent Organization Views Mapping.

The Master and Dependent Organization Views Mapping screen appears.

2. In the Date field, select the appropriate date and choose the Apply pushbutton.
3. In the View field on the left, choose the view using the drop-down list.
4. In the View field on the right, choose the appropriate view using the drop-down list.

Choosing ORX or Basel II allows you to map your organizational view to an external view compatible with
the Operational Riskdata eXchange Association (ORX) or the Basel II accord respectively.

Note

You can specify the organization views that appear in this list using the Mapping Hierarchy in Risk
Management type in the Governance, Risk and Compliance > Shared Master Data Settings >
Maintain Organization Views customizing activity.

5. To display a summary of an organization unit or loss event, select the item in the Organizations hierarchy.

Information about the entry appears in the Details panel.


6. To display details about an organization unit or loss event, select the item in the Organizations hierarchy,
and choose the Open pushbutton.

The Organization Unit dialog appears showing details about the entry.
7. To map an organization unit or loss event from the master hierarchy to the dependent hierarchy, select the
entry in the master Organizations hierarchy on the left and drag and drop it to the correct location in the
dependent Organizations hierarchy on the right.

Alternatively, you can highlight the correct location in the dependent Organizations hierarchy on the right,
select the entry in the master Organizations hierarchy on the left, and choose the Add pushbutton.

The organization unit or loss event appears in the dependent Organizations hierarchy on the right.
8. To remove a mapping, select the entry in the dependent Organizations hierarchy on the right and choose
the Remove pushbutton.
9. Review your mappings in the Mappings Overview table at the bottom of the screen.

Optionally, select a mapping in the Mapping Overview table and choose the Open pushbutton to display
details about the mapping.
10. Choose the Save pushbutton to save the mappings.

Note

The mappings are not saved until you choose the Save pushbutton.

Next Steps

Mapping Master and Dependent Risk Category Hierarchies [page 543]

8.1.2 Mapping Master and Dependent Risk Category Hierarchies

Context

You can use the Master and Dependent Risk Category Hierarchies Mapping screen to map your internal risk
category hierarchy to an external hierarchy compatible with the Operational Riskdata eXchange Association
(ORX).

Note

In this procedure, the master and dependent risk categories refer to the internal and external risk
categories respectively.

Procedure

1. Choose Master Data > Risks and Responses > Master and Dependent Risk Category Hierarchies Mapping.

The Master and Dependent Risk Classification Hierarchies Mapping screen appears.
2. In the Date field, select the appropriate date and choose the Apply pushbutton.
3. In the View field on the left, choose a risk category using the drop-down list.
4. To display a summary of a risk category, select the item in the Classification hierarchy.

Information about the entry appears in the Details panel.


5. To display details about a risk category, select the item in the Classification hierarchy, and choose the Open
pushbutton.

The Risk Category dialog appears showing details about the entry.
6. To map a risk category from the master hierarchy to the dependent hierarchy, select the entry in the
master Classification hierarchy on the left and drag and drop it to the correct location in the dependent
Classification hierarchy on the right.

Alternatively, you can highlight the correct location in the dependent Classification hierarchy on the right,
select the entry in the master Classification hierarchy on the left, and choose the Add pushbutton.

The risk category appears in the dependent Classification hierarchy on the right.
7. To remove a mapping, select the entry in the dependent Classification hierarchy on the right and choose
the Remove pushbutton.
8. Review your mappings in the Mappings Overview table at the bottom of the screen.

Optionally, select a mapping in the Mapping Overview table and choose the Open pushbutton to display
details about the mapping.

9. Choose the Save pushbutton to save the mappings.

Note

The mappings are not saved until you choose the Save pushbutton.

Next Steps

Mapping Master and Dependent Organization Views [page 541]

8.2 Assessments

The Assessments work center provides a central location to view and manage surveys, test plans, and risks and
opportunities. You can also use the work center to maintain incidents and plan evaluations, as well as simulate
risks using scenarios.

The Assessments work center for Operational Risk Management for Banking contains the following additional
section and quick links:

● Loss Event Assessments [page 544]
○ Loss Event Management [page 545]
○ Uploading Loss Events [page 558]
○ Reassigning Loss Events [page 559]

Note

The Assessments work center is shared by the Access Control, Process Control, and Risk Management
products in the GRC application. The menu groups and quick links available on the screen are determined
by the applications you have licensed. The content in this topic covers the functions specific to Operational
Risk Management for Banking.

8.2.1 Loss Event Assessments

An operational risk loss event is an event that leads to a business process outcome that differs from the
expected outcome. This can result from inadequate or failed internal processes, people, and systems, or from
the occurrence of external events. Loss events include legal risks, but exclude strategic and reputation risks.

Loss events are therefore a central component of operational risk management in the banking and other
financial services sectors.

You can complete the following tasks using the Loss Event Assessments group:

● Manage loss events, including grouping loss events and managing related risks
● Upload loss events using an XML-based file
● Reassign loss events

8.2.1.1 Loss Event Management

You can use the Loss Event Management quick link to create, modify, and delete loss events, as required, as well
as manage loss event drivers and related risks. You can also group multiple loss events together and manage
the group as a single loss event for recording, management, or modeling purposes.

Specifically, when performing loss event management, you can complete the following tasks:

● Search loss events
● Create and modify loss events
● Manage grouped loss events
● Manage loss event drivers
● Manage related risks
● Display the loss event history
● Download loss events
● Download scenario losses
● Delete loss events

8.2.1.1.1 Searching Loss Events

Use

You can search loss events using the Loss Event Management screen. When defining a query (known as a
worklist), you can either create a new worklist or base your worklist on an existing query. You can also modify
an existing worklist, as required.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.


The Loss Event Management screen appears displaying the existing loss events.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with Loss Events automatically selected in the Select Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. Specify the criteria for the query, and choose the Preview pushbutton to display the table of loss events
based on the current criteria.
Choose the Close pushbutton to dismiss the preview. Refine the query criteria, as required, and choose the
Next pushbutton.

6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
The query results appear.

To modify a worklist

1. Choose the Change Worklist pushbutton.


The Change Worklist dialog appears.
2. Modify the criteria for the query, and choose OK.
The updated query results appear.

More Information

Creating Loss Events [page 546]

Modifying Loss Events [page 548]

Managing Grouped Loss Events [page 549]

Deleting Loss Events [page 557]

8.2.1.1.2 Creating Loss Events

Prerequisites

You can use the Governance, Risk and Compliance Risk Management Operational Risk Management for
Banking Industry Loss Event Management Define Loss Event Types and Workflow Configuration Loss
Event Types customizing activity to manage the loss effect types.

Context

You can create loss events using the Loss Event Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.

2. Choose the Create pushbutton.

The Loss Event section appears at the bottom of the screen.


3. In the Name field, type the name of the new loss event.
4. In the Organizational Unit field, type or select the organizational unit for the loss event.
5. Optionally, specify the following information in the Loss Details section:
○ Occurrence Date — The date on which the loss event occurred.
○ Type — The loss event type, as defined using the Define Loss Event Types and Workflow Configuration
customizing activity (described in the Prerequisites).
○ Country — The country for the loss event.
○ Global Event — Indicates whether the loss event is global.
○ Estimated Probability — An estimate of the probability that the same loss event occurs in the future.
○ Estimated Loss — The estimated exposure for the loss event, expressed as a monetary value.
○ Potential Loss — The potential exposure for the loss event, expressed as a monetary value.
6. Choose the Effects tab and specify the loss event effects and corresponding allocations, as required.

To add a new effect, choose the Add pushbutton and specify the Effect Name, Effect Type, Effect Amount,
Ins. Policy Number, and the Settlement Date. You can also specify the loss and capital allocations
associated with the effect.

An effect is a positive or negative quantifiable impact on the Profit & Loss (P&L) of an organization due to
an operational risk loss event.

You can distribute the monetary value of an effect as a loss allocation or a capital allocation. A loss
allocation is a distribution of the amount specified in the effect to organizational units, expressed as a
percentage. A capital allocation, in contrast, is a division of the financial resources necessary as a result of
the effect (for mitigation of the effect, for instance), expressed as a monetary value.

Note

The system automatically calculates the Gross Loss Amount, Net Loss Amount, and Capital Amount
fields based on the effects and allocations amounts. The gross loss amount is the sum of all negative
effects, while the net loss amount is the gross loss amount minus the sum of all positive effects. The
capital amount, in contrast, is the sum of all capital allocations of all effects.

7. Choose a tab (such as Responsibility or Dates, among others), and enter appropriate values in the
corresponding fields.
8. To validate your settings, choose the Validate pushbutton.

This verifies that the new loss event is consistent.


9. Choose the Save pushbutton.

Choose Refresh List to refresh the table of loss events.

Next Steps

Searching Loss Events [page 545]

Modifying Loss Events [page 548]

Managing Grouped Loss Events [page 549]

Deleting Loss Events [page 557]

8.2.1.1.3 Modifying Loss Events

Context

You can modify specific loss events using the Loss Event Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Select the loss event in the table.

The Loss Event section appears at the bottom of the screen showing details of the loss event.
3. Modify the loss event details, as required.
4. To validate the settings, choose the Validate pushbutton.

This verifies that the updated loss event is consistent.


5. Choose the Save pushbutton.

Choose Refresh List to refresh the table of loss events.

Next Steps

Searching Loss Events [page 545]

Creating Loss Events [page 546]

Deleting Loss Events [page 557]

8.2.1.1.4 Managing Grouped Loss Events

Use

In certain circumstances, it is advantageous to group multiple loss events together and manage the group as a
single loss event for recording, management, or modeling purposes.

Common situations for grouping loss events include the following:

● Loss events caused by a common operational loss event.


You can group and enter these events into the loss calculation as a single loss based on your organization’s
internal loss data policy for risk management and capital modeling. When grouping these events, apply
your organization’s policy regarding thresholds and dates, for example, assigning the date of the first loss
in the group, or using the latest date (to ensure that the grouped loss is not prematurely discarded).
Examples of when you might consider grouping loss events caused by a common operational loss event
include natural disasters that cause losses in multiple locations or across an extended period of time, or a
programming error that results in the inclusion of customers across multiple transactions and types of
transactions over an extended period of time.
Another example could involve a breach of security that results in the disclosure of confidential customer
information. In this case, multiple customers could incur fraud-related losses that your organization must
reimburse. This can also be accompanied by remediation expenses such as credit card re-issue or credit
history monitoring services.
● Small loss events with no causal relationship.
You can group these loss events for data collection and registration purposes, which are then generally
excluded from loss calculations. In cases when the loss events are included in the loss calculation, you
should demonstrate that using this type of grouped loss event does not materially distort the capital
calculation.
In this scenario, your organization remains informed of these small losses for risk management purposes,
but without the overhead of individually recognizing and registering small losses.
Examples of when you might consider grouping small loss events with no causal relationship include credit
card fraud-related losses discovered during a period, or losses smaller than $100 or €100 in a particular
business line (losses over $100 or €100 can remain as single events).

When grouping loss events, you can complete the following tasks:

● Group multiple loss events into a single group


● Add a loss event to an existing group
● Remove a loss event from a group

Note

By default, the organization unit of a grouped loss event is the lowest common parent of the organization units
of all losses included in the group. All monetary attributes of a grouped loss event represent sums of the
corresponding attributes of all single losses included in the grouped loss event.
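The following added example (not SAP code, and not part of the product) works through the calculation rules stated in the notes on effects and on grouped loss events: gross, net, and capital amounts per loss event, then the summed amounts, lowest common parent, and date policy for a group. The hierarchy, field names, and amounts are constructed, and it assumes that effects are stored as positive magnitudes with a negative/positive flag and that a unit counts as its own lowest parent when every grouped loss belongs to it.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

# Constructed organizational hierarchy (child -> parent); not taken from an SAP system.
ORG_PARENT = {"BANK": None, "RETAIL": "BANK", "CARDS": "RETAIL",
              "BRANCHES": "RETAIL", "TREASURY": "BANK"}


@dataclass
class Effect:
    name: str
    amount: Decimal      # magnitude of the P&L impact (assumed >= 0)
    negative: bool       # True = negative effect (loss), False = positive effect
    capital_allocations: list = field(default_factory=list)


@dataclass
class LossEvent:
    name: str
    org_unit: str
    occurrence: date
    effects: list

    @property
    def gross_loss(self):
        # Gross loss amount: sum of all negative effects.
        return sum((e.amount for e in self.effects if e.negative), Decimal(0))

    @property
    def net_loss(self):
        # Net loss amount: gross loss minus the sum of all positive effects.
        positive = sum((e.amount for e in self.effects if not e.negative), Decimal(0))
        return self.gross_loss - positive

    @property
    def capital_amount(self):
        # Capital amount: sum of all capital allocations of all effects.
        return sum((a for e in self.effects for a in e.capital_allocations), Decimal(0))


def path_to_root(unit):
    """Return [unit, parent, ..., root]; fail on units missing from the hierarchy."""
    path = []
    while unit is not None:
        if unit not in ORG_PARENT:
            raise KeyError(f"unknown organization unit: {unit}")
        path.append(unit)
        unit = ORG_PARENT[unit]
    return path


def lowest_common_parent(units):
    units = list(units)
    if not units:
        raise ValueError("no organization units given")
    common = path_to_root(units[0])          # ordered from lowest to root
    for unit in units[1:]:
        other = set(path_to_root(unit))
        common = [u for u in common if u in other]
    if not common:
        raise ValueError("organization units share no parent")
    return common[0]


def group_events(name, events, date_policy="first"):
    """Build the grouped loss event; date_policy is 'first' or 'latest'."""
    if len(events) < 2:
        raise ValueError("a group needs at least two loss events")
    if date_policy not in ("first", "latest"):
        raise ValueError("date_policy must be 'first' or 'latest'")
    dates = [e.occurrence for e in events]
    return {
        "name": name,
        "org_unit": lowest_common_parent(e.org_unit for e in events),
        "occurrence": min(dates) if date_policy == "first" else max(dates),
        "gross_loss": sum((e.gross_loss for e in events), Decimal(0)),
        "net_loss": sum((e.net_loss for e in events), Decimal(0)),
        "capital_amount": sum((e.capital_amount for e in events), Decimal(0)),
        "members": [e.name for e in events],
    }


def sample_events():
    """Constructed losses following the data-disclosure scenario described above."""
    return [
        LossEvent("Card fraud reimbursements", "CARDS", date(2019, 3, 4), [
            Effect("Customer reimbursement", Decimal("12000"), True, [Decimal("3000")]),
            Effect("Card re-issue", Decimal("1500"), True),
            Effect("Insurance payment", Decimal("5000"), False),
        ]),
        LossEvent("Branch fraud reimbursements", "BRANCHES", date(2019, 3, 18), [
            Effect("Customer reimbursement", Decimal("4000"), True,
                   [Decimal("1000"), Decimal("500")]),
        ]),
        LossEvent("Settlement error", "TREASURY", date(2019, 2, 20), [
            Effect("Write-off", Decimal("250"), True),
        ]),
    ]


if __name__ == "__main__":
    events = sample_events()
    for key, value in group_events("Data disclosure", events[:2], "latest").items():
        print(f"{key}: {value}")
```

Running the script prints the grouped loss for the two retail events using the latest-date policy; passing "first" selects the earliest occurrence date instead.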

More Information

Creating Grouped Loss Events [page 550]

Adding Loss Events to a Group [page 551]

Removing Loss Events from a Group [page 551]

8.2.1.1.4.1 Creating Grouped Loss Events

Context

In certain circumstances, it is advantageous to group multiple loss events together and manage the group as a
single loss event for recording, management, or modeling purposes.

Note

For grouped loss events, all monetary attributes represent the sums of corresponding monetary attributes
from the individual loss events.

You can group specific loss events using the Loss Event Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.

2. Select the loss events that you want to group, and choose Group > Create New Group.

A confirmation dialog appears.


3. Choose the Yes pushbutton. The Loss Event section appears at the bottom of the screen.
4. In the Name field, type a name for the group.
5. Choose the Save pushbutton.

Next Steps

Managing Grouped Loss Events [page 549]

Adding Loss Events to a Group [page 551]

Removing Loss Events from a Group [page 551]

8.2.1.1.4.2 Adding Loss Events to a Group

Context

You can add loss events to a group using the Loss Event Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Select a loss event in the table.

The Loss Event section appears at the bottom of the screen showing details of the loss event.

3. Choose Group > Assign to existing group.

A confirmation dialog appears.


4. Choose the Yes pushbutton.

A dialog appears allowing you to select the grouped loss event.


5. Select the grouped loss event, and choose the OK pushbutton.
6. Choose the Save pushbutton.

Next Steps

Managing Grouped Loss Events [page 549]

Creating Grouped Loss Events [page 550]

Removing Loss Events from a Group [page 551]

8.2.1.1.4.3 Removing Loss Events from a Group

Context

You can remove loss events from a group, as required, using the Loss Event Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Select the grouped loss event in the table.

The Loss Event section appears at the bottom of the screen showing details of the loss event group.
3. Choose the Group tab.
4. Select a loss event in the table, and choose the Remove pushbutton.

The selected loss event is removed from the group.


5. Choose the Save pushbutton.

Next Steps

Managing Grouped Loss Events [page 549]

Creating Grouped Loss Events [page 550]

Adding Loss Events to a Group [page 551]

8.2.1.1.5 Managing Loss Event Drivers

Prerequisites

You can use the Governance, Risk and Compliance Shared Master Data Settings Risk and Opportunity
Attributes Maintain Driver Categories customizing activity to manage the driver categories.

Context

Drivers describe the circumstances or conditions that cause a particular loss event. You can manage loss event
drivers using the Loss Event Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Select a loss event in the table.

The Loss Event section appears at the bottom of the screen showing details of the loss event. Alternatively,
you can manage drivers when creating a new loss event.
3. Choose the Drivers tab.
4. Choose the Add pushbutton.

The Add Driver dialog appears.


5. In the Category field, choose a category for the driver using the drop-down list.
6. In the Driver Name field, type the name of the driver.
7. Choose the OK pushbutton.

The driver appears in the Drivers table.


8. Choose the Save pushbutton.

8.2.1.1.6 Managing Related Risks

Use

In general, risks represent uncertain events or conditions that, if they occur, have a negative impact on
business objectives. You should consider generating a risk for loss events that are likely to occur either
repeatedly or again in the future. Alternatively, you can link an existing risk to a loss event.

Note

When you generate a risk, the system uses the same organizational unit and risk category as the loss event,
by default.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.


The Loss Event Management screen appears displaying the existing loss events.
2. Select the loss event in the table. The Loss Event section appears at the bottom of the screen showing
details of the loss event. Alternatively, you can manage related risks when creating a new loss event.
3. Choose the Categories tab.
4. In the Risk Category field, type or select the risk category.
5. Choose the Affected Risks tab, and choose the Generate pushbutton.
The Create Risk dialog appears.

6. Specify the risk information, and choose the Submit pushbutton.
The risk appears in the Affected Risks table.
7. Choose the Assign pushbutton.
The Select Risk dialog appears.
8. Specify the risk selection criteria, as appropriate, and choose the Go pushbutton.
Risks matching the selection criteria appear in the Risks table.
9. Select one or more risks in the table and choose the OK pushbutton.
The risks appear in the Affected Risks table.
10. Choose the Save pushbutton.

To remove related risks

1. Choose Assessments > Loss Event Assessments > Loss Event Management.


The Loss Event Management screen appears displaying the existing loss events.
2. Select the loss event in the table.
The Loss Event section appears at the bottom of the screen showing details of the loss event.
3. Choose the Affected Risks tab.
The associated risks appear in the Affected Risks table.
4. Choose the Assign pushbutton.
The Select Risk dialog appears.
5. Select one or more risks in the table and choose the Remove pushbutton.
The risks are removed from the Affected Risks table.
6. Choose the Save pushbutton.

8.2.1.1.7 Displaying Loss Event History

Context

Every time a loss event is saved, the system creates a version of the event to enable change tracking and
reporting. You can display the historical versions of loss events using the Versions section of the Loss Event
Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Select the loss event in the table.

The Loss Event section appears at the bottom of the screen showing details of the loss event. The Up to
date and User fields display the current date and the name of the current user respectively. A drop-down
list containing all current versions is also available.

3. In the Up to date field, type or select a date.

The version drop-down list updates to display all versions saved before the specified date.
4. In the User field, type or select a user name.

The version drop-down list updates to display all versions saved by the specified user.
5. Choose a version using the drop-down list.

The version appears as read-only information.


6. Choose Active version using the drop-down list to return to the current version.

Next Steps

Downloading Loss Events [page 555]

Downloading Scenario Losses [page 557]

8.2.1.1.8 Downloading Loss Events

Context

You can download loss events using the Loss Event Management screen. When downloading loss events, you
can save the data in the following formats:

● XML
● QRR Excel
● QRR plain text
● ORX report — Downloads reports compliant with the Operational Riskdata eXchange Association
● EBA report — Downloads reports compliant with the European Banking Authority

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Select one or more loss events that you need to download.
3. Choose the Download pushbutton, and choose a download format from the drop-down menu.

The sample ORX Business Add-In implementation retrieves and downloads the following loss attributes:
○ Reference ID Number, which is the loss event identifier

○ Business Line Code, which is the organization unit from the ORX secondary hierarchy to which the loss
event is mapped using Static Data Management
○ Event Category, which is the risk category from the ORX secondary hierarchy to which the loss event is
mapped using Static Data Management
○ Country (ISO Code)
○ Credit Related, C if the credit risk share of the loss is greater than 0%, N if the credit risk share of the
loss is 0%
○ Related Event Reference ID, which is the ID of the grouped loss (if the loss event is grouped)
○ Date of Occurrence
○ Date of Discovery
○ Date of Recognition
○ Gross Loss Amount
○ Direct Recovery
○ Indirect Recovery
○ Gross Income

The sample EBA Business Add-In implementation retrieves and downloads the following loss attributes:
○ Internal Reference Number, which is the loss event identifier
○ Gross Loss Amount
○ Of Which: Unrealized
○ Status: Ended?
○ Direct Recovery
○ Indirect Recovery
○ Potential Recovery
○ Related to CR or MKR
○ Breakdown of Gross Loss (%) by Business Lines
○ Risk Event Type
○ Occurrence
○ Recognition
○ First Payment from Risk TM
○ Last Payment from Risk TM

Next Steps

Displaying Loss Event History [page 554]

Downloading Scenario Losses [page 557]

8.2.1.1.9 Downloading Scenario Losses

Context

You can download scenario losses, which are risks that are interpreted as losses, using the Loss Event
Management screen. When downloading scenario losses, the system saves the data in the standard XML
format for losses.

Note

You can specify that a risk is to be considered as a scenario loss by selecting the Risk Used As Scenario
Loss check box in the General tab in Assessments > Risk Assessment > Risks and Opportunities.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Choose the Download Scenario Losses pushbutton.

Specify the location for the download file and choose the Save pushbutton.

Next Steps

Displaying Loss Event History [page 554]

Downloading Loss Events [page 555]

8.2.1.1.10 Deleting Loss Events

Context

You can delete existing loss events using the Loss Event Management screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Loss Event Management.

The Loss Event Management screen appears displaying the existing loss events.
2. Select one or more loss events that you need to delete.
3. Choose the Delete pushbutton.

A confirmation dialog appears.


4. Choose Yes to delete the selected loss events; choose No to dismiss the dialog without deleting the
selected loss events.

Next Steps

Searching Loss Events [page 545]

Creating Loss Events [page 546]

Modifying Loss Events [page 548]

8.2.1.2 Uploading Loss Events

Context

You can upload loss events using the Upload Loss Events screen.

Procedure

1. Choose Assessments > Loss Event Assessments > Upload Loss Events.

The Upload Loss Events screen appears displaying the first step of the upload wizard.
2. In Step 1: Upload file, choose the Browse pushbutton and select the file to upload.

Choose the Continue pushbutton to advance to the next step of the wizard. The contents of the upload file
appear allowing you to review the loss events.
3. In Step 2: Check content, review the loss events to be uploaded.
1. In the Upload mode field, choose the appropriate option using the drop-down list.
2. Choose the Continue pushbutton.
4. In Step 3: Upload progress, choose the Continue pushbutton, if necessary, after the upload completes to
advance to the next step of the wizard.

Note

Step 3 only appears in cases when you upload a large number of loss events.

5. In Step 4: Check results, verify the upload results and choose the Submit pushbutton to save the loss
events to the database.

Alternatively, choose the Cancel pushbutton to exit the wizard without saving the loss events to the
database.

8.2.1.3 Reassigning Loss Events

Context

You can use the Loss Events: Organization Unit Reassignment screen to reassign loss events between
organization units. You might need to do this following an organizational restructure, for example.

Note

In this procedure, the current loss event assignments appear on the left while the reassigned loss events
appear in the hierarchy on the right.

Procedure

1. Choose Assessments > Loss Event Assessments > Reassignment of Loss Events.

The Loss Events: Organization Unit Reassignment screen appears.


2. In the Date field, select the date on which the loss event reassignments are to become effective, and
choose the Apply pushbutton.

Note

You cannot select a date in the past.

3. To display a summary of an organization unit or loss event, select the item in the Organizations hierarchy.

Information about the entry appears in the Details panel.


4. To display details about an organization unit or loss event, select the item in the Organizations hierarchy,
and choose the Open pushbutton.

The Organization Unit dialog appears showing details about the entry.
5. To reassign loss events, select the entries in the Organizations hierarchy on the left and drag and drop the
events to the correct location in the Organizations hierarchy on the right.

Alternatively, you can highlight the correct location in the Organizations hierarchy on the right, select the
entry in the Organizations hierarchy on the left, and choose the Assign pushbutton.

You can also reassign all loss events from one organization unit to another by dragging and dropping the
entire organizational unit. The reassigned loss events appear in the Organizations hierarchy on the right.
6. Review your reassignments in the Reassignment Overview table at the bottom of the screen.

Optionally, select a reassignment in the Reassignment Overview table, and choose the Open pushbutton to
display details about the reassignment.
7. Choose the Save pushbutton to save the reassignments.

The reassignments are not saved until you choose the Save pushbutton.

Note

If you reassign a loss event more than once (for a specific date), only the last reassignment is
maintained.

8.3 Reports and Analytics

The Reports and Analytics work center provides a central location to display reports and dashboards related to
Risk Management, such as alerts, user analysis, and audit reports, among other information.

Operational Risk Management for Banking adds the Loss Event Reports [page 560] section and associated
quick links to the Reports and Analytics work center.

Note

The Reports and Analytics work center is shared by the Access Control, Process Control, and Risk
Management products in the GRC application. The menu groups and quick links available on the screen are
determined by the applications you have licensed. The content in this topic covers the functions specific to
Operational Risk Management for Banking.

8.3.1 Loss Event Reports

The following reports are available in the Loss Event Reports section of the Reports and Analytics work center.

Report | Description
Loss Event Matrix Analysis | Displays aggregated loss events as a matrix of organizational units, processes, or products (in the first dimension) and risk categories (in the second dimension), allowing you to analyze the distribution of the losses.
Loss Event Overview | Displays a dashboard showing loss events and their development over time using bar charts.
Loss Event Structure | Displays a dashboard showing the loss event distribution, across organizational units, in bar and pie charts.
Top Loss Events | Displays loss events, based on the selection criteria, with the highest amount values.
Gross Loss Amount by Organizational Unit | Displays the summarized value of gross loss amounts from all loss events assigned to select organizational units.
Loss Events by Organizational Unit | Displays loss event data by organizational unit.
Loss Events by Risk Category | Displays loss event data by risk category.
Insurance Payments by Organizational Unit | Displays all effects considered as insurance payments (based on the effect type and certain loss event data related to the effects).
Loss Effect Allocations by Organizational Unit | Displays all allocations of loss event effects, with the associated amounts.

8.3.1.1 Loss Event Matrix Analysis

Context

You can use the Loss Matrix Analysis screen to display losses, within a specified scope, and organized as a
matrix.

Procedure

1. Choose Reports and Analytics > Loss Event Reports > Loss Event Matrix Analysis.

The Loss Matrix Analyzer screen appears.


2. In Step 1: Select Focus, specify the focus, dimensions, observed figures, and matrix comparison options.

Select the focus for the loss matrix.

1. In the Effective Date field, type or select the effective date for the analysis.

2. In the Amount field, choose from among the following options using the drop-down list:
○ Estimated Loss
○ Potential Loss
○ Total Loss Amount
○ Gross Loss Amount
○ Net Loss Amount
○ Recovery Gross Loss Amount
3. In the Currency field, select or type the currency for the analysis.
4. In the Loss Ratio field, choose from among the following options using the drop-down list:
○ Total
○ Operational Risk
○ Credit Risk
○ Market Risk
The system multiplies the percentage values for each loss by the amount you select in the Amount field
to calculate the actual loss values for the matrix.
5. Choose the Advanced Select Options link to specify advanced options for the analysis.

Select the dimensions for the analysis.


1. In the Leading Dimension field, choose from among the following options using the drop-down list:
○ Organizational Units
○ Processes
○ Products
2. To swap the matrix dimensions, select the Swap Dimensions check box.
3. In the Vertical View field, choose an option using the drop-down list.
This is only applicable if you choose Organizational Units as the Leading Dimension.
4. Choose the Organizations, Processes, or Products link to specify your selections for the vertical
dimension.
5. In the Horizontal RC View field, choose an option using the drop-down list.
6. Choose the Risk Categories link to specify the risk categories for the horizontal dimension.

Select the observed figures and matrix comparison for the analysis.
1. Specify the observed figures by selecting the corresponding check boxes, from among the following:
○ Number of Losses
○ Total Amount
○ Maximum Single Loss
○ Percentage
2. Select the Keep previous matrices check box, if appropriate.
3. Choose the Next pushbutton.

The system collects all losses related to your selections, taking into account the loss mappings,
organizational units, and risk categories by which losses can be reported using different hierarchies. The
system then calculates the losses and percentages using the two matrix dimensions, highlighting cells
using a color coding scheme that you can customize.
4. In Step 2: Analyze Loss Matrix, review the loss matrix.
5. To download the loss matrix analysis, choose the Download link, and choose the Save button in the dialog
that appears to save the XML document to your local system.

9 Archiving in SAP Risk Management

You can use transaction AOBJ to create archiving objects. You can specify archiving objects for preprocessing,
writing, and deleting activities. For more information, see Customizing for SAP NetWeaver under Application
Server > System Administration > Data Archiving > Archiving Object-Specific Customizing. Archiving for SAP
Risk Management is carried out with the help of archiving objects. The following table gives an overview of the
available archiving objects and respective monitors:

Objects in SAP Risk Management | Archiving Object | Documentation
Planner and Planner Monitor | GRFNPLAN | Risk Management Planner [page 499]

You can also extend these standard archiving objects to suit your own business requirements. You can specify
the database tables from which the system archives the information for the archiving object.

You can use transaction SARA to schedule when the system executes the preprocessing, writing, and deleting
activities for an archiving object. For more information, see SAP Easy Access Tools Administration
SARA - Data Archiving . You can use the following features in transaction SARA:

● Preprocessing
We provide each business object with separate selection criteria to identify the instances of the business
object that are ready for archiving. We provide each query with the same logic. The query selects the
instances that are ready and calls the CHECK_ARCHIVABILITY action. The action checks the residence
period and sets the archiving status to Archiving in Process. The action only runs across the relevant
business object.
You can control the memory used during archive preprocessing by specifying the package size, that is, the
number of documents processed together in one SAP Logical Unit of Work (SAP LUW). Before the next
package is selected and processed, allocated memory is released to keep the memory consumption for the
preprocessing batch job constant.
● Writing
The system selects all instances of a business object that have the archiving status Archiving in Process. It
copies the instances into the archive. You can control the memory used during writing in the same way as
for preprocessing.
● Deleting
The system deletes all records that are archived from the registered database tables.
● Deleting from Archive
All SAP Risk Management archiving objects are ILM-enabled. For more information about SAP Information
Lifecycle Management (SAP ILM), see http://help.sap.com/erp → SAP ERP → Cross-Application Functions →
Cross-Application Components → SAP Information Lifecycle Management.
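The preprocessing, writing, and deleting steps described above, as a simplified model. This is an added example, not SAP code: the Doc class, its closed_on field, the function names other than CHECK_ARCHIVABILITY, the sample keys, and setting the Archived status on the archive copy are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import islice

NOT_ARCHIVED, IN_PROCESS, ARCHIVED = "Not Archived", "Archiving in Process", "Archived"

@dataclass
class Doc:
    key: str
    closed_on: date              # assumed field: start of the residence period
    status: str = NOT_ARCHIVED

def packages(items, size):
    """Yield lists of at most `size` items, so only one package is held at a time."""
    it = iter(items)
    while batch := list(islice(it, size)):
        yield batch

def check_archivability(doc, today, residence_days):
    """Model of CHECK_ARCHIVABILITY: residence period check, then status change."""
    if doc.status == NOT_ARCHIVED and today - doc.closed_on >= timedelta(days=residence_days):
        doc.status = IN_PROCESS
        return True
    return False

def preprocess(db, today, residence_days, package_size):
    marked = 0
    for batch in packages(db.values(), package_size):    # one package per LUW
        marked += sum(check_archivability(d, today, residence_days) for d in batch)
    return marked

def write(db, archive, package_size):
    ready = [d for d in db.values() if d.status == IN_PROCESS]
    for batch in packages(ready, package_size):
        for d in batch:
            archive[d.key] = Doc(d.key, d.closed_on, ARCHIVED)  # assumed: copy is marked Archived
    return len(ready)

def delete(db, archive):
    """Remove only records whose copy is already present in the archive."""
    removable = [k for k, d in db.items() if d.status == IN_PROCESS and k in archive]
    for k in removable:
        del db[k]
    return len(removable)

def run_demo():
    today = date(2019, 9, 5)
    ages = [10, 400, 800, 364, 365]                      # constructed sample data (days)
    db = {f"RISK-{i}": Doc(f"RISK-{i}", today - timedelta(days=a)) for i, a in enumerate(ages)}
    archive = {}
    counts = (preprocess(db, today, 365, 2), write(db, archive, 2), delete(db, archive))
    return counts, sorted(db), sorted(archive)
```

Because the delete step checks the archive before removing anything, a record marked Archiving in Process whose write failed stays in the database and is picked up by the next write run.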

You can load archived documents into the standard SAP Risk Management screens. The system uses only the
display mode for these archived documents. We provide each business object in SAP Risk Management with
the following settings:

● Individual archiving object
● Archiving status: Statuses include Not Archived, Archiving in Process, and Archived.
● CHECK_ARCHIVABILITY action
● Programs for each of the preprocessing, write, and delete steps
● Individual query to select business objects for the preprocessing step
● POWL for archived documents

Features

Why Archive?

Archiving data from the production database makes the production database faster as it is carrying less
unproductive data. Searching archived documents is possible via the provided POWLs for archived documents.
From there it is possible to open archived documents in the standard SAP NFE UIs in display mode, as if they
were in the production database.

Archiving Dependent Objects

The system archives charge information, address information, or information from texts or attachments when
you archive a business object. It also archives other objects that are used in business objects for tendering. It
does not archive master data objects in general (with the exception of business partner master).

Index Criteria

You can specify database indexes to enable a query to search for data records efficiently. Ideally, you should
have no more than 8 indexes defined for a database table; otherwise the performance of the query decreases.
The database indexes in SAP NFE improve the performance of active business queries, and not archiving
queries. For example, you usually do not search the database table for a product ID in forwarding order items
for business reasons. For this reason, we do not provide database indexes for archiving. The system in general
performs a full table scan during preprocessing.

More Information

For more information about the Archive Information System, see SAP Library for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/nw. Under Application Help for Function-Oriented View, open SAP Library and
choose Solution Life Cycle Management → Data Archiving → Data Archiving in the ABAP Application System →
Data Archiving with Archive Development Kit (ADK) → Archive Information System.

For more information about tables and archiving objects, see SAP Library for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/nw. Under Application Help for Function-Oriented View, open SAP Library and
choose Solution Life Cycle Management → Data Archiving → Data Archiving in the ABAP Application System →
Data Archiving with Archive Development Kit (ADK) → Archive Administration → Tables and Archiving Objects.

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Beta and Other Experimental Features
Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
