Professional Documents
Culture Documents
PUBLIC
2019-09-05
5 Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1 Integration with Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Reusing the PC Central Process Hierarchy in RM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Risk Harmonization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.2 Integration with Audit Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.3 Integration of KRIs with SAP S/4HANA Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6 Key Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6.1 Risk Management Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
6.2 Levels of Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Standard Roles and Authorization Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Risk Management Application Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
6.3 Workflows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Agent Determination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
6.4 Analysis Automation: Integration with EH&S. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6.5 Customer-Defined Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Adding Customer-Defined Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.6 Risk-Related Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.7 Operational Data Provisioning in RM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
CDF Support in ODP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Search and Analytics Models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Product Information
Use
SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal
requirements and recommended by best practice management frameworks.
Recommendation
If you have also licensed the SAP Process Control component, see the corresponding documentation at
https://help.sap.com/pc
SAP Risk Management allows you to identify and assess risks and opportunities, determine a response
strategy, and monitor progress. With SAP Risk Management, you can do the following:
● Identify enterprise risks and align them with business processes that create value
● Assess and analyze risks in terms of likelihood and magnitude of impact
● Track risk management effectiveness with embedded reports and analytics
● Continuously monitor risks using SAP HANA-based key risk indicators (KRIs)
Implementation Considerations
Customizing for SAP Risk Management enables you to carry out the necessary configuration activities and
describes the administrative functions necessary to run the application.
Note
For the graphical representation of activities and scenarios, you must install the latest version of Java
Runtime Environment (JRE version 7 or higher is recommended) on your front-end system. For more
information, see http://www.java.com .
Key Features
● Graphical View
Supports the creation and analysis of risks using graphical view.
● Data Monitoring
Monitor application data from internal and external systems in real time.
● Workflow
Use workflow to automate processes.
● Starter kits
Controls starter kit: Library of standard business controls, basic regulations, and direct entity-level
controls.
ERM starter kit: Library of enterprise risks, risk drivers, and impacts
● Automated monitoring
CCM library: Automated continuous controls monitoring
KRI library: KRIs organized by risk drivers, risk categories, and industries
SAP Risk Management uses the various work centers of the GRC, in which you can carry out all SAP Risk
Management activities. For more information about SAP Risk Management activities, see the following work
center topics:
Note
SAP Risk Management functions may be executed in the SAP NetWeaver Business Client (NWBC), or from
the SAP Fiori launchpad. For information about using NWBC, see https://help.sap.com/viewer/product/
SAP_NETWEAVER_AS_ABAP_752/7.52.2/en-US and https://help.sap.com/viewer/
53a5091ea9e945839b860232b7796747/1709%20001/en-US/a50e38fc-c66a-479e-b5ab-
b60cd41ea1cc.html.
Technical Data
It is now possible to upload attachments and add links to an incident created via Ad Hoc Tasks Incidents .
You are now able to use the scoring method in the Fiori app Manage Risk Assessment for risk analysis.
When creating a plan in the Planner, users are able to see a tooltip for each selected organizational unit that
shows its superior organization units structured as a hierarchy during the step Select Object(s). With this new
feature, it is easy to identify to which specific organization unit the plan refers when there are two or more
organization units with the same name.
More Information
For more information, see the application help for SAP Risk Management at http://help.sap.com/rm .
Related Information
Technical Data
New Features
● The “Risk Trend” field is included in Heatmap report (Valid for the Web Dynpro version only).
● It's possible to see the details of a KRI instance when inputting the KRI value manually via work item in the
Work Inbox.
More Information
For more information, see the application help for SAP Risk Management at http://help.sap.com/rm .
Technical Data
New Features
More Information
For more information, see the application help for SAP Risk Management at http://help.sap.com/rm .
Technical Data
New Features
More Information
For more information, see the application help for SAP Risk Management at http://help.sap.com/rm .
Technical Data
● Adapted to meet the ISO 31000 standards - To comply with the ISO 31000 standards, a terminology
editing tool is provided to extend the current terminology customizing with the capability to edit
terminologies, and to upload and download terminologies in an Excel file. A new customizing option is also
provided to hide the Residual (Planned) analysis type which is not required by ISO 31000.
● Enhanced User Experience with Entry Page and Side Panel - Side Panels can be used to display
additional information about an application. A Side Panel for risk is provided to show the related control
information. A new Entry Page for risk manager is also provided which is generally a mashup combining
various relevant information. The Side Panel and Entry Page can be configured or personalized by the
customer using pre-delivered or self-developed CHIPs.
● Embedded Search for Business Entities and Documents – By leveraging the capability of SAP Netweaver
Embedded Search, now you can use a unified, comprehensive and real-time search function to search for
data and information.
● Operational Data Provisioning Enablement - Operational Data Provisioning provides a metadata layer
that allows a set of semantically connected DataSources to act as an InfoProvider. In this metadata layer a
DataSource can be enhanced by analytical properties to generate an Operational Data Provider (ODP).
When implemented, the interfaces enable the access to data for analytics purposes as well as for mass
data replication.
● Ad-hoc Escalation - The ad-hoc risk escalation process allows you to escalate a risk to dedicated
awareness and reporting process, when the risk exceeds a pre-defined threshold within the company.
● HANA-Based KRI - Now HANA Calculation View can also be used as KRI script if HANA connection is
available on GRC system. By using HANA based KRI, we bring more value to the customer’s HANA
investments. The connectivity with HANA opens the rich data availability. With data stored in HANA and
available to the KRI runtime, you will be able to calculate KRI with cross systems transaction data and with
great performance despite potentially large data volumes. We will also enable customers to reuse their
HANA analytics investments in time and content.
● KRI driven analysis - With the KRI driven analysis, probability and impact can be calculated automatically
by the KRI runtime, by linking number-type KRI instance to probability, and currency-type KRI instance to
impact.
● Context Sensitive Help – You can directly access the help topics for the process that you are executing
through the Help Center by clicking on the application screen or pressing F1.
More Information
For more information, see the application help for SAP Risk Management at http://help.sap.com/rm.
The processes and user interfaces of the following applications are closely linked, as they have interconnected
features:
You can access the features and documentation of one or several of these products only after licensing and
installing the relevant products.
SAP Access Control 12.0, SAP NetWeaver 7.52 Support Package Stack 00
SAP Process Control 12.0, SAP NetWeaver 7.52 Support Package Stack 00
SAP Risk Management 12.0, SAP NetWeaver 7.52 Support Package Stack 00
The integration topics describe the integration scenarios that leverage 12.0 features across multiple
applications.
Related Information
Use
Provided your company has licensed both the SAP Risk Management (RM) and SAP Process Control (RM)
applications, you can use a number of integrated functions as described below.
Among other things, risk templates are common to both SAP Process Control and SAP Risk Management.
They can be defined and assigned from both applications.
Match-up of risk templates used in both Risk Management and Process Control
Other Functions Common to SAP Risk Management and SAP Process Control
Beyond the functions described above, the following are common areas for both SAP Risk Management and
SAP Process Control:
● The use of a central PC process hierarchy as part of an SAP Risk Management activity hierarchy. The PC
processes are structured into subprocesses; for each subprocess, controls are defined. Risks can be
defined for controls, and these controls can then mitigate the risks specified for them. For more
information, see Reuse of PC Central Process Hierarchy in RM [page 16] and (in the application help of
SAP Process Control).
Note
For more information about creating risks, see Risks and Opportunities [page 416].
● With risk harmonization activated, you can more closely integrate risks and subprocesses across SAP Risk
Management and SAP Process Control. For more information, see Risk Harmonization [page 18].
More Information
Use
Provided you have licensed both the SAP Risk Management (RM) and the SAP Process Control (PC)
applications, you can use the central PC subprocesses as activity categories in SAP Risk Management.
Furthermore, you can use the local PC subprocesses as local activities in RM.
In this way, a defined RM activity category can later be used to assign (local) activities to it. Otherwise no direct
assignment of a (local) activity to the activity category is possible.
This enables you to structure your risk assessment and risk reporting processes, with the option of using the
activity hierarchy (containing the assigned categories) primarily as a reporting or an assessment structure, or
both.
Note
You can enable a closer integration with SAP Process Control by activating the risk harmonization feature.
For more information, see Risk Harmonization [page 18].
With both applications (SAP Process Control and SAP Risk Management) installed and running, the following
procedure must be carried out before you can display and use the PC process hierarchy in the SAP Risk
Management application in the activities screen:
Go to transaction GRFN_STR_CHANGE and make an entry corresponding to the one you have maintained in the
above maintenance view. Note that this transaction corresponds to the Customizing activity of SAP Process
Control called Set up Structure: Expert Mode and is documented there also. See the procedure below for the
exact steps.
Procedure
Note
When you access the RM activity overview screen, there are different processing modes, depending on your
authorization:
● If you have SAP Risk Management authorization, the activities are available and can be edited.
● With the same authorization, however, the PC subprocesses only open in display mode. You need PC
authorization to change subprocesses. However, you can attach a risk to a subprocess and submit it.
To use the SAP Process Control central processes in SAP Risk Management:
1. Access the Master Data work center and click the Activity Hierarchy link under Activities and Processes.
2. The activity hierarchy overview screen opens. Select an activity category and make note of it.
3. Access transaction GRFN_STR_CHANGE in the back-end system and go to the section on activity
categories.
4. Below the activity category item, select Search Term to find the activity category that you are working with
in the application. The result list is displayed at the bottom left of the screen.
5. Select the activity category at the bottom left to see the data for it on the right-hand screen sections.
6. On the tab Activity Category Attributes (bottom section), access the Prefix field and select the Prefix ID
called PROCESS.
7. Save your entry.
8. The SAP Risk Management application now displays the SAP Process Control hierarchy, containing its
processes and subprocesses, in the lower section of the activities screen.
Note
You may need to scroll in the Activity list to display the subprocesses in the list.
Use
Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
Risk harmonization allows both SAP Risk Management and SAP Process Control users to share a more unified
source of risk repository. The interchange of risk and control information between the two applications
facilitates a top-down, risk-based internal control approach with which risks in processes can now be
automatically identified and responses can be automatically provided.
If risk harmonization is not enabled, SAP Process Control (PC) and SAP Risk Management (RM) use separate
risk information objects and they are not fully integrated with each other. PC and RM share the same risk
catalogs and risk templates, but without risk harmonization the risks and risk assessment results from RM
cannot be used by PC users, nor can they be used to display harmonized risk and control information. In such a
case you can only link an RM risk to a PC subprocess through an RM activity.
The risk harmonization feature allows direct relationships to be established between RM risks and PC
subprocesses and controls. It also allows PC users to use RM risk assessment results and to display the
harmonized data in the frequently used reports.
With the risk harmonization feature activated, SAP Process Control users can add SAP Risk Management risks
to local SAP Process Control subprocesses. Subsequently, any controls added to these risks are automatically
recognized on the SAP Risk Management side as responses to the risks.
Related Information
Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
You can activate risk harmonization in Customizing for Governance, Risk and Compliance under Shared
Master Data Settings Activate the Risk Harmonization Feature .
You maintain the mapping relationships between risk levels and risk scores in Customizing for Governance, Risk
and Compliance under Process Control Scoping Maintain Risk Score and Risk Level Mapping .
You choose which SAP Risk Management risk analysis type you want to use in SAP Process Control in
Customizing for Governance, Risk and Compliance under Process Control Scoping Maintain Risk Analysis
Type .
Email Notifications
You can define the recipient of email notifications for different business events in Customizing for Governance,
Risk and Compliance under General Settings Workflow Maintain Custom Agent Determination Rules .
You use the following agent slots to define which roles receive e-mail notifications:
To allow the SAP Process Control internal control manager to be able to create and remove a PC control as an
activity or response under an RM risk, the following authorization settings need to be added to the relevant
roles:
02 Change
03 Display
06 Delete
GRC_DATAPT *
GRC_ENTITY ACTIVITY
RESPONSE
GRC_SUBTYP *
Context
Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
With the risk harmonization feature activated, SAP Process Control users can add SAP Risk Management risks
to local SAP Process Control subprocesses. Subsequently, any controls added to these risks are automatically
recognized on the SAP Risk Management side as responses to the risks.
Procedure
1. To allow risks to be assigned to a local subprocess in PC, you need to select the Allow Local Change option
when you assign a central subprocess to the organization.
2. In SAP Risk Management, create a risk, and in the Organization Unit field, choose the same organization
under whose subprocess you want to assign this risk.
3. In SAP Process Control, assign the risk to a local subprocess. Note that all risks from SAP Risk
Management have the source Inherent to Organization.
Related Information
Context
Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
With risk harmonization, SAP Risk Management is able to automatically identify SAP Process Control controls
as responses to SAP Risk Management risks. The control-risk relationship works as follows:
● When a PC control is assigned to an RM risk as a response, the risk is automatically added to the control on
PC side.
● When an RM risk is assigned to a PC control, the control is automatically added to the risk as a response.
Note
You must first assign these risks to the local subprocess under which the local controls are located, then
you are able to add the risks to the controls.
Procedure
1. In SAP Risk Management, open a risk, assign an SAP Process Control control to the risk as a response. You
can also remove an existing SAP Process Control control from the risk. Note: If you have enabled the email
notification feature for this activity, the system sends out a notification email to the relevant user when the
control is assigned to or removed from the risk as response.
2. In SAP Process Control, open the local control. The SAP Risk Management risk is automatically added to or
removed from the control.
Related Information
Context
Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
With risk harmonization activated, you can assign SAP Risk Management Risks to SAP Process Control
controls.
Procedure
1. In SAP Process Control, open a local control and assign an SAP Risk Management risk to the control. You
can also remove an existing SAP Risk Management risk from the control. Note: If you have enabled the
email notification feature for this activity, the system sends out a notification email to the relevant user
when the risk is assigned to or removed from the local control.
2. In SAP Risk Management, open the risk. The SAP Process Control control has been automatically added to
or removed from the risk as a response.
Related Information
Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
As a result of shared risk and control information between SAP Process Control and SAP Risk Management,
the risk harmonization feature allows the use of SAP Risk Management risk assessment results in SAP Process
Control, so that the SAP Process Control user is able to perform risk-based scoping for control evaluation.
5.1.2.6 Reporting
Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
With the risk harmonization feature activated, you are able to monitor the risk coverage with the following
reports:
Report Location
For example, you can use the Risk Coverage with Ratings by Organization report to monitor which risks have
been covered by controls with risk level information. You can also navigate to the SAP Risk Management risk
(with risk source Inherent to Organization) through the link, to see the details of the risk.
Master data can be imported from SAP Risk Management to SAP Audit Management. For more information,
see the application help of SAP Audit Management at https://help.sap.com/audit, choose the Application Help
and navigate to Master Data Importing Master Data .
To set up the integration of key risk indicators in your on-premise SAP Risk Management system with SAP S/
4HANA Cloud, you must perform the following configuration steps.
Prerequisites
Scope item Key Risk Indicator Monitoring (2U2) must be active. You can check this in the Manage Your Solution
app under View Solution Scope.
A user must exist for creating a communication system in SAP S/4HANA Cloud to access the on-premise SAP
Risk Management system. This user must have the following privileges:
You must have a user with sufficient authorization in Customizing for SAP Risk Management, for example, GRC
System Administrator.
Activities
To enable communication via remote call between the on-premise and cloud systems, you need to enable SAP
Cloud Platform Cloud Connector (Cloud Connector) in your SAP S/4HANA Cloud environment and create a
communication arrangement for the scenario SAP_COM_0200
Note
When configuring the access control list for the cloud to on-premise scenario, you need to specify function
modules (resources) which can be invoked on the on-premise host. The SAP Cloud Platform Cloud
Connector uses very strict whitelists for its access control.
Use GRFN as the function module name for the communication scenario SAP_COM_0230 (Process Control
& Risk Management Integration).
For more information, go to the SAP Help Portal and search for the SAP S/4HANA Cloud product page. In the
Product Assistance, navigate to the following chapter: SAP S/4HANA Cloud Generic Information General
Functions for the Key User Integration Scenarios How to Set Up SAP Cloud Platform Cloud Connector .
On the SAP S/4HANA Cloud side, you must perform the following tasks:
1. Create a communication user. You can do this using the Maintain Communication Users app.
To perform this step, you must have a role that contains the business catalog SAP_CORE_BC_COM
(Communication Management).
2. Create a communication system which defines the host name of the SAP Risk Management system and
handles users for both inbound and outbound communications. You can do this using the Communication
Systems app.
When creating the system, you must add the virtual host name for the SAP Risk Management system and
choose Use Cloud Connector.
In the Cloud Connector technical settings, you must enter the Instance Number and Client, which are
system connection parameters for the SAP Risk Management system.
Add the new inbound communication user that you created in step 1, and add a new outbound
communication user for communication back to the SAP Risk Management system. The outbound user is
used to log onto the SAP Risk Management system, so ensure it has sufficient authorization.
3. Creat a communication arrangement, which defines all the relevant information for communication with
the SAP Risk Management system. You can do this in the Communication Arrangements app.
Create the new communication arrangement with communication scenario SAP_COM_0230, and add the
communication system you created in step 2. Define the inbound communication user as the one created
in step 1.
On the SAP Risk Management side, you must perform the following tasks:
1. Create an RFC connector to communicate with the SAP S/4HANA Cloud system.
You can do this in Customizing for Governance, Risk and Compliance under Common Component
Settings Integration Framework Create Connectors .
The RFC destination of the created connector must be the system ID of the SAP S/4HANA Cloud system
and the connection type must be 3 (ABAP Connection).
You must also add the target SCC host name and instance number, and for the logon details you include
the user name you created on the SAP S/4HANA side above.
2. Define the connection types that are used when connecting to the SAP S/4HANA Cloud system.
You can do this in Customizing for Governance, Risk and Compliance under Common Component
Settings Integration Framework Maintain Connectors and Connection Types .
For the new connector, define the following:
○ Target connector: Provide the RFC destination created in step 1.
○ Connection type: SAPTABLES4
○ Source connector: Provide the RFC destination of the current client of the SAP Risk Management
system.
○ Logical port: Again, provide the RFC destination of the current client of the SAP Risk Management
system.
3. Maintain scripts to be used when reading tables in the SAP system.
You can do this in Customizing for Governance, Risk and Compliance under Risk Management Key Risk
Indicators Connectivity Maintain Scripts for SAP Table .
Create a new entry with the following details:
○ Script: The ID of the script for reading the table of the SAP system
○ Script Name: The name of the script
○ Table Name: The name of the SAP system table to be read
The key concepts explained in this documentation for Risk Management are:
Use
The basic risk management process, as suggested by most risk management frameworks, involves the steps
described below. You can use this process to step through all risk management activities, from Customizing to
user processing, up until the reporting phase.
Prerequisites
You have made the corresponding settings in Customizing for Governance, Risk and Compliance under Risk
Management.
Process
1. Risk Planning
In the planning phase, you define and document your company's risk management framework. This allows
the implementation of risk management programs on a large scale, and enables you to streamline and
reduce duplicate efforts in the company’s different organizational units. The following steps are involved in
risk planning:
○ Initial definition and assignment of roles and responsibilities. For more information, see Risk
Management Application Roles [page 31].
○ Setup of the organizational hierarchy and organizational views to be used.
Use
Risk Management uses different levels of authorization, depending on user profiles and the system used, for
the following reasons:
● The back-end system uses different roles than the SAP NetWeaver Portal. A detailed list is provided below.
● The standard SAP authorization concept does not cover the authorization needs of Risk Management, so
RM-specific application roles have been developed. This has the additional advantage that authorizations
can be differentiated according to the entity level involved. One risk manager, for example, can be
responsible for all entities (such as activities, risks, opportunities, and incidents) in one organizational unit,
and another risk manager can be responsible for the same entities in another organizational unit. Each
manager then accesses the risks for which they are responsible, and not all risks in the entire company.
Features
Before it is possible to work with Risk Management, the following kinds of roles must be accessed and
activated:
Note
Standard roles are also referred to as basic roles, and application roles are also referred to as model
roles.
After the application roles have been defined, they can be assigned to different users and different entities
within the RM application, as described in Assigning Roles to Risks and Activities [page 523].
Use
The authorization concept of SAP NetWeaver assigns authorizations to users on the basis of roles. Some
general SAP standard roles are delivered with SAP Risk Management as described below.
You can copy and adjust these default roles in Customizing under SAP NetWeaver Application Server
System Administration Users and Authorizations Maintain Authorizations and Profiles using Profile
Generator Maintain Roles (transaction PFCG).
In the SAP Risk Management application, the power user can assign these roles to the corresponding entities.
Features
The standard roles that are delivered with the SAP Risk Management application are:
● Basic Role (SAP_GRC_FN_BASE): The basic technical role for a user who wants to use either SAP Risk
Management or SAP Process Control. This role contains all necessary authorizations to make the
necessary Customizing settings for this application. This role does not contain any authorizations for the
portal interface.
● Business User (SAP_GRC_FN_BUSINESS_USER): A user with this role is only authorized to perform
operations on assigned entities in SAP Risk Management. We recommend that a user with this role also be
assigned a portal role for SAP Risk Management in order to use the web interface of the application.
● Power User (SAP_GRC_FN_ALL): In addition to the authorizations of the business user, a power user also
has authorization for administrative functions in Customizing, such as the definition of organizational
units.
● Display User (SAP_GRC_FN_DISPLAY): A user with this role can display all risk data in the portal. This role
is useful for external auditors, for example. We recommend using this role in addition to the business user
role.
Note
For more information, see the documentation on the individual roles in transaction PFCG.
Note
If you want to access the functions of SAP Risk Management through the SAP Fiori launchpad, then the
appropriate launchpad role is required. For more information on SAP Fiori configuration, see the SAP Risk
Management 12.0 Security Guide, available at https://help.sap.com/rm.
1. The system administrator assigns the basic role SAP_GRC_FN_BASE to all users working with the SAP Risk
Management application. This role contains the technical authorizations required to run the application.
Without this role, assigned users cannot run the application.
2. The system administrator copies the delivered power user role SAP_GRC_FN_ALL, makes any necessary
adjustments, and assigns the modified copy of the standard role to a user who then becomes a power user
for the application. Alternatively, the delivered standard role can be used directly.
3. The system administrator copies the delivered display user role SAP_GRC_FN_DISPLAY, makes any
necessary adjustments, and assigns the modified copy of the standard role to other users who become
display users for the application. Alternatively, the delivered standard role can be used directly.
4. The system administrator copies the delivered business user role SAP_GRC_FN_BUSINESS_USER, makes
any necessary adjustments, and assigns the modified copy of the standard role to other users who become
business users for the application. Alternatively, the delivered standard role can be used directly. The
business users' authorizations within the application can be defined further by the application roles.
Note
For more information about application roles, see Risk Management Application Roles [page 31].
5. The portal administrator copies the delivered roles, makes any necessary adjustments, and assigns the
modified copy of the enterprise portal roles to the end users to grant them the required access to the SAP
Risk Management application. Alternatively, the delivered standard role can be used directly.
Definition
A large number of users – who may frequently change – perform operations related to risk management in
different functions. The roles and authorization concept ensures the required flexibility for the end user. In
addition to the general SAP standard roles that are maintained by the system administrator in transaction
PFCG, application-specific roles are also available in transaction PFCG, defining the set of operations, and
detailed authorizations for an end-user.
Note
For a list and information on the standard roles delivered with SAP Risk Management, see Standard Roles
and Authorization Objects [page 30].
Use
The application-specific roles defined in transaction PFCG refine the authorizations delivered in the Business
User role (SAP_GRC_FN_BUSINESS_USER). An application-specific role consists of operations (such as create,
Recommendation
To ensure sufficient transparency and oversight for the authorizations currently granted in this application
and for the entities stored for it, a set of predefined authorization reports is also provided. These include a
check to ensure that the segregation of duties is adhered to during the assignment of the SAP default and
application-specific roles.
The following sample application roles are available for use in the SAP Risk Management application:
SAP_GRC_RM_API_CEO_CFO CEO/CFO
You can copy roles to your user namespace and change them, or create other roles according to your
organization's needs. For example, you can define a new validator role, or a reporting role for occasional users
who want to report a risk. For more information, see .
1. Call transaction PFCG and copy the general SAP roles described above to your user namespace.
2. Adjust the authorizations in these roles to suit the requirements of your system.
3. Assign the adjusted roles to the appropriate users.
4. Save your entries.
Note
After users have been assigned to roles, an authorized user or system administrator needs to check that
there is a segregation of duties for SAP Risk Management. This is done via the corresponding authorization
report in the application, called Entity Authorization Analysis, and found under Reports and Analytics
Access Management .
6.3 Workflows
Use
The SAP Risk Management application is shipped with a set of workflows that enable collaboration on risk
management activities within a company by making use of the standard SAP workflow functionality.
SAP workflows are based on the guided procedures that walk users through a risk management activity or
process. Workflow examples include the validation of risk reassessments, validation of assessment results, or
the review of a newly-documented risk in the application.
Workflows in SAP Risk Management can be classified according to whether they are:
● Event-based workflows: These are predefined end-to-end processes triggered by user actions such as
proposing a risk.
Note
Although most workflows are based on the SAP Risk Management Planner [page 499] functions, the
workflows for proposing risks and reporting incidents are handled differently. For these, you must access
the Ad Hoc Tasks section in the My Home work center. For more information, see and Workflow for
Recording Incidents [page 329].
Prerequisites
The following workflow Customizing activities must be carried out before you can work with SAP workflows:
Maintain Custom Agent Determination Rules Specifies the agent determination rules to be used for busi
ness events in Risk Management
Perform Automatic Workflow Customizing Assigns customer notification messages to workflow recipi
ents
Perform Task-Specific Customizing Makes the settings required to adapt SAP workflows to SAP
Risk Management
Features
A workflow is triggered when you schedule a reassessment or validation and includes the following steps:
1. The workflow goes to all recipients that were defined for it, and appears as a task in the recipients' worklist
in the Work Inbox [page 323].
2. The recipients complete the workflow item by accessing the corresponding application to process the data.
The SAP Risk Management application contains the following workflows, carried out using the Planner:
Risk validation Enables the risk manager to obtain sign-off and confirmation
for the current risk (including the assigned responses). For
information, see Risk Validation Workflow [page 421].
Opportunity validation Enables the risk manager to obtain sign-off and confirmation
for the current opportunity (including analysis and assigned
enhancement plans).
Opportunity assessment Supports the risk manager by providing an update for oppor
tunities by sending out an opportunity assessment work
item.
Response update Enables risk managers and risk owners to keep track of cur
rent risk responses by sending work items to the validator's
work inbox. For more information, see Working with Re
sponse Workflows [page 469].
Risk proposal Ensures that users review a (potential) Risk proposed. For information, see
risk entered through the Propose Risk Proposing a Risk [page 325].
function and rework it if needed before
it is stored in the risk database.
Incident validation Ensures that users check a reported in Incident posted. For information, see
cident for completeness and accuracy Working with Incidents [page 485].
before it is stored in the incident data
base.
KRI implementation request Ensures the proper configuration and KRI implementation request. For infor
system setup for Key Risk Indicator mation, see Workflow for KRI Imple
(KRI)-related data, which should be mentation Request [page 394].
available for risk monitoring.
KRI localization request Optional adjustment of an assigned KRI KRI localization request. For informa
with respect to risk-specific settings. tion, see Workflow for KRI Instance Lo
calization Request [page 395].
Propose control (for users of both SAP Allows users (for example, risk manag Risk mitigation using controls. For infor
Risk Management and SAP Process ers) to propose a control to mitigate a mation, see Using PC Controls [page
Control) risk. If you have installed and possess a 466] and Sample Workflow: Control
license for SAP Process, Control, the Proposal Notification [page 468].
proposed control becomes part of the
regular monitoring activities in SAP
Process Control.
Use
Agent determination is the system process that assigns users to workflows. The entity-based authorization
concept in SAP Risk Management is used for agent determination in workflow processing or for surveys. For
each usage of agent determination, a business event is determined. A business event is a placeholder for
recipient determination in workflow-driven scenarios or surveys, and the workflow processor or survey
recipient is considered the agent.
For agent determination, the implementation team maps the SAP Risk Management roles to the business
events in Customizing. The assignment of business events to SAP Risk Management roles in Customizing is
optional. If no Customizing has been defined here, the default system behavior is applied.
When the workflow or survey requires the agent, it triggers the agent determination rule with the
corresponding business event and object ID.
Features
Besides using the SAP-delivered rules and workflows, you can also create your own rules. The customer-
specific rules override the delivered default rules.
More Information
Use
Some enterprise risks are related to environmental and worker safety. SAP has a separate solution,
Environment, Health and Safety Management (EH&S), where such risks can be processed by the solution-
specific mechanisms absent in operational risk management. Integrating EH&S using analysis automation
allows you to track all enterprise risks using one application (Risk Management).
Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their
probability and severity values, and copying those values to the corresponding analysis parameters according
to rules predefined in Customizing.
Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk
analysis. EH&S risk assessments are intended to be processed by an EH&S manager or other responsible user.
Risk managers can use a specific report that runs in the background to track the current probability and impact
levels of the EH&S-related risks that they create (see prerequisite number 9 below).
Prerequisites
Before using analysis automation (integration with EH&S), ensure that the following conditions have been met:
1. The remote system (EH&S) is known, and the logical system has been created for it (transaction SM30,
record in view V_TBDLS).
2. The user is authorized to create risk assessments in the EH&S remote system, and the user's logon
credentials are known.
3. Log object GRRM and log sub-object ANLS_AUTOMATION have been created (transaction SLG0).
4. The RFC destination for the EH&S remote system has been created.
5. RM and EH&S probability and severity level values have been mapped in Customizing under Risk
Management Risk and Opportunity Analysis Map Probability and Severity Values from EH&S and RM .
6. Context dimensions have been created for the EH&S agent, EH&S work area, and material in Customizing
under Risk Management Risk and Opportunity Analysis Map Probability and Severity Values from
EH&S and RM . Use dimension types EHSAGENT, EHSWA, and MATERIAL within the logical system
mentioned in step 1 and the RFC destination created in step 4.
7. Context dimensions have been assigned to a risk and risk category entity in Customizing under Risk
Management Master Data Setup Assign Dimension to Entity . Assign the dimensions created in step 6
to the entities RISK and CRGROUP.
8. Context dimensions have been set as allowed for the risk category you will use when creating a risk. In the
Risk Management application, go to Master Data Risks and Responses Risk Catalog . Open the
desired risk category, go to tab Allowed dimensions, and add the dimensions created in step 6.
9. You have scheduled the report GRRM_ANLS_AUTOM_STATUS_UPDATE to run with a period of 1 hour.
Note
Instead of an EH&S agent, you can use a material (depending on conditions and requirements).
Caution
Be sure that no risk assessment with the specified combination of work area and agent/material
already exists in EH&S. Such an existing risk assessment will not be overwritten by the new risk
assessment (in other words, the new risk assessment will not be created).
A new risk assessment is created in the EH&S application of the remote system to be processed by the EH&S
manager or other responsible user. The EH&S risk assessment will be assigned probability and severity values.
A background job (step 9 of prerequisites) replicates these values as probability and impact level values for the
corresponding risk analysis in Risk Management.
Customer organizations can add their own fields to the applications they have licensed.
For more information, see the corresponding Customizing section and Adding Customer-Defined Fields [page
39].
Use
● For HR entities:
○ Risk, risk template, risk category
○ Opportunity, opportunity template, opportunity category
○ Activity and activity category
○ Response template
● For non-HR entities:
○ Response
○ Enhancement plan
○ Incident
Customer-defined fields can be defined as mandatory, read-only, or hidden. You can also define a specific input
check for customer-defined fields.
Prerequisites
To add customer-specific fields to screens of the Risk Management application, proceed as follows:
1. Call up the Customizing for Risk Management and carry out the activities under the corresponding section
of User-Defined Fields.
2. Access SAP Note number 1470670 and its attachments for more detailed information.
Caution
You must test all changes in the development system before transporting them to the test and production
systems.
Via the copy or assignment procedure, customer-defined fields that were created for a risk template are copied
into a risk. For more information on risk template creation, see Creating a Risk Template [page 368].
The SAP Risk Management, SAP Process Control, and SAP Access Control applications use several risk-related
terms that may need an explanation. The following table provides an overview of risk terms with their
definitions and the location in the applications where they are used.
SAP Risk Management SAP NetWeaver application for manag Entire SAP Risk Management applica
ing enterprise-wide risks tion
Risk An uncertain event or condition that, if Entire SAP Risk Management applica
it occurs, has a negative impact on tion
business objectives
Risk assessment The evaluation of risks through defini- Assessments work center
tion and mitigation via responses
Risk template A template to be used for creating ac Master Data work center, Risk Catalog
tual risks
Primary risk A risk used in a scenario, which has no Assessments work center, Scenario
risks influencing it Management
Top risks A report containing user-defined risks Reports and Analytics work center,
that are very significant to management Management section
Influenced risk A risk influenced by another risk Assessments work center, Risks and
Opportunities
Risk event A risk that has not occurred Assessments work center, Incident
Management
Inherent risk Overall risk before response Assessments work center, Risks and
Opportunities, Analysis tab of a risk
Residual risk Overall risk after response Assessments work center, Risks and
Opportunities, Analysis tab of a risk
Proposed risk, risk proposal A risk proposed by a casual user My Home work center, Ad-hoc tasks
Risk appetite Level of risk to be supported, which can Master Data work center, Organizations
be described qualitatively and quantita
tively
Underlying risk Risk defined on lower level of organiza Assessments work center, Risks and
tion Opportunities
Risk category User-defined category of risk Master Data work center, Risks and
Responses, Risk Catalog
Parent risk category A high-level user-defined risk category Master Data work center, Risks and
Responses, Risk Catalog
Risk incident An incident entered directly for a risk Assessments work center, Risks and
Opportunities, Risk Incidents tab, and
Incident Management section
Risk level Specifies degree of risk using traffic Assessments work center, Risks and
light icons Opportunities
Risk factor Synonym of influence factor, a risk with Assessments work center, Risks and
probability and impact data attached Opportunities
Risk summary A report summarizing all risks per pe Reports and Analytics work center
riod, organization, and so on
Risk analysis Analysis of one risk Assessment work center, Risks and
Opportunities, Analysis tab of a risk
Risk scenario A scenario containing several risks to Assessments work center, Scenario
be analyzed and evaluated Management
Risk aspect A field in reports evaluating risks. By Reports and Analytics work center,
checkmarking this field in reports, the Risks per Organizational Unit
user can see how an impact level would
be rated if the risk were seen from the
perspective (aspect) of a different or
ganizational unit.
Local risk The same as a risk instance Assessments work center, Risks and
Opportunities, Analysis tab
Access risk A risk defined for the SAP Access Con Access Management work center,
trol application, specifying the severity Access Risk Analysis section
of an irregularity related to Segregation
of Duties (SOD) risks.
SOD risk The same as an access risk Access Management work center,
Access Risk Analysis section
Use
The structure contains the documents that describe operational reporting for Governance, Risk, and
Compliance based on Operational Data Provisioning (ODP). ODP is a metadata concept in SAP NetWeaver that
provides a technical infrastructure that you can use to support application scenarios such as data replication
and operational analytics. You can use operational reporting for real-time analysis of data. You can access the
data in your system directly without having to replicate it into a separate BW system.
In GRC, predefined search and analysis models are delivered for reporting and enterprise search. You can use
these models directly or create your own models in the modelling environment.
For more information about ODP and models, see the documentation at http://help.sap.com , under SAP
NetWeaver AS for ABAP 7.52 Application Help SAP NetWeaver Library: Function-Oriented View Search
and Operational Analytics Operational Data Provisioning .
More Information
An authorization allows a user to perform a specific action on a specific object. You can define authorization
checks to be performed for the nodes in a business object by adding authorization objects to the node. In this
way, you can configure that only authorized users can access the data in search results or reporting.
Note
Ad-hoc Issue and Policy use role-user assignment authorization. The assignment information is stored in
table GRFNROLEASSNMT.
Some objects contain special entity IDs that cover two HR object types. In such cases, the object ID length of
these entities are extended to 9, allowing one extra character for identification. These objects use the special
complex ID authorization check GRFN_AUTH_C. The following is a list of special HR objects that uses complex
ID authorization check.
Use
This chapter discusses how to add customer defined fields (CDF) in ODP models which has BW data source.
Prerequisites
You have implemented CDF support to the master data used in the ODP model.
Procedure
1. Go to transaction RSA6, find your data source and choose Enhance Extraction Structure.
2. Enter the structure name and choose continue to create a new structure.
3. Enter the necessary fields according to the CDF definition. Make sure the field name completely matches
the CDF structure. Now the BI structure should have the newly created structure appended.
As the data source extractor always pass values according to the field name, normally this should work
and return the CDF value in the data source. If not, check if the datamart is filled with the CDF.
4. Go to the ODP modeler, open the corresponding model and update the node. The newly appended field
appears. Adjust the related settings and generate the ODP again.
For more information, see SAP NetWeaver help document at http://help.sap.com under SAP NetWeaver
AS for ABAP 7.52 Application Help SAP NetWeaver Library: Function-Oriented View Search and
Operational Analytics Creating Search and Analysis Models Creating or Extending Search and Analysis
Models
A search and analytic model reflects a business entity consisting of segments modeled via nodes. Nodes can
be connected to other nodes by means of composition or association relationships using foreign-key
dependencies.
The following structure contains both common models and product specific models.
Related Information
The following structure contains the common search and analytics models shared by both the SAP Process
Control and SAP Risk Management applications.
Related Information
Use
This search and analytics model is used to get the ad-hoc issue data.
Technical Data
DataSource 0GFN_AI_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GFN_AI_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_AIPRIO.0GFN_AI_PRIORITY_TEX
Association 0GFN_AI_ATTR20GFN_AI_PRIORITY_TE
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_AI_STATUS.0GFN_AI_STATUS_TEXT
Association 0GFN_AI_ATTR20GFN_AI_STATUS_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GFN_AI_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GFN_AI_ATTR20GFN_TF_FREQ
Foreign Key
Use
This search and analytics model is used to get the business rule data.
Technical Data
DataSource 0GFN_BR_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GFN_BR_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GFN_BR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GFN_BR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_EO.0GFN_DS_ATTR
Association 0GFN_BR_ATTR20GFN_DS_ATTR
Sub-query No
Foreign Key
Node 0GFN_BRANTY.0GFN_BR_ANYSTYPE_TEX
Association 0GFN_BR_ANYSTYPE_TEX20GFN_BR_ATT
Sub-query No
Foreign Key
Node 0GFN_BRCATE.0GFN_BR_CATEGORY_TEX
Association 0GFN_BR_CATEGORY_TEX20GFN_BR_ATT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_BRSTAT.0GFN_BR_STATUS_TEXT
Association 0GFN_BR_STATUS_TEXT20GFN_BR_ATTR
Cardinality Arbitrary
Sub-query No
Node 0GFN_JP.0GFN_JP_ATTR
Association 0GFN_JP_ATTR20GFN_BR_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the data source attributes.
DataSource 0GFN_DS_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GFN_DS_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GFN_DS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GFN_DS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GFN_DS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_EOSUBS.0GFN_DS_SUBSCENARIO
Association 0GFN_DS_ATTR20GFN_DS_SUBSCENARIO
Sub-query No
Node 0GFN_EOCOTP.0GFN_DS_CONN_TYPE
Association 0GFN_DS_ATTR20GFN_DS_CONN_TYPE
Sub-query No
Foreign Key
Node 0GFN_EOCONN.0GFN_DS_CONNECTOR_TE
Association 0GFN_DS_ATTR20GFN_DS_CONNECTOR_T
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_BR.0GFN_BR_ATTR
Association 0GFN_BR_ATTR20GFN_DS_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the organization unit attributes.
Technical Data
DataSource 0GFN_OU_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GFN_OU_TEXT
Association
Cardinality Arbitrary
Sub-query Yes
Foreign Key
Node 0GFN_OUQAPP.0GFN_OU_QAPP_TEXT
Association 0GFN_OU_ATTR20GFN_OU_QAPP_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_REGION.0REGION_TEXT
Association 0GFN_OU_ATTR20REGION_TEXT
Cardinality Arbitrary
Foreign Key
Node 0GFN_COUNTRY.0COUNTRY_TEXT
Association 0GFN_OU_ATTR20COUNTRY_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GFN_OU_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GFN_OU_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GFN_OU_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_ENTTYP.0GFN_ENTTYP_TEXT
Association 0GFN_OU_ATTR20GFN_ENTTYP_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GFN_OU_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GPC_OUINSC.0GPC_OUINSC_TEXT
Association 0GFN_OU_ATTR20GPC_OUINSC
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_OUISPR.0GPC_OUISPR_TEXT
Association 0GFN_OU_ATTR20GPC_OUISPR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Sub-query No
Foreign Key
Node 0GFN_OUVAMC.0GFN_OUVAMC_TEXT
Association 0GFN_OU_ATTR20GFN_OUVAMC
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OUVAMT.0GFN_OUVAMT_TEXT
Association 0GFN_OUVAMT.0GFN_OUVAMT_TEXT
Cardinality Arbitrary
Foreign Key
Node 0GFN_OUREMC.0GFN_OUREMC_TEXT
Association 0GFN_OU_ATTR20GFN_OUREMC
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OUREMT.0GFN_OUREMT_TEXT
Association 0GFN_OU_ATTR20GFN_OUREMT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL
Association 0GPC_SP_RS_CN_ALL20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_SPSRC.0GPC_SP_RS_SOURCE_AT
Association 0GPC_SP_RS_SOURCE_AT20GFN_OU_ATT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_PR.0GPC_PR_ATTR
Association 0GPC_PR_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN_RS.0GPC_CN_RS_ATTR
Association 0GPC_CN_RS_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN.0GPC_CN_ATTR
Association 0GPC_CN_ATTR20GFN_OU_ATTR_1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_V0.0GPC_V0_ATTR
Association 0GPC_V0_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EG.0GPC_EG_ATTR
Association 0GPC_EG_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EC.0GPC_EC_ATTR
Association 0GPC_EC_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_JP.0GFN_JP_ATTR
Association 0GFN_JP_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN.0GPC_CN_ATTR
Association 0GPC_CN_ATTR20GFN_OU_ATTR_2
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_EP.0GRM_EP_ATTR
Association 0GRM_EP_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_SP.0GPC_SP_ATTR
Association 0GPC_SP_ATTR20GFN_OU_ATTR_O
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_SP.0GPC_SP_ATTR
Association 0GPC_SP_ATTR20GFN_OU_ATTR_SS
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_AC_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IL_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IN_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN.0GRM_KN_ATTR
Association 0GRM_KN_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GRM_RP_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_W5_ATTR.0GRM_W5_ATTR
Association 0GRM_W5_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
OBJID OU Equal
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GFN_OU_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_M3.0GPC_CN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the organization hierarchy attributes.
Technical Data
DataSource 0GFN_OU_GFNH_HIER
Node HIERARCHY_ELEMENT
Cardinality Arbitrary
Sub-query Yes
Foreign Key
Node HIERARCHY_FOLDERTEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association HIERARCHY_ELEMENT20GFN_OU_ATTR
Sub-query No
Foreign Key
Node HIERARCHY_HEADERTEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
6.7.3.1.6 Policy
Use
Technical Data
DataSource 0GFN_PO_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GFN_PO_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_POCATEG.0GFN_PO_CATEG_TEXT
Association 0GFN_PO_ATTR20GFN_PO_CATEG_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_POSTATUS.0GFN_PO_STATUS_TEXT
Association 0GFN_PO_ATTR20GFN_PO_STATUS_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_POTYPE.0GFN_PO_TYPE_TEXT
Association 0GFN_PO_ATTR20GFN_PO_TYPE_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the risk data.
Technical Data
DataSource 0GFN_RS_ATTR
ODP-Semantics Texts
Node 0GFN_RS_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RSL.0GRM_RSL_TEXT
Association 0GFN_RS_ATTR20GRM_RSL_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_RSSTAT.0GFN_RS_STATUS_TEXT
Association 0GFN_RS_ATTR20GFN_RS_STATUS_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GFN_RS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GFN_RS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GFN_RS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GRM_PBL.0GRM_PBL_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL
Association 0GFN_RS_ATTR20GPC_SP_RS_CN_ALL
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN_RS.0GPC_CN_RS_ATTR
Association 0GFN_RS_ATTR20GPC_CN_RS_ATTR
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GFN_RS_ATTR20GRM_OU_AC_RS
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_IN
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GFN_RS_ATTR20GRM_KN_KRI_VALUES
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GFN_RS_ATTR20GRM_IL_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GFN_RS_ATTR20GRM_IN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GFN_RS_ATTR20GRM_IN_IL_IC
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN.0GRM_KN_ATTR
Association 0GFN_RS_ATTR20GRM_KN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GFN_RS_ATTR20GRM_RP_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_W5_ATTR.0GRM_W5_ATTR
Association 0GFN_RS_ATTR20GRM_W5_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
RS_ID RS Equal
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GFN_RS_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GFN_RS_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
6.7.3.1.8 Timeframe
Use
This search and analytics model is used to get the timeframe attributes.
Technical Data
DataSource 0GFN_TF_ATTR
ODP-Semantics Texts
Node 0GFN_TF_TEXT
Association
Cardinality Arbitrary
Sub-query Yes
Foreign Key
Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH
Association 0GFN_OU_ATTR_ESH20GFN_TF_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_COBJ.0GPC_COBJ_ATTR
Association 0GPC_COBJ_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_AG.0GPC_AG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EC.0GPC_EC_ATTR
Association 0GPC_EC_ATTR20GFN_TF_ATTR_1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_TP.0GPC_TP_ATTR
Association 0GPC_TP_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GFN_OU_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_BR.0GFN_BR_ATTR
Association 0GFN_BR_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_TL.0GPC_TL_ATTR
Association 0GPC_TL_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_EO.0GFN_DS_ATTR
Association 0GFN_DS_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OC.0GRM_OC_TEXT
Association 0GRM_OC_TEXT20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GFN_TF_ATTR
Cardinality Arbitrary
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RE.0GPC_RE
Association 0GPC_RE20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_ATT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_ATT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EG.0GPC_EG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_RG_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_EP.0GRM_EP_ATTR
Association 0GRM_EP_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Foreign Key
Node 0GPC_AS.0GPC_AS_ATTR
Association 0GPC_AS_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN.0GPC_CN_ATTR
Association 0GPC_CN_ATTR20GFN_TF_ATTR_1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG
Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_ATT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN_RS.0GPC_CN_RS_ATTR
Association 0GPC_CN_RS_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_M3.0GPC_CN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_V0.0GPC_V0_ATTR
Association 0GPC_V0_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_AI.0GFN_AI_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL
Association 0GPC_SP_RS_CN_ALL20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_H2E.0GPC_EC_ATTR
Cardinality Arbitrary
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_AC_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IL_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IN_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_CA_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN.0GRM_KN_ATTR
Association 0GRM_KN_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GRM_RP_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KT.0GRM_KT_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OG_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Foreign Key
Node 0GPC_PL.0GPC_PL_ATTR
Association 0GPC_PL_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OB.0GRM_OB_ATTR
Association 0GRM_OB_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_F5.0GPC_TL_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_IS.0GPC_IS_ATTR
Association 0GPC_IS_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the timeframe frequency attributes.
Technical Data
DataSource 0GFN_TF_FREQ
ODP-Semantics Texts
Node 0GFN_TFFRQ_TEXT
Association
Cardinality Arbitrary
Sub-query Yes
Foreign Key
Node 0GPC_COBJ.0GPC_COBJ_ATTR
Association 0GPC_COBJ_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GPC_AG.0GPC_AG_ATTR
Association 0GPC_AG_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EC.0GPC_EC_ATTR
Association 0GPC_EC_ATTR20GFN_TF_FREQ_1
Cardinality Arbitrary
Sub-query No
Node 0GPC_TP.0GPC_TP_ATTR
Association 0GPC_TP_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GFN_OU_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_BR.0GFN_BR_ATTR
Association 0GFN_BR_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_TL.0GPC_TL_ATTR
Association 0GPC_TL_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_EO.0GFN_DS_ATTR
Association 0GFN_DS_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_AC_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GFN_TF_FREQ
Cardinality Arbitrary
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KT.0GRM_KT_ATTR
Association 0GRM_KT_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_CA_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RE.0GPC_RE
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_FRE
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_FRE
Cardinality Arbitrary
Foreign Key
Node 0GPC_EG.0GPC_EG_ATTR
Association 0GPC_EG_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_RG_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OC.0GRM_OC_TEXT
Association 0GRM_OC_TEXT20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_EP.0GRM_EP_ATTR
Association 0GRM_EP_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_AS.0GPC_AS_ATTR
Association 0GPC_AS_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN.0GPC_CN_ATTR
Association 0GPC_CN_ATTR20GFN_TF_FREQ_1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN_RS.0GPC_CN_RS_ATTR
Association 0GPC_CN_RS_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_M3.0GPC_CN_ATTR
Cardinality Arbitrary
Foreign Key
Node 0GPC_V0.0GPC_V0_ATTR
Association 0GPC_V0_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_AI.0GFN_AI_ATTR
Association 0GFN_AI_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL
Association 0GPC_SP_RS_CN_ALL20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_H2E.0GPC_EC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IL_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IN_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN.0GRM_KN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GRM_RP_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GFN_TF_FREQ
Cardinality Arbitrary
Foreign Key
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OG_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_PL.0GPC_PL_ATTR
Association 0GPC_PL_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OB.0GRM_OB_ATTR
Association 0GRM_OB_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_F5.0GPC_TL_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_IS.0GPC_IS_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR
Association 0GPC_V9_ATTR20GFN_TF_FREQ
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the timeframe year attributes.
DataSource 0GFN_TF_YEAR
Node 0GPC_COBJ.0GPC_COBJ_ATTR
Association 0GPC_COBJ_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_AG.0GPC_AG_ATTR
Association 0GPC_AG_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EC.0GPC_EC_ATTR
Association 0GPC_EC_ATTR20GFN_TF_YEAR_1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_TP.0GPC_TP_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GFN_OU_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_BR.0GFN_BR_ATTR
Association 0GFN_BR_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Foreign Key
Node 0GPC_TL.0GPC_TL_ATTR
Association 0GPC_TL_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_EO.0GFN_DS_ATTR
Association 0GFN_DS_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OC.0GRM_OC_TEXT
Association 0GRM_OC_TEXT20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GFN_TF_YEAR
Cardinality Arbitrary
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RE.0GPC_RE
Association 0GPC_RE20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_YEA
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_YEA
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_EG.0GPC_EG_ATTR
Association 0GPC_EG_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_RG_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_EP.0GRM_EP_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_AS.0GPC_AS_ATTR
Association 0GPC_AS_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN.0GPC_CN_ATTR
Association 0GPC_CN_ATTR20GFN_TF_YEAR_1
Cardinality Arbitrary
Foreign Key
Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG
Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_YEA
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_CN_RS.0GPC_CN_RS_ATTR
Association 0GPC_CN_RS_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_M3.0GPC_CN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_V0.0GPC_V0_ATTR
Association 0GPC_V0_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_AI.0GFN_AI_ATTR
Association 0GFN_AI_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL
Association 0GPC_SP_RS_CN_ALL20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_H2E.0GPC_EC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_AC_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH
Association 0GFN_OU_ATTR_ESH20GFN_TF_YEAR
Cardinality Arbitrary
Foreign Key
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IL_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IN_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_CA_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KN.0GRM_KN_ATTR
Association 0GRM_KN_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GRM_RP_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_KT.0GRM_KT_ATTR
Association 0GRM_KT_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OG_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_PL.0GPC_PL_ATTR
Association 0GPC_PL_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Foreign Key
Node 0GRM_OB.0GRM_OB_ATTR
Association 0GRM_OB_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_F5.0GPC_TL_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_IS.0GPC_IS_ATTR
Association 0GPC_IS_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR
Association 0GPC_V9_ATTR20GFN_TF_YEAR
Cardinality Arbitrary
Sub-query No
Foreign Key
The following structure contains search and analytics models used in SAP Risk Management.
Use
This search and analytics model is used to get the activity data.
Technical Data
DataSource 0GRM_AC_ATTR
ODP-Semantics Texts
Node 0GRM_AC_TEXT
Association
Cardinality Arbitrary
Sub-query Yes
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_AC_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_AC_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_AC_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_AC_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_AC_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_AC_ATTR20GRM_CA_ATTR
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GRM_AC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GRM_AC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GRM_AC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GRM_AC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GRM_AC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GRM_AC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GRM_AC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Activity Category data.
Technical Data
DataSource 0GRM_CA_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_CA_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_CA_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_CA_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_CA_HIER.HIERARCHY_ELEMENT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_AC_ATTR20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GRM_CA_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Activity Category data.
Technical Data
DataSource 0GRM_CA_GRMH_HIER
Node HIERARCHY_ELEMENT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node HIERARCHY_FOLDERTEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_CA.0GRM_CA_ATTR
Cardinality Up to One
Sub-query No
Foreign Key
Node HIERARCHY_HEADERTEXT
Association 0GRM_CA_ATTR20GFN_TF_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
6.7.3.2.4 Analysis
Use
This search and analytics model is used to get the analysis data.
Technical Data
DataSource 0GRM_AL_ATTR
Authorization Checks
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_AL_ATTR20GRM_OR_ATTR
Sub-query Yes
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_AL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_AL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_AL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_AL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GRM_AL_ATTR20GFN_RS_ATTR
Sub-query No
Foreign Key
Node 0GRM_AL_STATUS_TEXT.0GRM_AL_STATUS_TEXT
Association 0GRM_AL_STATUS_TEXT.0GRM_AL_STATUS_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_AL_ATTR20GFN_USER_TEXT1
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_AL_ATTR20GFN_USER_TEXT2
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_AL_ATTR20GFN_USER_TEXT3
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
Use
This search and analytics model is used to get the Forecasting Horizon Analysis attributes.
Technical Data
Authorization Checks
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_W5_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU OBJID Equal
Node 0GRM_FH.0GRM_FH_ATTR
Association 0GRM_W5_ATTR20GRM_FH_ATTR
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_W5_ATTR
Sub-query No
Foreign Key
RS RS_ID Equal
Use
This search and analytics model is used to get the Central Opportunity data.
Technical Data
DataSource 0GRM_OC_TEXT
ODP-Semantics Texts
Authorization Checks
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OC_TEXT20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OC_TEXT20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the enhancement plan attributes.
Technical Data
DataSource 0GRM_EP_ATTR
Authorization Checks
Node 0GRM_EP_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_EP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_EP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_EP_ATTR20GFN_TF_FREQ
Sub-query No
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_EP_ATTR20GFN_USER_T1
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_EP_ATTR20GFN_USER_T2
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_EP_ATTR20GFN_USER_T3
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_EP_ATTR20GFN_USER_T4
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_EP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_RP_ST.0GRM_RP_STATUS_TEXT
Association 0GRM_EP_ATTR20GRM_RP_STATUS_TEXT
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_EP_ATTR20GFN_USER_T5
Sub-query No
Foreign Key
Node 0GRM_EP_TYPE_TEXT.0GRM_EP_RESP_TYPE_TE
Association 0GRM_EP_ATTR20GRM_EP_RESP_TYPE_T
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Activity data for Enterprise Search.
Technical Data
Use
This search and analytics model is used to get the Incident data for Enterprise Search.
Technical Data
DataSource GRFN_S_IN_ATTR
Use
This search and analytics model is used to get the Response data for Enterprise Search.
DataSource GRRM_S_ESH_RESPONSE
Use
This search and analytics model is used to get the Risk data for Enterprise Search.
Technical Data
DataSource GRRM_S_ESH_RS
Use
This search and analytics model is used to get the Forecasting Horizon data.
Technical Data
DataSource 0GRM_FH_ATTR
ODP-Semantics Texts
Node 0GRM_FH_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_FH_ATTR20GFN_USER_TEXT1
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_FH_ATTR20GFN_USER_TEXT2
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_FH_ATTR20GFN_USER_TEXT3
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_FH_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
Node 0GRM_FH_STATUS_TEXT.0GRM_FH_STATUS_TEXT
Association 0GRM_FH_STATUS_TEXT20GRM_FH_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_W5_ATTR.0GRM_W5_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
Technical Data
DataSource 0GRM_IA_ATTR
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_IA
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_IA_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_IA_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_IA_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IA_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Impact Category data.
Technical Data
DataSource 0GRM_IC_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_IC_CATEGORY_TEX
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GRM_IC_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
6.7.3.2.15 Incident
Use
This search and analytics model is used to get the Incident data.
Technical Data
DataSource 0GRM_IN_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_IN_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_IN_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_IN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_IN_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_IN_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_IN_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GRM_IN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GRM_IN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IL_ATTR20GRM_IN_ATTR
Cardinality Arbitrary
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key
Use
Technical Data
DataSource 0GRM_IN_IL_IC
Authorization Checks
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IN_IL_IC20GRM_IN_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_IN_IL_IC20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_IN_IL_IC20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_IN_IL_IC20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GRM_IC.0GRM_IC_ATTR
Sub-query No
Foreign Key
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IN_IL_IC20GRM_IL_ATTR
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_IN_IL_IC20GFN_OU_ATTR
Sub-query No
Foreign Key
TIMEFRAME TIMEFRAME
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_IN_IL_IC20GRM_CA_ATTR
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_IN_IL_IC20GRM_RG_ATTR
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_IN_IL_IC
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the KRI Instance data.
Technical Data
DataSource 0GRM_KN_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_KN_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_KN_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_KN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_KN_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_KN_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_KN_ATTR20GFN_USER_TEXT1
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_KN_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
Node 0GRM_KN_STATUS.0GRM_KN_STATUS_TEXT
Association 0GRM_KN_STATUS_TEXT20GRM_KN_ATTR
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GRM_KN_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
TF_FREQ TF_FREQ
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_KN_ATTR
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the KRI instance values.
Technical Data
DataSource 0GRM_KN_KRI_VALUES
Authorization Checks
Node 0GRM_KN.0GRM_KN_ATTR
Association 0GRM_KN_KRI_VALUES20GRM_KN_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_KN_KRI_VALUES20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_KN_KRI_VALUES20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_KN_KRI_VALUES20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_KN_KRI_VALUES20GFN_OU_ATTR
Sub-query No
Foreign Key
TIMEFRAME TIMEFRAME
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_KN_KRI_VALUES20GRM_CA_ATTR
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_KN_KRI_VALUES20GRM_AC_ATTR
Sub-query No
Foreign Key
Node 0GRM_KT.0GRM_KT_ATTR
Association 0GRM_KN_KRI_VALUES20GRM_KT_ATTR
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_KN_KRI_VALUES20GRM_RG_ATTR
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_KN_KRI_VALUES
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the KRI template data.
DataSource 0GRM_KT_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_KT_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_KT_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_KT_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GRM_KT_STATUS.0GRM_KT_STATUS_TEXT
Association 0GRM_KT_STATUS_TEXT20GRM_KT_ATTR
Foreign Key
Node 0GRM_KT_SYSTEM.0GRM_KT_SYSTEM_TEXT
Association 0GRM_KT_SYSTEM_TEXT20GRM_KT_ATTR
Sub-query No
Foreign Key
Node 0GRM_KT_COMP.0GRM_KT_COMP_TEXT
Association 0GRM_KT_COMP_TEXT20GRM_KT_ATTR
Sub-query No
Foreign Key
Node 0GRM_KT_BUSPROC.0GRM_KT_BUSPROC_TEXT
Association 0GRM_KT_BUSPROC_TEXT20GRM_KT_ATT
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GRM_KT_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Loss Attributes data.
Technical Data
DataSource 0GRM_IL_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_IL_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_IL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_IL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_IL_ATTR20GFN_TF_YEAR
Sub-query No
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_IL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IL_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GRM_IL_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_IL_ATTR
Sub-query No
Foreign Key
6.7.3.2.21 Objective
Use
This search and analytics model is used to get the Objective data.
Technical Data
DataSource 0GRM_OB_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_OB_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OB_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OB_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GRM_OB_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Opportunity Category data.
Technical Data
DataSource 0GRM_OG_ATTR
ODP-Semantics Texts
Node 0GRM_OG_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_OG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GRM_OG_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GRM_OG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GRM_OG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GRM_OG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GRM_OG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Opportunity Hierarchy data.
Technical Data
DataSource 0GRM_OG_GRMH_HIER
Node HIERARCHY_ELEMENT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node HIERARCHY_FOLDERTEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OG.0GRM_OG_ATTR
Association HIERARCHY_ELEMENT20GRM_OG_ATTR
Cardinality Up to One
Sub-query No
Foreign Key
Node HIERARCHY_HEADERTEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
6.7.3.2.24 Opportunity
Use
This search and analytics model is used to get the Opportunity data.
Technical Data
DataSource 0GRM_OR_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_OR_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OR_ATTR20GFN_TF_YEAR
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_OR_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_OR_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_OB.0GRM_OB_ATTR
Association 0GRM_OB.0GRM_OB_ATTR
Sub-query No
Foreign Key
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OR_ATTR20GRM_OG_ATTR
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_OR_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GRM_OR_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GRM_OR_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Activity and Opportunity assignment data.
Technical Data
DataSource 0GRM_OU_AC_OR
Authorization Checks
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_OU_AC_OR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_OU_AC_OR20GRM_AC_ATTR
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OU_AC_OR20GRM_OR_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OU_AC_OR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_OU_AC_OR20GFN_TF_FREQ
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_OU_AC_OR20GRM_CA_ATTR
Sub-query No
Foreign Key
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OU_AC_OR20GRM_OG_ATTR
Sub-query No
Use
This search and analytics model is used to get the Activity and Opportunity enhancement plan data.
Technical Data
DataSource 0GRM_OU_AC_OR_RP
Authorization Checks
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_OU_AC_OR_RP20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_OU_AC_OR_RP20GRM_AC_ATTR
Sub-query No
Foreign Key
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OU_AC_OR_RP20GRM_OR_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OU_AC_OR_RP20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_OU_AC_OR_RP20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GRM_EP.0GRM_EP_ATTR
Association 0GRM_OU_AC_OR_RP20GRM_EP_ATTR
Sub-query No
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_OU_AC_OR_RP20GRM_CA_ATTR
Sub-query No
Foreign Key
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OU_AC_OR_RP20GRM_OG_ATTR
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Activity and Risk assignment data.
Technical Data
DataSource 0GRM_OU_AC_RS
Authorization Checks
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_OU_AC_RS20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_OU_AC_RS20GRM_AC_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OU_AC_RS20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OU_AC_RS20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_OU_AC_RS20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_OU_AC_RS20GRM_CA_ATTR
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_OU_AC_RS20GRM_RG_ATTR
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_OU_AC_RS
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Activity, Risk, and Incident assignment data.
Technical Data
DataSource 0GRM_OU_AC_RS_IN
Authorization Checks
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_OU_AC_RS_IN20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_OU_AC_RS_IN20GRM_AC_ATTR
Sub-query No
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_OU_AC_RS_IN20GRM_IN_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OU_AC_RS_IN20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_OU_AC_RS_IN20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OU_AC_RS_IN20GFN_TF_YEAR
Sub-query No
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_OU_AC_RS_IN20GRM_CA_ATTR
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_OU_AC_RS_IN20GRM_RG_ATTR
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_IN
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Activity, Risk, and Response assignment data.
DataSource 0GRM_OU_AC_RS_RP
Authorization Checks
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_OU_AC_RS_RP20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_OU_AC_RS_RP20GRM_AC_ATTR
Sub-query No
Foreign Key
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GRM_OU_AC_RS_RP20GRM_RP_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_OU_AC_RS_RP20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_OU_AC_RS_RP20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_OU_AC_RS_RP20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GRM_CA.0GRM_CA_ATTR
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_OU_AC_RS_RP20GRM_RG_ATTR
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_RP
Sub-query No
Foreign Key
6.7.3.2.30 Response
Use
This search and analytics model is used to get the Response data.
Technical Data
DataSource 0GRM_RP_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_RP_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_RP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GRM_RP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_RP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_RP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_RP_ATTR20GFN_USER_TEXT1
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_RP_ATTR20GFN_USER_TEXT2
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_RP_ATTR20GFN_USER_TEXT3
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_RP_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
Node 0GRM_RP_ST.0GRM_RP_STATUS_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GRM_RP_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_RS.0GFN_RS_ATTR
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the risk and impact category assignment data.
Technical Data
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_RS_IC20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GRM_RS_IC20GFN_TF_ATTR
Association 0GRM_RS_IC20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_RS_IC20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GRM_RS_IC20GFN_OU_ATTR
Sub-query No
Foreign Key
Node 0GRM_RS_IC_TEXT.0GRM_RS_IC_TEXT
Association 0GRM_RS_IC_TEXT.0GRM_RS_IC_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GRM_RS_IC20GFN_RS_ATTR
Sub-query No
Foreign Key
Node 0GRM_IML.0GRM_IML_TEXT
Association 0GRM_RS_IC20GRM_IML_TEXT0
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IML.0GRM_IML_TEXT
Association 0GRM_RS_IC20GRM_IML_TEXT1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IML.0GRM_IML_TEXT
Association 0GRM_RS_IC20GRM_IML_TEXT1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IML.0GRM_IML_TEXT
Association 0GRM_RS_IC20GRM_IML_TEXT1
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IML.0GRM_IML_TEXT
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Risk Category data.
Technical Data
DataSource 0GRM_RG_ATTR
ODP-Semantics Texts
Authorization Checks
Node 0GRM_RG_TEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GRM_RG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GRM_RG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GRM_RG_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GRM_RG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GRM_RG_ATTR
Sub-query No
Foreign Key
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GRM_RG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GRM_RG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GRM_RG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GRM_RG_ATTR
Cardinality Arbitrary
Sub-query No
Foreign Key
Use
This search and analytics model is used to get the Risk Category Hierarchy data.
Technical Data
DataSource 0GRM_RG_GRMH_HIER
Node HIERARCHY_ELEMENT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node HIERARCHY_FOLDERTEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Node 0GRM_RG.0GRM_RG_ATTR
Association HIERARCHY_ELEMENT20GRM_RG_ATTR
Cardinality Up to One
Sub-query No
Foreign Key
Node HIERARCHY_HEADERTEXT
Association
Cardinality Arbitrary
Sub-query No
Foreign Key
Work centers provide a central access point for the entire GRC functionality. They are organized to provide easy
access to application activities, and contain menu groups and links to further activities.
This documentation is structured according to the structures within the individual work centers, and contains
links to further documentation for the menu groups and links.
Note
The application provides a standard set of work centers. However, your system administrator can
customize them according to your organization's internal structures. Depending on the product or
products that you have licensed, different areas of the GRC application are displayed (SAP Access Control,
SAP Process Control, SAP Risk Management).
7.1 My Home
Use
The My Home work center provides a central location to view and act on your assigned tasks, and accessible
objects: organizations, processes, subprocesses, controls.
Note
The My Home work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications. The menu groups and quick links available on the screen are determined by the
applications you have licensed. The content in this topic covers the functions specific to SAP Risk
Management. If you have licensed additional products, such as SAP Access Control or SAP Process
Control, refer to the relevant topics below for the application-specific functions.
● View, access, and address workflow tasks assigned to you, including completed reports that you
scheduled.
● Search for objects and documents for which you have authorization.
● Assign delegates to perform your tasks or activities.
● View and process your user data.
More Information
Also see the My Home Work Center topic in the documentation for SAP Access Control.
Use
The Work Inbox lists the tasks you need to process using GRC applications.
Activities
To process a task, choose a hyperlink in the table. The appropriate workflow window appears. Process the task
as required.
To change the displayed columns, choose Settings, maintain the columns as required, and save the view.
Use
The Work Inbox displays a user's SAP Risk Management task list.
The SAP Risk Management workflow-enabling activities in Customizing for Governance, Risk and Compliance
under General Settings Workflow must be maintained.
Features
The SAP Risk Management tasks contain notifications, alerts, and workflows that are triggered at various
stages of the risk management process. You can click on any task in the list to complete the workflow.
More Information
Use
From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents, and
issues, depending on the applications you have licensed.
Related Information
Use
Proposing risks for an organizational unit or an activity makes sense for users who are not risk experts, that is,
casual users. An employee self-service function is used for this.
In the Propose Risk section, you access a restricted data view for risks and risk categories defined for particular
activity categories. This reduces complexity and helps streamline risk management activities within a
company.
Note
The Propose Risk function represents a limited set of risk data. For information on the full set of risk data,
see Creating a Risk [page 416].
Procedure
Note
To add the fields Secondary organization unit, Impact and Response to the screen, go to the
customizing activity Governance, Risk and Compliance Risk Management Master Data Setup
Activate Risk/Opportunity Proposal and/or Ad-hoc Escalation .
4. Choose Submit.
5. The system now sends a workflow item to the appropriate user/role for processing. The risk is stored in the
list of system risks with the risk type Proposal and the status Pending Approval.
The type of a proposed risk is Proposal until it is converted to a real risk, after which the status changes to Draft
for a saved risk or Active when the risk is submitted. A proposed risk can also be rejected altogether. Proceed
as follows:
1. You can work directly with proposed risks by choosing a risk of the type Proposal from the risk list.
2. In the Risk Proposal screen, you can see the risk that was proposed, and you can choose either the Approve
or the Reject pushbutton.
3. You receive a confirmation of the risk approval or rejection.
○ If approved, the risk is displayed in the list of risks with status Approved.
○ If rejected, the risk is no longer displayed in the list of risks.
A list of proposed risks is displayed in the user's personal object worklist (POWL) under a separate tab,
Proposed Risks.
Use
Ad hoc risk escalation is similar to the risk proposal functionality. It enables analysis and direct response when
creating the risk proposal. Based on the analysis data, the escalation is triggered by comparing with the
thresholds defined in the organizational unit hierarchy. It is possible to create a new risk (Activate Risk) from
the proposal, and also associate the proposal with an existing risk (Transfer to Risk). When activating or
transferring, you can also generate an analysis and responses.
A personal object work list (POWL) implements the reporting for this functionality.
Prerequisites
● Set the Validate Risk Proposal task as a general task and activate the work flow linkage:
1. Choose Governance Risk and Compliance General settings Workflow Perform Task Specific
Customizing .
2. Expand the GRC node.
3. Select the GRC-RM subnode and choose Assign Agents.
4. Select the Validate Risk Proposal task and choose Attributes....
5. Select General Task and choose Transfer.
6. Choose Back and return to the Task Customizing Overview screen.
7. Select the GRC-RM subnode and choose Activate Event Linking.
8. Expand the Risk Proposal WF node and choose Detail View.
9. Choose Event linkage activated and Continue.
● Enable Ad-hoc Risk Escalation:
1. Choose Governance, Risk and Compliance Risk Management Master Data Setup Activate Risk
Proposal and/or Ad-hoc Escalation .
2. Activate RISK_ADHOC_ESCAL.
Features
You create an ad hoc risk escalation from My Home Ad-hoc Risk Escalation .
When you, as the nominated agent open the work item in your Work Inbox, the status changes from Created to
In Process.
In the Ad-hoc Risk Escalation screen that opens, you have the following options:
● Forward
This opens the Forward Ad-hoc Risk Escalation screen, in which you can change the organizational unit. The
escalation is then forwarded to the recipient determined by evaluation of the agent slot
0RM_RISK_PROPOSE for the changed organizational unit.
You can add an explanatory note before forwarding the escalation.
● Reject
When you Submit the Reject Ad-hoc Risk Escalation screen, you must add an explanatory note.
● Transfer
If you want to transfer the escalation to an existing risk, you select the risk and you can also take over some
of the proposed responses. By selecting the responses, you are asked to enter the Response Type and,
optionally, the Purpose. The responses are new responses for the risk.
You can also enter an explanatory note.
● Activate
If you decide to take over the analysis, you must specify the risk category to which it is assigned. Based on
the actual analysis profile, the probability and impact is converted to required representation based on the
customization and threshold set up.
However, if it is a corporate risk escalation, you can decide selectively for which forecasting horizons you
want to use. You can also define the impact, but it is not mandatory. Based on analysis type the impact and
probability is converted if required to values based on the customization and the threshold definition.
In either case, you can also enter an explanatory note.
More Information
Use
Users can suggest ways to address risks by creating response proposals and submitting them to those
responsible for risk mitigation.
After the response proposal is submitted, the creator of the proposal receives an e-mail confirmation that the
proposal was successfully submitted — that is, delivered to the work inbox of the person responsible for
mitigating the specified risk. This person can then approve or reject the response proposal.
Note
Users who are assigned as agents via 0RM_RESPONSE_PROPOSE are authorized to receive and approve or
reject response proposals. The approver can create a response or response template from the response
proposal after approving it. For more information, see Creating a Response or Enhancement Plan [page
459] and Working with Response Templates [page 458].
The creator of the response proposal is notified by e-mail when the response proposal is approved or rejected.
Submitted proposals (including their current status — waiting for approval, approved, or rejected) are listed in
the Proposed Responses tab found in work center Assessments Risk Assessments Responses and
Enhancement Plans . Click on the name of the response proposal to review its contents.
Context
In the My Home work center, you can report incidents in an ad hoc manner if they are urgent or need
immediate attention. You can enter or post incidents; however, in the case of ad hoc incidents, you access a
simplified user interface for posting an individual incident. The full functionality for creating incidents can be
accessed from the Incident Management section of the Assessments work center.
An ad hoc risk proposal or posting of an incident might affect an organization's ability to continue as a
going concern. In this case, the monetary effect of the respective losses (due to an incurred risk) would be
high, and might require immediate action.
Procedure
1. Call the My Home work center and then choose the Incidents link under Ad Hoc Tasks.
2. In the Report Incident screen, enter the incident name, select an organization, and enter the incident date
and the detection date.
Note
For the full processing of incidents and the prerequisites involved, see Working with Incidents [page
485]
Prerequisites
The following prerequisites must be fulfilled before you can use the workflow functionality for incidents:
Procedure
Use
Issues that did not arise from an evaluation-based test can be a question, action item, or planned task. An issue
can be prompted by compliance or business events or result from identifying a problem area. An issue can be
created for any object, depending on the configuration done through the Customizing activities.
If an Issue Owner or an object has not been identified, the issue is sent to the Issue Administrator. This person
can then assign an owner, an object or both. The Issue Administrator or the designee then processes the issue.
Prerequisites
Complete the Customizing activities at Governance, Risk and Compliance Common Component Settings
Ad Hoc Issues .
Procedure
Note
An object owner is not required. If this field is left blank, the issue is routed to the issue
administrator.
○ Source
○ Issue Date (required)
○ Due Date
○ Notes
3. If you need to gather information, save your issue as a draft and return to complete it later.
4. Choose Add to select a regulation from the dialog box on the Regulation tab.
5. Attach files or links on the Attachment and Links tab.
6. Choose Save Draft to save changes or Cancel to abort the session. If the issue was raised in error, you can
void the issue.
Web service GRFNAHISSUEIN is provided to create ad hoc issues and trigger workflows to the issue admin.
7.1.3 My Objects
Use
Note
The My Objects section is shared by the SAP Risk Management and SAP Process Control applications.
Based on the applications you have licensed, you may see only a subset of the objects listed below.
You can view and manage objects to which you have access using the My Objects section of the My Home work
center. Specifically, you can view and maintain the following objects:
● My Processes: View and maintain all local organizations, processes, subprocesses, and controls for which
you are responsible
● My Risks: View all risks for which you are the owner or for which you have change authorization
● My Responses: View and maintain all responses for which you are the author or processor, or for which you
have change authorization
● My Incidents: View and maintain all incidents for which you have change authorization
● My iELCs: View and maintain all local indirect entity-level control groups (iELC groups) and indirect entity-
level controls (iELCs) for which you are responsible
● My Policies: View all policies that pertain to your responsibilities, including policies that were either created
by you or require your review or approval
● Open Issues: View all open issues on objects for which you have reporting authorization, including
evaluation test issues and ad hoc issues
More Information
7.1.3.1 My Risks
Under the My Home work center, you can see all the risks for which you are the owner and for which you have
change authorization under My Objects My Risks .
Related Information
7.1.3.2 My Responses
Under My Responses, you can maintain all the responses for which you have change authorization.
For more information, see Risk Responses and Enhancement Plans [page 455].
7.1.3.3 My Incidents
Under My Incidents, you can maintain all the incidents for which you have change authorization.
Use
The My Policies section contains the policies that pertain to your responsibilities (either created by you or
requiring your review or approval).
Under the My Home work center, you can see all the policies with your involvement under My Objects My
Policies .
More Information
●
●
●
●
●
●
●
● Using a Policy as a Risk Response [page 475]
Use
The Embedded Search function in SAP Process Control and SAP Risk Management allows you to search for
objects and documents in a browser-based user interface. The search results include basic information of
objects and documents with hyperlinks, through which you can directly access the related applications and
documents.
In SAP Process Control and SAP Risk Management, the following objects are available for search:
Note
SAP Process Control objects and functions are only available if you have licensed the SAP Process Control
application in addition to SAP Risk Management.
● Account Group
● Activity
● Ad-hoc Issue
● Assessment
● Business Rule
● Control
● Documents
● Incident
● Indirect Entity-Level Control
● Issue
● Objective
● Organization
● Policy
● Process
● Response
● Risk
● Subprocess
● Test History
You can configure Embedded Search by activating and deactivating these objects in Customizing activity Open
Administration Cockpit under Governance, Risk and Compliance General Settings Search .
Activities
You can use the advanced search function to specify the search scope, save your search terms, and hide/show
search criteria. You can filter the search results by choosing the categories on the left side.
Context
You can authorize another business user to perform your tasks, exercise your access rights, and specify the
duration of the delegation.
Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business
users. If power users needs to delegate their authorization to others, they must ask the IT department to
assign the PFCG role SAP_GRC_FN_ALL to specified users. This delegation is not entity-dependent.
Procedure
To delegate your tasks and access rights to another user, proceed as follows:
The Assign Own Delegate screen displays your existing delegations. You can create a new delegation, open
and edit an existing delegation, or delete a delegation.
2. To create a new delegation, choose Create.
Note
4. Select a user name and choose OK. The system completes the Delegator and User ID fields.
5. For the Delegation Period the following points apply:
○ The Start Date field defaults to the date the delegation is created. You can change this field.
○ The End Date field defaults to unlimited (December 31, 9999). You can change this field. If you accept
the default of an unlimited End Date, you can change the date later or delete the delegation when it is
no longer needed.
To edit an existing delegation, proceed as follows:
6. Choose the delegation assignment.
7. Choose Open.
The Own Delegation screen appears. You can only change the End Date.
8. Choose Save.
To delete an existing delegation, proceed as follows:
These features allow you to access the most commonly used applications, view user-specific entity data and
status, search for objects, and perform various other tasks.
SAP Process Control and SAP Risk Management provide the following features:
Use
Entry page is a role-based Web Dynpro home page that provides user-specific contents and easy access to the
most commonly accessed work center items. Entry page can be configured according to specific user
behaviors. Entry page consists of containers and Collaborative Human Interface Parts (CHIPs). You can
personalize the entry page by adding or removing containers and CHIPs.
Note
SAP Process Control roles are only valid if you have also installed and possess a license for the SAP Process
Control application).
More Information
For more information about available SAP Risk Management CHIPs, see GRC CHIP Catalog [page 338]
Use
Note
The following information is only relevant if you have licensed SAP Process Control.
Side panel is a CHIP-based widget-type panel that can be accessed from an existing Web Dynpro application. It
provides additional information and easy access to work center items.
In SAP Process Control, side panel is user-specific. It is available for the following users:
In Process Control, you can configure the side panel for My Processes for a single role or a group of roles using
the Customizing activity Configure Side Panel for My Process under Governance, Risk and Compliance >
General Settings > UI Settings.
More Information
Use
A CHIP (Collaborative Human Interface Part) is a small, widget-type, encapsulated, stateful piece of software
that can be combined in a layout with other CHIPs to form a page or a panel. Entry page and side panel are both
implemented using the CHIP technology.
The following CHIPs are available in SAP Risk Management (and in SAP Process Control, if you have installed
and possess a license for the SAP Process Control application):
Ad Hoc Issues for Audit Ac GRFN_ACTION_ADIS Display a list of ad hoc issues Use in entry page
tions SUE_LIST_CHIP for audit actions
Audit Action and Ad Hoc Is GRFN_ACTION_ISSUE_CHIP Allows you to view ad hoc is Use in side panel
sue sues under specified audit
actions
Audit Dashboard GRFN_DAB_AUDITA Provides risks and audit pro Use in entry page
BLE_CHIP posal information in graphics
Audit Dashboard: Risks by GRFN_DAB_AUDITA Provides risk information by Use in entry page
Auditable Entities BLE_RISKS auditable entities in graphics
Audit Dashboard: Audit Pro GRFN_DAB_AUDITA Provides audit proposal infor Use in entry page
posals by Auditors BLE_APA mation by auditors in graph
ics
Audit Dashboard: Audit Pro GRFN_DAB_AUDITA Provides audit proposal infor Use in entry page
posals by Auditable Entities BLE_APAE mation by auditable entities
in graphics
Audit Plan Proposal GRFN_UIBB_AP_CHIP Displays the information of a Use in side panel
specific audit plan proposal
Criteria Data CRITERIA_CHIP_4_EN Used together with other Use in entry page
TRY_PAGE CHIPs to provide criteria data
for entry page
Evaluation Status (Pie View) GRPC_CHIP_EVAL_STAT Presents the status of evalu Use in side panel
ations in graphics
Evaluation Status (Column GRPC_CHIP_EVAL_STAT_CO Presents the status of evalu Use in entry page
View) LUMN ations in graphics
Issue Status (Pie View) GRPC_CHIP_ISSUE_STAT Presents the status of issues Use in side panel
in graphics
Issue Status (Column View) GRPC_CHIP_IS Presents the status of issues Use in entry page
SUE_STAT_COLUMN in graphics
Open Issues GRFN_OPEN_ISSUE_CHIP Displays open issues accord Use in side panel
ing to a specific object, such
as subprocess, control, etc.
Risk Heatmap GRRM_CHIP_HEATMAP Displays risks by level and Use in entry page
impact in matrix
Timeframe Filter GRFN_TIMEFRAME_FIL A filter used together with Use in entry page
TER_CHIP other CHIPs
Passed/failed of Control GRRM_CHIP_PASS_FAIL_CN Displays the passed/failed Use in the side panel of risk
TL status of controls that are OIF
used in risks as response
Open Issues GRRM_CHIP_OPEN_ISSUE Displays the ad-hoc issues Use in entry page
New Entered Risks in the last GRRM_CHIP_NEW_RISKS Displays newly entered risks Use in entry page
14 days in the last 14 days
Risk heat map GRRM_CHIP_HEATMAP Displays risk heat map Use in entry page
Scope Selection GRRM_CHIP_SCOPE Provides the selection of date Use in entry page
and organization, which will
be used as a scope for other
chips in the entry page
Top Risks GRRM_CHIP_TOP_RISKS User report CHIP Top Risks This chip is not used in the
(Variant of GRRM_R5) to get default delivery
the top risks
Workflow Monitor GRRM_CHIP_WI_MONITOR Monitors all the work inbox This chip is not used in the
tasks for all users in the sys default delivery
tem. Only the power user
who has the authorization is
allowed to do this activity.
Recent Loss Events GRRM_OB_CHIP_RE Displays the recent Loss Use in entry page
CENT_LOSSES Events from Banking created
during the last 14 days
Top Losses GRRM_OB_CHIP_TOP_LOSS Risk Banking Top Losses dis Use in entry page
ES plays the Top 5 loss events
comparing with Estimated
Loss
Loss Event Workflow Pipeline GRRM_OB_CHIP_WF_PIPE Displays the Loss Event Use in entry page
LINE Workflow in the form of Pipe
line and table list
More Information
Use
The Master Data work center provides a central location to manage and view the organization structure,
regulation and policies, catalog of objectives, and catalog of risks and responses.
Note
The Master Data work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications in the SAP governance, risk and compliance (GRC) solutions. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in
this topic covers the functions specific to SAP Risk Management. If you have licensed additional products,
such as SAP Access Control or SAP Process Control, refer to the relevant topics in the respective
application help for the application-specific functions.
7.2.1 Organizations
Definition
Use
You can use the functions on the Organizations screen to create and maintain an organizational structure within
the application that mirrors the organizations in your company.
Integration
● If you have licensed SAP Risk Management, SAP Process Control and SAP Access Control and want to use
them for the same organization, the application must share a common organizational view. Complete the
Customizing activity Maintain Organization Views, under Governance, Risk, and Compliance General
Settings Workflow
● To create the root organization and its first child organization in the specified organization view, complete
the Customizing activity Create Root Organization Hierarchy, under Governance, Risk, and Compliance
General Settings Workflow
More Information
See the Organizations topic in the application help for SAP Access Control.
Process Control – .
Use
In the Organizations area of the Master Data work center, you can maintain the organizational structure for your
company. This includes setting up initial roles and responsibilities and the initial definition of certain risk
management details for the respective organizational unit, such as line of business, country, and legal entity.
Note
If you have licensed both SAP Risk Management and SAP Process Control, and want to use them for the
same organization, both applications must share a common organizational hierarchy.
Prerequisites
The following prerequisites must be fulfilled before you can work with organizational units:
Procedure
The View field enables you to switch between different views of the organizational entities in a hierarchy
by making a selection in this dropdown field. You can also select by date to see organizational units that
were created on an earlier date.
3. To create an organization in the hierarchy, put the cursor on the parent organization or on the organization
for which you wish to create a child organization. The screen of the organization opens.
4. Choose Add. You are prompted to specify whether you want to create a new organization or reuse an
existing organization:
○ If you create a new organization, proceed as described in the section Working with the Organization
Tabs below.
○ If you want to reuse an existing organization, choose Reuse existing organization. Then select the
organization that you want to reuse and choose OK. After this, select the organization in the overview
screen and proceed as described below.
1. On the General tab, enter a name for the organization and the currency that your organization uses. This is
the consolidation currency to be used for risk aggregation. Change the valid-to date if necessary.
2. On the Policies tab, you can see the policies that have been created for this organization. For more
information about policies, see .
3. On the Objectives tab, add the objectives that correspond to your company strategy. For more information,
see Business Objectives Hierarchy [page 359].
4. On the Key Risk Indicators tab, specify the Assigned Key Risk Indicators and Business Rules for the
organization.
When creating Assigned Key Risk Indicators, you can choose to add a Standard KRI Instance, a Score-based
KRI Instance, or a Manual KRI Instance. For more information, see Managing Organizational Key Risk
Indicators [page 346].
5. On the Units of Measure tab, you must specify the unit of measure to be used in your organization. This is
necessary for defining conversion factors for each impact category defined in Customizing. Select an
impact category from the dropdown field. Then choose Create and choose the unit of measure. The
abbreviation field populates automatically. Enter the conversion factor to be used if you are not using a
monetary unit of measure.
6. On the Risk Appetite tab, select the degree of risk-taking that is to be applied when individual risks are
entered into the system. If desired, you can specify a monetary value as the upper limit for this.
7. On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can
specify the lower and upper limit for each impact level in monetary terms. For more information, see
Entering Risk-Specific Organization Data [page 345].
Note
You must enter the lower and upper limits per impact level in ascending order. This means that the
greater the impact level, the higher the quantitative/monetary effect.
8. On the Roles tab, you can assign users to individual roles, as well as replace or remove them. For more
information, see Entering Risk-Specific Organization Data [page 345].
9. When you are finished, save the data for your organization.
Use
On the Organizations screen under Master Data Organizations , you can enter the following risk-specific
data for your organization:
● Business objectives
● Risk appetite
● Risk thresholds (referring to risk impact levels and monetary values)
● Risk-specific roles
Prerequisites
Procedure
1. In the Objective tab, add the objectives that correspond to your company strategy.
2. Save your entries.
For your organization, you can specify the degree of risk-taking that is to be applied when individual risks are
entered into the system.
1. On the Risk Appetite tab, select the qualitative appetite from the dropdown options.
2. If desired, you can specify a monetary value as the upper limit for the qualitative appetite.
3. Save your entries.
On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can
specify the lower and upper limit for each impact level in monetary terms.
1. Put the cursor on an impact level line and enter the values in the fields below this table, moving from the
lowest to the highest impact level.
On the Roles tab, you can assign users to individual roles, as well as replace or remove them.
Note
These roles are added to the organizational unit during implementation and Customizing. For more
information, see Risk Management Application Roles [page 31].
Before assigning roles, check that the roles you want to assign exist in the Customizing activity Maintain Entity
Role Assignment.
Note
If you are using SAP Workflow, you must also ensure that the roles you assign have also been assigned to
specific agent slots (business events) in the Customizing activity Maintain Custom Agent Determination
Rules.
Note
Use
You can assign one or more key risk indicators (KRI) to an organization. This is known as a KRI instance. In this
way, you can automatically identify risks in organizations and escalate them to risk owners for immediate
attention if necessary.
Procedure
1. When managing an organization, choose the Key Risk Indicators tab and choose Create Standard KRI
Instance in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using
the drop-down lists.
7. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
8. In the Selection Table, modify the KRI implementation settings, as required.
9. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
10. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose from among the following options:
○ Choose the Activate pushbutton to set the status as Active for the KRI instance.
○ Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor
(to the KRI liaison defined in the Risk Management workflows, for example). The dialog closes and the
Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the
workflow item, it returns to your inbox for processing or approval, among other options. For more
information, see Workflow for KRI Instance Localization Request [page 395].
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.
1. Choose the Key Risk Indicators tab and choose Create Score-based KRI Instance in the Assigned Key
Risk Indicators section.
The Create KRI Instance dialog appears.
1. Choose the Key Risk Indicators tab and choose Create Manual KRI Instance in the Assigned Key Risk
Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
6. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
7. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.
More Information
For more information about specifying business rules, see Creating KRI Business Rules [page 393].
Use
The thresholds browser is a tool to browse and maintain thresholds on organizational units, activities, and risk
categories. For organizational units, it allows the maintenance of the standard impact thresholds, the risk
summary thresholds and risk appetite. For activities and risk categories, you can only maintain the risk
summary thresholds.
These thresholds are used in the ad-hoc risk escalation process. For more information, see Ad Hoc Risk
Escalation [page 326].
Prerequisites
To maintain the risk summaries in the threshold browser, the appropriate entity must have a Determination
Attribute of Individual Value in SAP Customizing Governance, Risk and Compliance Risk Management
Master Data Setup Risk Summary Settings . If the Determination Attribute is Central Value for a particular
entity, the risk summary is read-only in the threshold browser for that entity.
Activities
In the threshold browser navigation pane, you can select the organizational unit, activity, or risk category from a
list or an hierarchical tree.
In the right-hand pane, you can maintain the risk thresholds, risk summary thresholds, and risk appetite. Once
you have defined the thresholds and appetite, you have the option to copy them to:
● The clipboard
● All children of the current entity
● All entities on the same level
● All entities
If you copy the thresholds to the clipboard, you can navigate to another entity and the Paste option is valid to
enter the copied thresholds for this entity.
In the header area, you can save and cancel all changes that have been made. You can also change the focus
date for which all data is displayed and maintained. If you change the focus date, all changes are saved or
discarded. If you change the focus date to a date in the past, changes are no longer allowed and all threshold
data is shown in read-only mode.
Use
Regulations and Policies give you visibility into your compliance landscape.
Related Information
7.2.2.1 Regulations
Definition
Use
In the regulation hierarchy, you document which compliance initiatives your company supports. For each
compliance initiative, you can document the regulation and its requirements. After defining a new regulation,
you specify the subprocesses and controls that are relevant to that regulation.
Structure
You have a group of financial compliance initiatives that could include SOX, J-SOX, and IDS or a group of
operational compliance initiatives that include FDA and Life Sciences regulations.
Maintain your regulation hierarchy to the individual requirement level. For example, you can maintain SOX
compliance down to the regulation requirement SOX 302. If you maintain regulation requirements, you can
assign them to controls and track the affected requirements at the control level.
Related Information
7.2.2.2 Policies
Use
A policy is a set of principles, rules, and guidelines that are formulated or adopted by an organization to reach
its long-term goals. Policies are designed to influence major decisions and actions, and all activities take place
within the boundaries set by them. They are used in both the SAP Process Control and SAP Risk Management
applications.
A policy contains a written description of an organization's position on important subjects and its response to
specific situations. Policies support managerial decision-making, to help the company achieve its objectives.
Policies are an element of a complete governance process. This process involves an analysis of regulations,
best practices, and corporate business objectives, after which they are codified into policies affecting the
business actions of all employees.
Policies need to be created, reviewed, approved, and distributed; there is an ongoing process of policy
acknowledgment, self-assessment, and updates. Policies must be managed throughout their lifecycle.
Prerequisites
According to your business needs, complete the Customizing activities under Governance, Risk, and
Compliance Common Component Settings Policy Management .
Procedure
You must create a policy group before you can create a policy.
Description (optional) Enter information to tell users the contents of the Policy
Group.
Note
You must have previously created an Approval Survey
in the Survey Library.
Prerequisites
You must create a policy group before you can create a policy.
Context
Policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term
goals.
Example
A Global Travel Policy is one example of a business policy. The goal might be to reduce costs and increase
efficiency by mandating that everyone in the company adhere to this policy.
Procedure
Note
The Policy Object Types are configured during the Customizing activity Maintain Policy Types and
Distribution Methods under Governance, Risk, and Compliance Common Component Settings
Policy Management .
Description (optional) Enter information to tell users the contents of the policy.
Policy Category (optional) Select the categories this policy belongs to.
Responsible Organization (required) Enter the organization responsible for the policy.
Created by (optional) The default is the person who created the policy.
Valid From (required) Enter the first date of effectiveness for the policy.
Valid To (required) Enter the last day of effectiveness for the policy.
Date for Next Revision (optional) Enter the date for the next revision. This date must be be
tween the Valid From and Valid To dates.
6. Select the Policy Document tab. Attach the actual policy documents (word files, excel files, images) that
contain the written policy. The policy documents may reside in SAP Document Management Systems
(DMS) or you may include links to documents residing in external DMSl.
7. Select the Policy Scope tab.
You document who is in scope and subject to the policy. You may also explicitly specify who is excluded
from the scope of this policy. Define which Organizations, Processes (contained in the Organization),
Activities, People (can be roles, user groups, or specific users) or Exclusions you want to identify (text field).
This is who receives the policy when it is published.
8. Select the Risks tab.
This is the risk associated with the nonadherence to the policy. If the company is not compliant with the
policy, this is the risk that could occur.
9. Select the Controls tab.
Specify the sources or the reasons and motivations behind the creation of the policy. There are defaults
choices provided. Add or remove sources as needed.
Note
The Policy Sources are configured during the Customizing activity Maintain Policy Source Categories
under Governance, Risk, and Compliance Common Component Settings Policy Management .
If there are any ad hoc issues related to this policy that need to be addressed, they will be displayed in this
tab.
12. On the Roles tab you can assign users to individual roles (such as Policy Owner, Policy Approver and Policy
Reviewer), as well as replace or remove them. To assign a user, select the line of the role to which you want
to assign a user. Then choose Assign. In the dialog box then displayed, you can search for and select the
user to be assigned to this role. You can assign multiple approvers and reviewers.
13. Select the Review and Approval tab to view the status or the approvals. If you did not assign specific
reviewers or approvers, the Default Approvers (usually the Organization Owner — the owner of the
organization specified in the Policy Scope tab) are asked to approve the policy.
14. Choose Save.
15. Decide if you can immediately Submit for Approval or if you need to Send for Review.
Next Steps
●
●
●
●
● Please also see the Using a Policy as a Risk Response topic in the documentation for SAP Risk
Management.
Prerequisites
Policy reviewers were set up by the policy owner (author of the policy).
After the policy owner submits the newly created policy for review, the policy review workflow is sent to the
reviewer. If the policy owner has set up more than one reviewer, then a parallel policy review workflow is sent to
all the reviewers at once.
Procedure
Note
If you accept the policy draft with no changes, then comments are optional. Before submitting the
comments, the reviewer can delete comments he or she has entered. The reviewer cannot delete
comments entered by other reviewers. Once a reviewer submits a comment, it cannot be modified or
deleted.
5. After the comments have been submitted, the policy owner can see all comments in a compiled format.
The policy owner revises the policy draft based on the review comments. As long as the policy owner does
not submit the policy for approval, reviewers can continue to enter comments by selecting the Review
Policy link in their Work Inbox.
Related Information
Prerequisites
The policy approvers must be set up by the policy owner or the default approvers may be determined by the
workflow engine (based on the organizations and processes assigned to the policy).
Note
● If the policy applies to an organization, then that organization owner becomes the default approver.
Since all the users in the organization are subject to this new policy, the organization owner must
approve it.
● If the policy applies to a certain process and/or subprocess, then the respective owner becomes the
default approver. Since all the users in the process and/or subprocess are subject to this new policy,
the process/subprocess owners must approve it.
● There may be other roles assigned to the policy approver role in the configuration, for a certain
organization, process or subprocess, who also receive the approval workflow.
Context
After the policy owner ensures that all the review comments have been incorporated, the owner submits the
final draft of the policy for approval. One or more approvers may be responsible for this policy, as determined
by the workflow engine and as specified by the policy owner. The defined approvers receive the approval
workflow in their GRC Inbox.
Procedure
Related Information
Prerequisites
The policy must have been reviewed by the policy reviewers and approved by the policy approvers. After
approval, the policy is published directly.
Context
A new policy is published to the Policy Library and is then available to all authorized users for viewing and is
available for distribution and policy attestation.
Procedure
Note
The Distribution Method (Quiz, Survey, or Acknowledgement) is also defined when the policy is
created.
Related Information
7.2.3 Objectives
Depending on the applications you have licensed, in the Objectives section of the Master Data work center, you
can maintain control objectives and business objectives.
For more information about control objectives, see the corresponding topic in the SAP Process Control
application help, .
Related Information
Use
Managing and assessing risks across the organization are important tasks for companies that must adhere to
legal compliance requirements or use management best practice frameworks with risk management
methodologies. Business practice has shown that the connection between risks and objectives provides
greater visibility for the management team during risk reporting. By creating a hierarchy of your company's
objectives, you can link or associate the objectives with impact categories defined for risks.
In the same way as the vision and mission of an organization describe the top-level desired state of the
organization, objectives describe critical, actionable, and measurable components of that desired state within
the context of organizational perspectives.
Prerequisites
Procedure
After you create an objective strategy, you can create individual objectives to assign to this strategy. Proceed
as follows:
Note
You cannot assign an organizational unit to the objective here. Instead, you must assign existing
objectives when you create an organizational unit. These are displayed in the Objectives screen after
saving. For more information, see Entering Risk-Specific Organization Data [page 345].
4. Now choose this strategy again from the list and choose Create Objective . Create an objective for
the strategy, and save the strategy. This procedure can be repeated as frequently as necessary.
5. Save the objective.
More Information
See SAP Strategy Management documentation in the SAP Help Portal at https://help.sap.com by searching for
SAP Strategy Management and choosing Application Help for SAP Strategy Management. In the application
help, choose Administration Connectors .
The Activities and Processes section in the Master Data work center is where you maintain your company's
activities, business processes, subprocesses, and controls. Depending on what applications you have licensed,
it contains the following links:
●
●
● Activity Hierarchy [page 362]
7.2.4.1 Activities
Use
An activity is any project, process, or an object within your business or organization that might be affected by a
specific risk.
After creating activity categories structured in an activity hierarchy, you can create individual activities for the
activity types defined in Customizing and assign them to the activity categories in the hierarchy. At defined
intervals, for example, the activities affected by specific risks can subsequently be evaluated per activity
category in reporting.
You can define all the activities that need to be monitored through dedicated risk management procedures, in
this way structuring risk management in different areas of the business. These structures can later be used for
reporting.
Prerequisites
Activity types must have been maintained in Customizing under Risk Management Master Data Setup .
Features
● Specify the activity category and validity period, as well as enter relevant constraints and assumptions for
the activity.
Note
Activities are time-dependent objects. If the valid-to date has elapsed, you do not see these activities in the
corresponding list, since they have expired. However, you can still evaluate them in reporting.
More Information
Use
In the Activities and Processes section of the Master Data work center, you can define a hierarchy to structure
the activities in your organization that involve risks. In this way, you can define the scope of risk management
activities within your company, making them transparent, in particular for reporting purposes. You do this by
defining risk-relevant activity categories. The research and development projects of your organization could be
one activity category, for example.
Note
If you have also licensed the SAP Process Control application and you want to see the processes of SAP
Process Control in the SAP Risk Management activity hierarchy, proceed as described in Reuse of PC
Central Process Hierarchy in RM [page 16].
Prerequisites
Example
The above example shows how risks are assigned. First, the activity type defined in Customizing called
business processes is used to create an activity category called Financials. Then for Organizational Unit 1, this
activity category is used to define the two activities of budgeting and consolidation. The budgeting activity has
two risks allocated to it: Overspending and Budget not approved.
Use
By creating activity categories and structuring them in an activity hierarchy, you can group your business
processes or other planning objects. You can subsequently use these activity types to structure your activity
hierarchy and activity reports.
Prerequisites
Procedure
To maintain the activity hierarchy, choose Master Data Activities and Processes Activity Hierarchy . The
Activity Hierarchy screen appears. In the dropdown box at the top left, you can see the different activity types
maintained in Customizing.
Note
If you have implemented both the SAP Risk Management and SAP Process Control applications, the
activity hierarchy selection screen contains the defined SAP Risk Management activity hierarchies as well
as the SAP Process Control processes, which you can access in display mode.
1. From the dropdown list, select an activity type to be used for creating the activity category, and then
choose the Create pushbutton.
2. In the screen that opens, enter the name of the activity category and if necessary a description.
3. If you want to allow the assignment of activities to this activity category, set the corresponding indicator at
Yes.
4. On the Risk Classification tab, you can assign risk categories to this activity category by clicking the Assign
pushbutton.
5. On the Opportunity Classification tab, you can assign opportunity categories to this activity category in the
same way.
Definition
The Risks and Responses section of the Master Data work center enables you to maintain your organization's
risk, opportunity, and response catalogs. It contains the following Quick Links:
● Risk Catalog
● Opportunity Catalog
● Response Catalog
Related Information
Use
Classifying risks within a catalog containing a clear risk hierarchy provides you with a structured view of all risks
of your company. You can classify risks according to the categories of risks that you wish to track, and carry out
reporting, for example, to evaluate the risks per risk category defined for your company.
Features
For each risk category you define, you can define individual risk templates. You can use this template when
actual risks are created. Risk templates only have drivers and impacts defined for them, but no further data.
You can subsequently carry out reporting, for example, to evaluate the risks per risk category.
The graphic below shows some risk templates and their assignment to user-defined risk categories.
For more information about risk catalogs, see Classifying Risks, Opportunities, and Responses [page 366].
Note
The risk categories created can also be used for Risk Management reporting.
Use
By structuring your organization's risks, opportunities and responses into individual categories, you can obtain
a clear structure of all enterprise-wide objects created. The following types of catalogs can be created; the
documentation below describes risk catalog maintenance, and opportunity and response catalog maintenance
is carried out similarly.
Note
When you create a risk with a template in the risk application itself, you are accessing the risks created in
the Risk Catalog. A risk template has no analysis and no responses linked to it, and is to be used when
creating the actual risks in the risk application.
Prerequisites
Procedure
To maintain the risk catalog, choose Master Data Risks and Responses Risk Catalog . The Risk Catalog
screen appears. Then proceed as follows:
1. To add a risk category to the hierarchy, select a node of the classification hierarchy as the level you want to
create the category in. Then choose Create Risk Category .
2. In the dialog box, enter the name and description of the risk category, and decide whether to allow
assignment of this risk category to an activity category.
3. On the KRI Template tab, you can assign an existing KRI template to this risk category.
4. On the Allowed Dimensions tab, you can specify the dimensions and context values to be used with this risk
category. For more information, see Working with Contexts [page 480].
5. Save the risk category.
1. To create a risk template, select a risk category from the Risk Catalog Classification overview screen and
choose Create Risk Template . For more information, see Creating a Risk Template [page 368].
2. When finished, save your data.
Use
A risk template is used to streamline the risk assessment process and reduce manual effort during risk
identification. A risk template has no analysis and no responses linked to it, and serves as a model for actual
risk creation. It is useful if you have several similar risks to create.
Note
You create an opportunity template in the same way as you create a risk template.
Prerequisites
Procedure
1. Call the Master Data work center and then choose Risk Assessments Risks and Responses Risk
Catalog .
Note
2. In the Risk Catalog screen, click Create Risk Template . Note that the cursor must first be on a risk
category and may not be on the uppermost Classification Hierarchy node if there are no categories below it.
3. In the General tab, enter the Event Name (the name of the risk template you are creating), then change the
valid-to date and enter a comment if necessary.
4. Add the necessary drivers and impacts in the lower screen section.
If you create a risk using a risk template, existing customer-defined fields can also be taken over into
the template.
5. The next tab, Risk Instances, has no fields ready for input. It displays the risks that were created using this
template, so it can only be accessed after you have created at least one risk with this template. If risks
exist, the Open pushbutton enables you to call the risk directly from this tab, after you have put your cursor
on the line of the risk.
6. In the Response Templates tab, you can assign or remove a response template to be used with the risk
template.
7. In the Central Controls tab, you can assign or remove a control from SAP Process Control to a template (if
you also have a license for SAP Process Control. A central control is a control assigned to a central
subprocess. A central subprocess and central control can be assigned to different organizations for
different regulations. For more information about working with controls, see the SAP Process Control
application help topic . After assignment, the control can be used as a response to a risk in the shared risk
catalog.
8. In the Context tab, you can specify the dimensions and context values that link the risk template with other
areas or system objects. You can select to view the context attributes in table form, graphic form, or as
Crystal reports. For more information, see Working with Contexts [page 480].
9. When finished, save the risk template. It is now ready for use with your risks.
Result
The risk template has been created for use when you create individual risks in the application.
More Information
Procedure
You can use a risk template with several different kinds of objects, such as Risk Management activities or
organizational units defined for Risk Management. In this way, you can create an instance of the risk template.
1. From the Risk Catalog screen under Master Data Risks and Responses , open the classification
hierarchy to a lower level and choose a risk template.
Result
The risk template has been distributed for use over the corresponding objects and is ready for use.
Use
You can create a hierarchy to structure your company's opportunities into opportunity categories within an
opportunity catalog. An opportunity can be regarded as the upside of a risk.
Besides maintaining an opportunity hierarchy, you can also define individual opportunity categories and
opportunity templates to be used when defining opportunity categories.
Prerequisites
You must have maintained the corresponding benefit and driver categories in Customizing.
Features
When you create an opportunity category, you also allow assignment to an activity category. Note the following:
Use
You create opportunity categories and templates in the Risk and Responses section in the Master Data work
center.
Procedure
1. From the Master Data work center, choose Risks and Responses Opportunity Catalog .
2. On the Opportunity Catalog screen that appears, choose Create Opportunity Category .
3. On the General tab, enter the following:
○ Mandatory information:
○ Name
○ Valid from date
○ Valid to date
○ Optional information:
○ You can enter a description for the opportunity category.
○ You can choose whether an assignment of opportunities is allowed for this opportunity category.
○ You can assign the opportunity category to an analysis profile.
You create or modify analysis profiles in Customizing under Risk Management Risk and
Opportunity Analysis Maintain Analysis Profile .
Note
You can review the attributes of existing analysis profiles by choosing the Analysis Profile Detail
link adjacent to the Analysis Profile dropdown menu.
4. On the Attachments and Links tab, you can attach documents and web links.
5. On the Allowed Dimensions tab, you can assign a context to be used with this opportunity category.
6. When finished, save your data.
Note
1. From the Master Data work center, choose Risks and Responses Opportunity Catalog .
Use
The forecasting horizon defines the period for which a forecast is prepared, that is, the interpretation context
for the risk assessment, with respect to the current date.
Depending on the legal requirements a risk management organization has to fulfill, a risk assessment along an
adequate forecasting horizon might be required. The definition for an adequate forecasting horizon varies,
depending on the type of risk (going concern, substantial), the customer’s business and the industry (for
example, process or project oriented).
More Information
Use
Forecasting horizon maintenance includes the creation, editing and deletion of forecasting horizons. Once
created, you can define which forecasting horizons are to be opened or closed. Closed forecasting horizons can
be archived.
For each forecasting horizon, the overview screen displays the following:
● Horizon name
● Status
The following statuses are possible:
Status Meaning
Draft You can change the text and delete the forecasting horizon
in this status.
The status can only change only in the sequence Draft to Open to Closed to Archived. Each change is valid
immediately it is saved.
● Analysis Mode
This defines whether the evaluation of the forecasting horizon is Quantitative or Qualitative.
● Mandatory
This refers to whether the forecasting horizon is mandatory for input when used in DRS-5 (Deutscher
Rechnungslegungs Standard – German accounting regulations – Number 5) analysis.
For maintaining forecasting horizons, on the overview screen you can perform the following functions:
● Create or Edit
Opens a dialog box where you can enter or change the Horizon name, the optional Description and select
the Mandatory check box for a forecasting horizon with a Draft status.
● Delete a draft forecasting horizon
● Open or Close a forecasting horizon
See working with forecasting horizons, below
● Archive a closed forecasting horizon
● Send an e-mail Notification to a list of recipients, which is a collection of agents determined by the agent
slot 0RM_RISK_ASSESSMENT for all risks of type DRS-5
● Display an Action Log of all forecasting horizon maintenance
The action log shows all the actions executed together with a time stamp and user, who executed each
action.
In the overview screen, choose Open and Close. The Open and Close Forecasting Horizons guided activity
opens:
1. Close Horizons.
The system displays a list of open forecasting horizons. Choose the forecasting horizons to close by
selecting the appropriate check box in the Close column.
Choose Next.
2. Open Horizons.
The system displays a list of draft forecasting horizons. Choose the forecasting horizons to open by
selecting the appropriate check box in the Open column.
Choose Next.
3. Roll forward.
This step determines how each forecasting horizon initializes after Open and Close. The system lists all
currently-open forecasting horizons as Target Horizons. Use the dropdown lists to select Source Horizons
for each.
Choose Next.
4. Execution.
This step determines how and when to execute the Open and Close. You can choose immediate execution
or you can schedule for a specific date and time. If you choose immediate (online) execution, the
operations occur immediately after the confirmation step. Scheduling the job for a specific time means
that you can shift the forecasting horizons overnight or at weekends.
Choose Next.
5. Review.
Review your changes and any error or other messages that are displayed. You can use Previous to go back
and make any necessary changes.
Choose Next.
Note
Changes that you make become effective immediately and cannot be reversed.
6. Confirmation.
If you have chosen immediate execution, the operation stars immediately. Any error messages are
displayed directly on the Confirmation screen. For example, when opening and closing forecasting
horizons, it is possible that some leading forecasting horizons, defined on Risk Categories, are no longer
valid. You can start the correction report directly from the Confirmation screen.
Error messages are also written to the Action Log for later processing. If you choose to schedule the
operation, messages are only written to the Action Log.
Note
From the business point of view, it is not reasonable to execute more than one shifting a day. This is
because reporting occurs only once a day and no history can be kept of multiple changes.
If you have scheduled an Open and Close, the maintenance transaction is locked to prevent the changing of
draft forecasting horizons. The only actions that are available on the Overview screen are:
More Information
Use
This option provides an overview of selected leading forecasting horizon for risk categories. You can easily
identify if some risk categories are using, for example, archived horizons, which is not allowed, or missing
horizons.
Activities
Choose Master Data Forecasting Horizons Leading Forecasting Horizon for Risk Categories .
The Leading Forecasting Horizon Consistency Check for Risk Categories report is displayed. You can use the
Filter, to limit the display to include only forecasting horizons that are:
● Open
● Closed
● Closed and Archived
● Not defined
If you identify any inconsistencies in the report, choose Edit, which opens the Edit Leading Forecasting Horizon
for Risk Categories screen. In this screen, you can propose a different leading forecasting horizon where
required. You can do this individually for each risk category or select multiple risk categories and use the mass
selection option in the toolbar to change all the selected risk categories.
Choose Save and the entered values are checked for consistency.
More Information
Use
You can review the quality and structure of your organization's risks via a set of comprehensive predefined
reports. You can carry out a consistency check for your Risk Management data, and you can make sure that the
reports defined do not violate the segregation of duties (SoD).
Note
The term segregation of duties refers to the concept of requiring more than one person to complete a task.
Under SoD, no single person has control over two or more phases of a transaction or operation, so the risk
of fraud or unintentional error is mitigated. An example of this would be that one user cannot be both the
risk owner and the risk validator.
Consistency checks are a set of reports targeting solution and application consultants to support an initial
implementation project. They ensure the completeness and logical consistency of the provided master data in
the Risk Management application. This can be checked during implementation or also later when the system is
in productive use.
Reports that check the completeness of the provided data focus on mandatory and non-mandatory
information in the checked master data. Missing information might either create inconsistencies in data
storage, or affect the behavior of certain parts of the application, such as reporting.
The checks can also be used in the running system to ensure continuous quality of the maintained master data
of the application.
Features
In the Master Data work center, you can carry out a check of the RM data objects in the application as well as of
the corresponding Customizing settings. For more information, see Working with the RM Consistency Checker
[page 376].
Use
The consistency checker enables you to check all your Risk Management data for consistency and
completeness.
1. Call Master Data Consistency Checks Consistency Checks . A new window with the RM
Consistency Checker is displayed. You have two options:
○ Select the individual item you want to check and press Execute.
○ If you want to check all items at once, press Execute Full Pass. This function executes all checks
successively and presents the results in a table.
2. In the Results table, you can drill down to the exact application or Customizing data involved to make direct
changes to the individual data objects in the application or to the Customizing activities. The table has the
following columns:
3. Choosing the individual checks produces the following results, showing you how to resolve individual data
consistency issues:
1. List of organizational units without Lists all organizational units for which Choosing the Execute pushbutton pro
currency no currency is maintained. duces a list of organizational units with
no currency. Choosing one organiza
tional unit opens the corresponding
screen, in which you can assign a cur
rency.
2. Check number of probability levels Lists the probability levels as they are Displays all the probability levels with
maintained in Customizing. the percentage of probability main
tained in Customizing. To make
changes, access the corresponding
Customizing activities.
3. List root nodes Lists all corporate nodes (top organiza Execute produces a list of organiza
tional units). tional units. Choosing one takes you to
the General tab of an organization with
no parent organization.
4. List activity categories without risk or Lists activity categories that do not have Status column: The red stop sign
opportunity categories specific risk and opportunity categories means that no risk or opportunity cate
assigned to them. gories are assigned.
5. Check organizational unit threshold Lists the organizational unit relation Clicking on the parent or the child ID in
relationships ships (parent and child) for which the the output list takes you to the screen
risk threshold settings do not match the where you can maintain the risk thresh
relationship. olds in the corresponding tab.
6. Check the documents Checks for documents with an invalid Dialog box asking whether documents
parent or child object. with invalid parent or child entities
should be deleted. Click the Automatic
Fix pushbutton under the list to auto-
correct the missing values.
7. List of organizational units without Lists all organizational units that do not Clicking the Execute pushbutton produ
thresholds have risk threshold values maintained. ces a list of organizational units with no
risk threshold values. Clicking on one
line opens the organizational unit
screen. Navigate to the Risk Thresholds
tab to maintain the thresholds.
9. List organizational units without ob Lists all organizational units that do not Execute produces a list of organiza
jectives have objectives maintained for them. tional units. Clicking on one takes you
to the organization screen, where you
maintain the Objective tab.
10. List responses without effective- Lists all risks and responses that do not Clicking on a response produces a list
ness / completion values have effectiveness / completion values of responses with missing values. Click
maintained. ing on a line in the Response Title col
umn enables you to enter effectiveness
and/or completion values for a re
sponse.
11. Check role assignment Checks for role errors and warnings, Messages:
such as double assignments.
● User initial: Shows whether a user
name is blank or empty
● Role initial: Shows whether a role
is blank or empty.
● User and role initial: Shows
whether role and user name are
still blank or empty.
● Double role assignment: Shows
whether a user has the same role
twice for the same object in an
overlapping time span.
● Obsolete role assignment: Shows
whether roles are assigned to ob
jects for which they are not rele
vant.
● Unique role assigned multiple
times: Shows whether unique
roles are assigned more than once
to the same object using overlap
ping timeframes.
12. Check role definitions Checks for invalid role definitions. Message No title assigned: Returns a
string that shows the user that the title
is missing.
13. Benefit / impact / driver categories Lists the benefit, impact, and driver cat This check displays the benefit, impact,
egories that are maintained in Custom and driver categories in the application.
izing. To make changes, access the corre
sponding Customizing activities in the
backend system.
14. Check risk level matrix Checks the probability / impact matrix Message Not Assigned (N/A): The
in Customizing, displays the risk levels items show which risk or combination
that are assigned, and shows whether is not assigned.
all levels are used.
15. List organizational units without Lists all organizational units that do not Execute: Produces a list of organiza
units of measure have their own units of measure main tional units. Clicking on one takes you
tained. to the organization screen, where you
maintain the Unit of Measure tab.
16. List risks and responses without Lists all risks and responses that do not Clicking on the link of a risk or re
owner have an owner assigned to them. sponse takes you to the corresponding
screen, where you can maintain the
owner in the Roles tab.
17. Incidents / losses without manda Lists all incidents and losses where You have the following options:
tory attributes mandatory attributes have no values.
● Click the Automatic Fix pushbut
ton under the list to auto-correct
the missing values of all incidents/
losses.
● Depending on the status of the in
cident, clicking on a line of the out
put screen takes you to the inci
dent screen, where you can main
tain the attributes.
This topic lists the reports available under the Reports section of the Master Data work center.
Note
The Reports section is shared by the SAP Risk Management and SAP Process Control applications. Based
on the applications you have licensed, you may see only a subset of the reports.
Report Description
Risk and Control Matrix This report provides information on control and risk matrix.
You can find out what risks specific controls are covering,
under different risk models (Subprocess – Accounts Group
and Assertions – Risk – Control; Subprocess – Control Ob
jective – Risk – Control; Subprocess – Risk – Control).
Risk Coverage This report provides visibility into the coverage of risks by
controls by organization and process. For each risk associ
ated with a subprocess, it shows the list of controls as
signed. You can review this report and understand the risk
gaps to determine if new controls are needed.
Organization and Process Structure This report provides visibility into the organization - process
- subprocess - control hierarchy. You can review this report
and understand what controls and processes are assigned
under each of the business entities.
Indirect Entity-Level Control (iELC) Structure This report provides visibility into the organization - indirect
entity-level control structure. You can review this report and
understand what indirect entity-level controls are imple
mented under each business entity and determine if new
iELCs are needed.
Test Plan by Control This report provides visibility into the coverage of test plans
by controls by organization and process. For each control, it
shows the list of test plans assigned. You can review this re
port and determine if test plans have been assigned properly
to all controls to be tested.
Change Analysis This report provides visibility into all process control object
changes and details within a selected time period. You can
review this report and find out what changes (creation, mod
ification, removal, and role assignment) have been per
formed to each object.
Audit Log This report shows chronologically all changes to local and
central objects within a time period. You can review this re
port and find out what changes have been performed to
each central or local object.
Risk-Based Compliance Management This report provides visibility into the coverage of both Risk
Management and Process Control risks by organization and
process. For each risk, it shows the list of controls assigned
as well as the control design and testing status. You can re
view this report and understand the risk gaps to determine if
new controls are needed.
Policies by Regulation This report provides a method to access all policies, proce
dures, work instructions, and so on, that the company has in
place to address a certain regulation and/or requirement.
Policies Versions This report provides the capability to look at the different
versions of a policy, procedure, work instruction, and so
forth, to provide an idea of how the policy has progressed
and evolved over time. This report also shows the docu
ments (with the version numbers) that were attached to the
policy object in its different versions. The ownership and cre
ation information for each of the versions is also available in
this report.
Risks Associated with Policies This report provides the ability to access the local Risk Man
agement risks associated with a certain policy, procedure,
work instruction, and so on. It also can retrieve a report that
lists all the policies, procedures, work instructions, and so
forth, that the company associated with a risk.
Processes and Controls with Policies This report details the processes that are impacted by a cer
tain policy. It also lists which controls are in place to ensure
compliance with the policy.
Regulation/Policy Requirement-Control Coverage This report provides visibility into the coverage of controls by
requirement by regulation or policy. For each regulation re
quirement, it shows the list of controls assigned. You can re
view this report and determine whether further controls are
needed.
Control-Regulation/Policy Requirement Coverage This report provides visibility into the coverage of require
ments by controls by organization and process. For each
control, it shows the list of requirements assigned. You can
review this report and determine whether further require
ments could be covered by a specific control.
Use
The Rule Setup work center provides a central location to set up automated tests and monitor controls,
maintain schedules for continuous control monitoring, and perform legacy automated monitoring.
Note
The Rule Setup work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications in the SAP governance, risk and compliance (GRC) solutions. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in
this topic covers the functions specific to SAP Risk Management. If you have licensed additional products,
such as SAP Access Control or SAP Process Control, refer to the relevant topics below for the application-
specific functions.
More Information
See the Rule Setup topic in the application help for SAP Access Control.
Definition
Depending on the applications you have licensed, the Continuous Monitoring section of the Rule Setup work
center gives you access to all or a subset of the following:
●
●
●
More Information
Use
Key risk indicators (KRI) are scores used to quantify risks and make them transparent on a cross-organization
basis. Based on a combination of organization and risk category, KRIs represent the current state of the
business.
Key risk indicators therefore represent a rational and quantitative measure of a particular risk at a particular
time. Risk indicators previously entered provide the risk owner with a series of “warning lights” that help the
owner comprehend the current risk the company is taking. One important application is to use risk data to
calculate KRIs for early indications of your organization's strategic target achievement.
You can enter key risk indicators manually or automatically. The system can also calculate the scores using
other KRIs. You can further automate your analysis by defining aggregation hierarchies based on organizations
or risk categories, which are available for display using the KRI Aggregation report.
Note
Key risk indicators differ from Key Performance Indicators (KPI) in that the latter are intended to show how
well something is being done by measuring past performance. KRIs, in contrast, are an indicator of the
possibility of a future adverse impact on the organization.
● In Management Accounting
○ To ensure there is no budget overrun (evaluation by cost centers, internal orders, projects)
Features
Example
A budget overrun is defined as the planned budget minus the actual budget costs. If the result is less than
zero, the budget has been overrun and represents a risk. If the budget overrun is defined as a key risk
indicator, a calculation to this effect is stored in the system. When the budget is then overrun, the risk
manager receives a message on it. It is possible to define, for example, that:
● The KRI compares the actual and planned costs per cost center.
● The system checks the balance against a threshold previously defined for the KRI.
Prerequisites
You can optionally define the systems, business processes, and components used for key risk indicators in
Customizing.
You can set up predefined key risk indicators (KRI) for your company by creating KRI templates. For each
template, you can then create several different KRI implementations.
Procedure
The KRI Template Catalog screen appears displaying the existing KRI templates.
2. Choose the Create pushbutton.
Results
After defining KRI templates, you can assign the templates to individual risk templates or risk categories. You
can subsequently use this information when you create a KRI instance for a risk, enabling you to obtain a
selection of available KRI implementations.
For more information about creating implementations, see Creating KRI Implementations [page 386].
You can also assign a KRI template to a risk category when you create the risk classification hierarchy. For
more information, see Classifying Risks, Opportunities, and Responses [page 366].
Example
For the risk Potential employee accidents belonging to the risk category Environmental health & safety risks,
only the key risk indicators related to this risk category are available for use. Examples of this would be
categories such as Near misses or Number of security violations.
Use
A key risk indicator (KRI) implementation is the actual application of a KRI template. For each implementation,
you can have several KRI instances (a KRI implementation assigned to a specific risk). The prerequisite for
creating a KRI instance is a saved KRI implementation.
Note
You create a KRI instance for a specific risk. For more information, see Assigning KRIs to a Risk [page 391].
Prerequisites
You need to fulfill the following prerequisites before you can create a KRI implementation:
● Complete the Customizing activities for system connectivity for key risk indicators, so that the KRI system
knows from which system the data is to be taken.
● Create the KRI template with which to implement the KRI. For more information, see Creating KRI
Templates [page 384].
Procedure
Note
For more information about how to work with queries, see Technical Requirements for BW Queries [page
387] and Technical Requirements for SAP Queries [page 388].
Related Information
You can use the SAP NetWeaver Business Warehouse (BW) Query functionality for key risk indicators in Risk
Management, or for automated controls in Process Control. However, you must observe specific technical
requirements regarding the Query Designer in the Business Warehouse. These are described in the table below.
Hierarchies off The data-oriented queries do not need the collapse-and-expand fea
ture. The query is expected to return only the fixed given level and no
virtual aggregation nodes above it. The best way to accomplish this is
to switch off the hierarchies in the hierarchical characteristics.
Results rows: Always suppress Aggregation is done on the Risk Management side, which means that
there is no way to differentiate between data rows and subtotal rows,
leading to the double itemizing of some of the output figures.
Restricted filtering options Risk Management and Process Control currently support only optional
single values and select-options. Other possibilities supported by the
Query Designer, such as interval values or multiple single values, are
not supported.
Key figures only in columns The current key figures are not supported in the individual rows. This
means that some kinds of 0MEASURE-based queries are not sup
ported. For PC usage, there should be only ONE key figure assigned in
columns area, which is then considered as the deficiency field of the
corresponding automated control.
Characteristics in columns If characteristics are in a column, the values must be fixed in the Query
Designer so that the number of columns remains stable and Risk Man
agement or Process Control can use the columns for reference and for
further settings. In Process Control, the characteristics cannot be in
the columns area, but only in the rows area.
Note
When working with BW queries, do not make use of the queries designed for end users. Instead, create a
new query by making a copy of an existing BW query definition, making sure to observe the requirements
above.
Concept
Instead of using the queries designed for end users, for KRIs you must create a new SAP query by making a
copy of an existing SAP query definition.
Prerequisites
● There is no support for ranked list and statistics output. This means that the RFC used does not return the
content of ranked lists and statistics output for an SAP query.
Prerequisites
You must complete the following Customizing activities found under Governance, Risk and Compliance
Risk Management Key Risk Indicators Connectivity :
● Maintain Connectors
● Maintain Scripts for Web Service
Context
You can use external Web services to implement key risk indicators (KRI). The SAP Web Service Connector
enables you to interact with all Web services, regardless of the implementation technology used, as long as it is
compliant with the provided WSDL (Web Services Description Language) file.
Procedure
1. Access a WSDL file in the SAP MIME repository. This is used to implement the correct Web service
interface.
2. Create the Web service implementation according to this WSDL file, using any available technology.
3. Using transaction SOAMANAGER, connect this implementation to the consumer proxy
CO_GRFN_CCI_WEBSERVICE.
Note
For more information, see Configuring a Consumer Proxy in Application Development on AS ABAP
(https://help.sap.com/viewer/7bfe8cdcfbb040dcb6702dada8c3e2f0/7.5.5/en-US).
4. Make note of the logical port you have created. In the Maintain Connectors Customizing activity, enter it as
the remote system. In the Connector Type field, choose the type WEBSERVICE. In the Remote System field,
enter the logical port you have just created. Save your entry.
5. Access the second Customizing activity, Maintain Scripts for Web Service. When you register the script, the
script data must correspond to the script ID in the service implementation. Save your entry.
Your external Web service is ready for use. If required, search the SAP Developer Network for further
information and details.
You can use SAP HANA-based KRIs, which use the capability of SAP HANA to analyze large volumes of data
and find out the potential risk quickly. This allows you to consolidate enterprise risks from multiple systems
through SAP HANA.
Prerequisites
To create the SAP HANA database connection, use transaction code DBCO.
To create the RFC connection (with the same name as the SAP HANA database connection), use transaction
SM59.
Activities
Customizing
1. Maintain categories for connectors and scripts.
1. In Customizing for Governance, Risk and Compliance, go to Risk Management Key Risk Indicators
Connectivity Maintain Categories for Connectors and Scripts .
2. Create a new category or modify an existing one.
Categories are optional for scripts and connectors, and can be used to structure scripts and
connectors in different versions or industries.
2. Maintain connectors.
1. In Customizing for Governance, Risk and Compliance, go to Risk Management Key Risk Indicators
Connectivity Maintain Connectors .
2. Create a new connector or modify an existing one, as follows:
○ Connector ID: The connector ID
○ Connector Type: HANA
○ Category: categories are optional for scripts and connectors and they can be used to structure
scripts or connectors in different versions and/or industries
○ Name: Descriptive name of this HANA connector
○ Remote System: The RFC name of this HANA connector
1. When creating the KRI implementation, for the Connector Type, select HANA.
2. Select the HANA connector.
3. Select the HANA script.
4. Define the implementation detail.
Note
For general instructions about creating a KRI implementation, see Creating KRI Implementations [page
386].
When creating or modifying a risk, create a KRI instance from the Key Risk Indicators tab, assign the KRI
implementation, and create a rule for the instance.
In the Risk Evaluation tab, choose the connection icon in the KRI column to connect the instance to the risk
analysis.
Use
When you enter a new risk, you can assign one or more key risk indicators (KRI) to the risk. This is known as a
KRI instance. In this way, you can automatically identify risks in business processes and escalate them to risk
owners for immediate attention if necessary.
Prerequisites
1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Standard KRI
Instance in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using
the drop-down lists.
7. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
8. In the Selection Table, modify the KRI implementation settings, as required.
9. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
10. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI
instance.
Alternatively, choose from among the following options:
○ Choose the Activate pushbutton to set the status as Active for the KRI instance.
○ Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor
(to the KRI liaison defined in the Risk Management workflows, for example). The dialog closes and the
Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the
workflow item, it returns to your inbox for processing or approval, among other options. For more
information, see Workflow for KRI Instance Localization Request [page 395].
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.
13. In the Business Rules section, create a KRI business rule, if required.
For more information, see Creating a KRI Business Rule [page 393].
14. Save the risk data.
1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Manual KRI Instance
in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained
in the database. By default, the Yes radio button is selected.
6. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
Prerequisites
● The GRC Customizing activity on workflow notification messages, found under General Settings
Workflow , must be maintained if you wish to use settings other than those in the default system.
Context
A business rule is a formula containing a mathematical calculation that is entered for a defined KRI instance,
that is, one individual implementation of a KRI template. Such business rules provide standard calculations for
both management and legal consolidation reporting.
Example
When monitoring your expenses, you would like to know whether the current monthly expenses are much
higher than the values of the last three months. You define a business rule for this, and an email is
automatically sent via workflow to the risk owner or owners, who can then review the risk and decide on the
proper response to it.
Procedure
The assigned key risk indicator status must be marked active for you to proceed. You can change the
status by opening the assigned KRI and choosing the Activate pushbutton.
You can specify the Expression as either a Formula or a Decision Table using the Rule Type drop-down
menu. After you are finished, you can check the syntax, test the rule, or access the NetWeaver Business
Rule Framework plus Workbench (see https://help.sap.com/doc/
7b784763728810148a4b1a83b0e91070/1.0%20SP04/en-US/pdf.sap_BRFplus_en.pdf).
6. Specify the Actions for the KRI business rule using the corresponding radio buttons.
You can specify whether a risk assessment workflow is to be triggered, whether an email notification is to
be sent to the risk owner, and whether the risk is to be flagged.
Note
You should flag the risk if the corresponding KRI business rule has been violated. After you have flagged
this risk, a yellow lightning symbol appears on the KRI tab of the Risk application. You can reset the
alert by choosing the Reset KRI Violation Status pushbutton.
7. Choose OK pushbutton. The new business rule appears in the list of rules assigned to the risk.
8. Save the risk data.
Next Steps
For more information about the syntax of business rules, see Creating a Formula Expression in https://
help.sap.com/doc/7b784763728810148a4b1a83b0e91070/1.0%20SP04/en-US/pdf.sap_BRFplus_en.pdf.
Use
You can use the SAP workflow functionality to create a KRI implementation request. This workflow enables you
to create one or several KRI implementations.
You must fulfill the following prerequisites before you can use the workflow functionality for KRIs:
● A KRI template must exist for each implementation request. For more information, see Creating KRI
Templates [page 384].
● Risk Management roles must be configured. For more information, see .
Procedure
When you edit a KRI template, you can request one or more implementations for it.
1. Under Rule Setup Continuous Monitoring , choose KRI Templates to access the KRI template catalog.
2. Open the KRI template for which you want to create an implementation request and choose the
Implementations tab.
3. Select the Request view and create a new KRI implementation request by using the Create button. Enter a
Notes text if necessary.
4. Save the request and access the My Home work center. The new workflow displays in the Work Inbox.
5. In the work inbox, choose the work item to see the KRI implementation request for it.
6. In the lower screen section of the work inbox, you can create an implementation. Note that the template
field may be prefilled. In the Implementation Detail tab, make the necessary entries. When you have
finished entering the data, choose OK.
The buttons at the top of the screen mean the following:
○ Complete: The status changes to completed. After the request creator confirms the request, it is
removed from the inbox.
○ Save: This does not change the workflow status.
○ Cancel: The changes you made are canceled.
○ Confirm: This confirms a completed workflow.
Note
When you choose Complete, the work item is returned to the inbox of the workflow processor. When
you call it up again from the inbox, you see the Confirm pushbutton.
Use
You can use the SAP workflow functionality to create a KRI instance localization request.
The following prerequisites must be fulfilled before you can use the workflow:
● A KRI instance must exist for each KRI instance localization request. For more information, see Assigning
KRIs to a Risk [page 391].
● Risk Management roles must be configured.
Procedure
When you create or edit a KRI instance, you can request a localization for it. To process the request, proceed as
follows:
1. Access the work inbox in the My Home work center. Select the work item to see the KRI instance
localization request for it.
Note
2. In the lower screen section, you can adjust the selection table with respect to the risk-specific settings. The
buttons have the following meanings:
○ Complete: The status changes to completed. After the request creator confirms the request, it is
removed from the inbox.
○ Save: This does not change the workflow status.
○ Cancel: The changes you made are canceled.
○ Confirm: This confirms a completed workflow.
3. When you are finished, call up the work inbox to view the work item.
Note
When you choose Complete, the work item is returned to the inbox of the request. When you call it up again
from the inbox, you see the Confirm pushbutton.
Use
You can manually input values for key risk indicator (KRI) instances (that are not scored) using the KRI Manual
Value Input screen. When inputting values, you can select the instances directly or using a combination of KRI
templates and organization units. In the former case, the input is a simple list; in the latter case, the input
consists of a matrix with each cell representing a single instance.
Note
Procedure
Note
If you select the Allow Date Input checkbox, you can manually add the update date of the KRI value in
the next step, which will then be displayed as the KRI timestamp value.
3. In Step 2: Provide Values, specify the values for the entries by choosing the Browse pushbutton, selecting
the upload file, and choosing the Upload pushbutton.
You can use KRI aggregation hierarchies, based on organizations or risk categories, to automate your analysis,
the results of which are available for display using the KRI Aggregation report.
When managing KRI aggregation hierarchies, you can complete the following tasks:
Context
You can search KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with KRI Aggregation Hierarchies automatically selected in the Select
Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Hierarchy Type ID fields, type or select the range of hierarchy types.
Choose the Preview pushbutton to display the table of aggregation hierarchies based on the current
criteria. Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
Next Steps
Use
You can create KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. You can also create a
new aggregation hierarchy by copying an existing hierarchy and modifying the appropriate settings.
Procedure
1. Select an aggregation hierarchy in the table, and choose the Copy pushbutton.
The Copy Aggregation Hierarchy screen appears.
2. In the Title field, modify the name of the aggregation hierarchy.
3. Review the current settings and modify, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
More Information
Context
You can modify specific KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.
Procedure
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
The Change Aggregation Hierarchy screen appears allowing you to modify the settings.
3. Modify the aggregation hierarchy settings, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
Next Steps
Context
You can delete existing KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.
Procedure
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Select one or more aggregation hierarchies that you need to delete.
3. Choose the Delete pushbutton.
Next Steps
You can use the KRI Aggregation Run quick link to manage KRI aggregation runs, including completing the
following tasks:
Context
You can search KRI aggregation runs using the KRI Aggregation Run Management screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.
Procedure
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with KRI Aggregation Runs automatically selected in the Select Object
Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Aggregation Type field, choose Key Risk Indicator using the drop-down list.
Choose the Preview pushbutton to display the table of aggregation runs based on the current criteria.
Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
Use
You can create KRI aggregation runs using the KRI Aggregation Run Management screen. You can also create a
new aggregation run by copying an existing run and modifying the appropriate settings.
Procedure
1. Select an aggregation run in the table, and choose the Copy pushbutton.
The Copy Aggregation Run screen appears.
2. In the Name field, modify the name of the aggregation plan.
3. Review the current settings and modify, as required.
4. Choose the Save pushbutton.
Context
You can modify specific KRI aggregation runs using the KRI Aggregation Run Management screen.
Procedure
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the name of the aggregation run you want to modify.
The Edit Aggregation Run screen appears allowing you to modify the settings.
3. Modify the aggregation run settings, as required.
4. Choose the Save pushbutton.
Next Steps
Context
You can delete existing KRI aggregation runs using the KRI Aggregation Run Management screen.
Procedure
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Select one or more aggregation runs that you need to delete.
3. Choose the Delete pushbutton.
Next Steps
7.4 Assessments
Use
The Assessments work center provides a central location to view and manage surveys, test plans, and risks and
opportunities. You can also use the work center to maintain incidents and plan evaluations, as well as simulate
risks using scenarios.
●
● Risk Assessments [page 415]
Note
The Assessments work center is shared by the SAP Access Control, SAP Process Control, and SAP Risk
Management applications in the GRC solutions. The menu groups and quick links available on the screen
are determined by the applications you have licensed. The content in this topic covers the functions
specific to SAP Risk Management. If you have licensed additional products, such as SAP Access Control or
SAP Process Control, refer to the relevant topics below for the application-specific functions.
More Information
7.4.1 Surveys
Use
A survey is a structured list of questions. Within GRC, surveys are used to obtain information about the
existence and evaluation of risks (SAP Risk Management) or the design or operational adequacy of controls (if
you also have a license for SAP Process Control). Surveys are used to carry out assessments of objects such as
risks, activities, or policies, for example. These assessments are defined via plans in the Risk Management
Planner [page 499].
Surveys are created and maintained in the and sent via the workflow (which can be routed to an inbox and/or e-
mail).
For more information, see the corresponding topic in the application help of SAP Process Control:
Prerequisites
● To send e-mails with interactive PDF survey data, complete the Customizing activity Maintain Inbound E-
Mail Settings for Survey under Governance, Risk, and Compliance General Settings Workflow .
Related Information
Definition
The Question Library lists the user-defined questions that you can use within your surveys. Each question
comprises the following information:
Use
● Create new questions. You can create a new question, or copy and change an existing question.
● Open questions for editing. You can only edit questions that are not being used in a survey.
● Delete questions. You can only delete questions that have not been assigned to any survey.
● Upload questions from a file stored on your local machine.
You can use the questions defined in the Question Library with the surveys listed in the Survey Library.
More Information
Use
For each type of survey, you can create user-defined questions to be attached. You can create questions in the ,
or you can open a specific survey in the and create questions for it. Furthermore, you can define your own
answer types, which you can attach to question or survey categories if necessary.
Note
If a question is already being used in a survey, you cannot change any data for it, but you can deactivate it.
Complete the Customizing activity Define Ratings for Survey Questions, found under Governance, Risk, and
Compliance Common Component Settings Surveys .
Procedure
To create a question:
Note
If you are not finished formulating the question, or if you want to make a question obsolete, deactivate
the question. You cannot delete questions that are already used in surveys.
5. Enter one of the following answer types (answer types vary based upon the survey category):
Rating Requires the entry of a rating type. If you select this an
swer type, you are asked if the answer requires a com
ment.
Probability Level Requires the entry of a probability level. If you select this
answer type, you are asked if the answer requires a com
ment.
Impact Level Requires the entry of an impact level. If you select this an
swer type, you are asked if the answer requires a com
ment.
Speed of Onset Requires the entry of a speed of onset value. If you select
this answer type, you are asked if the answer requires a
comment.
Note
The answer types Yes/No/NA, Rating and Choice support user-defined scoring for each answer option.
A number score is assigned to each answer option at the design time. At runtime, users receive the
scores according to their selections. A final score is based on aggregating the scores from each
question.
○ For the answer type Rating, scores are defined during the Customizing activity, Define Ratings for
Survey Questions, located under Governance, Risk and Compliance Common Component
Settings Surveys .
○ For the answer type Choice, scores can be defined in the frontend, or they can be defined in the
corresponding column of the survey upload Excel file.
○ For the answer type Yes/No/NA, question scores are defined when the survey is defined.
Recommendation
6. If you are creating a question directly from a survey, choose Actions Create Question . On the Create
Question screen, you can specify if the question is local (only used for this survey). If you choose No, the
question can be used in other surveys.
7. Save your data.
Result
Note
If you want to upload new questions from your hard disk, you can do so by choosing Actions Upload .
The format of the file must be .csv, which can be created from a Microsoft Excel spreadsheet. For Choice
type questions, this spreadsheet can define the scores given to each choice, using the CHOICE_SCORE
column.
Definition
The Survey Library lists the user-defined surveys that you can use to obtain information on the existence and
evaluation of risks (RM) or the adequacy of controls (PC). Each survey comprises the following information:
Use
● Create new surveys. You can create a new survey, or copy and change an existing survey.
● Open surveys for editing. You can only edit surveys that have not been scheduled.
● Delete surveys. You can only delete surveys that have not been scheduled.
You can use the questions defined in the Question Library with the surveys listed in the Survey Library.
More Information
Prerequisites
See .
Procedure
To create a survey:
Note
Using valuation for risk analyses requires additional settings through the Customizing activities.
Complete the activities listed under Governance, Risk, and Compliance Common Component
Settings Surveys .
Note
You cannot activate a survey without first creating one or more questions for it.
Example
Survey A has two questions (Q1 and Q2). The answers and scores are defined as following:
○ Question 1: Answers: 1.1 = 50; Answer 1.2 = 0
○ Question 2: Answers: 2.1 = 0; Answer 2.2 = 0; Answer 2.3 = 50
8. Save the survey. Your survey can now be included in a plan when you call up the .
Note
○ Your survey becomes visible on the Survey tab of the Risk or Activity screen after you create a plan
in the Planner and have sent out the survey.
○ You can display the results of the survey by running the Survey Results report under Reports and
Analytics Compliance .
More Information
SAP Risk Management currently provides the following categories of surveys in the Survey Library for
evaluations of different purposes:
● Activity Survey
● Activity Validation
● Collaborative Risk Assessment
● Opportunity Assessment
● Opportunity Validation
● RCSA
● Response Update
● Risk Assessment
● Risk Consolidation [page 413]
● Risk Indicator Survey
● Risk Survey
● Risk Validation
Risk consolidation allows you to evaluate the risks of different organization levels in a company from bottom
up, and consolidate them at the corporate level. You can choose the risks to be consolidated from a lower level
organization unit, and submit them to the upper level organization unit, until all risks reach the corporate level.
Use
You can use the valuation and scoring function built into survey and question creation to assist in risk analysis
and process control evaluation.
● Surveys can be created with the type No Valuation or Score-Based Valuation. If you choose Score-Based
Valuation, a Set Score link appears on the right side of each line for all score-based questions that you have
created or that you have added from the .
Note
Certain question types, such as those requiring a text entry, cannot be scored. The Set Score link will
not appear next to these kinds of questions. For more information about the different question types,
see .
● When you choose the Set Score link, an Override Question Score window appears. You can choose to use
any maintained values that were preset through the Customizing activities, or you can override those
values with those of your own choosing.
Note
If you override the preset values, the values you enter are valid only for this instance of the question. If
you use the same question type for another question in a survey, the default values are assigned to it
unless you override them again.
● For Score-Based Valuation surveys, the scores of responses are displayed alongside the responses in the
Survey Browser.
● If you wish to revert to the values set in the Customizing activities, click the Reset button in the Override
Question Score window.
● You can indicate whether a question is to be local (one-time only for a survey) or if it is to be global (stored
in the Question Library after creation). The default setting is global.
Use
The Risk Assessments section of the Assessments work center enables you to create activities to be evaluated
for risks and opportunities, such as projects or business processes. These are assigned to risks and
opportunities that you create. Besides specifying risks and opportunities, you can also:
● Analyze the risks and enter the appropriate responses to mitigate these risks.
● Document risks that have occurred (called incidents).
● Define specific risk scenarios.
● Run risk assessment surveys.
Prerequisites
Features
In this work center, you can carry out the following functions:
● Create activities such as business processes, projects or assets, for which you wish to capture risks. For
more information, see Activities [page 477].
● Document risks that have occurred, called incidents, together with the losses incurred for an incident. For
more information, see Incident Management [page 484].
Use
In the section Risks and Opportunities of the Assessments Risk Assessment work center, you can enter
risks as well as opportunities for your organization. Risks and opportunities are defined as follows:
● A risk is any event that can prevent management from meeting the business goals of an organization.
● An opportunity represents an uncertain event or condition that, if it occurred, would have a positive impact
on business objectives. An opportunity can therefore be regarded as a positive aspect of a risk as defined in
Risk Management.
Features
Opportunity Management refers to the analysis of opportunities, to be able to make the best possible use of
them. The process involves the following steps:
When you click the Risk and Opportunity Management link, a query screen opens, displaying all maintained
risks and opportunities. Here you can view all existing risks and opportunities or create a new risk or
opportunity.
For more information, see Creating a Risk [page 416] and Creating an Opportunity [page 454].
Use
After defining a risk classification structure, you can begin creating risks in the Risk Management application.
● Risk impacts and drivers must be maintained in Customizing. You may also need to make entries in the
Maintain Influence Strength Customizing activity, found under Governance, Risk and Compliance Risk
Management Master Data Setup .
● If you want to conduct a risk assessment, the analysis profile must be maintained in Customizing under
Governance, Risk and Compliance Risk Management Risk and Opportunity Analysis .
● If you want to add KRIs to your risk, you must have maintained a KRI implementation in the Risk
Management application. For more information, see Creating KRI Implementations [page 386].
● You must maintain a risk classification structure containing individual risk categories in the risk catalog
[page 365].
Procedure
1. From the Assessments work center, choose Risk Assessments Risks and Opportunities .
2. In the overview screen that appears, choose Create. You have the following options:
○ You can create a risk with or without a risk template. You create a risk template during risk
classification.
Note
For more information about risk template creation, see Classifying Risks, Opportunities, and
Responses [page 366] and Creating a Risk Template [page 368].
To create a risk from a template, see Creating a Risk from a Template [page 419].
○ You can create a risk in the standard application or using the graphical view. You also have the option to
create a risk with or without a risk template. For more information, see Graphical View Risk Creation
[page 447].
3. If you are creating a risk in the standard application, the Create Risk dialog box appears in which you enter
information in the following tabs:
○ General tab: Enter the name of the event or risk you want to create, as well as the organizational unit
and the risk category used to classify it. The validity period is preset, but you can change it to your
relevant dates.
○ In the lower screen section, you can enter the impacts and drivers that would affect this risk if it
occurred. If so specified, there may be customer-defined fields ready for input displayed in this
tab.
○ Roles: Assign a user or users to the Risk Owner role by choosing the Assign pushbutton.
○ Key Risk Indicators tab: You can enter KRI instances and business rules for a KRI, to use when
evaluating the risk. For more information, see Key Risk Indicators [page 383] and Assigning KRIs to a
Risk [page 391].
In the lower section, you can create a business rule for the Key Risk Indicator in the upper section. For
more information, see Creating a KRI Business Rule [page 393].
The prerequisite for creating a KRI instance is an active KRI implementation, and the prerequisite
for creating a KRI business rule is an active KRI instance.
○ Analysis tab: You can view the history of all past and present risk analyses, and you can also create new
risk analysis data. For more information, see Risk Analysis [page 423].
○ Response Plans tab: You can create a new risk response, assign an existing response, or assign a
control proposal from Process Control. For more information, see Creating a Response or
Enhancement Plan [page 459]. You have the following options:
○ If you have licensed Risk Management, you can create a new response or assign an existing
response. For more information, see Assigning a Response [page 463].
○ If you have licensed Process Control, you can also create a control proposal or policy, or assign a
control or a policy on this tab. For more information, see Using PC Controls [page 466].
After submitting the control, it is displayed in the Response tab of the risk as a response of the type
Control. Note that you must first save the risk.
○ Using the Remove pushbutton, you can delete a response from the list, but only if it has Draft
status.
○ Using the Print Version pushbutton, you can create a print version of the results list in PDF format.
○ On the Risk Incidents tab, you can report new risk incidents (that is, risks that have occurred), or open
existing incidents for further processing. For more information, see Working with Incidents [page 485].
○ On the Influenced Risks tab, you can use the Create Influence Factor button to enter other risks (called
influenced risks) and the corresponding influence factors that may increase or decrease the
probability and/or impact of the influenced risk.
Note
You use the chain of influenced risks in the Risk Management Scenario Analysis and Monte Carlo
simulation. For more information, see Scenario Management [page 488] and Scenario Analysis
using Monte Carlo [page 495].
First enter the influenced risk itself. Then you can define the influence factors for the risk either in
quantitative or qualitative form, but not both.
○ If you define a quantitative evaluation type, you make entries for the evaluation type as follows:
○ Influence factor on impact: You enter a factor value between 0.01 and 999.99. This factor
represents the increase (for a factor greater than 1.00) or decrease (for a factor smaller than
1.00) of the total loss of the influenced risk. The condition is that the primary risk — that you
are currently working with — has already occurred.
○ Influence factor on probability: You enter a factor value between 0.01 and 999.99. This factor
represents the increase (for a factor greater than 1.00) or decrease (for a factor smaller than
1.00) of the probability of the influenced risk. The condition is that the primary risk — the one
that you are currently working with — has already occurred.
○ If you specify a qualitative evaluation type, you can define the influence strength in the Strength
field. Select a value from the dropdown options, which refer to the degree and type of influence of
the primary risk on the influenced risk.
Note
The conversion of the influence strength into individual influence factors on impact and
probability is defined in Customizing (see the Prerequisites section above).
Note
After saving your risk data, you can choose the Print Fact Sheet pushbutton to obtain a document with risk
data in PDF format for printing.
Use
You can use a risk template to create a risk with default data maintained for your organizational unit. The risk
template can also have been distributed over several organizational units and can be used in them as the basis
for creating risks.
Prerequisites
A risk template must have been created for use with the new risk.
Procedure
1. Access the risk creation screen under Assessments Risk Assessments Risks and Opportunities
and choose Create Create with Risk Template in the Risk and Opportunity Management screen. You
Note
Two columns referring to risk templates are displayed in the overview list:
○ Distribution Method: The risk template data is either copied, and can be changed in the risk, or it is
merely referenced, and the risk template data cannot be changed.
○ Risk Template: The template used to create the risk is displayed.
Result
The values of the template, including the data of customer-defined fields, are copied into the risk.
More Information
Use
Sometimes it may be necessary to delete a risk. However, due to time-dependency constraints in the system,
you cannot delete a risk on the same day that you created it.
Features
If you created a risk on the current date and activated it the same day, it cannot be deleted without losing the
ability to track and audit this risk in the Risk Management database. In normal processing, deletion sets the
Note
You can delete a risk with Draft status, but note that it will truly be deleted from the database, without any
auditable trace left in the system.
● Wait at least one day before deleting this risk. Note, however, that this risk remains in the system as a valid
risk, with a validity period lasting just one day.
● If you activated the risk by accident (that is, you did not intend to submit it, but it was submitted
nevertheless), you can contact your system administrator, who can delete your risk in the back-end
system.
A risk ("source risk") can be copied to multiple organization units ("target organization units") at a time.
If you want the copies of the source risk to share its underlying risks, by default you have the following two
options:
● Reference
The copies of the source risk reference its underlying risks.
● Copy
The underlying risks are copied to the target organization units as well.
You can also enable the further subdivision of the "Copy" option into "Copy To Target" and "Copy To Source".
● Copy To Target
The underlying risks are copied and the copies are assigned to the target organization units.
● Copy To Source
The underlying risks are copied but the copies are assigned to the source organization units.
To do so, enter transaction SM30, open view V_GRPCCUST1, and activate UL_COPY_TO_SOURCE.
Use
The validation of risks by risk managers is an essential task for proper risk management in your company. It
enables risk managers to obtain proper sign-off and confirmation for the current risk situation with respect to
activities such as company processes or new projects.
Workflow management and personal object worklist (POWL) activities in Customizing under Governance,
Risk and Compliance General Settings Workflow and POWL for Work Inbox must have been carried out.
To be able to create a new risk validation directly from the screen of the corresponding risk, you must must
activate this feature in Customizing for Governance, Risk and Compliance under Risk Management Risk
and Opportunity Analysis Enable Risk Validation from Risk .
Features
Using the SAP Risk Management Planner, you can trigger a validation workflow for risks entered in the system.
Each risk has the attributes Validated by and Validated on, which are updated after validation. Once you have
accessed your inbox and validated the risk, the validation timestamp refers to the date when the risk was
validated. You see the status with a link to comments, and the name and date of the validator.
1. The workflow task goes to the risk owner for validation. The task includes the numbers of incidents and
mitigations, and the validator can click these to drill down to their details.
2. The unit risk manager or validator then approves or rejects the risk as follows:
○ If the validator approves the risk, the risk application displays the validation status Approved and the
validation timestamp.
○ If the validator rejects the risk, the validation status changes to Rework.
Activities
There are two ways you can create a new risk validation.
You can create a new risk validation directly on the screen of the corresponding risk, by choosing Save and New
Validation.
Note
You can only do this if you have enabled the feature in Customizing. See the Prerequisites above for details.
1. Access the Risk Monitoring work center and then the Planner section.
2. Choose the Planner link and proceed as follows in the next screen:
3. Choose the Create pushbutton to enter the plan name and select the plan activity Perform Risk Validation.
4. Enter a name for the plan and the due date.
5. Choose Next and select the organization with which you are working. Choose Next again.
6. In the step Perform Selection, you can choose to work with all risks or limit the selection to one risk or to
specific risks by entering various attributes.
You can see the risks with the defined workflow recipients (in this case, these are the risk owners) by
choosing the Show Detail pushbutton.
7. After choosing Next again, you are in the Review step. You can now choose the Activate Plan button, after
which you receive confirmation that the plan has been saved and activated.
8. Choose Finish to end the guided procedure or choose Create New Plan if you want to create another plan.
If you choose Finish, your plan is displayed in the list of plan activities.
Use
Risk analysis involves analyzing your risks to determine the impact and probability of a potential risk occurring.
The Analysis tab on the Risk application provides users with the flexibility of defining the type of analysis
performed, either qualitative or quantitative, depending on the nature of the risk event. The outcome is the
determination of the risk level (probability level X impact level).
Note
Risks that are initially analyzed are called inherent risks. After analysis and response/mitigation of the risk,
the term residual risk [page 424] is used to denote the degree of risk left.
Prerequisites
Drivers, impacts and analysis data from Customizing must exist before you can analyze a risk. For further
prerequisites, see Creating a Risk Analysis [page 427].
Features
● Qualitative
This analysis includes determining the risk level on the basis of the probability and impact levels of the risk.
The result of the analysis is a qualitative view of the risk level, such as high, medium, and low.
● Quantitative
Using this analysis form, you can assess the probability of a risk happening using percentage values and
the impacts per impact category assigned to the risk. The analysis results include the expected loss, total
impact, and risk level, which is based on the total loss and probability values.
○ Three-point analysis
This type of quantitative analysis is based on the range of Total Loss Values (Minimum Loss, Average
Loss, and Maximum Loss).
More Information
Use
All companies face a variety of internal and external risks that can impact the success of their business
strategies, goals, and objectives, as a part of doing business. You can proactively manage risks using the
following four-step process:
1. Planning
2. Risk identification and assessment
3. Risk response
4. Monitoring
Carry out these steps to gain better visibility into your organization's risk exposure.
Features
By carrying out the above four steps, you perform and consolidate the analytical results of a risk analysis. The
risk analysis is an assessment of the likelihood that the risk is going to occur, and of the impact to the company
if the risk occurs. The result of the risk analysis is also referred to as the risk exposure.
If the risk exposure is unacceptable, you can document risk responses, which are aimed at reducing the
likelihood that the risk will occur or lowering the impact of the risk if it occurs (this is called risk mitigation
[page 453]). Examples of risk responses include actions to reduce the risk, control the risk with internal
policies and processes, transfer the risk to third parties, or accept or watch the risk.
Once a response has been implemented, you can then carry out a second risk analysis, showing the mitigated
probability and impact of the risk, whose values should be lower than those in the initial risk analysis. This new
risk analysis information is referred to as the residual risk exposure.
Residual risk calculation deals with the influence that responses have on the risk exposure. The change in the
risk exposure from the initial exposure to the residual exposure depends on a number of factors related to the
individual risk responses. Furthermore, the effect of the response on the risk exposure changes over time, is
To solve this problem, the influence of the response on the risk exposure can be considered as the result of the
following three independent factors:
● Mitigating reduction: This refers to the mitigating reductions of all the responses associated with the risk
when applied to the initial analysis. The result is the calculated residual risk analysis.
● Completeness of the response: Describing how much of the response has been implemented, this value is
calculated together with the effectiveness of the response.
● Effectiveness of the response: These figures are maintained by response owners, independently of the
actual risk analysis, describing how effective a particular response is at reducing a risk.
Once the responses have been entered, the system calculates both the actual and target residual risk
exposure. After the responses have been implemented and completed, the planned residual risk level should be
low.
Taken together, these steps enable the continuous evolution of the residual risk analysis based on the ever-
changing effectiveness and completeness of the responses. The final result is the calculation of the actual
residual risk exposure.
The final step in the process is to monitor the risk exposure on an ongoing basis. This includes the ongoing
calculation and recalculation of the actual and planned (target) residual risk, based on the response
effectiveness, completeness, and mitigation reduction values.
Concept
Carrying out a risk analysis means taking different factors into consideration, in particular the Customizing
settings involved. These can vary greatly, depending on the type of risk analysis you want to carry out.
Prerequisites
You must make several GRC Customizing settings, the most important of which are in the activity Maintain
Analysis Profile, found under Risk Management Risk and Opportunity Analysis . For more information
about prerequisites, see the linked topics below.
The following table provides an overview of the most important risk analysis fields and how to use them. The
Customizing settings referred to are those made in the Customizing activity Maintain Analysis Profile:
Note
If the probability is disabled, the
risk score equals the total impact,
and the risk level corresponds to
the following formula: Impact level
x highest probability level value (at
least one probability level must be
maintained in Customizing).
Impact Allocation Quantitative The user enters the amount (in the cur
rency of the organizational unit or in the
maintained unit of measure); the proba
bility level and the score are calculated
using the Customizing settings.
Analysis Comment User-defined text The user can enter a text-based com
ment on the overall risk analysis.
Risk Level Calculated by the system The risk level is calculated by the sys
tem from the impact level and the prob
ability level.
Risk Score Calculated by the system The risk score is calculated from the
probability and impact scores using the
aggregation type specified in Customiz
ing.
Risk Priority Calculated by the system The risk priority is calculated by the
system using the speed of onset and
the risk level.
More Information
Use
You can carry out a risk analysis both for a risk you have just created and for an existing risk.
To carry out a collaborative risk analysis involving the participation of several risk managers or users, see
Collaborative Risk Assessment [page 436] and Creating a Collaborative Risk Assessment from a Risk [page
440].
Prerequisites
The following Customizing activities must be carried out before you can carry out a risk analysis:
Procedure
1. Choose Assessments Risk Assessments Risks and Opportunities . In the Risk and Opportunity
Management screen, create a new risk or select an existing risk by clicking on its name in the Risk /
Opportunity column.
2. Make sure that risk impacts for the selected risk have been maintained in the lower screen section. After
saving, these are also listed in the Analysis tab of the risk.
3. Choose the Analysis tab. If no analysis exists, choose Create Analysis or Create Collaborative
Assessment .
4. If you choose Create Analysis , you see the following screen sections:
○ Analysis section: Here you can create a new analysis for this risk as described below.
○ Analysis history section: See Historical Risk Analysis Report [page 435] for further information.
○ If you choose Create Collaborative Assessment , you receive a list of all users, or contributors
who are collaborating on assessing the risk, together with further data about the assessment. You can
continue to modify the list and the data up until you submit the collaborative risk assessment.
5. Analysis section: You can see all the analyses that were run up until now.
You cannot make any changes to analyses that have already run.
Depending on the settings made in Maintain Analysis Profile in Customizing under Governance, Risk and
Compliance Risk Management Risk and Opportunity Analysis , you see the following column headers:
Column Meaning
Note
○ If impact reduction in the Analysis Profile activity
in Customizing is switched on, you should enter
values for the inherent risk. The residual and re
sidual planned risk values are calculated using
the responses assigned to the risk.
○ If impact reduction is not switched on in the
Analysis Profile, you must enter the inherent and
residual risk data manually.
Speed of Onset The speed of onset refers to the time horizon in which you
expect the risk to occur. This time horizon changes over
time, becoming less as the risk event comes nearer.
Speed of Onset (SoO) Score The score for the speed of onset is determined as per the
Customizing settings. The longer the speed of onset, the
higher the score.
Total Loss The total loss in monetary terms, per type of risk. See
Expected Loss below.
Impact Score A value that expresses the impact or impact level, defined
in Customizing.
Expected Loss The expected and total loss are calculated only if there is
at least one quantitative impact.
Risk Level The degree of the risk, based on the probability and im
pact data.
Risk Score A score calculated from the probability score and the im
pact score using the risk score aggregation method de
fined in Customizing.
6. Click the Total Loss link. The Impact Allocation screen section opens below.
7. Make settings in the Impact Allocation section. Depending on what you select here, the fields that are
displayed may differ.
Note
The conversion from quantitative to qualitative impact is carried out using the settings made in
Customizing for Analysis Profile.
The risk thresholds are defined for impacts within an organization. For more information, see Working
with Organizational Units [page 343].
8. First make settings for the impact values to be used with this risk analysis. For this, select an Analysis
Method from the dropdown options. For example, if you select the Quantitative analysis method, you enter
the impact in the Impact column.
Three-Point Analysis Best case, average case, worst case monetary values
9. In the Impact Level column, you can see the impact level that was calculated using the values entered
previously, according to the Customizing settings. Depending on the analysis method selected, this is
either calculated by the system or entered manually.
10. Below this, you can set the Overwrite Overall Impact indicator if necessary. This enables you to overwrite
the impact level and score, depending on the analysis method selected above. The impact level is derived
from the impact score and is displayed below it.
11. Finally, enter the unit of measure to be used for impact calculation.
12. Save the analysis data for the risk.
Use
The quantitative risk analysis method is used to quantitatively analyze the likelihood of risk occurrence and the
potential impacts, so that you can determine which follow-up actions, such as risk responses, are required.
Prerequisites
Impact levels and risk analysis attributes must be defined in Customizing under Governance, Risk and
Compliance Risk Management Risk and Opportunity Analysis , and impacts must be defined for a risk.
Procedure
1. Go to Assessments Risk Assessments Risks and Opportunities and select the risk you want to
analyze by clicking on its name in the Risk / Opportunity column.
2. In the Analysis tab of the risk screen, choose the Create New Analysis pushbutton.
3. Select the date from which the analysis is to be valid and choose OK.
Note
4. The Analysis tab contains an analysis of the inherent risk, which is valid from the date you specified.
Depending on the analysis profile set in Customizing, you can overwrite the probability percentage or the
impact of the risk. If it contains a value, the expected loss is now updated in the corresponding column.
5. Choosing a line of the inherent risk and clicking a linked Total Loss or Impact Level column of the risk leads
to the Impact Allocation section displaying below it.
6. If necessary, use the dropdown options to change the Analysis Method to Quantitative.
7. Enter the impact and change the unit of measure if necessary. You can see the total loss in the column to
the right. If you have set the scoring approach, the system calculates the qualitative impact level, and the
impact score is calculated according to the formula Impact x Probability (%) = Impact Score
8. Carry out the above step for each impact and then save the risk.
9. The Impact Score column now contains the aggregated total of all scores for this risk, and for all specified
analysis methods.
If the Mitigation field in the Analysis tab has been activated in the back-end, you can see all of the mitigation
results for the responses to the selected risk, including the calculated sums for probability and for
particular impacts. For more information, see Risk Mitigation [page 453].
More Information
Use
The scoring method of risk analysis enables risk managers to use a point-based system to assess the risks of
their organization.
The system assesses the drivers and impacts you define, either qualitatively, with results translated into point
values, or quantitatively without conversion into currency. The results of the scoring approach are the defined
risk score and risk level. The following types of scores are calculated and then combined into an overall score:
Prerequisites
The following Governance, Risk and Compliance Customizing activities under must be carried out before
scoring can be used:
Note
The risk score calculation method differs if the probability is enabled in the Maintain Analysis Profile
Customizing activity.
○ If the probability is enabled, the risk score = probability X impact.
○ If the probability is disabled, the risk score = sum of all impact values.
Using RM scoring methodology, you can carry out the following types of risk analyses:
Prerequisites
● The Maintain Analysis Profile Customizing activity, found under Governance, Risk and Compliance Risk
Management Risk and Opportunity Analysis , must have the following settings:
○ Probability and Impacts must be set at Quantitative.
○ The aggregation method for impacts and the risk score should be set at Summation.
○ The Expected Loss and Scoring checkboxes must be selected.
● You must maintain the Customizing activity Maintain Risk and Opportunity Level Matrix.
Context
Using the scoring method, you can carry out a quantitative risk analysis using a user-defined, point-based
approach.
Procedure
1. Open a risk you have created with drivers and impacts, as follows: Assessments Risk Assessments
Risks and Opportunities , and click on its name in the Risk / Opportunity column.
2. From the Analysis tab of the risk screen, choose Create Analysis .
3. Select the date from which the analysis is to be valid and choose OK.
4. The Analysis tab now contains an analysis valid from the date you specified. Enter the probability
percentage of the inherent risk by overwriting the zero value. The expected loss, as a percentage of the
total loss, as well as the risk level, are updated in the corresponding columns.
5. Choosing an inherent risk by placing the cursor on its line and clicking a linked Total Loss or Impact Level
leads to the Impact Allocation section appearing below. Here you can do the following:
○ You can select another analysis method for an impact, as defined in Customizing.
Use
A qualitative risk analysis is carried out using a text-based analysis evaluation. For example, the impact level of
a risk can be minor, major, or catastrophic. To have the system translate the qualitative values into quantitative
values, you can use the scoring method. The system converts the entered probability levels into the
corresponding number of scoring points, as defined in the Customizing activity for probability levels. The
following steps are carried out in this process:
● The system calculates the total impact for the risk based on the aggregation method defined in the
Customizing activity Maintain Analysis Profile, found under Governance, Risk and Compliance Risk
Management Risk and Opportunity Analysis .
● The system identifies the overall impact level based on the risk thresholds defined for the organizational
unit.
● The system derives the risk level based on the probability and impact levels defined in Customizing.
● The system calculates the risk score according to the Customizing settings made for risk score
aggregation.
Prerequisites
Impact levels and risk analysis attributes must be defined in Customizing, and impacts must be defined for
each risk to be analyzed. Impact levels are found under Governance, Risk and Compliance Risk
Management Master Data Setup .
Procedure
1. Go to Assessments Risk Assessments Risks and Opportunities and click on the name of the risk in
the Risk / Opportunity column.
2. From the Analysis tab of the risk screen, choose the Create New Analysis pushbutton.
3. Select the date from which the analysis is to be valid and choose OK.
Use
In the Analysis history section of the Analysis tab, you can see a graphical display of the analysis. You can
specify how you want to view the risk analysis by selecting from one of the following dropdown options:
● By probability of the risk happening, or by a text-based probability level (certain, likely, and so on)
● By impact score (point-based) or impact level (text-based)
● By risk score (point-based) or risk level (text-based)
● By the total or expected financial loss that is incurred if the risk happens
Prerequisites
You must have created at least one risk analysis to obtain historical risk data.
Procedure
1. Go to Assessments Risk Assessments Risks and Opportunities and click on the name of the risk in
the Risk / Opportunity column.
2. In the Analysis history section in the Risk Analysis tab of the risk, choose the Start Report pushbutton.
3. A new subscreen opens with further analysis data that you can enter. Enter the dates to be used and if
necessary, the user assessing the data. After choosing the Go pushbutton, a list of historical risk data is
displayed.
4. The data displayed in the report varies, depending on the risk analysis data used.
Use
Collaborative risk assessment enables more than one risk manager or risk owner to participate in a risk
assessment for one or more risks. This is a workflow-driven activity triggered by the . The individual
assessments are later consolidated into a single analysis for the risk, either automatically or with the help of
the reviewing user.
Collaborative risk assessment recipients and consolidators are determined based on business events (agent
slots) linked via workflows. In this way, risk recipients can determine which risks are in scope for the
collaborative assessment work.
● You can create a collaborative risk assessment from the Analysis tab of the risk, or by using the Planner. For
more information, see Risk Management Planner [page 499] and Creating a Collaborative Risk
Assessment from a Risk [page 440].
● Collaborative risk assessments can be carried out using surveys, which you can use to determine the
probability and impact of specific risks. For more information, see .
Note
Prerequisites
Furthermore, the contributors of the collaborative risk assessment must be defined in the Roles tab of the
organizational unit.
Features
1. The risk manager or risk owner determines whether an assessment is to be carried out for an inherent risk
or a residual risk. For more information about the types of risks that exist, see Risk Management
Terminology [page 40].
Note
The GRC Customizing settings in the activity Maintain Analysis Profile, under Risk Management
Risk and Opportunity Analysis , determine whether the risk assessment conducted is for an inherent
or a residual risk:
○ If the Impact Reduction setting is enabled in the analysis profile, only inherent risks can be
assessed.
○ If Impact Reduction is disabled, then both inherent risks and residual risks can be assessed.
2. Depending on the level of authorization, the risk manager or risk owner can carry out the following tasks:
○ Determine the risks that are in scope for a collaborative assessment.
○ Activate and trigger the workflows for the collaborative assessment to the workflow recipients.
3. As part of the workflow, you receive the results notification for each response, or after all responses have
been completed. After receiving the workflow item, a workflow recipient completes the collaborative
assessment workflow. When the assessment is submitted, the workflow item is no longer displayed in the
recipient's work inbox.
More Information
Use
Collaborative risk assessment involves sending surveys to several participants. You can carry out collaborative
risk assessment with and without surveys. Furthermore, you can create a collaborative risk assessment from
the Analysis tab of the risk, or using the Planner functions. If you create a collaborative risk assessment from
the Analysis tab, you no longer need to create a separate plan for it.
Note
For more information, see Creating a Collaborative Risk Assessment from a Risk [page 440].
You can carry out a collaborative risk assessment in one of the following ways:
Note
The procedure below describes the creation of a collaborative risk assessment using the Planner. For more
information, see Risk Management Planner [page 499].
Prerequisites
● You must define the contributor and consolidator roles, either in the Organizational Unit or the Risk screen.
● RM Customizing activities for risk analysis must be carried out. For more information, see the Prerequisites
section of Creating a Risk Analysis [page 427].
Procedure
Note
If you want to have the survey sent to you via e-mail, select the Delivery: Via E-Mail checkbox.
Otherwise, the survey is sent to your work inbox.
Note
You can create only one analysis per risk for a given date. If you create another analysis for the same
risk on the same day, the analysis must be run on a different date.
You have scheduled the collaborative risk analysis and started the corresponding workflow.
Use
You can create a collaborative risk assessment from the Analysis tab of a risk, instead of using the Planner.
Note
If you create a collaborative risk assessment from a risk, you cannot use the Planner Monitor to keep track
of the status of the collaborative risk assessment. For the consolidator and the contributor(s), the only
means of tracking is through each participant's My Home Work Inbox .
Prerequisites
The same prerequisites apply as for Creating a Collaborative Risk Assessment [page 438].
Procedure
Proceed as follows:
1. Go to Assessments Risk Assessments Risks and Opportunities and click on the name of an existing
risk in the Risk / Opportunity column.
2. In the Analysis tab, choose Create Collaborative Assessment.
3. In the dialog box that appears, enter the valid-from date and specify whether the collaborative assessment
should be carried out using a survey. If you select this checkbox, the Survey Template field appears below
it. Here, select a survey from the dropdown options.
4. Select the user who is to be the consolidator of the collaborative risk assessment.
5. In the lower section, you can add or delete the users who are the contributors to this collaborative
assessment.
6. Choose OK. Now the application displays a new pushbutton called Collaborative Assessment Details.
7. If you choose this pushbutton, a new dialog box appears in the lower section, with the entire set of
collaborative assessment data for each contributor (assessor).
8. Choosing the link in a line opens up the read-only impact allocation section below it. You cannot make any
changes here. The assessment data is sent to you, either as a work inbox item or as an e-mail attachment
containing an interactive PDF to fill out.
Use
After a risk has been assessed (either directly or via a survey) and the results have been returned, the risk
manager needs to consolidate them.
The results can be displayed in table form or graphical form. The risk manager carrying out the consolidation
can do the following:
Procedure
1. From the My Home work center, call the Work Inbox and open the work item Consolidate Collaborative Risk
Assessment. Each line contains a link to a risk, which reaches the inbox after all participants have finished
entering their data or after a work item has been canceled.
2. The collaborative risk assessment consolidation screen appears. Here you can see all the participants who
responded to the assessment, as well as the participants who were excluded during the execution.
Note
If you are in the Analysis tab of the risk, you can also choose the Collaborative Risk Assessment Details
pushbutton to access this screen.
3. In the View field, you can switch the display from a table form to a MARCI chart. This provides you with a
graphical display of the individual users, each represented by a colored bubble, as well as a blue Overall
bubble. Each bubble reflects the rating given by a respondent for a risk.
4. From among the dropdown options of the Risk field, you can choose one of the following:
○ Inherent and residual risk
○ Only inherent risk
○ Only residual risk
5. You can customize and work with the output of the risk assessment as follows:
○ Select the display options for this view. For example, for the graphical display, you can specify that you
want to see the risk level on the y-axis.
Note
○ You can carry out simulations by changing the weighting of an assessment in the Weight column and
then choosing the Calculate pushbutton at the top right of this screen.
6. Choose the Submit pushbutton to store the results and conclude the workflow.
7. To see the overall result, call up the graphical representation again. You can access the results at a later
date from the Analysis tab of the Risk screen, where the results are displayed in updated form.
8. When done, choose the Close pushbutton.
Result
The collaborative analysis data is now stored for this risk and the item has been removed from the work inbox.
Use
When users create collaborative risk assessments, two modes of processing are available. In the Online
processing mode, a work item is sent to a user's work inbox. If you are the risk owner, you can access the
results in your work inbox after all participants have provided feedback, or if the work item was canceled.
Prerequisites
Activities
1. Go to Assessments Risk Assessments Risks and Opportunities , and click on the name of the risk in
the Risk / Opportunity column. In the Analysis tab of that risk, choose the Collaborative Assessment Details
pushbutton.
2. In the window that appears, you can see the processors and contributors to this risk assessment. These
users receive a work item in their work inbox.
3. Open your work inbox and call the work item for processing. There are three different types of work items:
○ Monitoring the progress of work items: Here you can exclude contributors if necessary.
Use
The KRI driven analysis feature allows you to perform risk analysis based on key risk indicators (KRI). You can
link risk probability to number-type KRI instances, and risk impact to currency-type KRI instances, then risk
probability and impact can be calculated automatically by the KRI runtime.
Prerequisites
● You have set up the analysis profile under SPRO > Governance, Risk and Compliance > Risk Management >
Risk and Opportunity Analysis > Maintain Analysis Profile.
● You have activated the KRI evaluation type under SPRO > Governance, Risk and Compliance > Risk
Management > Master Data Setup > Activate Risk and Opportunity Types.
● You have maintained the necessary KRI IMG settings under SPRO > Governance, Risk and Compliance >
Risk Management > Key Risk Indicators.
● You have created manual KRI instances.
Procedure
You can perform KRI driven analysis on a risk through the following steps:
1. Go to Assessments Risk Assessments Risks and Opportunities , and create a new risk or open an
existing risk from the list.
Note
You must maintain the risk thresholds for the organization before you can create an analysis. For more
information, see Entering Risk-Specific Organization Data [page 345].
3. Go to the Risk Evaluation tab and choose Create New KRI Evaluation. A list of risk factors are displayed.
Click on the link icon in the KRI column, select a KRI instance from the popup list and choose OK. The KRI
instance is now linked to the risk factor.
4. Select Automatic or Manual analysis update mode, and choose Update Analysis, the KRI values will be
propagated to the analysis.
5. Save the risk.
More Information
Use
Some enterprise risks are related to environmental and worker safety. SAP has a separate solution,
Environment, Health and Safety Management (EH&S), where such risks can be processed by the solution-
specific mechanisms absent in operational risk management. Integrating EH&S using analysis automation
allows you to track all enterprise risks using one application (Risk Management).
Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their
probability and severity values, and copying those values to the corresponding analysis parameters according
to rules predefined in Customizing.
Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk
analysis. EH&S risk assessments are intended to be processed by an EH&S manager or other responsible user.
Risk managers can use a specific report that runs in the background to track the current probability and impact
levels of the EH&S-related risks that they create (see prerequisite number 9 below).
Prerequisites
Before using analysis automation (integration with EH&S), ensure that the following conditions have been met:
1. The remote system (EH&S) is known, and the logical system has been created for it (transaction SM30,
record in view V_TBDLS).
2. The user is authorized to create risk assessments in the EH&S remote system, and the user's logon
credentials are known.
Process
Note
Instead of an EH&S agent, you can use a material (depending on conditions and requirements).
Caution
Be sure that no risk assessment with the specified combination of work area and agent/material
already exists in EH&S. Such an existing risk assessment will not be overwritten by the new risk
assessment (in other words, the new risk assessment will not be created).
A new risk assessment is created in the EH&S application of the remote system to be processed by the EH&S
manager or other responsible user. The EH&S risk assessment will be assigned probability and severity values.
A background job (step 9 of prerequisites) replicates these values as probability and impact level values for the
corresponding risk analysis in Risk Management.
In automatic risk aggregation, the system calculates an aggregated risk from multiple input risks. Any change
in one of the input risks automatically updates this calculation. In this way, you can set up a hierarchy of risks,
where the higher risks are automatically synchronized with changes happening on the lower levels.
Automatic aggregation only covers the analysis part of the risk. Analyses of the input risks are combined using
defined calculation rules to generate an updated analysis of the aggregate risk. The way in which the
calculation of aggregate risks is performed depends on customizing settings.
● Sum
● Average
● Maximum
● Minimum
Activities
To enable the automatic aggregation of risk analysis, when editing a risk in the Risks and Opportunities work
center, set the mode to Automatic Analysis Aggregation under the Underlying Risks tab.
You can also set the type of aggregation method used in the Aggregation tab. The aggregation methods
available to select here are defined in Customizing for Governance, Risk and Compliance under Risk
Management Risk and Opportunity Analysis Automatic Risk Aggregation Settings .
After you save the risk, under the Analysis tab you can now find a section Auto-Aggregated Analysis, which
contains the risk analysis aggregated from the underlying risks.
For operational risk, the following situations are dealt with as follows:
● If the aggregated and/or parent risks have different consequences to each other, the consequences of all
underlying risks are appended to the consequences of the parent risk.
● If the aggregated and/or parent risks have different analysis profiles to each other, the results of automatic
aggregation will fit the parent risk's analysis profile, with conversion between the values of different
assessment methods being performed where necessary.
With automatic analysis aggregation enabled, any changes to the underlying risks are automatically calculated
in the analysis of the parent risk.
Manual Overwriting
You may edit and overwrite the results of automatically aggregated analysis. Once overwritten, the analysis
results are considered as a new manual analysis.
Use
To centrally store risk-related information on an organization's risks and to simplify working with Risk
Management, the application contains several functions enabling you to work in a graphical and easy-to-use
interface.
Note
The graphical view is an alternative and simplified way of performing risk-related operations using a
graphical user interface. This is a flex-based graphical interface of Adobe Flash Player, or SAP UI5 if the
enhanced graphical view is activated. It is provided as an alternative to the standard Web Dynpro screens,
in particular for casual users from other company departments who need to report on company risks. For
more information about the enhanced graphical view, see Enhanced Graphical View [page 453].
Features
● Summary: This is a read-only section that provides overview information about the risk.
● Identify Risk: You define the risk with all its dependent information using drag and drop. For more
information, see Identifying Risk Data [page 448].
● Assess Risk: You assess the risk by entering or editing information about risk drivers, impacts, and other
objects, which you can drag to the working area of the screen. For more information, see Assessing a Risk
[page 449].
● Mitigate Risk: You can mitigate the risk by proposing new mitigation measures, existing responses,
controls, or policies. For more information, see Mitigating a Risk in the Graphical View [page 452].
Use
Prerequisites
Procedure
To graphically create and evaluate risks, call Assessments Risk Assessments Risks and Opportunities .
In the overview screen that opens, choose Create Using Graphical View .
1. Enter the name of the risk in the center of the risk bubble that appears.
Note
The completion bar shows you the percentage of completed data for this risk. The quick info text
displays further status data about the progress of your risk.
7. If you need to remove an object from the right side, click on the X at the top right of the object. The object
is then no longer displayed.
8. After you have saved your data, proceed to the next step, Assessing a Risk [page 449].
Use
The third step of working with risks in the graphical view is the assessment of a risk and its impacts.
Prerequisites
To work with risk assessment data in the graphical view, proceed as follows:
1. After defining a risk in the Identify Risk section, choose the Assess Risk pushbutton in the left section.
2. The sections and pushbuttons at the top of the Assess Risk screen provide you with the following options:
○ New: Choose this pushbutton to create a new assessment.
○ Delete: You can delete an existing assessment and create a new one.
Note
3. The right side of the screen has the following sections to work with:
○ A calendar frame enabling you to choose the time frame for which you want to assess the risk data.
Note
You can choose each box in this frame that has a colored dot in it, which means that an assessment
exists for that month or date.
○ The Previous (<) and Next (>) pushbuttons enable you to select the previous or next date from the
available assessments.
○ Below this, you can see the following further risk data:
○ Risk analysis data: The bar chart shows the probability, along with the initial, actual (residual), and
planned risk assessment data, with respect to the following:
○ Total loss / expected loss
○ Risk level
○ Individual impact values: For each impact, you can specify the type of risk analysis to be
carried out, as well as change the default impact type and the unit of measure. Depending on
the impact type that you select directly above the Impact field, you can see the loss values by
carrying out the following types of risk assessments:
○ Quantitative: Enter a value in the unit of measure, for example, the currency, and press
Enter to see the changed value.
○ Qualitative: Move the slider to indicate the severity of the risk.
○ Scoring: Enter a value in the left field or use the numeric stepper to increase the value.
The impact values for all types of assessments are shown to the right of the impact.
○ Impact category distribution data: This is a pie chart showing the impact data for the current
assessment. Each impact value represents one portion of the pie.
The following table describes the maximum possible sections that appear, depending on the
Customizing settings made for the analysis profile. For more information, see Background Information
on Risk Analysis [page 425].
Section Description
Calendar frame A calendar frame enabling you to choose the time pe
riod for which you want to assess the risk data.
Probability slider In the Probability section, you can use the percentage
slider to decrease or increase the probability in percent
age that the risk will occur.
Analysis data per impact category For each impact, you can specify the type of risk analy
sis to be carried out, as well as change the default im
pact and the unit of measure.
Note
You can see how far the risk processing has progressed in the Progress Bar at the top. By passing your
mouse over the progress bar, the quick info callout Risk Specification Progress appears, containing all the
risk data you have defined up to then.
This quick info callout contains the number of impacts, drivers, and so on, that were assessed, along with a
slash separating the number of impacts that were added. So if you added three impacts, but assessed only
two, you will see the numbers 2/3 after this item.
More Information
To see the documentation for the standard risk analysis user interface, see Creating a Risk Analysis [page 427].
Use
After assessing a risk, you can mitigate it in the graphical view similarly to the normal application processing.
Risks can be mitigated by adding:
● Responses from Risk Management. For more information, see Risk Responses [page 455].
● A control or controls from Process Control. For more information, see .
● A policy or policies from Risk Management. For more information, see Using a Policy as a Risk Response
[page 475].
Prerequisites
A risk must have been identified and assessed before it can be mitigated, and mitigation procedures such as
responses or controls must exist in the back-end system.
Procedure
1. Call up a risk that has been assessed, choose the Switch to Graphical View pushbutton, and then choose
the Mitigate Risk pushbutton.
2. On the left side, you can use existing responses and controls, or propose new mitigation objects:
○ Responses
○ Controls
○ Procedures
3. Pull the necessary mitigation objects to the right side using drag and drop. To see the detail data, choose
the link inside the box. A section opens in the lower part of the screen with the following detail data for this
mitigation object:
○ Name and type of mitigation object
○ Percentage of completeness
○ Start and finish dates, that is, the validity period of the mitigation object
○ Costs of the risk if it happens
○ Effective from and to dates
○ Current effectiveness value
4. If you have assessed the risk and then chosen the Mitigate pushbutton, the Mitigate Risk screen appears.
5. On the Mitigate Risk screen, you can change the impact values as necessary. The graphs on the left side
then change accordingly.
6. Choose Close to return to the Mitigation screen.
7. When you are finished with the mitigation steps, choose Save.
It is possible to enable an SAP UI5-based version of the graphical view instead of the Flash-based one. Doing so
allows the following additional features:
Activities
You can enable the enhanced graphical view in Customizing for Governance, Risk and Compliance under Risk
Management General Settings Enable Enhanced Risk Graphic View .
The color scheme is customizable in Customizing for Governance, Risk and Compliance under Risk
Management General Settings Set Colors for Graphical View Elements .
If your company's risk exposure is unacceptable, you can document risk responses, which are aimed at
reducing the likelihood that the risk will occur or lowering the impact of the risk if it occurs. This is called risk
mitigation.
● Responses from Risk Management. For more information, see Risk Responses and Enhancement Plans
[page 455].
● One or more controls from Process Control. For more information, see .
● A policy or policies from Risk Management. For more information, see Using a Policy as a Risk Response
[page 475].
Mitigation can be maintained on both the Response Plans tab and the Analysis tab.
Note
You can also maintain mitigation in the Graphical View. For more information, see Mitigating a Risk in the
Graphical View [page 452].
Mitigation for individual responses can be maintained on the Response Plans tab. Although this has the
advantage of allowing you to focus on one specific mitigation factor at a time, there is no way to see the
cumulated value for all the responses at one time, and it is this cumulated value that the back-end system uses
to calculate Residual and Planned Residual values.
If the Mitigation field in the Analysis tab has been activated in the back-end, you can see all of the mitigation
results for the responses to the selected risk, including the calculated sums for probability and for particular
impacts.
Note
To activate this function, you must run the report GRRM_RESPONSE_MITIGATION_UI in the back-end
system.
You also have the possibility to overwrite the calculated sums by using the Click to Overwrite link. If you use this
option, the Overall Calculated values are still available, but only for information purposes. The manually-entered
values are used for Analysis mitigation.
Prerequisites
Benefits and drivers for opportunities must have been maintained in Customizing under Governance, Risk
and Compliance Risk Management Risk and Opportunity Analysis .
Context
You can create an opportunity with or without a template. For information on creating opportunity templates,
see Creating an Opportunity Category and Template [page 371].
1. From the Assessments work center, choose Risk Assessments Risks and Opportunities . The POWL
screen for risks and opportunities appears.
2. On the Opportunities tab, choose Create Opportunity , with or without a template. If necessary,
select the template and choose OK.
3. In the Opportunity screen, enter the following information in the General tab:
○ Name of the opportunity and organizational unit
○ Opportunity category
○ In the lower screen section, you can assign benefits and drivers to the selected opportunity
4. On the Roles tab, you can assign roles to be used with this opportunity category. The procedure is the same
as when assigning user roles to risks. For information, see Assigning Roles to Risks and Activities [page
523].
5. On the Analysis tab, you can choose the Report pushbutton to view the following historical analysis data for
this opportunity:
○ Probability
○ Total gain
○ Expected gain
○ Opportunity level
Note
You conduct an opportunity analysis in a similar way to conducting a risk analysis. For more
information, see Risk Analysis [page 423].
6. On the Enhancement Plans tab, you can create new enhancement plans, assign existing enhancement
plans, or remove them from the list. For more information about enhancement plans, see Creating a
Response or Enhancement Plan [page 459].
7. In the Issues tab, you can create issues that might affect this opportunity. For more information, see
Creating an Issue for a Risk, Opportunity, or Response [page 482]
8. On the Context tab, you can specify the contexts that you are working with for this opportunity. For more
information, see Working with Contexts [page 480].
9. On the Policies tab, you can see any policies that have been created for this opportunity. You cannot create
policies here. For more information, see:
○
○ Using a Policy as a Risk Response [page 475]
10. When finished, save the opportunity data.
Use
A risk response is any counter-measure taken to mitigate a risk. Risk responses are planned and/or executed
within the context of the given risk, and have the intention of reducing the risk exposure.
Note
An enhancement plan can be considered as the response to an opportunity. It enables you to define how
your organization intends to respond to an opportunity. The processing is the same for both types of
objects.
Process
The influence of the response on the risk exposure is split into the following three independent factors:
● Mitigating reduction of all responses, leading to the calculated residual risk analysis.
● Entering a value for the completeness of the response
● Entering a value for the effectiveness of the response
The following three steps are essential to reducing the probability or impact of risks defined for an organization:
1. Define impact and probability data in Customizing under Governance, Risk and Compliance Risk
Management Master Data Setup and Risk and Opportunity Analysis.
2. Reduce the impact and probability of the risk by creating responses and controls, enabling you to mitigate
the risk and monitor the costs.
3. Carry out a risk analysis [page 423] to view the results of the risk mitigation measures that were
implemented, and make additional resources available if necessary.
Note
Once a risk response has been implemented, you can carry out a new risk analysis, showing the
mitigated probability and impact of the risk, which should then be lower than for the initial risk analysis.
This new risk analysis information is referred to as the residual risk exposure.
Example
Your company wants to mitigate its risk of fire. It carries out the following two activities and creates the
corresponding responses for them in the Risk Management application:
● It takes out a fire insurance policy. This reduces the impact of the risk, but does not reduce the probability
of the risk (a fire) happening.
● It installs a fire alarm system. This reduces the probability of the risk happening, since the fire alarm
notifies someone who extinguishes the fire, and so the risk may not happen at all or only minimally.
Taken together, these two responses appropriately mitigate the inherent risk of fire at the company. The
residual risk is further analyzed and is determined to be acceptable.
More Information
Use
For responses that are used frequently, it is advisable to create standard response templates that you can use
when entering responses. This reduces the manual effort of unit risk managers during risk creation. You create
response templates in the Response Catalog.
Prerequisites
The GRC Customizing activity Maintain Response Types must be maintained in Risk Management
Response and Enhancement Plan .
Procedure
Note
For more information about response automation functions, see Working with Response Automation
[page 471].
Note
In the Response Instances tab of the Response application, you can see the responses that were
created using this template. Note that you must first finish creating the template and then assign it to a
risk template before you can see any entries in this screen.
More Information
Use
Documenting and managing response strategies helps to successfully mitigate risks in your organization.
Note
Creating an enhancement plan is similar to creating a response, so the following steps apply to it as well.
Prerequisites
The following Customizing activities, found under Governance, Risk and Compliance Risk Management
Response and Enhancement Plan , must be carried out:
Note
If you are working with automated responses sent to other applications in the SAP Business Suite, see
Working with Response Automation [page 471].
Features
The Risk Management application contains the following two types of responses:
● A risk response determines how to prevent a risk, limit its impact, or reduce the probability of its
occurrence. For more information about assigning responses, see Assigning a Response [page 463].
● The response to an opportunity is called an enhancement plan. It enables you to define a strategy to
respond to an opportunity.
To mitigate risks, the Process Control application also provides the option of defining controls. For more
information about this, see Using PC Controls [page 466].
Activities
1. From the Assessments work center, choose Risk Assessments Risks and Opportunities Responses
and Enhancement Plans .
2. In the next screen, you can see a list of all responses entered in the system. If the desired risk response
already exists and is allowed for sharing, you can select and use it without making any changes, or change
it as required. For more information, see Assigning a Response [page 463].
3. If the desired risk response does not exist, then choose menu path Create → Response to enter a new
response. To create an enhancement plan, choose Create → Enhancement Plan .
4. Under the General tab, enter the response name, the organizational unit, the response owner, and type
(mandatory fields).
5. If desired, you can enter the response details in text form, as well as the response purpose and whether the
response is to be shared between various users or requires your approval.
○ If you want to specify another response owner, enter the user's name in the Owner field. A dialog box
appears in which you can enter the due date for the new owner and any comments for the new owner
that you wish to make. Then choose OK. The response is automatically saved with the new data.
○ If you want to share the response with another user, you can specify whether it requires your approval
or not via the corresponding dropdown.
6. If you make a selection in the Automation field, the submitted response is sent to an application of the SAP
Business Suite, for example, to SAP Plant Maintenance.
The Automation Status field is updated after saving. For more information about using Risk
Management Response Automation, see Working with Response Automation [page 471].
7. In the General tab, you can also carry out the following actions:
○ Notification section: For work items sent per workflow to the response owners, you can enter
information on response notification as follows:
○ On Due Date: If you checkmark this field, the system sends out a notification on the due date of the
response.
○ Due Date: You can specify the date that the response is due.
○ Due Date Offset: You can the set the number of days ahead of the due date by which the
notification is to be sent.
The work item is then displayed in the corresponding user's work inbox under the Home work center.
○ Response Details section: Here you can enter a text describing any response steps or actions that
were taken, including the following information:
○ Distribution Method: This is only displayed if the response is created from a response template —
as a copy or as a reference. (For information about creating a response from a response template,
see Working with Response Templates [page 458].)
○ Enter the Start Date and the Finish Date for the response. Since you are providing information
about a response that was already carried out, the finish date cannot be in the future. You should
enter the start and finish values on the actual dates on which the implementation of the response
was started and finished.
○ When you enter the start date of the response, and choose Enter, the start completeness
percentage that was maintained in the corresponding Customizing activity is displayed in the
Completeness field.
○ When you enter the finish date of the response, and choose Enter, the finish completeness
percentage from the corresponding Customizing activity is added to the start completeness
percentage.
○ Completeness: By setting the Calculate Completeness indicator, you can automatically calculate
the percentage of the completeness of the response.
Note
The Calculate Completeness indicator is inactive and switched off by default. This feature
becomes active after you enter a start date and finish date. Then you must explicitly activate
the feature by selecting the Calculate Completeness checkbox.
If you switch on the Calculate Completeness feature, no manual entry is needed. The value of
the completeness is automatically calculated based on the values set in Customizing under
Governance, Risk and Compliance Risk Management Response and Enhancement Plan
Maintain Response and Enhancement Plan Completeness .
○ Response Effectiveness: You can provide information on the current effectiveness of the response
and change the validity period for the response effectiveness data. When you select an entry for
the current effectiveness, the corresponding quantitative value (in percentage form) is stored and
is further used in the risk analysis calculation.
8. In the Affected Risks tab, the risks that are affected by this response are displayed. Using the Assign
pushbutton, you can also assign existing risks to this response.
The prerequisite to assigning a risk to a response is that the response must be shared. For this, select
one of the two Shared options from the dropdown options of the Shared Response field on the General
tab:
9. In the Context tab, you can add context data. For more information, see Working with Contexts [page 480].
10. In the Issues tab, you can create or display issues that affect this response. For more information, see
Creating an Issue for a Risk, Opportunity, or Response [page 482].
Note
If you want to create an issue for a response, you must first carry out the corresponding organizational
Customizing activities on maintaining responses for issues.
11. When finished, save your data as a draft or submit it for processing. After submission, the response status
changes from Draft to Active.
Example
Response effectiveness: Hiring new employees is a response provided for the risk of employee loss. However,
the new employees lack the necessary expertise, so this response is initially considered as less effective. This
means that you have implemented a response, but it was not fully effective. So you first enter the effectiveness
level as moderately effective. After three months of employee training, you can then change the response to
very effective.
Response completeness: To avoid the risk of fire in a leather factory, a response is provided by installing fire
safety equipment. However, it takes a month to install this equipment. So at the start of the month,
completeness is lower, but gradually the completeness increases, until the equipment is fully installed and you
can enter the response completeness as 100%.
Use
Users can suggest ways to address risks by creating response proposals and submitting them to those
responsible for risk mitigation.
Procedure
After the response proposal is submitted, the creator of the proposal receives an e-mail confirmation that the
proposal was successfully submitted — that is, delivered to the work inbox of the person responsible for
mitigating the specified risk. This person can then approve or reject the response proposal.
Note
Users who are assigned as agents via 0RM_RESPONSE_PROPOSE are authorized to receive and approve or
reject response proposals. The approver can create a response or response template from the response
proposal after approving it. For more information, see Creating a Response or Enhancement Plan [page
459] and Working with Response Templates [page 458].
The creator of the response proposal is notified by e-mail when the response proposal is approved or rejected.
Submitted proposals (including their current status — waiting for approval, approved, or rejected) are listed in
the Proposed Responses tab found in work center Assessments Risk Assessments Responses and
Enhancement Plans . Click on the name of the response proposal to review its contents.
Use
Note
Any SAP Process Control functions mentioned below require a license for the SAP Process Control
application.
Instead of creating a new response to a risk, you can use the existing responses in the system if they meet the
mitigation requirements. You can create individual responses or responses shared among two or more users
(shared responses). There are the following types of risk responses:
● If the response to be used is defined as Shared, requires approval, the status of this response is Pending
approval. A response workflow item then goes to the response owner for approval. When the response
owner approves the response, the status changes to Sharing approved, after which this response can
be used for risk reduction through analysis.
● However, if the owner of the response to be used and the person requesting the response are the same
person, the status changes directly to Sharing approved and no workflow is triggered. This response
can be used immediately for risk reduction through analysis.
● If the response to be used is defined as Shared, does not require approval, the status of the response
becomes Sharing approved. The response can be used immediately for risk reduction through analysis.
Prerequisites
Probability levels must be maintained in Customizing under Governance, Risk and Compliance Risk
Management Risk and Opportunity Analysis , and the response to be used must have the status Active.
Procedure
By accessing Assessments Risk Assessments Responses and Enhancement Plans , you can create
responses directly and link them to the corresponding risks.
Note
For information on assigning specific kinds of risk responses to drivers and impacts, see Assigning Risk
Responses to Drivers and Impacts [page 465].
Conversely, you can also define an existing response for a risk. For this, proceed as follows:
1. From the Assessment work center, choose Risk Assessments Risks and Opportunities .
2. From the list of risks, by clicking on the name in the Risk / Opportunity column, select and open the risk to
which you want to assign a response.
3. In the Response Plans tab for this risk, you can see any existing responses associated with this risk.
4. In the lower section called Mitigation, you can change the current probability reduction percentage value
and change the score reduction value for each impact defined for the risk.
Note
To see the changes you made in the Mitigation section, save the risk and then return to the Analysis tab.
5. To assign a new response to your risk, choose Assign Response . You can also assign a control or a
policy from SAP Process Control here in the same way.
6. In the window that displays, search for the response, control, or policy to be used and click OK.
If you are working with response automation in SAP Risk Management and select one of the
corresponding response types, more information is available on this under Working with Response
Automation [page 471].
Related Information
In many risk management frameworks, including ISO 31000, preventive risk responses are linked to the drivers,
and corrective responses are linked to the impacts. This can also be enabled in SAP Risk Management. Risk
responses can be linked with impacts and drivers depending on the response type. This assignment is reflected
in the response mitigation UI.
Activities
You can activate the functionality in Customizing for Governance, Risk and Compliance under Risk
Management Response and Enhancement Plan -> Enable Response Impact/Driver Assignment .
1. Mitigation on Probability – This attribute determines whether the probability mitigation is allowed. Possible
values are as follows:
1. Enabled – Responses of this type are used to mitigate probability. The analysis mitigation UI shows
probability mitigation.
2. Disabled – Responses of this type aren’t used to mitigate probability. The analysis mitigation UI hides
probability mitigation.
Use
In addition to working with risk responses, you can also work with the controls of the Process Control (PC)
application. A control is a policy, implemented through processes and procedures and directed by an
organization's corporate executives, which supports compliance with operational objectives. These objectives
can be operational efficiency, reliability of financial reporting and disclosures, and compliance with applicable
laws and regulations, such as the Sarbanes-Oxley laws.
● Button Create Control Proposal . In this case, you propose a new control, so that the Process Control
processor can create the corresponding control. The workflow is then applied as described in Sample
Workflow: Control Proposal Notification [page 468].
● Button Assign Control . In this case, you assign an existing control to mitigate this risk.
Procedure
1. Go to Assessments Risk Assessments Risks and Opportunities , and by clicking on the name in the
Risk / Opportunity column, select the risk to which you want to respond by using a control proposal.
2. Access the Response Plans tab of the risk creation screen.
3. Choose the Create button and then choose Control Proposal. The control proposal window opens.
Note
To assign an existing control, choose Assign Control . In the dialog box, select Regulation and
search for an existing PC control. To use it, choose OK. The selected control is added to the list of
responses. The status for an assigned control is Active.
Use
You can convert the Process Control ratings entered for a control to response data in Risk Management. This
links the selected control rating results – roughly defined as three traffic light colors specified for Process
Control – to the completeness and effectiveness data of the corresponding responses defined in percentages.
In this way, the three-state rating values of Process Control are converted to more exact percentage ratings in
Risk Management.
This step enables you to automatically monitor the effectiveness and control assessment results of controls
defined and managed in Process Control, and map the results directly to Risk Management response
effectiveness and completeness fields.
Prerequisites
The following Customizing activities must be carried out as described in the Procedure section below:
● Set Up Link from Control Results to RM, under Governance, Risk and Compliance Risk Management
Response and Enhancement Plan
● Convert Control Rating to Response Fields, also under Governance, Risk and Compliance Risk
Management Response and Enhancement Plan
● Maintain Custom Agent Determination Rules, under Governance, Risk and Compliance General Settings
Workflow .
1. Carry out the above prerequisite Customizing activities as described in the corresponding documentation.
2. In the first Customizing activity Set up Link from Control Results to RM, you set up a link to the results
generated in Process Control, which are stored in the form of SAP Records Management cases. For both
the response and the completeness, you must enter the case type and category to be used.
3. When creating the conversion entries in the second Customizing activity, Convert Control Rating to
Response Fields, you create three entries for response effectiveness and another three entries for response
completion, each one corresponding to a Process Control color rating. For each of the three entries, select
one of the color-coded ratings available. In the percentage field, you can enter a user-defined percentage
value for each entry.
4. Save your entries.
Note
When the Process Control assessment and testing results are published, the corresponding response
fields for completeness and effectiveness in Risk Management are updated. An e-mail notification on
the completeness and effectiveness update is sent to the users assigned to the agent slot/business
event 0RM_NOTIF_ON_CONTROL_CHANGE.
Definition
When you create a control proposal, the Risk Management application sends a notification to the processor
defined for the Process Control (PC) application.
Concept
Process
1. The Risk Management user (“RM”) opens the risk for which a control proposal is to be created and selects
the Response Plans tab.
2. User RM now reviews the list of existing responses and searches through the available list of controls that
can be assigned to this risk.
3. User RM cannot find the desired control and proposes a new control. This user enters the appropriate
control information, including the mandatory information on the organizational unit and regulation, and the
optional information on the process/subprocess and name of the control.
4. User RM submits the proposed control request, after which the control workflow goes to Process Control.
Use
There are several workflows that you can use to process responses in the Risk Management application. Some
of them are linked to Process Control workflows.
Prerequisites
The following prerequisites must be fulfilled before you can use the workflows defined for Risk Management:
Features
Workflow Description
Response update Using the Planner function, the unit risk manager or activity
owner receives a notification to validate a response. The
main purpose of this workflow is to remind response owners
to process overdue responses. For more information, see
Risk Management Planner [page 499].
Response notification on due date You can send out a notification workflow if the response due
date has been reached and the response completeness is
lower than 100%. As a result, the response owner receives a
work item in the work inbox. When the work item is opened,
the response maintenance screen displays, where the re
sponse owner can maintain the missing information.
Response sharing for approval or rejection If a shared response for which permission is required is as
signed to a risk, the owner of the shared response receives
the workflow for approval or rejection of request sharing.
Shared responses are specified when you create a response.
For more information, see Creating a Response or Enhance
ment Plan [page 459] and Assigning a Response [page 463].
Response delegation If the current response owner is changed to a new one, the
new response owner receives this delegation workflow to
process the response.
Process Control proposal notification If a control is proposed to PC, a notification of the approval
or rejection of the proposal is sent to the requestor.
Process Control changes notification When assessment or testing results for a linked control are
published, the corresponding risk or response owner on the
RM side receives the notification of changes.
To manually enable or disable a response workflow, go to the Customizing activity Governance, Risk and
Compliance Risk Management Response and Enhancement Plan Enable Response Related Workflows .
Use
The process for automating risk responses to carry out actions in the SAP Business Suite applications
supports the following scenario:
Risk Management triggers and monitors the progress of response actions in an SAP Business Suite
application. This scenario does not require any add-on modules or coding from the SAP Business Suite
solution. This type of scenario is used in Plant Maintenance (PM) notifications, or to set up a project in the
Project System (PS), or to trigger a workflow.
Response automation creates, according to automation type, the following objects in other applications:
● PM notifications
● Project definitions in PS
● Workflow items
Note
The response automation function can also be used for enhancement plans.
Prerequisites
The same prerequisites apply as for Creating a Response or Enhancement Plan [page 459]. Furthermore, the
following Customizing activities and Business Add-Ins (BAdIs), found under Risk Management Response
and Enhancement Plan Response Automation , must be maintained.
Furthermore, a risk response must have the status Active to work with response automation.
If you are working with response automation, which sends and receives risk responses to/from the SAP
Business Suite, you must select an option from the Automation field at the bottom of the response screen. The
Automation Status field is populated automatically. One or several of the following statuses is displayed:
Project System (PS) Project definition: Created The project definition was created.
Project definition: Partially released Not all WBS elements of the project
definition are released.
Project definition: Master data locked The project was created by means of
master data replication from the
project system.
Project definition: Technically com All project costs have been settled.
pleted
Project definition: Deletion flag The deletion flag is set for project defi-
nition.
Error Self-descriptive
Ready Self-descriptive
In Process Self-descriptive
Waiting Self-descriptive
Generic automation statuses Automation initiated A response with the assigned automa
tion type was created, but the status of
the automated object from the remote
Business Suite application has yet not
been assigned to a response.
1. Go to Assessments Risk Assessments Risks and Opportunities and call up a risk by clicking on its
name in the Risk / Opportunity column. Access the Response Plans tab. Create a response to a risk that is
used for automation.
Note
Specify the automation-specific response type if there are any available (see prerequisite Map
Response Automation to Response Types above).
2. If necessary, you can maintain the dimension objects to be fetched from the remote application in the
Contexts tab. For more information, see Working with Contexts [page 480].
Note
For the automation type PM Notification, you can specify the technical object (functional location or
equipment) and the material in the Context tab. For the automation type Workflow Triggering, you can
specify the objects that are involved in the workflow.
3. Close the response and submit the risk. This sets the status of the response to Active, and the response is
sent to the remote application.
4. When the corresponding processor from the remote application has changed the status of the automated
object, the automation status and completeness are updated for the response accordingly.
5. When the status of the automated object is set to complete or closed or finished, an e-mail is sent to the
original processor stating that response was completed automatically.
Definition
Response automation for plant maintenance involves sending a response request from the Risk Management
application to the corresponding application in the SAP Business Suite, in this case the Plant Maintenance
application.
Concept
Prerequisites
You must have the SAP Business Suite application Plant Maintenance configured and running.
Activities
In the Risk Management application, a risk called "Risk of Overheating of Boiler" has been defined. A
background job was created for it, which proceeds according to the following steps between Risk Management
(RM) and Plant Maintenance (PM):
2 Risk response is created with auto Risk Manager Status not assigned yet
matic PM notification
PM notification status read by sys Automatically in RM, within re Status set to Outstanding
tem sponse-saving program notification
4 (if step 3 was PM notification status read by sys Automatically in Risk Manage Status Notification postponed
executed) tem ment, with periodic background
job
6 PM notification status read by sys Automatically in RM, inside peri Status Notification In Process
tem odic background job
7 Boiler temperature lowered man Plant Maintenance processor Status Notification In Process
ually by processor
9 PM notification status read by sys Automatically in RM, inside peri Status Notification Complete
tem odic background job
Use
Besides a specific risk response and a control, you can also use a policy from the Process Control policy library
to respond to a risk. A policy is a statement of objective, direction, or standard that acts as guidance for a
company’s interactions and operations. It can be regarded as an internal mandate established by a company to
regulate the conduct of its work with respect to the regulations it must observe.
Note
For more information about assigning a response, see Assigning a Response [page 463].
Once assigned to a risk, a policy can be used as a risk response. This enables users to mitigate a risk by
proposing or documenting a policy for their area of responsibility, including the documentation of the response
effectiveness, impact reduction, and probability reduction.
Prerequisites
In Customizing for GRC under Risk Management Response and Enhancement Plan :
● Both Process Control and Risk Management must be installed and running, and the corresponding
Customizing activity Link Policy Status and Response Completeness must be carried out.
● Under Responses for Policies, the organizational Customizing activities Set Up Response Notification
Recipient for Policy and Set Up Policy Response Notification Text must be carried out.
● You must define policy types in the Customizing activities Maintain Policy Types and Distribution Methods
and Policy Types for Response Creation.
● You must activate Process Control and Risk Management components (transaction SPRO).
Procedure
Proceed as follows:
1. Call up a risk and then choose the Response Plans tab to create a policy. For more information about
creating responses directly, see Creating a Response or Enhancement Plan [page 459].
2. Choose Create Policy .
3. The dialog box for policy creation displays. Select a policy group and a policy category.
4. The policy screen displays, in which you create the policy itself. Enter the necessary policy information in
the corresponding tabs.
5. Save the policy. You can send the policy for review or submit it for approval.
6. Close the policy. You can see that the response based on the new policy has been created.
7. Save the updated risk.
Note
If you have entered risks in the Policy screen, they are displayed in the Policy tab of the Risk screen.
1. Select an existing risk and then choose the Response Plans tab to create a policy. For more information
about creating responses directly, see Creating a Response or Enhancement Plan [page 459].
2. Choose Create Policy .
3. A dialog box for the selection of a policy appears. Select a policy and confirm the selection.
4. After confirmation, you are returned to the Response tab, where the new response is displayed.
To notify authorized users by e-mail about the completeness of a risk response created by a policy:
1. Open the response and go to the Notification section of the General tab.
2. Set the Notification on Policy Status Change indicator.
3. Save the response.
7.4.2.6 Activities
Use
An activity is any project, process, or an object within your business or organization that might be affected by a
specific risk.
After creating activity categories structured in an activity hierarchy, you can create individual activities for the
activity types defined in Customizing and assign them to the activity categories in the hierarchy. At defined
intervals, for example, the activities affected by specific risks can subsequently be evaluated per activity
category in reporting.
You can define all the activities that need to be monitored through dedicated risk management procedures, in
this way structuring risk management in different areas of the business. These structures can later be used for
reporting.
Prerequisites
Activity types must have been maintained in Customizing under Risk Management Master Data Setup .
● Specify the activity category and validity period, as well as enter relevant constraints and assumptions for
the activity.
● Assign users/roles responsible for processing the activity.
● Link the corresponding risks and opportunities identified for that activity.
● Display any surveys to be executed for the activity.
● Display and print out a PDF fact sheet with relevant activity information.
Note
Activities are time-dependent objects. If the valid-to date has elapsed, you do not see these activities in the
corresponding list, since they have expired. However, you can still evaluate them in reporting.
More Information
Use
Since any activity can be risk-related, you must define meaningful activities that are meaningful to your
organization in the activity hierarchy to be used for Risk Management.
Prerequisites
Activity types must be maintained in GRC Customizing under Risk Management Master Data Setup .
Procedure
Note
To see the activity in graphical form, choose the Switch to Graphical View pushbutton. By clicking the Print
Fact Sheet pushbutton, you can also generate a PDF called Activity Fact Sheet, which contains all risk
information relevant to this activity.
More Information
For more information about activity categories, see Activity Hierarchy [page 362].
Use
The workflow for activity validation workflow is carried out using the Planner function of SAP Risk
Management. The activity owner is the user that triggers this workflow. The term validation refers to another
user's verifying that the details of an activity, and its associated risks if required, have been entered accurately.
Prerequisites
For the system to automatically trigger additional risk validation for risks associated with the activity, this
feature must be enabled in Customizing for Governance, Risk and Compliance under Risk Management
General Settings Include Additional Risk Validators in Activity Validation .
Features
1. Access the Planner by going to: Assessments work center Assessment Planning Planner .
2. Choose the Create button to access the guided procedure for creating a plan for performing activity
validation.
3. In Step 1, Enter Plan Details, enter the mandatory data: Plan name, activity, and the start and finish dates.
Then choose Next.
4. In Step 2, Select Organizations, select the organization, and choose Next.
5. In Step 3, Perform Selection, specify whether you want to create a plan for all activities or only specific
ones. You can also select by activity attributes.
6. In Step 4, Review, check to see that the selection you made is correct. The Show Detail button gives you a
list of the activities and their owners.
7. Now choose the Activate Plan button. If you select Finish, the window closes and your activity is included in
the list of activities. Alternatively, you can create a new plan from this window.
When triggered, the owner of the activity nor receives an activity validation work item, which they can approve
or reject. If the additional risk validation feature is enabled in Customizing, the owners of any associated risks
also receive risk validation work items to approve or reject.
If risk owners have not yet validated their risks, the activity validator can use the Remind button to remind them
of the incomplete risk validation work item.
More Information
For more information about the Planner, see Risk Management Planner [page 499].
Use
Contexts in Risk Management enable you to store data from other networked applications, such as those in the
SAP Business Suite. This data is then used to carry out assessments in SAP Risk Management, and to link SAP
Web Services for use with SAP Risk Management.
A context is made up of dimensions and their corresponding values. When you select a dimension, you more
closely define the environment or context of the risk. A risk can, for example, occur at a functional location of a
plant. You use the dimension values to more closely define the functional location that is being referred to.
You can also use contexts to define your own customer-specific content. The following areas contain Context
tabs that you can use to enter context data. Note that in some of these areas, the tab is called Allowed
Dimensions.
Prerequisites
Dimensions and contexts must be maintained in Customizing in the Master Data Setup section.
Procedure
Note
If you have personalized the columns using the Settings pushbutton, the Context Value is displayed in
the third column.
Note
Objects from SAP EAM and SAP EHS Management that can be added to a risk appear in the Context
Value Text column as clickable links. Clicking them opens the details of the object.
4. Save the risk. The SAP Risk Management system is now linked via RFC with the dimension objects you
have selected.
To see whether any dimension texts were changed manually, choose the Check pushbutton. You
receive an error message for each line in which the dimension value is incorrect. You can select a
correct one from the corresponding dropdown options.
5. If you want to print out the list, use the Print Version pushbutton. Note that the RFC connection must be
active in this case.
More Information
For more information on how to work with contexts, see the following areas of SAP Risk Management:
Example
One dimension selected from the context list is the system object Plant. The context value for it is 0001,
referring to the ID of the plant selected. The context value text is displayed in the corresponding column as
Plant 0001.
Use
For every risk, you can create one or several ad hoc issues in the Issues tab of the risk, opportunity, or response
screen. These issues are then displayed in the corresponding tab of the risk screen.
Prerequisites
● The Customizing activity Enable Ad Hoc Issues by Object Type, under Governance, Risk and Compliance
Common Component Settings Ad Hoc Issues , must be carried out.
● The two organizational RM Customizing activities, Set Up Response Notification Recipient for Issue and Set
Up Issue Response Notification Text, under Governance, Risk and Compliance Risk Management
Response and Enhancement Plan Responses for Issues , must be carried out.
Proceed as follows:
1. Go to Assessements Risk Assessments and select either Risks and Opportunities or Responses and
Enhancement Plans. Click on the name or the risk or opportunity or response, and then choose the Issues
tab.
2. In the Issues screen, choose Create. You are led to the issue creation screen. Here, enter the name, priority,
and description of the issue. Add a regulation in the corresponding tab if necessary, and submit the issue.
3. Choose Close. You return to the Risk or Response screen.
4. To see the updated issue list in the Issues tab of the Risk screen, choose the Refresh List pushbutton.
5. Save the risk or response.
6. If you are in the Response screen, call the Regulations tab to add any regulations from Process Control that
are relevant to this issue.
Note
After you create an issue for a response, a work item is sent to the issue processor. When the issue
processor closes the issue, it receives the status Closed and the response completeness is updated in
the response screen.
(Number of closed issues for the response / number of all issues for the response) * 100
7. On the General tab, a checkbox called On Issue Status Change is displayed in the Notification section. If you
want an e-mail notification to be sent out when response completeness reaches 100%, based on the issue
status involved, set this indicator.
Note
If you set this indicator, the issue is processed independently of the response and receives the status
Closed.
More Information
in Process Control
Use
In the Risk Assessment Reports section of the Risk Assessment work center, you can run various reports to
review the results of your risk assessment process. You can run separate reports to evaluate your top risks and
the incidents that occurred within a specific period.
More Information
For more information about the individual reports, see Reporting and Analytics [page 535].
Use
Risks that occur are called incidents. For each recorded incident, you can also record individual losses.
Documenting incidents provides historical information to identify and analyze the drivers of risks, and enables
you to design response actions for risks that have characteristics similar to the documented incidents.
The process of managing incidents involves recording them and includes validation to ensure that incident data
is correct and properly states the impact of the incident. In this way, you can analyze, control, and understand
your losses, so that you can decide on how to reduce them. You can use the workflow functions to carry out an
analysis of your losses, and provide an audit trail for incidents leading to losses. The systematic recording of
incidents enables you to:
Note
The Reports work center contains a report for the evaluation of incidents called Overview on Incidents for
Risks. For more information, see Risk Management Reports [page 535].
Prerequisites
Process
In the incident management process, you document and save each incident, which then triggers a workflow
item for the validator. The objective of the validation step is to ensure that the documented incident data is
correct and represents an accurate impact on the organization.
More Information
To enter an incident in the system, see Working with Incidents [page 485].
Use
By documenting incidents, which can be defined as risks that have occurred, you can record and follow up on
negative events and the associated losses for the organization. There are two ways to create incidents:
● You can create an incident directly from a risk. For more information, see Creating a Risk [page 416].
● You can create an incident in the Incident Management section of the Assessments work center.
Note
For the occasional user, the My Home work center provides a separate entry screen with limited
functionality for recording incidents in the Ad Hoc Tasks section. This data can also be entered in an
Employee Self-Service screen. However, here the full functionality for recording incidents in the Risk
Assessment work center is described.
Prerequisites
You must have carried out the following Customizing activities for incidents, losses, and their impact, found
under Risk Management Incident Loss Database :
Procedure
1. From the Assessments work center, access the section Incident Management and choose the link with the
same name.
2. The incident selection screen opens, with a display of the incidents that were already created. If the table is
empty, no incidents have yet been reported.
3. To create an incident, choose the Create pushbutton.
4. In the General tab, enter the following:
○ Incident name
○ Organization
○ Incident date
○ Date that the incident was detected (which may differ from the incident date)
5. If necessary, enter a description of the incident and add the attribute data for the incident on the right side.
To do this, choose the Add pushbutton and select the incident attributes that apply to this incident.
Note
The Loss Summary section displays the losses entered in the Loss tab.
6. Choose the Loss tab. To enter the loss data for this incident, choose the Add pushbutton. After selecting a
line in the upper Loss section, a detail section below it opens. You can enter information in the following
tabs:
○ Under the General tab, the loss name already entered is displayed. You can change the dates, add a
description, and add further loss attributes.
○ Under the Impact Categories tab, you can assign impact categories and enter further data for each
impact category. When you choose Add, a new line appears for which you must first select an impact
category. Then specify the specific loss value for this impact in monetary terms (Monetary Impact
Value) in the field below it.
Note
Depending on the unit of measure specified here (which must have previously been defined in
Customizing for your organizational unit), the impact is calculated differently. If, for example, you
set the working hours as the unit of measure, the system quantifies the loss in terms of working
hours and not in financial terms. The system then converts the value of the Unit of Measure field
using the conversion factor and the currency specified in Customizing for your organizational unit.
○ Under the Loss Drivers tab, you can add the drivers that led to this loss.
7. In the third tab of the upper section, Risk Event Allocation, you can assign risks to this incident. Proceed as
follows:
○ Choose the Add button. The system now adds an undefined risk line.
○ Choose the dropdown options to the right of this column. The risk selection screen opens. Select the
risk you want to assign to this incident.
Note
The sum of the risks allocated to an incident should total 100%. Otherwise you receive a warning
when you call up the incident again.
8. In the Issues tab, you can create issues for the incident if necessary. For more information, see Creating an
Issue for a Risk, Opportunity, or Response [page 482].
9. When finished, you can save the incident in draft form or submit it for processing. When an incident is
submitted, workflow then sends the incident to the defined workflow recipient for approval. See the section
below for further information on the workflow.
Note
More Information
Prerequisites
The following prerequisites must be fulfilled before you can use the workflow functionality for incidents:
Procedure
Use
In Scenario Management, you can define scenarios to be used for Risk Management. Scenarios are events that
link risks in a logical way and then show the effect of a scenario change on these events. After defining a
scenario containing individual linked risks, you can use the scenarios that you have defined for simulation and
testing.
Scenarios can be managed by corporate risk managers, unit risk managers, or other risk owners. The tasks
involved in scenario management are as follows:
● Classifying and grouping scenarios via classifications and if necessary, scenario subclassifications if a
detailed structure is needed.
● Deciding what organizational units, activity categories and risk categories are affected by each scenario.
● Providing an initial estimate of the impact of the scenario on the organization.
● Defining the risks and modeling their dependencies via the inclusion of influenced risks within the scenario.
● Forwarding this information to a group of risk owners, after which each risk can be documented by the risk
owner to whom it belongs.
All users responsible for risks can change the loss values for primary (that is, non-influenced) risks and see the
results on influenced risks and on the scenario.
More Information
Use
By defining individual scenarios (scenario cases), you can link risks within a specific scenario. In this way, you
can build a complete diagram of your company-specific risks, and view the result in a transparent form.
Scenarios are always linked to a scenario classification.
Prerequisites
You have maintained the corresponding risks in the portal application and have carried out the following GRC
Customizing activities:
● Under Risk Management Risk and Opportunity Analysis , you have maintained probability levels (that
is, the likelihood of a risk occurring) and impact categories for risks and opportunities.
● Under Risk Management Master Data Setup , you have maintained the influence strength, or the
degree of influence that risks have.
1. In the Scenario Management section of the Assessments work center, choose the Scenarios quick link.
2. If you have not created any scenarios yet, you must first create a scenario classification and a
subclassification. Select a line from the parent scenario screen section and choose Create
Classification .
Note
You can also create a scenario subclassification below a classification. For this, select a classification
line and then select Scenario Subclassification.
3. If you have created scenarios already, you can select a line from the parent scenario classification and
choose Create Case . To create a case, you need to select a row with both the parent classification
and the subclassification filled.
Then step through the following screens in the individual Scenario Case tabs:
○ Maintain general scenario data on the Component [page 490] tab.
○ Maintain scenario assumptions on the Assumption [page 491] tab.
○ Enter responses to the scenario on the Response [page 493] tab.
○ View the effects of your data input on the Result and Sensitivity [page 494] tabs.
4. When you are finished, save your scenario data.
Result
You have transparency in the risk and opportunity scenarios that you have defined, enabling you to manage
your risk and benefit landscape in an appropriate manner.
Context
On the Component tab under Assessments Scenario Management Scenarios <name of existing
scenario> or via Create button Case , you maintain the general data to be used for your risk scenario.
Note
After creating your scenario, you can view it in graphic form by using the Switch to Graphic View button.
1. Enter the name of your scenario and the currency (mandatory fields). Enter a descriptive text for the
scenario if necessary.
2. Make a selection in the Likelihood field.
3. For the option you have chosen in the Likelihood field, you can enter a user-defined text in the Rationale for
Likelihood field, enabling you to justify the likelihood option you selected.
4. In the Cause field, you can enter a textual description of the root cause or the factors that might cause the
scenario to become a reality.
5. The lower screen section displays all risks involved in this scenario, together with the activity and risk
category assigned. Here you can assign the risk events that might occur in this scenario as follows:
○ By choosing the Assign button, you can search for all related risks (called influenced risks) to assign
them to the scenario. To be able to assign a risk, it must contain a quantitative analysis, or it cannot be
taken into account, since no calculation is done with qualitative analyses here.
○ By choosing the Open button, you can access the risk screen with all the corresponding risk data.
Note
You cannot change the risk data in the scenario screen. You can only change it from the risk and
opportunity management application. When you open a risk from the scenario screen, the
information is displayed in read-only mode.
○ By choosing the Remove button, you can delete some of these influenced risks if you don’t want them
in the scenario.
Note
Influenced risks are linked with percentage probabilities to define influence factors. For more
information about the creation of influence factors, see the corresponding section of the
documentation for Creating a Risk [page 416].
Use
On the Assumption tab for a scenario, you can make entries for your assumed risk values to be used in the
scenario.
1. Make entries for your assumed risk values, which affect all the risks in the screen section below them, in
the following columns:
Column Description
Overall Change on Impact Enter a percentage probability for the change affecting the
Adjusted Impact column in the lower section.
Overall Change on Probability Enter another percentage rate for the probability of this
scenario happening, which affects the Adjusted Probability
column in the lower section.
Overall Benefit from Scenario Specify the overall financial benefit to be derived from us
ing this scenario.
Note
Choosing the Apply Overall Changes button applies the entries you have made in the above fields to the
risks listed in the lower screen section, and choosing the Reset button resets these entries again.
However, this does not apply to influenced risks, which are displayed as indented compared to the
primary risks you define.
2. In the screen section below this, the following column values are displayed for each risk. Note that you can
change the values of two columns, representing a manual form of simulation, as described below:
Column Description
Adjusted Impact (currency) Adjusted monetary impact of the risk happening. The
value in this field changes when you make an entry in the
above Overall Change on Impact field. Note that in this col
umn, you can enter a different monetary value for the fi-
nancial impact of this risk if it occurs. The formula used is
Impact x Influence Factor = Adjusted Impact.
Adjusted Probability (%) Adjusted probability of the risk happening. The formula
used is Probability x Influence Factor on Probability =
Adjusted Probability. The value in this field changes when
you make an entry in the above Overall Change on
Probability field. This formula is only applicable to influ-
enced risks, not for primary risks. Note that in this col
umn, you can enter a different percentage for the proba
bility of the risk occurring.
Influence Factor on Impact This value is a multiplier used in the formula Impact x In
fluence Factor = Adjusted Impact. For more information
about influence factors, see Creating a Risk [page 416].
Note that this formula can only be used for influenced
risks.
Influence Factor on Probability This value is a multiplier used in the formula Probability
(%) x Influence Factor = Adjusted Probability, forming
part of the calculation in this screen. For more information
about influence factors, see Creating a Risk [page 416].
Note
The expected impact is calculated according to the formula used by fields in this screen: Probability
(%) x Impact Value = Expected Impact. However, note that the expected impact itself is displayed on
the Result tab and not in the Assumption tab.
3. In the list of risks, there is a checkbox for the Impact Category Allocation: By selecting this field, the lower
screen section displays the following information for the risks in the upper screen section.
Column Description
Impact Allocation (%) Percentage to which this impact affects the risk. The total
of all impact allocation percentages is 100%.
Note
You can overwrite the monetary value in the Impact Allocation column, after which the value in the Adjusted
Impact (currency) column changes.
Use
In the Response screen of a scenario, you can specify responses to the scenario which would mitigate the
effects of the risks in the scenario if they occurred. You can also maintain the percentage probability and
impact reduction figures for the response.
Impact categories must be maintained in Customizing and a scenario with at least one risk must exist.
Procedure
1. To create a new response, see Creating a Response or Enhancement Plan [page 459]
2. To assign an existing response, choose the Assign button. Select an existing response and press OK. Fore
more information see, Assigning a Response [page 463].
3. Save your data. The system places your saved response in the response section of this screen.
By putting your cursor on a response line and selecting the Impact Reduction Breakdown field at the bottom of
the screen, a list of the impact categories defined for the individual responses displays in the lower screen
section. For each impact category, the calculated planned monetary and percentage figures of the impact
reduction are displayed.
Use
The Result and Sensitivity Analysis tabs of the scenario application enable you to view and interpret the effects
of impact and probability changes on scenarios.
Features
On the Result screen for scenario analysis, you can view the calculated result per impact category in monetary
figures. These monetary results are listed for the following three situations:
● Total Impact: The calculated total of the monetary impact for all impact categories.
● Expected Impact: The value calculated from the Assumption tab (see Working with Assumption Data [page
491]).
The Sensitivity Analysis tab contains an overview of all risks in the scenario, together with the Impact Category,
the Impact Adjustment in monetary terms and the Risk Variance, the latter both in monetary terms.
The system outputs simulation data for each risk, showing what happens when the impact is adjusted by only
1%. That is, the Impact Adjustment field contains a value that is 1% of the impact allocation value for the
corresponding impact category on the Assumption tab.
Note
You cannot change any data on the Result and Sensitivity Analysis tabs.
Use
The Monte Carlo simulation is a method for calculating the value at risk (VaR). This refers to the total risk
exposure in monetary terms. Using a predefined sampling technique, this stochastic process contains
computational algorithms that rely on repeated random sampling to compute the results.
Scenario analysis using Monte Carlo enables you to select a list of risks, assign them to a random distribution,
and decide on a distribution method for the number of losses involved (frequency). In this way, the system
estimates the total aggregated loss (the sum) at risk for your simulation.
These are the steps involved in working with the Monte Carlo simulation:
Prerequisites
The following prerequisites are necessary to use the Monte Carlo simulation:
Procedure
In the Scenario Management section of the Assessments work center, you can carry out a simulation for your
scenario as follows:
Number of Runs How often you want the simulation to be carried out.
Worst-Case Simulation Result The result of simulation in monetary terms. This field con
tains the value zero until after the simulation run.
Created by / Created on The user creating the simulation and the date of creation.
For performance reasons you should not set the number of simulation runs at more than 100,000. The
number of simulation runs is linked to the simulation percentile (see above) as follows:
○ For a 10% simulation percentile, 1,000 simulation runs are sufficient to produce results, but your
degree of certainty would be very low.
○ For a 1% simulation percentile, 10,000 simulation runs produce fairly realistic results.
○ For a 0.1% simulation percentile, you need 100,000 simulation runs to obtain results
representative of a Monte Carlo simulation.
8. On the Result tab, you can see the results of your simulation in graphic form, together with the total
simulated losses per type of impact (average case, worst case) involved. At the bottom of the screen you
can see the monetary effects of the simulation per impact category.
9. On the Issues tab, you can create any issues relating to this simulation. For more information about
creating issues, see Creating Issues for Risks, Opportunities, and Responses [page 482].
10. Finally, you can save the simulation you have created. The simulation window closes and you return to the
overview screen. To see the updated results, choose the Update pushbutton.
Note
You can export the simulation data, including risks and their frequency distributions, impact categories
and severity distributions, in the form of an XML file. You can display the data in table format by
importing it into MS Excel. To do so, use the Export pushbutton.
11. In the list of simulations, you can choose Refresh to see the total of all worst-case simulation results for all
impact categories involved in the simulation run.
Note
If you want to see your scenario and the results of your simulation in graphic form, use the Switch to
Graphic View pushbutton. However, if you close the simulation screen and access it a second time, the
results graph no longer contains graphic data, although the final result was saved to the database. If you
want to see the graph again, you must execute the simulation again.
More Information
Use
To correctly run the Monte Carlo simulation, you must maintain probability distribution values so that the
graphic curve is generated correctly during simulation. There are two kinds of distribution:
● Frequency distribution: This refers to how often the risk is simulated in one simulation run, and is a
numeric value entered by the user.
● Severity distribution: This refers to the type of distribution used in the simulation run, and is a dropdown
option on the Assumption tab of the Monte Carlo Simulation screen.
Prerequisites
A simulation percentile must be maintained in Customizing under Risk Management Master Data Setup .
Features
Risk Management makes use of the following severity distributions, which you can see in the Assumption tab of
the Monte Carlo simulation screen. You have the following options:
Note
The probability percentage values you enter here must total 100%.
● Lognormal distribution: A skewed bell curve is generated. Lognormal distributions are similar to normal
distributions. However, the lognormal distribution is characterized by a large number of independent,
identically-distributed variables, whereas the natural log for the variable results in a normal curve (see
below).
For this option, enter the standard deviation and the mean value in the popup window.
● Normal distribution: The bell curve, or normal distribution, is based on random results that are weighted
by a predetermined average or mean, and a standard deviation. The standard deviation is a measure of
variability from the mean.
For this option, enter the standard deviation and the mean value in the popup window.
A global manufacturer wants to calculate the risk involved for Asian production plants due to a widespread bird
flu pandemic, which has now affected many workers in the plants. The manufacturer defines the risks as
follows:
● The top risk, or primary risk, is the pandemic itself. This leads to:
○ High sickness rate and lower productivity in the plants where the pandemic has hit.
○ Lower sales of products due to low production rates.
These are known as influenced risks, affected by the primary risk. The first influenced risk, the high
sickness rate, results in the following further influenced risks:
○ Shipments are not delivered on time.
○ This may lead to the further risk of fraud, since if most colleagues are out of the office because of
sickness, the segregation of duties principle may be violated.
○ This again may lead to a higher impact of the risk if it happens.
By structuring risks in a risk hierarchy and running the Monte Carlo scenario on it, you can determine more
precisely what the final risk will be, in terms of both probability and impact.
In the Assessment Planning section of the Assessments work center, you have the following options:
●
●
●
Use
Using the Planner, you can plan risk assessments, collaborative risk assessments, risk surveys, activity survey,
risk indicator surveys, opportunity assessments, and risk and activity validation.
Note
For more information about Risk Management workflows, see Workflows [page 33].
To use the Planner in Risk Management, the following prerequisites must be fulfilled:
More Information
To create a plan in Risk Management, see Creating a Plan with the Planner [page 500].
Note
To carry out a collaborative risk assessment, select the plan activity Perform Collaborative Risk
Assessment. This creates a risk assessment using e-mails. If you want to carry out a collaborative risk
assessment via surveys, select the plan activity Perform Collaborative Risk Assessment Via Survey and
set the Via E-Mail indicator in the Delivery field.
Note
The due date cannot be the same as the start date, it must be at least one day later. However, for risk
analyses, the analysis date can be the same as the start date.
Note
If you receive the status Error for your plan, you can see the reason in the Events tab of the plan. In
this case, you must check the application log using transaction SLG1.
Copying a Plan
1. From the Planner overview list, put your cursor on the plan to be copied and choose the Copy pushbutton.
2. A guided procedure for copying the plan appears.
3. You can change the plan details by entering other data. Note that the start date cannot be in the past.
4. The steps to be followed for copying are the same as for creation (see steps 5 through 9 above).
A plan can be deleted or split over several organizational units. In the latter case, you can use one plan for all
organizations or have the plan replicated for each organization.
Note
You can only delete or split a plan that has not been executed yet. Only a plan whose status is Planning
and whose start date is the next day or later can be deleted or split. Furthermore, to split a plan, you
must have previously selected at least two different organizational units over which the plan will be
split.
2. The plan is either split or deleted. If it is split, two lines are displayed in the list. If deleted, the line for this
plan no longer appears.
Risk Control Self Assessment (RCSA) is a process that enables you to coordinate the distribution and analysis
of surveys. To complete a Risk Control Self Assessment, you need to create an RCSA plan, which specifies the
organizations and risk categories covered by specific surveys.
Note
You can define recipients directly in an RCSA plan, or have the recipients determined in the Planner, by
agent slot evaluation.
After creating an RCSA plan, you can use the Planner to distribute the related surveys, and RCSA Plans to
monitor the progress of the Risk Control Self Assessment. After successful completion, you can use the RCSA
Survey Compare report to analyze the results.
You can further automate your analysis using survey valuations, defined using the Survey Library, which
enables you to convert survey answers to scores. This allows you to create aggregates based on organizations
and risk categories, available using the RCSA Aggregation report.
Context
Risk Control Self Assessment (RCSA) plans specify the organizations and risk categories covered by specific
surveys. When managing RCSA plans, you can complete the following tasks:
Context
You can search RCSA plans using the RCSA Plan Management screen. When defining a query (known as a
worklist), you can either create a new worklist or base your worklist on an existing query.
Procedure
The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with RCSA Plans automatically selected in the Select Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Entity field, choose Organization/Risk Category using the drop-down list.
Choose the Preview pushbutton to display the table of RCSA plans based on the current criteria. Choose
the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
Next Steps
Use
You can create RCSA plans using the RCSA Plan Management screen. You can also create a new RCSA plan by
copying an existing plan and modifying the appropriate settings.
Procedure
1. Select an RCSA plan in the table, and choose the Copy pushbutton.
The Copy RCSA Plan screen appears.
2. In the RCSA Plan Name field, modify the name of the RCSA plan.
More Information
Context
You can modify specific RCSA plans using the RCSA Plan Management screen.
Procedure
The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Choose the name of the RCSA plan you want to modify.
The Edit RCSA Plan screen appears allowing you to modify the settings.
3. Modify the RCSA plan settings, as required.
4. Choose the Save pushbutton.
Next Steps
Context
You can monitor RCSA plans using the RCSA Monitor screen, including displaying statistics and other relevant
information.
Procedure
The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Select an RCSA plan in the table, and choose the Monitor pushbutton.
The Statistics dialog appears displaying the matrix coverage and a status overview. Choose the Close
pushbutton to dismiss the dialog.
4. To display planner information related to the RCSA plan, choose the Planner pushbutton.
The RCSA Monitor dialog appears displaying the information. Choose the Cancel pushbutton to dismiss the
dialog.
5. To select another RCSA plan to monitor, choose the Select Other Plan pushbutton.
The RCSA Plan dialog appears allowing you to choose another plan. Select a plan, and choose the OK
pushbutton.
6. Choose the Close pushbutton to close the RCSA Plan Management screen.
Next Steps
Context
You can delete existing RCSA plans using the RCSA Plan Management screen.
Procedure
The RCSA Plan Management screen appears displaying the existing RCSA plans.
2. Select one or more RCSA plans that you need to delete.
3. Choose the Delete pushbutton.
Next Steps
When managing RCSA aggregation hierarchies, you can complete the following tasks:
Context
You can search RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.
Procedure
The RCSA Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with RCSA Aggregation Hierarchies automatically selected in the Select
Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Hierarchy Type ID fields, type or select the range of hierarchy types.
Choose the Preview pushbutton to display the table of aggregation hierarchies based on the current
criteria. Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
Next Steps
Use
You can create RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen. You can also
create a new aggregation hierarchy by copying an existing hierarchy and modifying the appropriate settings.
Procedure
1. Select an aggregation hierarchy in the table, and choose the Copy pushbutton.
The Copy Aggregation Hierarchy screen appears.
2. In the Title field, modify the name of the aggregation hierarchy.
3. Review the current settings and modify, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
More Information
Context
You can modify specific RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen.
Procedure
The RCSA Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the title of the aggregation hierarchy you want to modify.
The Change Aggregation Hierarchy screen appears allowing you to modify the settings.
3. Modify the aggregation hierarchy settings, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
Next Steps
Context
You can delete existing RCSA aggregation hierarchies using the RCSA Aggregation Hierarchies screen.
The RCSA Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Select one or more aggregation hierarchies that you need to delete.
3. Choose the Delete pushbutton.
Next Steps
Context
When managing RCSA aggregation runs, you can complete the following tasks:
Context
You can search RCSA aggregation runs using the RCSA Aggregation Run Management screen. When defining a
query (known as a worklist), you can either create a new worklist or base your worklist on an existing query.
The RCSA Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with RCSA Aggregation Runs automatically selected in the Select Object
Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template
drop-down list.
4. Choose the Next pushbutton.
5. In the Aggregation Type field, choose Risk Control Self Assessment using the drop-down list.
Choose the Preview pushbutton to display the table of aggregation runs based on the current criteria.
Choose the Close pushbutton to dismiss the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
Next Steps
Use
You can create aggregation runs using the RCSA Aggregation Run Management screen. You can also create a
new aggregation run by copying an existing run and modifying the appropriate settings.
Procedure
1. Select an aggregation run in the table, and choose the Copy pushbutton.
The Copy Aggregation Run screen appears.
2. In the Name field, modify the name of the aggregation run.
3. Review the current settings and modify, as required.
4. Choose the Save pushbutton.
More Information
Context
You can modify specific RCSA aggregation runs using the RCSA Aggregation Run Management screen.
The RCSA Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the name of the aggregation run you want to modify.
The Edit Aggregation Run screen appears allowing you to modify the settings.
3. Modify the aggregation run settings, as required.
4. Choose the Save pushbutton.
Next Steps
Context
You can delete existing RCSA aggregation runs using the RCSA Aggregation Run Management screen.
Procedure
The RCSA Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Select one or more aggregation runs that you need to delete.
3. Choose the Delete pushbutton.
Assessment reports pertain to all design assessments and tests of effectiveness. Which reports are available
varies by person, based upon the role assigned.
Note
The Case Selection field is used in several Assessment Reports. Use this field to see evaluation cases of:
● All in reporting timeframe: The report shows all evaluation cases per evaluation type that occurred in
the reporting timeframe.
● One per evaluation timeframe: The report only shows one evaluation case per evaluation type for each
evaluation timeframe, according to the setting in Include Assessment.
● One per reporting timeframe: The report only shows one evaluation case per evaluation type for the
reporting timeframe, according to the setting in Include Assessment.
Example
Case 3: planned for timeframe Year 2012, performed on 2012.1.30 and Include Assessments is set to Most
Recent Assessments/Tests in Timeframe. Run report in timeframe Year 2012, regarding to different
selections in Case selection:
Evaluation Results by Organization This report provides a hierarchical view into the evaluation results of
different types of organizations. You can review this report to under
stand the evaluation status of controls and subprocesses for each
evaluation type. You can focus on failed controls and processes and
drilldown to see if further remediation actions must be taken.
Evaluation Management This report provides a list of organizations that have not yet per
formed certain evaluations in a specific timeframe. You can review
this report to understand the evaluation coverage gaps to see if fur
ther assessments or tests must be planned.
Indirect Entity-Level Control (iELC) Evaluations This report provides indirect entity-level control evaluation results
by iELCs by organization. You can review this report to understand
the evaluation status of iELCs for each evaluation type. You can fo
cus on failed iELCs and drilldown to see if further remediation ac
tions must be taken.
Indirect Entity-Level Control (iELC) Evaluations by This report provides a hierarchical view of indirect entity-level con
Organization trol evaluation results by organization. You can review this report to
understand the evaluation status of iELCs for each evaluation type.
You can focus on failed iELCs and drilldown to see if further reme
diation actions must be taken.
Subprocess Design Assessment This report provides visibility into subprocess design assessment by
organization and process. For each subprocess, it shows the results
of the performed subprocess design assessment. You can review
this report and focus on failed subprocesses and drilldown to see if
further remediation actions must be taken.
Control Ratings This report provides visibility into the control evaluation results of
different evaluation types by organization and process. You can re
view this report to understand the evaluation status of controls for
each control evaluation type. You can focus on failed controls and
drilldown to see if further remediation actions must be taken.
Control Test History with Ratings This report provides visibility into control testing results by controls
by organization and process for multiple periods (if available). You
can review this report to understand the testing status of controls.
You can focus on controls that failed the effectiveness test and drill
down to see if further remediation actions must be taken.
Test Step Status This report provides visibility into the test step details of control
testing results for each organization and process. For each effective-
ness test, it shows results for each test step. You can review this re
port to understand what step failures contribute to the overall test
deficiency.
Risk Coverage with Evaluations This report focuses on evaluation results with risk coverage by con
trols by organization and process. You can review this report to un
derstand, for each risk, whether or not the control assigned for miti
gation is designed and executed correctly. This could help see if an
other control is needed or further remediation actions must be
taken.
Risk Coverage with Ratings by Organization This report shows evaluation results risk coverage in a hierarchical
layout. You can review this report to understand, for each risk,
whether or not the control assigned for mitigation is designed and
executed correctly. This could help determine if another control is
needed or further remediation actions must be taken.
Assessment Survey Results This report provides visibility into assessment results of each evalu
ation type by control for each organization and process. For each
control or subprocess, it shows the evaluation results of the per
formed subprocess design, control design, and self-assessment.
You can review this report and focus on failed subprocesses and
controls. You can drilldown to see if further remediation actions
must be taken.
Issue Status This report provides visibility into issue statuses of each evaluation
type. You can review this report to find out whether there are open
issues under specific organizations, processes, subprocesses, or
controls and drilldown to open the issue details.
CAPA Status This report provides visibility into CAPA plan statuses of each evalu
ation type, if applicable. You can review this report to check whether
all addressed CAPA plans are processed in a timely fashion. You can
also drilldown to see the CAPA plan details.
Recommendation
For more information, see .
Remediation Status This report shows the status of the remediation plan for each evalu
ation type. You can review this report to see whether all addressed
remediation plans are processed in a timely fashion and drilldown to
see remediation plan details.
Test Status by Organization This report provides a hierarchical view into high level statistics on
evaluation status by organization. For each organization, it shows
the total number of key controls as well as the evaluation pass rate
of each evaluation type. You can review this report to compare inter
nal control compliance status among different organizations.
Test Status by Process This report provides a hierarchical view into high-level statistics on
evaluation status by process. For each organization and process, it
shows the total number of key controls as well as the evaluation
pass rate on each evaluation type. You can review this report to
compare the internal control compliance status among different
processes.
Scoping Coverage This report provides a hierarchical view into the result of consoli
dated materiality analysis by accounts group. For each central ac
counts group, it shows the consolidated accounts group signifi-
cance decisions together with account groups balance and material
ity threshold. Additionally, this report shows the overall scoping cov
erage status, in terms of scope control numbers and risk coverage.
You can review this report to see if more account groups must be
added to the scope.
Organization-Level Materiality Analysis Results This report provides a hierarchical view into the result of organiza
tion-level materiality analysis by organization and accounts group.
For each local accounts group, it shows the organization-level ac
counts group significance decisions together with the accounts
group balance and materiality threshold. You can review this report
to see if further accounts group, process, and controls must be
added to the scope.
Testing Strategy by Control This report provides visibility into the results of control risk assess
ment results by control by organization and process. For each con
trol, it shows the value of control risk rating from assessment as well
as the level of evidence calculation result. A use could review this re
port and understand the decisions of testing strategy suggestion to
each control following the risk-based compliance approach.
Risk Assessment Results This report provides visibility into the results of risk assessment re
sults by risk by organization and process. For each risk, it shows the
assessed value of probability, impact level, and overall risk level. You
can review this report and use its output as evidence for risk-based
compliance.
Organizational Sign-off Status This report provides visibility into the status of sign-off by organiza
tion. You can review this report to find out whether business owners
have performed the sign-off for their areas of responsibility. You can
drilldown for the detailed sign-off results.
Aggregation of Deficiency (AOD) Status This report provides visibility into the status of aggregation of defi-
ciency by organization. You can review this report to find out
whether business owners have performed aggregation of deficiency
for their areas of responsibility and drilldown to check the detailed
AOD results.
Policy Profile This report provides an overall summary of the policy, its current
status and where it is currently in the workflow.
Policy Distribution Survey Results This report provides visibility into the results of policy distribution on
question and answer level. You can review this report for audit trail
purpose or you can perform analytics on the feedback from specific
survey questions.
Policy and Issue Status This report provides an overall summary of all issues (both evalua
tion and ad hoc) related to a specific policy. You can review this re
port to help evaluate the effectiveness of a policy based on the eval
uation issues of controls in the policy scope or on the ad hoc issues
of the policy.
Ad Hoc Issue Report This report provides an overall summary of the ad hoc issues.
Policy Distribution Survey Results This report provides visibility into the results of policy distribution on
question and answer level. You can review this report for audit trail
purpose or you can perform analytics on the feedback from specific
survey questions.
Policy and Issue Status This report provides an overall summary of all issues (both evalua
tion and ad hoc) related to a specific policy. You can review this re
port to help evaluate the effectiveness of a policy based on the eval
uation issues of controls in the policy scope or on the ad hoc issues
of the policy.
Policy Distribution Survey Results This report provides visibility into the results of policy distribution on
question and answer level. You can review this report for audit trail
purpose or you can perform analytics on the feedback from specific
survey questions.
Policy and Issue Status This report provides an overall summary of all issues (both evalua
tion and ad hoc) related to a specific policy. You can review this re
port to help evaluate the effectiveness of a policy based on the eval
uation issues of controls in the policy scope or on the ad hoc issues
of the policy.
Policy Distribution Survey Results This report provides visibility into the results of policy distribution on
question and answer level. You can review this report for audit trail
purpose or you can perform analytics on the feedback from specific
survey questions.
Policy and Issue Status This report provides an overall summary of all issues (both evalua
tion and ad hoc) related to a specific policy. You can review this re
port to help evaluate the effectiveness of a policy based on the eval
uation issues of controls in the policy scope or on the ad hoc issues
of the policy.
Policy Distribution Survey Results This report provides visibility into the results of policy distribution on
question and answer level. You can review this report for audit trail
purpose or you can perform analytics on the feedback from specific
survey questions.
Policy and Issue Status This report provides an overall summary of all issues (both evalua
tion and ad hoc) related to a specific policy. You can review this re
port to help evaluate the effectiveness of a policy based on the eval
uation issues of controls in the policy scope or on the ad hoc issues
of the policy.
Use
The Access Management work center provides a central location to maintain role assignments that control user
access to application data and functions.
The Access Management work center contains the GRC Role Assignments [page 521] section.
Note
The Access Management work center is shared by the Access Control, Process Control, and Risk
Management products in the GRC Application. The menu groups and quick links available on the screen are
determined by the applications you have licensed. The content in this topic covers the functions specific to
Risk Management. If you have licensed additional products, such as Access Control or Process Control,
refer to the relevant topics below for the application-specific functions.
More Information
For more information, see the topic Access Management Work Center in the documentation for SAP Access
Control.
Use
In the GRC Role Assignments section of the Access Management work center, you can maintain the role
assignments that control user access to application data and functions.
The GRC Role Assignments section contains the following quick links:
Note
The GRC Role Assignments section of the Access Management work center is shared by the Access Control,
Process Control, and Risk Management products in the GRC Application. The quick links available on the
screen are determined by the applications you have licensed. The content in this topic covers the functions
specific to Risk Management. If you have licensed additional products, such as Access Control or Process
Control, refer to the relevant topics below for the application-specific functions.
More Information
Context
You can use this function to assign users to roles for corporate and organization objects. You typically perform
this task during initial setup, when organizations or roles (corporate or organization) are added, or when
multiple users are assigned to roles.
To assign users to roles at the corporate and organization levels, perform the steps in the following categories:
1. Select a timeframe
2. Select organizations
Choose the corporate and organization-level roles that you want to assign.
3. Assign roles
Choose the users that you want to assign to the roles.
Procedure
1. Navigate to Access Management Organizations . The Assign Corporate and Organization Roles screen
appears.
2. The guided activity screen appears. Perform the following steps:
○ Step 1 – Select a timeframe
○ Step 2 – Select Organizations
1. Enter search criteria in the Find field to filter valid organizations based on your parameters. Otherwise,
leave the field blank to show all valid organizations based on the timeframe displayed, and choose Go.
2. Select the organizations and use the arrow buttons to move them from the Available to the Selected
pane. If no organizations are selected, all organizations are considered.
Recommendation
To select multiple fields, press the CTRL key. To select consecutive fields, press the SHIFT key.
3. Select Next. The Assignments table displays the selected organizations and the respective corporate
and organization-level roles.
Note
Some roles allow multiple users to be assigned. If a role allows multiple assignments, it always
presents an editable cell for additional assignments, whether or not an assignment already exists.
2. To copy the same users to multiple roles, select the entire row you want to copy.
3. Select Copy Action and choose either:
○ Copy to ALL – to copy the user to all editable fields (whether empty or not), or
○ Copy to Empty – to copy the user to only empty editable fields.
4. The Copy Assignment screen appears. Select All roles or Only selected roles for roles to which you want
the users copied. Select OK. The Assignments table populates based on your selection.
Example
The copy action is based upon assignments made in the selected row. For example, a row might
contain the process-level role assignments for Process Owner as Denise Smith and Tester as Oleg
Kopp. Choosing Copy to Empty and then All Roles copies Denise Smith to all empty Process Owner
cells and Oleg Kopp to all empty Tester cells. However, choosing Only selected roles and choosing
Tester copies just Oleg Kopp to all empty Tester cells.
Review your selections in the Proposed Changes results table. Select Previous to go back and make any
changes, if desired. Otherwise, choose Next (the Confirmation screen appears) or select Finish.
4. Step 5 - Confirm
Confirm your selection and select Finish. Your assignments have been made, and any changes require a
replacement or removal.
Next Steps
●
● SAP Access Control 10.1 / Process Control 10.1 / Risk Management 10.1 Security Guide at http://
help.sap.com/grc
Use
To use the Risk Management and workflow applications, you need to assign user roles to the various risks and
activities defined for your organization.
Prerequisites
You have defined roles in the back-end system using transaction PFCG. For more information, see Standard
Roles and Authorization Objects [page 30].
Note
Overview information on Risk Management roles is provided in Risk Management Application Roles [page
31].
Procedure
From the Access Management work center, choose GRC Role Assignments Risks, Opportunities and
Activities .
1. First select the evaluation timeframe from the dropdown options and then choose the Apply pushbutton.
2. In Step 1, you select the activities, risks and/or opportunities to which you want to assign user roles. In the
Filters section, you can specify in greater detail the set of objects to be filtered for role assignment:
○ Organization
○ Activity category
○ Risk/opportunity category
○ Role
3. By choosing Next, you access Step 2 of the procedure, which is to assign users to roles for the objects
selected in Step 1. Some of these fields may be user-defined from Customizing, or they may be master
data objects in Risk Management. You can display all the roles, or only the roles not yet assigned to an
object.
Note
In the list that appears, you can see white fields ready for input, and read-only blue fields that are
already filled with role data.
7.5.1.3 Replacements
Use
The Replacement function allows you to remove a user from a role or to replace a user in a role. You use this
function when employee status changes due to job transfers, new hires, or terminations. This changes the role
assignments and transfers the open workflow from the user being replaced to his or her replacement.
Features
1. Navigate to Access Management GRC Role Assignments Replacements . The Replacements and
Removals screen appears.
2. Since you select a user in the upper pane, the lower pane shows role replacements or removals for the
highlighted user. This listing is display-only.
In the lower pane, Level represents the authorization level of the role and Object pertains to the object
(such as process, subprocess, control) to which the role has access.
3. Select the desired year and period in the timeframe fields, and choose Go. The earliest possible date for a
replacement is tomorrow (that is, system date plus one day).
4. To replace or remove a user from a role, select Replace or Remove. The Role Replacement and Removal
screen displays a guided activity.
5. Select user
○ In the Find field, enter the name or user ID of the user you want to replace or remove. Choose Go. Wild
cards (*) are not supported on this screen.
○ Select the row of the user to be replaced or removed and select Next. The Assignments table displays
the current role assignments for the user selected.
6. Define Replacement
○ To replace a user in a role, select the Replacement field of the role for which you want to enter a
replacement.
○ Enter the user name or select the value help to search by user or user ID. Provide a partial user name
or user, using wild cards (*) as needed. Select the row containing the desired replacement and choose
OK.
○ In the Effective Date field, enter the date that you want the replacement to take effect. Optionally, leave
the field blank to default to the earliest possible date, usually the following day.
○ Continue selecting roles and making replacements until all desired roles have replacements.
○ To copy a user name and effective date to multiple roles (rows), select the source row for the copy and
choose Copy Action. If you have not selected a row, Copy Action is disabled.
○ Choose any of the following options from the Copy Action dropdown:
○ Copy to ALL – to copy to all Replacement and Effective Date fields (whether target cells are empty
or not). If the fields are not empty, the fields are overwritten with the new user and effective date.
○ Copy to Empty – to copy to only empty Replacement and Effective Date fields. If these fields are
populated with a different user/date, the fields retain the user/date content and are not replaced.
○ To remove a user from a role without replacing him or her, select the user name and select Remove.
This is useful when a role allows multiple users to be assigned.
Note
If your removal causes a role assignment to become empty, the system displays a warning.
○ Select Next. The Proposed Changes screen displays the changes to be made.
7. Review your selections in the Proposed Changes results table. Select Previous to go back and make
changes. Otherwise, choose Next or select Finish. The Confirmation screen appears.
8. Confirm your selection and choose Finish. Your replacements and removals are effective on the date you
provided. For replacements, the system reroutes open workflow tasks to the replacements on that date.
Use
You authorize users to perform tasks and exercise access rights on behalf of other users. The system
administrator must grant you authorization to perform central delegation.
● You can authorize a user (the delegate) to perform the tasks and to exercise the access rights of another
user (the delegator).
● You delegate access rights by creating a new delegation in which you designate one user as the delegator
and another as the delegate. The delegator’s access rights and tasks become accessible to the delegate for
the validity period that you specify.
Recommendation
Companies limit access to Central Delegation because it authorizes users to access all delegations and to
delegate on another user’s behalf.
Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business
users. If a power user needs to delegate his or her authorization to others, he or she must ask the IT
department to assign the PFCG role SAP_GRC_FN_ALL to that user. This delegation is not entity-
dependent. For more information, see and https://help.sap.com/viewer/
f77342ea45c24d3f81032575e6f50d8b/10.1.19/en-US/98d94d2a26904cb8b42f0120c33183da.html.
Prerequisites
You have authorization for central delegation. For more information, see the SAP Process Control 12.0 Security
Guide at https://help.sap.com/pc.
Procedure
To delegate the access rights of one user to another, follow the steps below.
1. Select Access Management work center, choose GRC Role Assignments Central Delegation
The Central Delegation screen displays all existing delegations. From here, you can create a new delegation,
open and edit an existing delegation, or delete a delegation.
2. To create a new delegation, choose Create.
The Central Delegation screen displays.
3. Enter the information as follows:
1. In the Delegator User field, select the value help to display the User List dialog box.
Note
3. In the Delegate User field, select the delegate in the same manner as you selected a delegator.
The system fills in the Full Name field when you select a user.
4. In the Delegation Period field, adjust the defaults as needed.
○ The Start Date defaults to the date the delegation is created.
Enter the date you want the delegation to begin.
○ The End Date defaults to unlimited (December 31, 9999).
Enter the date you want the delegation to end. If you accept the default of an unlimited End Date,
you can change the date later, or delete the delegation when it is no longer needed.
Use
The Reports and Analytics work center provides a central location to display reports and dashboards related to
Risk Management, such as alerts, user analysis, and audit reports, among other information.
The Reports and Analytics work center contains the following sections:
Note
The Reports and Analytics work center is shared by the Access Control, Process Control, and Risk
Management products in the GRC Application. The menu groups and quick links available on the screen are
determined by the applications you have licensed. The content in this topic covers the functions specific to
Risk Management. If you have licensed additional products, such as Access Control or Process Control,
refer to the relevant topics below for the application-specific functions.
More Information
For more information, see the Reports and Analytics topic in the documentation for SAP Access Control.
7.6.1 Management
Definition
The Management section of the Reports and Analytics work center contains the heatmap and dashboards for
use by corporate-level management:
● Heatmap: The heatmap provides graphical overview data on the risks defined for your organization. For
more information, see Using the Heatmap [page 530].
● Overview: This dashboard provides an overview of all risks defined for an organization. For more
information, see Using the Overview Dashboard [page 531].
● Top Risks: This report provides information for a user-defined number of the organization's most important
risks.
More Information
Use
Risk Management provides visual displays of analysis risk data in your organization in the form of dashboards
and a heatmap. These are found in the Reports and Analytics work center.
Features
Although a dashboard and a heat map provide users with graphical information, they are different in their
structure and content:
● A dashboard provides a graphic display of the most important information needed to accomplish one or
more objectives. These are consolidated and arranged on a single screen, so the information can be
monitored at a glance.
Dashboards enable a company to evaluate risk data on an aggregated basis, in this way fulfilling the risk
reporting needs of senior managers and line managers. Some of the features are:
○ A matrix of the possible risk levels involved
○ Navigation between the different sections of the dashboard
○ Drilldown to perform data analysis
○ Scoring functionality for risk analysis
● A heatmap is a graphical representation of data for which the values used by the variables are represented
as colors in a two-dimensional map.
The following are dashboards in the Management section of the Reports and Analytics work center:
● Heatmap: For more information, see Using the Heatmap [page 530].
● Overview dashboard: Contains an overview of all risk data across an organization's risk structures and
dependencies. For more information, see Using the Overview Dashboard [page 531].
● Top Risks dashboard: Displays information about the top risks, defined per activity, for an organization. You
can specify the number of risks that you consider to be top risks.
● The Overall Compliance Status Dashboard in the Compliance section allows you to view the status of the
following compliance metrics:
○ Risk control coverage
○ Control assessment/evaluation
○ Issue and remediation
○ Organization certification
● For information about dashboards in the Incidents and Losses section, see Working with the Loss
Dashboards [page 532].
Use
A heatmap is a type of dashboard that uses colors in a two-dimensional map to graphically represent data
values for variables.
Prerequisites
To use the heatmap, you must maintain the following Customizing activities:
● Maintain Impact Levels (X-axis values), under Risk Management Master Data Setup .
The following Customizing activities are found under Risk Management Risk and Opportunity Analysis :
Procedure
To access the heatmap, go to Reports and Analytics. In the Management section of this screen, choose the
Heatmap link.
1. Choose the Heatmap link. A heatmap window opens, containing the risks for your organizational unit.
2. To display the heatmap for a different organizational unit, select the organization in the Org. Unit field.
3. To see further selection options, choose the Toggle Advanced Selection Options in double-angle brackets to
the right of this section. You can choose to display only certain activities or risk categories displayed, or
you can filter by Aspect.
Note
If a risk contains underlying risks, that is, risks defined on lower levels of the organization, you can view
them by selecting the Deep checkbox (dropdown text: Include Subordinate Org. Units). A triangle will
then appear to the right of a risk that has underlying risks assigned to it. However, these underlying
risks are not considered during the calculation, which means that the bar chart does not include them
in the sums displayed.
4. By putting the cursor on a column, the quick info text display the loss data in monetary terms. On the right
side, the color coding corresponds to the severity of the risks involved, as defined in Customizing.
5. The numbers in the boxes represent how many risk events correspond to this category. By clicking on a
number, you can see the risk events in the lower section containing the corresponding risk event, whose
data you can display by selecting the relevant line. You can also change the risk data in the window that
opens.
Use
The Overview dashboard is the entry point for all dashboards. It provides general information on your
organization's risk structures and dependencies, filtered according to time frame and organizational unit. In
this way, you can display an aggregated overview of all risks and their dependent objects, as chosen using the
values in the top selection panel.
Procedure
1. In the selection panel, select the organizational unit, the time frame, and the year for which you want to
evaluate the risks. To the right of these selection fields, you can switch on the toggle for advanced selection
options. If you do this, a checkbox for including all subordinate organizational units becomes available for
input.
2. The lower sections now display the requested data. Note the following:
○ Clicking on the square box at the top right enlarges a section.
○ Passing the mouse over the risk exposure columns provides further data on the risk losses involved.
3. To access an individual risk, choose the risk link in the Risk Event column at the bottom. You cannot change
any risk data in the risk screen that appears.
Note
To change the currency displayed in the bottom section, choose the Personalize link at the top right of
the screen.
● Selection Panel: The selection panel at the top is enables you to select the organizational unit, and the
timeframe/year to be evaluated in the dashboard.
● The following summarizes specific risk information about the selected values for risks:
○ Risk Level by Risk Category: This component displays the structure of the classification of risks. It also
displays the distribution of risk colors (red, yellow, green), showing the hierarchical dependencies of
underlying categories. You can select from inherent risks, planned residual risks, and residual risks.
Note
If you select the Drill Up pushbutton, the risks are summarized in one column.
Note
For both the risks per impact category and the risks per driver category, you can put the cursor on
a specific wedge to see the quick-info text with further information about these categories.
○ The lower section has the same layout as the risk heatmap [page 530], containing risk events that you
can select, together with the activity, risk category, and different risk levels and loss data.
Use
For graphically depicting losses, Risk Management has the following two dashboards:
● Loss Overview: This dashboard displays an overview of all losses in the organization for a particular period.
It also shows the loss distribution per quarter and the losses structured according to risk category.
● Loss Structure: This dashboard displays the structure of losses across various organizational units.
Prerequisites
Procedure
1. Access the dashboards under Reports and Analytics Incidents and Losses.
Note
If you are using a dashboard for the first time, you are prompted to select a currency to be used with
this dashboard, which is saved in your user personalization data.
2. If necessary, you can change the currency displayed by choosing the Personalize link. If you want to
maximize the screen section, choose the Zoom-In button at the top right of each section. To work with the
dashboards, proceed as described in the following sections:
1. Specify the time frame for the evaluation and choose the Refresh pushbutton.
1. Specify the time frame for the evaluation and choose the Refresh pushbutton.
2. The columns in the Loss Structure section mean the following:
Column Meaning
Number of Losses The number of losses found in the specified time frame.
Total Amount The total financial amount of the loss, expressed in the
specified currency.
Percentage For this loss, the percentage with respect to all losses in
the organization (all losses total 100%).
Note
By clicking on the triangle to the right of a column header, you can reverse the order of display of the
items in the list.
3. To the right, you can see the losses per organizational unit in pie-chart form.
4. If you choose a line in the upper section, the graphical displays on the right and in the lower section
change. The axes in the lower chart are:
○ X-axis: Loss amount in currency used
○ Y-axis: Number of losses
7.6.2 Compliance
The following reports are contained in the Reports and Analytics work center in the Compliance section.
Report Description
Evaluation Status Dashboard Shows a high-level picture of the overall status of corporate
compliance throughout different business entities and pro
vides analytics and drilldown capabilities to view data on dif
ferent levels and dimensions.
Overall Compliance Status Dashboard Shows a high-level picture of the overall status of corporate
compliance throughout different business entities and pro
vides analytics and drilldown capabilities to view data on dif
ferent levels and dimensions.
Recommendation
For more information, see .
The Access Management section of the Reports and Analytics work center provides reports for managing user
access. Some of the reports provided are:
Change Log Report Displays all configuration changes that a system administra
tor makes in super user privilege management for SOX com
pliance.
Entity Authorization Analysis Displays information on the authorizations granted for a par
ticular entity.
Object Authorization Analysis Displays information on the authorizations granted for a par
ticular object.
The following reports and dashboards are accessed via the Incidents and Losses section in the Reporting and
Analytics work center.
Incidents on Risks Displays information on the incidents and their losses that have occurred
in your organization, per risk category.
Loss Matrix Analysis Enables you to select whether impact or risk categories are to be used for
the loss matrix, and analyzes the losses for specific organizations and im
pact/risk categories for a specific time period. For more information, see
the corresponding Customizing activity and documentation on Web Dyn
pro ABAP for standard colors for table cells, WDUI_TABLE_CELL_DE
SIGN.
Loss Overview (dashboard) Provides an overview of losses in graphic form, including the financial
loss amount, the loss distribution per period, and the loss by risk cate
gory.
Loss Structure (dashboard) Provides an overview in graphic form of all losses per organizational unit,
including loss amount and the number of losses.
Use
In the Risks and Opportunities section of the Reports and Analytics work center, there is a series of predefined
reports for risks, activities, and incidents, as well as for printing report data in PDF format. Each report allows
for the input of specific selection criteria. You can further summarize the report contents for more detailed
analysis.
Features
All reports are delivered with a standard report layout. However, each report allows you to define and save
multiple user-specific settings, providing different views of the data. You can modify reports by adding and
removing columns, perform sorting, and export the structure to an Excel spreadsheet for regrouping and
displaying of hierarchies.
The following two tables describe Risk Management reports in the various areas of the application. The first
table is specific to Risks and Opportunities; the second table describes the reports in the other sections of the
Reports and Analytics work center.
Risks per Activity Category Displays information on risks for a selected activity category.
Risks per Objective Displays information on risks based on the objectives and objective strat
egies defined for an organization.
Risks per Organizational Unit Displays information on all risks specified for an organization.
Note
The risk aspect enables you to see how an impact level would be
rated if the risk were seen from the perspective (aspect) of a differ-
ent organizational unit.
Risk Impact Details Displays detailed information per impact category for selected risks.
Risk Mitigation Details Displays information about the mitigation/response measures taken for
risks.
Risk Summary Displays all risk information in summarized form per defined period.
Opportunities per Opportunity Category Displays information about all opportunities for an opportunity category.
Opportunities and Enhancement Plans Displays all enhancement plans for an opportunity per organizational unit
and/or activity.
Activity History Displays information about the history and associated changes for an ac
tivity. It displays only those activities that contain risks.
Risk History Displays information on your company's risk history and on the changes
associated with specific risks, enabling you to view the changing assess
ments for a particular risk.
KRI for Risk Displays information on all KRIs for an individual risk.
Influence Factors Displays information on given risks that influence other risks.
RCSA Aggregation Report Displays aggregated RCSA scores by organizational unit and risk cate
gory hierarchies.
KRI Aggregation Report Displays aggregated KRI scores by organizational unit and risk category
hierarchies.
Management
Heatmap Displays the graphical heatmap with assigned risk events, which can be
changed.
Overview Provides a graphical and color-coded overview of all risk information, to
gether with a graphical display of a what-if analysis for the top risks. A
separate print function is available with a graphical output function.
Top Risks Displays information on the top risks, defined per activity, for an organi
zation. You can specify the number of risks that you consider to be the
top risks.
Compliance
Risk-Based Compliance Management Contains PC-specific compliance contents for various compliance frame
works, such as Sarbanes-Oxley.
Survey Results Displays the results of surveys that have been carried out.
Note
The risk aspect function enables you to see how a survey would be
rated if the risk were seen from the perspective (aspect) of a differ-
ent organizational unit.
Datasheet
ZCustomizing Datasheet
Incidents and Losses — The following reports are displayed in the Incidents and Losses section
Incidents on Risks Displays information on the incidents and their losses that have occurred
in your organization, per risk category.
Loss Matrix Analysis Enables you to select whether impact or risk categories are to be used for
the loss matrix and analyzes the losses for specific organizations and im
pact/risk categories for a specific time period. For more information, see
the corresponding Customizing activity and the documentation on Web
Dynpro ABAP on standard colors for table cells, WDUI_TABLE_CELL_DE
SIGN.
Loss Overview Loss Overview: Provides an overview of losses in graphic form, including
the financial loss amount, the loss distribution per period, and the loss by
risk category.
Management
Loss Structure Loss Structure: Provides an overview in graphic form of all losses per or
ganizational unit, including loss amount and the number of losses.
Print Reports
Print Reports Enables you to create printable PDF fact sheets for risks, activities, and
opportunities.
Miscellaneous
Risks Associated with Policies Displays all risks for a period per policy category and type.
Note
This report is located in the Master Data work center.
Activities
To access and execute the reports, choose Risk Management Reporting and Analytics . Note that all
reports can be generated immediately, or run in the background (recommended for large amounts of data) by
choosing the Schedule pushbutton.
More Information
For more information about Risk Management dashboards, see Dashboards (Heatmap, Overview, Top Risks,
and Other) [page 529].
For more information about printing PDF fact sheets for reports, see Working with Print Reports [page 538].
Use
The Print Reports application is used to print the following fact sheets:
The Print Fact Sheet pushbutton in the risk and activity application screens prints only the current data for
the selected risk, activity, or opportunity. By using the Print Report function, however, you can select more
than one risk, activity, or opportunity with all or some sections for printing to PDF.
Procedure
1. Choose Reports and Analytics Print Reports Print Reports . A guided procedure appears.
2. In Step 1, Select Report, enter a user-defined name for the report and select the type of report you want to
print, together with the year and the period to be used for the selection.
Note
Choosing the Reset pushbutton resets the entries of the report name and type fields.
3. Choose Next to select the organizational (mandatory) and activity data (optional) to be used as selection
criteria.
4. Choose Next to access the Choose Report Details step. You now select the objects to be included in the fact
sheet report.
○ If you choose the Preview Report pushbutton, you can preview the report in PDF format.
○ If you want to save an online copy in the application, choose Save Report.
5. Choose Next to complete the report creation. You are prompted to either open or save the PDF file that was
generated. If you select Open, the PDF opens for display. You can print it directly, or save it to your hard
disk.
6. If you make changes, choose the Update Report pushbutton to update the report definition.
7. By selecting New Report, you return to Step 1 of the guided procedure, and can define a new print report.
Note
After you have created your print reports, they appear in the bottom section of the guided procedure
screen when you call it up again. You can directly access the PDF printing function by selecting the line of
the desired report.
Use
Operational Risk Management for Banking allows SAP customers to manage and evaluate operational risks in
the banking and financial services sectors.
Note
For banks, operational risk management principally involves recording and analyzing loss events. The loss
event management functions available in Operational Risk Management for Banking are similar to the
incident management features in Risk Management, but offer more detailed recording and reporting
capabilities. Therefore, it is recommended that you use either loss event management or incident
management, but not both.
Features
● You can manage loss events, including creating, modifying, and deleting events, as well as manage loss
event drivers and related risks, as required. For more information, see Loss Event Management [page
545].
● You can group multiple loss events together and manage the group as a single loss event for recording,
management, or modeling purposes. For more information, see Managing Grouped Loss Events [page
549].
● You can upload loss events, as required. You can also display the loss event history, as well as download
loss events and scenario losses. For more information, see Uploading Loss Events [page 558],
Downloading Loss Events [page 555], and Downloading Scenario Losses [page 557] respectively.
● You can reassign loss events between organization units (following an organizational restructure, for
example). For more information, see Reassigning Loss Events [page 559].
● You can map master and dependent organization views, allowing you to map your internal organizational
view to an external view compatible with either the Operational Riskdata eXchange Association (ORX) or
the Basel II accord. You can also map your internal risk category hierarchy to an external hierarchy
compatible with ORX. For more information, see Mapping Master and Dependent Organization Views [page
541] and Mapping Master and Dependent Risk Category Hierarchies [page 543] respectively.
● You can display a series of reports related to loss events, as well as perform loss event matrix analysis. For
more information, see Loss Event Reports [page 560] and Loss Event Matrix Analysis [page 561]
respectively.
The Master Data work center provides a central location to manage and view the organization structure,
regulation and policies, catalog of objectives, and catalog of risks and responses.
The Master Data work center for Operational Risk Management for Banking contains the following additional
quick links:
● Organizations
○ Mapping Master and Dependent Organization Views [page 541]
● Risks and Responses
○ Mapping Master and Dependent Risk Category Hierarchies [page 543]
Note
The Master Data work center is shared by the Access Control, Process Control, and Risk Management
products in the GRC application. The menu groups and quick links available on the screen are determined
by the applications you have licensed. The content in this topic covers the functions specific to Operational
Risk Management for Banking.
Context
You can use the Master and Dependent Organization Views Mapping screen to map your internal organizational
view to an external view compatible with either the Operational Riskdata eXchange Association (ORX) or the
Basel II accord.
Note
In this procedure, the master and dependent views refer to the internal and external organizational views
respectively.
1. Choose Master Data Organizations Master and Dependent Organization Views Mapping .
Choosing ORX or Basel II allows you to map your organizational view to an external view compatible with
the Operational Riskdata eXchange Association (ORX) or the Basel II accord respectively.
Note
You can specify the organization views that appear in this list using the Mapping Hierarchy in Risk
Management type in the Governance, Risk and Compliance Shared Master Data Settings
Maintain Organization Views customizing activity.
5. To display a summary of an organization unit or loss event, select the item in the Organizations hierarchy.
The Organization Unit dialog appears showing details about the entry.
7. To map an organization unit or loss event from the master hierarchy to the dependent hierarchy, select the
entry in the master Organizations hierarchy on the left and drag and drop it to the correct location in the
dependent Organizations hierarchy on the right.
Alternatively, you can highlight the correct location in the dependent Organizations hierarchy on the right,
select the entry in the master Organizations hierarchy on the left, and choose the Add pushbutton.
The organization unit or loss event appears in the dependent Organizations hierarchy on the right.
8. To remove a mapping, select the entry in the dependent Organizations hierarchy on the right and choose
the Remove pushbutton.
9. Review your mappings in the Mappings Overview table at the bottom of the screen.
Optionally, select a mapping in the Mapping Overview table and choose the Open pushbutton to display
details about the mapping.
10. Choose the Save pushbutton to save the mappings.
Note
The mappings are not saved until you choose the Save pushbutton.
Next Steps
Context
You can use the Master and Dependent Risk Category Hierarchies Mapping screen to map your internal risk
category hierarchy to an external hierarchy compatible with the Operational Riskdata eXchange Association
(ORX).
Note
In this procedure, the master and dependent risk categories refer to the internal and external risk
categories respectively.
Procedure
1. Choose Master Data Risks and Responses Master and Dependent Risk Category Hierarchies
Mapping .
The Master and Dependent Risk Classification Hierarchies Mapping screen appears.
2. In the Date field, select the appropriate date and choose the Apply pushbutton.
3. In the View field on the left, choose a risk category using the drop-down list.
4. To display a summary of a risk category, select the item in the Classification hierarchy.
The Risk Category dialog appears showing details about the entry.
6. To map a risk category from the master hierarchy to the dependent hierarchy, select the entry in the
master Classification hierarchy on the left and drag and drop it to the correct location in the dependent
Classification hierarchy on the right.
Alternatively, you can highlight the correct location in the dependent Classification hierarchy on the right,
select the entry in the master Classification hierarchy on the left, and choose the Add pushbutton.
The risk category appears in the dependent Classification hierarchy on the right.
7. To remove a mapping, select the entry in the dependent Classification hierarchy on the right and choose
the Remove pushbutton.
8. Review your mappings in the Mappings Overview table at the bottom of the screen.
Optionally, select a mapping in the Mapping Overview table and choose the Open pushbutton to display
details about the mapping.
Note
The mappings are not saved until you choose the Save pushbutton.
Next Steps
8.2 Assessments
The Assessments work center provides a central location to view and manage surveys, test plans, and risks and
opportunities. You can also use the work center to maintain incidents and plan evaluations, as well as simulate
risks using scenarios.
The Assessments work center for Operational Risk Management for Banking contains the following additional
section and quick links:
Note
The Assessments work center is shared by the Access Control, Process Control, and Risk Management
products in the GRC application. The menu groups and quick links available on the screen are determined
by the applications you have licensed. The content in this topic covers the functions specific to Operational
Risk Management for Banking.
An operational risk loss event is an event that leads to a business process outcome that differs from the
expected outcome. This can result from inadequate or failed internal processes, people, and systems, or from
the occurrence of external events. Loss events include legal risks, but exclude strategic and reputation risks.
Loss events are therefore a central component of operational risk management in the banking and other
financial services sectors.
You can complete the following tasks using the Loss Event Assessments group:
● Manage loss events, including grouping loss events and managing related risks
● Upload loss events using an XML-based file
You can use the Loss Event Management quick link to create, modify, and delete loss events, as required, as well
as manage loss event drivers and related risks. You can also group multiple loss events together and manage
the group as a single loss event for recording, management, or modeling purposes.
Specifically, when performing loss event management, you can complete the following tasks:
Use
You can search loss events using the Loss Event Management screen. When defining a query (known as a
worklist), you can either create a new worklist or base your worklist on an existing query. You can also modify
an existing worklist, as required.
Procedure
To modify a worklist
More Information
Prerequisites
You can use the Governance, Risk and Compliance Risk Management Operational Risk Management for
Banking Industry Loss Event Management Define Loss Event Types and Workflow Configuration Loss
Event Types customizing activity to manage the loss effect types.
Context
You can create loss events using the Loss Event Management screen.
Procedure
The Loss Event Management screen appears displaying the existing loss events.
To add a new effect, choose the Add pushbutton and specify the Effect Name, Effect Type, Effect Amount,
Ins. Policy Number, and the Settlement Date. You can also specify the loss and capital allocations
associated with the effect.
An effect is a positive or negative quantifiable impact on the Profit & Loss (P&L) of an organization due to
an operational risk loss event.
You can distribute the monetary value of an effect as a loss allocation or a capital allocation. A loss
allocation is a distribution of the amount specified in the effect to organizational units, expressed as a
percentage. A capital allocation, in contrast, is a division of the financial resources necessary as a result of
the effect (for mitigation of the effect, for instance), expressed as a monetary value.
Note
The system automatically calculates the Gross Loss Amount, Net Loss Amount, and Capital Amount
fields based on the effects and allocations amounts. The gross loss amount is the sum of all negative
effects, while the net loss amount is the gross loss amount minus the sum of all positive effects. The
capital amount, in contrast, is the sum of all capital allocations of all effects.
7. Choose a tab (such as Responsibility or Dates, among others), and enter appropriate values in the
corresponding fields.
8. To validate your settings, choose the Validate pushbutton.
Next Steps
Context
You can modify specific loss events using the Loss Event Management screen.
Procedure
The Loss Event Management screen appears displaying the existing loss events.
2. Select the loss event in the table.
The Loss Event section appears at the bottom of the screen showing details of the loss event.
3. Modify the loss events details, as required.
4. To validate the settings, choose the Validate pushbutton.
Next Steps
Use
In certain circumstances, it is advantageous to group multiple loss events together and manage the group as a
single loss event for recording, management, or modeling purposes.
When grouping loss events, you can complete the following tasks:
Note
By default, the organization unit of a grouped loss event is a lowest parent of all organization units from the
losses included in the group. All monetary attributes of a grouped loss event represent sums of the
corresponding attributes of all single losses included in the grouped loss event.
More Information
Context
In certain circumstances, it is advantageous to group multiple loss events together and manage the group as a
single loss event for recording, management, or modeling purposes.
Note
For grouped loss events, all monetary attributes represent the sums of corresponding monetary attributes
from the individual loss events.
You can group specific loss events using the Loss Event Management screen.
Procedure
The Loss Event Management screen appears displaying the existing loss events.
2. Select the loss events that you want to group, and choose Group Create New Group .
Next Steps
Context
You can add loss events to a group using the Loss Event Management screen.
Procedure
The Loss Event Management screen appears displaying the existing loss events.
2. Select a loss event in the table.
The Loss Event section appears at the bottom of the screen showing details of the loss event.
Next Steps
Context
You can remove loss events from a group, as required, using the Loss Event Management screen.
The Loss Event Management screen appears displaying the existing loss events.
2. Select the grouped loss event in the table.
The Loss Event section appears at the bottom of the screen showing details of the loss event group.
3. Choose the Group tab.
4. Select a loss event in the table, and choose the Remove pushbutton.
Next Steps
Prerequisites
You can use the Governance, Risk and Compliance Shared Master Data Settings Risk and Opportunity
Attributes Maintain Driver Categories customizing activity to manage the driver categories.
Context
Drivers describe the circumstances or conditions that cause a particular loss event. You can manage loss event
drivers using the Loss Event Management screen.
The Loss Event Management screen appears displaying the existing loss events.
2. Select a loss event in the table.
The Loss Event section appears at the bottom of the screen showing details of the loss event. Alternatively,
you can manage drivers when creating a new loss event.
3. Choose the Drivers tab.
4. Choose the Add pushbutton.
Use
In general, risks represent uncertain events or conditions that, if they occur, have a negative impact on
business objectives. You should consider generating a risk for loss events that are likely to occur either
repeatedly or again in the future. Alternatively, you can link an existing risk to a loss event.
Note
When you generate a risk, the system uses the same organizational unit and risk category as the loss event,
by default.
Procedure
Context
Every time a loss event is saved, the system creates a version of the event to enable change tracking and
reporting. You can display the historical versions of loss events using the Versions section of the Loss Event
Management screen.
Procedure
The Loss Event Management screen appears displaying the existing loss events.
2. Select the loss event in the table.
The Loss Event section appears at the bottom of the screen showing details of the loss event. The Up to
date and User fields display the current date and the name of the current user respectively. A drop-down
list containing all current versions is also available.
The version drop-down list updates to display all versions saved before the specified date.
4. In the User field, type or select a user name.
The version drop-down list updates to display all versions saved by the specified user.
5. Choose a version using the drop-down list.
Next Steps
Context
You can download loss events using the Loss Event Management screen. When downloading loss events, you
can save the data in the following formats:
● XML
● QRR Excel
● QRR plain text
● ORX report — Downloads reports compliant with the Operational Riskdata eXchange Association
● EBA report — Downloads reports compliant with the European Banking Authority
Procedure
The Loss Event Management screen appears displaying the existing loss events.
2. Select one or more loss events that you need to download.
3. Choose the Download pushbutton, and choose a download format from the drop-down menu.
The sample ORX Business Add-In implementation retrieves and downloads the following loss attributes:
○ Reference ID Number, which is the loss event identifier
The sample EBA Business Add-In implementation retrieves and downloads the following loss attributes:
○ Internal Reference Number, which is the loss event identifier
○ Gross Loss Amount
○ Of Which: Unrealized
○ Status: Ended?
○ Direct Recovery
○ Indirect Recovery
○ Potential Recovery
○ Related to CR or MKR
○ Breakdown of Gross Loss (%) by Business Lines
○ Risk Event Type
○ Occurrence
○ Recognition
○ First Payment from Risk TM
○ Last Payment from Risk TM
Next Steps
Context
You can download scenario losses, which are risks that are interpreted as losses, using the Loss Event
Management screen. When downloading scenario losses, the system saves the data in the standard XML
format for losses.
Note
You can specify that a risk is to be considered as a scenario loss by selecting the Risk Used As Scenario
Loss check box in the General tab in Assessments Risk Assessment Risks and Opportunities .
Procedure
The Loss Event Management screen appears displaying the existing loss events.
2. Choose the Download Scenario Losses pushbutton.
Specify the location for the download file and choose the Save pushbutton.
Next Steps
Context
You can delete existing loss events using the Loss Event Management screen.
The Loss Event Management screen appears displaying the existing loss events.
2. Select one or more loss events that you need to delete.
3. Choose the Delete pushbutton.
Next Steps
Context
You can upload loss events using the Upload Loss Events screen.
Procedure
The Upload Loss Events screen appears displaying the first step of the upload wizard.
2. In Step 1: Upload file, choose the Browse pushbutton and select the file to upload.
Choose the Continue pushbutton to advance to the next step of the wizard. The contents of the upload file
appear allowing you to review the loss events.
3. In Step 2: Check content, review the loss events to be uploaded.
1. In the Upload mode field, choose the appropriate option using the drop-down list.
2. Choose the Continue pushbutton.
4. In Step 3: Upload progress, choose the Continue pushbutton, if necessary, after the upload completes to
advance to the next step of the wizard.
Step 3 only appears in cases when you upload a large number of loss events.
5. In Step 4: Check results, verify the upload results and choose the Submit pushbutton to save the loss
events to the database.
Alternatively, choose the Cancel pushbutton to exit the wizard without saving the loss events to the
database.
Context
You can use the Loss Events: Organization Unit Reassignment screen to reassign loss events between
organization units. You might need to do this following an organizational restructure, for example.
Note
In this procedure, the current loss event assignments appear on the left while the reassigned loss events
appear in the hierarchy on the right.
Procedure
Note
3. To display a summary of an organization unit or loss event, select the item in the Organizations hierarchy.
The Organization Unit dialog appears showing details about the entry.
5. To reassign loss events, select the entries in the Organizations hierarchy on the left and drag and drop the
events to the correct location in the Organizations hierarchy on the right.
You can also reassign all loss events from one organization unit to another by dragging and dropping the
entire organizational unit. The reassigned loss events appear in the Organizations hierarchy on the right.
6. Review your reassignments in the Reassignment Overview table at the bottom of the screen.
Optionally, select a reassignment in the Reassignment Overview table, and choose the Open pushbutton to
display details about the reassignment.
7. Choose the Save pushbutton to save the reassignments.
The reassignments are not saved until you choose the Save pushbutton.
Note
If you reassign a loss event more than once (for a specific date), only the last reassignment is
maintained.
The Reports and Analytics work center provides a central location to display reports and dashboards related to
Risk Management, such as alerts, user analysis, and audit reports, among other information.
Operational Risk Management for Banking adds the Loss Event Reports [page 560] section and associated
quick links to the Reports and Analytics work center.
Note
The Reports and Analytics work center is shared by the Access Control, Process Control, and Risk
Management products in the GRC application. The menu groups and quick links available on the screen are
determined by the applications you have licensed. The content in this topic covers the functions specific to
Operational Risk Management for Banking.
The following reports are available in the Loss Event Reports section of the Reports and Analytics work center.
Report Description
Loss Event Matrix Analysis Displays aggregated loss events as a matrix of organizational units, proc
esses, or products (in the first dimension) and risk categories (in the sec
ond dimension), allowing you to analyze the distribution of the losses.
Loss Event Overview Displays a dashboard showing loss events and their development over
time using bar charts.
Loss Event Structure Displays a dashboard showing the loss event distribution, across organi
zational units, in bar and pie charts.
Top Loss Events Displays loss events, based on the selection criteria, with the highest
amount values.
Gross Loss Amount by Organizational Unit Displays the summarized value of gross loss amounts from all loss events
assigned to select organizational units.
Loss Events by Organizational Unit Displays loss event data by organizational unit.
Loss Events by Risk Category Displays loss event data by risk category.
Insurance Payments by Organizational Unit Displays all effects considered as insurance payments (based on the ef
fect type and certain loss event data related to the effects).
Loss Effect Allocations by Organizational Unit Displays all allocations of loss event effects, with the associated
amounts.
Context
You can use the Loss Matrix Analysis screen to display losses, within a specified scope, and organized as a
matrix.
Procedure
1. Choose Reports and Analytics Loss Event Reports Loss Event Matrix Analysis .
1. In the Effective Date field, type or select the effective date for the analysis.
Select the observed figures and matrix comparison for the analysis.
1. Specify the observed figures by selecting the corresponding check boxes, from among the following:
○ Number of Losses
○ Total Amount
○ Maximum Single Loss
○ Percentage
2. Select the Keep previous matrices check box, if appropriate.
3. Choose the Next pushbutton.
The system collects all losses related to your selections, taking into account the loss mappings,
organizational units, and risk categories by which losses can be reported using different hierarchies. The
system then calculates the losses and percentages using the two matrix dimensions, highlighting cells
using a color coding scheme that you can customize.
4. In Step 2: Analyze Loss Matrix, review the loss matrix.
5. To download the loss matrix analysis, choose the Download link, and choose the Save button in the dialog
that appears to save the XML document to your local system.
You can use transaction AOBJ to create archiving objects. You can specify archiving objects for preprocessing,
writing, and deleting activities. For more information, see Customizing for SAP NetWeaver under Application
Server System Administration Data Archiving Archiving Object-Specific Customizing . Archiving for SAP
Risk Management is carried out with the help of archiving objects. The following table gives an overview of the
available archiving objects and respective monitors:
Planner and Planner Monitor GRFNPLAN Risk Management Planner [page 499]
You can also extend these standard archiving objects to suit your own business requirements. You can specify
the database tables from which the system archives the information for the archiving object.
You can use transaction SARA to schedule when the system executes the preprocessing, writing, and deleting
activities for an archiving object. For more information, see SAP Easy Access Tools Administration
SARA - Data Archiving . You can use the following features in transaction SARA:
● Preprocessing
We provide each business object with separate selection criteria to identify the instances of the business
object that are ready for archiving. We provide each query with the same logic. The query selects the
instances that are ready and calls the CHECK_ARCHIVABILITY action. The action checks the residence
period and sets the archiving status to Archiving in Process. The action only runs across the relevant
business object.
You can control the memory used during archive preprocessing by specifying the package size, and
describing the number of documents being processed together in one SAP Logical Unit of Work (SAP
LUW) . Before the next package is selected and processed, allocated memory is released to keep the
memory consumption for the preprocessing batch job constant.
● Writing
The system selects all instances of a business object that have the archiving status Archiving in Process. It
copies the instances into the archive. You can control the memory used during writing in the same way as
for preprocessing.
● Deleting
The system deletes all records that are archived from the registered database tables.
● Deleting from Archive
All SAP Risk Management archiving objects are ILM-enabled. For more information about SAP Information
Lifecycle Management (SAP ILM), seehttp://help.sap.com/erpInformation published on SAP site SAP
ERP Cross-Application Functions Cross-Application Components SAP Information Lifecycle
Management .
Features
Why Archive?
Archiving data from the production database makes the production database faster as it is carrying less
unproductive data. Searching archived documents is possible via the provided POWLs for archived documents.
From there it is possible to open archived documents in the standard SAP NFE UIs in display mode, as if they
were in the production database.
The system archives charge information, address information, or information from texts or attachments when
you archive a business object. It also archives other objects that are used in business objects for tendering. It
does not archive master data objects in general (with the exception of business partner master).
Index Criteria
You can specify database indexes to enable a query to search for data records efficiently. Ideally, you should
have no more than 8 indexes defined for a database table; otherwise the performance of the query decreases.
The database indexes in SAP NFE improve the performance of active business queries, and not archiving
queries. For example, you usually do not search the database table for a product ID in forwarding order items
for business reasons. For this reason, we do not provide database indexes for archiving. The system in general
performs a full table scan during preprocessing.
More Information
For more information about the Archive Information System, see SAP Library for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/nw . Under Application Help for Function-Oriented View, open SAP Library and
choose Solution Life Cycle Management Data Archiving Data Archiving in the ABAP Application System
Data Archiving with Archive Development Kit (ADK) Archive Information System .
For more information about tables and archiving objects, see SAP Library for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/nw . Under Application Help for Function-Oriented View, open SAP Library and
choose Solution Life Cycle Management Data Archiving Data Archiving in the ABAP Application System
Data Archiving with Archive Development Kit (ADK) Archive Administration Tables and Archiving Objects .
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.