
GRC Tuesdays: A Few Tips and Tricks on Making SAP Risk Management Even More Relevant For Your Organization

If you have been reading these GRC Tuesdays blogs, you will already know that I don’t have a technical
background, so this blog isn’t going to be about detailed implementation techniques.
No, instead, I just wanted to share my tips on how to leverage some of the standard features that are already
available in the solution to make SAP Risk Management even more relevant for your organization and its risk
framework.

1. Terminology

It all starts with the alpha and omega of course. Without common terminology, there can’t be common
understanding. The SAP Product Management team fully understood that and, quite some time ago, included
in SAP Risk Management a Terminology Editor.

In the Maintain Risk Management Terminologies configuration activity (SAP Customizing Implementation
Guide > Governance, Risk and Compliance > Risk Management > General Settings > Maintain Risk
Management Terminologies), authorized users (usually the administrators) can change the labels of selected
objects related to risks, opportunities and risk assessments, either directly in the configuration screen or via
upload of an Excel file for a mass change. This automatically modifies the labels in the user interface and
also in the reports.

For instance, if your organization follows the ISO 31000 standard, you may decide to rename what is called by
default “impacts” to “consequences”. Nothing could be simpler: go to the Terminology Editor, select all the
objects related to “impact” and change their labels to “consequences”.
2. Assessment methods

Once a risk has been identified, using the agreed-upon terminology as seen just above, the next step is usually
to assess it.
And here comes another difficult part for many organizations: should the assessment be quantitative,
qualitative, or based on a scoring method? Should users be asked to assess the inherent risk, the residual exposure,
or both?
If using Excel, you may have to compromise and choose one or the other of these methods. It also means that
you won’t be able to easily match the assessment method to different risk categories.

Using the Maintain Analysis Profile customizing activity (SAP Customizing Implementation Guide >
Governance, Risk and Compliance > Risk Management > Risk and Opportunity Analysis > Maintain
Analysis Profile), administrators can create as many assessment methods as required and then map them to the
different Risk Categories.

Should your risk management approach be that Operational risks are assessed quantitatively but Strategic
risks are assessed qualitatively, then you would create two Analysis Profiles and assign them to these two risk
categories. For instance, the Analysis Profile for the Operational risk category could combine several of the
available assessment options.
Of course, you could also use the different options to give Risk Owners more flexibility and even let them
choose how they prefer to assess the risks.

3. Mitigation strategies

Now that we know the risk scenario and what exposure it carries, it’s time to take action… or not as the case
may be.
In order to do so, I am pretty sure that you already know that you can customize the list of action types:
Accept, Transfer, Mitigate, etc.
But did you also know that you can define whether a response type will prompt users to document the
reduction in impact and/or in likelihood?

In some cases, you might define that a response type is only preventative and, as a result, actions of this nature
will only reduce the likelihood of the risk occurring.
In other cases, you might want to define that other response types address the consequences of the risks and
therefore that users will only be able to assess the reduction effort on this criterion.

As an example: controls would be preventative, since they identify the anomaly before it turns into an
incident and therefore reduce the likelihood of the risk manifesting itself. At the other end of the
spectrum, an insurance policy would be curative: it reduces the impact but changes nothing about the
likelihood of the risk occurring. Cruise control will prevent you from going above the speed limit but
won’t reduce the amount of the fine if you set it too high. On the other hand, your car insurance will reduce
your out-of-pocket expenses in case of an accident, but it won’t prevent the accident.

The good news is that there is once again a customization activity for this requirement: Maintain Response
Types (SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management >
Response and Enhancement Plan > Maintain Response Types), which lets authorized users set this up very
simply.
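To make the preventative/curative distinction concrete, here is an added example (not SAP code, and not part of the original blog) that models response types with a "may reduce likelihood" and "may reduce impact" flag, rejects a reduction the type does not allow, and computes the residual exposure from the inherent one. The type names, the inherent values and the multiplicative reduction rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed catalogue of response types. Each declares which criterion a user may
# document a reduction on, mirroring the page's "preventative vs curative" idea.
RESPONSE_TYPES = {
    "Control":   {"likelihood": True,  "impact": False},  # preventative: likelihood only
    "Insurance": {"likelihood": False, "impact": True},   # curative: impact only
    "Mitigate":  {"likelihood": True,  "impact": True},   # may address both criteria
    "Accept":    {"likelihood": False, "impact": False},  # documents no reduction at all
}


@dataclass
class Risk:
    name: str
    likelihood: float          # inherent probability of occurrence, in [0, 1]
    impact: float              # inherent loss if the risk materialises (same unit as exposure)
    responses: list = field(default_factory=list)

    @property
    def inherent_exposure(self) -> float:
        return self.likelihood * self.impact


def add_response(risk: Risk, rtype: str, likelihood_reduction: float = 0.0,
                 impact_reduction: float = 0.0) -> None:
    """Attach a response to the risk, refusing reductions the response type does not allow."""
    allowed = RESPONSE_TYPES[rtype]  # KeyError for an unknown type is the desired failure
    if likelihood_reduction and not allowed["likelihood"]:
        raise ValueError(f"{rtype} is curative: it cannot claim a likelihood reduction")
    if impact_reduction and not allowed["impact"]:
        raise ValueError(f"{rtype} is preventative: it cannot claim an impact reduction")
    for value in (likelihood_reduction, impact_reduction):
        if not 0.0 <= value <= 1.0:
            raise ValueError("reductions are fractions between 0 and 1")
    risk.responses.append((rtype, likelihood_reduction, impact_reduction))


def residual(risk: Risk) -> tuple[float, float, float]:
    """Residual (likelihood, impact, exposure) after applying every response multiplicatively."""
    likelihood, impact = risk.likelihood, risk.impact
    for _, lr, ir in risk.responses:
        likelihood *= 1.0 - lr
        impact *= 1.0 - ir
    return likelihood, impact, likelihood * impact


if __name__ == "__main__":
    fire = Risk("Warehouse fire", likelihood=0.10, impact=1_000_000.0)  # constructed sample
    add_response(fire, "Control", likelihood_reduction=0.5)             # halves the likelihood
    add_response(fire, "Insurance", impact_reduction=0.8)               # insurer covers 80% of the loss
    print(fire.inherent_exposure, residual(fire))
```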
4. Reporting

We have now come to the last part of the risk management process: reporting.

There are of course many standard reports that are readily available – including the famous Heatmap, but what
I actually see is that most still leverage the list reports where the entire context of a risk is displayed for more
detailed analysis.
As I am sure most of you know, you can select the columns displayed in the SAP List Viewer (ALV) reports
simply by clicking on the “Personalize” link at the top right of the report screen and then on the “Personalize
Fields” option.

There, you will find all the objects that are available for display in this report.
But did you know that more objects are available in the reporting framework and can be added to this list?

In case you feel you are missing an important column, I would suggest having a look to see if it is not already
available in the reporting framework but simply not enabled on this report.

To do so, you can leverage the dedicated customizing activity for this purpose: Maintain Report Column
Settings (SAP Customizing Implementation Guide > Governance, Risk and Compliance > General Settings >
Reporting > Maintain Report Column Settings).
Once you have selected the report you want to enhance, click on “Copy standard columns” so that you don’t
have to start from scratch and then click on “New Entries”.

Instead of searching for the needle in the haystack, you can select a specific object, such as “RISK” in our
illustration, and this will show you all the related columns that can be added to your report.
Once added, these objects will be available straight away for selection as new columns.

5. Bow-tie

The bow-tie in SAP Risk Management can be used for risk identification and assessment, and it will
automatically benefit from the configurations made in terminology, assessment methods and so on.

But there is one last thing that you may want to change here: the default colors.

I recall meeting with a Risk Manager of a real estate organization a few years ago who was using an image
copied into a Word document for the bow-ties. When the Risk Committee asked that the colors be changed to fit
the new risk framework, the Risk Manager had to spend a lot of time redoing all the work manually.
Quite tedious and not really value-adding…
You may think it’s futile, but as they say, a picture is worth a thousand words. That holds provided that
discussions such as the choice of colors don’t derail the focus!

To change the colors of the bow-tie, there is, once again, a very simple configuration activity that can be
used: Set Colors for Graphical View Elements (SAP Customizing Implementation Guide > Governance,
Risk and Compliance > Risk Management > General Settings > Set Colors for Graphical View Elements).

From there, administrators can change the colors for risks, organizations, drivers, impacts, and so on.
Of course, there are many more customization options available in SAP Risk Management, since this is
a very flexible tool, but I just wanted to highlight a few that I believe are not well known and that will help you
make this solution all the more relevant to your organization, without much effort.

What about you, are there other configuration options that you have used and that you would recommend? I
look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
