SAP BusinessObjects Risk Management 3.0
Business Blueprint Workshop
Master Data Setup
Version 1.0 Initial Release
SAP 2008 / Page 2
Business Blue Print Master Data Setup
Applies to:
SAP BusinessObjects Risk Management 3.0
Summary
This document is intended to explain the necessary steps required to configure Risk
Management 3.0.
Author(s): Customer Advisory Organization and Regional Implementation Group
Company: Governance, Risk, and Compliance
SAP BusinessObjects Division
Created on: August 2009
The following IMG activities are covered in this document:
1. Maintain Impact Levels
2. Maintain Influence Strength
3. Maintain Activity Types
4. Maintain Objective Categories
5. Maintain Units of Measure
6. Maintain Risk Appetite
7. Organizational Hierarchies
Each IMG activity has the following sections:
Business context: Summarizes the business purpose.
Solution functionality: Shows the related UI screens.
Configuration and data gathering: Shows the IMG table, suggested interview questions, and data capture area.
Business Context
Impact Levels
What are Impact Levels?
An impact level is a descriptive category of impact. Impact Levels are linked to an impact unit of measurement and an impact value range. Typically, impact levels would be: Insignificant, Minor, Moderate, High, Catastrophic. Impact Levels combined with Probability Levels are used to create a Risk Heat Map. The same principle applies to the upside of risks, namely Benefits and Benefit Levels. Benefit Levels are part of the configuration in this area. Similarly, Mitigation Effects descriptions are also defined alongside Impact Levels and Benefit Levels. Mitigation Effects give a meaningful description to the reduction of a response.
Why are Impact Levels Important?
Impact Levels (and, if used, Benefit Levels) are an important building block of any risk management model. All risks are described in terms of Likelihood and Impact. Impact Levels are used to give a real-world description to the magnitude of a risk event. Benefit Levels give a real-world description to the magnitude of a benefit.
What are the Benefits of Defining Impact Levels?
This is an essential element of any risk management model and is therefore a mandatory feature of the system. It will help users to analyse risks, and is a necessary step toward assigning an ordinal value to the impact, in terms of a unit of measurement and monetary value.
Example Impact Levels
CRG Global Enterprises has defined 5 Impact Levels within their Risk Management
Model. These are:
1. Insignificant
2. Minor
3. Moderate
4. High
5. Catastrophic
These 5 descriptive levels are linked to quantitative values in the system based on each
node on the Organisation Unit Hierarchy. Below is an example of how this would work.
Impact Level Category | Quantitative Impact (lower) | Quantitative Impact (upper)
1. Insignificant | 0 | 200,000
2. Minor | 200,001 | 400,000
3. Moderate | 400,001 | 1,000,000
4. High | 1,000,001 | 5,000,000
5. Catastrophic | 5,000,001 |
Example Impact Levels
CRG Global Enterprises has defined 5 Benefit Levels within their Risk Management
Model. These are:
1. Insignificant
2. Modest
3. Moderate
4. Worthwhile
5. Significant
These 5 descriptive levels equate to the corresponding Impact Levels.
Impact Level Category | Benefit Level Category | Mitigation Effects
1. Insignificant | 1. Insignificant | Very Low
2. Minor | 2. Modest | Low
3. Moderate | 3. Moderate | Medium
4. High | 4. Worthwhile | High
5. Catastrophic | 5. Significant | Very High
Solution Functionality
Impact Levels
Impact Level is used in the Risk Analysis.
GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to
the Risk Analysis Tab
GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to the Risk
Analysis Tab. Click Impact Category Allocation.
Where the Analysis Method selected is Qualitative, the Impact Level can be selected to describe the
impact in qualitative terms:
Insignificant
Minor
Moderate
Major
Catastrophic
Impact Levels - Mitigation Effects
GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to the Risk
Response Tab. Highlight a Risk Response or Control. Click Impact Category Allocation.
Where the Analysis Method is Qualitative, the Mitigation Effect drop-down pick list can be used to
describe the reduction in the impact level in qualitative terms:
Very Low
Low
Medium
High
Very High
The Impact Levels form the X axis, and the Probability Levels form the Y axis, in this Risk
Heat Map.
Configuration and Data Gathering
Impact Levels
Use
In this Customizing activity, you maintain the impact levels used in risk analysis, as well as the
benefit levels to be used in opportunity analysis.
An impact level is an estimation of the consequences of a particular risk on the basis of a
configurable scale. This scale can range, for example, from insignificant to catastrophic.
Activities
1. Click on New Entries and enter a number for the impact or benefit level you want to define.
2. Enter a text for the impact and benefit levels.
3. Enter a text for the reduction/improvement for this impact level.
4. Save your entry.
Interview questions.
Impact Levels
Have Impact Levels already been defined in your risk management model?
Are Impact Levels used consistently across your organisation? The system supports one
set of Impact Levels so it is important to agree internally what these should be.
Has the number of Impact Levels been defined in your risk management model (e.g. 3 or
5 or 6)?
Have the descriptions for the Impact Levels been agreed?
Benefit Levels
Have the corresponding terms been agreed for Benefit Levels (if these are part of the
risk management model)? Please note that use of this aspect of the system is optional.
Mitigation Effects
Have the corresponding terms been agreed for Mitigation Effects? This applies to risks
with qualitatively expressed impacts. Bear in mind that Mitigation Effects will apply to
Impact reductions and Benefit improvements. Therefore the descriptive terms used
must be able to apply to both.
Configuration Requirements
Impact Levels
Imp Level | Impact Level Text | Benefit Level Text | Reduction/Improvement
1
2
3
4
5
6
7
8
9
10
Business Context
Influence Strength
What is Influence Strength?
Influence strength describes the effect of one risk on another risk, or the relationship between
the two risks. An influence can be either in a negative direction, i.e. the influenced risk makes
the original risk worse, or it could be a positive influence, making the risk less severe. The
influence can either be on the likelihood of the risk occurring or on the impact of the risk if it
does occur.
Why is Influence Strength Important?
Influence strength is important for risks that are defined qualitatively. It is through use of the
influence strength that the effect on the original risk is described.
What are the Benefits of Defining Influence Strength?
This is a feature of the application available for describing the effect of one risk on another
when only qualitative measures are in use. Influence strengths are used when risks are
analysed using Scenario Analysis and Monte Carlo simulations.
Example Influence Strength
CRG Global Enterprises has defined 6 Influence Strength Levels within their Risk
Management Model. These are:
1. High Negative Influence
2. Moderate Negative Influence
3. Low Negative Influence
4. Low Positive Influence
5. Moderate Positive Influence
6. High Positive Influence
Solution Functionality
Influence Strength
GRC Risk Management->Risk and Opportunities. From the Query, select a Risk and move to the
Influenced Risks Tab. Click Create Influence Factor.
In the Name field select the risk to be linked to. Note: A risk must exist in active state.
Select Evaluation Type Qualitative.
Click on the Correlation Strength drop down pick list to select the appropriate level and direction of
the influence between the original risk and the risk selected in the influenced risks tab.
In the example below the risk "Violations of emissions standards" highly negatively influences the
risk "Illegal arrangements".
Configuration and Data Gathering
Influence Strength
Use
In this Customizing activity, you maintain the strength of influenced risks. An influence can be defined as
strong or weak. You can relate two risks on the basis of the influence of one risk on another risk.
Activities
1. Execute the IMG activity Influence Strength and choose the New Entries button.
2. Enter the following:
   - A numerical value in the Strength ID field
   - A description of the influence strength in the Strength Text field
3. Choose Save. The values appear in the Influence Strength table.
Interview questions.
Do you intend to model the relationships between risks and describe their effects on each
other?
Are you planning to use Scenario Analysis and/or Monte Carlo Simulation?
Configuration Requirements
Influence Strength
Strength | Influence Strength Text
1
2
3
4
5
6
7
8
10
Business Context
Activity Types
What are Activity Types?
A means of classifying your organization's business activities.
Why are Activity Types Important?
Required if you want to attach risks to Work Breakdown Structure (WBS) elements.
What are the Benefits of Defining Activity Types?
Provides an added dimension for risk reporting.
Gives you insight into the areas of your business impacted by risks (or opportunities).
Example Activity Types
Business Process
Program / Project
Product
Service
Asset
Solution Functionality
Activity Types
Activity Categories can be linked to different Activity Types. In this way you can maintain multiple Activity Hierarchies by using the types.
Configuration and Data Gathering
Activity Types
The IMG table can be used to capture the Activity Types required to organize Activity
Structures
Do you currently categorize risks by business activity?
What types of business activities are undertaken by your organization?
Configuration Requirements
Activity Types
Type | Activity Type Name
01
02
03
04
05
06
07
08
09
10
Business Context
Objective Categories
What are Objective Categories?
A means of classifying your organization's performance goals.
Why are Objective Categories Important?
Allows you to discuss risk in terms of what's important to the business.
What are the Benefits of Defining Objective Categories?
Provides an added dimension for risk reporting.
Gives you better insight into the areas of your business impacted by risks (or opportunities).
Example Objective Categories
Financial Objectives
Internal Business Process Objectives
Customer Objectives
Learning and Growth Objectives
Solution Functionality
Objective Categories
When Creating a new Objective in the Objectives Hierarchy functionality
you can use the objective categories to help categorize the objectives.
Configuration and Data Gathering
Objective Categories
This IMG table is used to categorize your company's objectives.
Do you currently categorize business objectives?
What are the key categories of your business objectives?
Configuration Requirements
Objective Categories
Objective Category ID | Objective Category
Business Context
Units of Measure
What are Units of Measure?
A means of converting a type of impact to monetary value.
Why are Units of Measure Important?
This feature enables individual parts of the business to describe risk in units of measurement
that relate more specifically to their role in the business and the associated performance
measures.
What are the Benefits of Defining Units of Measure?
Provides an added dimension for risk analysis.
Gives you better insight into the areas of your business impacted by risks (or opportunities).
Example Units of Measure
CRG Global Enterprises has defined 3 Units of Measure within their Risk
Management Model. These are:
Working Hours
Working Days
System Down Time Minutes
Solution Functionality
Units of Measure used per Org Unit
For each pre-defined Impact Category a pre-defined Unit of Measure is selected. A conversion factor to the base currency of the system is defined which will be applicable for the particular org unit node.
GRC Risk Management->Risk Structure->Organisations. Select an org unit node from
the hierarchy.
Select the Unit of Measure Tab. Select an appropriate Impact Category. Click Create
button to add a Unit of Measure for an appropriate Impact Category to the org unit node.
Units of Measure used in Risk Analysis
GRC Risk Management->Risk Analysis->Risk & Opportunities. Open a Risk and move to
the Risk Analysis Tab. Create a new Analysis and click Impact Category Allocation.
Where an Impact Category used has a defined Unit of Measure for the org unit node the
Impact of the Risk can be entered and the Unit of Measure selected.
The system will convert the Impact to a Total Loss value according to the settings in the
Org unit node.
The Total Loss value is shown on the Risk Analysis tab.
Configuration and Data Gathering
Units of Measure
Use
In this Customizing activity, you maintain the units of measure for the impact categories to be used in Risk Management.
The unit of measure calculates the impact of a risk in non-monetary terms. Later, the SAP system converts these non-monetary values into monetary values using the conversion factor you define in the RM portal.
Note: This is the list of all units of measure, independent of the organizational units defined.
Requirements
You have configured the impact levels in the Customizing activity Maintain Impact Levels.
Activities
1. Execute the Customizing activity Maintain Unit of Measures for Organizational Unit and choose New Entries.
2. Enter the following:
   - An abbreviation for the unit of measure in the Abbreviation field, such as HRS
   - A description of the unit of measure in the Unit of Measure field, such as Working Hours
3. Choose Save. The values appear in the Unit of Measure table.
Example
Assume that you define a unit of measure as Working Hours (HRS) with the following condition:
1 Working Hour = 200 Euros
Now, you anticipate a risk that occurs due to a power outage of your PCs for 8 working hours for 10 employees.
The non-monetary unit of measure will calculate the monetary impact of the risk as follows:
1 Employee = 8 Working Hours
10 Employees = 80 Working Hours
Therefore,
80 Working Hours = 1600 Euros (80 * 200)
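The conversion described above can be combined with the impact level ranges from the CRG Global Enterprises table to check a configuration before it is entered. The following Python sketch is an added example, not SAP code: the function names, the org unit names and the DAY and MIN factors are constructed assumptions, and only the HRS factor of 200 and the five bands come from this document. It uses one set of bands, whereas the system links quantitative ranges to each org unit node.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ImpactBand:
    level: int
    text: str
    low: int
    high: Optional[int]  # None means the top band has no upper bound

# Bands taken from the CRG Global Enterprises example table.
CRG_BANDS = [
    ImpactBand(1, "Insignificant", 0, 200_000),
    ImpactBand(2, "Minor", 200_001, 400_000),
    ImpactBand(3, "Moderate", 400_001, 1_000_000),
    ImpactBand(4, "High", 1_000_001, 5_000_000),
    ImpactBand(5, "Catastrophic", 5_000_001, None),
]

# Constructed sample: conversion factor to base currency per (org unit, unit).
# 200 per working hour is the document's figure; the rest are assumptions.
CONVERSION = {
    ("PLANT_A", "HRS"): 200,
    ("PLANT_A", "DAY"): 1_600,
    ("DATA_CENTER", "MIN"): 5_000,
}

def validate_bands(bands):
    """Return a list of problems: gaps, overlaps, or a bounded top level."""
    problems = []
    ordered = sorted(bands, key=lambda b: b.level)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.high is None:
            problems.append(f"level {prev.level} is open-ended but not the top level")
        elif cur.low != prev.high + 1:
            kind = "overlap" if cur.low <= prev.high else "gap"
            problems.append(f"{kind} between level {prev.level} and {cur.level}")
    if ordered and ordered[-1].high is not None:
        problems.append("top level has an upper bound; larger losses are unclassified")
    return problems

def total_loss(org_unit, uom, quantity):
    """Convert a non-monetary impact to base currency for one org unit node."""
    if (org_unit, uom) not in CONVERSION:
        raise ValueError(f"no unit of measure {uom!r} defined for {org_unit!r}")
    if quantity < 0:
        raise ValueError("quantity must be non-negative")
    return quantity * CONVERSION[(org_unit, uom)]

def impact_level(loss, bands):
    """Map a monetary loss to its band; whole currency units are assumed."""
    for band in sorted(bands, key=lambda b: b.level):
        if loss >= band.low and (band.high is None or loss <= band.high):
            return band
    raise ValueError(f"loss {loss} falls outside every band")

def assess(org_unit, uom, quantity, bands=CRG_BANDS):
    """Return (total loss, impact level number, impact level text)."""
    loss = total_loss(org_unit, uom, quantity)
    band = impact_level(loss, bands)
    return loss, band.level, band.text
```

A unit of measure that has not been created for the org unit node raises an error instead of silently converting at zero, which mirrors the per-node Unit of Measure tab described earlier.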
IMG Table for Units of Measure
Interview questions.
What are the different measures used to describe and quantify risk?
What is the relationship between qualitative measures such as Hours, Days, System
Downtime, Emissions, etc. and monetary value?
How does this relationship vary in different parts of the business?
Configuration Requirements
Units of Measure
Abbreviation | Unit of Measure
Business Context
Risk Appetite
What is Risk Appetite?
Reflects the amount of risk taking that is acceptable to your organization.
An organization with a high risk appetite would be willing to accept more uncertainty for a higher reward, while an organization with a low risk appetite would seek less uncertainty, for which it would accept a lower return.
Why is Risk Appetite Important?
Helps in understanding the relative significance of the risks faced by your organization and in prioritizing risk monitoring and control activities.
The better the understanding of risk appetite, the more efficient you will be in the allocation of resources capital across your organization.
What are the Benefits of Defining Risk Appetite Levels?
Provides clear boundaries regarding what is and is not acceptable to your organization.
Assists in the identification and prioritization of areas where additional resources or controls may be necessary to bring the risk into line with the stated risk appetite.
Helps determine the degree of control that needs to be applied to a particular risk. For example:
If the current exposure to a particular risk is considered to be acceptable there is usually little value, other than for efficiency reasons, in changing the extent of control (either in terms of using tighter controls or by increasing capital or the amount invested in risk control).
If the current exposure to a particular risk is considered unacceptable, a manager may decide that it needs to invest more capital and introduce more rigorous controls.
SAP 2008 / Page 50
Business Context
Example Risk Appetite
The success of a university depends on effectively managing key drivers of value (Students, Faculty, Academic Reputation, General Reputation, Financial Resources, Information Management, Buildings & Infrastructure) which in turn support the key strategic initiatives outlined in its Strategic Business Plan.
The University accepts an element of risk in almost every activity it undertakes. The critical question in establishing the University's risk appetite is: "How willing is the University to accept risk related to each key value driver?"
The University's Risk Appetite levels are as follows:
High Risk Appetite: The University accepts opportunities that have an inherent high risk that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.
Moderate Risk Appetite: The University is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.
Modest Risk Appetite: The University is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.
Low Risk Appetite: The University is not willing to accept risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.
Zero Risk Appetite: The University is not willing to accept risks under any circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents of regulatory non-compliance, potential risk of injury to staff and students.
Solution Functionality
Risk Appetite
Configuration and Data Gathering
Risk Appetite
Max 10 characters
Max 60 characters
Does your organization use Risk Appetite?
If No:
Are you intending to introduce the concept as part of your risk management program?
If Yes:
What are your current Risk Appetite definitions?
Do you use qualitative or quantitative Risk Appetite levels?
What would you like to see improved?
How is Risk Appetite used in deciding whether risks should be mitigated?
Configuration Requirements
Risk Appetite
Risk Appetite | Risk Appetite Description
Business Context
Organizational Hierarchies
What are the Organizational Hierarchies?
The various ways of representing your organization for risk reporting purposes.
Why are the Organizational Hierarchies Important?
Allows you to tailor your risk reporting by different organizational views (e.g. legal structure, geographic,
lines of business, etc.).
What are the Benefits of Defining Organizational Hierarchies?
Flexible risk reporting to meet the requirements of different risk management stakeholders.
Improved risk transparency.
Example Organizational Hierarchies
Solution Functionality
Organizational Hierarchies
Configuration and Data Gathering
Default Organizational Hierarchy
What are the required risk reporting structures in your organization?
Do you have copies of org charts?
Configuration Requirements
Organizational Hierarchies
Capture org hierarchy discussions here