GRC Tuesdays: Performing Risk Analysis in SAP Risk Management
“A unified and aggregated risk-assessment system immediately makes the control function more efficient and cost effective,” reports a McKinsey article. “This is essential when 5 percent of the workforce can be employed in control-related activities.” ¹
Furthermore, a recent KPMG survey found that over 40% of audit committee members think their risk management program and processes “require substantial work,” and a similar percentage say that it is increasingly difficult to oversee those major risks.²
These studies highlight the importance of risk analysis, which is a key process after risk planning and risk identification. This blog will focus on how SAP Risk Management’s analysis profiles can be configured so that users can define the type of risk analysis performed based on the nature of the risk event. The result is a consistent view of risks and systematic reports to management and the board of directors.
We’ll take a quick look at how risk analysis profiles can be used to provide risk assessment results in the following three steps.
Step 1: Setting Up Risk Analysis Profiles
SAP Risk Management users can assign different analysis profiles for each risk category. This is because different risk impacts require a mix of qualitative and quantitative profiles to be made available. For example, the unplanned service interruption risk below has a risk category of business disruption and system failures, and it has three impacts: loss of revenue, loss of production, and inability to meet demand.
SAP Risk Management risk analysis profiles can be configured to support both qualitative and quantitative assessments for a risk category. (Scoring analysis can also be included.) This gives users the flexibility to enter different assessment options. In the Maintain Analysis Profile configuration, users with the appropriate authorization can create, modify, or delete analysis profiles with configuration changes.
Step 2: Risk Assessment
During risk assessment, users can perform a quantitative assessment for loss of revenue and a qualitative assessment for loss of production and inability to meet demand.
For example, loss of revenue can have a quantitative measure of $704,700, while loss of production and inability to meet demand can have qualitative assessment results of ‘Significant’ and ‘Moderate.’
The risk assessment results are immediately aggregated and scored for the risk. For example, a risk score of 63 has been assigned to the unplanned service interruption risk (see below).
Step 3: Collaborating with the Stakeholders
SAP Risk Management provides visual displays of risk analysis data in the form of dashboards and a heat map. Below is a heat map that displays a graphical summary of the unplanned service interruption risk as certain and significant in a two-dimensional map with risk assessment results from all organization units.
SAP Risk Management offers a flexible approach for enterprises to automate their risk management processes. This helps the business adapt to the fast-changing global business environment and focus on the most important business risks, which helps improve business performance and adds assurance for the audit committee and board of directors.