GRC Tuesdays: A Few Tips and Tricks on Making SAP Risk Management Even More Relevant For Your Organization
If you have been reading these GRC Tuesdays blogs, you will already know that I don’t have a technical background, so this blog isn’t going to be about detailed implementation techniques.
No, instead, I just wanted to share my tips on how to leverage some of the standard features that are already available in the solution to make SAP Risk Management even more relevant for your organization and its risk framework.
1. Terminology
It all starts with the alpha and omega: terminology. Without common terminology there can't be common understanding. The SAP Product Management team understood that and, quite some time ago, included a Terminology Editor in SAP Risk Management.
In the Maintain Risk Management Terminologies configuration activity (SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > General Settings > Maintain Risk Management Terminologies), authorized users (usually the administrators) can change the labels of selected objects related to risks, opportunities and risk assessments, either directly in the configuration screen or by uploading an Excel file for a mass change. The new labels are applied automatically in the user interface and in the reports.
For instance, if your organization follows the ISO 31000 standard, you may decide to rename what is called "impacts" by default to "consequences". Nothing could be simpler: go to the Terminology Editor, select all the objects related to "impact" and change their labels to "consequences":
2. Assessment methods
Once a risk has been identified, using the agreed-upon terminology as seen above, the next step is usually to assess it.
And here comes another difficult part for many organizations: should the assessment be quantitative, qualitative, or based on a scoring method? Should users be asked to assess the inherent risk, the residual exposure, or both?
If you are using Excel, you may have to compromise and choose one of these methods. It also means that you won't easily be able to match the assessment method to different risk categories.
Using the Maintain Analysis Profile customizing activity (SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Risk and Opportunity Analysis > Maintain Analysis Profile), administrators can create as many assessment methods as required and then map them to the different Risk Categories.
Should your risk management approach be that Operational risks are assessed quantitatively but Strategic risks qualitatively, you would create two Analysis Profiles and assign them to these two risk categories. Below is an illustration of what the Analysis Profile for the Operational risk category could look like:
Of course, you could also use the different options to give Risk Owners more flexibility, and even let them choose how they prefer to assess the risks.
3. Mitigation strategies
Now that we know the risk scenario and what exposure it carries, it’s time to take action… or not as the case may be.
In order to do so, I am pretty sure you already know that you can customize the list of response types: Accept, Transfer, Mitigate, etc.
But did you also know that you can define whether a response type will prompt users to document a reduction in impact, in likelihood, or both?
In some cases, you might define that a response type is purely preventive, so that actions of this type can only reduce the likelihood of the risk occurring.
In other cases, you might define that a response type addresses the consequences of the risk, so that users can only record a reduction in impact.
As an example: a preventive control stops the anomaly before it turns into an incident, so it reduces the likelihood of the risk materializing; at the other end of the spectrum, an insurance policy is curative: it reduces the impact but does nothing to the likelihood of the risk occurring. Cruise control will keep you from going above the speed limit, but it won't reduce the amount of the fine if you set it too high. Your car insurance, on the other hand, will reduce your out-of-pocket expenses after an accident, but it won't prevent the accident.
The good news is that there is, once again, a customizing activity for this: Maintain Response Types (SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Response and Enhancement Plan > Maintain Response Types), which lets authorized users set this up very simply:
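To make the likelihood-versus-impact distinction concrete, here is an added Python model of it. It is not SAP's code (SAP Risk Management keeps these settings in customizing, not in a program), and the response-type names, the 1-to-5 scoring scale and the figures are constructed assumptions. Each response type declares which dimension it may reduce, a response that documents a reduction on a dimension its type does not address is rejected, and the residual exposure is derived from the inherent assessment plus the documented reductions:

```python
"""Illustrative model of response types that reduce likelihood and/or impact.

Added example, not SAP code: SAP Risk Management stores these settings in
customizing, not in Python. Scales, type names and figures are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResponseType:
    """What a response of this type is allowed to reduce (mirrors the
    likelihood/impact flags described for Maintain Response Types)."""
    name: str
    reduces_likelihood: bool
    reduces_impact: bool


# Constructed response types: preventive, curative, and one that does both.
PREVENTIVE_CONTROL = ResponseType("Preventive control", True, False)
INSURANCE = ResponseType("Insurance", False, True)
CONTINUITY_PLAN = ResponseType("Business continuity plan", True, True)


@dataclass
class Response:
    """A concrete response attached to a risk, with the reductions the risk
    owner documented (in points on a constructed 1..5 scale)."""
    rtype: ResponseType
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def __post_init__(self) -> None:
        # A response may only document a reduction on the dimensions its
        # type was configured to address.
        if self.likelihood_reduction < 0 or self.impact_reduction < 0:
            raise ValueError("reductions must be non-negative")
        if self.likelihood_reduction and not self.rtype.reduces_likelihood:
            raise ValueError(f"{self.rtype.name!r} cannot reduce likelihood")
        if self.impact_reduction and not self.rtype.reduces_impact:
            raise ValueError(f"{self.rtype.name!r} cannot reduce impact")


@dataclass
class Risk:
    """Inherent assessment on a constructed 1..5 likelihood x 1..5 impact grid."""
    name: str
    likelihood: int
    impact: int
    responses: list[Response] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> tuple[int, int]:
        """Residual likelihood and impact after all responses, floored at 1."""
        lik = self.likelihood - sum(r.likelihood_reduction for r in self.responses)
        imp = self.impact - sum(r.impact_reduction for r in self.responses)
        return max(1, lik), max(1, imp)

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


def walk_through() -> dict:
    """Apply a preventive control, then an insurance policy, to one constructed
    risk and return the assessment at each step."""
    risk = Risk("Warehouse fire (constructed)", likelihood=3, impact=5)
    out = {"inherent": risk.inherent_score()}  # 15

    risk.responses.append(Response(PREVENTIVE_CONTROL, likelihood_reduction=2))
    out["after_control"] = risk.residual()  # (1, 5): likelihood down, impact untouched

    risk.responses.append(Response(INSURANCE, impact_reduction=3))
    out["after_insurance"] = risk.residual()  # (1, 2): impact down, likelihood untouched
    out["residual"] = risk.residual_score()  # 2

    # Mis-configured entry: an insurance response cannot claim a likelihood cut.
    try:
        Response(INSURANCE, likelihood_reduction=1)
        out["insurance_likelihood_rejected"] = False
    except ValueError:
        out["insurance_likelihood_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The point of the two flags is the validation in `Response.__post_init__`: once a type is declared curative, the tool should not let a user record a likelihood reduction against it, which is what keeps residual assessments honest across risk owners.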
4. Reporting
We have now come to the last part of the risk management process: reporting.
There are of course many standard reports readily available, including the famous Heatmap, but what I actually see is that most users still rely on the list reports, where the entire context of a risk is displayed for more detailed analysis.
As most of you know, you can select the columns displayed in the SAP List Viewer (ALV) reports simply by clicking the "Personalize" link at the top right of the report screen and then the "Personalize Fields" option.
There you will find all the objects available for display in this report:
But did you know that more objects are available in the reporting framework and can be added to this list?
If you feel an important column is missing, I would suggest checking whether it is already available in the reporting framework but simply not enabled for this report.
To do so, use the dedicated customizing activity: Maintain Report Column Settings (SAP Customizing Implementation Guide > Governance, Risk and Compliance > General Settings > Reporting > Maintain Report Column Settings).
Once you have selected the report you want to enhance, click "Copy standard columns" so that you don't have to start from scratch, then click "New Entries".
Instead of searching for a needle in a haystack, you can select a specific object, such as "RISK" in the illustration below, and this will show you all the related columns that can be added to your report:
Once added, these objects are immediately available for selection as new columns.
5. Bow-tie colors
The bow-tie in SAP Risk Management can be used for risk identification and assessment, and it automatically benefits from the configuration made for terminology, assessment methods and so on.
But there is one last thing that you may want to change here: the default colors.
I recall meeting, a few years ago, a Risk Manager of a real estate organization who was using an image copied into a Word document for the bow-ties. When the Risk Committee asked for the colors to be changed to fit the new risk framework, the Risk Manager had to spend a lot of time redoing all the work manually. Quite tedious and not really value-adding...
You may think it's futile, but as they say, a picture is worth a thousand words. Provided, that is, that discussions such as the choice of colors don't derail the focus!
To change the colors of the bow-tie there is, once again, a very simple customizing activity: Set Colors for Graphical View Elements (SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > General Settings > Set Colors for Graphical View Elements).
From there, administrators can change the colors for risks, organizations, drivers, impacts and so on:
Of course, there are many more customization options available in SAP Risk Management, since it is a very flexible tool, but I wanted to highlight a few that I believe are not well known and will help you make the solution all the more relevant to your organization, without much effort.
What about you, are there other configuration options that you have used and that you would recommend? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard