After releasing a GRC Tuesdays blog on pre-delivered content for Internal Control and Compliance (GRC Tuesdays: Fast Track Your Internal Control Project) and another on automated Fraud Management business rules (GRC Tuesdays: Think Anti-Fraud Programs Are Necessarily Long and Complex? Think Again), I think it’s time to address Risk Management.
As most of you already know, this area has been my focus for a few years now, back from when I was Solution Owner for SAP Risk Management, so I think it’s only legitimate that I receive questions as to why I haven’t covered this solution yet!
I had released a blog GRC Tuesdays: Risk Management Project – Where Do I Start? but it didn’t focus on content, rather on the process. So let’s correct this wrong today!
Here are the premises: you are currently reviewing, or even creating, your risk management process and have decided to support the initiative with a tool that automates the end-to-end cycle, from identification to reporting, via assessment and mitigation of course. You are considering SAP Risk Management, or already license the solution but have not yet deployed it, and you are unsure where to start in terms of settings and master data when writing the blueprint for a successful implementation. Sound familiar?
I am no implementation specialist, so what I'd like to discuss in this blog, as in the two previous ones mentioned above, is the content that is either embedded directly in the solution or put at your disposal alongside it, and that I think you should consider when writing the blueprints.
The first "Business Content" section might feel a bit more technical, but it should still resonate with business users and should at least help them understand what they can expect.
Let's start with the Alpha of a software system: the settings. Much like the preconfigured menus in Excel, these will guide users from their inputs through to the reporting of risk events.
In SAP Risk Management, the “Business Content” is built on best practices gathered from experience across many industries, geographies, etc. and, as such, can help you configure the solution rapidly.
As I am sure you already know, in the SAP Implementation Guide (IMG), administrators can access the configuration activities and that’s also where they can “activate” the Business Content.
Before doing so, though, why not have a look at what it brings? Not only will this help guide the implementation, but it may also give you some ideas when designing the process.
Rest assured: there’s nothing easier to do than to display this information.
First, connect to the backend via SAP Logon, go to the SAP Implementation Guide (IMG) and click on the "Existing BC Sets" button. This flags, in the list of customizing activities, those where Business Content is available and can be "activated":
Now, before activating them, I feel it's wise to first check whether they are relevant for your organization. To do so, simply right-click on the relevant activity where "BC Set Exists" is flagged and, in the context menu that appears, click on "Display BC Sets for Activity":
This will open the full detail of the Business Content Set with the settings that can be automatically created. In the example below, notice that there are 5 impact/benefit/improvement levels:
There are many Business Content Sets in SAP Risk Management, so it's really worth investing some time going over them and having a look at the proposed impact and probability levels, the risk and opportunity levels and matrices, the risk appetite choices, the risk response types, and also the risk analysis profiles, which determine how a risk can be assessed (qualitatively, quantitatively, etc.).
This is something that you would typically do when designing the requirements for the implementation, so it can help put the blueprints together more rapidly, saving time both in preparation and in execution.
The Business Content is great to kick-start the implementation and have a ready-to-use solution, but you may then wonder where to start in terms of risk scope.
The good news is that, quite some time ago, my then colleague Satyen Paneri released a set of "Content Starter Kits" with controls, risks and key risk indicators, which can be found in a Zip file accessible directly from page 3 of the GRC Risk Management and Process Control Content Starter Kits guide. This content starter kit is a collection of risk, control and KRI catalogs; some related master data entities such as risk drivers, impacts, business objectives, activities, business processes, regulations, control objectives and indirect entity-level controls are also included.
This starter kit has been put together based on best-practice risk and control frameworks and libraries such as COSO II ERM, Auditing Standard 5, Basel II, the S&P ERM Framework, and the APQC Cross-Industry Process Classification Framework (PCF).
As you can see on the screenshots above, a Risks Starter Kit Excel file is included in the Zip file. This is the file that is most relevant for our blog today.
Simply open this Excel file and browse through the tabs to view the drivers (AKA risk causes), the impacts (AKA risk consequences) and of course the risk categories:
Once the categories have been uploaded into the solution, the Risk Catalog will be ready to be used to document and categorize risk instances:
As I am sure you can imagine, the content in these starter kits by no means provides complete coverage for a business process, line of business, risk area, domain, or industry; I am not making such a claim. It's simply a collection of content sourced from internal and external providers, organized and aggregated to help you start your initiative or at least provide some food for thought. As a result, this content can't be imported directly as is: it first needs to be reviewed, adapted to your needs (i.e. which risk or control areas you want to focus on) and then either imported or created manually, depending on the data type.
Even if I am sure most of it will already have been identified in your initiative, I still believe this can help in getting your project on the launch pad more rapidly.
What about you, are there any other tips that you would suggest in addition to the ones above? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard