Skip to Content
Product Information
Author's profile photo Thomas Frenehard

GRC Tuesdays: Building The Case For Your Enterprise Risk Management Solution

In this second blog of the 4 part “Building The Case” series, I will focus on enterprise risk management solutions – specifically SAP Risk Management, but the series will address all the SAP solutions supporting the 3 Lines Model: internal control and compliance with SAP Process Control (Cf. previous blog on this topic) but also internal audit with SAP Audit Management; and fraud detection and investigation with SAP Business Integrity Screening. So watch this space!

In case you have been looking for a way to quantify potential gains from an enterprise risk management solution, then the value calculator described in this blog should be able to help.

It’s intended to support organizations in putting together a business case for improving their risk management landscape by calculating the potential value of technologies for automating the end-to-end risk management process. That is, from the identification, to the analysis of the exposure, the definition of a mitigation strategy and up to the continuous monitoring of the risk and its reporting.

To quantify the potential benefits of an enterprise approach to risk management across these steps, the SAP Risk Management Value Calculator provides real, useful estimates and data to help organizations:

  • Get insight into value-adding risks
  • Scan the horizon for risks and opportunities
  • Preserve value by minimizing unnecessary losses

Should you decide that this is worth trying out, then just go to the SAP Risk Management Value Calculator and click on GET STARTED. No need to register to this free tool!

Before we start, I just want to highlight the fact that this value calculator provides estimated data for illustration purposes only. Actual results or costs may of course vary and may be affected by additional factors that would need to be taken into account when using this information in your business case.


Section 1 – Configure


Best-in-class enterprises link risk management to business performance and to the achievement of business objectives. In order to drive value, risk events must be aligned with value adding processes. And in order to reduce losses, risks must be linked to incidents and near misses. To be able to assess benefits of this approach, this first step will ask you to provide your best estimate for various company attributes. Don’t worry, you can then change them to create different scenarios if you wish.

What indicators are required:

  • Annual gross revenue
  • Gross margin
  • Full-time equivalents (FTE) managing risk information
  • Average annual fully-loaded cost per FTE
  • Average number of risks in you risk library
  • Average residual expected loss per risk in your risk universe


Section 2 – Plan


This section will focus on the benefits that the solution can provide by automating risk management for both operational and key strategic risks.

Indeed, to add and preserve value, risk managers must understand where the value is and what adverse events could prevent the company from achieving its objectives.

To do so, the value calculator therefore focuses on the questions below:

  • What does the company do that creates business value?
  • What activities support this value creation process?
  • What emerging risks and opportunities are on the horizon and could be either a threat or a chance for the organization?
  • What are the best ways to configure the necessary risk categories, responses, risk appetite, and assign owners?

What indicator is required:

  • Percentage of average time spent on risk management related activity planning – including in responding to the questions listed just above every time a new cycle starts


Section 3 – Identify


Minimizing duplicate risks requires strong configuration practices and good taxonomy. Linking risk drivers, indicators, impacts, and responses via common terminology can also help better understand the root causes of risks which will in turn enable the documentation of more relevant key risk indicators. These indicators can then proactively monitor negative trends that could indicate the risk is beginning to manifest and action can be taken to mitigate the threat before it turns into an incident.

What indicators are required:

  • Improvement in revenue thanks to a better understanding and improved management of root causes of risk events
  • Percentage of time spent identifying risks


Section 4 – Analyse


Risk management’s final objective is to enable executives to make decisions by providing them with information about the future state of the business and therefore help organize the efforts needed to carry out these decisions. Better risk analysis will de facto lead to better decision making results. This can be supported by leveraging different methodologies to understand risk exposure:

  • Modelling scenarios, with approaches such as Monte Carlo
  • Determined inherent, residual, and planned residual risk levels
  • “What-if” simulations to review options before rolling them out
  • Qualitative, quantitative or scoring evaluations, including taking into account the velocity aspect to get an overall picture of the exposure

What indicators are required:

  • Average percentage in loss reduction resulting from better decision-making, which can be achieved through analytics, scenario analysis, and risk modelling for instance
  • Average FTEs involved in analyzing risk
  • Percentage of time spent analyzing risk


Section 5 – Respond


Cost effective risk responses will help ensure the company’s risk appetite is respected. To do so, risk experts will therefore need to document a response strategy after balancing costs and benefits of the controls, action plans or policies.

With this in mind, risk owners can:

  • Respond to risk after reviewing impacts and benefits
  • Document responses and assign accountability
  • Use workflow driven remediation tracking to monitor the progress and the effectiveness of each response and the overall reduction on the risk exposure
  • Leverage control from the internal control framework and get the evaluation and testing, but also continuous automated monitoring directly from this source

What indicators are required:

  • Average improvement from designing the most cost-effective risk response strategy
  • Productivity improvement from better usage of risk management resources as a result of automated monitoring and exceptions review
  • Average number of people involved in the response to risk events, be it for reduction, control or transfer for instance


Section 6 – Monitor


Effective monitoring of risk levels with automated alerts and key risk indicators, result in less manual efforts and faster decision making. It also helps effortlessly keep track of the progress of responses and corrective actions.

SAP Risk Management supports this by providing analytics and reports, including heat maps with drill-down capability, giving users the ability to promptly:

  • Notify risk owners via automated alerts
  • Monitor response effectiveness, including with automated updates based on control ratings
  • Assess impacts on business objectives

What indicators are required:

  • Percentage in efficiency gain from improved monitoring
  • Average number of people involved in risk monitoring


Section 7 – Total Value


That’s it! This last section is a summary that displays the potential value gain achievable with SAP Risk Management. It includes 4 graphs:


Current Spend vs. Potential Spend


Difference in Spend (lighter color is previous state and darker colors represents potential shift)


Total Gains by Control Step


Total Spend and Gain

Registration is not required, and you can change your assumptions as many times as you wish. So why not give it a try?

What about you, what other variables do you take into consideration when building the case for a risk management solution? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

And stay tuned on the GRC Tuesdays site for other blogs on internal control, internal audit and fraud detection and investigation.

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.