Skip to Content
Product Information
Author's profile photo Thomas Frenehard

GRC Tuesdays: 7 Hidden Gems in SAP Risk Management

 

Like most software, SAP Risk Management is continuously improving with the addition of new features and functionalities. When “major” new improvements are specifically called out in the section What’s New in SAP Risk Management of the SAP Help Portal. But very often, “minor” enhancements are released in Support Packages to respond to customer requirements and will fly under the radar.

Over the years, I’ve often advised colleagues, partners and customers to use some of these features and every time, I feel that these would benefit from being advertised more widely.

Today, I’d like to correct this wrong towards 7 very useful features that are, in my opinion, real hidden gem that can truly help customers make better use of their SAP Risk Management system.

 

1. Displaying Opportunity Heatmap

 

This is #1 simply because I was reminded of this report by a great partner recently.

As per ISO31000, risk is the “effect of uncertainty on objectives” and this effect is “a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats” and I know that some don’t like heatmaps, but they are still one of the most consumed risk management report. The question is: did you know the solution had a dedicated heatmap just for opportunities?

If you didn’t, then simply add a link to the application “GRRM_HEATMAP_OPP_REPORT” to your launchpad and that’s it!

Illustration%3A%20Display%20of%20an%20Opportunity%20Heatmap

Illustration: Display of an Opportunity Heatmap

 

2. Viewing Risk with a Different Perspective

 

A risk and its exposure always need to be taken within a given context. The very same risk may be significant when viewed at a business unit level but may be negligible when viewed from the overall organisation – AKA corporate level – since the risk thresholds might vary.

To be able to compare a risk and its rating when viewed with other eyes (i.e. from the perspective of another unit), simply open the report and select another organization in the “Aspect” field. The values will automatically be refreshed, and the risks now compared to the materiality thresholds of the selected unit from the Organizational Hierachy.

Illustration%3A%20Risk%20assessment%20viewed%20from%20different%20organizations

Illustration: Risk assessment viewed from different organizations

 

3. Extending columns in reports

 

Items 1 and 2 of this list highlight that reporting is a big part of the risk management process since it is the output for many executives.

And many times, even when supporting colleagues in preparing demos, I hear that such and such column is missing from the report so that XYZ information can’t be displayed.

This is often followed by an assumption that it would take days to add it… But did you know that there are actually many fields in the reporting framework that can be added to the standard out-of-the-box reports? Without much effort!

Simply open the “Maintain Report” activity in the SAP Customizing Implementation Guide, select the relevant report you want to extend, click on “Copy standard columns” (so that you keep all existing columns or you’ll need to select them manually) and then click on “New Entries”.

There, you can browse the entire library of objects and fields available. You then just need to add what you need and save your work. When opening the reports, users will now have these new columns available when they click on the “Personalize Fields” option.

Illustration%3A%20Additional%20objects%20available%20in%20the%20reporting%20framework

Illustration: Additional objects available in the reporting framework

 

4. Rapidly Changing Terminology

 

Back to the situation we had just now where there was a perception that adding columns to a report would be an insurmountable task, the same goes for terminology.

And terminology is a very important aspect of any enterprise risk management process since it helps ensure that all are on the same page.

What if I told you that you could open an activity called “Maintain Risk Management Terminologies” and change the labels directly there? You can even download the labels in Excel, change the terms offline and upload if that’s easier for you. Surely that doesn’t sound as daunting as originally thought, right?

Give it a try: from there, you can change the labels of selected objects related to risks, opportunities and risk assessments and this will automatically modify the labels in the user interface but also in the reports.

Illustration%3A%20Terminology%20Editor%20with%20%u201CCauses%u201D%20instead%20of%20%u201CDrivers%u201D

Illustration: Terminology Editor with “Causes” instead of “Drivers”

 

5. Bow-tie colors

 

If terminology is important, what about colors? Of course, you can change the colors in the risk matrix, but that you knew already!

What I’m talking about here are the colors in the bow-tie. I met with a Risk Manager a few years ago in the UK who mentioned she would have to spend hours changing the colors of all bow-ties since they were created in PowerPoint and that the executives regularly changed their minds on the colors that needed to be used. I.e. one day red for the risk was deemed to oppressive, the next it was back on the cards, etc.

If that’s the case in your organization as well, simply open the setting “Set Colors for Graphical View Elements” from the SAP Customizing Implementation Guide and select the color in favour on that day by entering its HEX code.

Illustration%3A%20Change%20of%20colors%20for%20the%20risk%20in%20the%20bow-tie

Illustration: Change of colors for the risk in the bow-tie

 

6. Converting qualitative assessments into quantitative assessments

 

Whenever I meet with a company that is just starting on its risk management journey and that has issues with assessing its risks, I usually recommend to start with qualitative assessments in a selected business unit and then roll-out further progressively. And to do the same with risk analysis: if you’re not using quantitative assessments at the moment due to early maturity phase of the process, why not start with qualitative assessment and let the SAP Risk Management solution convert the values for you until such time as you feel the maturity is sufficient to use both?

This is exactly what the “ANALYSIS_QL_QN” setting does! Just maintain this setting by checking the box and you’re ready to go.

Illustration%3A%20Before%20and%20after%20activating%20the%20setting%20in%20the%20backend

Illustration: Before and after activating the setting in the backend

 

7. Updating risk assessments automatically based on key risk indicator values

 

So far, we’ve seen settings that really help Risk Management teams, but let’s think about the end-users too. How good would it be for them if risks could assess themselves? Well, this is precisely what the “KRI Driven Analysis” feature does for you.

To enable this, go to the Risk Evaluation tab of a risk, and, either for the Probability or the Impact(s) or for both, simply select the relevant KRI(s). Then, decide if the analysis will be updated automatically based on new KRI values and you’re good to go.

Illustration%3A%20Assigning%20KRIs%20to%20update%20risk%20analysis%20automatically

Illustration: Assigning KRIs to update risk analysis automatically

You may be asking yourself why I stopped at 7 and not 10. And no, it’s not because I was running out of material. I was just concerned that this blog was becoming too long!

Maybe I’ll write a follow-up where I can also share the integration between SAP Risk Management and SAP Enterprise Asset Management, the ability to send online or offline surveys with simple questions to colleagues whose response will in turn automatically update the key risk indicators values, or the ability to forward certain surveys with the right level of restrictions, or defining an analysis as reviewed even if nothing has changed… And many, many more that I can think of.

What about you, what are your top hidden gems from SAP Risk Management? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

Assigned tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Toni Cherry
      Toni Cherry

      Nice topic Thomas! To add some additional gems...

      We have clients seeking to enhance standard SAP risk reporting via agile projects that leverage SAP Analytics Cloud (and other 3rd Party reporting solutions).

      Integration with SAP Process Control is also high on wishlists - to document Controls in PC as a response within Risk Management, leveraging the completeness and effectiveness status to drive the residual and planned residual risk status.
      Best, Toni

      Author's profile photo Thomas Frenehard
      Thomas Frenehard
      Blog Post Author

      Thank you, Toni, for sharing your insights, it’s much appreciated indeed!

      Concerning the integration with SAP Process Control, I fully agree with you. As a matter of fact, I was about to include it in the blog when I remembered that I had actually released a blog just on this topic in May of last year: GRC Tuesdays: Bringing Control and Risk Management Together Through Automation.

      So thank you for your comment and for giving me the opportunity of mentioning this important feature here!

      Kind regards,

      Thomas