GRC Tuesdays: 7 Hidden Gems in SAP Risk Management
Like most software, SAP Risk Management is continuously improving with the addition of new features and functionalities. When “major” new improvements are specifically called out in the section What’s New in SAP Risk Management of the SAP Help Portal. But very often, “minor” enhancements are released in Support Packages to respond to customer requirements and will fly under the radar.
Over the years, I’ve often advised colleagues, partners and customers to use some of these features and every time, I feel that these would benefit from being advertised more widely.
Today, I’d like to correct this wrong towards 7 very useful features that are, in my opinion, real hidden gem that can truly help customers make better use of their SAP Risk Management system.
1. Displaying Opportunity Heatmap
This is #1 simply because I was reminded of this report by a great partner recently.
As per ISO31000, risk is the “effect of uncertainty on objectives” and this effect is “a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats” and I know that some don’t like heatmaps, but they are still one of the most consumed risk management report. The question is: did you know the solution had a dedicated heatmap just for opportunities?
If you didn’t, then simply add a link to the application “GRRM_HEATMAP_OPP_REPORT” to your launchpad and that’s it!
2. Viewing Risk with a Different Perspective
A risk and its exposure always need to be taken within a given context. The very same risk may be significant when viewed at a business unit level but may be negligible when viewed from the overall organisation – AKA corporate level – since the risk thresholds might vary.
To be able to compare a risk and its rating when viewed with other eyes (i.e. from the perspective of another unit), simply open the report and select another organization in the “Aspect” field. The values will automatically be refreshed, and the risks now compared to the materiality thresholds of the selected unit from the Organizational Hierachy.
3. Extending columns in reports
Items 1 and 2 of this list highlight that reporting is a big part of the risk management process since it is the output for many executives.
And many times, even when supporting colleagues in preparing demos, I hear that such and such column is missing from the report so that XYZ information can’t be displayed.
This is often followed by an assumption that it would take days to add it… But did you know that there are actually many fields in the reporting framework that can be added to the standard out-of-the-box reports? Without much effort!
Simply open the “Maintain Report” activity in the SAP Customizing Implementation Guide, select the relevant report you want to extend, click on “Copy standard columns” (so that you keep all existing columns or you’ll need to select them manually) and then click on “New Entries”.
There, you can browse the entire library of objects and fields available. You then just need to add what you need and save your work. When opening the reports, users will now have these new columns available when they click on the “Personalize Fields” option.
4. Rapidly Changing Terminology
Back to the situation we had just now where there was a perception that adding columns to a report would be an insurmountable task, the same goes for terminology.
And terminology is a very important aspect of any enterprise risk management process since it helps ensure that all are on the same page.
What if I told you that you could open an activity called “Maintain Risk Management Terminologies” and change the labels directly there? You can even download the labels in Excel, change the terms offline and upload if that’s easier for you. Surely that doesn’t sound as daunting as originally thought, right?
Give it a try: from there, you can change the labels of selected objects related to risks, opportunities and risk assessments and this will automatically modify the labels in the user interface but also in the reports.
5. Bow-tie colors
If terminology is important, what about colors? Of course, you can change the colors in the risk matrix, but that you knew already!
What I’m talking about here are the colors in the bow-tie. I met with a Risk Manager a few years ago in the UK who mentioned she would have to spend hours changing the colors of all bow-ties since they were created in PowerPoint and that the executives regularly changed their minds on the colors that needed to be used. I.e. one day red for the risk was deemed to oppressive, the next it was back on the cards, etc.
If that’s the case in your organization as well, simply open the setting “Set Colors for Graphical View Elements” from the SAP Customizing Implementation Guide and select the color in favour on that day by entering its HEX code.
6. Converting qualitative assessments into quantitative assessments
Whenever I meet with a company that is just starting on its risk management journey and that has issues with assessing its risks, I usually recommend to start with qualitative assessments in a selected business unit and then roll-out further progressively. And to do the same with risk analysis: if you’re not using quantitative assessments at the moment due to early maturity phase of the process, why not start with qualitative assessment and let the SAP Risk Management solution convert the values for you until such time as you feel the maturity is sufficient to use both?
This is exactly what the “ANALYSIS_QL_QN” setting does! Just maintain this setting by checking the box and you’re ready to go.
7. Updating risk assessments automatically based on key risk indicator values
So far, we’ve seen settings that really help Risk Management teams, but let’s think about the end-users too. How good would it be for them if risks could assess themselves? Well, this is precisely what the “KRI Driven Analysis” feature does for you.
To enable this, go to the Risk Evaluation tab of a risk, and, either for the Probability or the Impact(s) or for both, simply select the relevant KRI(s). Then, decide if the analysis will be updated automatically based on new KRI values and you’re good to go.
You may be asking yourself why I stopped at 7 and not 10. And no, it’s not because I was running out of material. I was just concerned that this blog was becoming too long!
Maybe I’ll write a follow-up where I can also share the integration between SAP Risk Management and SAP Enterprise Asset Management, the ability to send online or offline surveys with simple questions to colleagues whose response will in turn automatically update the key risk indicators values, or the ability to forward certain surveys with the right level of restrictions, or defining an analysis as reviewed even if nothing has changed… And many, many more that I can think of.
What about you, what are your top hidden gems from SAP Risk Management? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard