GRC Tuesdays: Hidden Gems – Context-Based Risk Management
Over these last few years, a blog that triggered much interest and follow-up discussions was GRC Tuesdays: 7 Hidden Gems in SAP Risk Management. When I originally wrote it, I didn’t intend to make it a series, but the feedback received was that many capabilities in SAP GRC solutions that really can make your life easier, as a GRC solution admin or as an end-user, were still mostly unknown and would benefit from being better advertised.
This blog is therefore the first one of a new series of “GRC Hidden Gems”. Each blog will focus on only one capability and provide details on functional advantages and how you can leverage it.
Context-based risk management
Informing stakeholders about risks that are truly relevant to their business context is what, in my opinion, makes the difference between a glorified risk ledger and a decision-making tool.
Most SAP Risk Management customer organizations already have a significant SAP landscape with solutions that hold a lot of “context information” relevant for risks – including SAP Enterprise Asset Management, SAP Management of Change or SAP Supply Chain Management for instance.
But did you know that you could assign dimensions from these solutions (assets, locations, equipment, tasks, etc.) to risks from SAP Risk Management so as to provide reviewers and contributors a complete overview of the risk context?
How does this work?
As its name indicates, the object “Context”, displayed as a separate tab in SAP Risk Management, is designed specifically for this purpose: storing information coming from other applications and being able to use this information for risk documentation, assessment, response and reporting.
1. Defining the connection to the other systems
The first step is to use transaction SM59 to define the Remote Function Call (RFC) connection to the systems that hold the additional context information.
Remote Function Call (or RFC) is the standard SAP interface for communication between SAP systems. Transaction SM59 is where the RFC connections that are required for communication between the SAP source system and other systems and programs are maintained.
2. Defining the dimensions for the context
The second preparation step is to be performed in the SAP Customizing Implementation Guide.
From the Implementation Guide, go to the following activity:
- SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Master Data Setup > Define Dimensions for Contexts
Here, you will be able to define the dimensions that will be available to risk users when documenting the risk context. To define a new one, simply click on “New Entries” and select a dimension type from the drop-down menu.
Note: the “Dimension types” are pre-delivered by SAP and include Business Area, Business Partner, Company Code, Customer, Equipment, Material, Plans, Functional Location, Vendor and many more.
Once this is done, select the source system from where the data will flow and the RFC to be used (good thing we did this in step 1!). Don’t forget to name your Dimension so that it can easily be identified afterwards.
3. Assigning dimensions to risk objects
Now that we have our dimensions ready and calling the right data source, SAP Risk Management enables you to define where they can be used.
To configure this, and still in the Implementation Guide, go to the following activity:
- SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Master Data Setup > Assign Dimensions to Entity
Here, you’ll be able to define what dimension can be used when. For instance, you can activate the “Context” tab on Risks, Responses, Key Risk Indicators, Incidents, etc. and then select that the “Equipment” dimension coming from the Enterprise Asset Management module will be available for the Risk and the Response only. Combinations are of course multiple and depend on your business needs.
Once this 3rd and last configuration step is complete, the feature can be used productively by end-users to further document their risks and related objects.
4. Using the capability
From their usual screens, SAP Risk Management users will simply see a new “Context” tab on objects where it’s been activated in step 3.
They can then click on “Add”, select one of the dimensions that has been assigned to the object being edited and enter or search for the record they want to use from the source system. The search screen that is displayed makes the connection directly!
As soon as they have selected a record, the name of the record will be displayed as a clickable hyperlink – enabling the user to navigate to the target system and review the record in more detail if needed.
Finally, and since a decision-making tool is only relevant if it facilitates the understanding of the situation the company is facing, these dimensions can of course be displayed in the standard reports.
To do so, head back to the SAP Customizing Implementation Guide and go to the report configuration activities. From there, you can extend the list of fields users can select for display and add these new dimensions as well.
There is an additional benefit that this feature can bring: it is further possible to use it for response automation, hence triggering an activity such as an action plan from SAP Risk Management to a source system and then automatically track the progress of this activity. But that’ll be a topic for another blog!
Did you find this “hidden gem” useful? If so, please keep an eye out for the other blogs in this series. I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.