The Reality of Risk: Gain insight into your risk position
by Andrew Sawyer
The focus of this series is managing Organizational Risks:
- how this is supported and structured within SAP Risk Management,
- how to drive greater value from the solution (coming in part two),
- and part three will look at maximizing efficiencies in processes and reporting.
Organizations can have a massive volume of complex risks across all areas of the business. Gaining a single view of business risks can help to inform strategic decision-making processes and support active planning for risk reduction.
Technologies such as SAP Risk Management and SAP Analytics Cloud (SAC) can help with identifying the risks which will have the greatest impact on value and business performance, for assessment, analysis and continuous monitoring.
So what is SAP Risk Management?
First and foremost, SAP Risk Management provides a scalable platform for supporting Enterprise Risk Management and Operational Risk Management. The solution facilitates end-to-end management, from the initial identification of Risks and alignment with various aspects of the business, through to assessment and response, with tracking of effectiveness via reports and analytics. It scales for all business types and functional areas.
Risks should be defined and structured from the ground up.
- Assign Risks to Organizational Areas, directly linking the areas of the business where Risk Assessment is needed.
- Associate Risks with the relevant Business Activities – Assets, Business Processes, Projects/Programs and Products.
- Model and visualize Risk relationships for insight into cause-and-effect relationships and aggregate the results.
- Leverage functionality to define drivers, impacts and treatment/response strategies. Input can be collected from the key users via surveys or techniques can be built within a “workshop” environment.
Risk Assessment is the process of analyzing identified Risks to prioritize responses and plan for additional validation or reassessments.
The most common workflows to perform or support Risk Assessment include:
- Risk Survey – used to initiate a risk assessment (or reassessment) to uncover new circumstances that might impact the risk assessment
- Risk Indicator Survey – used to receive manual indications on the development of a key risk indicator
- Risk Assessment – used to update risk analysis and responses
- Activity Survey – used to identify new risks / potential shortcomings related to an activity
Risk Treatment / Response
Assessment scoring is based on the “Inherent” Risk, which refers to the initial Risk Rating post-Assessment.
“Residual” and “Planned Residual” Risk levels and scoring are system-led; their definitions are based on the appropriate treatment and responses being applied.
Residual: Current Risk Rating with active Responses being fully effective
Planned Residual: Future Risk Rating with all Responses applied (including ineffective)
- Responses can be defined as activities performed both inside and outside of Risk Management; these include Acceptance, Mitigation, Transfer or Research.
- Controls or Policies defined within SAP Process Control or SAP Policy Management can be added to Risks as a response; they act as a mitigation to the overall Risk Rating (Score).
Key Risk Indicators
Key Risk Indicators (or KRIs) are measures or values that point to the potential for an “adverse” event. They provide an early warning of a risk event taking place and are used to help predict when a Risk “threshold” is about to be hit, potentially representing a loss event.
When a KRI is triggered, a notification is initiated so that action may be taken to prevent the Risk Event, facilitating proactive identification of potential Risks.
KRIs can be manual (data collected via survey) or automated, collecting data from multiple SAP or non-SAP data sources including:
- SAP Query
- SAP Tables
- SAP BW Queries
- Web Services
The process leverages automation to unearth potential Risks based on threshold violations. For example, in three-way matching of the Purchase Order, Goods Receipt, and Invoice receipt during invoice processing, SAP will mark any discrepancies in the process and block the invoice for payment.
We’ll explore reporting and analytics as well as gaining the maximum value from SAP’s Risk Management solution later in the series.