Template Business Blueprint - ISACA

Loading...

SAP BusinessObjects Risk Management 3.0

Template Business Blueprint

Marko Hamel

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc – 21.12.2010

PoC SAP BO Risk Management 3.0 Template Business Blueprint

Date

Name

Alteration Reason

24.08.9999

XXX

Template Finalized

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

Version 1.0

page 2/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

Table of Contents 1

2

3

4

5

6

7

8

Overview 1.1 Project Objectives 1.2 Technical Environment 1.2.1 System requirements 1.2.2 System Landscape Use Cases 2.1 Use Cases: General 2.2 Use Cases: Risk Data Model 2.3 Use Cases: Risk Input 2.4 Use Cases: Risk Calculation 2.5 Use Cases: Risk Reporting Processes 3.1 Business Processes 3.1.1 Process 1 3.2 Risk Management Process 3.2.1 Risk Planning 3.2.2 Risk Identification 3.2.3 Risk Analysis 3.2.4 Risk Response 3.2.5 Risk Monitoring Organization Structure 4.1 Risk Management Organization 4.2 Activity Management Risk Data Model 5.1 Risk Input Form Mapping 5.2 Risk Calculation at Risk Management Workflows 6.1 Workflows within the Risk Management Process 6.1.1 Risk Planning Workflow 6.2 Workflows within SAP Risk Management Roles and Responsibilities 7.1 RM: Risk Operations Manager 7.2 AM: Accountable Manager 7.3 RE: Risk Expert 7.4 AO: Assessment Owner 7.5 RV: Risk Validator 7.6 RO: Risk Owner 7.7 ReO: Response Owner 7.8 AA: Auditor and Analyzer 7.9 Authorization Matrix Authorization Concept 8.1 ABAP Standard Roles 8.2 SAP NetWeaver Portal Role

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

5 5 5 5 5 6 6 6 7 7 7 8 8 8 8 8 9 9 9 9 10 10 10 11 11 12 14 14 14 15 16 16 16 16 16 17 17 17 17 17 18 18 19

page 3/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

8.3 Application Roles 19 8.4 Assignment of users to Org-Units 20 9 IMG Settings 21 9.1 Maintain Entity Role Assignment (IMG: General Settings) 21 9.2 Maintain Users Responsibility for Entity (IMG: Reporting) 21 9.3 Maintain Custom Agent Determination Rules (IMG: Workflow Enabling) 21 9.4 Maintain Activity Types (IMG: Master Data Setup) 21 9.5 Risk Data Model and Calculation 22 9.5.1 Maintain Impact Levels (IMG: Master Data Setup) 22 9.5.2 Maintain Probability Levels (IMG: Risk and Opportunity Analysis) 22 9.5.3 Maintain speed of onset (IMG: Risk and Opportunity Analysis) 22 9.5.4 Maintain Probability Level Matrix (IMG: Risk and Opportunity Analysis) 23 9.5.5 Maintain Risk and Opportunity Level Colour (IMG: Risk and Opportunity Analysis) 23 9.5.6 Maintain Risk and Opportunity Level Matrix (IMG: Risk and Opportunity Analysis) 23 9.5.7 Maintain Risk and Opportunity Priorities (IMG: Risk and Opportunity Analysis) 23 9.5.8 Maintain Risk and Opportunity Priority Matrix (IMG: Risk and Opportunity Analysis) 24 9.5.9 Define Three-Point Analysis (IMG: Risk and Opportunity Analysis) 24 9.5.10 Maintain Analysis Profile (IMG: Risk and Opportunity Analysis) 24 9.5.11 Allow free text for Benefit, Impact and Driver Categories (IMG: Risk and Opportunity Attributes)24 9.5.12 Maintain Activity Types (Master Data Setup) 25 9.6 Response and Enhancement 25 9.6.1 Maintain Response and Enhancement purpose (Response and Enhancement Plan) 25 9.6.2 Maintain Response and Enhancement Plan Effectiveness (Response and Enhancement Plan) 25 9.6.3 Maintain Response Plan Types (Response and Enhancement Plan) 25 10 Appendix 26 10.1 Definitions and Abbreviations 26 10.2 References 26 11 Risk Categories 27 12 Index of Tables 29

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 4/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

1

Overview

The current blueprint document helps to streamline and collect the detailed requirements of including the specification of use cases for SAP BusinessObjects Risk Management. It is essential to gain a comprehensive understanding of processes, roles and responsibilities, organization structure, risk calculation model and risk workflows. This information is used as a source to specify and describe the customizing settings that need to be implemented to achieve the project goals.

1.1

Project Objectives

The Proof-of-Concept should ensure the achievement of the following objectives: …

1.2

Technical Environment

Application: Add. Component 1: Add. Component 2: Add. Component 3: Operating System: Database: 1.2.1

SAP BusinessObjects Risk Management 3.0 T-Rex Search engine (Optional) BusinessObjects Enterprise Server Adobe Interactive Forms

System requirements

Solution Validation Landscape: Components Requirements (minimal) Application Component

GRCFND_A 300, GRC RM Portal 300

Optional Application Component

GRC Reporting Framework 3.0

Technology Component

NetWeaver for ABAP 7.01 SP03 / Incl. SAP_ABA / SAP_BASIS / PI_BASIS / SAP_BW / IGS...

Optional Technology Component

BOBJ SAP Integration Kit XI 3.1

NetWeaver for Java 7.01 SP03 / Incl. Adobe Document Services

BOE Server: BOE XI 3.1 (Fixpack 1.2) / BOBJ SAP Integration Kit XI 3.1

Productive Landscape Hardware Requirements (minimal) System Type

Server

Application

Risk Management 3.0**

Processor

Two single core processors or one dual core processor

RAM

4 GB (minimum), 8 GB (recommended)

HD

100 GB minimum, swap space 2*RAM, 1.2 GB temporary space

1.2.2

System Landscape



Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 5/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

2

Use Cases

A detailed description of use cases will ensure a user-oriented and measurable implementation of the requirements regarding a software-based Risk Management solution. For an easier handling the use cases will be defined using the following categorization: General GEN Risk Data Model MDL Risk Input INP Risk Calculation CAL Risk Reporting REP

2.1

Use Cases: General

ID

Name

Description

GEN01

Portal Integration

Integration of the Risk Management solution in a SAP NetWeaver Portal as defined UI

GEN02

Role Concept

All in the risk management process involved persons need to be authorized following a role based approach.

GEN03

Risk Management Process

The risk management process of including the following steps need to be implemented: Risk Planning Risk Identification (incl. Risk Survey) Risk Analysis Risk Response Risk Monitoring Risk Reporting

Table 1: Use Cases: General

2.2

Use Cases: Risk Data Model

ID

Name

Description

MDL01

Qualitative/Quantitative Mapping

Risks are managed in qualitative as well as quantitative way. Consequently the IMG needs to be customized to support this mixed-mode using Probability (%), Impact Before and After Response (level), Total Loss (€), Time (Priority) as input. The Expected Loss (€) as well as the Risk Level (level) are calculated based on a defined calculation matrix.

MDL02

Org.-Units

Recording of risks in connection with the relevant Org.-Unit. Consequently the Org.-Unit of is an essential part of the master data.

MDL03

Risk Categories

Usage of the Common Risk ID’s as part of the „Project Risk Register“ (PRR)

Table 2: Use Cases: Risk Data Model

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 6/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

2.3

Use Cases: Risk Input

ID

Name

Description

INP01

Risk Forms

Simple input of new risks using survey-based offline-forms. The layout of the Customer Standard should be utilized.

INP02

Online Input

After the initial upload of the offline forms all data needs to be available for online maintenance.

Table 3: Use Cases: Risk Input

2.4

Use Cases: Risk Calculation

ID

Name

Description

CAL01

Risk Calculation

The current excel-based approach acts as the foundation for the calculation of risks. For more details see Risk Data Model

Table 4: Use Cases: Risk Calculation

2.5

Use Cases: Risk Reporting

ID

Name

Description

REP01

PDF Printout-Report

The report should show the most important attributes of an risk like: Description Driver Impact Probability Total loss Expected loss Risk level Response details

REP02

Risk Dashboard / Heat Map

The risk dashboard presents the most important risks based on a chosen Org. Unit aggregating the levels below. Furthermore it is important to show a heat map highlighting the distribution of risks in reference to probability and impact.

Table 5: Use Cases: Risk Reporting

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 7/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

3

Processes

3.1

Business Processes

3.1.1

Process 1

The output of process 1 is …

3.2

Risk Management Process

The Risk Management process is based on the internal Risk Management Methodology and contains the following steps: 1. Risk Planning 2. Risk Identification 3. Risk Analysis 4. Risk Response 5. Risk Monitoring 6. Risk Reporting

Risk Management Process Steps

Risk Manager (RM)

Risk Expert (RE)

1. Risk Planning

C

2. Risk Identification

Risk Owner (RO)

Assessment Owner 1 (AO)

Accountable Manager (AM)

R

R

A

C

R

A

I

3. Risk Analysis

C

R

A

I

4. Risk Response

C

C

R

R

A

5. Risk Monitoring

R

C

R

A

I

6. Risk Reporting

C

R

R

A

R

Response Owner (ReO)

Table 6: Risk Management Process RACI

3.2.1

Risk Planning

During this step the approach how to perform risk management in each business area or project is determined. Activities: Meet with the Risk Experts on a monthly basis Discuss / Identify risk topics and areas. Plan and align risk activities and goals for risk assessments Presentation of updates Contact business owners.

1

Project Manager or delegate

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 8/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

3.2.2

Risk Identification

The uncovering of risks to each business area or project before they turn into problems as well as the initiation of the Risk Assessment are characteristics of this steps. Activities: Organization-/ Project-/ process interviews (risk survey) Identification of KRI´s (e.g. global, strategic, operational ...) Identification of relevant / corresponding KPI´s Meet with business experts Setup Risk Assessments according established Processes 3.2.3

Risk Analysis

The main objectives of this phase are the evaluation of risk attributes as well the prioritization of the risks. Activities: Perform the Risk Analysis in terms of: Condition, Indicator, Consequences Probability of Occurrence Impact in terms of quantity or on a qualitative scale Timeline and mitigation (response) actions which must be realized to minimize / eliminate the risk 3.2.4

Risk Response

This phase closes the Risk Assessment by making the decision what should be done to mitigate handle the risks. As a final step the risks are validated by management. Activities: Clarify the questions in terms of: - Do we know enough about the risk? - Can we live with the risk? - Is it possible to do something against the risk? - Are financial and timely efforts adequate in relation to the risk? - Who is responsible to take the action? 3.2.5

Risk Monitoring

Keeping track of the risks and evaluating the effectiveness of the response actions is the essential task of the monitoring. Activities: Check reporting needs in terms of: o Are the identified risks still relevant? o Is the analysis still valid? o Are there any new risks? o Are the response strategies actively taken effective? o Do we have to escalate certain risks?

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 9/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

4

Organization Structure

The Org-Structure will be implemented using the following hierarchy: - Chief Executive Officer (CEO) XXX XXX XXX

4.1

Risk Management Organization

The chart bellow describes the organization of the unit from a risk management perspective:

4.2

Activity Management

Since the work of the different UNIT’s inside the unit is very project-driven, the usage of so called Activities, as specific operations that may lead to actual risks in the different organization units will be implemented within the PoC environment. As a consequence an Activity Owner (represented by the Assessment Owner) is able to structure the risks within his unit based on processes, projects, initiatives or planning objects with the main advantage of having a much better and granular reporting and control possibility. The Activity Management Process contains five main steps: 1. Create an Activity (by Risk Manager) 2. Create Risks (by Assessment Owner) 3. Update Risks (by Assessment Owner and /or Risk Owner) 4. Validate the Activity (Risk Validator role) 5. Close the finished or obsolete activity

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 10/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

5

Risk Data Model

The defines a risk as an uncertain event or condition that, if it occurs, has a negative aspect on business or project objective. This part of the document describes how risks are collected, calculated and managed via dedicated responses.

5.1

Risk Input Form Mapping

At the moment risks are collected offline using the Project Risk Register Tool (PRR) and Risk Forms (PPT). In order to use Adobe Interactive Forms in combination with SAP BusinessObjects Risk Management 3.0 the valid terms need to be mapped to the new terminology internally.

Used Term

Description

Mapping to SAP BO RM 3.0

Title

Short name of a risk.

Name

Common Risk ID

Key attributes to classify a risk in detail. For more information see Appendix A

Risk Category

Organization Unit

Specifies the Organization Unit a risk belongs to.

Organization Unit

Condition

The condition describes what is actually causing the concern that certain business, financial or strategic objectives may not be achieved as planned.

Risk Description

Indicator

Root cause leads to the situation a risk is actually occurring.

Driver

Consequence

The consequence describes the negative impact(s) of the condition(s) on the business, financial or strategic objectives of the related business activity.

Impact

P%

The likelihood that risk will occur in %.

Probability

IBR

Impact Before Response: The qualitative impact before risk response actions are taken

Impact Level

Time

The period when action is required to respond to a risk.

Speed of Onset

Total Loss

The magnitude of the actual loss value accrued when a risk event occurs before the response actions are implemented. It is also called the quantitative financial impact.

Total Loss

Table 7: Risk Input Form

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 11/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

5.2

Risk Calculation at

Inside SAP BusinessObjects Risk Management the probability as well as the quantitative/qualitative Impact mapping will be implemented as described in the table below. The system is able to calculate the Total Loss if the qualitative Impact Level is available and vice versa.

Probability

Quantitative Impact (Total Loss)

Qualitative Impact

1% – 19% = Remote

1 = 0€ – 200 k€

1 = Insignificant

20% – 39% = Unlikely

2 = 200 k€ – 1,000 k€

2 = Minor

40% – 59% = Likely

3 = 1,000 k€ – 5,000 k€

3 = Moderate

60% – 79% = Highly Likely

4 = 5,000 k€– 25.000 k€

4 = Major

80% – 99% = Near Certainty

5 = > 25.000.000 EUR

5 = Catastrophic

Table 8: Probability and Impact Level

The RM application will use the provided data to calculate the Risk Level and the Expected Loss. PRR Term

Description

Mapping to SAP BO RM 3.0

P*i

Calculates the Risk Level by multiplying Probability Level and Qualitative Impact under consideration of the Risk Level Matrix

Risk Level

Expected Loss

A measure of the loss associated with a risk, taking into account the Probability of the risk and the Total Loss in EUR (P*Total Loss).

Expected Loss

Table 9: Risk Calculation Term

The defined Risk Levels rated as High (H), Medium (M) or Low (L) depend on the assessed Probability and the Impact and will be implemented as highlighted in the Risk-Level-Matrix below. Probability at Analysis

Qualitative Impact 1

2

3

4

5

Level 1: 01–19 %

L

L

L

L

M

Level 2: 20–39 %

L

L

L

M

M

Level 3: 40–59 %

L

L

M

M

H

Level 4: 60–79 %

L

M

M

H

H

Level 5: 80–99 %

L

M

H

H

H

Table 10: Risk Level Matrix

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 12/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

After the calculation of the risk level a prioritization using the time input (Speed of Onset) needs to be determined. The risk priority is defined with a numeric value indicating the urgency, where the lowest number equals the highest priority. The defined risk priorities depend on the assessed timeframe and the Risk Level during Analysis. Risk Level during Analysis Timeframe L

M

H

1: Long (12 months+)

9

8

6

2: Medium (3-12 months)

7

4

3

3: Short (less than 3 m)

5

2

1

Table 11: Risk Priority Matrix

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 13/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

6

Risk Management Workflows

6.1

Workflows within the Risk Management Process

6.1.1

Risk Planning Workflow



Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 14/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

6.2

Workflows within SAP Risk Management

There are two kinds of workflows in Risk Management 3.0: planner-based and event-based workflows. Planner-based workflows are scheduled and triggered through the Planner, such as “Update Risk” or “Risk Survey”. They reflect the organizations Risk Management Calendar to perform regular activities like updating existing risk information or preparing for risk reportings. Event-based-workflows on the other side are predefined end-to-end processes triggered by end-user action, such as “Propose Risk”. In Risk Management so called Business Events are use used to map the different workflow tasks to one or several recipients.

Workflow Name

Description

Role of Workflow Recipient

Activity Survey

Identify new risks related to an activity by sending out survey questions.

Assessment Owner (AO)

Activity Validation

Allows a planner to get sign-off and confirmation on the current risk situation for an activity (process or project).

Risk Validator (RV)

Opportunity Assessment

Supports Risk Managers to get an update for opportunities in their area by sending out a risk assessment work item.

(1) Assessment Owner (AO)

Opportunity Validation

Allows a planner to get sign-off and confirmation on the current opportunity (analyses and assigned enhancement plans).

Risk Validator (RV)

Response Update

Helps Risk Managers and Risk Owners to keep track on the current state of the risk responses by sending a work item to the Response Owner.

Response Owner (ReO)

Risk Assessment

Supports Risk Managers to get an update for risks in their area by sending out a risk assessment work item.

(1) Assessment Owner (AO)

Perform a risk survey in preparation to a planned risk re-assessment through a set of survey questions.

(1) Assessment Owner (AO)

Allows a planner to get sign-off and confirmation on the current risk (analyses and assigned responses).

Risk Validator (RV)

Risk Survey

Risk Validation

(2) Risk Expert (RE)

(2) Risk Expert (RE)

(2) Risk Expert (RE)

The Opportunity Assessment, Risk Assessment and Risk Survey will be routed to the Assessment Owner as a first step. If no Assessment Owner is responsible, because the risk was not assigned to an activity it will be sent to the Risk Expert.

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 15/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

7

Roles and Responsibilities

The following roles are involved in the Risk Management Process: Risk Operations Manager (RM) Accountable Manager (AM) Risk Expert (RE) Risk Assessment Owner (AO) Risk Validate (RV) Risk Owner (RO) Response Owner (ReO) Auditor and Analyzer (AA)

7.1

RM: Risk Operations Manager

The Risk Operations Manager is a senior person responsible for all risk management activities in his respective unit. He reports to the unit head. Main Tasks: Planning, coordination and aggregation of risk management activities inside the unit Aggregation of reportings Interface to Corporate Risk Management Risk Management planning for the unit Generation of risk reports (content, process compliance) on unit

7.2

AM: Accountable Manager

The Accountable Manager is a manager responsible for an org unit or the delivery of a project.

7.3

RE: Risk Expert

Every unit has named a Risk Expert, who supports the UnitHead in his responsibility for risk management. The Risk Expert has deep knowledge about risk management theory and the GRC Methodology. Main Tasks: Risk Management planning together with the UNIT Head and others Schedule and organizing the initial risk assessment Moderating risk assessments, including recording risk data in risk register (PPT; PRR) Driving the risk monitoring process Generating risk reports on UNIT level Support project leads and others of the UNIT in driving risk management in their area of responsibility

7.4

AO: Assessment Owner

The Assessment Owner defined in the general project data has primary accountability for the project risk assessment. The Assessment Owner can change all project and risk data, including the creation of new risks. The Assessment Owner is informed of his/her role via a work item notification once the project is created. For projects the assessment owner can be the project lead or his/her delegate. Remark: Inside the unit a neutral person, the so called Risk Assessment Moderator, might support the moderation of a Risk Assessment.

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 16/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

Main Tasks: Execution of Risk and Change Management Process in the responsible area (Planning, Identification, Analysis, Response and Monitoring) Coordination and Participation of Risk Assessment Ensure aggregation of results as well as risk validation

7.5

RV: Risk Validator

The Risk Validator is in charge of reviewing and approving the identified risks, the analysis, and the risk response plans as well as deciding whether the assessment should be approved, rejected, or re-worked. The Risk Validator should be at least one level higher in the management level than the Assessment Owner. Responsibility for validation cannot be delegated. Main Tasks: Sign-Off and approval of single risks or risk assessment results Rejection of risks (e.g. demand for better description, quality …) Determination of confidentiality level for risks Proposes risks for “area risk reporting” as well as “board risk reporting”

7.6

RO: Risk Owner

A person identified during a risk assessment or in follow up of a risk assessment. The risk owner can be different from the project lead that has the original responsibility for all project related risks (applies equally to other tasks and entities). The role of the risk owner is to analyze risks, to initiate risk response action, and to follow-up on risk response actions. He should always be able to provide the most up to date status of the risk. Main Tasks: Description and analysis of risks Proposal of response strategies for mitigation Initiation of response actions Follow-Up of results Set or verification of "Risk and Response" status.

7.7

ReO: Response Owner

A person identified during a risk assessment or in follow up of a risk assessment. The response owner’s responsibility is to execute planned responses. He/she may report to the risk owner or others in that matter. Main Tasks: Execution of defined response measure Reporting of response Set of response status

7.8

AA: Auditor and Analyzer

This role will be assigned to Persons needing read-only access to a complete unit. This may be the Unit Manager (if no data maintenance needed), GIAS or an external auditor.

7.9

Authorization Matrix

The authorization matrix is defined in the excel sheet: “Entity_Authorizations_RM30_for_.xls”.

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 17/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

8

Authorization Concept

The Risk Management application is based on the SAP NetWeaver authorization model and assigns authorizations to users based on roles. SAP Standard roles (PFCG basic roles) provide the technical standard authorizations to the ABAP server. Portal roles provide application content, like order and number of visible work centers, via the SAP NetWeaver Portal. The following table lists the application elements and responsible roles for authorization:

Description

Access determined by Role Type

Navigation Menu

Portal role

Work Set

Portal role

Work Center

Portal role

Menu Group

Application role

Menu Item

Application role

As an additional aspect the Risk Management web-frontend (NW Portal) is used to assign end-users to 2

business user roles and to entities such as risks, opportunities and organizations based on so called application roles. These application entities are structured in a hierarchy, providing top-down authorizations. Roles and entities at a higher entity–level have greater authorizations to perform tasks and greater access to the application than roles at a lower entity–level. The hierarchy also affects task assignments, work flows, and business event processing. Furthermore a usage of the so called Second-Level Authorization allows a restriction of the user selection for entity-level role assignments. So only those users, who have been assigned the corresponding PFCG role in their user profile, are available for an assignment. Consequently the Second-Level Authorization provides an additional level of control. However in the PoC it was decided to de-activate this possibility and rely on the entity authorization via the web-frontend, only.

8.1

ABAP Standard Roles

Risk Management provides the following basis roles:

2

Role Name

Description

SAP_GRC_FN_BASE

This is the basis backend role and is required by every user of Risk Management.

SAP_GRC_FN_ALL

This role acts as a Power User role and provides full access to all entities.

Table GRFNENTITY contains all available entities

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 18/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

SAP_GRC_FN_DISPLAY

This role provides display access to all entities and can be used for auditors.

SAP_GRC_FN_BUSINESS_USER

This is the standard end-user role. The access to the different entities is maintained via the web-frontend application.

8.2

SAP NetWeaver Portal Role

The GRC Risk Management role provides access to the Navigation Menu for Risk Management in the SAP NetWeaver Portal as well as the following relevant Work Sets: My Home Risk Structure Risk Assessment Risk Monitoring Reporting and Analytics User Access Please note that the number and visibility of menu entries is derived from the business user role that was assigned over the frontend.

Role Name

Description

pcd:portal_content/com.sap.grc.rm.Enterprise_Risk_Management/com.sap.grc. rm.roles/com.sap.grc.rm.Role_All

GRC Risk Management

8.3

Application Roles

Application roles (PFCG model roles) grant detailed authorization to the Risk Management application and refine the standard role authorizations. The following table maps the original SAP Roles to the customer specific roles in Risk Management.

Role in RM

3

3

Example Users

Role Name

Original SAP Role

Risk Manager (RM)

Central Risk Manager

Z_GRC_RM_API_RISK_MANAGER

SAP_GRC_RM_API_CENTRAL_RM

Risk Expert (RE)

Unit Risk Manager

Z_GRC_RM_API_RISK_EXPERT

SAP_GRC_RM_API_RISK_MANAGER

Accountable Manager (AM)

Org Unit Manager

Z_GRC_RM_API_ACCOUNT_MAN AGER

SAP_GRC_RM_API_ORG_OWNER

The role name in the web-frontend will be derived from the description of the ABAP role.

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 19/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

Assessment Owner (AO)

Business Unit Manager/ Project Manager/ Program Manager

Z_GRC_RM_API_ASSESSMNT_O WNER

SAP_GRC_RM_API_ACTIVITY_OWN ER

Risk Owner (RO)

Risk Owner

Z_GRC_RM_API_RISK_OWNER

SAP_GRC_RM_API_RISK_OWNER

Response Owner (ReO)

Respons e Owner

Z_GRC_RM_API_RESPONSE_OW NER

SAP_GRC_RM_API_RESPONSE_OW NER

Risk Validator (RV)

CFO / Unit Head

Z_GRC_RM_API_RISK_VALIDATO R

SAP_GRC_RM_API_CEO_CFO

Auditor & Analyzer (AA)

Internal Auditor

Z_GRC_RM_API_AUDITOR_ANAL YZER

SAP_GRC_RM_API_INTERNAL_AUD

8.4

Assignment of users to Org-Units

The assignment of the responsible persons to the different Org.-Units can be maintained in tab Risk Management -> Work Set: Risk Structure -> Menu Item: Organizations

Org-Init

Accountable Manager

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

Risk Expert

page 20/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

9

IMG Settings

9.1

Maintain Entity Role Assignment (IMG: General Settings)

The step is used to assign the entities to individual user roles.

Entity ID

9.2

Role

Unique

Maintain Users Responsibility for Entity (IMG: Reporting)

Use this customizing activity to specify which roles are relevant for a particular entity to be used in Risk Management reporting.

Entity ID

9.3

Example Users

Maintain Custom Agent Determination Rules (IMG: Workflow Enabling)

Specify the agent determination rules to identify the right workflow recipient for all business events to be used in Risk Management. Business Event: Is the event name for which a recipient role will be assigned. Sort: Allows prioritization and grouping of business events. Role: Assigned recipient role. Entity ID: Entity associated with the business event. Subtype: Subtype associated with the business event. (Not maintained) Business Event Name: Description for the business event. Business Event

9.4

S Role

Entity ID

Business Event Name

Maintain Activity Types (IMG: Master Data Setup)

Maintain activity types for an activity hierarchy in your organization. This enables you to group similar activity categories under one activity type in the application.

Type

Activity Type Name

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 21/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

9.5

Risk Data Model and Calculation

9.5.1

Maintain Impact Levels (IMG: Master Data Setup)

Maintain the impact levels used in risk analysis, as well as the benefit levels to be used in opportunity analysis.

Imp Level

Impact level Text

Benefit level Text

Reduction/Improvement

1

Insignificant

Insignificant

Very Low

2

Minor

Modest

Low

3

Moderate

Moderate

Medium

4

Major

Worthwhile

High

5

Catastrophic

Significant

Very High

9.5.2

Maintain Probability Levels (IMG: Risk and Opportunity Analysis)

Configure and maintain risk probability levels for Process Control and Risk Management.

Prob Level

Description

1

Remote

2

Unlikely

3

Likely

4

Highly Likely

5

Near Certainty

9.5.3

Maintain speed of onset (IMG: Risk and Opportunity Analysis)

The speed of onset refers to the time horizon in which you expect the risk to occur. In this way, you can specify values for the periods in which action is required to respond to a risk.

Speed of Onset

Description

1

Long (12 months +)

2

Medium (3-12 months)

3

Short (less than 3 months)

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 22/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

9.5.4

Maintain Probability Level Matrix (IMG: Risk and Opportunity Analysis)

Configure and maintain risk probability levels for Process Control and Risk Management.

Prob Value From

Prob Level

1

1

30

2

50

3

70

4

90

5

9.5.5

Maintain Risk and Opportunity Level Colour (IMG: Risk and Opportunity Analysis)

Maintain risk and opportunity levels, together with the colors for the various risk or opportunity levels. These are used in the front-end application when working with risk scenarios or carrying out a risk analysis.

Level

Description

Position

Risk Level Color

Opportunity Level Color

H

High

1

Red

Red

L

Low

3

Green

Green

M

Medium

2

Yellow

Yellow

9.5.6

Maintain Risk and Opportunity Level Matrix (IMG: Risk and Opportunity Analysis)

A risk level refers to the level of severity for a risk and corresponds to a defined risk level value. The combination of impact level x probability level should correspond to the defined risk level.

Probability

9.5.7

Impact Level

Level

Maintain Risk and Opportunity Priorities (IMG: Risk and Opportunity Analysis)

Maintain numerical values for risk and opportunity priorities.

Risk Priority

Description

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 23/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

9.5.8

Maintain Risk and Opportunity Priority Matrix (IMG: Risk and Opportunity Analysis)

Specify the values for the speed of onset, the calculated risk level and the risk priorities.

Speed of Onset

9.5.9

Level

Risk Priority

Define Three-Point Analysis (IMG: Risk and Opportunity Analysis)

The "three points" to be defined and then analyzed are the minimum loss, the average loss, and the maximum loss, which you define in percentage format. Usage: (Minimum + Maximum + 4(Average))/6

Date

Min Loss

Avg Loss

Max Loss

Active

21.07.2009

16,6667

66,6666

16,6667

X

9.5.10

Maintain Analysis Profile (IMG: Risk and Opportunity Analysis)

The following analysis profile options are available in this Customizing activity: Impact Reduction: This refers to the reduction in the impact of a risk after risk response. If you do not set the indicator, the impact reduction section does not appear on the Response tab of the RM UI. Probability: Quantitative: In this option, the probability appears as in input field on the UI and you can enter the probability percentage value. Speed of Onset: Switch on the timeframe as the period of time that is available to decide on the risk responses. Impact Value: Mixed: In this option, both qualitative and quantitative options appear on the UI.

Profile ID

Impact Reduction

Probability

Speed of Onset

Impact Value

Aggregation Method

Active

0000000001

X

Quantitative

X

Mixed

Average

X

Customized: Probability = quantitative and impact value = quantitative result The system converts the probability percentage value into a probability level. In addition, the system calculates the impact level on the basis of minimum, average, and maximum impact amounts, after which the system calculates the risk level. 9.5.11

Allow free text for Benefit, Impact and Driver Categories (IMG: Risk and Opportunity Attributes)

After a certain category was activated the field for entering the corresponding text is enabled and you can enter text describing the object.

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 24/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

Category

9.5.12

Application

Active

Maintain Activity Types (Master Data Setup)

Maintain activity types for an activity hierarchy in this organization. This enables you to group similar activity categories under one activity type in the application.

Type

9.6

Activity Type Name

Response and Enhancement

Enhancements are not in scope. 9.6.1

Maintain Response and Enhancement purpose (Response and Enhancement Plan)

Maintain the specific purposes of responses to risks or enhancement plans for opportunities.

Response

9.6.2

Response Purpose Text

Maintain Response and Enhancement Plan Effectiveness (Response and Enhancement Plan)

Define levels for the effectiveness of responses to risks, as well as the effectiveness of the enhancement plan for an opportunity.

Eff. Level

RespEff. %

Effectiveness desc.

0

50

Ineffective

1

75

Partly Effective

2

100

Effective

9.6.3

Maintain Response Plan Types (Response and Enhancement Plan)

Configure and maintain specific response types for the risks defined.

Type

Description

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 25/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

10

Appendix

10.1

Definitions and Abbreviations

Term

Description

GRC

Governance, Risk and Compliance

10.2

References

Organization Structure …

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 26/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

11

ID

Risk Categories

Common Risk

Focus Area Country Risk Report

Financial Risks Financial Reporting Accounting Guidelines

Financial

Financial Market Regulations

Financial

Financial Misstatements

Financial

Internal Compliance

Financial

Treasury Currency

Financial

Liquidity

Financial

Cost of Financing

Financial

Investment / Debt

Financial

Derivative Instruments

Financial

Cash Management

Financial

Controlling Budgeting

Financial

Financial Planning and Forecasting

Financial

Cost Center Reporting

Financial

Organization and Governance Corporate Governance

Org. & Gov.

Organizational Structure

Org. & Gov.

Processes

Org. & Gov.

Process Execution

Org. & Gov.

Internal Controls System

Org. & Gov.

Operational Risks Intellectual Property Rights

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

Other Operational

page 27/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

Procurement Vendor Selection

Other Operational

Vendor Monitoring

Other Operational

Vendor Dependency

Other Operational

Policy

Other Operational

Infrastructure Operations Security Governance

Other Operational

Facilities and Physical Security Planning and Construction

Other Operational

Loss of Infrastructure

Other Operational

Unauthorized Access

Other Operational

Impairment of Personnel

Other Operational

Facilities and Physical Security

Other Operational

Information and IT



Confidentiality

Other Operational

Availability

Other Operational

Technology

Other Operational

Integrity

Other Operational

Information & IT

Other Operational





Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 28/29

PoC SAP BO Risk Management 3.0 Template Business Blueprint

12

Index of Tables

Table 1: Use Cases: General .............................................................................................................................6 Table 2: Use Cases: Risk Data Model ...............................................................................................................6 Table 3: Use Cases: Risk Input ...........................................................................................................................7 Table 4: Use Cases: Risk Calculation .................................................................................................................7 Table 5: Use Cases: Risk Reporting ...................................................................................................................7 Table 6: Risk Management Process RACI ..........................................................................................................8 Table 7: Risk Input Form ...................................................................................................................................11 Table 8: Probability and Impact Level ...............................................................................................................12 Table 9: Risk Calculation Term .........................................................................................................................12 Table 10: Risk Level Matrix ...............................................................................................................................12 Table 11: Risk Priority Matrix.............................................................................................................................13

Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc

page 29/29

Loading...

Template Business Blueprint - ISACA

SAP BusinessObjects Risk Management 3.0 Template Business Blueprint Marko Hamel Template_SAPRiskManagement3.0_BusinessBlueprint_1.0.doc – 21.12.201...

217KB Sizes 8 Downloads 23 Views

Recommend Documents

Deloitte PowerPoint template - ISACA
Jun 17, 2015 - Tabletop exercises. Methodology & tools. Recommended. Approach. Table Top Exercise. Description. (What is

Business Continuity-Disaster Recovery Planning - ISACA
Oct 12, 2012 - "Business Continuity Planning (BCP) and Disaster Recovery (DR) are used together so often that people oft

Separation Agreement Template Nc | Business Plan Template
Sep 2, 2017 - Separation Agreement Template Nc NC Separation Agreement – DIY or Use a Lawyer? http://www.mcilveenfamil

Restaurant Business Plan Template
Here's Your FAST Sample Business Plan. This Restaurant Business Plan has been written to use a starting point for develo

Separation Agreement Template Nc | Best Business Template
Business Separation Agreement Template » Separation Agreement Template Nc | Best Business Template.

Business Separation Agreement Template. Legal Contracts Template
Sample Business Separation Agreement - 5+ Free Documents Download. Separation Agreement Template Nc | Best Business Temp

Separation Agreement Template Nc | Template Business
Aug 6, 2017 - Divorce Worksheet & Separation Agreement – Divorce Source in Separation Agreement Template Nc. 11 Be

Business Plan template - NAB
Your business needs a strong plan that sets out what you want to achieve, how you'll do it, and what you'll get out of i

business plan template
The aim should be to produce a business plan of 20 to 30 pages at most. This document is based on the requirements of Ge

Hair Extension Business Plan: Blueprint for Success
A business plan is a written document that highlights in detail how business, usually a new one is going to achieve its