
SAP Risk Management

PDF download from SAP Help Portal:


http://help.sap.com/saphelp_grcrm10/helpdata/en/13/de98bd929b45ac9cb6ad56d3ccb9c8/frameset.htm
Created on May 29, 2014
The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help Portal.
Note
This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.
The selected structure has more than 150 subtopics. This download contains only the first 150 subtopics. You can manually download the missing subtopics.
2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG
and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by
SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other
SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other
countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
PUBLIC
2014 SAP AG or an SAP affiliate company. All rights reserved.
Page 1 of 94
Table of content
1 SAP Risk Management
1.1 Release Note for SAP BusinessObjects Risk Management 10.0
1.2 Key Concepts
1.2.1 Risk Management Process
1.2.2 Levels of Authorization
1.2.2.1 Standard Roles and Authorization Objects
1.2.2.2 Risk Management Application Roles
1.2.3 Workflows
1.2.3.1 Agent Determination
1.2.4 Analysis Automation: Integration with EH&S
1.2.5 Customer-Defined Fields
1.2.5.1 Adding Customer-Defined Fields
1.2.6 Risk-Related Terminology
1.3 Integration
1.3.1 Integration with Process Control
1.3.1.1 Reusing the PC Central Process Hierarchy in RM
1.4 Work Centers
1.4.1 My Home
1.4.1.1 Work Inbox
1.4.1.1.1 Risk Management Work Inbox
1.4.1.2 Ad Hoc Tasks
1.4.1.2.1 Proposing a Risk
1.4.1.2.2 Creating Response Proposals
1.4.1.2.3 Reporting an Ad Hoc Incident
1.4.1.2.3.1 Workflow for Recording Incidents
1.4.1.2.4 Issues
1.4.1.3 My Objects
1.4.1.3.1 My Risks
1.4.1.3.2 My Responses
1.4.1.3.3 My Incidents
1.4.1.3.4 My Policies
1.4.1.4 Document Search
1.4.1.5 My Delegation
1.4.2 Master Data
1.4.2.1 Organizations
1.4.2.1.1 Working with Organizational Units
1.4.2.1.1.1 Entering Risk-Specific Organization Data
1.4.2.1.1.2 Managing Organizational Key Risk Indicators
1.4.2.2 Regulations and Policies
1.4.2.2.1 Regulations
1.4.2.2.2 Policies
1.4.2.2.2.1 Creating a Policy Group
1.4.2.2.2.2 Creating a Policy
1.4.2.2.2.3 Reviewing a Policy
1.4.2.2.2.4 Approving a Policy
1.4.2.2.2.5 Publishing a Policy
1.4.2.3 Objectives
1.4.2.3.1 Business Objectives Hierarchy
1.4.2.4 Activities and Processes
1.4.2.4.1 Activities
1.4.2.4.1.1 Activity Hierarchy
1.4.2.4.1.2 Creating Activity Categories
1.4.2.5 Risks and Responses
1.4.2.5.1 Risk Catalog
1.4.2.5.1.1 Classifying Risks, Opportunities, and Responses
1.4.2.5.1.2 Creating a Risk Template
1.4.2.5.1.3 Distributing a Risk Template
1.4.2.5.2 Opportunity Catalog
1.4.2.5.2.1 Creating an Opportunity Category and Template
1.4.2.6 Risk Consistency Reports
1.4.2.6.1 Working with the RM Consistency Checker
1.4.2.7 Reports (Master Data)
1.4.2.8 Content Lifecycle Management
1.4.2.8.1 Content Group
1.4.2.8.2 Package
1.4.2.8.3 Content Group and Package Management
1.4.2.8.3.1 Extracting and Editing Content Groups
1.4.2.8.3.1.1 Mass Edit
1.4.2.8.3.1.1.1 Downloading and Uploading with XML
1.4.2.8.3.2 Creating and Editing Packages
1.4.2.8.3.3 Package Export
1.4.2.8.3.4 Package Import
1.4.2.8.3.5 Content Group Comparison
1.4.2.8.3.5.1 Comparing Content Groups
1.4.2.8.3.6 Content Group Deployment
1.4.3 Rule Setup
1.4.3.1 Continuous Monitoring
1.4.3.2 Key Risk Indicators
1.4.3.2.1 Creating KRI Templates
1.4.3.2.2 Creating KRI Implementations
1.4.3.2.2.1 Technical Requirements for BW Queries
1.4.3.2.2.2 Technical Requirements for SAP Queries
1.4.3.2.2.3 Using External Web Services
1.4.3.2.3 Assigning KRIs to a Risk
1.4.3.2.3.1 Creating KRI Business Rules
1.4.3.2.4 Using Workflow to Create KRI Implementation Requests
1.4.3.2.5 Using Workflow to Create KRI Instance Localization Requests
1.4.3.2.6 Managing KRI Value Inputs
1.4.3.2.7 KRI Aggregation Hierarchy
1.4.3.2.7.1 Searching KRI Aggregation Hierarchies
1.4.3.2.7.2 Creating KRI Aggregation Hierarchies
1.4.3.2.7.3 Modifying KRI Aggregation Hierarchies
1.4.3.2.7.4 Deleting KRI Aggregation Hierarchies
1.4.3.2.8 KRI Aggregation Run
1.4.3.2.8.1 Searching KRI Aggregation Runs
1.4.3.2.8.2 Creating KRI Aggregation Runs
1.4.3.2.8.3 Modifying KRI Aggregation Runs
1.4.3.2.8.4 Deleting KRI Aggregation Runs
1.4.4 Assessments
1.4.4.1 Surveys
1.4.4.1.1 Question Library
1.4.4.1.1.1 Creating Questions for Surveys
1.4.4.1.2 Survey Library
1.4.4.1.2.1 Creating Surveys
1.4.4.1.3 Score-Based Valuation for Surveys and Questions
1.4.4.2 Risk Assessments
1.4.4.2.1 Risks and Opportunities
1.4.4.2.1.1 Creating a Risk
1.4.4.2.1.1.1 Creating a Risk from a Template
1.4.4.2.1.1.2 Risk Deletion
1.4.4.2.1.2 Risk Validation Workflow
1.4.4.2.1.3 Risk Analysis
1.4.4.2.1.3.1 Residual Risk Calculation
1.4.4.2.1.3.2 Background Information on Risk Analysis
1.4.4.2.1.3.3 Creating a Risk Analysis
1.4.4.2.1.3.3.1 Quantitative Risk Analysis
1.4.4.2.1.3.3.2 Risk Analysis Using Scoring
1.4.4.2.1.3.3.2.1 Quantitative Risk Analysis Using Scoring
1.4.4.2.1.3.3.2.2 Qualitative Risk Analysis Using Scoring
1.4.4.2.1.3.3.3 Historical Risk Analysis Report
1.4.4.2.1.3.4 Collaborative Risk Assessment
1.4.4.2.1.3.4.1 Creating a Collaborative Risk Assessment
1.4.4.2.1.3.4.2 Creating a Collaborative Risk Assessment from a Risk
1.4.4.2.1.3.4.3 Consolidating Collaborative Risk Assessment Results
1.4.4.2.1.3.4.4 Workflow for Collaborative Risk Assessments
1.4.4.2.1.3.5 Analysis Automation: Integration with EH&S
1.4.4.2.2 Graphical View Risk Creation
1.4.4.2.2.1 Identifying Risk Data
1.4.4.2.2.2 Assessing a Risk
1.4.4.2.2.3 Mitigating a Risk in the Graphical View
1.4.4.2.3 Risk Mitigation
1.4.4.2.4 Creating an Opportunity
1.4.4.2.5 Risk Responses and Enhancement Plans
1.4.4.2.5.1 Working with Response Templates
1.4.4.2.5.2 Creating a Response or Enhancement Plan
1.4.4.2.5.3 Creating Response Proposals
1.4.4.2.5.4 Assigning a Response
1.4.4.2.5.5 Using PC Controls
1.4.4.2.5.5.1 Monitoring Control Effectiveness and Assessment Results
1.4.4.2.5.5.2 Sample Workflow: Control Proposal Notification
1.4.4.2.5.6 Workflows for Responses
1.4.4.2.5.7 Working with Response Automation
1.4.4.2.5.7.1 Example: Response Automation for Plant Maintenance
1.4.4.2.5.8 Using a Policy as a Risk Response
1.4.4.2.6 Activities
1.4.4.2.6.1 Creating an Activity
1.4.4.2.6.2 Activity Validation Workflow
1.4.4.2.7 Working with Contexts
1.4.4.2.8 Creating an Issue for a Risk, Opportunity, or Response
1.4.4.2.9 Risk Assessment Reports
1 SAP Risk Management

SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best practice
management frameworks.
Recommendation
If you have also licensed the Process Control component, see the corresponding documentation under SAP Process Control.
Implementation Considerations
The Customizing for SAP Risk Management enables you to carry out the necessary configuration activities and describes the administrative functions necessary
to run the application.
Note
For the graphical representation of activities and scenarios, you must install the latest version of Java Runtime (JRE version 6 update 13 or higher) on your
front-end system. For more information, see www.java.com.
Features
SAP Risk Management uses the various work centers of the GRC, in which you can carry out all Risk Management activities. For more information about Risk
Management activities, see the individual work center topics.
Note
All Risk Management functions are executed in the SAP NetWeaver Portal. For information about using the portal, see Portal.
1.1 Release Note for SAP BusinessObjects Risk Management 10.0 (New)
Technical Data
Product Version: SAP BusinessObjects Risk Management 10.0
Area: GRC-RM Risk Management
Country Relevance: Valid for all countries

SAP BusinessObjects Risk Management 10.0 includes the following new features and enhancements:
Multiple stakeholders can now participate in collaborative risk assessment, which improves productivity by reducing administrative time spent
conducting workshops, by aggregating participant feedback, and by documenting risk assessment results.
The graphical view provides a visual workbench for non-experts to model risks and their relationship to business impacts and responses, and bridges the
gap between risk management and the business functions of an organization.
By allowing risks to be assigned to corporate policies and enabling procedures to be assigned as risk mitigations, integration with policy management
ensures that the company is appropriately mitigating the risks required to comply with the corporate policies currently in its residual risk profile.
Integrated issue management documents and follows up on issues identified for risks, activities, responses, opportunities and scenarios.
The risk catalog serves as a repository for risk templates and best-practice responses to risks. The catalog distributes risks across the organization and
provides a unified view on risks across the enterprise.
The response catalog is a repository for best-practice risk responses to mitigate, transfer, and avoid risk.
Risk scoring is a new assessment tool that uses a point system approach to complement qualitative and quantitative risk assessment methods, thus
making it easier for non-experts to assess risk.
Enhanced overview dashboards provide greater usability and aggregation capabilities when analyzing loss structure and reviewing risks.
1.2 Key Concepts

The key concepts explained in this documentation for Risk Management are:
Risk Management Process
Levels of Authorization
Workflows
Integration with Process Control
Customer-Defined Fields
Risk-Related Terminology
1.2.1 Risk Management Process

The basic risk management process, as suggested by most risk management frameworks, involves the steps described below. You can use this process to
step through all risk management activities, from Customizing to user processing, up until the reporting phase.
Prerequisites
You have made the corresponding settings in Risk Management Customizing.
Process
1. Risk Planning
In the planning phase, you define and document your company's risk management framework. This allows the implementation of risk management
programs on a large scale, and enables you to streamline and reduce duplicate efforts in the company's different organizational units. The following steps
are involved in risk planning:
Initial definition and assignment of roles and responsibilities. For more information, see Risk Management Application Roles.
Setup of the organizational hierarchy and organizational views to be used.
Definition of risk-relevant business activities (such as processes, projects, or other company assets).
Creation of a risk classification structure, so that you can structure and report on risk assessment results.
Definition of a key risk indicator (KRI) framework to automate and reduce risk monitoring efforts.
2. Risk Identification
In this phase, you carry out the following tasks:
Identify and collect information on your company's risks, such as the risk drivers, potential impacts and the relationships between risk events.
Define and assign key risk indicators for the risks. For more information, see Key Risk Indicators.
Document the relationships between risks and create surveys for risks, activities, and risk indicators. For more information, see Surveys.
3. Risk Analysis
In this phase, you assess risks and review historical losses in the following way:
Qualitatively and/or quantitatively analyze the likelihood of occurrence of company risks and the potential impacts of the identified risks, so that you
can determine the necessary responses and investments to mitigate or control the risks. For more information, see Risk Analysis.
Collaborate with business stakeholders to collect risk analysis data, or create surveys or other workflows to help in collecting and interpreting risk
analysis data. This enables you to build risk scenarios and simulations, as well as precisely determine your risk exposure. You can also group
similar risks. For more information, see:
Scenario Management
Incident Management
Surveys
4. Risk Response
In this phase, you carry out the following tasks:
Document the response measures taken to manage the risks and their current status. You do this by taking measures to actively mitigate the
probability or potential impact of the risk, such as defining the risk assessment and approval or review cycles for risks and their responses, and
assigning response ownership and actions.
You can also propose and assign internal controls from Process Control, provided you have installed this application. For more information, see Using
PC Controls and Control Objectives.
For more information about responses, see Creating a Response or Enhancement Plan.
5. Risk Monitoring
In this phase, you carry out the following steps to evaluate your organization's risk exposure:
Analyze and report on your company's risk situation. This step includes documentation of incidents and losses for occurred risk events, to track the
effectiveness of mitigation measures such as responses and controls. For more information about documenting incidents, see Incident Management.
You can also monitor the effectiveness and completeness of the responses that were used to mitigate your risks.
Furthermore, to enable the continuous monitoring of risks, in this phase you run the reports for risks and their history, as well as for key risk indicators
defined for these risks. For more information, see Reporting and Analytics and Dashboards (Heatmap, Overview, Top Risks, and Other).
1.2.2 Levels of Authorization

Risk Management uses different levels of authorization, depending on user profiles and the system used, for the following reasons:
The back-end system uses different roles than the SAP NetWeaver Portal. A detailed list is provided below.
The standard SAP authorization concept does not cover the authorization needs of Risk Management, so RM-specific application roles have been
developed. This has the additional advantage that authorizations can be differentiated according to the entity level involved. One risk manager, for example,
can be responsible for all entities (such as activities, risks, opportunities, and incidents) in one organizational unit, and another risk manager can be
responsible for the same entities in another organizational unit. Each manager then accesses the risks for which they are responsible, and not all risks in
the entire company.
Features
Before it is possible to work with Risk Management, the following kinds of roles must be accessed and activated:
The NetWeaver portal role is called com.sap.grc.rm.Role_All
This role enables you to configure the portal navigation structures and menu tabs. This role should be assigned to all Risk Management users directly or via
a group in the portal. The superuser must ensure that the portal interface can be accessed with the correct level of authorization by all other users.
Subsequently, the user can access the Risk Management work centers in the portal.
Standard or back-end roles
These roles define the authorizations in the back-end system, where, for example, Customizing is done. This kind of role should be assigned to users with a
back-end user profile. Every RM user should have the role SAP_GRC_FN_BASE assigned, since this is the basic role used to run the Risk
Management applications. For more information and further back-end roles, see Standard Roles and Authorization Objects.
Application roles
For all business users, the Risk Management application roles should be assigned as well. For more information, see Risk Management Application Roles.
Note
Standard roles are also referred to as basic roles, and application roles are also referred to as model roles.
After the application roles have been defined, they can be assigned to different users and different entities within the RM application, as described in Assigning
Roles to Risks and Activities.
1.2.2.1 Standard Roles and Authorization Objects

The authorization concept of SAP NetWeaver assigns authorizations to users on the basis of roles. Some general SAP standard roles are delivered with Risk
Management as described below.
You can copy and adjust these default roles in Customizing under SAP NetWeaver > Application Server > System Administration > Users and
Authorizations > Maintain Authorizations and Profiles using Profile Generator > Maintain Roles (transaction PFCG).
In the Risk Management application, the power user can assign these roles to the corresponding entities.
Features
The standard roles that are delivered with the Risk Management application are:
Basic Role (SAP_GRC_FN_BASE): The basic technical role for a user who wants to use Risk Management or Process Control. This role contains all
necessary authorizations to make the necessary Customizing settings for this application. This role does not contain any authorizations for the portal interface.
Business User (SAP_GRC_FN_BUSINESS_USER): A user with this role is only authorized to perform operations on assigned entities in Risk Management.
We recommend that a user with this role also be assigned a portal role for Risk Management in order to use the web interface of the application.
Power User (SAP_GRC_FN_ALL): In addition to the authorizations of the business user, a power user also has authorization for administrative functions in
Customizing, such as the definition of organizational units.
Display User (SAP_GRC_FN_DISPLAY): A user with this role can display all risk data in the portal. This role is useful for external auditors, for example. We
recommend using this role in addition to the business user role.
Note
For more information, see the documentation on the individual roles in transaction PFCG, for example, Changing Standard Roles.
Activities
To work with user roles, the following steps are necessary:
1. The system administrator assigns the basic role SAP_GRC_FN_BASE to all users working with the Risk Management application. This role contains the
technical authorizations required to run the application. Without this role, assigned users cannot run the application.
2. The system administrator copies the delivered power user role SAP_GRC_FN_ALL, makes any necessary adjustments, and assigns the modified copy of
the standard role to a user who then becomes a power user for the application. Alternatively, the delivered standard role can be used directly.
3. The system administrator copies the delivered display user role SAP_GRC_FN_DISPLAY, makes any necessary adjustments, and assigns the modified
copy of the standard role to other users who become display users for the application. Alternatively, the delivered standard role can be used directly.
4. The system administrator copies the delivered business user role SAP_GRC_FN_BUSINESS_USER, makes any necessary adjustments, and assigns the
modified copy of the standard role to other users who become business users for the application. Alternatively, the delivered standard role can be used
directly. The business users' authorizations within the application can be defined further by the application roles.
Note
For more information about application roles, see Risk Management Application Roles.
5. The portal administrator copies the delivered roles, makes any necessary adjustments, and assigns the modified copy of the enterprise portal roles to the
end users to grant them the required access to the Risk Management application. Alternatively, the delivered standard role can be used directly.
1.2.2.2 Risk Management Application Roles

A large number of users, who may change frequently, perform operations related to risk management in different functions. The roles and authorization concept
provides the required flexibility for the end user. In addition to the general SAP standard roles that the system administrator maintains in transaction
PFCG, application-specific roles are also available in transaction PFCG; these define the set of operations and the detailed authorizations for an end user.
Note
For a list and information on the standard roles delivered with SAP Risk Management, see Standard Roles and Authorization Objects.

The application-specific roles defined in transaction PFCG refine the authorizations delivered in the Business User role (SAP_GRC_FN_BUSINESS_USER). An
application-specific role consists of operations (such as create, edit, delete) for different entities in the application (for example, for an organizational unit or a risk).
For more information, see Assigning Roles to Risks and Activities.
Recommendation
To ensure sufficient transparency and oversight for the authorizations currently granted in this application and for the entities stored for it, a set of predefined
authorization reports is also provided. These include a check to ensure that the segregation of duties is adhered to during the assignment of the SAP default
and application-specific roles.
[Figure: Defining users, roles, and assignments to authorization objects]
Risk Management Sample Application Roles
The following sample application roles are available for use in the Risk Management application:
SAP_GRC_RM_API_ACTIVITY_OWNER: Activity owner
SAP_GRC_RM_API_CENTRAL_RM: Risk template manager
SAP_GRC_RM_API_CEO_CFO: CEO/CFO
SAP_GRC_RM_API_INCIDENT_EDITOR: Incident editor
SAP_GRC_RM_API_INTERNAL_AUD: Internal auditor
SAP_GRC_RM_API_LIAISON: System administrator
SAP_GRC_RM_API_OPP_OWNER: Opportunity owner
SAP_GRC_RM_API_ORG_OWNER: Organizational unit owner
SAP_GRC_RM_API_RISK_MANAGER: Unit risk manager
SAP_GRC_RM_API_RISK_OWNER: Risk owner
Steps Involved in Role Creation
You can copy roles to your user namespace and change them, or create other roles according to your organization's needs. For example, you can define a new
validator role, or a reporting role for occasional users who want to report a risk. For more information, see Role Administration.
To assign users, proceed as follows:
1. Call transaction PFCG and copy the general SAP roles described above to your user namespace.
2. Adjust the authorizations in these roles to suit the requirements of your system.
3. Assign the adjusted roles to the appropriate users.
4. Save your entries.
Note
After users have been assigned to roles, an authorized user or system administrator needs to check that there is a segregation of duties for Risk Management.
This is done via the corresponding authorization report in the application, called Entity Authorization Analysis, which is found under Reports and Analytics >
Access Management.
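The entity-level authorization idea from Levels of Authorization (one risk manager sees only the risks of their own organizational unit) and the segregation-of-duties check described in the Note above can be modelled in a few lines. The following Python is an added illustrative example, not SAP code: the role names are the sample application roles listed above, but the operations each role permits, the entity hierarchy and the conflicting role pairs are constructed assumptions for this example.

```python
"""Entity-scoped authorization check with a segregation-of-duties (SoD) report.

Added illustrative model, not SAP code. RM application roles are assigned per
entity (a risk manager for one organizational unit, another for a different
unit) and an authorization report checks segregation of duties afterwards.
Role names are the sample application roles from the documentation; the
operations per role, the entity hierarchy and the conflicting role pairs are
constructed assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Operations each application role permits (constructed assumption).
ROLE_OPERATIONS = {
    "SAP_GRC_RM_API_RISK_MANAGER": {"create", "edit", "delete", "display"},
    "SAP_GRC_RM_API_RISK_OWNER": {"edit", "display"},
    "SAP_GRC_RM_API_ORG_OWNER": {"create", "edit", "display"},
    "SAP_GRC_RM_API_INTERNAL_AUD": {"display"},
}

# Role pairs one user must not hold on the same entity (constructed assumption:
# whoever audits an entity should not also manage or own it).
SOD_CONFLICTS = [
    frozenset({"SAP_GRC_RM_API_RISK_MANAGER", "SAP_GRC_RM_API_INTERNAL_AUD"}),
    frozenset({"SAP_GRC_RM_API_RISK_OWNER", "SAP_GRC_RM_API_INTERNAL_AUD"}),
]


@dataclass(frozen=True)
class Entity:
    kind: str                          # "ORGUNIT" or "RISK"
    entity_id: str
    parent: Optional["Entity"] = None  # a risk belongs to an organizational unit


class Assignments:
    """Entity-level role assignments: (user, entity) -> roles held directly."""

    def __init__(self):
        self._direct = defaultdict(set)

    def assign(self, user: str, role: str, entity: Entity) -> None:
        if role not in ROLE_OPERATIONS:
            raise ValueError(f"unknown application role: {role}")
        self._direct[(user, entity)].add(role)

    def effective_roles(self, user: str, entity: Entity) -> set:
        """Roles on the entity itself plus roles inherited from its parent chain."""
        roles = set()
        node = entity
        while node is not None:
            roles |= self._direct.get((user, node), set())
            node = node.parent
        return roles

    def is_authorized(self, user: str, operation: str, entity: Entity) -> bool:
        return any(operation in ROLE_OPERATIONS[r]
                   for r in self.effective_roles(user, entity))

    def sod_violations(self):
        """What an entity authorization analysis would report: (user, entity, roles)."""
        found = []
        for user, entity in list(self._direct):
            effective = self.effective_roles(user, entity)
            for pair in SOD_CONFLICTS:
                if pair <= effective:
                    found.append((user, entity, pair))
        return found


def build_sample():
    """Constructed sample: two org units, one risk each, three users."""
    na = Entity("ORGUNIT", "NA")
    eu = Entity("ORGUNIT", "EU")
    risk_na = Entity("RISK", "R-100", parent=na)
    risk_eu = Entity("RISK", "R-200", parent=eu)
    a = Assignments()
    a.assign("alice", "SAP_GRC_RM_API_RISK_MANAGER", na)      # manages all NA risks
    a.assign("bob", "SAP_GRC_RM_API_RISK_MANAGER", eu)        # manages all EU risks
    a.assign("carol", "SAP_GRC_RM_API_INTERNAL_AUD", eu)      # audits EU ...
    a.assign("carol", "SAP_GRC_RM_API_RISK_OWNER", risk_eu)   # ... but also owns an EU risk
    return a, risk_na, risk_eu


if __name__ == "__main__":
    assignments, r_na, r_eu = build_sample()
    print("alice may delete R-100:", assignments.is_authorized("alice", "delete", r_na))
    print("alice may display R-200:", assignments.is_authorized("alice", "display", r_eu))
    for user, entity, roles in assignments.sod_violations():
        print(f"SoD conflict: {user} holds {sorted(roles)} on {entity.kind} {entity.entity_id}")
```

The inheritance walk is what gives the unit-level scoping: alice, assigned on organizational unit NA, is authorized on every NA risk and on nothing in EU. The SoD report evaluates effective rather than directly assigned roles, so carol's conflict (auditor on the unit, owner of one of its risks) is caught even though the two roles were assigned at different levels.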
1.2.3 Workflows

The Risk Management application is shipped with a set of workflows that enable collaboration on risk management activities within a company by making use of
the standard SAP workflow functionality.
SAP workflows are based on the guided procedures that walk users through a risk management activity or process. Workflow examples include the validation of
risk reassessments, validation of assessment results, or the review of a newly-documented risk in the application.
Workflows in Risk Management can be classified according to whether they are:
Event-based workflows: These are predefined end-to-end processes triggered by user actions such as proposing a risk.
Event-based workflows are defined using business events: A business event involves the assignment of a workflow task to a recipient, which is also
known as agent determination. For example, the risk validation workflow is assigned to the recipient called Risk Manager.
Planner-based workflows: These are workflows that are planned and triggered through the Risk Management Planner function, such as updating a risk
or creating a risk survey.
Note
Although most workflows are based on the Risk Management Planner functions, the workflows for proposing risks and reporting incidents are handled
differently. For these, you must access the Ad Hoc Tasks section in the My Home work center. For more information, see Ad Hoc Tasks and Workflow for
Recording Incidents.
Prerequisites
The following workflow Customizing activities must be carried out before you can work with SAP workflows:
Maintain Custom Agent Determination Rules: Specifies the agent determination rules to be used for business events in Risk Management
Perform Automatic Workflow Customizing: Assigns customer notification messages to workflow recipients
Perform Task-Specific Customizing: Makes the settings required to adapt SAP workflows to Risk Management
Features
A workflow is triggered when you schedule a reassessment or validation and includes the following steps:
1. The workflow goes to all recipients that were defined for it, and appears as a task in the recipients' worklist in the Work Inbox.
2. The recipients complete the workflow item by accessing the corresponding application to process the data.
The Risk Management application contains the following workflows, carried out using the Planner:
Activity validation: Allows a planner (for example, a risk manager) to obtain sign-off and confirmation for the current risk situation for an activity (such as a process, project, or company asset). For information, see Activity Validation.
Risk validation: Enables the risk manager to obtain sign-off and confirmation for the current risk (including the assigned responses). For information, see Risk Validation Workflow.
Opportunity validation: Enables the risk manager to obtain sign-off and confirmation for the current opportunity (including analysis and assigned enhancement plans).
Risk assessment: Supports risk managers by providing an update for risks in their areas of responsibility by sending out risk assessment work items. For more information, see Workflow for Collaborative Risk Assessments.
Opportunity assessment: Supports the risk manager by providing an update for opportunities by sending out an opportunity assessment work item.
Response update: Enables risk managers and risk owners to keep track of current risk responses by sending work items to the validator's work inbox. For more information, see Working with Response Workflows.
Furthermore, there are the following event-based workflows:
Risk proposal (trigger: risk proposed): Ensures that users review a (potential) risk entered through the Propose Risk function and rework it if needed before it is stored in the risk database. For information, see Proposing a Risk.
Incident validation (trigger: incident posted): Ensures that users check a reported incident for completeness and accuracy before it is stored in the incident database. For information, see Working with Incidents.
KRI implementation request (trigger: KRI implementation request): Ensures the proper configuration and system setup for Key Risk Indicator (KRI)-related data, which should be available for risk monitoring. For information, see Workflow for KRI Implementation Request.
KRI localization request (trigger: KRI localization request): Optional adjustment of an assigned KRI with respect to risk-specific settings. For information, see Workflow for KRI Instance Localization Request.
Propose control (for users of both Risk Management and Process Control; trigger: risk mitigation using controls): Allows users (for example, risk managers) to propose a control to mitigate a risk. The control becomes part of the regular monitoring activities in Process Control. For information, see Using PC Controls and Sample Workflow: Control Proposal Notification.
1.2.3.1 Agent Determination

Agent determination is the system process that assigns users to workflows. The entity-based authorization concept in Risk Management is used for agent
determination in workflow processing or for surveys. For each usage of agent determination, a business event is determined. A business event is a placeholder
for recipient determination in workflow-driven scenarios or surveys, and the workflow processor or survey recipient is considered the agent.
For agent determination, the implementation team maps the Risk Management roles to the business events in Customizing. The assignment of business events to
RM roles in Customizing is optional. If no Customizing has been defined here, the default system behavior is applied.
When the workflow or survey requires the agent, it triggers the agent determination rule with the corresponding business event and object ID.
Features
Besides using the SAP-delivered rules and workflows, you can also create your own rules. The customer-specific rules override the delivered default rules.
More Information
See Workflows.
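The agent determination described above (a business event plus an object ID resolved to a recipient through the role mapping in Customizing, with customer-specific rules overriding the delivered ones) can be illustrated with a small resolver. The Python below is an added example, not SAP code: the event names, the delivered mapping (apart from risk validation going to the risk manager, which the text states), the object hierarchy and the user assignments are constructed for this example, and the fallback from a risk to its organizational unit is an assumption about how entity-level assignments are searched.

```python
"""Agent determination for a workflow task, driven by a business event.

Added illustrative model, not SAP code. Customizing maps RM roles to business
events (optional; without it the default behaviour applies), the rule is
triggered with a business event and an object ID, and customer-specific rules
override the delivered defaults. Event names, the delivered mapping (except
RISK_VALIDATION -> risk manager, which the documentation gives as its example),
the object hierarchy and the user assignments are constructed sample data.
"""
from typing import Dict, List, Optional, Set, Tuple

# Delivered default rules: business event -> RM application role.
DELIVERED_RULES: Dict[str, str] = {
    "RISK_VALIDATION": "SAP_GRC_RM_API_RISK_MANAGER",
    "RISK_PROPOSED": "SAP_GRC_RM_API_RISK_MANAGER",
    "INCIDENT_POSTED": "SAP_GRC_RM_API_INCIDENT_EDITOR",
}

# Object hierarchy: risk -> owning organizational unit (constructed sample data).
PARENT_OF: Dict[str, Optional[str]] = {"R-100": "NA", "R-200": "EU", "NA": None, "EU": None}

# Entity-level role assignments: (role, object ID) -> users (constructed sample data).
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("SAP_GRC_RM_API_RISK_MANAGER", "NA"): {"alice"},
    ("SAP_GRC_RM_API_RISK_MANAGER", "EU"): {"bob", "dave"},
    ("SAP_GRC_RM_API_INCIDENT_EDITOR", "EU"): {"erin"},
    ("SAP_GRC_RM_API_RISK_OWNER", "R-200"): {"carol"},
}


class AgentDeterminationError(Exception):
    """No recipient found: a work item without an agent would never reach any inbox."""


def effective_rules(customer_rules: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Delivered rules with customer-specific rules layered on top (customer wins)."""
    rules = dict(DELIVERED_RULES)
    rules.update(customer_rules or {})
    return rules


def determine_agents(event: str, object_id: str,
                     customer_rules: Optional[Dict[str, str]] = None,
                     assignments: Dict[Tuple[str, str], Set[str]] = ROLE_ASSIGNMENTS,
                     parent_of: Dict[str, Optional[str]] = PARENT_OF) -> List[str]:
    """Return the sorted users who receive the work item for (event, object_id).

    The role is looked up for the event; users holding that role on the object
    itself win, otherwise the search walks up to the owning organizational unit
    (assumed fallback order for this example).
    """
    role = effective_rules(customer_rules).get(event)
    if role is None:
        raise AgentDeterminationError(f"no agent determination rule for business event {event}")
    node: Optional[str] = object_id
    while node is not None:
        agents = assignments.get((role, node), set())
        if agents:
            return sorted(agents)
        node = parent_of.get(node)
    raise AgentDeterminationError(f"no user holds {role} on {object_id} or its parents")


if __name__ == "__main__":
    # Default rule: risk validation for R-200 goes to the EU risk managers.
    print(determine_agents("RISK_VALIDATION", "R-200"))
    # Customer rule overriding the default: route risk validation to the risk owner instead.
    print(determine_agents("RISK_VALIDATION", "R-200",
                           customer_rules={"RISK_VALIDATION": "SAP_GRC_RM_API_RISK_OWNER"}))
```

Raising on an unresolvable agent, rather than silently returning an empty list, is the behaviour a defender wants: a validation work item that goes to nobody is a control that never runs, and the error is what makes that visible in the workflow log.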
1.2.4 Analysis Automation: Integration with EH&S

Some enterprise risks are related to environmental and worker safety. SAP has a separate solution, Environment, Health and Safety Management (EH&S),
where such risks can be processed by the solution-specific mechanisms absent in operational risk management. Integrating EH&S using analysis automation
allows you to track all enterprise risks using one application (Risk Management).
Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their probability and severity values, and copying those
values to the corresponding analysis parameters according to rules predefined in Customizing.
Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk analysis. EH&S risk assessments are intended to
be processed by an EH&S manager or other responsible user. Risk managers can use a specific report that runs in the background to track the current
probability and impact levels of the EH&S-related risks that they create (see prerequisite number 9 below).
Prerequisites
Before using analysis automation (integration with EH&S), ensure that the following conditions have been met:
1. The remote system (EH&S) is known, and the logical system has been created for it (transaction SM30, record in view V_TBDLS).
2. The user is authorized to create risk assessments in the EH&S remote system, and the user's logon credentials are known.
3. Log object GRRM and log sub-object ANLS_AUTOMATION have been created (transaction SLG0).
4. The RFC destination for the EH&S remote system has been created.
5. RM and EH&S probability and severity level values have been mapped in Customizing under Risk Management > Risk and Opportunity Analysis >
Map Probability and Severity Values from EH&S and RM.
6. Context dimensions have been created for the EH&S agent, EH&S work area, and material in Customizing under Risk Management > Risk and
Opportunity Analysis > Map Probability and Severity Values from EH&S and RM. Use dimension types EHSAGENT, EHSWA, and MATERIAL within
the logical system mentioned in step 1 and the RFC destination created in step 4.
7. Context dimensions have been assigned to a risk and risk category entity in Customizing under Risk Management > Master Data Setup > Assign
Dimension to Entity. Assign the dimensions created in step 6 to the entities RISK and CRGROUP.
8. Context dimensions have been set as allowed for the risk category you will use when creating a risk. In the Risk Management application, go to Master
Data > Risks and Responses > Risk Catalog. Open the desired risk category, go to the Allowed dimensions tab, and add the dimensions created in
step 6.
9. You have scheduled the report GRRM_ANLS_AUTOM_STATUS_UPDATE to run with a period of 1 hour.
Process
1. In the Assessments work center, open Risk and Opportunities .
2. Create a new risk.
3. Enter the risk name and specify the risk category (see step 8 of prerequisites).
4. Create an impact for the risk.
5. Go to the Analysis tab and create a new analysis.
6. Go to the Context tab and link the EH&S work area and EH&S agent to a risk as context objects.
Note
Instead of an EH&S agent, you can use a material (depending on conditions and requirements).
Caution
Be sure that no risk assessment with the specified combination of work area and agent/material already exists in EH&S. Such an existing risk
assessment will not be overwritten by the new risk assessment (in other words, the new risk assessment will not be created).
7. Submit the risk.
Result
A new risk assessment is created in the EH&S application of the remote system to be processed by the EH&S manager or other responsible user. The EH&S
risk assessment will be assigned probability and severity values. A background job (step 9 of prerequisites) replicates these values as probability and impact
level values for the corresponding risk analysis in Risk Management.
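The flow above (submit creates the EH&S assessment, the Caution about an existing work area and agent/material combination, and the background job copying values back), modelled as an added Python example that is not SAP code: the Customizing value mapping, the EH&S system, the log and all names are constructed stand-ins.

```python
"""Model of RM -> EH&S analysis automation. Constructed example, not SAP code:
mapping tables, system state and identifiers are in-memory assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Customizing mapping ("Map Probability and Severity Values from
# EH&S and RM"): RM level numbers <-> EH&S level names, and back.
RM_TO_EHS_PROBABILITY = {1: "LOW", 2: "MEDIUM", 3: "HIGH"}
RM_TO_EHS_SEVERITY = {1: "MINOR", 2: "MODERATE", 3: "MAJOR"}
EHS_TO_RM_PROBABILITY = {v: k for k, v in RM_TO_EHS_PROBABILITY.items()}
EHS_TO_RM_IMPACT = {v: k for k, v in RM_TO_EHS_SEVERITY.items()}

@dataclass
class RiskAnalysis:
    risk_id: str
    probability_level: int
    impact_level: int
    work_area: str                      # EH&S work area context object
    agent: Optional[str] = None         # EH&S agent context object ...
    material: Optional[str] = None      # ... or a material instead
    ehs_assessment_id: Optional[str] = None

@dataclass
class EhsAssessment:
    assessment_id: str
    work_area: str
    subject: str        # EH&S agent or material
    probability: str
    severity: str

class EhsSystem:
    """Stand-in for the remote EH&S system reached via the RFC destination."""
    def __init__(self) -> None:
        self.assessments: Dict[str, EhsAssessment] = {}
        self._seq = 0

    def find(self, work_area: str, subject: str) -> Optional[EhsAssessment]:
        for a in self.assessments.values():
            if a.work_area == work_area and a.subject == subject:
                return a
        return None

    def create(self, work_area: str, subject: str, probability: str, severity: str) -> str:
        self._seq += 1
        aid = f"EHS-{self._seq:04d}"   # constructed ID format
        self.assessments[aid] = EhsAssessment(aid, work_area, subject, probability, severity)
        return aid

LOG: List[str] = []   # stand-in for log object GRRM, sub-object ANLS_AUTOMATION

def submit_risk(analysis: RiskAnalysis, ehs: EhsSystem) -> Optional[str]:
    """Process step 7: on submit, create the EH&S assessment from the analysis.
    Returns the new assessment ID, or None when an assessment for the same
    work area + agent/material combination already exists (it is not
    overwritten, so nothing is created)."""
    subject = analysis.agent or analysis.material
    if subject is None:
        raise ValueError("context must link an EH&S agent or a material")
    if ehs.find(analysis.work_area, subject) is not None:
        LOG.append(f"{analysis.risk_id}: assessment for {analysis.work_area}/{subject} exists; not created")
        return None
    aid = ehs.create(analysis.work_area, subject,
                     RM_TO_EHS_PROBABILITY[analysis.probability_level],
                     RM_TO_EHS_SEVERITY[analysis.impact_level])
    analysis.ehs_assessment_id = aid
    LOG.append(f"{analysis.risk_id}: created {aid}")
    return aid

def status_update_job(analyses: List[RiskAnalysis], ehs: EhsSystem) -> int:
    """Model of the scheduled GRRM_ANLS_AUTOM_STATUS_UPDATE run: copy the
    current EH&S probability/severity back to the linked RM analyses as
    probability/impact levels. Returns the number of analyses changed."""
    updated = 0
    for a in analyses:
        if a.ehs_assessment_id is None:
            continue
        src = ehs.assessments.get(a.ehs_assessment_id)
        if src is None:
            continue
        p, i = EHS_TO_RM_PROBABILITY[src.probability], EHS_TO_RM_IMPACT[src.severity]
        if (p, i) != (a.probability_level, a.impact_level):
            a.probability_level, a.impact_level = p, i
            updated += 1
    return updated

def demo():
    """Two risks sharing one work area/agent combination; EH&S re-rates the first."""
    ehs = EhsSystem()
    r1 = RiskAnalysis("RISK-1", 1, 2, "WA-PAINT", agent="AGENT-SOLVENT")
    r2 = RiskAnalysis("RISK-2", 3, 3, "WA-PAINT", agent="AGENT-SOLVENT")  # duplicate
    first = submit_risk(r1, ehs)      # created
    second = submit_risk(r2, ehs)     # None: combination already exists
    ehs.assessments[first].probability = "HIGH"   # EH&S manager re-rates
    changed = status_update_job([r1, r2], ehs)
    return first, second, changed, r1.probability_level, r1.impact_level

if __name__ == "__main__":
    print(demo())
```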
1.2.5 Customer-Defined Fields

Customer organizations can add their own fields to the applications they have licensed.
For more information, see the corresponding Customizing section and Adding Customer-Defined Fields.
1.2.5.1 Adding Customer-Defined Fields

You can add customer-defined (user-specific) fields in the following areas:
For HR entities:
Risk, risk template, risk category
Opportunity, opportunity template, opportunity category
Activity and activity category
Response template
For non-HR entities:
Response
Enhancement plan
Incident
Customer-defined fields can be defined as mandatory, read-only, or hidden. You can also define a specific input check for customer-defined fields.
Prerequisites
You must have the S_DEVELOP authorization profile or the equivalent.
Procedure
To add customer-specific fields to screens of the Risk Management application, proceed as follows:
1. Call up the Customizing for Risk Management and carry out the activities under the corresponding section of User-Defined Fields .
2. Access SAP Note number 1470670 and its attachments for more detailed information.
Caution
You must test all changes in the development system before transporting them to the test and production systems.
Adding Customer-Defined Fields via Risk Template
Via the copy or assignment procedure, customer-defined fields that were created for a risk template are copied into a risk. For more information on risk template
creation, see Creating a Risk Template.
1.2.6 Risk-Related Terminology

Risk Management, Process Control, and Access Control have several risk-related terms that may need an explanation. The following table provides an overview
of risk terms with their definitions and the location in the applications where they are used.
Term | Explanation | Location in Application
Risk Management | SAP NetWeaver application for managing enterprise-wide risks | Entire Risk Management application
Risk | An uncertain event or condition that, if it occurs, has a negative impact on business objectives | Entire Risk Management application
Risk assessment | The evaluation of risks through definition and mitigation via responses | Assessments work center
Risk template | A template to be used for creating actual risks | Master Data work center, Risk Catalog
Primary risk | A risk used in a scenario, which has no risks influencing it | Assessments work center, Scenario Management
Top risks | A report containing user-defined risks that are very significant to management | Reports and Analytics work center, Management section
Influenced risk | A risk influenced by another risk | Assessments work center, Risks and Opportunities
Affected risk | A risk affected by a response | Assessments work center, Responses
Risk event | A risk that has not occurred | Assessments work center, Incident Management
Inherent risk | Overall risk before response | Assessments work center, Risks and Opportunities, Analysis tab of a risk
Residual risk | Overall risk after response | Assessments work center, Risks and Opportunities, Analysis tab of a risk
Proposed risk, risk proposal | A risk proposed by a casual user | My Home work center, Ad-hoc tasks
Risk appetite | Level of risk to be supported, which can be described qualitatively and quantitatively | Master Data work center, Organizations
Underlying risk | Risk defined on a lower level of the organization | Assessments work center, Risks and Opportunities
Risk category | User-defined category of risk | Master Data work center, Risks and Responses, Risk Catalog
Parent risk category | A high-level user-defined risk category | Master Data work center, Risks and Responses, Risk Catalog
Risk incident | An incident entered directly for a risk | Assessments work center, Risks and Opportunities, Risk Incidents tab, and Incident Management section
Risk level | Specifies the degree of risk using traffic light icons | Assessments work center, Risks and Opportunities
Risk factor | Synonym of influence factor: a risk with probability and impact data attached | Assessments work center, Risks and Opportunities
Risk summary | A report summarizing all risks per period, organization, and so on | Reports and Analytics work center
Risk analysis | Analysis of one risk | Assessments work center, Risks and Opportunities, Analysis tab of a risk
Risk scenario | A scenario containing several risks to be analyzed and evaluated | Assessments work center, Scenario Management
Risk aspect | A field in reports evaluating risks. By checkmarking this field in reports, the user can see how an impact level would be rated if the risk were seen from the perspective (aspect) of a different organizational unit. | Reports and Analytics work center, Risks per Organizational Unit
Risk instance | A risk template applied to an individual risk is considered an instance of the risk template, or risk instance. | Assessments work center, Risks and Opportunities, Analysis tab
Local risk | The same as a risk instance | Assessments work center, Risks and Opportunities, Analysis tab
Access risk | A risk defined for Access Control, specifying the severity of an irregularity related to Segregation of Duties (SOD) risks | Access Management work center, Access Risk Analysis section
SOD risk | The same as an access risk | Access Management work center, Access Risk Analysis section
1.3 Integration

Important Integration Information (English)
The processes and user interfaces of the following products are closely linked, as they have interconnected features:
SAP BusinessObjects Access Control
SAP BusinessObjects Process Control
SAP BusinessObjects Risk Management
You can access the features and documentation of one or several of these products only after licensing and installing the relevant products.
SAP BusinessObjects Access Control | June 2011 | SAP NetWeaver 7.02 Support Package Stack 06
SAP BusinessObjects Process Control | 10.0, June 2011 | SAP NetWeaver 7.02 Support Package Stack 06
SAP BusinessObjects Risk Management | 10.0, June 2011 | SAP NetWeaver 7.02 Support Package Stack 06
Copyright 2011 SAP AG. All rights reserved.
The integration topics describe the integration scenarios that leverage 10.0 features across multiple applications.
For more information, see the relevant integration topics.
Important Integration Information (German)
The processes and the user interface of the following products are very closely interlinked:
SAP BusinessObjects Access Control
SAP BusinessObjects Process Control
SAP BusinessObjects Risk Management
To access the functions and documentation of one or more of these products, you must have licensed and installed them accordingly.
SAP BusinessObjects Access Control | 10.0, June 2011
SAP BusinessObjects Process Control | 10.0, June 2011
SAP BusinessObjects Risk Management | 10.0, June 2011
SAP NetWeaver 7.02 Support Package Stack 06
Copyright 2011 SAP AG. All rights reserved.
1.3.1 Integration with Process Control

Provided your company has licensed both the Risk Management and Process Control applications, you can use a number of integrated functions as described
below.
Features
Among other things, risk templates are common to both Process Control and Risk Management. They can be defined and assigned from both applications.
Match-up of risk templates used in both Risk Management and Process Control
Common Menu Areas
The areas shared by both applications are:
GRC Role Assignments
Delegation
Document search
Planner See Risk Management Planner and Process Control Planner
Other Functions Common to Risk Management and Process Control
Beyond the functions described above, the following are common areas for both Risk Management and Process Control:
The use of a central PC process hierarchy as part of a Risk Management activity hierarchy. The PC processes are structured into subprocesses; for each
subprocess, controls are defined. Risks can be defined for controls, and these controls can then mitigate the risks specified for them. For more information,
see Reuse of PC Central Process Hierarchy in RM and Creating and Editing Global Processes and Controls.
The reuse of existing PC subprocesses as Risk Management activities. For more information, see Reuse of PC Central Process Hierarchy in RM.
The monitoring of PC assessment results: This conversion of traffic-light PC ratings to detailed RM percentages enables you to automatically monitor the
Process Control effectiveness and assessment results. They are mapped directly to Risk Management response effectiveness and completeness values in
percentage form. For more information, see Monitoring Control Effectiveness and Assessment Results.
For control proposals, which are converted to controls, you can do the following:
You can create a control proposal as a risk response in Risk Management.
If you are using Process Control, the process control application can implement the defined control, which is converted from the control proposal.
For more information, see Using PC Controls.
Note
For more information about creating risks, see Risks and Opportunities.
More Information
For more information about Process Control, see SAP Process Control.
1.3.1.1 Reusing the PC Central Process Hierarchy in RM

Provided you have licensed both the Risk Management and the Process Control applications, you can use the central PC subprocesses as activity categories in
GRC Risk Management. Furthermore, you can use the local PC subprocesses as local activities in RM.
In this way, a defined RM activity category can later be used to assign (local) activities to it. Otherwise no direct assignment of a (local) activity to the activity
category is possible.
This enables you to structure your risk assessment and risk reporting processes, with the option of using the activity hierarchy (containing the assigned
categories) primarily as a reporting or an assessment structure, or both.
Prerequisites
With both applications (Process Control and Risk Management) installed and running, the following procedure must be carried out before you can display and use
the PC process hierarchy in the Risk Management application in the activities screen:
Go to transaction GRFN_STR_CHANGE and make an entry corresponding to the one you have maintained in the above maintenance view. Note that this transaction
corresponds to the Customizing activity of Process Control called Set up Structure: Expert Mode and is documented there also. See the procedure below for the
exact steps.
Procedure
Note
When you access the RM activity overview screen, there are different processing modes, depending on your authorization:
If you have Risk Management authorization, the activities are available and can be edited.
With the same authorization, however, the PC subprocesses only open in display mode. You need PC authorization to change subprocesses. However,
you can attach a risk to a subprocess and submit it.
To use the Process Control central processes in Risk Management:
1. Access the Master Data work center and click the Activity Hierarchy link under Activities and Processes .
2. The activity hierarchy overview screen opens. Select an activity category and make note of it.
3. Access transaction GRFN_STR_CHANGE in the back-end system and go to the section on activity categories.
4. Below the activity category item, select Search Term to find the activity category that you are working with in the application. The result list is displayed at
the bottom left of the screen.
5. Select the activity category at the bottom left to see the data for it on the right-hand screen sections.
6. On the tab Activity Category Attributes (bottom section), access the Prefix field and select the Prefix ID called PROCESS.
7. Save your entry.
8. The Risk Management application now displays the Process Control hierarchy, containing its processes and subprocesses, in the lower section of the
activities screen.
Note
You may need to scroll in the Activity list to display the subprocesses in the list.
1.4 Work Centers

Work centers provide a central access point for the entire GRC functionality. They are organized to provide easy access to application activities, and contain
menu groups and links to further activities.
This documentation is structured according to the structures within the individual work centers, and contains links to further documentation for the menu groups and
links.
Note
The application provides a standard set of work centers. However, your system administrator can customize them according to your organization's internal
structures. Depending on the product or products that you have licensed, different areas of the GRC application are displayed (Access Control, Process
Control, Risk Management).
1.4.1 My Home

The My Home work center provides a central location to view and act on your assigned tasks, and accessible objects: organizations, processes, subprocesses,
controls.
The My Home work center contains the following sections:
Work Inbox
Ad Hoc Tasks
My Objects
Document Search
My Delegation
Note
The My Home work center is shared by the Access Control, Process Control, and Risk Management products in the GRC Application. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions specific to Risk
Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for the application-
specific functions.
Activities
The My Home work center allows you to:
View, access, and address workflow tasks assigned to you, including completed reports that you scheduled.
Perform document searches across all documents (including document content) for which you have authorization.
Assign delegates to perform your tasks or activities.
View and process your user data.
More Information
My Home - Access Control specific topics
My Home - Process Control specific topics
1.4.1.1 Work Inbox

The Work Inbox lists the tasks you need to process using GRC applications.
Activities
To process a task, choose a hyperlink in the table. The appropriate workflow window appears. Process the task as required.
The default view, STANDARDVIEW, determines which columns are displayed.
To change the displayed columns, choose Settings , maintain the columns as required, and save the view.
The new view appears in the View dropdown list.
1.4.1.1.1 Risk Management Work Inbox

The Work Inbox displays a user's Risk Management task list.
Prerequisites
The RM workflow-enabling activities in Customizing for GRC under General Settings Workflow must be maintained.
Features
The Risk Management tasks contain notifications, alerts, and workflows that are triggered at various stages of the Risk Management process. You can click on
any task in the list to complete the workflow.
More Information
Workflows
1.4.1.2 Ad Hoc Tasks

From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents, and issues, depending on the applications you
have licensed.
Procedure
Select the following links to work with individual ad hoc tasks:
Risk Proposals Proposing a Risk
Response Proposals Creating Response Proposals
Incidents Reporting an Ad Hoc Incident
Issues Identifying, Creating, and Assigning Ad Hoc Issues
1.4.1.2.1 Proposing a Risk

Proposing risks for an organizational unit or an activity makes sense for users who are not risk experts, that is, casual users. An employee self-service function is
used for this.
In the Propose Risk section, you access a restricted data view for risks and risk categories defined for particular activity categories. This reduces complexity
and helps streamline risk management activities within a company.
Note
The Propose Risk function represents a limited set of risk data. For information on the full set of risk data, see Creating a Risk.
Procedure
1. In the My Home work center, select Ad Hoc Tasks Risk Proposals .
2. Enter the name of the risk, the organizational unit, and risk category to be assigned to the risk and a description. If necessary, specify the activity.
3. Choose Submit .
4. The system now sends a workflow item to the appropriate user/role for processing. The risk is stored in the list of system risks with the risk type Proposal
and the status Pending Approval .
Working with Risk Proposals
The type of a proposed risk is Proposal until it is converted to a real risk, after which the status changes to Draft for a saved risk or Active when the risk is
submitted. A proposed risk can also be rejected altogether. Proceed as follows:
1. You can work directly with proposed risks by choosing a risk of the type Proposal from the risk list.
2. In the Risk Proposal screen, you can see the risk that was proposed, and you can choose either the Approve or the Reject pushbutton.
3. You receive a confirmation of the risk approval or rejection.
If approved, the risk is displayed in the list of risks with status Approved .
If rejected, the risk is no longer displayed in the list of risks.
Note
A list of proposed risks is displayed in the user's personal object worklist (POWL) under a separate tab, Proposed Risks .
1.4.4.2.5.3 Creating Response Proposals

Users can suggest ways to address risks by creating response proposals and submitting them to those responsible for risk mitigation.
Procedure
To create a response proposal:
1. Go to My Home Ad Hoc Tasks Response Proposals .
2. Enter the following information in the Create Response Proposal window:
Title (mandatory)
Org[anizational] unit
Risk
Type (mandatory)
Purpose
Automation type
Description
Steps
3. Click on Submit .
After the response proposal is submitted, the creator of the proposal receives an e-mail confirmation that the proposal was successfully submitted, that is,
delivered to the work inbox of the person responsible for mitigating the specified risk. This person can then approve or reject the response proposal.
Note
Users who are assigned as agents via 0RM_RESPONSE_PROPOSE are authorized to receive and approve or reject response proposals. The approver can
create a response or response template from the response proposal after approving it. For more information, see Creating a Response or Enhancement Plan
and Working with Response Templates.
The creator of the response proposal is notified by e-mail when the response proposal is approved or rejected.
Submitted proposals (including their current status waiting for approval, approved, or rejected) are listed in the Proposed Responses tab found in work center
Assessments Risk Assessments Responses and Enhancement Plans . Click on the name of the response proposal to review its contents.
1.4.1.2.3 Reporting an Ad Hoc Incident

In the My Home work center, you can report incidents in an ad hoc manner if they are urgent or need immediate attention. You can enter or post incidents;
however, in the case of ad hoc incidents, you access a simplified user interface for posting an individual incident. The full functionality for creating incidents can
be accessed from the Incident Management section of the Assessments work center.
Note
An ad hoc risk proposal or posting of an incident might affect an organization's ability to continue as a going concern. In this case, the monetary effect of the
respective losses (due to an incurred risk) would be high, and might require immediate action.
Procedure
1. Call the My Home work center and then choose the Incidents link under Ad Hoc Tasks .
2. In the Report Incident screen, enter the incident name, select an organization, and enter the incident date and the detection date.
Note
For the full processing of incidents and the prerequisites involved, see Working with Incidents
3. If necessary, enter a description and the incident attributes.
4. If you checkmark Define Loss , the lower screen section displays loss details and loss impact data that you can make entries for. At the right, you can add
loss attributes if necessary.
5. Make the necessary entries and choose the Submit pushbutton.
6. The incident has been submitted and goes through the necessary workflow processing. For more information, see Workflow for Recording Incidents.
1.4.1.2.3.1 Workflow for Recording Incidents
Prerequisites
The following prerequisites must be fulfilled before you can use the workflow functionality for incidents:
An incident or incidents must exist in the system.
Incident and loss attributes must be maintained and assigned to the corresponding organizational unit in Customizing under Risk Management
Incident Loss Database .
The corresponding roles and workflow enabling must be maintained in Customizing under General Settings Workflow .
Procedure
The procedure for recording incidents is as follows:
1. The incident is created with the initial status Draft .
2. After the incident is submitted, it has the status To Be Validated and the workflow goes to the incident validator or validators defined for Risk Management.
3. The incident validator is identified via agent determination, which can lead to one or multiple groups of validators being determined.
4. The incident is sent to the members of one group after the other.
5. As soon as one validator of a group validates the incident, it goes to the next group of validators for validation. This continues until one member of each group
has validated the incident. Once the incident is validated by all groups, it goes to status Accepted .
6. If one validator sends the incident for rework, the validation process is interrupted and the incident needs to be reworked by the user specified by the
validator sending for rework. The status is To Be Reworked .
7. After the reworker has resubmitted the incident, the validation process restarts with the first group of validators.
8. The reworker also has the option of refusing the incident, which sets the incident at status Canceled .
Incident Validation Workflow
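The validation sequence in steps 1 to 8, modelled as an added Python example that is not SAP code: validator groups (the result of agent determination) are passed in as plain lists of user names, and the status names are the ones used above.

```python
"""Model of the incident validation workflow. Constructed example, not SAP code:
validator groups and user names are assumptions standing in for agent
determination."""
from typing import List, Optional, Tuple

class Incident:
    def __init__(self, incident_id: str, validator_groups: List[List[str]]) -> None:
        if not validator_groups or any(not g for g in validator_groups):
            raise ValueError("agent determination must yield at least one non-empty group")
        self.incident_id = incident_id
        self.groups = validator_groups
        self.status = "Draft"                   # step 1
        self.current_group: Optional[int] = None  # group whose members hold the work item
        self.reworker: Optional[str] = None
        self.history: List[Tuple[str, str]] = []

    def _log(self, event: str) -> None:
        self.history.append((self.status, event))

    def submit(self) -> None:
        """Steps 2-4: submission sends the incident to the first validator group.
        A resubmission after rework restarts with the first group (step 7)."""
        if self.status not in ("Draft", "To Be Reworked"):
            raise RuntimeError(f"cannot submit in status {self.status}")
        self.status = "To Be Validated"
        self.current_group = 0
        self.reworker = None
        self._log("submitted")

    def pending_validators(self) -> List[str]:
        """Members who currently hold the validation work item."""
        if self.status != "To Be Validated" or self.current_group is None:
            return []
        return list(self.groups[self.current_group])

    def _check_validator(self, user: str) -> None:
        if self.status != "To Be Validated" or self.current_group is None:
            raise RuntimeError(f"no validation open in status {self.status}")
        if user not in self.groups[self.current_group]:
            raise PermissionError(f"{user} is not in the current validator group")

    def validate(self, user: str) -> None:
        """Step 5: one member of a group suffices; the item moves to the next
        group, and after the last group the status becomes Accepted."""
        self._check_validator(user)
        self._log(f"validated by {user}")
        assert self.current_group is not None
        if self.current_group + 1 < len(self.groups):
            self.current_group += 1
        else:
            self.status = "Accepted"
            self.current_group = None

    def send_for_rework(self, user: str, reworker: str) -> None:
        """Step 6: validation is interrupted; the named user must rework."""
        self._check_validator(user)
        self.status = "To Be Reworked"
        self.reworker = reworker
        self.current_group = None
        self._log(f"sent for rework by {user} to {reworker}")

    def refuse(self, user: str) -> None:
        """Step 8: only the assigned reworker may refuse, which cancels the incident."""
        if self.status != "To Be Reworked" or user != self.reworker:
            raise PermissionError("only the assigned reworker can refuse")
        self.status = "Canceled"
        self._log(f"refused by {user}")

def demo_accept() -> str:
    inc = Incident("INC-1", [["alice", "bob"], ["carol"]])
    inc.submit()
    inc.validate("bob")      # group 1 done with one vote; carol's turn
    inc.validate("carol")
    return inc.status

def demo_rework() -> Tuple[str, List[str]]:
    inc = Incident("INC-2", [["alice", "bob"], ["carol"]])
    inc.submit()
    inc.validate("alice")
    inc.send_for_rework("carol", "dave")
    inc.submit()             # resubmitted by the reworker: back to group 1
    return inc.status, inc.pending_validators()

def demo_refuse() -> str:
    inc = Incident("INC-3", [["alice"]])
    inc.submit()
    inc.send_for_rework("alice", "dave")
    inc.refuse("dave")
    return inc.status

if __name__ == "__main__":
    print(demo_accept(), demo_rework(), demo_refuse())
```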
1.4.1.2.4 Issues

Issues that did not arise from an evaluation-based test can be a question, action item, or planned task. An issue can be prompted by compliance or business
events or result from identifying a problem area. An issue can be created for any object, depending on the configuration done through the Customizing activities.
If an Issue Owner or an object has not been identified, the issue is sent to the Issue Administrator. This person can then assign an owner, an object or both. The
Issue Administrator or the designee then processes the issue.
Navigate to My Home Ad Hoc Tasks Issues .
More Information
Identifying, Creating and Assigning Ad Hoc Issues
1.4.1.3 My Objects

You can view and manage objects to which you have access using the My Objects section of the My Home work center. Specifically, you can view and
maintain the following objects:
My Processes : View and maintain all local organizations, processes, subprocesses, and controls for which you are responsible
My Risks : View all risks for which you are the owner or for which you have change authorization
My Responses : View and maintain all responses for which you are the author or processor, or for which you have change authorization
My Incidents : View and maintain all incidents for which you have change authorization
My iELCs : View and maintain all local indirect entity-level control groups (iELC groups) and indirect entity-level controls (iELCs) for which you are
responsible
My Policies : View all policies that pertain to your responsibilities, including policies that were either created by you or require your review or approval
Open Issues : View all open issues on objects for which you have reporting authorization, including evaluation test issues and ad hoc issues
Open Remediation Plans : View all open remediation plans and corrective and preventive action (CAPA) plans for which you have reporting authorization
More Information
My Processes
My Risks
My Responses
My Incidents
My iELCs
My Policies
Open Issues
Open Remediation Plans
1.4.1.3.1 My Risks

Under the My Home work center, you can see all the risks for which you are the owner and for which you have change authorization under My Objects My
Risks .
For more information, see Risk and Opportunities.
1.4.1.3.2 My Responses

Under My Responses , you can maintain all the responses for which you have change authorization.
For more information, see Risk Responses and Enhancement Plans.
1.4.1.3.3 My Incidents

Under My Incidents , you can maintain all the incidents for which you have change authorization.
For more information, see Incident Management.
1.4.1.3.4 My Policies

The My Policies section contains the policies that pertain to your responsibilities (either created by you or requiring your review or approval).
Under the My Home work center, you can see all the policies with your involvement under My Objects My Policies .
More Information
Policies
Regulations and Policies
Creating a Policy Group
Creating a Policy
Reviewing a Policy
Approving a Policy
Publishing a Policy
If you have licensed Risk Management, the following topic applies: Using a Policy as a Risk Response
1.4.1.4 Document Search

Document Search enables you to search for documents (including all entities and compliance initiatives). The search includes documents and hyperlinks, which
you can add as attachments.
Features
You only see results for which you are authorized. You can perform freestyle searches, which work like Internet search engines, or attribute-based searches,
which search based on specified fields. You can use wildcards, such as *, and filters to narrow your results. You can also define display layouts for your results,
and you can export them in a standard spreadsheet format.
Activities
To use Document Search:
1. Access My Home Document Search Document Search.
2. Enter your search criteria and choose OK .
The system displays your results in a table format that shows the following document attributes:
Created By
Created On
Document Name
Entity Name
Entity Type
Version
You can open the attachment directly by selecting the document title. You can also choose Print Version to create a PDF file of your list results, or, choose
Export to download your results to a spreadsheet.
If you want to see entity-related information such as organization, control group, or regulation, choose the link under Entity Name .
1.4.1.5 My Delegation

You can authorize another business user to perform your tasks, exercise your access rights, and specify the duration of the delegation.
Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business users. If power users need to delegate their
authorization to others, they must ask the IT department to assign the PFCG role SAP_GRC_FN_ALL to the specified users. This delegation is not entity-
dependent.
Procedure
To delegate your tasks and access rights to another user, proceed as follows:
1. From the My Home work center, choose Delegation My Delegation .
The Assign Own Delegate screen displays your existing delegations. You can create a new delegation, open and edit an existing delegation, or delete a
delegation.
2. To create a new delegation, choose Create .
The Own Delegation screen displays.
3. In the Delegate User field, select the value help pushbutton to display the User List dialog box. Enter or search for a user name.
Note
Wildcards (*) are supported in a search.
4. Select a user name and choose OK . The system completes the Delegator and User ID fields.
5. For the Delegation Period the following points apply:
The Start Date field defaults to the date the delegation is created. You can change this field.
The End Date field defaults to unlimited (December 31, 9999). You can change this field. If you accept the default of an unlimited End Date, you
can change the date later or delete the delegation when it is no longer needed.
To edit an existing delegation, proceed as follows:
1. Choose the delegation assignment.
2. Choose Open .
The Own Delegation screen appears. You can only change the End Date .
3. Choose Save.
To delete an existing delegation, proceed as follows:
1. Choose the delegation assignment and choose Delete .
The system prompts you to confirm the deletion.
2. Choose Yes .
1.4.2 Master Data

The Master Data work center provides a central location to manage and view the organization structure, regulation and policies, catalog of objectives, and catalog
of risks and responses.
The Master Data work center contains the following sections:
Organizations
Regulations and Policies
Objectives
Activities and Processes
Risks and Responses
Consistency Checks
Reports
Note
The Master Data work center is shared by the Access Control, Process Control, and Risk Management products in the GRC application. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions specific to Risk
Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for the application-
specific functions.
More Information
Master Data: Access Control-specific topics
Master Data: Process Control-specific topics
1.4.2.1 Organizations


You can use the functions on the Organizations screen to create and maintain an organizational structure within the application that mirrors the organizations in
your company.
Integration
If you have licensed Risk Management, Process Control, and Access Control and want to use them for the same organization, the applications must share a
common organizational view. Complete the Customizing activity Maintain Organization Views , under Governance, Risk, and Compliance General
Settings Workflow .
To create the root organization and its first child organization in the specified organization view, complete the Customizing activity Create Root Organization
Hierarchy , under Governance, Risk, and Compliance General Settings Workflow .
More Information
Access Control Creating an Organization
Process Control Creating and Editing an Organization
Risk Management Working with Organizational Units
1.4.2.1.1 Working with Organizational Units

In the Organizations area of the Master Data work center, you can maintain the organizational structure for your company. This includes setting up initial roles
and responsibilities and the initial definition of certain risk management details for the respective organizational unit, such as line of business, country, and legal
entity.
Note
If you have licensed both Risk Management and Process Control, and want to use them for the same organization, both applications must share a common
organizational hierarchy.
Prerequisites
The following prerequisites must be fulfilled before you can work with organizational units:
You must define the following in Customizing:
Parent organization
Currency
Units of measure
Risk appetite
Impact categories / impact levels
To assign roles, you must carry out the Customizing activity Maintain Entity Role Assignment , under General Settings Authorizations . For more
information, see Entering Risk-Specific Organization Data.
If you want to maintain objectives, a hierarchy of objectives must exist in the Risk Management application.
If you want the Issues tab to display for organizational units, you must also carry out the Customizing activity Enable Ad Hoc Issues by Object Type ,
under Common Component Settings Ad Hoc Issues .
If you are using SAP workflow functions, you must ensure that the corresponding roles are assigned to specific agent slots (business events) in the
Customizing activity Maintain Custom Agent Determination Rules , under General Settings Workflow . For more information, see Workflows.
Procedure
Adding or Copying Organizations
1. Open the Organizations screen under Master Data Organizations .
2. On the Organizations screen, you can create a hierarchy with organizations and carry out various functions for them.
Note
The View dropdown field enables you to switch between different views of the organizational entities in a hierarchy.
You can also select by date to see organizational units that were created on an earlier date.
3. To create an organization in the hierarchy, put the cursor on the parent organization or on the organization for which you wish to create a child organization.
The screen of the organization opens.
4. Choose Add . You are prompted to specify whether you want to create a new organization or reuse an existing organization:
If you create a new organization, proceed as described in the section Working with the Organization Tabs below.
If you want to reuse an existing organization, choose Reuse existing organization . Then select the organization that you want to reuse and choose
OK . After this, select the organization in the overview screen and proceed as described below.
Working with the Organization Tabs
1. On the General tab, enter a name for the organization and the currency that your organization uses. This is the consolidation currency to be used for risk
aggregation. Change the valid-to date if necessary.
2. On the Policies tab, you can see the policies that have been created for this organization. For more information about policies, see Policies.
3. On the Objectives tab, add the objectives that correspond to your company strategy. For more information, see Business Objectives Hierarchy.
4. On the Key Risk Indicators tab, specify the Assigned Key Risk Indicators and Business Rules for the organization.
When creating Assigned Key Risk Indicators , you can choose to add a Standard KRI Instance , a Score-based KRI Instance , or a Manual KRI Instance .
For more information, see Managing Organizational Key Risk Indicators.
5. On the Units of Measure tab, you must specify the unit of measure to be used in your organization. This is necessary for defining conversion factors for
each impact category defined in Customizing. Select an impact category from the dropdown field. Then choose Create and choose the unit of measure. The
abbreviation field populates automatically. Enter the conversion factor to be used if you are not using a monetary unit of measure.
6. On the Risk Appetite tab, select the degree of risk-taking that is to be applied when individual risks are entered into the system. If desired, you can
specify a monetary value as the upper limit for this.
7. On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can specify the lower and upper limit for each
impact level in monetary terms. For more information, see Entering Risk-Specific Organization Data.
Note
You must enter the lower and upper limits per impact level in ascending order. This means that the greater the impact level, the higher the
quantitative/monetary effect.
8. On the Roles tab, you can assign users to individual roles, as well as replace or remove them. For more information, see Entering Risk-Specific
Organization Data.
9. When you are finished, save the data for your organization.
1.4.2.1.1.1 Entering Risk-Specific Organization Data

On the Organizations screen under Master Data Organizations , you can enter the following risk-specific data for your organization:
Business objectives
Risk appetite
Risk thresholds (referring to risk impact levels and monetary values)
Risk-specific roles
Prerequisites
The following Customizing activities must be carried out:
Maintain Objective Categories
Maintain Risk Appetite
Maintain Impact Categories
Maintain Impact Levels
Maintain Entity Role Assignment (to assign risk-specific roles to the organization)
Procedure
Specify Business Objectives
1. In the Objective tab, add the objectives that correspond to your company strategy.
2. Save your entries.
For more information on objectives, see Objectives Hierarchy.
Specify the Risk Appetite
For your organization, you can specify the degree of risk-taking that is to be applied when individual risks are entered into the system.
1. On the Risk Appetite tab, select the qualitative appetite from the dropdown options.
2. If desired, you can specify a monetary value as the upper limit for the qualitative appetite.
3. Save your entries.
Define Risk Thresholds per Impact Level
On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can specify the lower and upper limit for each impact
level in monetary terms.
1. Put the cursor on an impact level line and enter the values in the fields below this table, moving from the lowest to the highest impact level.
2. If necessary, enter a description for each impact level you define.
3. Save your entries.
4. When finished, you can see that the lowest limit remains at zero and the uppermost limit stays blank.
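As an added illustration (not part of the SAP documentation), the following Python snippet models the threshold rule described above: the lowest limit is zero, the uppermost limit stays blank, and the limits rise from the lowest to the highest impact level. It validates a threshold table, maps a monetary impact to its impact level, and checks an impact against the monetary risk appetite limit; the level names and amounts are constructed sample values, not SAP defaults.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional


@dataclass(frozen=True)
class ImpactLevel:
    """One line of the Risk Thresholds table, listed in ascending order of impact."""
    name: str
    lower: Decimal            # inclusive lower limit in the consolidation currency
    upper: Optional[Decimal]  # exclusive upper limit; None = uppermost level (left blank)


def validate_thresholds(levels: List[ImpactLevel]) -> List[str]:
    """Return the list of rule violations; an empty list means the table is consistent.

    Rules modelled from the documentation: the lowest limit is zero, the uppermost
    limit is blank, and limits are entered in ascending order so that the ranges
    are contiguous and do not overlap.
    """
    errors: List[str] = []
    if not levels:
        return ["no impact levels defined"]
    if levels[0].lower != 0:
        errors.append(f"{levels[0].name}: lowest limit must be zero")
    for i, level in enumerate(levels):
        is_last = i == len(levels) - 1
        if is_last:
            if level.upper is not None:
                errors.append(f"{level.name}: uppermost limit must stay blank")
            continue
        if level.upper is None:
            errors.append(f"{level.name}: only the uppermost level may have a blank upper limit")
            continue
        if level.upper <= level.lower:
            errors.append(f"{level.name}: upper limit must exceed lower limit")
        nxt = levels[i + 1]
        if nxt.lower != level.upper:
            errors.append(f"{nxt.name}: lower limit must equal the upper limit of {level.name}")
    return errors


def classify_impact(levels: List[ImpactLevel], amount: Decimal) -> str:
    """Map a monetary impact to the impact level whose range contains it."""
    if amount < 0:
        raise ValueError("impact amount cannot be negative")
    for level in levels:
        if level.upper is None or amount < level.upper:
            return level.name
    raise ValueError("no impact levels defined")


def exceeds_risk_appetite(amount: Decimal, appetite_limit: Optional[Decimal]) -> bool:
    """True when a quantified impact is above the monetary risk appetite limit.

    A blank (None) limit means no monetary upper limit was specified on the Risk Appetite tab.
    """
    return appetite_limit is not None and amount > appetite_limit


# Constructed sample threshold table (names and amounts are illustrative).
SAMPLE_LEVELS = [
    ImpactLevel("Low", Decimal("0"), Decimal("10000")),
    ImpactLevel("Medium", Decimal("10000"), Decimal("100000")),
    ImpactLevel("High", Decimal("100000"), Decimal("1000000")),
    ImpactLevel("Critical", Decimal("1000000"), None),
]

# Constructed table with limits entered out of order, to show what the check reports.
BROKEN_LEVELS = [
    ImpactLevel("Low", Decimal("0"), Decimal("50000")),
    ImpactLevel("Medium", Decimal("10000"), Decimal("5000")),
    ImpactLevel("High", Decimal("5000"), None),
]

if __name__ == "__main__":
    print(validate_thresholds(SAMPLE_LEVELS))                 # []
    print(classify_impact(SAMPLE_LEVELS, Decimal("250000")))  # High
    for problem in validate_thresholds(BROKEN_LEVELS):
        print("violation:", problem)
```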
Assign Risk-Specific Roles
On the Roles tab, you can assign users to individual roles, as well as replace or remove them.
Note
These roles are added to the organizational unit during implementation and Customizing. For more information, see Risk Management Application Roles.
Before assigning roles, check that the roles you want to assign exist in the Customizing activity Maintain Entity Role Assignment .
Note
If you are using SAP Workflow, you must also ensure that the roles you assign have also been assigned to specific agent slots (business events) in the
Customizing activity Maintain Custom Agent Determination Rules .
To assign users to an organizational unit in the application, proceed as follows:
1. Access Master Data Organizations Organizations . The list of organizations is displayed.
2. Make sure that the Date field contains the current or a future date. If necessary, change it and choose the Apply pushbutton.
Note
Role assignment for the past is not permitted.
3. Open the organization to which you want to assign roles.
4. On the Roles tab of the organization screen, select the line of the role to which you want to assign a user.
5. Then choose the Assign pushbutton. In the dialog box that displays, you can now search for and select the user to be assigned to this role. You can also
remove or replace the role for a user by choosing the corresponding pushbuttons.
6. Save your entries.
1.4.2.1.1.2 Managing Organizational Key Risk Indicators

You can assign one or more key risk indicators (KRI) to an organization. This is known as a KRI instance . In this way, you can automatically identify risks in
organizations and escalate them to risk owners for immediate attention if necessary.
Prerequisites
You have created a KRI implementation.
You have maintained the corresponding activities for timeframes and frequencies in Customizing under Governance, Risk and Compliance General
Settings Key Attributes .
Procedure
Creating Standard KRI Instances
1. When managing an organization, choose the Key Risk Indicators tab and choose Create Standard KRI Instance in the Assigned Key Risk
Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using the drop-down lists.
7. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained in the database. By default, the Yes radio
button is selected.
8. In the Selection Table , modify the KRI implementation settings, as required.
9. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
10. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI instance.
Alternatively, choose from among the following options:
Choose the Activate pushbutton to set the status as Active for the KRI instance.
Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor (to the KRI liaison defined in the Risk
Management workflows, for example). The dialog closes and the Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to your inbox for
processing or approval, among other options. For more information, see Workflow for KRI Instance Localization Request.
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.
Creating Score-Based KRI Instances
1. Choose the Key Risk Indicators tab and choose Create Score-based KRI Instance in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Last Execution Date field, choose the appropriate execution date using the drop-down lists.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained in the database. By default, the Yes radio
button is selected.
6. Choose the Rule tab to specify the business rule for the KRI instance.
Using the Mapping and Expression tabs, enter the calculation parameters for the KRI business rule.
You can specify the Expression as either a Formula or a Decision Table using the Rule Type drop-down menu. After you are finished, you can check
the syntax, test the rule, or access the NetWeaver BRFplus (Business Rule Framework plus) Workbench.
7. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
8. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI instance.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.
Creating Manual KRI Instances
1. Choose the Key Risk Indicators tab and choose Create Manual KRI Instance in the Assigned Key Risk Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained in the database. By default, the Yes radio
button is selected.
6. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
7. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI instance.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.
More Information
For more information about specifying business rules, see Creating KRI Business Rules.
1.4.2.2 Regulations and Policies

Regulations and Policies gives you visibility into your compliance landscape.
More Information
Regulations
Policies
1.4.2.2.1 Regulations


In the regulation hierarchy, you document which compliance initiatives your company supports. For each compliance initiative, you can document the regulation
and its requirements. After defining a new regulation, you specify the subprocesses and controls that are relevant to that regulation.
Structure
The Regulations section allows you to:
Review and document your compliance initiatives in one place
Organize your compliance initiatives into groups
Example
You have a group of financial compliance initiatives that could include SOX, J-SOX, and IDS or a group of operational compliance initiatives that include FDA
and Life Sciences regulations.
Maintain your regulation hierarchy to the individual requirement level. For example, you can maintain SOX compliance down to the regulation requirement SOX
302. If you maintain regulation requirements, you can assign them to controls and track the affected requirements at the control level.
More Information
Policies
1.4.2.2.2 Policies

A policy is a set of principles, rules, and guidelines that are formulated or adopted by an organization to reach its long-term goals. Policies are designed to
influence major decisions and actions, and all activities take place within the boundaries set by them. They are used in Process Control and Risk Management.
A policy contains a written description of an organization's position on important subjects and its response to specific situations. Policies support managerial
decision-making, to help the company achieve its objectives. Policies are an element of a complete governance process. This process involves an analysis of
regulations, best practices, and corporate business objectives, after which they are codified into policies affecting the business actions of all employees.
Policies need to be created, reviewed, approved, and distributed; there is an ongoing process of policy acknowledgment, self-assessment, and updates. Policies
must be managed throughout their lifecycle.
Prerequisites
According to your business needs, complete the Customizing activities under Governance, Risk, and Compliance Common Component Settings Policy
Management .
More Information
Creating a Policy Group
Creating a Policy
Reviewing a Policy
Approving a Policy
Publishing a Policy
Using a Policy as a Risk Response
1.4.2.2.2.1 Creating a Policy Group
Procedure
You must create a policy group before you can create a policy.
1. Choose Master Data Regulations and Policies Policies .
2. Choose Create Policy Group .
The Policy Group screen displays.
3. Complete the following fields:
Policy Group fields (field name: description)
Group Name (required): Create a distinctive group name.
Description (optional): Enter information to tell users the contents of the policy group.
Approval Survey (required): Select the survey from the dropdown.
Note
You must have previously created an Approval Survey in the Survey Library.
Valid From (required): Enter the starting date.
Valid To (required): Enter the ending date.
4. Choose Save and Close .
More Information
Creating a Policy
Reviewing a Policy
Approving a Policy
Publishing a Policy
Using a Policy as a Risk Response
1.4.2.2.2.2 Creating a Policy

Policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals.
Example
A Global Travel Policy is one example of a business policy. The goal might be to reduce costs and increase efficiency by mandating that everyone in the
company adhere to this policy.
Prerequisites
You must create a policy group before you can create a policy.
Procedure
1. Choose Master Data Regulations and Policies Policies .
2. Choose the Policy Group where you want to add the policy.
3. Choose Create Policy .
4. Select a Policy Object Type and choose OK .
Note
The Policy Object Types are configured during the Customizing activity Maintain Policy Types and Distribution Methods under Governance, Risk,
and Compliance Common Component Settings Policy Management .
5. Complete the fields on the General tab.
Policy General tab fields (field name: description)
Name (required): Create a distinctive policy name.
Description (optional): Enter information to tell users the contents of the policy.
Distribution Methods (required): Select Acknowledgement , Quiz , or Survey . If you choose Quiz or Survey , you must specify a template from the Survey Library . An e-mail is sent to the recipients with a PDF attachment showing the required actions.
Purpose (required): State the reason for the policy.
Policy Category (optional): Select the categories this policy belongs to.
Date (optional): Enter the date.
Assignment Method (optional): Select Assign Directly , Inherited , Localized , or Superseded .
Responsible Organization (required): Enter the organization responsible for the policy.
Created by (optional): The default is the person who created the policy.
Created On (optional): The default is today's date.
Valid From (required): Enter the first date of effectiveness for the policy.
Valid To (required): Enter the last day of effectiveness for the policy.
Date for Next Revision (optional): Enter the date for the next revision. This date must be between the Valid From and Valid To dates.
Note (optional): Enter any material that might be helpful to approvers or reviewers.
6. Select the Policy Document tab. Attach the actual policy documents (Word files, Excel files, images) that contain the written policy. The policy documents
may reside in the SAP Document Management System (DMS), or you may include links to documents residing in an external DMS.
7. Select the Policy Scope tab.
You document who is in scope and subject to the policy. You may also explicitly specify who is excluded from the scope of this policy. Define which
Organizations , Processes (contained in the Organization), Activities , People (can be roles, user groups, or specific users) or Exclusions you want to
identify (text field). This is who receives the policy when it is published.
8. Select the Risks tab.
This is the risk associated with the nonadherence to the policy. If the company is not compliant with the policy, this is the risk that could occur.
9. Select the Controls tab.
Assign the controls or indirect entity-level controls that pertain to the policy.
10. Select the Policy Sources tab.
Specify the sources, that is, the reasons and motivations behind the creation of the policy. Default choices are provided. Add or remove sources as
needed.
Note
The Policy Sources are configured during the Customizing activity Maintain Policy Source Categories under Governance, Risk, and Compliance
Common Component Settings Policy Management .
11. Select the Issues tab.
If there are any ad hoc issues related to this policy that need to be addressed, they will be displayed in this tab.
12. On the Roles tab you can assign users to individual roles (such as Policy Owner, Policy Approver and Policy Reviewer), as well as replace or remove
them. To assign a user, select the line of the role to which you want to assign a user. Then choose Assign . In the dialog box then displayed, you can
search for and select the user to be assigned to this role. You can assign multiple approvers and reviewers.
13. Select the Review and Approval tab to view the status of the approvals. If you did not assign specific reviewers or approvers, the Default Approvers
(usually the Organization Owner, that is, the owner of the organization specified on the Policy Scope tab) are asked to approve the policy.
14. Choose Save .
15. Decide if you can immediately Submit for Approval or if you need to Send for Review .
More Information
Creating a Policy Group
Reviewing a Policy
Approving a Policy
Publishing a Policy
Using a Policy as a Risk Response
1.4.2.2.2.3 Reviewing a Policy

After the policy owner submits the newly created policy for review, the policy review workflow is sent to the reviewer. If the policy owner has set up more than one
reviewer, then a parallel policy review workflow is sent to all the reviewers at once.
Prerequisites
Policy reviewers were set up by the policy owner (author of the policy).
Procedure
1. Choose My Home Work Inbox .
2. Select a policy to review. You see the same tabs that are used to create a policy. Read the material contained in the tabs to understand the scope, history,
and potential risks of the policy.
3. Submit comments as needed for specific tabs.
4. Review any comments on the Review and Approval tab. Add any general comments here. You have virtually unlimited text.
Note
If you accept the policy draft with no changes, then comments are optional. Before submitting the comments, the reviewer can delete comments he or
she has entered. The reviewer cannot delete comments entered by other reviewers. Once a reviewer submits a comment, it cannot be modified or
deleted.
5. After the comments have been submitted, the policy owner can see all comments in a compiled format. The policy owner revises the policy draft based on
the review comments. As long as the policy owner does not submit the policy for approval, reviewers can continue to enter comments by selecting the
Review Policy link in their Work Inbox.
More Information
Creating a Policy Group
Creating a Policy
Approving a Policy
Publishing a Policy
Using a Policy as a Risk Response
1.4.2.2.2.4 Approving a Policy

After the policy owner ensures that all the review comments have been incorporated, the owner submits the final draft of the policy for approval. One or more
approvers may be responsible for this policy, as determined by the workflow engine and as specified by the policy owner. The defined approvers receive the
approval workflow in their GRC Inbox.
Prerequisites
The policy approvers must be set up by the policy owner or the default approvers may be determined by the workflow engine (based on the organizations and
processes assigned to the policy).
Note
If the policy applies to an organization, then that organization owner becomes the default approver. Since all the users in the organization are subject to
this new policy, the organization owner must approve it.
If the policy applies to a certain process and/or subprocess, then the respective owner becomes the default approver. Since all the users in the
process and/or subprocess are subject to this new policy, the process/subprocess owners must approve it.
There may be other roles assigned to the policy approver role in the configuration, for a certain organization, process or subprocess, who also receive
the approval workflow.
Procedure
1. Choose My Home Work Inbox .
2. Select a policy to approve. You see the same tabs used to create a policy. Read the material contained in the tabs to understand the scope, history, and
potential risks of the policy.
3. Review any comments on the Review and Approval tab. If an Approval Survey has been created, it is located here and requires answers. Add any
general comments here.
4. Decide if you need to Save Draft, Close, Send Back for Rework, Reject or Approve the policy.
5. You now have the following options:
Approve : The approver may (optionally) provide comments to the policy owner. The approver may also attach supporting documents or links. The
policy owner is notified that the policy has been approved. If this policy receives approvals from all approvers, then the policy is ready to be
published directly. Or, this setting can be modified through the Customizing activities so that instead of all approvers, only one approver is required for
the policy to be approved and published to the policy library.
Reject : The approver has to provide comments to the policy owner. The approver may also attach supporting documents or links. The policy owner
is notified that the policy has been rejected. The only choice for the policy owner is to create a new policy and start again.
Send Back for Rework : The approver has to provide comments to the policy owner. The approver must provide suggestions (for example, a
structured list) for improving the policy and any expected changes. The approver may also attach supporting documents or links. The policy owner is
notified that the policy has been sent for rework. The policy owner has to amend the policy and resubmit it for approval.
Save Draft : Save your comments or attachments and complete the approval process at a later time.
Close : Close the policy and complete actions at a later time. No changes are saved.
6. Select Close .
More Information
Creating a Policy Group
Creating a Policy
Reviewing a Policy
Publishing a Policy
Using a Policy as a Risk Response
1.4.2.2.2.5 Publishing a Policy

A new policy is published to the Policy Library and is then available to all authorized users for viewing and is available for distribution and policy attestation.
Prerequisites
The policy must have been reviewed by the policy reviewers and approved by the policy approvers. After approval, the policy is published directly.
Procedure
1. Navigate to the Assessments work center.
2. Select the Planner to schedule the policy distribution.
Note
The Distribution Method (Quiz, Survey, or Acknowledgement) is also defined when the policy is created.
More Information
Planner
Creating a Policy Group
Creating a Policy
Reviewing a Policy
Approving a Policy
Using a Policy as a Risk Response
1.4.2.3 Objectives

Depending on the products you have licensed, in the Objectives section of the Master Data work center, you can maintain Control Objectives and Business
Objectives.
1.4.2.3.1 Business Objectives Hierarchy

Managing and assessing risks across the organization are important tasks for companies that must adhere to legal compliance requirements or use management
best practice frameworks with risk management methodologies. Business practice has shown that the connection between risks and objectives provides greater
visibility for the management team during risk reporting. By creating a hierarchy of your company's objectives, you can link or associate the objectives with
impact categories defined for risks.
In the same way as the vision and mission of an organization describe the top-level desired state of the organization, objectives describe critical, actionable, and
measurable components of that desired state within the context of organizational perspectives.
In Risk Management, you can create a strategy to describe your company's primary and dependent objectives, which are defined in a time-dependent manner.
By structuring your objectives in a hierarchy, you can obtain a clear breakdown on the business side of your company's strategic and operational objectives.
Prerequisites
You have maintained the corresponding objective categories in Customizing.
To create a hierarchy of objectives, you must first create the objective strategy.
Procedure
After you create an objective strategy, you can create individual objectives to assign to this strategy. Proceed as follows:
1. Call Master Data Objectives Business Objectives .
2. The Objectives Hierarchy window displays, with a list of the defined objectives.
3. First create a strategy for your objectives by choosing the Create Strategy pushbutton. Enter a name for the strategy, select an objective category
and describe the objective, then save it.
Note
You cannot assign an organizational unit to the objective here. Instead, you must assign existing objectives when you create an organizational unit.
These are displayed in the Objectives screen after saving. For more information, see Entering Risk-Specific Organization Data.
4. Now choose this strategy again from the list and choose the Create Objective pushbutton. Create an objective for the strategy, and save the
strategy. This procedure can be repeated as frequently as necessary.
5. Save the objective.
More Information
See the SAP Strategy Management documentation in the SAP Library under SAP BusinessObjects tab EPM Solutions SAP Strategy Management
Application Help . Under application help, choose Administration Connectors .
1.4.2.4 Activities and Processes

The Activities and Processes section in the Master Data work center is where you maintain your company's activities, business processes, subprocesses,
and controls. It contains the following links:
Activity Hierarchy
Business Processes
Indirect Entity-Level Controls
1.4.4.2.6 Activities

An activity is any project, process, or an object within your business or organization that might be affected by a specific risk.
After creating activity categories structured in an activity hierarchy, you can create individual activities for the activity types defined in Customizing and assign
them to the activity categories in the hierarchy. At defined intervals, for example, the activities affected by specific risks can subsequently be evaluated per
activity category in reporting.
Typical types of activities are:
Processes: Potentially all operational and administrative processes within an enterprise.
Projects: Potentially all internal and customer projects.
Objects: Refers to generic activities that are neither a project nor a process.
You can define all the activities that need to be monitored through dedicated risk management procedures, in this way structuring risk management in different
areas of the business. These structures can later be used for reporting.
You must assign all activities to an activity category.
Prerequisites
Activity types must have been maintained in Customizing under Risk Management > Master Data Setup.
Features
For each activity, you can do the following:
Specify the activity category and validity period, as well as enter relevant constraints and assumptions for the activity.
Assign users/roles responsible for processing the activity.
Link the corresponding risks and opportunities identified for that activity.
Display any surveys to be executed for the activity.
Display and print out a PDF fact sheet with relevant activity information.
Note
Activities are time-dependent objects. If the valid-to date has elapsed, you do not see these activities in the corresponding list, since they have expired.
However, you can still evaluate them in reporting.
More Information
Creating Activity Categories
Creating an Activity
Activity Hierarchy
1.4.2.4.1.1 Activity Hierarchy

In the Activities and Processes section of the Master Data work center, you can define a hierarchy to structure the activities in your organization that involve
risks. In this way, you can define the scope of risk management activities within your company, making them transparent, in particular for reporting purposes. You
do this by defining risk-relevant activity categories. The research and development projects of your organization could be one activity category, for example.
Note
If you want to see the processes of Process Control in the Risk Management activity hierarchy, proceed as described in Reuse of PC Central Process
Hierarchy in RM.
Prerequisites
In Customizing, you must maintain activity types for your organization.
Features
In the Activity Hierarchy section, you can do the following:
Create and delete activity categories
View and edit activity category details
Assign risk and opportunity categories to an activity category
Example
Sample global activity hierarchy showing assigned risks
The above example shows how risks are assigned. First, the activity type defined in Customizing called business processes is used to create an activity category called Financials. Then for Organizational Unit 1, this activity category is used to define the two activities of budgeting and consolidation. The budgeting activity has two risks allocated to it: Overspending and Budget not approved.
More Information
For more information about activity creation, see:
Activities
Creating Activity Categories
1.4.2.4.1.2 Creating Activity Categories

By creating activity categories and structuring them in an activity hierarchy, you can group your business processes or other planning objects. You can
subsequently use these activity types to structure your activity hierarchy and activity reports.
Prerequisites
The Customizing activity Maintain Activity Types must be maintained.
Procedure
To maintain the activity hierarchy, choose Master Data > Activities and Processes > Activity Hierarchy. The Activity Hierarchy screen appears. In the dropdown box at the top left, you can see the different activity types maintained in Customizing.
Note
If you have implemented both Risk Management and Process Control, the activity hierarchy selection screen contains the defined Risk Management activity
hierarchies as well as the Process Control processes, which you can access in display mode.
Proceed as follows to create an activity hierarchy:
1. From the dropdown list, select an activity type to be used for creating the activity category, and then choose the Create pushbutton.
2. In the screen that opens, enter the name of the activity category and if necessary a description.
3. If you want to allow the assignment of activities to this activity category, set the corresponding indicator to Yes.
4. On the Risk Classification tab, you can assign risk categories to this activity category by clicking the Assign pushbutton.
5. On the Opportunity Classification tab, you can assign opportunity categories to this activity category in the same way.
6. Save your data. The activity category is included in your activity hierarchy.
1.4.2.5 Risks and Responses

The Risks and Responses section of the Master Data work center enables you to maintain your organization's risk, opportunity, and response catalogs. It
contains the following Quick Links:
Risk Catalog
Opportunity Catalog
Response Catalog
More Information
Risk Catalog
Opportunity Catalog
Classifying Risks, Opportunities, and Responses
1.4.2.5.1 Risk Catalog

Classifying risks within a catalog containing a clear risk hierarchy provides you with a structured view of all risks of your company. You can classify risks
according to the categories of risks that you wish to track, and carry out reporting, for example, to evaluate the risks per risk category defined for your company.
Features
For each risk category you define, you can define individual risk templates. You can use this template when actual risks are created. Risk templates only have
drivers and impacts defined for them, but no further data.
You can subsequently carry out reporting, for example, to evaluate the risks per risk category.
The graphic below shows some risk templates and their assignment to user-defined risk categories.
In the Risks and Responses section of the Master Data work center, you can work with the following features:
Create and delete risk templates and risk categories.
View and edit risk template and risk category details.
Specify driver and impact categories for a risk template, and assign KRIs.
For more information about risk catalogs, see Classifying Risks, Opportunities, and Responses.
Note
The risk categories created can also be used for Risk Management reporting.
1.4.2.5.1.1 Classifying Risks, Opportunities, and Responses

By structuring your organization's risks, opportunities and responses into individual categories, you can obtain a clear structure of all enterprise-wide objects
created. The following types of catalogs can be created; the documentation below describes risk catalog maintenance, and opportunity and response catalog
maintenance is carried out similarly.
Risk Catalog: A Classification Hierarchy is provided by the system, below which you can define individual risk categories. You can also create risk
templates to assign to the risk categories you have defined. These risk templates are used to capture the most important reusable risk data in your
organization.
Opportunity Catalog: The same kind of structure enables you to create opportunity categories, and within them, opportunity templates to be used for
repetitive opportunities created in the system.
Response Catalog: In this catalog, you create response templates to be used for responses that are entered frequently.
Note
When you create a risk with a template in the risk application itself, you are accessing the risks created in the Risk Catalog. A risk template has no analysis and no responses linked to it, and is to be used when creating the actual risks in the risk application.
Prerequisites
Drivers and impact categories for risks must be maintained in Customizing.
Procedure
To maintain the risk catalog, choose Master Data > Risks and Responses > Risk Catalog. The Risk Catalog screen appears. Then proceed as follows:
Creating a Risk Category
1. To add a risk category to the hierarchy, select a node of the classification hierarchy as the level you want to create the category in. Then choose Create Risk Category.
2. In the dialog box, enter the name and description of the risk category, and decide whether to allow assignment of this risk category to an activity category.
3. On the KRI Template tab, you can assign an existing KRI template to this risk category.
4. On the Allowed Dimensions tab, you can specify the dimensions and context values to be used with this risk category. For more information, see Working with Contexts.
5. Save the risk category.
Creating a Risk Template
1. To create a risk template, select a risk category from the Risk Catalog Classification overview screen and choose Create Risk Template. For more information, see Creating a Risk Template.
2. When finished, save your data.
More Information
Creating a Risk
Creating KRI Templates
Working with Contexts
1.4.2.5.1.2 Creating a Risk Template

A risk template is used to streamline the risk assessment process and reduce manual effort during risk identification. A risk template has no analysis and no
responses linked to it, and serves as a model for actual risk creation. It is useful if you have several similar risks to create.
Note
You create an opportunity template in the same way as you create a risk template.
Prerequisites
Risk drivers and impact categories have been maintained in Customizing.
A parent risk category has been maintained in the risk classification application.
A risk analysis profile must be maintained in Customizing.
Procedure
To create a risk template, proceed as follows:
1. Call the Master Data work center and then choose Risk Assessments > Risks and Responses > Risk Catalog.
Note
To create an opportunity template, choose the Opportunity Catalog link.
2. In the Risk Catalog screen, click Create Risk Template. Note that the cursor must first be on a risk category and may not be on the uppermost Classification Hierarchy node if there are no categories below it.
3. In the General tab, enter the Event Name (the name of the risk template you are creating), then change the valid-to date and enter a comment if
necessary.
4. Add the necessary drivers and impacts in the lower screen section.
Note
If you create a risk using a risk template, existing customer-defined fields can also be taken over into the template.
5. The next tab, Risk Instances, has no fields ready for input. It displays the risks that were created using this template, so it can only be accessed after you have created at least one risk with this template. If risks exist, the Open pushbutton enables you to call the risk directly from this tab, after you have put your cursor on the line of the risk.
6. In the Response Templates tab, you can assign or remove a response template to be used with the risk template.
7. In the Central Controls tab, you can assign or remove a control from Process Control to a template. A central control is a control assigned to a central
subprocess. A central subprocess and central control can be assigned to different organizations for different regulations. For more information about working
with controls, see Business Processes. After assignment, the control can be used as a response to a risk in the shared risk catalog.
8. In the Context tab, you can specify the dimensions and context values that link the risk template with other areas or system objects. You can select to
view the context attributes in table form, graphic form, or as Crystal reports. For more information, see Working with Contexts.
9. When finished, save the risk template. It is now ready for use with your risks.
Result
The risk template has been created for use when you create individual risks in the application.
More Information
Creating a Risk
Creating a Risk from a Template
Distributing a Risk Template
1.4.2.5.1.3 Distributing a Risk Template
Procedure
You can use a risk template with several different kinds of objects, such as Risk Management activities or organizational units defined for Risk Management. In
this way, you can create an instance of the risk template.
1. From the Risk Catalog screen under Master Data > Risks and Responses, open the classification hierarchy to a lower level and choose a risk template.
2. Choose Actions > Distribute.
3. A guided procedure is displayed in which you enter the validity dates for which this distribution is to be applied.
4. Select a distribution method as follows:
Copy: Any risk field can be changed after the template has been copied to the risk.
Reference: Some risk fields are read-only, since they are only referenced and not copied.
5. After choosing Next, you select the targets, that is, the organizational units for which the risk template is to be used. Depending on where you position the cursor, you can select a higher-level or a lower-level organizational unit.
6. Choose Next again. You can see your selection in the lower section and must confirm it via the Finish pushbutton.
Result
The risk template has been distributed for use over the corresponding objects and is ready for use.
1.4.2.5.2 Opportunity Catalog

You can create a hierarchy to structure your company's opportunities into opportunity categories within an opportunity catalog. An opportunity can be regarded as
the upside of a risk.
Besides maintaining an opportunity hierarchy, you can also define individual opportunity categories and opportunity templates to be used when defining
opportunity categories.
Prerequisites
You must have maintained the corresponding benefit and driver categories in Customizing.
Features
When you create an opportunity category, you also allow assignment to an activity category. Note the following:
An opportunity category is similar to a risk category and is assigned to an individual opportunity.
An opportunity template can be used when you create an individual opportunity. An opportunity template has drivers and benefits assigned to it, which can
be passed on to the opportunities you create.
More Information
Creating an Opportunity
1.4.2.5.2.1 Creating an Opportunity Category and Template

You create opportunity categories and templates in the Risks and Responses section of the Master Data work center.
Procedure
1. From the Master Data work center, choose Risks and Responses > Opportunity Catalog.
2. On the Opportunity Catalog screen that appears, choose Create Opportunity Category.
3. On the General tab, enter the following:
   Mandatory information:
      Name
      Valid from date
      Valid to date
   Optional information:
      You can enter a description for the opportunity category.
      You can choose whether an assignment of opportunities is allowed for this opportunity category.
      You can assign the opportunity category to an analysis profile. You create or modify analysis profiles in Customizing under Risk Management > Risk and Opportunity Analysis > Maintain Analysis Profile.
Note
You can review the attributes of existing analysis profiles by choosing the Analysis Profile Detail link adjacent to the Analysis Profile
dropdown menu.
4. On the Attachments and Links tab, you can attach documents and web links.
5. On the Allowed Dimensions tab, you can assign a context to be used with this opportunity category.
6. When finished, save your data.
Creating an Opportunity Template
Note
You create an opportunity template only from an existing opportunity category.
1. From the Master Data work center, choose Risks and Responses > Opportunity Catalog.
2. Choose an existing opportunity category in the list.
3. Choose Create Opportunity Template. The opportunity template creation screen appears.
4. On the General tab, enter the following information:
Name
Description
Valid from date
Valid to date
Benefits and drivers, if any
5. On the Opportunity Instances tab, you can see the list of opportunity instances that have been created based on this opportunity template.
6. On the Allowed Dimensions tab, you can assign a context to use with this opportunity template.
7. On the Attachments and Links tab, you can attach documents and web links.
8. When finished, save your data.
1.4.2.6 Risk Consistency Reports

You can review the quality and structure of your organization's risks via a set of comprehensive predefined reports. You can carry out a consistency check for your
Risk Management data, and you can make sure that the reports defined do not violate the segregation of duties (SoD).
Note
The term segregation of duties refers to the concept of requiring more than one person to complete a task. Under SoD, no single person has control over two
or more phases of a transaction or operation, so the risk of fraud or unintentional error is mitigated. An example of this would be that one user cannot be both
the risk owner and the risk validator.
Consistency checks are a set of reports targeting solution and application consultants to support an initial implementation project. They ensure the completeness
and logical consistency of the provided master data in the Risk Management application. This can be checked during implementation or also later when the
system is in productive use.
Reports that check the completeness of the provided data focus on mandatory and non-mandatory information in the checked master data. Missing information
might either create inconsistencies in data storage, or affect the behavior of certain parts of the application, such as reporting.
The checks can also be used in the running system to ensure continuous quality of the maintained master data of the application.
Features
In the Master Data work center, you can carry out a check of the RM data objects in the application as well as of the corresponding Customizing settings. For
more information, see Working with the RM Consistency Checker.
1.4.2.6.1 Working with the RM Consistency Checker

The consistency checker enables you to check all your Risk Management data for consistency and completeness.
Procedure
1. Call Master Data > Consistency Checks > Consistency Checks. A new window with the RM Consistency Checker is displayed. You have two options:
Select the individual item you want to check and press Execute.
If you want to check all items at once, press Execute Full Pass. This function executes all checks successively and presents the results in a table.
2. In the Results table, you can drill down to the exact application or Customizing data involved to make direct changes to the individual data objects in the
application or to the Customizing activities. The table has the following columns:
Check: The name of the specific check report
Error count: The number of errors for an individual check
Warning count: The number of warnings issued for an individual check
Status: Red for critical, yellow for warning, green for OK
3. Choosing the individual checks produces the following results, showing you how to resolve individual data consistency issues:
Each entry gives the name of the check, its description, and what to do.

1. List of organizational units without currency
Description: Lists all organizational units for which no currency is maintained.
What to do: Choosing the Execute pushbutton produces a list of organizational units with no currency. Choosing one organizational unit opens the corresponding screen, in which you can assign a currency.

2. Check number of probability levels
Description: Lists the probability levels as they are maintained in Customizing.
What to do: Displays all the probability levels with the percentage of probability maintained in Customizing. To make changes, access the corresponding Customizing activities.

3. List root nodes
Description: Lists all corporate nodes (top organizational units).
What to do: Execute produces a list of organizational units. Choosing one takes you to the General tab of an organization with no parent organization.

4. List activity categories without risk or opportunity categories
Description: Lists activity categories that do not have specific risk and opportunity categories assigned to them.
What to do: Status column: The red stop sign means that no risk or opportunity categories are assigned.

5. Check organizational unit threshold relationships
Description: Lists the organizational unit relationships (parent and child) for which the risk threshold settings do not match the relationship.
What to do: Clicking on the parent or the child ID in the output list takes you to the screen where you can maintain the risk thresholds in the corresponding tab.

6. Check the documents
Description: Checks for documents with an invalid parent or child object.
What to do: Dialog box asking whether documents with invalid parent or child entities should be deleted. Click the Automatic Fix pushbutton under the list to auto-correct the missing values.

7. List of organizational units without thresholds
Description: Lists all organizational units that do not have risk threshold values maintained.
What to do: Clicking the Execute pushbutton produces a list of organizational units with no risk threshold values. Clicking on one line opens the organizational unit screen. Navigate to the Risk Thresholds tab to maintain the thresholds.

8. Check probability level matrix
Description: Checks the probability/timeframe matrix in Customizing and displays the missing settings.
What to do: Messages:
Missing: No Customizing value set in the matrix for the given timeframe and probability.
All: The probability values found are valid for ALL timeframes.
Timeframes defined: Should be displayed instead of All if there is no timeframe.

9. List organizational units without objectives
Description: Lists all organizational units that do not have objectives maintained for them.
What to do: Execute produces a list of organizational units. Clicking on one takes you to the organization screen, where you maintain the Objective tab.

10. List responses without effectiveness / completion values
Description: Lists all risks and responses that do not have effectiveness / completion values maintained.
What to do: Clicking on a response produces a list of responses with missing values. Clicking on a line in the Response Title column enables you to enter effectiveness and/or completion values for a response.

11. Check role assignment
Description: Checks for role errors and warnings, such as double assignments.
What to do: Messages:
User initial: Shows whether a user name is blank or empty.
Role initial: Shows whether a role is blank or empty.
User and role initial: Shows whether role and user name are still blank or empty.
Double role assignment: Shows whether a user has the same role twice for the same object in an overlapping time span.
Obsolete role assignment: Shows whether roles are assigned to objects for which they are not relevant.
Unique role assigned multiple times: Shows whether unique roles are assigned more than once to the same object using overlapping timeframes.

12. Check role definitions
Description: Checks for invalid role definitions.
What to do: Message No title assigned: Returns a string that shows the user that the title is missing.

13. Benefit / impact / driver categories
Description: Lists the benefit, impact, and driver categories that are maintained in Customizing.
What to do: This check displays the benefit, impact, and driver categories in the application. To make changes, access the corresponding Customizing activities in the backend system.

14. Check risk level matrix
Description: Checks the probability / impact matrix in Customizing, displays the risk levels that are assigned, and shows whether all levels are used.
What to do: Message Not Assigned (N/A): The items show which risk or combination is not assigned.

15. List organizational units without units of measure
Description: Lists all organizational units that do not have their own units of measure maintained.
What to do: Execute: Produces a list of organizational units. Clicking on one takes you to the organization screen, where you maintain the Unit of Measure tab.

16. List risks and responses without owner
Description: Lists all risks and responses that do not have an owner assigned to them.
What to do: Clicking on the link of a risk or response takes you to the corresponding screen, where you can maintain the owner in the Roles tab.

17. Incidents / losses without mandatory attributes
Description: Lists all incidents and losses where mandatory attributes have no values.
What to do: You have the following options:
Click the Automatic Fix pushbutton under the list to auto-correct the missing values of all incidents/losses.
Depending on the status of the incident, clicking on a line of the output screen takes you to the incident screen, where you can maintain the attributes.
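The role-assignment check (check 11) and the segregation-of-duties note in Risk Consistency Reports describe rules that can be expressed as plain data checks over role assignments. The following Python block is an added example, not SAP code and not the RM Consistency Checker itself: the record layout, the role names RISK_OWNER and RISK_VALIDATOR, the error/warning severity mapping, and the sample assignments are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Roles that may be held by only one user per object at any one time.
# Assumption for this example; the real set is defined in Customizing.
UNIQUE_ROLES = {"RISK_OWNER", "RISK_VALIDATOR"}

# Role pairs one user must not hold together on the same object (the SoD
# rule from the Risk Consistency Reports note: owner and validator differ).
SOD_CONFLICTS = {frozenset({"RISK_OWNER", "RISK_VALIDATOR"})}

# Messages treated as errors; the rest count as warnings (assumed severity
# mapping, used only to fill the Error count / Warning count / Status row).
ERROR_MESSAGES = {"SoD conflict", "Unique role assigned multiple times",
                  "User and role initial"}


@dataclass(frozen=True)
class RoleAssignment:
    object_id: str   # risk, response or organizational unit
    role: str
    user: str
    valid_from: date
    valid_to: date


def overlaps(a: RoleAssignment, b: RoleAssignment) -> bool:
    """True when the two validity periods share at least one day."""
    return a.valid_from <= b.valid_to and b.valid_from <= a.valid_to


def check_role_assignments(assignments):
    """Return findings as (message, object_id, role, user) tuples.

    Messages follow the consistency checker's wording: 'User initial',
    'Role initial', 'User and role initial', 'Double role assignment',
    'Unique role assigned multiple times', plus 'SoD conflict'.
    """
    findings = []
    # Single-record checks: blank user and/or role.
    for a in assignments:
        user_blank, role_blank = not a.user.strip(), not a.role.strip()
        if user_blank and role_blank:
            findings.append(("User and role initial", a.object_id, a.role, a.user))
        elif user_blank:
            findings.append(("User initial", a.object_id, a.role, a.user))
        elif role_blank:
            findings.append(("Role initial", a.object_id, a.role, a.user))

    # Pairwise checks over complete assignments on the same object whose
    # validity periods overlap; a successor in a later period is legitimate.
    complete = [a for a in assignments if a.user.strip() and a.role.strip()]
    for a, b in combinations(complete, 2):
        if a.object_id != b.object_id or not overlaps(a, b):
            continue
        if a.role == b.role and a.user == b.user:
            findings.append(("Double role assignment", a.object_id, a.role, a.user))
        elif a.role == b.role and a.role in UNIQUE_ROLES:
            findings.append(("Unique role assigned multiple times",
                             a.object_id, a.role, f"{a.user},{b.user}"))
        elif a.user == b.user and frozenset({a.role, b.role}) in SOD_CONFLICTS:
            findings.append(("SoD conflict", a.object_id,
                             f"{a.role}/{b.role}", a.user))
    return findings


def result_row(findings):
    """Error count, warning count and traffic-light status for the Results table."""
    errors = sum(1 for f in findings if f[0] in ERROR_MESSAGES)
    warnings = len(findings) - errors
    status = "Red" if errors else "Yellow" if warnings else "Green"
    return errors, warnings, status


# Constructed sample data (not taken from any real system).
SAMPLE = [
    RoleAssignment("RISK-0001", "RISK_OWNER", "MUELLER", date(2014, 1, 1), date(2014, 12, 31)),
    RoleAssignment("RISK-0001", "RISK_VALIDATOR", "MUELLER", date(2014, 6, 1), date(2014, 12, 31)),  # SoD
    RoleAssignment("RISK-0002", "RISK_OWNER", "SCHMIDT", date(2014, 1, 1), date(2014, 12, 31)),
    RoleAssignment("RISK-0002", "RISK_OWNER", "SCHMIDT", date(2014, 7, 1), date(2015, 6, 30)),  # double
    RoleAssignment("RISK-0003", "RISK_OWNER", "SCHMIDT", date(2014, 1, 1), date(2014, 6, 30)),
    RoleAssignment("RISK-0003", "RISK_OWNER", "WEBER", date(2014, 7, 1), date(2014, 12, 31)),  # successor, OK
    RoleAssignment("RISK-0004", "RISK_VALIDATOR", "WEBER", date(2014, 1, 1), date(2014, 12, 31)),
    RoleAssignment("RISK-0004", "RISK_VALIDATOR", "FISCHER", date(2014, 1, 1), date(2014, 12, 31)),  # unique twice
    RoleAssignment("RISK-0005", "", "WEBER", date(2014, 1, 1), date(2014, 12, 31)),  # role blank
    RoleAssignment("RISK-0006", "RISK_OWNER", " ", date(2014, 1, 1), date(2014, 12, 31)),  # user blank
]

if __name__ == "__main__":
    found = check_role_assignments(SAMPLE)
    for message, object_id, role, user in found:
        print(f"{object_id}: {message} ({role} / {user!r})")
    print("Error count / Warning count / Status:", result_row(found))
```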
1.4.2.7 Reports (Master Data)

This topic lists the reports available under the Reports section of the Master Data work center.
Note
The Reports section is shared by Risk Management and Process Control. Based on the applications you have licensed, you may see only a subset of the
reports.
Risk and Control Matrix: This report provides information on the risk and control matrix. You can find out what risks specific controls are covering, under different risk models (Subprocess > Accounts Group and Assertions > Risk > Control; Subprocess > Control Objective > Risk > Control; Subprocess > Risk > Control).
Risk Coverage: This report provides visibility into the coverage of risks by controls, by organization and process. For each risk associated with a subprocess, it shows the list of controls assigned. You can review this report and understand the risk gaps to determine if new controls are needed.
Organization and Process Structure: This report provides visibility into the organization - process - subprocess - control hierarchy. You can review this report and understand what controls and processes are assigned under each of the business entities.
Indirect Entity-Level Control (iELC) Structure: This report provides visibility into the organization - indirect entity-level control structure. You can review this report and understand what indirect entity-level controls are implemented under each business entity and determine if new iELCs are needed.
Test Plan by Control: This report provides visibility into the coverage of test plans by controls, by organization and process. For each control, it shows the list of test plans assigned. You can review this report and determine if test plans have been assigned properly to all controls to be tested.
Change Analysis: This report provides visibility into all Process Control object changes and details within a selected time period. You can review this report and find out what changes (creation, modification, removal, and role assignment) have been performed on each object.
Audit Log: This report shows chronologically all changes to local and central objects within a time period. You can review this report and find out what changes have been performed on each central or local object.
Risk-Based Compliance Management: This report provides visibility into the coverage of both Risk Management and Process Control risks by organization and process. For each risk, it shows the list of controls assigned as well as the control design and testing status. You can review this report and understand the risk gaps to determine if new controls are needed.
Policies by Regulation: This report provides a method to access all policies, procedures, work instructions, and so on, that the company has in place to address a certain regulation and/or requirement.
Policies Versions: This report provides the capability to look at the different versions of a policy, procedure, work instruction, and so forth, to provide an idea of how the policy has progressed and evolved over time. This report also shows the documents (with the version numbers) that were attached to the policy object in its different versions. The ownership and creation information for each of the versions is also available in this report.
Risks Associated with Policies: This report provides the ability to access the local Risk Management risks associated with a certain policy, procedure, work instruction, and so on. It can also retrieve a report that lists all the policies, procedures, work instructions, and so forth, that the company has associated with a risk.
Processes and Controls with Policies: This report details the processes that are impacted by a certain policy. It also lists which controls are in place to ensure compliance with the policy.
Regulation/Policy Requirement-Control Coverage: This report provides visibility into the coverage of controls by requirement, by regulation or policy. For each regulation requirement, it shows the list of controls assigned. You can review this report and determine whether further controls are needed.
Control-Regulation/Policy Requirement Coverage: This report provides visibility into the coverage of requirements by controls, by organization and process. For each control, it shows the list of requirements assigned. You can review this report and determine whether further requirements could be covered by a specific control.
1.4.2.8 Content Lifecycle Management

Content Lifecycle Management (CLM) allows SAP customers to leverage application content developed by the ecosystem.
CLM helps content providers to establish a common channel for delivering application content and its subsequent changes in terms of content packages. For
customers using those packages, CLM makes it possible to analyze the content coming from different vendors in a manageable way and to keep the content that
fits closest to their business.
Features
The following functions are available to authorized users:
You can extract content in the form of a content group to CLM. These content groups are made up of individual content records that have been created within
the application. For more information about the structure of a content group, see Content Group.
Note
Content creation takes place in the application itself and not directly in CLM.
You can compare the content records in two different content group versions.
You can create packages in which to include those content groups. For more information about the structure of a package, see Package.
These packages can be exported out of CLM to be made available for import by a customer to their CLM application.
You can see the possible application systems from which you can extract content groups and to which you can deploy content groups in View System Registry. You can maintain the system registry entries in Customizing for Content Lifecycle Management under Maintain System Registry.
More Information
For more information about the different tasks that can be executed, see Content Group and Package Management.
For Content Lifecycle Management installation information, see the relevant guide of the application on SAP Service Marketplace at
http://service.sap.com/instguides.
1.4.2.8.1 Content Group

A consistent collection of content records that are defined at a specific point in time.

After content is created in an appropriate format in the application system, it can be extracted in the form of a content group to the Content Lifecycle Management
(CLM) application. Each piece of content within the content group is represented as a content record.
CLM allows you to analyze the content groups and deploy the content to a target application system, to start using it in a productive environment.
Structure
Content Group
From the CLM entry screen, go to Manage Content Groups . Each row in the table represents a content group. The following details are displayed:
Content Group
Column: Details
ID: -
Status: Represented by an icon. Possible statuses include the following:
  Initial Status
  Extracting
  Valid Content Group
  Content Validation Error
  Adding to Repository
Name: Enter this when extracting application content to a new content group.
Description: Enter this when extracting application content to a new content group.
Application: You have defined the applications that can use CLM in Customizing for Content Lifecycle Management under Define Applications.
Content Group Type: One of the following:
  Standard
  Mass Edit
  Comparison
Creation details (Created On, Created At, Created By, Last Changed On, Last Changed At, Last Changed By): Time and date of content group extraction, time and date that the last changes were made to the content group, and the person responsible for creating and changing the content group.
Source System: You have specified the possible systems in Customizing for Content Lifecycle Management under Maintain System Registry.
Each content group consists of content records. Content records are made up of business application content information and data that is required for business
applications and their users.
Example
Examples of content records:
Risk definitions for healthcare industry
Rules and rule scripts
Content maintained in planning phase activities, objectives, impacts
Content delivered for setting up applications, such as sales planning, financial consolidation
Control settings for sanctioned party list screening service
The details displayed for a content record include the following:
Content Record
Column: Details
Content Record Type: -
Time Stamp: Date and time the last updated version of a content record was extracted to CLM.
Vendor Namespace: Unique identifier of the company or organization from which the content originates.
Authoring Domain: Used to differentiate between content created for different purposes within a repository (for example, content created for healthcare or financial industries).
  Note: Content that belongs to the same authoring domain, but is created in different repositories, is treated as separate content records. This is due to the different repository IDs contained in the associated global ID.
Repository ID: Used to identify the CLM repository in which the content was created.
Modifier Namespace: Namespace of the last vendor to modify a specific content record.
Content Record Status: -
Global ID: Used to identify the content record; it is made up of the following: Repository ID, Vendor Namespace, Authoring Domain, Application Namespace, Content Record Type, and Local ID.
Integration
Caution
Do not change global ID settings (repository ID and vendor namespace) in Customizing after initial setup.
If either of these values is changed in CLM after content extraction or deployment, you lose the lifecycle of that content within CLM (the same applies to the vendor namespace and authoring domain).
For example, you extract content from system DEV on 12.01.2011 with a specific set of values for the global ID. All content records in this content group have
the same global ID values for application namespace, repository ID, vendor namespace, and authoring domain based on time of extraction. The content
record type and local ID differ according to the content record. If the content group has repository ID: CLM_001 and you change it to CLM_XX1, the link
between the global ID values for different versions of the content group is broken.
When you extract the same set of content records to CLM again, you receive a new identification for this set of content records. As a result you have two
distinct sets of the same application content with no linking between the global IDs.
Note
Do not change your RFC destination settings after initial setup or make sure your RFC destinations are reflected in CLM system registry if changed.
The ideal scenario for CLM is to extract application content from one consolidated system and use it for distribution to customer landscapes or for deployment to
different target systems. It is also technically possible to extract similar content from different systems.
There can be two options in CLM based on your configuration:
Multiple versions of same content
If the parameters contributing to the global ID are the same and if content is extracted from multiple systems with the same local IDs for the content records,
CLM stores different versions of the same content. For example, risk category: 00000001 coming from both system DEV and system PROD does not
result in two new content records in CLM, but in two different versions of the same content record. The active version is the version coming from the most
recent system.
Different content records with same content
If you want to treat application content with the same local IDs, but coming from two different systems, differently, you must use appropriate Customizing to
trigger the corresponding behavior in CLM. If you want risk category: 00000001 from system DEV to be completely different from risk category: 00000001
from system PROD, you must identify your systems differently by choosing different parameters that are visible in the CLM repository. For example, use
different authoring domains: GERMANY for system DEV and FRANCE for system PROD so that you have different content records in CLM (not different
versions of the same record) with different global IDs.
For more information about system registry and authoring domain, see Customizing for Content Lifecycle Management .
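The following added example (not part of the SAP documentation) models the three situations described above in Python: the global ID is a six-part key, two extractions with identical parameters become versions of one record, different authoring domains yield distinct records, and a changed repository ID silently breaks the link between extractions. Class names, the vendor namespace ACME and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Hypothetical stand-in for the CLM global ID with the six parts the documentation lists:
# Repository ID, Vendor Namespace, Authoring Domain, Application Namespace,
# Content Record Type and Local ID. Field names are assumptions for illustration.
@dataclass(frozen=True)
class GlobalId:
    repository_id: str
    vendor_namespace: str
    authoring_domain: str
    application_namespace: str
    record_type: str
    local_id: str


@dataclass
class Version:
    source_system: str  # system the record was extracted from (DEV, PROD, ...)
    payload: dict       # constructed sample content of the record


class Repository:
    """Toy CLM repository: one entry per global ID, holding its versions in extraction order."""

    def __init__(self) -> None:
        self.records: Dict[GlobalId, List[Version]] = {}

    def extract(self, gid: GlobalId, source_system: str, payload: dict) -> GlobalId:
        # An extraction with an already known global ID adds a version to that record
        # instead of creating a new record ("Multiple versions of same content").
        self.records.setdefault(gid, []).append(Version(source_system, payload))
        return gid

    def active_version(self, gid: GlobalId) -> Version:
        # The active version is the one from the most recent extraction.
        return self.records[gid][-1]

    def version_count(self, gid: GlobalId) -> int:
        return len(self.records.get(gid, []))

    def config_drift(self, repository_id: str, vendor_namespace: str) -> List[GlobalId]:
        """Records whose stored global ID no longer matches the current Customizing values.
        A non-empty list means the 'do not change after initial setup' rule was broken.
        This check is an addition for illustration, not a CLM function."""
        return [g for g in self.records
                if g.repository_id != repository_id or g.vendor_namespace != vendor_namespace]


def make_gid(repository_id: str, authoring_domain: str, local_id: str) -> GlobalId:
    # Constructed sample values for the parts that stay the same in all scenarios.
    return GlobalId(repository_id, "ACME", authoring_domain, "GRC_RM", "RISK_CATEGORY", local_id)


def scenario_same_parameters() -> Tuple[int, int, str]:
    """DEV and PROD share every global-ID parameter: one record, two versions, PROD active."""
    repo = Repository()
    gid = repo.extract(make_gid("CLM_001", "GLOBAL", "00000001"), "DEV", {"name": "Operational risk"})
    repo.extract(make_gid("CLM_001", "GLOBAL", "00000001"), "PROD", {"name": "Operational risk"})
    return len(repo.records), repo.version_count(gid), repo.active_version(gid).source_system


def scenario_different_authoring_domains() -> int:
    """Authoring domain GERMANY for DEV and FRANCE for PROD: two distinct records."""
    repo = Repository()
    repo.extract(make_gid("CLM_001", "GERMANY", "00000001"), "DEV", {"name": "Operational risk"})
    repo.extract(make_gid("CLM_001", "FRANCE", "00000001"), "PROD", {"name": "Operational risk"})
    return len(repo.records)


def scenario_repository_id_changed() -> Tuple[int, int, int]:
    """Repository ID changed from CLM_001 to CLM_XX1 between two extractions of the same
    records: the second set is unrelated to the first, so the lifecycle link is lost."""
    repo = Repository()
    first = repo.extract(make_gid("CLM_001", "GLOBAL", "00000001"), "DEV", {"name": "v1"})
    second = repo.extract(make_gid("CLM_XX1", "GLOBAL", "00000001"), "DEV", {"name": "v2"})
    drifted = repo.config_drift(repository_id="CLM_XX1", vendor_namespace="ACME")
    return repo.version_count(first), repo.version_count(second), len(drifted)


if __name__ == "__main__":
    print(scenario_same_parameters())              # (1, 2, 'PROD')
    print(scenario_different_authoring_domains())  # 2
    print(scenario_repository_id_changed())        # (1, 1, 1)
```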
The content group is involved in the following functions:
Extracting a content group from an application
Editing the content group in CLM
Deploying the content group to an application
More Information
For more information about the different tasks you can execute for content groups, see Content Group and Package Management.
1.4.2.8.2 Package

A collection of content groups, combined with metadata and attachments.

After content is extracted in the form of a content group from an application system to Content Lifecycle Management (CLM), the content group can be added to a
package within CLM. Packaging related content groups allows you to transfer the package and its content across system landscapes.
CLM allows a vendor to export a package as a zip file. A customer can import that package into CLM on their system and add the individual content groups to the
CLM repository for analysis.
Structure
Package
From the entry screen, go to Manage Packages . Each row in the table represents a package. The following details are displayed:
Column: Details
ID: -
Status: Represented by an icon. Possible statuses include the following:
  Open
  Locked
  Exported
  Import in Progress
  Imported
Name: Enter this when creating a new package.
Vendor: Enter this when creating a new package; the vendor responsible for creating the package.
Series: Enter this when creating a new package; allows sorting of packages.
Version Number: Enter this when creating a new package; identifies the version of the package.
Description: Enter this when creating a new package.
Creation details (Created On, Created At, Created By, Last Changed On, Last Changed At, Last Changed By): Time and date of package creation, time and date that the last changes were made to the package, and the person responsible for creating and changing the package.
Integration
The package is involved in the following functions:
Creating a package (adding content groups and attachments)
Exporting a package as a zip file from CLM
Importing a package to CLM
More Information
For more information about the different tasks you can execute for packages, see Content Group and Package Management.
1.4.2.8.3 Content Group and Package Management

Depending on your role and requirements, you can perform specific tasks on content groups or packages within the Content Lifecycle Management (CLM)
application.
An administrator or domain expert at the vendor side can create, edit, and package content groups, and export those packages to make them available to the
customer.
An administrator or domain expert at the customer side can import packages, add content groups to the CLM repository, compare content groups, and deploy
content groups to their system.
Caution
The CLM UI times out if any of the following steps takes more than 300 seconds: Upload or download, import or export. This can occur, for example, due to a
file size being too large or a slow-running system.
Prerequisites
The appropriate permissions must have been assigned for vendor or customer tasks.
The necessary settings have been made in Customizing for Content Lifecycle Management .
Process
The following steps are involved in an end-to-end content group extraction to content group deployment cycle using CLM.
Vendor Process
Note
Content creation is an application-specific task and is done in an application system that interacts with CLM. Content records are not created in CLM.
1. An administrator or domain expert extracts managed content from the application system or systems. That content is extracted in the form of a content group
comprising multiple content records.
For more information, see Content Group and the procedure for extracting and editing content groups.
2. You can view and edit the content group details.
3. You create a package.
This step involves creating a new package and packaging the selected content groups and attachments.
For more information about the structure of packages, see Package and the procedure for creating and editing packages.
4. You can view and edit the package details and copy the package if necessary.
5. You lock a package to prepare it for export.
6. You can export that package as a zip file to make it available for import by the customer.
For more information, see Package Export.
Customer Process
1. An administrator imports a package and views the content groups and attachments contained in the package.
The new package received by a customer from the vendor is imported to CLM on the target system.
For more information, see Package Import.
2. You can add the individual content groups contained in the package to the CLM repository, making the content ready for analysis within CLM.
3. If the feature is available, you can download a content group to your local system for mass editing before uploading back into CLM.
4. A domain expert on the customer side can compare the differences between two versions of a content group extracted at different times.
For more information, see Content Group Comparison .
5. Once the content has been analyzed, an administrator can deploy the content to the respective application systems.
For more information, see Content Group Deployment .
6. You can view the deployment details in the Deployment Log .
Result
According to the role that has been assigned to you, you have executed tasks in CLM, from the extraction and packaging of a content group to the deployment of a
content group to an application system.
1.4.2.8.3.1 Extracting and Editing Content Groups

You can extract content from the application system to a content group and execute tasks on the content group.
Prerequisites
You must have the appropriate permissions assigned to be able to extract and edit content groups.
Procedure
From the Content Lifecycle Management entry screen, go to Manage Content Groups :
Function: Extracting content from the application system in the form of a content group
  Navigation: Choose Extract. Select the system you want to extract the content from and specify a name for the content group. You can also enter a description and comment.
  More information: A new content group appears in the list with details about the creation date and time, source system details, and content group type.
  Caution: Make sure that there are no content records that have a blank key or ID in your application. For example: if the impact category or response type in risk management configuration data accepts blank keys, and that data is extracted to CLM, the data will not pass XML validation.
Function: Displaying the content of a content group
  Navigation: Select the content group from the list and choose View.
  More information: This displays details about the content records contained in the content group, including the type, ID, and vendor namespace.
Function: Editing a content group
  Navigation: Select the content group from the list and choose Edit. Edit the name and description of the content group.
  More information: It is not possible to add or remove content records. The content records are automatically extracted in the content group when you select the system.
Function: Deleting a content group
  Navigation: Select the content group from the list and choose Delete.
Function: Displaying the history of content group activities
  Navigation: Select the content group from the list and choose View History.
  More information: This displays a record of all activities that have been executed on that content group.
Function: Downloading a content group to your local system, editing the content records, and uploading a content group back into CLM
  Navigation: Choose Mass Edit and select one of the dropdown menu options.
  More information: For more information about these tasks, see Mass Edit.
Function: Displaying the differences between two versions of a content group extracted at different times
  Navigation: Select a content group from the list and choose View Differences.
  More information: For more information, see Content Group Comparison.
Function: Deploying a content group to an application system
  Navigation: Choose Deploy.
  More information: For more information, see Content Group Deployment.
Result
You have extracted content in the form of a content group from an application system and can display, edit, and execute other tasks for that content group.
1.4.2.8.3.1.1 Mass Edit

You can download a content group to your local system for editing and analysis. You can upload content, which is in XML format, from your local system to Content
Lifecycle Management (CLM).
Prerequisites
To be able to download a content group for editing, there must be a valid content group available in CLM.
To upload content to CLM, the content must be in a compatible XML file on your local system.
Features
You can download a content group in XML format to be able to analyze and edit that content in a third-party application.
You can upload new content or content you have previously downloaded to your local system into CLM. When you upload the content, it is entered as a
content group. This allows you to analyze the content group in CLM, compare with other content groups, and package or deploy the content group.
Activities
Download
To download content to an XML file, choose Mass Edit Download to XML .
Upload
To upload content from an XML file, choose Mass Edit Upload from XML .
For more information, see Downloading and Uploading with XML.
1.4.2.8.3.1.1.1 Downloading and Uploading with XML

You can download a content group to your local file system in XML format and analyze the XML file using a third-party application. You can upload the content
back into CLM (Content Lifecycle Management).
Prerequisites
A content group must be available in CLM for download.
Content must be available in the appropriate XML format for upload to CLM.
Procedure
Caution
You cannot move content across landscapes using the download and upload functions. You can download and upload content in the same CLM repository
(system-wide instance) in the form of content groups.
For content shipment across CLM repositories and across landscapes, packages must be used. Within a package, include existing content groups from CLM
and use the packages for content distribution.
Mass Editing with XML
From the Content Lifecycle Management entry screen, go to Manage Content Groups .
1. Select a content group from the list and choose Mass Edit Download to XML .
You must specify the location on your local system where you want to save the content group. It is saved as a zip file.
2. Extract the content of the zip file to a folder.
The XML file and metadata is extracted.
3. You can analyze and edit the content of the XML file using a third-party application.
4. To upload the content back into CLM, you need to upload only the XML file.
In the Manage Content Groups screen, choose Mass Edit Upload from XML and select the XML file to upload back into CLM.
The uploaded content is represented as a new content group in the list.
1.4.2.8.3.2 Creating and Editing Packages

You can create packages containing content groups and attachments and edit the content of those packages.
Prerequisites
You must have the appropriate permissions assigned to be able to create and edit packages.
Procedure
From the Content Lifecycle Management entry screen, go to Manage Packages :
Function: Creating a new package
  Navigation: Choose Create. Specify a name for the new package.
  More information: You also have the option of entering a description, version number, series, and responsible vendor for the package.
Function: Adding content groups and attachments to the package
  Navigation: In the Create Package window, under the Content Groups tab, choose Add. Select the content groups you want to add. Under the Attachments tab, choose Add. Browse for the files you want to add.
  More information: You can search for specific content groups that were created within a specific period. You can provide a name and type for the attachments you add to the package.
  Note: Two different content groups that contain different versions of the same content record cannot be packaged together; each content record can only exist once within a package. You can check the timestamp for content records in the content groups. If there is a content record in both content groups with the same local ID, you can only add one of the content groups to the package.
Function: Displaying the content of a package
  Navigation: Choose View.
  More information: You can see all content groups and attachments contained in the package. You cannot make any changes to the package content here.
Function: Editing a package
  Navigation: Choose Edit.
  More information: You can add or remove content groups and attachments. You can change the name and other details about the package.
Function: Deleting a package
  Navigation: Select the package from the list and choose Delete.
Function: Copying a package
  Navigation: Select the package from the list and choose Copy.
  More information: The copied package appears in the list of packages. When copying, you can edit the package details and add or remove content.
Function: Displaying the history of package activities
  Navigation: Select the package from the list and choose View History.
  More information: This displays a record of all activities that have been executed on that package.
Function: Locking a package
  Navigation: To prepare a package for export, choose Lock.
Function: Exporting a package
  Navigation: To make a package available for customers to import as a zip file, choose Export.
  More information: For more information, see Package Export.
Function: Importing a package
  Navigation: To add a package to CLM that has been made available by a vendor, choose Import.
  More information: For more information, see Package Import.
Recommendation
We recommend creating multiple small packages with content groups that logically belong together and fewer attachments instead of one large package. This
helps to improve performance and minimize timeout and memory-exhaustion issues during package export or import.
Examples of suitable attachments: readme files or help documents, not media or bulk files.
Result
You have created a new package containing content groups and attachments and can execute different tasks on that package.
1.4.2.8.3.3 Package Export

As a vendor, you can export a package from the Content Lifecycle Management (CLM) application to make it available for import on the customer side to their
CLM application.
Prerequisites
You have locked the package meaning that no changes can be made to that package.
Features
Exporting a package makes the content of that package (content groups and the associated content records, and attachments) available to customers. The vendor
chooses an appropriate location to which to export the package.
Note
The customer must have access to this location to be able to import the package.
Activities
To export a package as a zip file from CLM, you choose Export and specify the location where you want to export the package to. The status of the package is
shown as Exported in CLM.
The package is now ready for import to the customer's CLM application (see Package Import). You advise the customer of the location where the package has
been exported to.
More Information
For more information about the structure of packages, see Package.
1.4.2.8.3.4 Package Import

A customer can import a package and add the content groups and attachments contained in that package to the Content Lifecycle Management (CLM) repository
for analysis and comparison.
Prerequisites
A package is available in the appropriate format for import to CLM (see Package Export).
Features
When an available package is imported into the customer's CLM application, they can look at the list of contained content groups and attachments individually.
They can decide which ones they want to add to the CLM repository for analysis, comparison, and subsequent deployment to their application system.
Activities
You receive a new package from a vendor. Choose Import and select the location where the package is stored.
When the package has been imported, the list of content groups and attachments contained in the package are displayed.
You can preview the content before adding to the repository.
To add specific content groups to CLM to allow for analysis and comparison, select the Add to Repository checkbox.
The default setting is for all content groups and attachments to be added to the repository.
More Information
For more information about the structure of packages, see Package.
1.4.2.8.3.5 Content Group Comparison

You can compare two different content group versions.
Features
You compare a selected content group (new content group) with an older content group, which was extracted to the Content Lifecycle Management (CLM)
application at an earlier date. You can see if there have been any added, modified, or deleted content records between the content group versions. You can
choose to accept or reject the changes for each content record.
Example
New SOX controls for the drug manufacturing process have been released by the vendor as part of the life science regulatory controls package. This package
contains a new content group with the same name as an older content group in CLM.
The customer already has a drug manufacturing process and its associated controls saved in their system. They want to analyze the differences between this
existing version and the new version released by the vendor. After analysis, the customer decides to add the new controls introduced by the vendor to the
existing drug manufacturing process.
You can save the comparison content group as a draft until you have processed each of the changes; you can then check it into the CLM repository.
The new content group version that is generated represents the result of the comparison.
Activities
To compare different content group versions, select a content group from the list and choose View Differences .
More Information
For more information, see Comparing Content Groups.
1.4.2.8.3.5.1 Comparing Content Groups

You can see the content records that have been added, modified, or deleted between two different versions of a content group, which were extracted to the Content
Lifecycle Management (CLM) application at different points in time. You can accept or reject any changes between the old and new content groups.
Procedure
1. Select a content group from the list and choose View Differences .
2. Select the Old Content Group that you want to compare with a previous version of the content group that is already available in CLM.
The New Content Group corresponds to the one you selected from the list and that field is grayed out with your selection.
3. Choose Compare .
A list of changes to the content records in the content group appears in the table. You can see details about the content record's name, description, and
creation details, as well as the type of difference: New , Added , Modified , Deleted .
Type of Change: Behavior
Added: If you choose Accept in the Decision column, the new content record is added to the comparison content group. This content record was not available in the old content group, but is part of the new content group.
Modified: If you choose Accept in the Decision column, the changes made to the content record in the new content group are added to the comparison. If you choose Reject, the old version of the content record is included in the comparison.
Deleted: If you choose Accept in the Decision column, the content record is not included in the comparison content group. This content record was available in the old content group, but is not part of the new content group.
When you select a content record from the list, detailed information about the differences and a where-used list can be found under Details .
4. In the Decision column, you need to decide whether to Accept or Reject the changes for each content record.
If you need to leave a content record decision open, for example, if you require input from another user, select Unprocessed from the dropdown list.
Note
To be able to check in the comparison content group, you must have resolved all differences. To save your entries when there are still unprocessed
changes remaining, choose Save Draft . A content group is created with type Comparison .
5. To continue processing the changes, select the Comparison content group and choose View Differences .
Note
Any user can continue to process the changes in a draft content group; however, parallel updates are prevented for the same content group. If one user
is editing the draft content group, another user cannot make changes to that content group at the same time.
6. When you have resolved all differences between the old and new content group, by accepting or rejecting the changes, you can save this as a new content
group by choosing Check In .
7. The default name of the comparison content group is the same as the new content group. The description is a combination of the descriptions for the new
and old content groups.
A new content group appears in the list with status New and type Comparison .
The user can change the name and description at a later stage by choosing Edit .
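An added Python model of the comparison procedure above (illustration, not CLM code): it classifies records by local ID as Added, Modified or Deleted, applies the Accept/Reject decisions, and refuses to check in while any decision is still Unprocessed. The record fields and the sample control records are constructed; the behavior of Reject for Added and Deleted changes is the natural complement of the Accept behavior the table describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Change types and decisions use the names shown in the procedure; the record model is a
# constructed stand-in (real CLM records carry more fields than name and description).
ADDED, MODIFIED, DELETED = "Added", "Modified", "Deleted"
ACCEPT, REJECT, UNPROCESSED = "Accept", "Reject", "Unprocessed"


@dataclass
class ContentRecord:
    local_id: str
    name: str
    description: str


@dataclass
class Difference:
    local_id: str
    change: str
    old: Optional[ContentRecord]
    new: Optional[ContentRecord]
    decision: str = UNPROCESSED  # every change starts open, as in the Decision column


def compare(old_group: Dict[str, ContentRecord],
            new_group: Dict[str, ContentRecord]) -> List[Difference]:
    """Classify records by local ID as Added, Modified or Deleted; unchanged ones are not listed."""
    diffs: List[Difference] = []
    for lid in sorted(set(old_group) | set(new_group)):
        old, new = old_group.get(lid), new_group.get(lid)
        if old is None:
            diffs.append(Difference(lid, ADDED, None, new))
        elif new is None:
            diffs.append(Difference(lid, DELETED, old, None))
        elif (old.name, old.description) != (new.name, new.description):
            diffs.append(Difference(lid, MODIFIED, old, new))
    return diffs


def check_in(old_group: Dict[str, ContentRecord],
             diffs: List[Difference]) -> Dict[str, ContentRecord]:
    """Build the comparison content group. Like Check In, it refuses while any decision is
    still Unprocessed (such a state can only be kept as a draft)."""
    open_ids = [d.local_id for d in diffs if d.decision == UNPROCESSED]
    if open_ids:
        raise ValueError(f"unprocessed changes remain for {open_ids}; save as draft instead")
    result = dict(old_group)  # unchanged records carry over untouched
    for d in diffs:
        if d.change == ADDED and d.decision == ACCEPT:
            result[d.local_id] = d.new      # Accept: the new record is added
        elif d.change == MODIFIED:
            result[d.local_id] = d.new if d.decision == ACCEPT else d.old
        elif d.change == DELETED and d.decision == ACCEPT:
            del result[d.local_id]          # Accept: the record is not included
        # A rejected Added or Deleted change leaves the old group's state for that record.
    return result


def check_in_is_blocked(old_group: Dict[str, ContentRecord], diffs: List[Difference]) -> bool:
    """True if Check In is refused because decisions are still open."""
    try:
        check_in(old_group, diffs)
        return False
    except ValueError:
        return True


def sample_groups():
    """Constructed example in the spirit of the page: an existing drug manufacturing
    process and a vendor release that changes, drops and adds controls."""
    old = {
        "CTRL_001": ContentRecord("CTRL_001", "Batch release approval", "QA signs off each batch"),
        "CTRL_002": ContentRecord("CTRL_002", "Cleanroom log", "Manual logbook"),
        "CTRL_004": ContentRecord("CTRL_004", "Supplier audit", "Annual audit"),
    }
    new = {
        "CTRL_001": ContentRecord("CTRL_001", "Batch release approval", "QA and QP sign off each batch"),
        "CTRL_003": ContentRecord("CTRL_003", "Serialisation check", "Verify unit serial numbers"),
        "CTRL_004": ContentRecord("CTRL_004", "Supplier audit", "Annual audit"),
    }
    return old, new


def run_example() -> Dict[str, ContentRecord]:
    """Accept the new and changed controls, but keep the control the vendor dropped."""
    old, new = sample_groups()
    diffs = compare(old, new)
    for d in diffs:
        d.decision = REJECT if d.change == DELETED else ACCEPT
    return check_in(old, diffs)


if __name__ == "__main__":
    for lid, rec in sorted(run_example().items()):
        print(lid, rec.name, "-", rec.description)
```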
1.4.2.8.3.6 Content Group Deployment

You can deploy a content group to make its content available in an application system.
Prerequisites
You have the appropriate permissions assigned for deploying content groups.
Features
Deploying content from the Content Lifecycle Management (CLM) application makes it available in an application system. CLM allows administrators to deploy all
the content records that have been resolved and identified for deployment to a target application system.
Example
A user receives new comparison terms (generic and phonetic settings) for the sanctioned party list and deploys them to a target application client. These include
updates to Customizing and master data in the target system.
Since a typical customer landscape can consist of development, quality/consolidation, and productive systems, it is possible to deploy to multiple systems.
The deployment of content to an application system is done at content group level. If the same content group is deployed to more than one system, the local ID for
each content record differs in each system. As long as the deployment is done through CLM, CLM holds a common global ID for each content record along with
the appropriate mapping. It is possible to track a system and its respective local ID through CLM.
The deployment log displays details about the deployment status of a content group, as well as the time of deployment, and system details of the system to which
you deployed the content group.
Caution
CLM uses background job SBC_CLM_POLL_DEPLOY_RESULTS to poll results after deployment. The polling count can expire if the deployment takes a
long time, especially when the content being deployed is too large. In such cases, you must clearly define the count of the polling job and adjust it through
Customizing in CLM. If the count is too small, CLM could lose track of the deployment and become out of sync with the target system.
Activities
To deploy content to an application system, you select the specific content group from the list and choose Deploy . You must specify the location where you
want to deploy the content group to.
Note
While deployment of a content group is taking place to a system, no other user can deploy the same content to the same system. Deployment of the
content group is locked until the deployment is finished or an error is reported.
To display deployment details, choose Deployment Log .
More Information
Caution
Any cleanup of the archive in the application system does not imply clean ID mapping in the CLM repository.
If you deployed an initial version of CLM content to an application system and you subsequently cleaned up the application content in the system, CLM still
refers to the old mappings from the CLM repository to the same system for any subsequent deployments. This is because the CLM repository keeps the
reference to local application IDs for each deployment. In case of subsequent deployments, CLM refers to old mappings to decide if the content record was
already deployed or is new during deployment.
CLM allows you to deploy the same content group to multiple application systems. This provides the option of loading or synchronizing various application
systems with the same content coming through CLM. Since deployment is not reversible, you must understand the impact of deployment to different systems
clearly. Consider the following example:
Example
1. You as a customer receive a new vendor package, which carries enhancements to old content.
2. You compare this new vendor content with existing content from system A.
The differences between content from vendor and content from system A are compared and decisions are made using View Differences .
3. When you deploy the comparison content group to target system A, you are deploying the correct content.
4. If you deploy the comparison content group to system B, you could be deploying incorrect content.
System B content was not compared with the new vendor content and that system might not be exactly the same as system A.
Hence if two systems, A and B, have different application content, you must extract the content from both systems, create two comparison or delta content
groups in CLM and deploy the comparison content groups to each relevant system.
Recommendation
We recommend that you create comparison content groups based on the latest extraction from a target system before deployment. Do not compare an old
extraction with new vendor content.
You compare the content, save the comparison or delta content group in CLM, and deploy the comparison content group to the target system.
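An added Python model (not CLM code) of the mapping behavior described in this section: CLM keeps a per-system mapping from global ID to local ID, so the same content group receives different local IDs in DEV and PROD, and after an application-side cleanup the stale mapping makes CLM treat records as already deployed rather than new. Class and method names, the sample global IDs and the stale-mapping check are assumptions added for illustration.

```python
from typing import Dict, Set, Tuple

# Constructed stand-in for the bookkeeping described above: CLM keeps, per target system,
# a mapping from a record's global ID to the local ID the target assigned, and uses it to
# decide whether a record is already deployed (update) or new (create). Class and method
# names are assumptions; they are not CLM's own API.


class TargetSystem:
    """Toy application system. Local IDs are issued by the system, so they differ per system."""

    def __init__(self, name: str, id_prefix: str) -> None:
        self.name = name
        self.id_prefix = id_prefix
        self.records: Dict[str, dict] = {}
        self._counter = 0

    def create(self, payload: dict) -> str:
        self._counter += 1
        local_id = f"{self.id_prefix}{self._counter:08d}"
        self.records[local_id] = dict(payload)
        return local_id

    def update(self, local_id: str, payload: dict) -> None:
        if local_id not in self.records:
            raise KeyError(f"{self.name}: local ID {local_id} does not exist")
        self.records[local_id].update(payload)

    def cleanup(self) -> None:
        """Application-side archive cleanup. CLM is not informed, so its mappings go stale."""
        self.records.clear()


class ClmDeployer:
    def __init__(self) -> None:
        # (target system name, global ID) -> local ID in that system
        self.mapping: Dict[Tuple[str, str], str] = {}

    def deploy(self, group: Dict[str, dict], target: TargetSystem) -> Dict[str, str]:
        """Deploy a content group; returns {global_id: 'created' | 'updated'} for the log."""
        log: Dict[str, str] = {}
        for gid, payload in group.items():
            key = (target.name, gid)
            if key in self.mapping:  # CLM believes this record is already deployed
                target.update(self.mapping[key], payload)
                log[gid] = "updated"
            else:
                self.mapping[key] = target.create(payload)
                log[gid] = "created"
        return log

    def stale_mappings(self, target: TargetSystem) -> Set[str]:
        """Global IDs whose mapped local ID no longer exists in the target. This check is an
        addition for illustration; the page only says that CLM keeps using the old mappings."""
        return {gid for (sys_name, gid), lid in self.mapping.items()
                if sys_name == target.name and lid not in target.records}


def scenario() -> dict:
    # Constructed content group: two records identified by their global IDs.
    group = {"GID-RISKCAT-0001": {"name": "Operational risk"},
             "GID-RISKCAT-0002": {"name": "Compliance risk"}}
    clm = ClmDeployer()
    dev, prod = TargetSystem("DEV", "D"), TargetSystem("PROD", "P")

    first_dev = clm.deploy(group, dev)    # all created
    first_prod = clm.deploy(group, prod)  # created again, with PROD's own local IDs
    second_dev = clm.deploy(group, dev)   # mapping found -> all updated

    dev.cleanup()                         # archive cleanup in DEV, outside CLM
    stale = clm.stale_mappings(dev)
    try:
        clm.deploy(group, dev)            # CLM still treats the records as deployed
        redeploy_after_cleanup = "ok"
    except KeyError as err:               # in this toy model the update has no target
        redeploy_after_cleanup = f"failed: {err}"

    return {
        "first_dev": first_dev,
        "first_prod": first_prod,
        "second_dev": second_dev,
        "local_ids_differ": clm.mapping[("DEV", "GID-RISKCAT-0001")]
                            != clm.mapping[("PROD", "GID-RISKCAT-0001")],
        "stale_after_cleanup": sorted(stale),
        "redeploy_after_cleanup": redeploy_after_cleanup,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```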
1.4.3 Rule Setup

The Rule Setup work center provides a central location to set up automated tests and monitor controls, maintain schedules for continuous control monitoring, and
perform legacy automated monitoring.
The Rule Setup work center contains the following sections:
Continuous Monitoring
Key Risk Indicators
Note
The Rule Setup work center is shared by the Access Control, Process Control, and Risk Management products in the GRC Application. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions specific to Risk
Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for the application-specific functions.
More Information
Rule Setup - Access Control specific topics
Rule Setup - Process Control specific topics
1.4.3.1 Continuous Monitoring

Depending on the products you have licensed, the Continuous Monitoring section of the Rule Setup work center gives you access to the following:
Data Sources
Business Rules
Business Rule Assignment
More Information
Continuous Monitoring Overview
1.4.3.2 Key Risk Indicators

Key risk indicators (KRI) are scores used to quantify risks and make them transparent on a cross-organization basis. Based on a combination of organization and
risk category, KRIs represent the current state of the business.
Key risk indicators therefore represent a rational and quantitative measure of a particular risk at a particular time. Risk indicators previously entered provide the
risk owner with a series of warning lights that help the owner comprehend the current risk the company is taking. One important application is to use risk data to
calculate KRIs for early indications of your organization's strategic target achievement.
You can enter key risk indicators manually or automatically. The system can also calculate the scores using other KRIs. You can further automate your analysis
by defining aggregation hierarchies based on organizations or risk categories, which are available for display using the KRI Aggregation report.
Note
Key risk indicators differ from Key Performance Indicators (KPI) in that the latter are intended to show how well something is being done by measuring past
performance. KRIs, in contrast, are an indicator of the possibility of a future adverse impact on the organization.
Key risk indicators can be used in the following areas:
In Management Accounting
To ensure there is no budget overrun (evaluation by cost centers, internal orders, projects)
To collect all posting reversals
In Liquidity & Cash Management
To obtain a liquidity forecast
To evaluate cash positions
In Treasury & Risk Management
To monitor overdue payments
In Financial Supply Chain Management
To evaluate DSO (days sales outstanding)
To evaluate by risk class (of all customers within a credit segment, weighted by credit exposure)
To evaluate credit limit utilization (percentage of credit exposure compared to the approved credit limit of customers within a credit segment)
Features
The following functions are available with key risk indicators:
Creating KRI Templates
Creating KRI Implementations of a template
Assigning KRIs to a Risk
Using workflows for KRI implementation requests and KRI instance localization requests
Creating KRI Business Rules
Example
A budget overrun is defined as the planned budget minus the actual budget costs. If the result is less than zero, the budget has been overrun and represents
a risk. If the budget overrun is defined as a key risk indicator, a calculation to this effect is stored in the system. When the budget is then overrun, the risk
manager receives a message on it. It is possible to define, for example, that:
The KRI compares the actual and planned costs per cost center.
The system checks the balance against a threshold previously defined for the KRI.
1.4.3.2.1 Creating KRI Templates

You can set up predefined key risk indicators (KRI) for your company by creating KRI templates. For each template, you can then create several different KRI
implementations.
Prerequisites
You can optionally define the systems, business processes, and components used for key risk indicators in Customizing.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Templates.
The KRI Template Catalog screen appears displaying the existing KRI templates.
2. Choose the Create pushbutton.
The Create KRI Template screen appears.
3. In the General tab, specify the general template information.
1. In the KRI Template Name field, type the name of the KRI template.
2. In the Description field, type a description of the KRI template.
3. In the Value Type field, type or select a value type.
You can select from among the following types:
Number
Currency
Quantity
Score
4. In the Risk Category field, type or select the risk category associated with the KRI template.
This field is only required if you select Score as the Value Type.
5. In the System field, type or select the system associated with the KRI template.
6. In the Valid from field, type or select the date from which the KRI template is valid.
7. In the Valid to field, type or select the date to which the KRI template is valid.
4. In the Attachments and Links tab, specify the attachments and links for the KRI template.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
5. Choose the Save pushbutton.
Result
After defining KRI templates, you can assign the templates to individual risk templates or risk categories. You can subsequently use this information when you
create a KRI instance for a risk, enabling you to obtain a selection of available KRI implementations.
For more information about creating implementations, see Creating KRI Implementations.
Note
You can also assign a KRI template to a risk category when you create the risk classification hierarchy. For more information, see Classifying Risks,
Opportunities, and Responses.
Example
For the risk Potential employee accidents belonging to the risk category Environmental health & safety risks, only the key risk indicators related to this risk
category are available for use. Examples would be Near misses or Number of security violations.
1.4.3.2.2 Creating KRI Implementations

A key risk indicator (KRI) implementation is the actual application of a KRI template. For each implementation, you can have several KRI instances (a KRI
implementation assigned to a specific risk). The prerequisite for creating a KRI instance is a saved KRI implementation.
Note
You create a KRI instance for a specific risk. For more information, see Assigning KRIs to a Risk.
Prerequisites
You need to fulfill the following prerequisites before you can create a KRI implementation:
Complete the Customizing activities for system connectivity for key risk indicators, so that the KRI system knows from which system the data is to be taken.
Create the KRI template with which to implement the KRI. For more information, see Creating KRI Templates.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Implementations.
The KRI Implementation Catalog screen appears displaying the existing KRI implementations.
2. Choose the Create pushbutton.
The Create KRI Implementation screen appears.
3. In the General tab, specify the general implementation information.
1. In the KRI Implementation Name field, type the name of the KRI implementation.
2. In the KRI Template field, type or select the name of the KRI template.
3. In the Description field, type a description of the KRI implementation.
4. In the Connector Type field, type or select a connector type.
You can select from among the following types:
SAP BW Query
SAP Query
SAP Table
Web Service
5. In the Connector field, choose the connector associated with the KRI implementation using the drop-down list.
To test the connector, choose the Test Connector pushbutton.
6. In the Script field, choose the script associated with the KRI implementation using the drop-down list.
To test the script, choose the Test Script pushbutton.
7. In the Valid from field, type or select the date from which the KRI implementation is valid.
8. In the Valid to field, type or select the date to which the KRI implementation is valid.
4. In the Implementation Detail tab, specify the implementation details for the KRI implementation.
1. In the Value Column field, choose the value column using the drop-down list.
2. In the Aggregation Function field, choose the aggregation function using the drop-down list.
3. In the Selection Table, specify the selection criteria by adding or removing selection entries.
5. In the Attachments and Links tab, specify the attachments and links for the KRI implementation.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
6. Choose the Save pushbutton.
Note
For more information about how to work with queries, see Technical Requirements for BW Queries and Technical Requirements for SAP Queries.
1.4.3.2.2.1 Technical Requirements for BW Queries

You can use the SAP NetWeaver Business Warehouse (BW) Query functionality for key risk indicators in Risk Management, or for automated controls in Process
Control. However, you must observe specific technical requirements regarding the Query Designer in the Business Warehouse. These are described in the table
below.
Technical Requirement: Description
Hierarchies off: The data-oriented queries do not need the collapse-and-expand feature. The query is expected to return only the fixed given level and no virtual aggregation nodes above it. The best way to accomplish this is to switch off the hierarchies in the hierarchical characteristics.
Results rows set to Always suppress: Aggregation is done on the Risk Management side, which cannot distinguish data rows from subtotal rows. If result rows are returned, some of the output figures are itemized twice.
Restricted filtering options: Risk Management and Process Control currently support only optional single values and select-options. Other possibilities supported by the Query Designer, such as interval values or multiple single values, are not supported.
Key figures only in columns: Key figures are currently not supported in the rows area. This means that some kinds of 0MEASURE-based queries are not supported. For Process Control usage, only one key figure should be assigned in the columns area; it is then considered the deficiency field of the corresponding automated control.
Characteristics in columns: If characteristics are in a column, the values must be fixed in the Query Designer so that the number of columns remains stable and Risk Management or Process Control can use the columns for reference and for further settings. In Process Control, characteristics cannot be in the columns area, but only in the rows area.
Note
When working with BW queries, do not make use of the queries designed for end users. Instead, create a new query by making a copy of an existing BW
query definition, making sure to observe the requirements above.
1.4.3.2.2.2 Technical Requirements for SAP Queries

Instead of using the queries designed for end users, for KRIs you must create a new SAP query by making a copy of an existing SAP query definition.
Prerequisites
There is no support for ranked list and statistics output. This means that the RFC used does not return the content of ranked lists and statistics output for
an SAP query.
There is no support for the aggregation (totaling field) and sort fields in the basic list output, so that the RFC used does not return the results of
aggregation or output sorted fields.
In the InfoSet, the Additional fields function is not supported. In Process Control, a rule criterion is based on the back-end field containing technical details,
which can be described as table (structure) fields. However, Additional fields in the InfoSet do not reveal such technical details.
1.4.3.2.2.3 Using External Web Services

You can use external Web services to implement key risk indicators (KRI). The SAP Web Service Connector enables you to interact with all Web services,
regardless of the implementation technology used, as long as it is compliant with the provided WSDL (Web Services Description Language) file.
Prerequisites
You must complete the following Customizing activities found under Governance, Risk and Compliance Risk Management Key Risk Indicators
Connectivity:
Maintain Connectors
Maintain Scripts for Web Service
Procedure
1. Access a WSDL file in the SAP MIME repository. This is used to implement the correct Web service interface.
2. Create the Web service implementation according to this WSDL file, using any available technology.
3. Using transaction SOAMANAGER, connect this implementation to the consumer proxy CO_GRFN_CCI_WEBSERVICE.
Note
For more information, see Configuring a Consumer Proxy.
4. Make note of the logical port you have created. In the Maintain Connectors Customizing activity, enter it as the remote system. In the Connector Type field,
choose the type WEBSERVICE. In the Remote System field, enter the logical port you have just created. Save your entry.
5. Access the second Customizing activity, Maintain Scripts for Web Service. When you register the script, the script data must correspond to the script ID
in the service implementation. Save your entry.
Result
Your external Web service is ready for use. If required, search the SAP Developer Network for further information and details.
1.4.3.2.3 Assigning KRIs to a Risk

When you enter a new risk, you can assign one or more key risk indicators (KRI) to the risk. This is known as a KRI instance. In this way, you can automatically
identify risks in business processes and escalate them to risk owners for immediate attention if necessary.
Prerequisites
You have created a KRI implementation.
You have maintained the corresponding activities for timeframes and frequencies in Customizing under Governance, Risk and Compliance General
Settings Key Attributes.
Procedure
1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Standard KRI Instance in the Assigned Key Risk Indicators
section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using the drop-down lists.
7. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained in the database. By default, the Yes radio
button is selected.
8. In the Selection Table, modify the KRI implementation settings, as required.
9. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
10. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI instance.
Alternatively, choose from among the following options:
Choose the Activate pushbutton to set the status as Active for the KRI instance.
Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor (to the KRI liaison defined in the Risk
Management workflows, for example). The dialog closes and the Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to your inbox for
processing or approval, among other options. For more information, see Workflow for KRI Instance Localization Request.
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.
13. In the Business Rules section, create a KRI business rule, if required.
For more information, see Creating a KRI Business Rule.
14. Save the risk data.
Creating Manual KRI Instances
1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Manual KRI Instance in the Assigned Key Risk Indicators
section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
5. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained in the database. By default, the Yes radio
button is selected.
6. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.
2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
7. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI instance.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.
1.4.3.2.3.1 Creating KRI Business Rules

A business rule is a formula containing a mathematical calculation that is entered for a defined KRI instance, that is, one individual implementation of a KRI
template. Such business rules provide standard calculations for both management and legal consolidation reporting.
Example
When monitoring your expenses, you would like to know whether the current monthly expenses are much higher than the values of the last three months. You
define a business rule for this, and an email is automatically sent via workflow to the risk owner or owners, who can then review the risk and decide on the
proper response to it.
Prerequisites
The GRC Customizing activity on workflow notification messages, found under General Settings Workflow, must be maintained if you wish to use
settings other than those in the default system.
A KRI instance for a risk must exist.
Procedure
1. Navigate to My Home My Objects My Risks and select a risk in the table.
Alternatively, navigate to Master Data Organizations Organizations, select an organization, and choose the Open pushbutton.
2. Choose the Key Risk Indicators tab, and select the Assigned Key Risk Indicator for which you want to create a rule.
Note
The assigned key risk indicator status must be marked active for you to proceed. You can change the status by opening the assigned KRI and
choosing the Activate pushbutton.
3. In the Business Rules section, choose the Create pushbutton.
The KRI Business Rule dialog appears.
4. In the Title field, type the title of the new business rule.
5. Using the Mapping and Expression tabs, enter the calculation parameters for the KRI business rule.
You can specify the Expression as either a Formula or a Decision Table using the Rule Type drop-down menu. After you are finished, you can check
the syntax, test the rule, or access the NetWeaver BRFplus (Business Rule Framework plus) Workbench.
6. Specify the Actions for the KRI business rule using the corresponding radio buttons.
You can specify whether a risk assessment workflow is to be triggered, whether an email notification is to be sent to the risk owner, and whether the risk is
to be flagged.
Note
You should flag the risk if the corresponding KRI business rule has been violated. After you have flagged this risk, a yellow lightning symbol appears on
the KRI tab of the Risk application. You can reset the alert by choosing the Reset KRI Violation Status pushbutton.
7. Choose the OK pushbutton. The new business rule appears in the list of rules assigned to the risk.
8. Save the risk data.
More Information
For more information about the syntax of business rules, see Creating a Formula Expression.
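The evaluation chain described above (a KRI implementation aggregating data-source rows through its value column, aggregation function and selection table, then a KRI business rule firing the assessment, email and flag actions), together with the result-row caveat from the BW query requirements, as an added Python example that is not part of the SAP documentation. Class, function and column names (KRIImplementation, compute_kri_value, COST_CENTER, ROWTYPE) are assumptions, and the rows and history values are constructed sample data.

```python
"""Added example (not SAP code): how a KRI implementation turns data-source rows
into a KRI value and how a KRI business rule turns that value into actions.
All class, function and column names used here are assumptions."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, List

# Constructed sample rows standing in for what an SAP Table or BW Query
# connector returns: one row per cost center for the current period. The last
# row is a BW result (subtotal) row, present only because "Results rows:
# Always suppress" was not set in the Query Designer.
SAMPLE_ROWS = [
    {"COST_CENTER": "CC100", "PLANNED": 120000.0, "ACTUAL": 131000.0, "ROWTYPE": "DATA"},
    {"COST_CENTER": "CC200", "PLANNED": 80000.0, "ACTUAL": 75000.0, "ROWTYPE": "DATA"},
    {"COST_CENTER": "CC300", "PLANNED": 50000.0, "ACTUAL": 58000.0, "ROWTYPE": "DATA"},
    {"COST_CENTER": "#", "PLANNED": 250000.0, "ACTUAL": 264000.0, "ROWTYPE": "RESULT"},
]
# The rows a correctly configured query (result rows suppressed) would return.
DATA_ROWS = [r for r in SAMPLE_ROWS if r["ROWTYPE"] == "DATA"]


@dataclass
class KRIImplementation:
    """Implementation Detail tab: value column, aggregation function, selection table.
    A selection entry is (field, low, high): high=None is a single value, otherwise
    a select-option range; those are the only two filter forms supported."""
    name: str
    value_column: Callable[[dict], float]   # how the value is read from one row
    aggregation: str                        # SUM, MIN, MAX or AVG
    selection: List[tuple] = field(default_factory=list)


def row_selected(row: dict, selection: List[tuple]) -> bool:
    """Apply the selection table to one row."""
    for fld, low, high in selection:
        value = row.get(fld)
        if high is None and value != low:
            return False
        if high is not None and not (low <= value <= high):
            return False
    return True


def naive_total(rows: List[dict], column: str) -> float:
    """Summing without suppressing result rows: the subtotal row is added on top
    of the data rows it already summarises (the 'double itemizing')."""
    return sum(r[column] for r in rows)


def compute_kri_value(impl: KRIImplementation, rows: List[dict]) -> float:
    """Aggregate the selected data rows into one KRI value. Aggregation happens on
    the Risk Management side, which cannot tell data rows from subtotal rows, so
    a result set that still contains result rows is rejected, not double-counted."""
    if any(r.get("ROWTYPE") == "RESULT" for r in rows):
        raise ValueError("result rows present: set 'Results rows: Always suppress'")
    values = [impl.value_column(r) for r in rows if row_selected(r, impl.selection)]
    if not values:
        raise ValueError("selection table matched no rows")
    return {"SUM": sum, "MIN": min, "MAX": max, "AVG": mean}[impl.aggregation](values)


@dataclass
class KRIBusinessRule:
    """Title, formula expression and the three Actions radio buttons."""
    title: str
    violated: Callable[[float, List[float]], bool]  # formula over value and history
    trigger_assessment: bool = False
    notify_owner: bool = False
    flag_risk: bool = False


def evaluate_rule(rule: KRIBusinessRule, value: float, history: List[float]) -> List[str]:
    """Return the actions the rule fires for this value; empty when not violated."""
    if not rule.violated(value, history):
        return []
    actions = []
    if rule.trigger_assessment:
        actions.append("TRIGGER_RISK_ASSESSMENT_WORKFLOW")
    if rule.notify_owner:
        actions.append("EMAIL_RISK_OWNER")
    if rule.flag_risk:
        actions.append("FLAG_RISK")
    return actions


# Budget overrun KRI (the page's example): planned minus actual for one cost
# center; a negative balance means the budget has been overrun.
BUDGET_KRI = KRIImplementation("Budget balance CC100",
                               lambda r: r["PLANNED"] - r["ACTUAL"], "SUM",
                               [("COST_CENTER", "CC100", None)])
OVERRUN_RULE = KRIBusinessRule("Budget overrun", lambda v, h: v < 0,
                               notify_owner=True, flag_risk=True)

# Expense KRI (the page's other example): this month's expenses over a range of
# cost centers against the last three months kept by History Review Required.
EXPENSE_KRI = KRIImplementation("Monthly expenses CC100-CC300",
                                lambda r: r["ACTUAL"], "SUM",
                                [("COST_CENTER", "CC100", "CC300")])
EXPENSE_RULE = KRIBusinessRule("Expenses 20% above 3-month average",
                               lambda v, h: len(h) >= 3 and v > 1.2 * mean(h[-3:]),
                               trigger_assessment=True, notify_owner=True)
EXPENSE_HISTORY = [200000.0, 210000.0, 205000.0]  # constructed previous values
```

Running compute_kri_value on SAMPLE_ROWS raises, while naive_total on the same rows returns 528000 instead of 264000, which is the double itemizing the BW requirement warns about.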
1.4.3.2.4 Using Workflow to Create KRI Implementation Requests

You can use the SAP workflow functionality to create a KRI implementation request. This workflow enables you to create one or several KRI implementations.
Prerequisites
You must fulfill the following prerequisites before you can use the workflow functionality for KRIs:
A KRI template must exist for each implementation request. For more information, see Creating KRI Templates.
Risk Management roles must be configured. For more information, see Role Administration.
Procedure
When you edit a KRI template, you can request one or more implementations for it.
1. Under Rule Setup Continuous Monitoring, choose KRI Templates to access the KRI template catalog.
2. Open the KRI template for which you want to create an implementation request and choose the Implementations tab.
3. Select the Request view and create a new KRI implementation request by using the Create button. Enter a Notes text if necessary.
4. Save the request and access the My Home work center. The new workflow displays in the Work Inbox.
5. In the work inbox, choose the work item to see the KRI implementation request for it.
6. In the lower screen section of the work inbox, you can create an implementation. Note that the template field may be prefilled. In the Implementation Detail
tab, make the necessary entries. When you have finished entering the data, choose OK.
The buttons at the top of the screen mean the following:
Complete: The status changes to completed. After the request creator confirms the request, it is removed from the inbox.
Save: This does not change the workflow status.
Cancel: The changes you made are canceled.
Confirm: This confirms a completed workflow.
Note
When you choose Complete, the work item is returned to the inbox of the workflow processor. When you call it up again from the inbox, you see the
Confirm pushbutton.
For more information, see Creating KRI Implementations.
1.4.3.2.5 Using Workflow to Create KRI Instance Localization Requests

You can use the SAP workflow functionality to create a KRI instance localization request.
Prerequisites
The following prerequisites must be fulfilled before you can use the workflow:
A KRI instance must exist for each KRI instance localization request. For more information, see Assigning KRIs to a Risk.
Risk Management roles must be configured. For more information, see Role Administration.
Procedure
When you create or edit a KRI instance, you can request a localization for it. To process the request, proceed as follows:
1. Access the work inbox in the My Home work center. Select the work item to see the KRI instance localization request for it.
Note
The fields in the upper section cannot be changed.
2. In the lower screen section, you can adjust the selection table with respect to the risk-specific settings. The buttons have the following meanings:
Complete: The status changes to completed. After the request creator confirms the request, it is removed from the inbox.
Save: This does not change the workflow status.
Cancel: The changes you made are canceled.
Confirm: This confirms a completed workflow.
3. When you are finished, call up the work inbox to view the work item.
Note
When you choose Complete, the work item is returned to the inbox of the request. When you call it up again from the inbox, you see the Confirm pushbutton.
1.4.3.2.6 Managing KRI Value Inputs

You can manually input values for key risk indicator (KRI) instances (that are not scored) using the KRI Manual Value Input screen. When inputting values, you
can select the instances directly or using a combination of KRI templates and organization units. In the former case, the input is a simple list; in the latter case, the
input consists of a matrix with each cell representing a single instance.
Note
Alternatively, you can input values using an XML-format file.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Value Input.
The KRI Manual Value Input screen appears.
2. In Step 1: Select KRIs, specify the input and selection modes.
1. In the Input Mode field, select the Manual Input radio button.
2. In the Selection Mode field, select either the KRI Instances or the KRI Template + Organization Unit radio button.
3. If you selected the KRI Instances radio button, choose the KRI Instances link.
The Select KRI Instances dialog appears.
1. In the Find field, type the search terms and choose the Search pushbutton.
2. Select one or more entries in the Available table, and choose the right arrow pushbutton to include the entries in the Selected table.
3. To change the sequence of the instances, choose the arrow pushbuttons directly below the Selected table.
4. Choose the OK pushbutton.
4. If you selected the KRI Template + Organization Unit radio button, do the following:
1. Choose the KRI Templates link.
The Select KRI Templates dialog appears.
2. In the Find field, type the search terms and choose the Search pushbutton.
3. Select one or more entries in the Available table, and choose the right arrow pushbutton to include the entries in the Selected table.
4. To change the sequence of the instances, choose the arrow pushbuttons directly below the Selected table.
5. Choose the OK pushbutton.
6. Choose the KRI Organizational Units link.
The Organizations dialog appears.
7. In the Find field, type the search terms and choose the Search pushbutton.
8. Select one or more entries in the Available table, and choose the Add or Add with children pushbutton to include the entry in the Selected
table.
9. To change the sequence of the organizations, choose the arrow pushbuttons directly below the Selected table.
10. Choose the OK pushbutton.
5. Choose the Next pushbutton.
3. In Step 2: Provide Values, specify the values for the entries by choosing the Browse pushbutton, selecting the upload file, and choosing the Upload
pushbutton.
You can download the XML template for the upload file by choosing the Get XML Template pushbutton and saving the file to your local machine.
4. Choose the Next pushbutton.
5. In Step 3: Review, review the values.
6. Choose the Finish pushbutton.
7. Choose the Close pushbutton.
Inputting Values Using a File Upload
1. Choose Rule Setup Key Risk Indicators KRI Value Input.
The KRI Manual Value Input screen appears.
2. In Step 1: Select KRIs, select the Input via File Upload radio button, and choose the Next pushbutton.
3. In Step 2: Provide Values, specify the values by choosing the Browse pushbutton and selecting the upload file.
4. Choose the Next pushbutton.
5. In Step 3: Review, review the values.
6. Choose the Finish pushbutton.
7. Choose the Close pushbutton.
1.4.3.2.7 KRI Aggregation Hierarchy

You can use KRI aggregation hierarchies, based on organizations or risk categories, to automate your analysis, the results of which are available for display using
the KRI Aggregation report.
When managing KRI aggregation hierarchies, you can complete the following tasks:
Search KRI aggregation hierarchies
Create KRI aggregation hierarchies
Modify existing KRI aggregation hierarchies
Delete KRI aggregation hierarchies
1.4.3.2.7.1 Searching KRI Aggregation Hierarchies

You can search KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. When defining a query (known as a worklist), you can either create a
new worklist or base your worklist on an existing query.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Aggregation Hierarchy.
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with KRI Aggregation Hierarchies automatically selected in the Select Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template drop-down list.
4. Choose the Next pushbutton.
5. In the Hierarchy Type ID fields, type or select the range of hierarchy types.
Choose the Preview pushbutton to display the table of aggregation hierarchies based on the current criteria. Choose the Close pushbutton to dismiss the
preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
The query results appear.
More Information
Creating KRI Aggregation Hierarchies
Modifying KRI Aggregation Hierarchies
Deleting KRI Aggregation Hierarchies
1.4.3.2.7.2 Creating KRI Aggregation Hierarchies

You can create KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. You can also create a new aggregation hierarchy by copying an
existing hierarchy and modifying the appropriate settings.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Aggregation Hierarchy.
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the Create pushbutton, and select one of the following options using the drop-down menu:
KRI Organization Hierarchy
KRI Risk Category Hierarchy
The Create Aggregation Hierarchy screen appears.
3. In the Title field, type the title of the aggregation hierarchy.
4. In the Description field, type a description of the aggregation hierarchy.
5. In the Hierarchy focus date field, type or select a date, and choose the Apply pushbutton.
6. In the Organization view or Risk Category view field, choose a view using the drop-down list and complete the Excluded and Aggregation Rule settings
in the table.
7. To save the aggregation hierarchy as a draft, choose the Save Draft pushbutton.
8. To save and activate the aggregation hierarchy, choose the Save and Activate pushbutton.
Creating an Aggregation Hierarchy by Copying an Existing Hierarchy
1. Select an aggregation hierarchy in the table, and choose the Copy pushbutton.
The Copy Aggregation Hierarchy screen appears.
2. In the Title field, modify the name of the aggregation hierarchy.
3. Review the current settings and modify, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
More Information
Searching KRI Aggregation Hierarchies
Modifying KRI Aggregation Hierarchies
Deleting KRI Aggregation Hierarchies
1.4.3.2.7.3 Modifying KRI Aggregation Hierarchies

You can modify specific KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.
Procedure
1. Choose Rule Setup → Key Risk Indicators → KRI Aggregation Hierarchy.
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the title of the aggregation hierarchy you want to modify.
The Change Aggregation Hierarchy screen appears allowing you to modify the settings.
3. Modify the aggregation hierarchy settings, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
More Information
Searching KRI Aggregation Hierarchies
Creating KRI Aggregation Hierarchies
Deleting KRI Aggregation Hierarchies
1.4.3.2.7.4 Deleting KRI Aggregation Hierarchies

You can delete existing KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.
Procedure
1. Choose Rule Setup → Key Risk Indicators → KRI Aggregation Hierarchy.
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Select one or more aggregation hierarchies that you need to delete.
3. Choose the Delete pushbutton.
A confirmation dialog appears.
4. Choose Yes to delete the selected aggregation hierarchies; choose No to dismiss the dialog without deleting the selected aggregation hierarchies.
More Information
Searching KRI Aggregation Hierarchies
Creating KRI Aggregation Hierarchies
Modifying KRI Aggregation Hierarchies
1.4.3.2.8 KRI Aggregation Run

You can use the KRI Aggregation Run quick link to manage KRI aggregation runs, including completing the following tasks:
Search KRI aggregation runs
Create KRI aggregation runs
Modify existing KRI aggregation runs
Delete KRI aggregation runs
1.4.3.2.8.1 Searching KRI Aggregation Runs

You can search KRI aggregation runs using the KRI Aggregation Run Management screen. When defining a query (known as a worklist), you can either create a
new worklist or base your worklist on an existing query.
Procedure
1. Choose Rule Setup → Key Risk Indicators → KRI Aggregation Run.
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with KRI Aggregation Runs automatically selected in the Select Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template drop-down list.
4. Choose the Next pushbutton.
5. In the Aggregation Type field, choose Key Risk Indicator using the drop-down list.
Choose the Preview pushbutton to display the table of aggregation runs based on the current criteria. Choose the Close pushbutton to dismiss the
preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
8. Choose the Finish pushbutton.
The query results appear.
More Information
Creating KRI Aggregation Runs
Modifying KRI Aggregation Runs
Deleting KRI Aggregation Runs
1.4.3.2.8.2 Creating KRI Aggregation Runs

You can create KRI aggregation runs using the KRI Aggregation Run Management screen. You can also create a new aggregation run by copying an existing run
and modifying the appropriate settings.
Procedure
1. Choose Rule Setup → Key Risk Indicators → KRI Aggregation Run.
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the Create pushbutton, and select KRI Aggregation Run using the drop-down menu.
The Create Aggregation Run screen appears.
3. In the Name field, type the name of the aggregation run.
4. In the Description field, type a description of the aggregation run.
5. In the Owner field, type or select the owner of the aggregation run.
6. In the Start Date field, type or select the start date for the aggregation run.
7. In the Due Date field, type or select the due date for the aggregation run.
8. In the End Date field, type or select the end date for the aggregation run.
9. In the Organization based hierarchy field, choose the organization hierarchy using the drop-down list.
10. In the Risk Category based hierarchy field, choose the risk category using the drop-down list.
11. In the Execution Mode field, select either the Manual or Automatic radio button.
12. To save the aggregation run, choose the Save pushbutton.
13. To publish the results, choose the Publish Results pushbutton.
14. To publish the results and close the run, choose the Publish Results and Close Run pushbutton.
15. To perform ad-hoc calculations, choose the Ad-hoc Aggregation Calculation pushbutton, and select the appropriate organization hierarchy or risk category
hierarchy using the drop-down menu.
Creating a KRI Aggregation Run by Copying an Existing Run
1. Select an aggregation run in the table, and choose the Copy pushbutton.
The Copy Aggregation Run screen appears.
2. In the Name field, modify the name of the aggregation run.
3. Review the current settings and modify, as required.
4. Choose the Save pushbutton.
More Information
Searching KRI Aggregation Runs
Modifying KRI Aggregation Runs
Deleting KRI Aggregation Runs
1.4.3.2.8.3 Modifying KRI Aggregation Runs

You can modify specific KRI aggregation runs using the KRI Aggregation Run Management screen.
Procedure
1. Choose Rule Setup → Key Risk Indicators → KRI Aggregation Run.
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the name of the aggregation run you want to modify.
The Edit Aggregation Run screen appears allowing you to modify the settings.
3. Modify the aggregation run settings, as required.
4. Choose the Save pushbutton.
More Information
Searching KRI Aggregation Runs
Creating KRI Aggregation Runs
Deleting KRI Aggregation Runs
1.4.3.2.8.4 Deleting KRI Aggregation Runs

You can delete existing KRI aggregation runs using the KRI Aggregation Run Management screen.
Procedure
1. Choose Rule Setup → Key Risk Indicators → KRI Aggregation Run.
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Select one or more aggregation runs that you need to delete.
3. Choose the Delete pushbutton.
A confirmation dialog appears.
4. Choose Yes to delete the selected aggregation runs; choose No to dismiss the dialog without deleting the selected aggregation runs.
More Information
Searching KRI Aggregation Runs
Creating KRI Aggregation Runs
Modifying KRI Aggregation Runs
1.4.4 Assessments

The Assessments work center provides a central location to view and manage surveys, test plans, and risks and opportunities. You can also use the work
center to maintain incidents and plan evaluations, as well as simulate risks using scenarios.
The Assessments work center contains the following sections:
Surveys
Risk Assessments
Incident Management
Scenario Management
Assessment Planning
Risk Control Self Assessments
Assessment Reports
Note
The Assessments work center is shared by the Access Control, Process Control, and Risk Management products in the GRC Application. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions specific to Risk
Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for the application-
specific functions.
More Information
Assessments - Access Control specific topics
Assessments - Process Control specific topics
1.4.4.1 Surveys

A survey is a structured list of questions. Within GRC, surveys are used to obtain information about the existence and evaluation of risks (RM) or the design or
operational adequacy of controls (PC). Surveys are used to carry out assessments of objects such as risks, activities, or policies, for example. These
assessments are defined via plans in the Planner.
Surveys are created and maintained in the Survey Library and sent via the workflow (which can be routed to an inbox and/or e-mail).
For more information, see:
Risk Management Planner
Process Control Planner
Prerequisites
To send e-mails with interactive PDF survey data, complete the Customizing activity Maintain Inbound E-Mail Settings for Survey under Governance,
Risk, and Compliance → General Settings → Workflow.
Users who receive survey PDFs by e-mail must have stored their e-mail address in the GRC back-end system (SU01) under System → User Profile →
Own Data (Address tab).
If you are creating a survey for a collaborative assessment, the role Contributor to Collaborative Assessment must be maintained for the user in the Roles
tab of the risk or risks involved.
For risk assessment surveys, complete the Customizing activity Implement New Survey Valuation under Governance, Risk, and Compliance →
Common Component Settings → Surveys.
The e-mail addresses of all users to whom the system sends a survey must be maintained.
The role assignments must be maintained:
Business users who receive survey responses and post responses in the system need the roles SAP_GRC_FN_BASE and
SAP_GRC_FN_BUSINESS_USER.
The SAPCONNECT user configures the e-mail notification settings in the back-end system, so the roles SAP_GRC_FN_BASE and SAP_GRC_FN_ALL
are required.
For more information, see Standard Roles and Authorization Objects and the SAP BusinessObjects Governance, Risk, and Compliance Access Control
10.0, Process Control 10.0 and Risk Management 10.0 Security Guide on SAP Marketplace at http://service.sap.com/instguides.
For workflow functions, maintain the Customizing activities under Governance, Risk, and Compliance → General Settings → Workflow.
If you want to be able to change the subject or body of the survey e-mail, then you must also make entries in the Workflow Customizing activity Maintain
Notification Messages .
More Information
Creating Surveys
Creating Questions for Surveys
Survey Library
Question Library
1.4.4.1.1 Question Library

The Question Library lists the user-defined questions that you can use within your surveys. Each question comprises the following information:
Category : The category of the question.
Question : The text of the question.
Active : Specifies whether the question is active or inactive. Only active questions are available for use in surveys.
Answer Type : The type of answer (yes/no/NA, rating, and so on) expected from the person taking the survey.
Created By
Created On

Using the Question Library , you can do the following:
Create new questions. You can create a new question, or copy and change an existing question.
Open questions for editing. You can only edit questions that are not being used in a survey.
Delete questions. You can only delete questions that have not been assigned to any survey.
Upload questions from a file stored on your local machine.
You can use the questions defined in the Question Library with the surveys listed in the Survey Library .
More Information
Creating Questions for Surveys
Surveys
Survey Library
Creating Surveys
1.4.4.1.1.1 Creating Questions for Surveys

For each type of survey, you can create user-defined questions to be attached. You can create questions in the Question Library, or you can open a specific
survey in the Survey Library and create questions for it. Furthermore, you can define your own answer types, which you can attach to question or survey
categories if necessary.
Note
If a question is already being used in a survey, you cannot change any data for it, but you can deactivate it.
Prerequisites
Complete the Customizing activity Define Ratings for Survey Questions, found under Governance, Risk, and Compliance → Common Component Settings →
Surveys.
Procedure
To create a question:
1. Go to Assessments → Surveys → Question Library.
2. A list of all existing questions is displayed. When you choose Create , a dialog box opens in which you can create your own question.
3. Select the category of the question from the dropdown options and enter text describing the question.
4. Specify whether the question is active or not. Active means that it can be used in a survey.
Note
If you are not finished formulating the question, or if you want to make a question obsolete, deactivate the question. You cannot delete questions that are
already used in surveys.
5. Enter one of the following answer types (answer types vary based upon the survey category):
Answer Type : Meaning & Type of Entry Required
Rating : Requires the entry of a rating type. If you select this answer type, you are asked if the answer requires a comment.
Yes / No / NA : Requires a Yes, No, or Not Applicable (NA) answer. If you select this answer type, you are asked if the answer requires a comment.
Text : Requires a text entry by the user.
Percentage : Requires the entry of a percentage.
Amount : Requires the entry of an amount.
Choice : A user-defined question in which you can define the answer options and the scores. If you select this answer type, you are asked if the answer requires a comment.
Probability Level : Requires the entry of a probability level. If you select this answer type, you are asked if the answer requires a comment.
Impact Level : Requires the entry of an impact level. If you select this answer type, you are asked if the answer requires a comment.
Speed of Onset : Requires the entry of a speed of onset value. If you select this answer type, you are asked if the answer requires a comment.
Note
The answer types Yes/No/NA , Rating and Choice support user-defined scoring for each answer option. A number score is assigned to each answer
option at the design time. At runtime, users receive the scores according to their selections. A final score is based on aggregating the scores from each
question.
For the answer type Rating, scores are defined during the Customizing activity Define Ratings for Survey Questions, located under
Governance, Risk and Compliance → Common Component Settings → Surveys.
For the answer type Choice , scores are defined in the frontend.
For the answer type Yes/No/NA , question scores are defined when the survey is defined.
Recommendation
For more information, see Score-Based Valuation for Surveys and Questions.
6. If you are creating a question directly from a survey, choose Actions → Create Question. On the Create Question screen, you can specify if the
question is local (only used for this survey). If you choose No, the question can be used in other surveys.
7. Save your data.
Result
You have created a question for use in the survey.
Note
If you want to upload new questions from your hard disk, you can do so by choosing Actions → Upload. The format of the file must be .csv, which can
be created from a Microsoft Excel spreadsheet.
1.4.4.1.2 Survey Library

The Survey Library lists the user-defined surveys that you can use to obtain information on the existence and evaluation of risks (RM) or the adequacy of controls
(PC). Each survey comprises the following information:
Category : The category of the survey.
Title : The title of the survey.
Description : An optional description of the survey and its purpose.
Active : Specifies whether the survey is active or inactive. Only active surveys are available for use.
Questions : The questions that comprise the survey.
Created By
Created On

Using the Survey Library , you can do the following:
Create new surveys. You can create a new survey, or copy and change an existing survey.
Open surveys for editing. You can only edit surveys that have not been scheduled.
Delete surveys. You can only delete surveys that have not been scheduled.
You can use the questions defined in the Question Library with the surveys listed in the Survey Library .
More Information
Creating Surveys
Surveys
Question Library
Creating Questions for Surveys
1.4.4.1.2.1 Creating Surveys
Prerequisites
See Surveys.
Procedure
To create a survey:
1. Choose Assessments → Surveys → Survey Library.
2. Choose Create . The Create Survey dialog box appears.
3. On the General tab, select a survey category, a title for the survey, and a description (optional).
4. If necessary, specify the valuation type. The entries defined here are used for surveys, question categories, and answer types.
Note
Using valuation for risk analyses requires additional settings through the Customizing activities. Complete the activities listed under Governance,
Risk, and Compliance → Common Component Settings → Surveys.
5. Specify whether the survey is to be activated or not.
Note
You cannot activate a survey without first creating one or more questions for it.
6. In the lower screen section, you can add questions as follows:
Choose Add to add questions that were previously defined.
Under the Actions menu, you can navigate within the questions (if there are many) or create a new question.
7. Set the valuation or scoring, if used, for the survey questions. For more information, see Valuation and Scoring for Surveys and Questions.
Answer types Yes/No/NA , Rating and Choice support reconfiguring user-defined scores. If you select score based valuation for Valuation , you
can view and change the predefined scores for each question. Select the Set Score link in the Set Score column.
The total score of one survey is the sum of scores for each question.
Example
Survey A has two questions (Q1 and Q2). The answers and scores are defined as follows:
Question 1: Answer 1.1 = 50; Answer 1.2 = 0
Question 2: Answer 2.1 = 0; Answer 2.2 = 0; Answer 2.3 = 50
The total score of the survey is the sum of the scores of the selected answers. In the example, a submission with Q1 Answer 1.1 and Q2 Answer 2.1
receives 50 + 0 = 50 as its total score. The highest possible score for this survey is 100.
8. Save the survey. Your survey can now be included in a plan when you call up the Planner.
Note
Your survey becomes visible on the Survey tab of the Risk or Activity screen after you create a plan in the Planner and have sent out the
survey.
You can display the results of the survey by running the Survey Results report under Reports and Analytics → Compliance.
More Information
Creating Questions for Surveys
1.4.4.1.3 Score-Based Valuation for Surveys and Questions

You can use the valuation and scoring function built into survey and question creation to assist in risk analysis and process control evaluation.
Surveys can be created with the type No Valuation or Score-Based Valuation . If you choose Score-Based Valuation , a Set Score link appears on the
right side of each line for all score-based questions that you have created or that you have added from the Question Library.
Note
Certain question types, such as those requiring a text entry, cannot be scored. The Set Score link will not appear next to these kinds of questions. For
more information about the different question types, see Creating Questions for Surveys.
When you choose the Set Score link, an Override Question Score window appears. You can choose to use any maintained values that were preset
through the Customizing activities, or you can override those values with those of your own choosing.
Note
If you override the preset values, the values you enter are valid only for this instance of the question. If you use the same question type for another
question in a survey, the default values are assigned to it unless you override them again.
If you wish to revert to the values set in the Customizing activities, click the Reset button in the Override Question Score window.
You can indicate whether a question is to be local (one-time only for a survey) or if it is to be global (stored in the Question Library after creation). The default
setting is global.
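The scoring model described in Creating Surveys (step 7 and its example) and in this topic, as an added Python illustration that is not SAP code: only the scorable answer types carry a score per option, a survey's total is the sum of the selected options' scores, and an override entered via Override Question Score applies to that survey's instance of the question only until it is reset. Survey A and its scores are taken from the documentation example; the Text question, the override values, and the treatment of unanswered questions as contributing 0 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Answer types whose options carry user-defined scores (see the Note in
# "Creating Questions for Surveys"). Text, Percentage and Amount are never scored.
SCORABLE_TYPES = {"Yes/No/NA", "Rating", "Choice"}


@dataclass
class Question:
    qid: str
    answer_type: str
    # option label -> score, as preset in Customizing or at design time
    default_scores: Dict[str, int] = field(default_factory=dict)


@dataclass
class Survey:
    title: str
    valuation: str = "No Valuation"  # or "Score-Based Valuation"
    questions: List[Question] = field(default_factory=list)
    # per-instance overrides ("Override Question Score"), keyed by question id
    overrides: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def is_scored(self, q: Question) -> bool:
        return self.valuation == "Score-Based Valuation" and q.answer_type in SCORABLE_TYPES

    def set_score(self, qid: str, scores: Dict[str, int]) -> None:
        """Override the scores for this survey's instance of the question only."""
        q = self._question(qid)
        if not self.is_scored(q):
            raise ValueError(f"{qid}: answer type {q.answer_type} cannot be scored")
        if set(scores) != set(q.default_scores):
            raise ValueError(f"{qid}: override must cover exactly the defined options")
        self.overrides[qid] = dict(scores)

    def reset_score(self, qid: str) -> None:
        """Equivalent of the Reset button: return to the Customizing values."""
        self.overrides.pop(qid, None)

    def scores_for(self, q: Question) -> Dict[str, int]:
        return self.overrides.get(q.qid, q.default_scores)

    def max_score(self) -> int:
        """Highest possible total: best option of every scored question."""
        return sum(max(self.scores_for(q).values())
                   for q in self.questions if self.is_scored(q))

    def total_score(self, responses: Dict[str, str]) -> int:
        """Sum of the scores of the selected options; unscored questions are skipped."""
        total = 0
        for q in self.questions:
            if not self.is_scored(q) or q.qid not in responses:
                continue  # assumption: an unanswered scored question contributes 0
            option = responses[q.qid]
            scores = self.scores_for(q)
            if option not in scores:
                raise ValueError(f"{q.qid}: {option!r} is not a defined answer option")
            total += scores[option]
        return total

    def _question(self, qid: str) -> Question:
        for q in self.questions:
            if q.qid == qid:
                return q
        raise KeyError(qid)


def survey_a() -> Survey:
    """Survey A from the documentation example, plus a constructed Text question."""
    return Survey(
        title="Survey A",
        valuation="Score-Based Valuation",
        questions=[
            Question("Q1", "Choice", {"1.1": 50, "1.2": 0}),
            Question("Q2", "Choice", {"2.1": 0, "2.2": 0, "2.3": 50}),
            Question("Q3", "Text"),  # present in the survey but never scored
        ],
    )


def run_example() -> Tuple[int, int, int, int]:
    """Page example, then an override of Q2 and its reset."""
    s = survey_a()
    page_total = s.total_score({"Q1": "1.1", "Q2": "2.1", "Q3": "free text"})  # 50
    highest = s.max_score()                                                   # 100
    s.set_score("Q2", {"2.1": 0, "2.2": 25, "2.3": 50})  # constructed override
    overridden = s.total_score({"Q1": "1.1", "Q2": "2.2"})                    # 75
    s.reset_score("Q2")
    reset = s.total_score({"Q1": "1.1", "Q2": "2.2"})                         # 50
    return page_total, highest, overridden, reset


if __name__ == "__main__":
    print(run_example())  # (50, 100, 75, 50)
```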
More Information
Surveys
Survey Library
Creating Surveys
1.4.4.2 Risk Assessments

The Risk Assessments section of the Assessments work center enables you to create activities to be evaluated for risks and opportunities, such as projects or
business processes. These are assigned to risks and opportunities that you create. Besides specifying risks and opportunities, you can also:
Analyze the risks and enter the appropriate responses to mitigate these risks.
Document risks that have occurred (called incidents ).
Define specific risk scenarios.
Run risk assessment surveys.
Prerequisites
You have been assigned the appropriate roles and authorizations.
Features
In this work center, you can carry out the following functions:
Manage your risks and opportunities.
You can create and assess a risk or an opportunity, with or without a template. For more information, see Risks and Opportunities.
Manage your risk scenarios.
You can define detailed scenarios with influenced risks and carry out testing and simulation functions for your risk scenario. For more information, see
Scenario Management.
Enter responses to risks or opportunities.
A risk response determines what you should do either to prevent a risk from occurring or to limit the risk's impact if it does occur. For more information, see
Creating a Response or Enhancement Plan.
Create activities such as business processes, projects or assets, for which you wish to capture risks. For more information, see Activities.
Document risks that have occurred, called incidents , together with the losses incurred for an incident. For more information, see Incident Management.
Create dedicated workflows for risk assessment using the Risk Management Planner.
Create and run your own risk assessment reports. For more information, see Risk Assessment Reports.
1.4.4.2.1 Risks and Opportunities

In the section Risks and Opportunities of the Assessments → Risk Assessment work center, you can enter risks as well as opportunities for your
organization. Risks and opportunities are defined as follows:
A risk is any event that can prevent management from meeting the business goals of an organization.
An opportunity represents an uncertain event or condition that, if it occurred, would have a positive impact on business objectives. An opportunity can
therefore be regarded as a positive aspect of a risk as defined in Risk Management.
Both a risk and an opportunity can be defined with or without a template.
Features
Opportunity Management refers to the analysis of opportunities, to be able to make the best possible use of them. The process involves the following steps:
Identifying and documenting the opportunities in an organization.
Analyzing the expected benefits of an opportunity.
Viewing and understanding any possible trade-offs between risks and opportunities.
When you click the Risk and Opportunity Management link, a query screen opens, displaying all maintained risks and opportunities. Here you can view all
existing risks and opportunities or create a new risk or opportunity.
For more information, see Creating a Risk and Creating an Opportunity.
1.4.4.2.1.1 Creating a Risk

After defining a risk classification structure, you can begin creating risks in the Risk Management application.
Prerequisites
The following prerequisites apply before you can create a risk:
Risk impacts and drivers must be maintained in Customizing. You may also need to make entries in the Maintain Influence Strength Customizing activity,
found under Governance, Risk and Compliance → Risk Management → Master Data Setup.
If you want to conduct a risk assessment, the analysis profile must be maintained in Customizing under Governance, Risk and Compliance → Risk
Management → Risk and Opportunity Analysis.
If you want to add KRIs to your risk, you must have maintained a KRI implementation in the Risk Management application. For more information, see
Creating KRI Implementations.
You must maintain a risk classification structure containing individual risk categories in the risk catalog.
Procedure
To create an individual risk, proceed as follows:
1. From the Assessments work center, choose Risk Assessments → Risks and Opportunities.
2. In the overview screen that appears, choose Create . You have the following options:
You can create a risk with or without a risk template. You create a risk template during risk classification.
Note
For more information about risk template creation, see Classifying Risks, Opportunities, and Responses and Creating a Risk Template.
To create a risk from a template, see Creating a Risk from a Template.
You can create a risk in the standard application or using the graphical view. You also have the option to create a risk with or without a risk template.
For more information, see Graphical View Risk Creation.
3. If you are creating a risk in the standard application, the Create Risk dialog box appears in which you enter information in the following tabs:
General tab: Enter the name of the event or risk you want to create, as well as the organizational unit and the risk category used to classify it. The
validity period is preset, but you can change it to your relevant dates.
In the lower screen section, you can enter the impacts and drivers that would affect this risk if it occurred. If so specified, there may be
customer-defined fields ready for input displayed in this tab.
Roles : Assign a user or users to the Risk Owner role by choosing the Assign pushbutton.
Key Risk Indicators tab: You can enter KRI instances and business rules for a KRI, to use when evaluating the risk. For more information, see Key
Risk Indicators and Assigning KRIs to a Risk.
In the lower section, you can create a business rule for the Key Risk Indicator in the upper section. For more information, see Creating a KRI Business
Rule.
Note
The prerequisite for creating a KRI instance is an active KRI implementation, and the prerequisite for creating a KRI business rule is an active KRI
instance.
Analysis tab: You can view the history of all past and present risk analyses, and you can also create new risk analysis data. For more information,
see Risk Analysis.
Response Plans tab: You can create a new risk response, assign an existing response, or assign a control proposal from Process Control. For more
information, see Creating a Response or Enhancement Plan. You have the following options:
If you have licensed Risk Management, you can create a new response or assign an existing response. For more information, see Assigning a
Response.
If you have licensed Process Control, you can also create a control proposal or policy, or assign a control or a policy on this tab. For more
information, see Using PC Controls.
After submitting the control, it is displayed in the Response tab of the risk as a response of the type Control . Note that you must first save the
risk.
Using the Remove pushbutton, you can delete a response from the list, but only if it has Draft status.
Using the Print Version pushbutton, you can create a print version of the results list in PDF format.
On the Risk Incidents tab, you can report new risk incidents (that is, risks that have occurred), or open existing incidents for further processing. For
more information, see Working with Incidents.
On the Influenced Risks tab, you can use the Create Influence Factor button to enter other risks (called influenced risks) and the corresponding
influence factors that may increase or decrease the probability and/or impact of the influenced risk.
Note
You use the chain of influenced risks in the Risk Management Scenario Analysis and Monte Carlo simulation. For more information, see Scenario
Management and Scenario Analysis using Monte Carlo.
First enter the influenced risk itself. Then you can define the influence factors for the risk either in quantitative or qualitative form, but not both.
If you define a quantitative evaluation type, you make entries for the evaluation type as follows:
Influence factor on impact : You enter a factor value between 0.01 and 999.99. This factor represents the increase (for a factor greater
than 1.00) or decrease (for a factor smaller than 1.00) of the total loss of the influenced risk. The condition is that the primary risk that
you are currently working with has already occurred.
Influence factor on probability : You enter a factor value between 0.01 and 999.99. This factor represents the increase (for a factor
greater than 1.00) or decrease (for a factor smaller than 1.00) of the probability of the influenced risk. The condition is that the primary
risk (the one that you are currently working with) has already occurred.
If you specify a qualitative evaluation type, you can define the influence strength in the Strength field. Select a value from the dropdown
options, which refer to the degree and type of influence of the primary risk on the influenced risk.
Note
The conversion of the influence strength into individual influence factors on impact and probability is defined in Customizing (see the
Prerequisites section above).
On the Underlying Risks tab, you can select and group similar underlying risks defined for lower-level organizational units.
On the Surveys tab, you can display any surveys in which this risk is used. For more information about surveys, see Surveys.
On the Issues tab, you can create issues relating to this risk. For more information, see Creating an Issue for a Risk, Opportunity, or Response.
On the Context tab, you can enter further information relating to issues and contexts. For more information, see Working with Contexts.
On the Policies tab, you can access the policies that were assigned to this risk in the Response tab. For more information about assigning a policy
as a response to a risk, see:
Policies
Using a Policy as a Risk Response
4. When you are finished maintaining the risk data, you can save it as a draft for further user processing, or submit it for system processing. When you submit
the risk, the status of the risk is changed from Draft to Active . Note that all mandatory fields must be filled to successfully submit the risk.
If, however, you want to delete a risk that you just created, note that this causes system inconsistency. For more information, see Deleting a Risk.
Note
After saving your risk data, you can choose the Print Fact Sheet pushbutton to obtain a document with risk data in PDF format for printing.
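The influence factor rules from the Influenced Risks tab above, as an added Python illustration that is not SAP code: an influence is defined either quantitatively (factors on impact and on probability, each between 0.01 and 999.99) or qualitatively (a strength that Customizing converts into factors), never both, and it changes the influenced risk only when the primary risk has occurred. The STRENGTH_TABLE, the risk names and values, and the capping of the resulting probability at 100% are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

FACTOR_MIN, FACTOR_MAX = 0.01, 999.99

# Assumed stand-in for the "Maintain Influence Strength" Customizing table:
# qualitative strength -> (factor on impact, factor on probability).
STRENGTH_TABLE: Dict[str, Tuple[float, float]] = {
    "strongly decreases": (0.50, 0.50),
    "decreases": (0.80, 0.80),
    "increases": (1.25, 1.25),
    "strongly increases": (2.00, 2.00),
}


@dataclass(frozen=True)
class Risk:
    name: str
    total_loss: float   # loss incurred if the risk occurs (currency units)
    probability: float  # probability of occurrence, 0.0 .. 1.0


@dataclass
class Influence:
    """One entry made with Create Influence Factor on the Influenced Risks tab."""
    primary: Risk
    influenced: Risk
    factor_on_impact: Optional[float] = None
    factor_on_probability: Optional[float] = None
    strength: Optional[str] = None

    def __post_init__(self) -> None:
        quantitative = self.factor_on_impact is not None or self.factor_on_probability is not None
        qualitative = self.strength is not None
        if quantitative == qualitative:
            raise ValueError("define the influence either quantitatively or qualitatively, not both")
        if qualitative:
            if self.strength not in STRENGTH_TABLE:
                raise ValueError(f"unknown influence strength {self.strength!r}")
            return
        for label, value in (("impact", self.factor_on_impact),
                             ("probability", self.factor_on_probability)):
            if value is None:
                raise ValueError(f"quantitative influence needs a factor on {label}")
            if not FACTOR_MIN <= value <= FACTOR_MAX:
                raise ValueError(f"factor on {label} must be between {FACTOR_MIN} and {FACTOR_MAX}")

    def factors(self) -> Tuple[float, float]:
        """(factor on impact, factor on probability), resolving a strength via the table."""
        if self.strength is not None:
            return STRENGTH_TABLE[self.strength]
        return (self.factor_on_impact, self.factor_on_probability)

    def apply(self, primary_occurred: bool) -> Risk:
        """The influenced risk as it stands given whether the primary risk has occurred."""
        if not primary_occurred:
            return self.influenced  # factors only apply once the primary risk occurred
        fi, fp = self.factors()
        return replace(self.influenced,
                       total_loss=round(self.influenced.total_loss * fi, 2),
                       probability=round(min(1.0, self.influenced.probability * fp), 4))  # cap: assumption


def rejects(**settings) -> bool:
    """True if an Influence with these settings is refused by validation."""
    try:
        Influence(Risk("primary", 1.0, 0.1), Risk("influenced", 1.0, 0.1), **settings)
        return False
    except ValueError:
        return True


def run_example() -> Dict[str, Tuple[float, float]]:
    """Constructed risks and influences; returns (loss, probability) of the influenced risk per case."""
    supplier = Risk("Supplier insolvency", 500_000.0, 0.05)   # primary risk
    delay = Risk("Production delay", 200_000.0, 0.10)         # influenced risk
    quantitative = Influence(supplier, delay, factor_on_impact=1.50, factor_on_probability=3.00)
    qualitative = Influence(supplier, delay, strength="strongly increases")
    out: Dict[str, Tuple[float, float]] = {}
    for label, inf in (("quantitative", quantitative), ("qualitative", qualitative)):
        for occurred in (False, True):
            r = inf.apply(occurred)
            out[f"{label}/{'occurred' if occurred else 'not occurred'}"] = (r.total_loss, r.probability)
    return out


if __name__ == "__main__":
    for case, (loss, prob) in run_example().items():
        print(f"{case:28s} loss={loss:>10.2f} probability={prob:.4f}")
```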
1.4.4.2.1.1.1 Creating a Risk from a Template

You can use a risk template to create a risk with default data maintained for your organizational unit. The risk template can also have been distributed over several
organizational units and can be used in them as the basis for creating risks.
Prerequisites
A risk template must have been created for use with the new risk.
Procedure
To create a risk using a risk template, proceed as follows:
1. Access the risk creation screen under Assessments → Risk Assessments → Risks and Opportunities and choose Create → Create with Risk
Template in the Risk and Opportunity Management screen. You can also create a risk with a template using the Graphical View risk creation
function. For more information, see Graphical View Risk Creation.
2. A dialog box opens with a selection of risk templates and distribution methods to be used.
3. You can filter the selection to find the correct risk template.
4. Select a distribution method to be used from the template. You have two options:
Copy: Any risk field can be changed after the template has been copied to the risk.
Distribute: Some risk fields are read-only, since they are referenced.
5. Choose the Create pushbutton. A new window with the created local risk appears.
6. Process the risk by entering the necessary information in the tabs. For more information about creating risks, see Creating a Risk.
7. After finishing, you can submit or save the risk. In both cases, it appears in the overview list (POWL).
Note
Two columns referring to risk templates are displayed in the overview list:
Distribution Method: The risk template data is either copied, and can be changed in the risk, or it is merely referenced, and the risk template data
cannot be changed.
Risk Template: The template used to create the risk is displayed.
Result
The values of the template, including the data of customer-defined fields, are copied into the risk.
More Information
Creating a Risk Template
Distributing a Risk Template
1.4.4.2.1.1.2 Risk Deletion

Sometimes it may be necessary to delete a risk. However, due to time-dependency constraints in the system, you cannot delete a risk on the same day that you
created it.
Features
If you created a risk on the current date and activated it the same day, it cannot be deleted without losing the ability to track and audit this risk in the Risk
Management database. In normal processing, deletion sets the end of validity period for the risk as equal to yesterday. However, this is not possible for the risks
created on the current date. If you wait one day, then this deletion rule applies.
Note
You can delete a risk with Draft status, but note that it will truly be deleted from the database, without any auditable trace left in the system.
You have two options:
Wait at least one day before deleting this risk. Note, however, that this risk remains in the system as a valid risk, with a validity period lasting just one day.
If you activated the risk by accident (that is, you did not intend to submit it, but it was submitted nevertheless), you can contact your system administrator,
who can delete your risk in the back-end system.
1.4.4.2.1.2 Risk Validation Workflow

The validation of risks by risk managers is an essential task for proper risk management in your company. It enables risk managers to obtain proper sign-off and
confirmation for the current risk situation with respect to activities such as company processes or new projects.
Prerequisites
Workflow management and personal object worklist (POWL) activities in Customizing under Governance, Risk and Compliance General Settings
Workflow and POWL for Work Inbox must have been carried out.
Features
Using the Risk Management Planner, you can trigger a validation workflow for risks entered in the system. Each risk has the attributes Validated by and Validated on, which are updated after validation. Once you have accessed your inbox and validated the risk, the validation timestamp refers to the date when the risk was validated. You see the status with a link to comments, and the name and date of the validator.
The workflow is as follows:
1. The workflow task goes to the unit risk manager for validation.
2. The unit risk manager or validator then approves or rejects the risk as follows:
If the validator approves the risk, the risk application displays the validation status Approved and the validation timestamp.
If the validator rejects the risk, the validation status changes to Rework.
Activities
1. Access the Risk Monitoring work center and then the Planner section.
2. Choose the Planner link and proceed as follows in the next screen:
3. Choose the Create pushbutton to enter the plan name and select the plan activity Perform Risk Validation.
4. Enter a name for the plan and the due date.
5. Choose Next and select the organization with which you are working. Choose Next again.
6. In the step Perform Selection, you can choose to work with all risks or limit the selection to one risk or to specific risks by entering various attributes.
Note
You can see the risks with the defined workflow recipients (in this case, these are the risk owners) by choosing the Show Detail pushbutton.
7. After choosing Next again, you are in the Review step. You can now choose the Activate Plan button, after which you receive confirmation that the plan has been saved and activated.
8. Choose Finish to end the guided procedure or choose Create New Plan if you want to create another plan.
If you choose Finish, your plan is displayed in the list of plan activities.
1.4.4.2.1.3 Risk Analysis

Risk analysis involves analyzing your risks to determine the impact and probability of a potential risk occurring. The Analysis tab on the Risk application
provides users with the flexibility of defining the type of analysis performed, either qualitative or quantitative, depending on the nature of the risk event. The
outcome is the determination of the risk level (probability level X impact level).
Note
Risks that are initially analyzed are called inherent risks. After analysis and response/mitigation of the risk, the term residual risk is used to denote the
degree of risk left.
Prerequisites
Drivers, impacts and analysis data from Customizing must exist before you can analyze a risk. For further prerequisites, see Creating a Risk Analysis.
Features
You can carry out the following types of risk analysis:
Qualitative
This analysis includes determining the risk level on the basis of the probability and impact levels of the risk. The result of the analysis is a qualitative view of the risk level, such as high, medium, and low.
Quantitative
Using this analysis form, you can assess the probability of a risk happening using percentage values and the impacts per impact category assigned to the
risk. The analysis results include the expected loss, total impact, and risk level, which is based on the total loss and probability values.
Three-point analysis
This type of quantitative analysis is based on the range of Total Loss Values (Minimum Loss, Average Loss, and Maximum Loss).
Scoring
This analysis method enables you to enter impacts and probability as numeric values. For more information, see Risk Analysis Using Scoring.
More Information
For more information about working with risk analysis, see:
Creating a Risk Analysis
Collaborative Risk Assessment
1.4.4.2.1.3.1 Residual Risk Calculation

All companies face a variety of internal and external risks that can impact the success of their business strategies, goals, and objectives, as a part of doing
business. You can proactively manage risks using the following four-step process:
1. Planning
2. Risk identification and assessment
3. Risk response
4. Monitoring
Carry out these steps to gain better visibility into your organization's risk exposure.
Features
By carrying out the above four steps, you perform and consolidate the analytical results of a risk analysis. The risk analysis is an assessment of the likelihood that
the risk is going to occur, and of the impact to the company if the risk occurs. The result of the risk analysis is also referred to as the risk exposure.
If the risk exposure is unacceptable, you can document risk responses, which are aimed at reducing the likelihood that the risk will occur or lowering the impact of
the risk if it occurs (this is called risk mitigation). Examples of risk responses include actions to reduce the risk, control the risk with internal policies and
processes, transfer the risk to third parties, or accept or watch the risk.
Once a response has been implemented, you can then carry out a second risk analysis, showing the mitigated probability and impact of the risk, whose values
should be lower than those in the initial risk analysis. This new risk analysis information is referred to as the residual risk exposure.
Residual risk calculation deals with the influence that responses have on the risk exposure. The change in the risk exposure from the initial exposure to the
residual exposure depends on a number of factors related to the individual risk responses. Furthermore, the effect of the response on the risk exposure changes
over time, is subject to synergistic effects, and may depend on how much of the response has been implemented and on how effective the response is.
To solve this problem, the influence of the response on the risk exposure can be considered as the result of the following three independent factors:
Mitigating reduction: This refers to the mitigating reductions of all the responses associated with the risk when applied to the initial analysis. The result is
the calculated residual risk analysis.
Completeness of the response: Describing how much of the response has been implemented, this value is calculated together with the effectiveness of
the response.
Effectiveness of the response: These figures are maintained by response owners, independently of the actual risk analysis, describing how effective a
particular response is at reducing a risk.
Once the responses have been entered, the system calculates both the actual and target residual risk exposure. After the responses have been implemented
and completed, the planned residual risk level should be low.
Taken together, these steps enable the continuous evolution of the residual risk analysis based on the ever-changing effectiveness and completeness of the
responses. The final result is the calculation of the actual residual risk exposure.
The final step in the process is to monitor the risk exposure on an ongoing basis. This includes the ongoing calculation and recalculation of the actual and planned
(target) residual risk, based on the response effectiveness, completeness, and mitigation reduction values.
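As an added example (not SAP's code or formula), the following Python model shows how the three factors above can be combined into the actual and planned (target) residual exposure. The page does not state how the factors are combined; this example assumes a multiplicative model in which each response scales down the probability or the total loss by its mitigating reduction, weighted by effectiveness × completeness for the actual residual and by 1 for the planned residual. The response names, the "target" attribute and all figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class Response:
    """One risk response with the three factors described on this page.

    All three are fractions in [0, 1]: the mitigating reduction is the share of
    probability (or loss) the response removes when fully effective and fully
    implemented, effectiveness is maintained by the response owner, and
    completeness is the implemented share. The target attribute is a constructed
    simplification that says which dimension the response acts on.
    """
    name: str
    target: str                  # "probability" or "impact" (constructed)
    mitigating_reduction: float
    effectiveness: float
    completeness: float

    def factor(self, planned: bool) -> float:
        """Multiplier that remains after this response.

        planned=True assumes full effectiveness and completeness, which is the
        planned (target) residual; otherwise the reduction is scaled by
        effectiveness x completeness (assumed combination, not SAP's formula).
        """
        realized = 1.0 if planned else self.effectiveness * self.completeness
        return 1.0 - self.mitigating_reduction * realized


def residual_analysis(prob_pct, total_loss, responses, planned=False):
    """Return (residual probability %, residual total loss, residual expected loss).

    Responses are applied multiplicatively, so several responses on the same
    dimension reinforce each other without the reductions adding past 100 %.
    """
    if not 0 <= prob_pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    res_prob, res_loss = float(prob_pct), float(total_loss)
    for r in responses:
        if r.target == "probability":
            res_prob *= r.factor(planned)
        elif r.target == "impact":
            res_loss *= r.factor(planned)
        else:
            raise ValueError(f"unknown response target {r.target!r}")
    # Expected loss = probability % x total loss, as on the Analysis tab.
    return res_prob, res_loss, res_prob / 100 * res_loss


# Constructed sample: inherent analysis of 40 % probability and a total loss of
# 250,000, with two responses at different stages of implementation.
SAMPLE_RESPONSES = [
    Response("Quarterly access review", "probability", 0.5, 0.8, 0.5),
    Response("Cyber insurance policy", "impact", 0.3, 1.0, 1.0),
]

if __name__ == "__main__":
    for planned in (False, True):
        p, l, e = residual_analysis(40, 250_000, SAMPLE_RESPONSES, planned)
        kind = "planned residual" if planned else "actual residual"
        print(f"{kind}: probability {p:.1f} %, total loss {l:,.0f}, expected loss {e:,.0f}")
```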
1.4.4.2.1.3.2 Background Information on Risk Analysis

Carrying out a risk analysis means taking different factors into consideration, in particular the Customizing settings involved. These can vary greatly, depending on
the type of risk analysis you want to carry out.
Prerequisites
You must make several GRC Customizing settings, the most important of which are in the activity Maintain Analysis Profile, found under Risk Management → Risk and Opportunity Analysis. For more information about prerequisites, see the linked topics below.
Structure
The following table provides an overview of the most important risk analysis fields and how to use them. The Customizing settings referred to are those made in the Customizing activity Maintain Analysis Profile:
Field / Available Options / User Action or Results

Probability
Quantitative: The user enters the percentage probability; the probability level and the score are calculated using the Customizing settings.
Qualitative: The user selects a probability level from the dropdown options; the score and probability percentage are calculated using the Customizing settings.
Scoring: The user enters the score and the probability level; the probability percentage is calculated using the Customizing settings.
Disabled: The Probability field is not displayed in the analysis application.
Note
If the probability is disabled, the risk score equals the total impact, and the risk level corresponds to the following formula: impact level x highest probability level value (at least one probability level must be maintained in Customizing).

Impact Allocation
Quantitative: The user enters the amount (in the currency of the organizational unit or in the maintained unit of measure); the probability level and the score are calculated using the Customizing settings.
Qualitative: The user selects a probability level from the dropdown options; the score is calculated using the Customizing settings.
Scoring: The user enters the score; the probability level is calculated using the Customizing settings.

Impact Aggregation
Customizing setting: In the Analysis Profile (Customizing), you define how a particular impact analysis is aggregated into the overall risk impact (sum, average, or maximum aggregation).
Application (Overwrite checkbox): Aggregated values can be overwritten by the user.

Total Loss: The total loss is calculated by the system using all quantitative impacts.

Expected Loss: The expected loss is calculated by the system as the probability percentage x the total loss.

Analysis Comment
User-defined text: The user can enter a text-based comment on the overall risk analysis.

Risk Level
Calculated by the system: The risk level is calculated from the impact level and the probability level.

Risk Score
Calculated by the system: The risk score is calculated from the probability and impact scores using the aggregation type specified in Customizing.

Risk Priority
Calculated by the system: The risk priority is calculated using the speed of onset and the risk level.
More Information
Creating a Risk Analysis
Risk Analysis Using Scoring
1.4.4.2.1.3.3 Creating a Risk Analysis

You can carry out a risk analysis both for a risk you have just created and for an existing risk.
Note
To carry out a collaborative risk analysis involving the participation of several risk managers or users, see Collaborative Risk Assessment and Creating a
Collaborative Risk Assessment from a Risk.
Prerequisites
The following Customizing activities must be carried out before you can carry out a risk analysis:
Shared Master Data Settings, Risk, and Opportunity Attributes:
Maintain Impact Categories
Risk Management Master Data Setup:
Maintain Impact Levels
Risk and Opportunity Analysis:
Define Three-Point Analysis
Maintain Speed of Onset
Maintain Probability Levels
Maintain Probability Level Matrix
Maintain Risk and Opportunity Level Matrix
Maintain Analysis Profile
Procedure
To carry out a risk analysis, proceed as follows:
1. Choose Assessments → Risk Assessments → Risks and Opportunities. In the Risk and Opportunity Management screen, create a new risk or select an existing risk by clicking on its name in the Risk / Opportunity column.
2. Make sure that risk impacts for the selected risk have been maintained in the lower screen section. After saving, these are also listed in the Analysis tab
of the risk.
3. Choose the Analysis tab. If no analysis exists, choose Create Analysis or Create Collaborative Assessment.
4. If you choose Create Analysis, you see the following screen sections:
Analysis section: Here you can create a new analysis for this risk as described below.
Analysis history section: See Historical Risk Analysis Report for further information.
If you choose Create Collaborative Assessment, you receive a list of all users or contributors who are collaborating on assessing the risk, together with further data about the assessment. You can continue to modify the list and the data up until you submit the collaborative risk assessment.
5. Analysis section: You can see all the analyses that were run up until now.
Note
You cannot make any changes to analyses that have already run.
Depending on the settings made in Maintain Analysis Profile in Customizing under Governance, Risk and Compliance → Risk Management → Risk and Opportunity Analysis, you see the following column headers:
Column / Meaning

Analysis Type: The following analysis types exist:
Inherent: The overall risk before response
Residual: The overall risk after response
Planned residual: The residual risk after mitigation, assuming full effectiveness and completeness of all implemented risk responses
Note
If impact reduction in the Analysis Profile activity in Customizing is switched on, you should enter values for the inherent risk. The residual and planned residual risk values are calculated using the responses assigned to the risk.
If impact reduction is not switched on in the Analysis Profile, you must enter the inherent and residual risk data manually.
Probability %: Quantitative: You enter a percentage probability up to 100%.
Probability Level: Textual description of the levels defined in Customizing.
Probability Score: You enter a numeric score; the limits are defined in Customizing.
Speed of Onset: The speed of onset refers to the time horizon in which you expect the risk to occur. This time horizon changes over time, becoming shorter as the risk event comes nearer.
Speed of Onset (SoO) Score: The score for the speed of onset is determined as per the Customizing settings. The longer the speed of onset, the higher the score.
Total Loss: The total loss in monetary terms, per type of risk. See Expected Loss below.
Impact Level: An estimation of the consequences of a particular risk on the basis of a configurable scale. This scale can range, for example, from insignificant to catastrophic.
Impact Score: A value that expresses the impact or impact level, defined in Customizing.
Expected Loss: The expected and total loss are calculated only if there is at least one quantitative impact.
Risk Level: The degree of the risk, based on the probability and impact data.
Risk Score: A score calculated from the probability score and the impact score using the risk score aggregation method defined in Customizing.
6. Click the Total Loss link. The Impact Allocation screen section opens below.
7. Make settings in the Impact Allocation section. Depending on what you select here, the fields that are displayed may differ.
Note
The conversion from quantitative to qualitative impact is carried out using the settings made in Customizing for Analysis Profile.
The risk thresholds are defined for impacts within an organization. For more information, see Working with Organizational Units.
8. First make settings for the impact values to be used with this risk analysis. For this, select an Analysis Method from the dropdown options. For example, if
you select the Quantitative analysis method, you enter the impact in the Impact column.
Analysis method / Fields ready for input
Quantitative: Impact amount (dependent on unit of measure)
Qualitative: Impact level (text-based), as defined in Customizing
Scoring: Impact score
Three-Point Analysis: Best case, average case, and worst case monetary values
9. In the Impact Level column, you can see the impact level that was calculated using the values entered previously, according to the Customizing settings.
Depending on the analysis method selected, this is either calculated by the system or entered manually.
10. Below this, you can set the Overwrite Overall Impact indicator if necessary. This enables you to overwrite the impact level and score, depending on the
analysis method selected above. The impact level is derived from the impact score and is displayed below it.
11. Finally, enter the unit of measure to be used for impact calculation.
12. Save the analysis data for the risk.
More Information
Risk Analysis Using Scoring
1.4.4.2.1.3.3.1 Quantitative Risk Analysis

The quantitative risk analysis method is used to quantitatively analyze the likelihood of risk occurrence and the potential impacts, so that you can determine which
follow-up actions, such as risk responses, are required.
Prerequisites
Impact levels and risk analysis attributes must be defined in Customizing under Governance, Risk and Compliance → Risk Management → Risk and Opportunity Analysis, and impacts must be defined for a risk.
Procedure
To create a quantitative risk analysis:
1. Go to Assessments → Risk Assessments → Risks and Opportunities and select the risk you want to analyze by clicking on its name in the Risk / Opportunity column.
2. In the Analysis tab of the risk screen, choose the Create New Analysis pushbutton.
3. Select the date from which the analysis is to be valid and choose OK.
Note
An analysis cannot be created for a date in the past.
4. The Analysis tab contains an analysis of the inherent risk, which is valid from the date you specified. Depending on the analysis profile set in
Customizing, you can overwrite the probability percentage or the impact of the risk. If it contains a value, the expected loss is now updated in the
corresponding column.
5. Choosing a line of the inherent risk and clicking a linked Total Loss or Impact Level column of the risk leads to the Impact Allocation section displaying
below it.
6. If necessary, use the dropdown options to change the Analysis Method to Quantitative.
7. Enter the impact and change the unit of measure if necessary. You can see the total loss in the column to the right. If you have set the scoring approach, the system calculates the qualitative impact level, and the impact score is calculated according to the formula: Impact x Probability (%) = Impact Score.
8. Carry out the above step for each impact and then save the risk.
9. The Impact Score column now contains the aggregated total of all scores for this risk, and for all specified analysis methods.
Note
If the Mitigation field in the Analysis tab has been activated in the back-end, you can see all of the mitigation results for the responses to the selected risk, including the calculated sums for probability and for particular impacts. For more information, see Risk Mitigation.
More Information
Risk Analysis Using Scoring
1.4.4.2.1.3.3.2 Risk Analysis Using Scoring

The scoring method of risk analysis enables risk managers to use a point-based system to assess the risks of their organization.
The system assesses the drivers and impacts you define, either qualitatively, with results translated into point values, or quantitatively without conversion into currency. The results of the scoring approach are the defined risk score and risk level. The following types of scores are calculated and then combined into an overall score:
Speed of onset score, set in Customizing
Probability score, set in Customizing
Risk score, calculated in the RM application
Prerequisites
The following Governance, Risk and Compliance Customizing activities must be carried out before scoring can be used:
Maintain Impact Levels, under Risk Management → Master Data Setup
Maintain Speed of Onset, under Risk Management → Risk and Opportunity Analysis
Maintain Probability Levels, under Risk Management → Risk and Opportunity Analysis
Maintain Analysis Profile, under Risk Management → Risk and Opportunity Analysis
Note
The risk score calculation method differs if the probability is enabled in the Maintain Analysis Profile Customizing activity.
If the probability is enabled, the risk score = probability X impact.
If the probability is disabled, the risk score = sum of all impact values.
Features
Using RM scoring methodology, you can carry out the following types of risk analyses:
Qualitative Risk Analysis Using Scoring
Quantitative Risk Analysis Using Scoring
Collaborative Risk Assessment
1.4.4.2.1.3.3.2.1 Quantitative Risk Analysis Using Scoring

Using the scoring method, you can carry out a quantitative risk analysis using a user-defined, point-based approach.
Prerequisites
The Maintain Analysis Profile Customizing activity, found under Governance, Risk and Compliance → Risk Management → Risk and Opportunity Analysis, must have the following settings:
Probability and Impacts must be set to Quantitative.
The aggregation method for impacts and the risk score should be set to Summation.
The Expected Loss and Scoring checkboxes must be selected.
You must maintain the Customizing activity Maintain Risk and Opportunity Level Matrix.
Procedure
1. Open a risk you have created with drivers and impacts under Assessments → Risk Assessments → Risks and Opportunities by clicking on its name in the Risk / Opportunity column.
2. From the Analysis tab of the risk screen, choose Create Analysis .
3. Select the date from which the analysis is to be valid and choose OK.
4. The Analysis tab now contains an analysis valid from the date you specified. Enter the probability percentage of the inherent risk by overwriting the zero
value. The expected loss, as a percentage of the total loss, as well as the risk level, are updated in the corresponding columns.
5. Choosing an inherent risk by placing the cursor on its line and clicking a linked Total Loss or Impact Level leads to the Impact Allocation section
appearing below. Here you can do the following:
You can select another analysis method for an impact, as defined in Customizing.
You can change the respective impact amount for quantitative analyses, the score for the scoring analysis type, or the impact level for the qualitative
analysis type.
You can change the unit of measure.
6. If necessary, use the dropdown options to change the Analysis Method to Quantitative.
7. Now enter the impact. You can see the changed total loss in the column to the right.
8. Save the risk.
1.4.4.2.1.3.3.2.2 Qualitative Risk Analysis Using Scoring

A qualitative risk analysis is carried out using a text-based analysis evaluation. For example, the impact level of a risk can be minor, major, or catastrophic. To
have the system translate the qualitative values into quantitative values, you can use the scoring method. The system converts the entered probability levels into
the corresponding number of scoring points, as defined in the Customizing activity for probability levels. The following steps are carried out in this process:
The system calculates the total impact for the risk based on the aggregation method defined in the Customizing activity Maintain Analysis Profile, found under Governance, Risk and Compliance → Risk Management → Risk and Opportunity Analysis.
The system identifies the overall impact level based on the risk thresholds defined for the organizational unit.
The system derives the risk level based on the probability and impact levels defined in Customizing.
The system calculates the risk score according to the Customizing settings made for risk score aggregation.
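The calculation steps listed above, together with the field overview in Background Information on Risk Analysis and the probability enabled/disabled rule in the scoring Note, are modelled in this added Python example (not SAP code). The probability levels, impact thresholds, risk level matrix and the sample risk are constructed stand-ins for the Customizing activities named on this page; the High/Medium/Low cut-offs of the matrix are invented for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Constructed sample values standing in for the Customizing activities named on
# this page; they are not SAP's delivered configuration.

# "Maintain Probability Levels": (level, lower bound of probability in %, score)
PROBABILITY_LEVELS = [
    ("Remote", 0, 1), ("Unlikely", 10, 2), ("Possible", 30, 3),
    ("Likely", 60, 4), ("Certain", 90, 5),
]

# Impact thresholds of the organizational unit / "Maintain Impact Levels":
# (level, lower bound of the loss amount, impact score)
IMPACT_LEVELS = [
    ("Insignificant", 0, 1), ("Minor", 10_000, 2), ("Moderate", 100_000, 3),
    ("Major", 500_000, 4), ("Catastrophic", 2_000_000, 5),
]

# "Maintain Risk and Opportunity Level Matrix", keyed by (probability level,
# impact level). The High/Medium/Low cut-offs are constructed for the example.
RISK_LEVEL_MATRIX = {
    (p, i): "High" if ps * isc >= 15 else "Medium" if ps * isc >= 6 else "Low"
    for p, _, ps in PROBABILITY_LEVELS
    for i, _, isc in IMPACT_LEVELS
}


def level_for_value(levels, value):
    """Highest level whose lower bound does not exceed the value (threshold lookup)."""
    chosen = levels[0]
    for lvl in levels:
        if value >= lvl[1]:
            chosen = lvl
    return chosen


def level_for_score(levels, score):
    """Highest level whose score does not exceed the given score."""
    chosen = levels[0]
    for lvl in levels:
        if score >= lvl[2]:
            chosen = lvl
    return chosen


@dataclass
class AnalysisProfile:
    """The two settings of Maintain Analysis Profile that this model uses."""
    probability_enabled: bool = True
    impact_aggregation: str = "sum"   # sum | average | maximum


@dataclass
class Impact:
    """One row of the Impact Allocation section."""
    method: str                    # quantitative | qualitative | scoring
    amount: float = 0.0            # quantitative: loss in the unit of measure
    level: Optional[str] = None    # qualitative: impact level chosen by the user
    score: Optional[int] = None    # scoring: impact score entered by the user

    def resolved(self):
        """Return (impact level, impact score) as derived for the analysis method."""
        if self.method == "quantitative":
            lvl = level_for_value(IMPACT_LEVELS, self.amount)
            return lvl[0], lvl[2]
        if self.method == "qualitative":
            lvl = next(l for l in IMPACT_LEVELS if l[0] == self.level)
            return lvl[0], lvl[2]
        if self.method == "scoring":
            return level_for_score(IMPACT_LEVELS, self.score)[0], self.score
        raise ValueError(f"unknown analysis method {self.method!r}")


def analyze(profile, probability_pct, impacts):
    """Compute the Analysis tab columns for one risk from its impacts."""
    if not impacts:
        raise ValueError("at least one impact must be maintained for the risk")
    scores = [imp.resolved()[1] for imp in impacts]
    aggregate = {"sum": sum, "average": mean, "maximum": max}[profile.impact_aggregation]
    impact_score = aggregate(scores)              # total impact per the profile
    impact_level = level_for_score(IMPACT_LEVELS, impact_score)[0]

    # Total loss uses only quantitative impacts; without one there is neither a
    # total loss nor an expected loss.
    amounts = [imp.amount for imp in impacts if imp.method == "quantitative"]
    total_loss = sum(amounts) if amounts else None

    if profile.probability_enabled:
        prob_level, _, prob_score = level_for_value(PROBABILITY_LEVELS, probability_pct)
        risk_score = prob_score * impact_score    # risk score = probability X impact
        expected_loss = None if total_loss is None else total_loss * probability_pct / 100
    else:
        # Probability disabled: the risk score equals the total impact and the risk
        # level uses the highest probability level maintained in Customizing.
        prob_level = max(PROBABILITY_LEVELS, key=lambda lvl: lvl[2])[0]
        risk_score = impact_score
        expected_loss = None
    return {
        "probability_level": prob_level, "impact_level": impact_level,
        "impact_score": impact_score, "total_loss": total_loss,
        "expected_loss": expected_loss, "risk_score": risk_score,
        "risk_level": RISK_LEVEL_MATRIX[(prob_level, impact_level)],
    }
```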
Prerequisites
Impact levels and risk analysis attributes must be defined in Customizing, and impacts must be defined for each risk to be analyzed. Impact levels are found under Governance, Risk and Compliance → Risk Management → Master Data Setup.
Procedure
To create a qualitative risk analysis using scoring, proceed as follows:
1. Go to Assessments → Risk Assessments → Risks and Opportunities and click on the name of the risk in the Risk / Opportunity column.
2. From the Analysis tab of the risk screen, choose the Create New Analysis pushbutton.
3. Select the date from which the analysis is to be valid and choose OK.
4. The Analysis tab now contains an analysis valid from the date you specified. You can overwrite the probability percentage of the inherent risk if
necessary. The expected loss is now updated in the corresponding column.
5. Place the cursor in a line of the inherent risk and click the linked Total Loss or Impact Level so that the Impact Allocation section appears below.
6. If necessary, use the dropdown options to change the Analysis Method to Qualitative. The impact level column is now displayed in qualitative (text) form. You can select another impact level from the dropdown options. The impact score changes accordingly.
1.4.4.2.1.3.3.3 Historical Risk Analysis Report

In the Analysis history section of the Analysis tab, you can see a graphical display of the analysis. You can specify how you want to view the risk analysis by
selecting from one of the following dropdown options:
By probability of the risk happening, or by a text-based probability level (certain, likely, and so on)
By impact score (point-based) or impact level (text-based)
By risk score (point-based) or risk level (text-based)
By the total or expected financial loss that is incurred if the risk happens
Note
The graphic displays the inherent, residual, and planned losses for the last three analyses that were carried out.
Prerequisites
You must have created at least one risk analysis to obtain historical risk data.
Procedure
To run a historical risk analysis report:
1. Go to Assessments → Risk Assessments → Risks and Opportunities and click on the name of the risk in the Risk / Opportunity column.
2. In the Analysis history section in the Risk Analysis tab of the risk, choose the Start Report pushbutton.
3. A new subscreen opens with further analysis data that you can enter. Enter the dates to be used and if necessary, the user assessing the data. After
choosing the Go pushbutton, a list of historical risk data is displayed.
4. The data displayed in the report varies, depending on the risk analysis data used.
1.4.4.2.1.3.4 Collaborative Risk Assessment

Collaborative risk assessment enables more than one risk manager or risk owner to participate in a risk assessment for one or more risks. This is a workflow-driven activity triggered by the Planner. The individual assessments are later consolidated into a single analysis for the risk, either automatically or with the help of the reviewing user.
Collaborative risk assessment recipients and consolidators are determined based on business events (agent slots) linked via workflows. In this way, risk
recipients can determine which risks are in scope for the collaborative assessment work.
You can create a collaborative risk assessment from the Analysis tab of the risk, or by using the Planner. For more information, see Risk Management
Planner and Creating a Collaborative Risk Assessment from a Risk.
Collaborative risk assessments can be carried out using surveys, which you can use to determine the probability and impact of specific risks. For more
information, see Surveys.
Note
You must use the Valuation method to carry out a survey.
Prerequisites
The following GRC Customizing activities must be carried out:
Maintain Custom Agent Determination Rules, under General Settings → Workflow.
Maintain Entity Role Assignment, under General Settings → Authorizations.
Furthermore, the contributors of the collaborative risk assessment must be defined in the Roles tab of the organizational unit.
Features
Participants of collaborative risk assessment can assess a risk by using:
A quantitative assessment of the probability and impact
A qualitative assessment of the probability and impact.
The scoring method, which involves numeric-based evaluation.
A survey with valuation.
The collaborative risk assessment process has the following steps:
1. The risk manager or risk owner determines whether an assessment is to be carried out for an inherent risk or a residual risk. For more information about
the types of risks that exist, see Risk Management Terminology.
Note
The GRC Customizing settings in the activity Maintain Analysis Profile, under Risk Management → Risk and Opportunity Analysis, determine whether the risk assessment conducted is for an inherent or a residual risk:
If the Impact Reduction setting is enabled in the analysis profile, only inherent risks can be assessed.
If Impact Reduction is disabled, then both inherent risks and residual risks can be assessed.
2. Depending on the level of authorization, the risk manager or risk owner can carry out the following tasks:
Determine the risks that are in scope for a collaborative assessment.
Activate and trigger the workflows for the collaborative assessment to the workflow recipients.
3. As part of the workflow, you receive the results notification for each response, or after all responses have been completed. After receiving the workflow item,
a workflow recipient completes the collaborative assessment workflow. When the assessment is submitted, the workflow item is no longer displayed in the
recipient's work inbox.
4. The risk manager or owner provides consolidated reporting on the applied results across all risks and opportunities for an organizational unit. The
consolidator can monitor the progress via monitoring in the work inbox.
5. The risk manager reviews the assessment results for a risk and can either use the predefined aggregation method, a weighted average, to calculate the results, or override the values. In the weighted average, the weights calculated by the system sum to 1. The risk manager then applies the assessment results to the current risk analysis.
More Information
Creating a Collaborative Risk Assessment
1.4.4.2.1.3.4.1 Creating a Collaborative Risk Assessment

Collaborative risk assessment involves sending surveys to several participants. You can carry out collaborative risk assessment with and without surveys.
Furthermore, you can create a collaborative risk assessment from the Analysis tab of the risk, or using the Planner functions. If you create a collaborative risk
assessment from the Analysis tab, you no longer need to create a separate plan for it.
Note
For more information, see Creating a Collaborative Risk Assessment from a Risk.
You can carry out a collaborative risk assessment in one of the following ways:
Online: By processing a work item sent to a user's work inbox.
Offline: By receiving an e-mail with an interactive Adobe PDF form attached to it, which you return to the sender after filling it out.
Note
The procedure below describes the creation of a collaborative risk assessment using the Planner. For more information, see Risk Management Planner.
Prerequisites
The following prerequisites apply:
You must define the contributor and consolidator roles, either in the Organizational Unit or the Risk screen.
RM Customizing activities for risk analysis must be carried out. For more information, see the Prerequisites section of Creating a Risk Analysis.
The following GRC Customizing activities for workflow enabling must be carried out:
Define Probability and Maximum Score , under Common Component Settings Surveys
Perform Automatic Workflow Customizing , under General Settings Workflow
Perform Task-Specific Customizing , under General Settings Workflow
Procedure
To create a collaborative risk assessment using the Planner:
1. Call Assessments Assessment Planning Planner .
2. Choose the Create pushbutton. A Guided Procedure displays.
3. Enter the plan name and select the plan activity Perform Collaborative Risk Assessment from the dropdown options. Alternatively, you can select Perform
Collaborative Risk Assessment via Survey if you want to use a survey for the assessment.
Note
If you want to have the survey sent to you via e-mail, select the Delivery: Via E-Mail checkbox. Otherwise, the survey is sent to your work inbox.
4. Specify the following mandatory data:
Period to be assessed
Year
Start date
Due date
5. Enter the date on which the analysis is to be run ( Analysis Date ).
Note
You can create only one analysis per risk for a given analysis date. To create a further analysis for the same risk, specify a different analysis date.
6. Choose Next and select the organization to be assessed.
7. In the Select Objects step, you have the following selection options:
Select all risks
Select by risk attributes
Select specific risks
8. In the Review step, choose the View Objects pushbutton to check the risks that were selected. You can choose to display all objects, or only the
objects without recipients.
9. Choose the Activate Plan pushbutton to confirm that your plan was saved. By choosing Finish , you add the plan to the list of plans in the Planner .
10. If you want to check any possible warnings or errors that occurred when the plan was running, return to the overview list after the plan is completed and call
up the plan again. In the Events tab, you can see a list of any and all messages that the system has about the execution of this plan.
Result
You have scheduled the collaborative risk analysis and started the corresponding workflow.
1.4.4.2.1.3.4.2 Creating a Collaborative Risk Assessment from a
Risk

You can create a collaborative risk assessment from the Analysis tab of a risk, instead of using the Planner .
Note
If you create a collaborative risk assessment from a risk, you cannot use the Planner Monitor to keep track of the status of the collaborative risk assessment.
For the consolidator and the contributor(s), the only means of tracking is through each participant's My Home Work Inbox .
Prerequisites
The same prerequisites apply as for Creating a Collaborative Risk Assessment.
Procedure
Proceed as follows:
1. Go to Assessments Risk Assessments Risks and Opportunities and click on the name of an existing risk in the Risk / Opportunity column.
2. In the Analysis tab, choose Create Collaborative Assessment.
3. In the dialog box that appears, enter the valid-from date and specify whether the collaborative assessment should be carried out using a survey. If you
select this checkbox, the Survey Template field appears below it. Here, select a survey from the dropdown options.
4. Select the user who is to be the consolidator of the collaborative risk assessment.
5. In the lower section, you can add or delete the users who are the contributors to this collaborative assessment.
6. Choose OK . Now the application displays a new pushbutton called Collaborative Assessment Details .
7. If you choose this pushbutton, a new dialog box appears in the lower section, with the entire set of collaborative assessment data for each contributor
(assessor).
8. Choosing the link in a line opens up the read-only impact allocation section below it. You cannot make any changes here. The assessment data is sent to
you, either as a work inbox item or as an e-mail attachment containing an interactive PDF to fill out.
9. You can change the display type by selecting either Tabular or MARCI in the View field.
10. By choosing the Calculate pushbutton, you can have the system recalculate the changed data.
11. When finished, choose the Close pushbutton and save the changed risk data.
1.4.4.2.1.3.4.3 Consolidating Collaborative Risk Assessment
Results

After a risk has been assessed (either directly or via a survey) and the results have been returned, the risk manager needs to consolidate them.
The results can be displayed in table form or graphical form. The risk manager carrying out the consolidation can do the following:
Review the answers that were provided.
Look at the calculation of the expected risk assessment results based on participant answers.
Overwrite or change the aggregated results if needed, for example, with respect to participant weighting, and store the results in the final risk analysis.
Exclude participants if necessary.
Procedure
To consolidate the risk assessments of several participants:
1. From the My Home work center, call the Work Inbox and open the work item Consolidate Collaborative Risk Assessment . Each line contains a link to a
risk. The work item reaches the inbox after all participants have finished entering their data, or after a participant's work item has been canceled.
2. The collaborative risk assessment consolidation screen appears. Here you can see all the participants who responded to the assessment, as well as the
participants who were excluded during the execution.
Note
If you are in the Analysis tab of the risk, you can also choose the Collaborative Risk Assessment Details pushbutton to access this screen.
3. In the View field, you can switch the display from a table form to a MARCI chart. This provides you with a graphical display of the individual users, each
represented by a colored bubble, as well as a blue Overall bubble. Each bubble reflects the rating given by a respondent for a risk.
4. From among the dropdown options of the Risk field, you can choose one of the following:
Inherent and residual risk
Only inherent risk
Only residual risk
5. You can customize and work with the output of the risk assessment as follows:
Select the display options for this view. For example, for the graphical display, you can specify that you want to see the risk level on the y-axis.
In the graphical display (MARCI chart), you can see the risk assessments for all the participants.
Note
The blue bubble represents an average value.
You can carry out simulations by changing the weighting of an assessment in the Weight column and then choosing the Calculate pushbutton at
the top right of this screen.
6. Choose the Submit pushbutton to store the results and conclude the workflow.
7. To see the overall result, call up the graphical representation again. You can access the results at a later date from the Analysis tab of the Risk screen,
where the results are displayed in updated form.
8. When done, choose the Close pushbutton.
Result
The collaborative analysis data is now stored for this risk and the item has been removed from the work inbox.
1.4.4.2.1.3.4.4 Workflow for Collaborative Risk Assessments

When users create collaborative risk assessments, two modes of processing are available. In the Online processing mode, a work item is sent to a user's work
inbox. If you are the risk owner, you can access the results in your work inbox after all participants have provided feedback, or if the work item was canceled.
Prerequisites
See Creating a Collaborative Risk Assessment.
Activities
The steps are as follows:
1. Go to Assessments Risk Assessments Risks and Opportunities , and click on the name of the risk in the Risk / Opportunity column. In the
Analysis tab of that risk, choose the Collaborative Assessment Details pushbutton.
2. In the window that appears, you can see the processors and contributors to this risk assessment. These users receive a work item in their work inbox.
3. Open your work inbox and call the work item for processing. There are three different types of work items:
Monitoring the progress of work items: Here you can exclude contributors if necessary.
Performing the risk assessment itself.
Consolidating the risk assessment data.
4. In the window that appears, choose the corresponding work item. For the risk assessment data, you can overwrite the values as necessary. When finished,
select the Completed checkbox and then choose the Submit pushbutton.
5. You return to the overview screen. After you choose Refresh , the item is no longer displayed in the list.
6. If you are using a survey, choose the corresponding items to access a window in which you enter answers and add comments relating to your risk
assessment.
7. By choosing a work item for consolidation, you access the consolidation screen, where you can complete the assessment data and change the weighting
data in the right-hand column.
You can change the impact scores for each contributor or assessor, and the result is then reflected in the Overall line.
If one participant has more knowledge than another, for example, that person can receive a higher weighting.
8. When finished, choose the Complete pushbutton to finish the process.
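The consolidation logic described in the collaborative assessment steps above (weighted average with weights summing to 1, excluded contributors, re-weighting with Calculate, overriding the calculated value) is modelled in the following added example. It is illustrative code written for this page, not SAP's implementation: the record layout, the percent scale for probability, the per-category handling of missing ratings and the name consolidate are assumptions.

```python
from dataclasses import dataclass, field, replace


@dataclass
class ContributorResponse:
    """One contributor's returned assessment (field names are assumed)."""
    contributor: str
    probability: float                           # probability rating in percent
    impacts: dict = field(default_factory=dict)  # impact category -> score
    weight: float = 1.0                          # weighting set by the consolidator
    excluded: bool = False                       # set when the monitor excludes a contributor


def normalized_weights(responses):
    """Scale the consolidator's weights of the active contributors so they sum to 1."""
    active = [r for r in responses if not r.excluded and r.weight > 0]
    total = sum(r.weight for r in active)
    if total <= 0:
        raise ValueError("no contributor left to consolidate")
    return {r.contributor: r.weight / total for r in active}


def weighted_average(pairs):
    """Weighted average over (weight, value) pairs; weights need not sum to 1."""
    total = sum(w for w, _ in pairs)
    return sum(w * v for w, v in pairs) / total


def consolidate(responses, overrides=None):
    """Build the Overall line.

    Returns {'weights', 'calculated', 'applied'}: 'calculated' holds the
    system values, 'applied' the values stored in the risk analysis after any
    consolidator override; the calculated values stay available for information.
    """
    weights = normalized_weights(responses)
    active = [r for r in responses if r.contributor in weights]
    calculated = {"probability": weighted_average(
        [(weights[r.contributor], r.probability) for r in active])}
    # A category is averaged over the contributors who actually rated it, so a
    # missing rating neither counts as zero nor distorts the other weights
    # (assumed behaviour, not documented on this page).
    for category in sorted({c for r in active for c in r.impacts}):
        rated = [(weights[r.contributor], r.impacts[category])
                 for r in active if category in r.impacts]
        calculated[category] = weighted_average(rated)
    applied = dict(calculated)
    applied.update(overrides or {})
    return {"weights": weights, "calculated": calculated, "applied": applied}


# Constructed sample: three contributors, one excluded during monitoring, one
# weighted double because of deeper knowledge of the risk.
SAMPLE = [
    ContributorResponse("plant_manager", 40, {"financial": 3, "reputation": 2}, weight=2),
    ContributorResponse("controller", 60, {"financial": 5, "reputation": 4}),
    ContributorResponse("auditor", 80, {"financial": 4, "reputation": 5}, excluded=True),
]

if __name__ == "__main__":
    result = consolidate(SAMPLE)
    print(result["weights"])       # plant_manager 2/3, controller 1/3
    print(result["calculated"])    # probability 46.67, financial 3.67, reputation 2.67
    # Simulation: change a weight and recalculate, as with the Calculate pushbutton.
    simulated = [replace(SAMPLE[0], weight=1)] + SAMPLE[1:]
    print(consolidate(simulated)["calculated"]["probability"])   # 50.0
```

Note that an override only replaces the applied value; the calculated weighted average is kept alongside it, which is what lets a reviewer later see how far the consolidator departed from the contributors' input.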
Analysis Automation: Integration with EH&S

Some enterprise risks are related to environmental and worker safety. SAP has a separate solution, Environment, Health and Safety Management (EH&S), which
provides solution-specific mechanisms for processing such risks that operational risk management lacks. Integrating EH&S using analysis automation
allows you to track all enterprise risks in one application (Risk Management).
Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their probability and severity values, and copying those
values to the corresponding analysis parameters according to rules predefined in Customizing.
Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk analysis. EH&S risk assessments are intended to
be processed by an EH&S manager or other responsible user. Risk managers can use a specific report that runs in the background to track the current
probability and impact levels of the EH&S-related risks that they create (see prerequisite number 9 below).
Prerequisites
Before using analysis automation (integration with EH&S), ensure that the following conditions have been met:
1. The remote system (EH&S) is known, and the logical system has been created for it (transaction SM30, record in view V_TBDLS).
2. The user is authorized to create risk assessments in the EH&S remote system, and the user's logon credentials are known. Since the RFC destination (step 4) logs on with these credentials, use a dedicated technical user that has only the authorizations needed to create risk assessments, rather than a personal dialog user.
3. Log object GRRM and log sub-object ANLS_AUTOMATION have been created (transaction SLG0).
4. The RFC destination for the EH&S remote system has been created.
5. RM and EH&S probability and severity level values have been mapped in Customizing under Risk Management Risk and Opportunity Analysis
Map Probability and Severity Values from EH&S and RM .
6. Context dimensions have been created for the EH&S agent, EH&S work area, and material in Customizing under Risk Management Risk and
Opportunity Analysis Map Probability and Severity Values from EH&S and RM . Use dimension types EHSAGENT, EHSWA, and MATERIAL within
the logical system mentioned in step 1 and the RFC destination created in step 4.
7. Context dimensions have been assigned to a risk and risk category entity in Customizing under Risk Management Master Data Setup Assign
Dimension to Entity . Assign the dimensions created in step 6 to the entities RISK and CRGROUP.
8. Context dimensions have been set as allowed for the risk category you will use when creating a risk. In the Risk Management application, go to Master
Data Risks and Responses Risk Catalog . Open the desired risk category, go to tab Allowed dimensions , and add the dimensions created in
step 6.
9. You have scheduled the report GRRM_ANLS_AUTOM_STATUS_UPDATE to run with a period of 1 hour.
Process
1. In the Assessments work center, open Risk and Opportunities .
2. Create a new risk.
3. Enter the risk name and specify the risk category (see step 8 of prerequisites).
4. Create an impact for the risk.
5. Go to the Analysis tab and create a new analysis.
6. Go to the Context tab and link the EH&S work area and EH&S agent to a risk as context objects.
Note
Instead of an EH&S agent, you can use a material (depending on conditions and requirements).
Caution
Be sure that no risk assessment with the specified combination of work area and agent/material already exists in EH&S. Such an existing risk
assessment will not be overwritten by the new risk assessment (in other words, the new risk assessment will not be created).
7. Submit the risk.
Result
A new risk assessment is created in the EH&S application of the remote system to be processed by the EH&S manager or other responsible user. The EH&S
risk assessment will be assigned probability and severity values. A background job (step 9 of prerequisites) replicates these values as probability and impact
level values for the corresponding risk analysis in Risk Management.
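The two rules that matter operationally in the process above are the key under which an EH&S assessment is created (work area plus agent or material, never overwritten) and the direction of the value mapping (EH&S probability and severity are copied into the RM analysis by the periodic job). The following added example models both; it is illustrative code for this page, not SAP's implementation. The mapping values, the record layouts, the log tuple format and the names RemoteEhs, submit_risk and status_update_job are assumptions; the real mapping lives in the Customizing activity Map Probability and Severity Values from EH&S and RM.

```python
# Customizing-style value mapping (assumed values): EH&S level -> RM level.
EHS_TO_RM_PROBABILITY = {"RARE": 5, "UNLIKELY": 20, "POSSIBLE": 50, "LIKELY": 75, "CERTAIN": 95}
EHS_TO_RM_IMPACT = {"NEGLIGIBLE": 1, "MINOR": 2, "MODERATE": 3, "MAJOR": 4, "CATASTROPHIC": 5}

LOG_OBJECT, LOG_SUBOBJECT = "GRRM", "ANLS_AUTOMATION"   # log object/sub-object from prerequisite 3


class RemoteEhs:
    """Stand-in for the EH&S system reached through the RFC destination (constructed)."""

    def __init__(self):
        self.assessments = {}   # (work_area, agent_or_material) -> assessment record

    def create_assessment(self, work_area, agent_or_material, rm_analysis_id):
        """An assessment for an existing work area + agent/material combination is
        never overwritten (see the Caution above); None signals 'not created'."""
        key = (work_area, agent_or_material)
        if key in self.assessments:
            return None
        record = {"rm_analysis_id": rm_analysis_id,
                  "probability": None, "severity": None}   # filled in by the EH&S manager
        self.assessments[key] = record
        return record


def submit_risk(ehs, rm_analysis, log):
    """Process step 7: create the EH&S assessment from the RM analysis context.
    The context uses the dimension types EHSWA, EHSAGENT and MATERIAL from prerequisite 6."""
    ctx = rm_analysis["context"]
    target = ctx.get("EHSAGENT") or ctx.get("MATERIAL")   # a material may replace the agent
    record = ehs.create_assessment(ctx["EHSWA"], target, rm_analysis["id"])
    if record is None:
        log.append((LOG_OBJECT, LOG_SUBOBJECT, "E",
                    f"{rm_analysis['id']}: assessment for {ctx['EHSWA']}/{target} already exists"))
        return False
    log.append((LOG_OBJECT, LOG_SUBOBJECT, "S", f"{rm_analysis['id']}: EH&S assessment created"))
    return True


def status_update_job(ehs, rm_analyses, log):
    """Model of the periodic report GRRM_ANLS_AUTOM_STATUS_UPDATE: copy the EH&S
    probability and severity into the RM analysis via the mapping. Returns the
    number of analyses updated; unprocessed or unmappable assessments are skipped."""
    by_id = {a["id"]: a for a in rm_analyses}
    updated = 0
    for record in ehs.assessments.values():
        analysis = by_id.get(record["rm_analysis_id"])
        if analysis is None or record["probability"] is None or record["severity"] is None:
            continue   # not yet processed by the EH&S manager
        probability = EHS_TO_RM_PROBABILITY.get(record["probability"])
        impact = EHS_TO_RM_IMPACT.get(record["severity"])
        if probability is None or impact is None:
            log.append((LOG_OBJECT, LOG_SUBOBJECT, "E",
                        f"{analysis['id']}: no RM mapping for EH&S values "
                        f"{record['probability']}/{record['severity']}"))
            continue   # both values are mapped before either is written
        analysis["probability"], analysis["impact_level"] = probability, impact
        updated += 1
    return updated


def demo():
    """Constructed walk-through: two risks, one of them a duplicate combination."""
    ehs, log = RemoteEhs(), []
    analyses = [
        {"id": "RA-1", "context": {"EHSWA": "WA-PAINT", "EHSAGENT": "TOLUENE"},
         "probability": None, "impact_level": None},
        {"id": "RA-2", "context": {"EHSWA": "WA-PAINT", "EHSAGENT": "TOLUENE"},
         "probability": None, "impact_level": None},
    ]
    created = [submit_risk(ehs, a, log) for a in analyses]      # [True, False]
    ehs.assessments[("WA-PAINT", "TOLUENE")].update(probability="LIKELY", severity="MAJOR")
    updated = status_update_job(ehs, analyses, log)              # 1
    return {"created": created, "updated": updated, "analyses": analyses, "log": log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The job maps both values before writing either, so a mapping gap in Customizing leaves the RM analysis untouched and produces a log entry under GRRM/ANLS_AUTOMATION rather than a half-updated analysis.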
1.4.4.2.2 Graphical View Risk Creation

To centrally store risk-related information on an organization's risks and to simplify working with Risk Management, the application contains several functions
enabling you to work in a graphical and easy-to-use interface.
The graphical view can be accessed by users of SAP applications (referred to as the source applications ) and by casual users as well. Casual users can
carry out a risk analysis and mitigation without actually having to access the Risk Management application. The Risk Management phases involved in this
process are the risk identification , the risk assessment , and the risk mitigation phases.
Note
The graphical view is an alternative and simplified way of performing risk-related operations using a graphical user interface (Flex-based graphical interface of
Adobe Flash Player). It is provided as an alternative to the standard Web Dynpro screens, in particular for casual users from other company departments who
need to report on company risks.
Features
The graphical view has the following functions:
Summary: This is a read-only section that provides overview information about the risk.
Identify Risk: You define the risk with all its dependent information using drag and drop. For more information, see Identifying Risk Data.
Assess Risk: You assess the risk by entering or editing information about risk drivers, impacts, and other objects, which you can drag to the working area
of the screen. For more information, see Assessing a Risk.
Mitigate Risk: You can mitigate the risk by proposing new mitigation measures, existing responses, controls, or policies. For more information, see
Mitigating a Risk in the Graphical View.
1.4.4.2.2.1 Identifying Risk Data

Prerequisites
For prerequisites, see Creating a Risk.
Procedure
To graphically create and evaluate risks, call Assessments Risk Assessments Risks and Opportunities . In the overview screen that opens,
choose Create Using Graphical View .
1. Enter the name of the risk in the center of the risk bubble that appears.
2. You can associate the following risk data with the risk by choosing Identify Risk and then using drag and drop to pull the following items from the left to the
right screen section:
Organizational units: If primary and secondary organizational units are used at your company, they mean the following:
Primary organizational unit: This reflects the legal structure of your organization and also contains the necessary authorizations on each level of
the organization
Secondary organizational unit: This is used to reflect a business structure for your organization.
Activities
Risk categories: You can assign only one risk category to a risk.
Drivers: You can assign one or several drivers to the risk.
Impacts: You can assign one or several impacts to the risk.
3. Open a node on the left side at the level that contains the object that you want to use.
4. Assign the object to the right side of the screen using drag and drop. The objects are now displayed there.
5. For the objects that need a title (such as for impacts and drivers), you are prompted to enter one after dragging them to the right side of the screen.
6. When finished, choose the Save pushbutton at the top right to save the data.
Note
The completion bar shows you the percentage of completed data for this risk. The quick info text displays further status data about the progress of your
risk.
7. If you need to remove an object from the right side, click on the X at the top right of the object. The object is then no longer displayed.
8. After you have saved your data, proceed to the next step, Assessing a Risk.
1.4.4.2.2.2 Assessing a Risk

The third step of working with risks in the graphical view is the assessment of a risk and its impacts.
Prerequisites
Risk analysis data must be defined in the corresponding Customizing activities.
The organizational unit you are using must have a currency defined for it.
To assess a risk in the graphical view, the corresponding risk data must be identified and assigned to the risk in the Identify Risk section.
Procedure
To work with risk assessment data in the graphical view, proceed as follows:
1. After defining a risk in the Identify Risk section, choose the Assess Risk pushbutton in the left section.
2. The sections and pushbuttons at the top of the Assess Risk screen provide you with the following options:
New : Choose this pushbutton to create a new assessment.
Delete : You can delete an existing assessment and create a new one.
Note
The system displays only one assessment at a time.
3. The right side of the screen has the following sections to work with:
A calendar frame enabling you to choose the time frame for which you want to assess the risk data.
Note
You can choose each box in this frame that has a colored dot in it, which means that an assessment exists for that month or date.
The Previous (<) and Next (>) pushbuttons enable you to select the previous or next date from the available assessments.
Below this, you can see the following further risk data:
Risk analysis data: The bar chart shows the probability, along with the initial, actual (residual), and planned risk assessment data, with respect
to the following:
Total loss / expected loss
Risk level
Individual impact values: For each impact, you can specify the type of risk analysis to be carried out, as well as change the default
impact type and the unit of measure. Depending on the impact type that you select directly above the Impact field, you can see the loss
values by carrying out the following types of risk assessments:
Quantitative: Enter a value in the unit of measure, for example, the currency, and press Enter to see the changed value.
Qualitative: Move the slider to indicate the severity of the risk.
Scoring: Enter a value in the left field or use the numeric stepper to increase the value.
The impact values for all types of assessments are shown to the right of the impact.
Impact category distribution data: This is a pie chart showing the impact data for the current assessment. Each impact value represents
one portion of the pie.
The following table describes the maximum possible sections that appear, depending on the Customizing settings made for the analysis profile. For
more information, see Background Information on Risk Analysis.
Section Description
Calendar frame A calendar frame enabling you to choose the time period for which you want to
assess the risk data.
Risk analysis data How the risk analysis is to be carried out:
By probability of the risk happening.
By total loss incurred if the risk happens.
By expected loss for the risk.
By risk level, that is, the level of severity for a risk that corresponds to a
defined risk level value, such as H (high), M (medium), or L (low).
Probability slider In the Probability section, you can use the percentage slider to decrease or
increase the probability in percentage that the risk will occur.
Analysis data per impact category For each impact, you can specify the type of risk analysis to be carried out, as well
as change the default impact and the unit of measure.
4. Change the risk values as follows:
Probability : The probability can be quantitative, qualitative, or scoring, depending on the analysis profile selected in Customizing.
Impact : For each impact category listed, the impact can be quantitative, qualitative, or scoring. You can change the default impact and the impact
value by clicking the Up and Down arrows to the right of the impact.
5. Choose OK to save the assessment data, or Delete if you want to discard the assessment data. At this point, the Save pushbutton becomes active,
and you can save the entire risk data set by clicking it.
6. You can now proceed to Mitigating a Risk in the Graphical View.
Note
You can see how far the risk processing has progressed in the Progress Bar at the top. By passing your mouse over the progress bar, the quick info callout
Risk Specification Progress appears, containing all the risk data you have defined up to then.
For each object type (impacts, drivers, and so on), this quick info callout shows the number of objects assessed, a slash, and the number of objects added.
So if you added three impacts but assessed only two, you see 2/3 for impacts.
More Information
To see the documentation for the standard risk analysis user interface, see Creating a Risk Analysis.
1.4.4.2.2.3 Mitigating a Risk in the Graphical View

After assessing a risk, you can mitigate it in the graphical view similarly to the normal application processing. Risks can be mitigated by adding:
Responses from Risk Management. For more information, see Risk Responses.
A control or controls from Process Control. For more information, see Business Processes.
A policy or policies from Risk Management. For more information, see Using a Policy as a Risk Response.
Prerequisites
A risk must have been identified and assessed before it can be mitigated, and mitigation procedures such as responses or controls must exist in the back-end
system.
Procedure
To mitigate a risk in the graphical view, proceed as follows:
1. Call up a risk that has been assessed, choose the Switch to Graphical View pushbutton, and then choose the Mitigate Risk pushbutton.
2. On the left side, you can use existing responses and controls, or propose new mitigation objects:
Responses
Controls
Procedures
3. Pull the necessary mitigation objects to the right side using drag and drop. To see the detail data, choose the link inside the box. A section opens in the
lower part of the screen with the following detail data for this mitigation object:
Name and type of mitigation object
Percentage of completeness
Start and finish dates, that is, the validity period of the mitigation object
Costs of the risk if it happens
Effective from and to dates
Current effectiveness value
4. If you have assessed the risk and then chosen the Mitigate pushbutton, the Mitigate Risk screen appears.
5. On the Mitigate Risk screen, you can change the impact values as necessary. The graphs on the left side then change accordingly.
6. Choose Close to return to the Mitigation screen.
7. When you are finished with the mitigation steps, choose Save .
1.4.4.2.3 Risk Mitigation

If your company's risk exposure is unacceptable, you can document risk responses, which are aimed at reducing the likelihood that the risk will occur or lowering
the impact of the risk if it occurs. This is called risk mitigation .
Risks can be mitigated by adding:
Responses from Risk Management. For more information, see Risk Responses and Enhancement Plans.
One or more controls from Process Control. For more information, see Business Processes.
A policy or policies from Risk Management. For more information, see Using a Policy as a Risk Response.
Mitigation can be maintained on both the Response Plans tab and the Analysis tab.
Note
You can also maintain mitigation in the Graphical View. For more information, see Mitigating a Risk in the Graphical View.
Risk Mitigation on the Response Plans Tab
Mitigation for individual responses can be maintained on the Response Plans tab. Although this has the advantage of allowing you to focus on one specific
mitigation factor at a time, there is no way to see the cumulated value for all the responses at one time, and it is this cumulated value that the back-end system
uses to calculate Residual and Planned Residual values.
Risk Mitigation on the Analysis Tab
If the Mitigation field in the Analysis tab has been activated in the back-end, you can see all of the mitigation results for the responses to the selected risk,
including the calculated sums for probability and for particular impacts .
Note
To activate this function, you must run the report GRRM_RESPONSE_MITIGATION_UI in the back-end system.
You also have the possibility to overwrite the calculated sums by using the Click to Overwrite link. If you use this option, the Overall Calculated values are still
available, but only for information purposes. The manually-entered values are used for Analysis mitigation.
1.4.4.2.4 Creating an Opportunity

You can create an opportunity with or without a template. For information on creating opportunity templates, see Creating an Opportunity Category and Template.
Prerequisites
Benefits and drivers for opportunities must have been maintained in Customizing under Governance, Risk and Compliance Risk Management Risk and
Opportunity Analysis .
Procedure
1. From the Assessments work center, choose Risk Assessments Risks and Opportunities . The POWL screen for risks and opportunities
appears.
2. On the Opportunities tab, choose Create Opportunity , with or without a template. If necessary, select the template and choose OK .
3. In the Opportunity screen, enter the following information in the General tab:
Name of the opportunity and organizational unit
Opportunity category
In the lower screen section, you can assign benefits and drivers to the selected opportunity
4. On the Roles tab, you can assign roles to be used with this opportunity category. The procedure is the same as when assigning user roles to risks. For
information, see Assigning Roles to Risks and Activities.
5. On the Analysis tab, you can choose the Report pushbutton to view the following historical analysis data for this opportunity:
Probability
Total gain
Expected gain
Opportunity level
Note
You conduct an opportunity analysis in a similar way to conducting a risk analysis. For more information, see Risk Analysis.
6. On the Enhancement Plans tab, you can create new enhancement plans, assign existing enhancement plans, or remove them from the list. For more
information about enhancement plans, see Creating a Response or Enhancement Plan.
7. In the Issues tab, you can create issues that might affect this opportunity. For more information, see Creating an Issue for a Risk, Opportunity, or
Response
8. On the Context tab, you can specify the contexts that you are working with for this opportunity. For more information, see Working with Contexts.
9. On the Policies tab, you can see any policies that have been created for this opportunity. You cannot create policies here. For more information, see:
Policies
Using a Policy as a Risk Response
10. When finished, save the opportunity data.
1.4.4.2.5 Risk Responses and Enhancement Plans

A risk response is any counter-measure taken to mitigate a risk. Risk responses are planned and/or executed within the context of the given risk, and have the
intention of reducing the risk exposure.
Documenting and managing response strategies helps to proactively manage risks in your organization. Responses can be used to lower the chance of the risk
occurring (that is, the probability) or to lower the potential impact of the risk event if it occurs.
Note
An enhancement plan can be considered as the response to an opportunity. It enables you to define how your organization intends to respond to an
opportunity. The processing is the same for both types of objects.
Process
The influence of a response on the risk exposure is split into the following three independent factors:
The mitigating reduction of the response; cumulated over all responses, this gives the calculated residual risk analysis.
The completeness of the response, entered as a value.
The effectiveness of the response, entered as a value.
The following three steps are essential to reducing the probability or impact of risks defined for an organization:
1. Define impact and probability data in Customizing under Governance, Risk and Compliance Risk Management Master Data Setup and Risk
and Opportunity Analysis .
2. Reduce the impact and probability of the risk by creating responses and controls, enabling you to mitigate the risk and monitor the costs.
3. Carry out a risk analysis to view the results of the risk mitigation measures that were implemented, and make additional resources available if necessary.
Note
Once a risk response has been implemented, you can carry out a new risk analysis, showing the mitigated probability and impact of the risk, which
should then be lower than for the initial risk analysis. This new risk analysis information is referred to as the residual risk exposure.
Response Status Tracking
Example
Your company wants to mitigate its risk of fire. It carries out the following two activities and creates the corresponding responses for them in the Risk Management
application:
It takes out a fire insurance policy. This reduces the impact of the risk, but does not reduce the probability of the risk (a fire) happening.
It installs a fire alarm system. This reduces the probability of the risk happening, since the fire alarm notifies someone who extinguishes the fire, and so
the risk may not happen at all or only minimally.
Taken together, these two responses appropriately mitigate the inherent risk of fire at the company. The residual risk is further analyzed and is determined to be
acceptable.
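The way responses, their completeness and their effectiveness feed into the residual risk can be seen in a small model of the fire example above. The following Python is an added illustration written for this page, not SAP code: the page names the three factors (mitigating reduction, completeness, effectiveness) but not the formula Risk Management applies, so the weighting of each response's reduction by completeness times effectiveness, the class and function names, and all the figures are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Response:
    """A risk response as entered on the Response Plans tab (constructed model)."""
    name: str
    probability_reduction_pct: float      # percentage points removed from the risk probability
    impact_reduction: Dict[str, float]    # impact name -> score points removed from that impact
    completeness_pct: float               # 0..100, as maintained in the Completeness field
    effectiveness_pct: float              # 0..100, quantitative value behind the effectiveness level

    def weight(self) -> float:
        # Assumption of this example: a response counts only to the degree it is
        # complete and effective, so a draft (0 % complete) response changes nothing.
        return (self.completeness_pct / 100.0) * (self.effectiveness_pct / 100.0)


@dataclass
class Risk:
    name: str
    inherent_probability_pct: float
    inherent_impacts: Dict[str, float]    # impact name -> inherent score
    responses: List[Response] = field(default_factory=list)

    def residual(self) -> Dict[str, object]:
        """Residual probability and impact scores after applying every response."""
        probability = self.inherent_probability_pct
        impacts = dict(self.inherent_impacts)
        for response in self.responses:
            w = response.weight()
            probability -= response.probability_reduction_pct * w
            for impact, reduction in response.impact_reduction.items():
                if impact in impacts:              # ignore impacts not defined for this risk
                    impacts[impact] -= reduction * w
        probability = max(0.0, min(100.0, probability))
        impacts = {k: max(0.0, v) for k, v in impacts.items()}
        return {"probability_pct": probability, "impacts": impacts}


def fire_example() -> Dict[str, object]:
    """The fire scenario from the text, with constructed figures."""
    risk = Risk("Fire", inherent_probability_pct=20.0, inherent_impacts={"Financial": 8.0})
    # Insurance: lowers the financial impact, leaves the probability untouched.
    risk.responses.append(Response("Fire insurance policy", 0.0, {"Financial": 6.0}, 100.0, 100.0))
    # Alarm: lowers the probability; assumed "moderately effective" at 80 %.
    risk.responses.append(Response("Fire alarm system", 15.0, {}, 100.0, 80.0))
    # A response still in draft (0 % complete) contributes nothing yet.
    risk.responses.append(Response("Sprinkler system (draft)", 10.0, {"Financial": 2.0}, 0.0, 100.0))
    return risk.residual()
```

Running `fire_example()` gives a residual probability of 8 % against an inherent 20 %, and a residual financial impact score of 2 against 8; the draft sprinkler response is listed but, being 0 % complete, does not yet lower either value, which is the distinction the text draws between a response that exists and one that is implemented.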
More Information
Creating a Response or Enhancement Plan
1.4.4.2.5.1 Working with Response Templates

For responses that are used frequently, it is advisable to create standard response templates that you can use when entering responses. This reduces the
manual effort of unit risk managers during risk creation. You create response templates in the Response Catalog.
Prerequisites
The GRC Customizing activity Maintain Response Types must be maintained under Risk Management → Response and Enhancement Plan.
Procedure
To create a response template:
1. Call Master Data → Risks and Responses → Response Catalog.
2. The Response Catalog screen appears. Choose the Create pushbutton.
3. The Response Template screen appears.
4. Enter a name for the response template, and a description in the fields below it.
5. Change the valid-to date if necessary.
6. Specify the response type to be used with this template.
7. If necessary, specify the purpose.
8. Finally, if you are using the response automation function, enter a type of automation to be used for the response template.
Note
For more information about response automation functions, see Working with Response Automation.
9. When you are finished, save the response template.
Note
In the Response Instances tab of the Response application, you can see the responses that were created using this template. Note that you must
first finish creating the template and then assign it to a risk template before you can see any entries in this screen.
Assigning a Response Template to a Risk Template
To use a response template for a risk:
1. Call Master Data → Risks and Responses → Risk Catalog.
2. To open the corresponding risk template, navigate to the lower level, place the cursor on the line whose Type is Risk Template, and choose Open.
The risk template screen appears.
3. Choose the Response Templates tab.
4. Choose the Assign pushbutton to search for and assign a specific response template to the risk template.
5. Save the risk template.
Assigning a Response Template to a Risk
You can assign a response template directly to a risk as follows:
1. Call Assessments → Risk Assessments → Risks and Opportunities.
2. Open the risk to which you want to assign a response template.
3. Choose the Response Plans tab.
4. Choose Create Response using template.
5. A dialog box opens in which you can search for the corresponding response template.
6. After selecting the response template from the lower section and choosing OK, the response created from this template is displayed in the list on the
Response Plans tab.
7. Save the updated risk data.
More Information
Risk Responses and Enhancement Plans
1.4.4.2.5.2 Creating a Response or Enhancement Plan

Documenting and managing response strategies helps to successfully mitigate risks in your organization.
Note
Creating an enhancement plan is similar to creating a response, so the following steps apply to it as well.
Prerequisites
The following Customizing activities, found under Governance, Risk and Compliance → Risk Management → Response and Enhancement Plan, must be
carried out:
Maintain Response and Enhancement Plan Purpose
Maintain Response and Enhancement Plan Completeness
Maintain Response and Enhancement Plan Effectiveness
Maintain Response Plan Types
If you want to maintain responses to risks for which response automation has been set up for the SAP Business Suite applications, you also need to
make entries in the following Response and Enhancement Plan Customizing activities under Response Automation :
Maintain Response Implementation Classes for Automation
Maintain Response Automation Types
Note
If you are working with automated responses sent to other applications in the SAP Business Suite, see Working with Response Automation.
Features
The Risk Management application contains the following two types of responses:
A risk response determines how to prevent a risk, limit its impact, or reduce the probability of its occurrence. For more information about assigning
responses, see Assigning a Response.
The response to an opportunity is called an enhancement plan . It enables you to define a strategy to respond to an opportunity.
To mitigate risks, the Process Control application also provides the option of defining controls. For more information about this, see Using PC Controls.
Activities
To create and maintain responses and enhancement plans:
1. From the Assessments work center, choose Risk Assessments Risks and Opportunities Responses and Enhancement Plans .
2. In the next screen, you can see a list of all responses entered in the system. If the desired risk response already exists and is allowed for sharing, you
can select and use it without making any changes, or change it as required. For more information, see Assigning a Response.
3. If the desired risk response does not exist, then choose menu path Create Response to enter a new response. To create an enhancement plan,
choose Create Enhancement Plan .
4. Under the General tab, enter the response name, the organizational unit, the response owner, and type (mandatory fields).
5. If desired, you can enter the response details in text form, as well as the response purpose and whether the response is to be shared between various
users or requires your approval.
If you want to specify another response owner, enter the user's name in the Owner field. A dialog box appears in which you can enter the due date
for the new owner and any comments for the new owner that you wish to make. Then choose OK . The response is automatically saved with the new
data.
If you want to share the response with another user, you can specify whether it requires your approval or not via the corresponding dropdown.
6. If you make a selection in the Automation field, the submitted response is sent to an application of the SAP Business Suite, for example, to SAP Plant
Maintenance.
Note
The Automation Status field is updated after saving. For more information about using Risk Management Response Automation, see Working with
Response Automation.
7. In the General tab, you can also carry out the following actions:
Notification section: For work items sent per workflow to the response owners, you can enter information on response notification as follows:
On Due Date : If you checkmark this field, the system sends out a notification on the due date of the response.
Due Date : You can specify the date that the response is due.
Due Date Offset : You can set the number of days ahead of the due date by which the notification is to be sent.
The work item is then displayed in the corresponding user's work inbox under the Home work center.
Response Details section: Here you can enter a text describing any response steps or actions that were taken, including the following information:
Distribution Method : This is only displayed if the response is created from a response template as a copy or as a reference. (For
information about creating a response from a response template, see Working with Response Templates.)
Enter the Start Date and the Finish Date for the response. Since you are providing information about a response that was already carried out,
the finish date cannot be in the future. You should enter the start and finish values on the actual dates on which the implementation of the
response was started and finished.
When you enter the start date of the response, and choose Enter , the start completeness percentage that was maintained in the
corresponding Customizing activity is displayed in the Completeness field.
When you enter the finish date of the response, and choose Enter , the finish completeness percentage from the corresponding
Customizing activity is added to the start completeness percentage.
Completeness : By setting the Calculate Completeness indicator, you can automatically calculate the percentage of the completeness of the response.
Note
The Calculate Completeness indicator is inactive and switched off by default. This feature becomes active after you enter a start date and
finish date. Then you must explicitly activate the feature by selecting the Calculate Completeness checkbox.
This feature remains inactive if response automation is used.
If you switch on the Calculate Completeness feature, no manual entry is needed. The value of the completeness is automatically
calculated based on the values set in Customizing under Governance, Risk and Compliance → Risk Management → Response and
Enhancement Plan → Maintain Response and Enhancement Plan Completeness.
Response Effectiveness : You can provide information on the current effectiveness of the response and change the validity period for the
response effectiveness data. When you select an entry for the current effectiveness, the corresponding quantitative value (in percentage form)
is stored and is further used in the risk analysis calculation.
8. In the Affected Risks tab, the risks that are affected by this response are displayed. Using the Assign pushbutton, you can also assign existing risks to
this response.
Note
The prerequisite to assigning a risk to a response is that the response must be shared. For this, select one of the two Shared options from the
dropdown options of the Shared Response field on the General tab.
9. In the Context tab, you can add context data. For more information, see Working with Contexts.
10. In the Issues tab, you can create or display issues that affect this response. For more information, see Creating an Issue for a Risk, Opportunity, or
Response.
Note
If you want to create an issue for a response, you must first carry out the corresponding organizational Customizing activities on maintaining responses
for issues.
11. When finished, save your data as a draft or submit it for processing. After submission, the response status changes from Draft to Active .
Example
Response effectiveness: Hiring new employees is a response provided for the risk of employee loss. However, the new employees lack the necessary
expertise, so this response is initially considered as less effective . This means that you have implemented a response, but it was not fully effective. So you first
enter the effectiveness level as moderately effective . After three months of employee training, you can then change the response to very effective .
Response completeness: To avoid the risk of fire in a leather factory, a response is provided by installing fire safety equipment. However, it takes a month to
install this equipment. So at the start of the month, completeness is lower, but gradually the completeness increases, until the equipment is fully installed and you
can enter the response completeness as 100%.
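Two rules from step 7 above lend themselves to a worked example: the calculated completeness (the start percentage appears once a start date is entered, the finish percentage is added once a finish date is entered, the finish date may not lie in the future, and the feature stays inactive under response automation) and the due-date notification (On Due Date, Due Date, Due Date Offset; the report described later under Workflows for Responses only notifies while completeness is below 100%). The following Python is an added illustration written for this page, not SAP code: the 30/70 split, the dataclass and function names, the ISO-string dates and the sample responses are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed stand-in for the Customizing activity
# "Maintain Response and Enhancement Plan Completeness" (start % and finish %).
START_COMPLETENESS_PCT = 30
FINISH_COMPLETENESS_PCT = 70


def _d(iso: str) -> date:
    """Dates are carried as ISO strings ('YYYY-MM-DD') in this example."""
    return date.fromisoformat(iso)


@dataclass
class ResponsePlan:
    name: str
    owner: str
    due_date: str                           # "Due Date" field
    notify_on_due_date: bool = False        # the "On Due Date" checkbox
    due_date_offset_days: int = 0           # "Due Date Offset": send this many days early
    start_date: Optional[str] = None
    finish_date: Optional[str] = None
    calculate_completeness: bool = False    # the "Calculate Completeness" indicator
    automated: bool = False                 # response automation feeds completeness instead
    manual_completeness_pct: int = 0        # value typed in when not calculated


def completeness_pct(plan: ResponsePlan, today_iso: str) -> int:
    """Completeness as the text describes it: the start percentage once a start date
    is entered, plus the finish percentage once a finish date is entered, capped at 100."""
    if plan.finish_date is not None and _d(plan.finish_date) > _d(today_iso):
        raise ValueError("finish date cannot be in the future")
    # The indicator stays inactive when automation is used or it was never switched on.
    if plan.automated or not plan.calculate_completeness:
        return plan.manual_completeness_pct
    pct = 0
    if plan.start_date is not None:
        pct += START_COMPLETENESS_PCT
    if plan.finish_date is not None:
        pct += FINISH_COMPLETENESS_PCT
    return min(pct, 100)


def due_date_notifications(plans: List[ResponsePlan], run_iso: str) -> List[Tuple[str, str]]:
    """(response, owner) pairs that get a work item when the notification job runs on run_iso.

    Rule from the text: the due date minus the offset has been reached and the
    response is less than 100 % complete."""
    run_date = _d(run_iso)
    work_items = []
    for plan in plans:
        if not plan.notify_on_due_date:
            continue
        send_from = _d(plan.due_date) - timedelta(days=plan.due_date_offset_days)
        if run_date >= send_from and completeness_pct(plan, run_iso) < 100:
            work_items.append((plan.name, plan.owner))
    return work_items


def sample_plans() -> List[ResponsePlan]:
    """Constructed sample data: the leather-factory fire equipment and two other responses."""
    return [
        ResponsePlan("Install fire safety equipment", "unit.risk.manager", "2014-06-30",
                     notify_on_due_date=True, due_date_offset_days=5,
                     start_date="2014-06-01", calculate_completeness=True),
        ResponsePlan("Fire insurance policy", "finance.owner", "2014-06-30",
                     notify_on_due_date=True, start_date="2014-05-01",
                     finish_date="2014-05-15", calculate_completeness=True),
        ResponsePlan("Evacuation drill", "facility.owner", "2014-06-10",
                     notify_on_due_date=False, manual_completeness_pct=40),
    ]
```

With the sample data, a job run on 2014-06-24 produces no work items, a run on 2014-06-25 (five days before the due date, as the offset requires) produces one for the fire equipment response, and the insurance response never appears because its completeness is already 100%.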
1.4.4.2.5.3 Creating Response Proposals

Users can suggest ways to address risks by creating response proposals and submitting them to those responsible for risk mitigation.
Procedure
To create a response proposal:
1. Go to My Home → Ad Hoc Tasks → Response Proposals.
2. Enter the following information in the Create Response Proposal window:
Title (mandatory)
Org[anizational] unit
Risk
Type (mandatory)
Purpose
Automation type
Description
Steps
3. Click on Submit .
After the response proposal is submitted, its creator receives an e-mail confirmation that the proposal was successfully submitted, that is, delivered to
the work inbox of the person responsible for mitigating the specified risk. This person can then approve or reject the response proposal.
Note
Users who are assigned as agents via 0RM_RESPONSE_PROPOSE are authorized to receive and approve or reject response proposals. The approver can
create a response or response template from the response proposal after approving it. For more information, see Creating a Response or Enhancement Plan
and Working with Response Templates.
The creator of the response proposal is notified by e-mail when the response proposal is approved or rejected.
Submitted proposals (including their current status: waiting for approval, approved, or rejected) are listed on the Proposed Responses tab in work center
Assessments → Risk Assessments → Responses and Enhancement Plans. Click the name of the response proposal to review its contents.
1.4.4.2.5.4 Assigning a Response

Instead of creating a new response to a risk, you can use the existing responses in the system if they meet the mitigation requirements. You can create individual
responses or responses shared among two or more users (shared responses). There are the following types of risk responses:
Responses created for a single risk
Responses created using a response template
Responses created from a control (Process Control)
Responses created from a policy (Process Control)
Note
The workflow for sharing a response involves the following options:
If the response to be used is defined as Shared, requires approval , the status of this response is Pending approval . A response workflow item then
goes to the response owner for approval. When the response owner approves the response, the status changes to Sharing approved , after which this
response can be used for risk reduction through analysis.
However, if the owner of the response to be used and the person requesting the response are the same person, the status changes directly to Sharing
approved and no workflow is triggered. This response can be used immediately for risk reduction through analysis.
If the response to be used is defined as Shared, does not require approval , the status of the response becomes Sharing approved . The response
can be used immediately for risk reduction through analysis.
Prerequisites
Probability levels must be maintained in Customizing under Governance, Risk and Compliance → Risk Management → Risk and Opportunity Analysis,
and the response to be used must have the status Active.
Procedure
By accessing Assessments → Risk Assessments → Responses and Enhancement Plans, you can create responses directly and link them to the
corresponding risks.
Conversely, you can also define an existing response for a risk. For this, proceed as follows:
1. From the Assessments work center, choose Risk Assessments → Risks and Opportunities.
2. From the list of risks, by clicking on the name in the Risk / Opportunity column, select and open the risk to which you want to assign a response.
3. In the Response Plans tab for this risk, you can see any existing responses associated with this risk.
4. In the lower section called Mitigation , you can change the current probability reduction percentage value and change the score reduction value for each
impact defined for the risk.
Note
To see the changes you made in the Mitigation section, save the risk and then return to the Analysis tab.
5. To assign a new response to your risk, choose Assign Response . You can also assign a control or a policy from Process Control here in the same
way.
6. In the window that displays, search for the response, control, or policy to be used and click OK .
Note
If you are working with response automation in Risk Management and select one of the corresponding response types, more information is available on
this under Working with Response Automation.
7. The response is now in the list of responses. Save your risk.
More Information
Using a Policy as a Risk Response
1.4.4.2.5.5 Using PC Controls

In addition to working with risk responses, you can also work with the controls of the Process Control (PC) application. A control is a policy, implemented through
processes and procedures and directed by an organization's corporate executives, which supports compliance with operational objectives. These objectives can
be operational efficiency, reliability of financial reporting and disclosures, and compliance with applicable laws and regulations, such as the Sarbanes-Oxley
laws.
In the Response application, you have the following two options:
Button Create Control Proposal . In this case, you propose a new control, so that the Process Control processor can create the corresponding
control. The workflow is then applied as described in Sample Workflow: Control Proposal Notification.
Button Assign Control . In this case, you assign an existing control to mitigate this risk.
Procedure
To create a control proposal, proceed as follows:
1. Go to Assessments → Risk Assessments → Risks and Opportunities, and by clicking on the name in the Risk / Opportunity column, select the
risk to which you want to respond by using a control proposal.
2. Access the Response Plans tab of the risk creation screen.
3. Choose the Create button and then choose Control Proposal . The control proposal window opens.
4. Specify the regulation or policy to be used for the control.
5. Enter the organizational unit and the control name, and change the validity dates if necessary (mandatory data). The organizational unit differs depending on
the regulation or policy you have chosen.
6. Change the other default settings if necessary.
7. Submit the control proposal.
8. The system puts the control proposal into the list of responses on the Response screen with the status Proposed .
Note
To assign an existing control, choose Assign Control . In the dialog box, select Regulation and search for an existing PC control. To use it,
choose OK . The selected control is added to the list of responses. The status for an assigned control is Active .
1.4.4.2.5.5.1 Monitoring Control Effectiveness and Assessment Results

You can convert the Process Control ratings entered for a control to response data in Risk Management. This links the selected control rating results (roughly
defined as the three traffic light colors specified for Process Control) to the completeness and effectiveness data of the corresponding responses, which are defined in
percentages. In this way, the three-state rating values of Process Control are converted to more exact percentage ratings in Risk Management.
This step enables you to automatically monitor the effectiveness and control assessment results of controls defined and managed in Process Control, and map the
results directly to Risk Management response effectiveness and completeness fields.
Prerequisites
The following Customizing activities must be carried out as described in the Procedure section below:
Set Up Link from Control Results to RM, under Governance, Risk and Compliance → Risk Management → Response and Enhancement Plan
Convert Control Rating to Response Fields, also under Governance, Risk and Compliance → Risk Management → Response and Enhancement
Plan
Maintain Custom Agent Determination Rules, under Governance, Risk and Compliance → General Settings → Workflow.
Procedure
To convert the results, proceed as follows:
1. Carry out the above prerequisite Customizing activities as described in the corresponding documentation.
2. In the first Customizing activity Set up Link from Control Results to RM , you set up a link to the results generated in Process Control, which are stored in
the form of SAP Records Management cases. For both the response and the completeness, you must enter the case type and category to be used.
3. When creating the conversion entries in the second Customizing activity, Convert Control Rating to Response Fields , you create three entries for response
effectiveness and another three entries for response completion, each one corresponding to a Process Control color rating. For each of the three entries,
select one of the color-coded ratings available. In the percentage field, you can enter a user-defined percentage value for each entry.
4. Save your entries.
Note
When the Process Control assessment and testing results are published, the corresponding response fields for completeness and effectiveness in Risk
Management are updated. An e-mail notification on the completeness and effectiveness update is sent to the users assigned to the agent slot/business
event 0RM_NOTIF_ON_CONTROL_CHANGE.
1.4.4.2.5.5.2 Sample Workflow: Control Proposal Notification

When you create a control proposal, the Risk Management application sends a notification to the processor defined for the Process Control (PC) application.

Process
The workflow is processed as follows:
1. The Risk Management user (RM) opens the risk for which a control proposal is to be created and selects the Response Plans tab.
2. User RM now reviews the list of existing responses and searches through the available list of controls that can be assigned to this risk.
3. User RM cannot find the desired control and proposes a new control. This user enters the appropriate control information, including the mandatory information
on the organizational unit and regulation, and the optional information on the process/subprocess and name of the control.
4. User RM submits the proposed control request, after which the control workflow goes to Process Control.
5. The Process Control user (PC) opens the request and reviews the details of the proposed control.
6. User PC now decides whether to accept or reject the control proposal request. In either case, a notification is sent back to the requestor in Risk
Management, user RM.
7. User PC accepts the control request and creates the corresponding control. Subsequently, the workflow sends a notification to the requestor's inbox (that is,
to user RM), and the control becomes active in the Risk Management application and has the status Active .
1.4.4.2.5.6 Workflows for Responses

There are several workflows that you can use to process responses in the Risk Management application. Some of them are linked to Process Control workflows.
Prerequisites
The following prerequisites must be fulfilled before you can use the workflows defined for Risk Management:
Risk Management roles must be configured. For more information, see Role Administration.
Workflow activities in Customizing, under General Settings → Workflow, must be carried out.
Features
The table below describes the workflows available for responses:
Workflow | Description
Response update | Using the Planner function, the unit risk manager or activity owner receives a notification to validate a response. The main purpose of this workflow is to remind response owners to process overdue responses. For more information, see Risk Management Planner.
Response notification on due date | You can send out a notification workflow if the response due date has been reached and the response completeness is lower than 100%. As a result, the response owner receives a work item in the work inbox. When the work item is opened, the response maintenance screen is displayed, where the response owner can maintain the missing information. The notification is triggered by report GRRM_NOTIF_ON_RESPONSE_DUEDATE, which you can schedule as a background job. To set up this task, carry out the Customizing activity Schedule Notification on Response Due Date, under Risk Management → Response and Enhancement Plan.
Response sharing for approval or rejection | If a shared response for which permission is required is assigned to a risk, the owner of the shared response receives the workflow for approval or rejection of the sharing request. Shared responses are specified when you create a response. For more information, see Creating a Response or Enhancement Plan and Assigning a Response.
Response delegation | If the current response owner is changed to a new one, the new response owner receives this delegation workflow to process the response.
Process Control proposal notification | If a control is proposed to PC, a notification of the approval or rejection of the proposal is sent to the requestor.
Process Control changes notification | When assessment or testing results for a linked control are published, the corresponding risk or response owner on the RM side receives the notification of changes.
1.4.4.2.5.7 Working with Response Automation

The process for automating risk responses to carry out actions in the SAP Business Suite applications supports the following scenario:
Risk Management triggers and monitors the progress of response actions in an SAP Business Suite application. This scenario does not require any add-on
modules or coding from the SAP Business Suite solution. This type of scenario is used in Plant Maintenance (PM) notifications, or to set up a project in the Project
System (PS), or to trigger a workflow.
Response automation creates, according to automation type, the following objects in other applications:
PM notifications
Project definitions in PS
Workflow items
Note
The response automation function can also be used for enhancement plans.
Prerequisites
The same prerequisites apply as for Creating a Response or Enhancement Plan. Furthermore, the following Customizing activities and Business Add-Ins (BAdIs),
found under Risk Management → Response and Enhancement Plan → Response Automation, must be maintained.
Maintain Implementation Classes for Response Automation
Maintain Response Automation Types
Map Response Automation to Response Types (relevant for types PM notification and Project definition in PS only)
Map Business Suite Object Status to Response Completeness (relevant for types PM notification and Project definition in PS only)
Maintain Attributes for Workflow Automation (relevant for type Workflow triggering only)
Map Workflow Status to Response Completeness (relevant for type Workflow triggering only)
Business Add-Ins:
Maintain Additional Parameters for PM Notification
Maintain Additional Parameters for Project Definition in PS
Maintain Additional Parameters for Workflow Triggering
Furthermore, a risk response must have the status Active to work with response automation.
Procedure
Response Automation Statuses
If you are working with response automation, which sends and receives risk responses to/from the SAP Business Suite, you must select an option from the
Automation field at the bottom of the response screen. The Automation Status field is populated automatically. One or several of the following statuses is
displayed:
Application | Status | Meaning
Plant Maintenance (PM) | Outstanding notification | The notification was created.
Plant Maintenance (PM) | Notification In process | The notification was put in process.
Plant Maintenance (PM) | Notification postponed | The notification was postponed.
Plant Maintenance (PM) | Order assigned | The PM order is assigned to the notification.
Plant Maintenance (PM) | Outstanding tasks exist | The notification has tasks assigned.
Plant Maintenance (PM) | All tasks completed | All the tasks assigned to the notification are complete.
Plant Maintenance (PM) | Notification complete | The notification was created and processing finished.
Plant Maintenance (PM) | Deletion flag | The deletion flag is set for the notification.
Project System (PS) | Project definition: Created | The project definition was created.
Project System (PS) | Project definition: Released | The project definition was released.
Project System (PS) | Project definition: Partially released | Not all WBS elements of the project definition are released.
Project System (PS) | Project definition: Locked | The project definition was locked.
Project System (PS) | Project definition: Master data locked | The project was created by means of master data replication from the project system.
Project System (PS) | Project definition: Rescheduling required | Rescheduling is required for the project.
Project System (PS) | Project definition: Technically completed | All project costs have been settled.
Project System (PS) | Project definition: Closed | The project has been closed.
Project System (PS) | Project definition: Deletion flag | The deletion flag is set for the project definition.
Workflow (WF) | Completed | Self-descriptive
Workflow (WF) | Error | Self-descriptive
Workflow (WF) | Ready | Self-descriptive
Workflow (WF) | In Process | Self-descriptive
Workflow (WF) | Waiting | Self-descriptive
Generic automation statuses | Automation initiated | A response with the assigned automation type was created, but the status of the automated object from the remote Business Suite application has not yet been assigned to a response.
Generic automation statuses | Automation failed | The Business Suite object was not created due to errors.
Generic automation statuses | Automation finished | The notification status tracking is finished.
Working with Response Automation
1. Go to Assessments → Risk Assessments → Risks and Opportunities and call up a risk by clicking on its name in the Risk / Opportunity
column. Access the Response Plans tab. Create a response to a risk that is used for automation.
Note
Specify the automation-specific response type if there are any available (see prerequisite Map Response Automation to Response Types above).
2. If necessary, you can maintain the dimension objects to be fetched from the remote application in the Contexts tab. For more information, see Working with
Contexts.
Note
For the automation type PM Notification , you can specify the technical object (functional location or equipment) and the material in the Context tab. For
the automation type Workflow Triggering , you can specify the objects that are involved in the workflow.
3. Close the response and submit the risk. This sets the status of the response to Active , and the response is sent to the remote application.
4. When the corresponding processor from the remote application has changed the status of the automated object, the automation status and completeness are
updated for the response accordingly.
5. When the status of the automated object is set to complete, closed, or finished, an e-mail is sent to the original processor stating that the response was
completed automatically.
Example
Example: Response Automation for Plant Maintenance
1.4.4.2.5.7.1 Example: Response Automation for Plant Maintenance

Response automation for plant maintenance involves sending a response request from the Risk Management application to the corresponding application in the
SAP Business Suite, in this case the Plant Maintenance application.

Prerequisites
You must have the SAP Business Suite application Plant Maintenance configured and running.
Activities
In the Risk Management application, a risk called "Risk of Overheating of Boiler" has been defined. A background job was created for it, which proceeds
according to the following steps between Risk Management (RM) and Plant Maintenance (PM):
Step | Action | Action Initiator | Automation Status (displayed on Response screen)
1 | Boiler overheats | | Status not assigned yet
2 | Risk response is created with automatic PM notification | Risk Manager | Status not assigned yet
| PM notification created | Notification saved automatically in RM in response screen | Status not assigned yet
| PM notification status read by system | Automatically in RM, within response-saving program | Status set to Outstanding notification
3 (optional) | PM notification postponed | Plant Maintenance processor | Status set to Outstanding notification
4 (if step 3 was executed) | PM notification status read by system | Automatically in Risk Management, with periodic background job | Status Notification postponed
5 | PM notification processed manually by PM processor (tr. IW22) | Plant Maintenance processor | Status Outstanding notification (if steps 3 and 4 were not executed) and Status Notification postponed (if steps 3 and 4 were executed)
6 | PM notification status read by system | Automatically in RM, inside periodic background job | Status Notification In Process
7 | Boiler temperature lowered manually by processor | Plant Maintenance processor | Status Notification In Process
8 | PM notification complete | Plant Maintenance processor | Status Notification In Process
9 | PM notification status read by system | Automatically in RM, inside periodic background job | Status Notification Complete
10 | Response effectiveness is assigned and risk is mitigated | Risk Manager | Status Automation Finished: Status of corresponding PM notification is no longer tracked and copied to response.
1.4.4.2.5.8 Using a Policy as a Risk Response

Besides a specific risk response and a control, you can also use a policy from the Process Control policy library to respond to a risk. A policy is a statement of
objective, direction, or standard that acts as guidance for a company's interactions and operations. It can be regarded as an internal mandate established by a
company to regulate the conduct of its work with respect to the regulations it must observe.
Note
For more information about assigning a response, see Assigning a Response.
Once assigned to a risk, a policy can be used as a risk response. This enables users to mitigate a risk by proposing or documenting a policy for their area of
responsibility, including the documentation of the response effectiveness, impact reduction, and probability reduction.
Note
If defined, policies are displayed in the Organization screen in a separate tab.
Prerequisites
The following prerequisites apply:
In Customizing for GRC under Risk Management → Response and Enhancement Plan:
Both Process Control and Risk Management must be installed and running, and the corresponding Customizing activity Link Policy Status and Response
Completeness must be carried out.
Under Responses for Policies, the organizational Customizing activities Set Up Response Notification Recipient for Policy and Set Up Policy Response
Notification Text must be carried out.
In Customizing for GRC under Common Component Settings → Policy Management:
You must define policy types in the Customizing activities Maintain Policy Types and Distribution Methods and Policy Types for Response Creation.
Under General Settings → Activate applications in client:
You must activate the Process Control and Risk Management components (transaction SPRO).
Procedure
Creating a Policy from a Risk to Use as a Response
Proceed as follows:
1. Call up a risk and then choose the Response Plans tab to create a policy. For more information about creating responses directly, see Creating a
Response or Enhancement Plan.
2. Choose Create Policy.
3. The dialog box for policy creation displays. Select a policy group and a policy category.
4. The policy screen displays, in which you create the policy itself. Enter the necessary policy information in the corresponding tabs.
5. Save the policy. You can send the policy for review or submit it for approval.
6. Close the policy. You can see that the response based on the new policy has been created.
7. Save the updated risk.
Note
If you have entered risks in the Policy screen, they are displayed in the Policy tab of the Risk screen.
Creating a Response Using a Policy
Besides creating a response in the Risk screen, you can also create a response using a policy from the Response screen. To do so:
1. Select an existing risk and then choose the Response Plans tab to create a policy. For more information about creating responses directly, see Creating a
Response or Enhancement Plan.
2. Choose Create Policy.
3. A dialog box for the selection of a policy appears. Select a policy and confirm the selection.
4. After confirmation, you are returned to the Response tab, where the new response is displayed.
Setting Up E-mail Notifications about Policy-Based Responses
To notify authorized users by e-mail about the completeness of a risk response created by a policy:
1. Open the response and go to the Notification section of the General tab.
2. Set the Notification on Policy Status Change indicator.
3. Save the response.
1.4.4.2.6 Activities

An activity is any project, process, or an object within your business or organization that might be affected by a specific risk.
After creating activity categories structured in an activity hierarchy, you can create individual activities for the activity types defined in Customizing and assign
them to the activity categories in the hierarchy. At defined intervals, for example, the activities affected by specific risks can subsequently be evaluated per
activity category in reporting.
Typical types of activities are:
Processes: Potentially all operational and administrative processes within an enterprise.
Projects: Potentially all internal and customer projects.
Objects: Refers to generic activities that are neither a project nor a process.
You can define all the activities that need to be monitored through dedicated risk management procedures, in this way structuring risk management in different
areas of the business. These structures can later be used for reporting.
You must assign all activities to an activity category.
Prerequisites
Activity types must have been maintained in Customizing under Risk Management → Master Data Setup.
Features
For each activity, you can do the following:
Specify the activity category and validity period, as well as enter relevant constraints and assumptions for the activity.
Assign users/roles responsible for processing the activity.
Link the corresponding risks and opportunities identified for that activity.
Display any surveys to be executed for the activity.
Display and print out a PDF fact sheet with relevant activity information.
Note
Activities are time-dependent objects. If the valid-to date has elapsed, you do not see these activities in the corresponding list, since they have expired.
However, you can still evaluate them in reporting.
More Information
Creating Activity Categories
Creating an Activity
Activity Hierarchy
1.4.4.2.6.1 Creating an Activity

Since any activity can be risk-related, you must define activities that are meaningful to your organization in the activity hierarchy to be used for Risk
Management.
Prerequisites
Activity types must be maintained in GRC Customizing under Risk Management → Master Data Setup.
Procedure
To create an activity, proceed as follows:
1. Go to Assessments → Risk Assessments → Activities.
2. In the subscreen that opens, choose Create. The Create New Activity dialog box opens.
3. Under the General tab, you maintain the following activity data:
Activity name and description
Organizational unit of the activity
Activity category to which the activity is to be assigned
Valid-from and valid-to dates
If necessary, enter any constraints and assumptions in user-defined text format.
4. Before proceeding, save the activity data with the Save Draft pushbutton.
5. In the Roles tab, you next enter the roles to be used in Risk Management when users are working with activities. For more information on assigning roles to
activities see Assigning Roles to Activities.
6. In the Risks and Opportunities tab, enter the risks and/or opportunities for this activity, and if necessary, attach any files or links to it. For more information
about risks, see Creating a Risk.
7. Under the Surveys tab, you can view the surveys that exist for this activity. However, when you are creating a new activity or risk, a created survey will
not be visible in the Surveys tab until after you create a plan in the Planner and have sent out the surveys. For more information about surveys, see
Surveys.
8. In the Issues tab, you can create issues relating to the activity. For more information, see Identifying, Creating, and Assigning Issues.
9. When you are finished, save the activity.
Note
To see the activity in graphical form, choose the Switch to Graphical View pushbutton. By clicking the Print Fact Sheet pushbutton, you can also generate
a PDF called Activity Fact Sheet, which contains all risk information relevant to this activity.
More Information
For more information about activity categories, see Activity Hierarchy.
1.4.4.2.6.2 Activity Validation Workflow

The activity validation workflow is carried out using the Planner function of Risk Management. The activity owner is the user who triggers this workflow.
The term validation refers to another user verifying that the details of an activity have been entered accurately.
Prerequisites
The following prerequisites apply:
An activity must exist.
Users must have the authorization to use the Planner.
Workflow enabling must be maintained.
Features
Workflow processing for activities is carried out as follows:
1. Access the Planner by going to: Assessments work center → Assessment Planning → Planner.
2. Choose the Create button to access the guided procedure for creating a plan for performing activity validation.
3. In Step 1, Enter Plan Details, enter the mandatory data: plan name, activity, and the start and finish dates. Then choose Next.
4. In Step 2, Select Organizations, select the organization, and choose Next.
5. In Step 3, Perform Selection, specify whether you want to create a plan for all activities or only specific ones. You can also select by activity attributes.
6. In Step 4, Review, check to see that the selection you made is correct. The Show Detail button gives you a list of the activities and their owners.
7. Now choose the Activate Plan button. If you select Finish, the window closes and your activity is included in the list of activities. Alternatively, you can
create a new plan from this window.
More Information
For more information about the Planner, see Risk Management Planner.
1.4.4.2.7 Working with Contexts

Contexts in Risk Management enable you to store data from other networked applications, such as those in the SAP Business Suite. This data is then used to
carry out assessments in Risk Management, and to link SAP Web Services for use with Risk Management.
The context of a risk describes the environment in which a risk can occur. The environment can be, for example, a business area of an organization. In this way,
you can group risks according to the context in which they are found. The same applies to an opportunity.
A context is made up of dimensions and their corresponding values. When you select a dimension, you more closely define the environment or context of the
risk. A risk can, for example, occur at a functional location of a plant. You use the dimension values to more closely define the functional location that is being
referred to.
The focus is on integration with the following areas:
SAP Enterprise Asset Management (EAM)
SAP Environment, Health & Safety Management (EH&S)
SAP Management of Change (MOC)
Supply Chain Management (SCM)
You can also use contexts to define your own customer-specific content. The following areas contain Context tabs that you can use to enter context data. Note that
in some of these areas, the tab is called Allowed Dimensions.
Risks, risk templates, risk categories
Opportunities, opportunity templates, opportunity categories
Responses, response templates, enhancement plans
Risk Management reporting, where context dimensions can be used as reporting filters.
Prerequisites
Dimensions and contexts must be maintained in Customizing in the Master Data Setup section.
Procedure
To define context information for a risk, proceed as follows:
1. Open the risk and choose the Context tab.
2. From the dropdown options of the first column, select one or more dimensions.
3. Select a Context Value Text from the dropdown options of the second column. You can add up to 1000 Context Values in the Context tab.
Note
If you have personalized the columns using the Settings pushbutton, the Context Value is displayed in the third column.
4. Save the risk. The Risk Management system is now linked via RFC with the dimension objects you have selected.
Note
To see whether any dimension texts were changed manually, choose the Check pushbutton. You receive an error message for each line in which the
dimension value is incorrect. You can select a correct one from the corresponding dropdown options.
5. If you want to print out the list, use the Print Version pushbutton. Note that the RFC connection must be active in this case.
More Information
For more information on how to work with contexts, see the following areas of Risk Management:
Classifying Risks, Opportunities, and Responses
Creating a Risk
Creating a Response or Enhancement Plan
Example
One dimension selected from the context list is the system object Plant. The context value for it is 0001, referring to the ID of the plant selected. The context
value text is displayed in the corresponding column as Plant 0001.
1.4.4.2.8 Creating an Issue for a Risk, Opportunity, or Response

For every risk, you can create one or several ad hoc issues in the Issues tab of the risk, opportunity, or response screen. These issues are then displayed in
the corresponding tab of the risk screen.
Prerequisites
The Customizing activity Enable Ad Hoc Issues by Object Type, under Governance, Risk and Compliance → Common Component Settings → Ad
Hoc Issues, must be carried out.
The two organizational RM Customizing activities, Set Up Response Notification Recipient for Issue and Set Up Issue Response Notification Text, under
Governance, Risk and Compliance → Risk Management → Response and Enhancement Plan → Responses for Issues, must be carried out.
Procedure
Proceed as follows:
1. Go to Assessments → Risk Assessments and select either Risks and Opportunities or Responses and Enhancement Plans. Click on the
name of the risk, opportunity, or response, and then choose the Issues tab.
2. In the Issues screen, choose Create. You are led to the issue creation screen. Here, enter the name, priority, and description of the issue. Add a
regulation in the corresponding tab if necessary, and submit the issue.
3. Choose Close. You return to the Risk or Response screen.
4. To see the updated issue list in the Issues tab of the Risk screen, choose the Refresh List pushbutton.
5. Save the risk or response.
6. If you are in the Response screen, call the Regulations tab to add any regulations from Process Control that are relevant to this issue.
Note
After you create an issue for a response, a work item is sent to the issue processor. When the issue processor closes the issue, it receives the status
Closed and the response completeness is updated in the response screen.
The rule for completeness calculation is:
(Number of closed issues for the response / number of all issues for the response) * 100
7. On the General tab, a checkbox called On Issue Status Change is displayed in the Notification section. If you want an e-mail notification to be sent out
when response completeness reaches 100%, based on the issue status involved, set this indicator.
Note
If you set this indicator, the issue is processed independently of the response and receives the status Closed.
8. Submit the issue or save it as a draft.
9. If you want the notification to be sent out, set the indicator in the checkbox and save the response.
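The completeness rule and the On Issue Status Change notification described above, modelled as an added example (not SAP code). Issue status names, the Response and Issue objects, and the handling of a response with no issues (where the page gives no rule) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Issue:
    """Ad hoc issue on a response; status names are assumed ("Open"/"Closed")."""
    name: str
    status: str = "Open"


@dataclass
class Response:
    """Risk response with its issues and the On Issue Status Change indicator."""
    name: str
    issues: List[Issue] = field(default_factory=list)
    notify_on_issue_status_change: bool = False


def completeness(response: Response) -> Optional[float]:
    """Page rule: (closed issues / all issues) * 100.
    Assumption: a response without issues has no issue-based completeness,
    so None is returned instead of dividing by zero."""
    total = len(response.issues)
    if total == 0:
        return None
    closed = sum(1 for issue in response.issues if issue.status == "Closed")
    return closed * 100 / total


def close_issue(response: Response, issue_name: str) -> Tuple[float, bool]:
    """Issue processor closes one issue.
    Returns the recalculated completeness and whether the e-mail notification
    fires: only when the indicator is set and this status change is the one
    that brings completeness to 100% (assumed: no repeat notification once at 100%)."""
    before = completeness(response)
    for issue in response.issues:
        if issue.name == issue_name:
            issue.status = "Closed"
            break
    else:
        raise KeyError(f"no issue named {issue_name!r} on response {response.name!r}")
    after = completeness(response)
    notify = (response.notify_on_issue_status_change
              and after == 100 and before != 100)
    return after, notify


# Constructed sample: one response with three open issues and the indicator set.
def sample_response() -> Response:
    return Response("Boiler inspection response",
                    [Issue("I-1"), Issue("I-2"), Issue("I-3")],
                    notify_on_issue_status_change=True)
```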
More Information
Identifying, Creating, and Assigning Issues in Process Control
1.4.4.2.9 Risk Assessment Reports

In the Risk Assessment Reports section of the Risk Assessment work center, you can run various reports to review the results of your risk assessment process.
You can run separate reports to evaluate your top risks and the incidents that occurred within a specific period.
More Information
For more information about the individual reports, see Reporting and Analytics.