Conduct a Workflow-Driven Risk Analysis Across Your Enterprise and Tune It to Your Business Needs
- by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
- December 22, 2010
Become acquainted with the third of the five-phase enterprise risk management (ERM) process: risk analysis. Step through the configuration to customize the risk analysis to your business needs. Learn how a risk analysis is initiated either directly by a responsible risk owner as a scheduled workflow task or by a key risk indicator (KRI) showing a violation of a predefined tolerance.
In SAP BusinessObjects Risk Management 3.0, risk owners can base a risk analysis for a given risk event on their estimates for three distinct factors: probability, impact, and speed of onset. The application converts the estimates for probability and speed of onset into a discrete probability level and computes a discrete impact level from the impact allocations for the various impact categories. The system then combines the probability level and the impact level into an overall risk level that is used to prioritize risks.
In the enterprise risk management (ERM) process, risk identification and risk analysis are considered two distinct steps. Risk identification focuses on gathering relevant risk information from all stakeholders in your enterprise in a collaborative process. It describes risk events in terms of different driver and impact categories and relates them to master data structures (e.g., organizational entities, strategic objectives, business activities, and risk categories) set up during the risk planning phase of the ERM process. Risk analysis prioritizes the identified risks in a formal process employing qualitative or quantitative methods. SAP BusinessObjects Risk Management 3.0 supports the analysis of three different types of risk measures for the same risk event:
- Inherent risk
- Residual risk
- Planned residual risk
During the analysis of the inherent risk, a risk level is derived from estimates for the probability, impact, and speed of onset of the risk event assuming that no risk responses are yet implemented to mitigate the risk. Risk responses are identified, analyzed, and implemented during the risk response phase of the ERM process. The mitigation effect of risk responses is documented, giving estimates for the probability and impact reduction of the risk event under the assumption that the response is complete and effective.
The risk level of a risk event that takes into account the mitigation effect of all assigned risk responses at their current level of completeness and effectiveness is the measure for the residual risk. The highest possible mitigation effect is achieved when all risk responses are complete and effective; the corresponding risk level measures the planned residual risk. This article focuses on methods to analyze the inherent risk.
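The following is an added example, not code from SAP or from this article, that works through the three risk measures described above (inherent, residual, and planned residual) for one constructed risk event. The level boundaries, the 5x5 probability-by-impact bands, the rule that a fast speed of onset raises the probability level by one, the use of the largest impact category as the impact level, and the multiplicative way several responses are combined are all assumptions chosen for illustration; they are not the product's actual configuration. The sample event and its two responses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: discrete probability levels 1..5 by upper bound on annual probability.
PROBABILITY_BOUNDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.01, 5)]
# Assumption: discrete impact levels 1..5 by upper bound on monetary impact.
IMPACT_BOUNDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4), (float("inf"), 5)]
# Assumption: overall risk level from the product of probability and impact level.
RISK_BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]
# Assumption: onset faster than this raises the probability level by one.
FAST_ONSET_DAYS = 30


@dataclass
class RiskResponse:
    name: str
    probability_reduction: float  # fraction of probability removed when complete and effective
    impact_reduction: float       # fraction of impact removed when complete and effective
    completeness: float = 0.0     # 0..1, current implementation status
    effectiveness: float = 0.0    # 0..1, current assessed effectiveness


@dataclass
class RiskEvent:
    name: str
    probability: float                     # annual probability estimate, 0..1
    speed_of_onset_days: float             # days from trigger to full impact
    impact_allocations: Dict[str, float]   # impact category -> monetary estimate
    responses: List[RiskResponse]


def _level(value: float, bounds) -> int:
    """Map a continuous estimate onto the first band whose upper bound exceeds it."""
    for upper, level in bounds:
        if value < upper:
            return level
    return bounds[-1][1]


def probability_level(probability: float, speed_of_onset_days: float) -> int:
    """Probability and speed of onset combined into one discrete level (assumed rule)."""
    level = _level(probability, PROBABILITY_BOUNDS)
    if speed_of_onset_days < FAST_ONSET_DAYS:
        level = min(level + 1, 5)
    return level


def impact_level(impact_allocations: Dict[str, float]) -> int:
    """Assumed rule: the dominant impact category sets the level, so one severe
    category is not diluted by several minor ones."""
    return _level(max(impact_allocations.values()), IMPACT_BOUNDS)


def risk_level(prob_level: int, imp_level: int) -> str:
    score = prob_level * imp_level
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    return RISK_BANDS[-1][1]


def analyse(event: RiskEvent, mode: str) -> Tuple[int, int, str]:
    """Return (probability level, impact level, risk level) for one of the three measures.

    inherent: no responses applied.
    residual: each response's documented reduction scaled by completeness * effectiveness.
    planned:  every response assumed complete and effective (weight 1.0).
    """
    if mode not in ("inherent", "residual", "planned"):
        raise ValueError(f"unknown mode {mode!r}")
    prob = event.probability
    impacts = dict(event.impact_allocations)
    if mode != "inherent":
        for r in event.responses:
            weight = 1.0 if mode == "planned" else r.completeness * r.effectiveness
            prob *= 1 - r.probability_reduction * weight
            impacts = {k: v * (1 - r.impact_reduction * weight) for k, v in impacts.items()}
    pl = probability_level(prob, event.speed_of_onset_days)
    il = impact_level(impacts)
    return pl, il, risk_level(pl, il)


# Constructed sample: a ransomware event with one fully implemented recovery control
# and one detection control that is only half rolled out.
SAMPLE_EVENT = RiskEvent(
    name="Ransomware outbreak in ERP landscape",
    probability=0.30,
    speed_of_onset_days=2,
    impact_allocations={"financial": 1_800_000, "reputation": 400_000, "legal": 50_000},
    responses=[
        RiskResponse("Offline backups with tested restore", 0.0, 0.6, completeness=1.0, effectiveness=0.8),
        RiskResponse("EDR rollout on ERP hosts", 0.5, 0.0, completeness=0.5, effectiveness=0.9),
    ],
)

if __name__ == "__main__":
    for mode in ("inherent", "residual", "planned"):
        print(mode, analyse(SAMPLE_EVENT, mode))
```

Running the sample shows the three measures diverging as the text describes: the inherent level is Critical, the residual level drops to High because only the backup control is complete, and the planned residual level reaches Medium once the EDR rollout is assumed complete and effective. The gap between residual and planned residual is the figure a risk owner would use to argue for finishing the rollout.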
For a high-level overview of SAP BusinessObjects Risk Management 3.0 and more details on risk planning, including master data setup and the security model, as well as risk identification, refer to my other GRC Expert