Identify Your Key Business Risks in a Collaborative Process Involving All Stakeholders in Your Enterprise

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • November 19, 2010
Learn about the second phase in the enterprise risk management (ERM) process, risk identification. The knowledge about your business risks is spread across your organization and lines of business. A collaborative approach is required to identify and document all risks threatening your enterprise involving many different stakeholders. Discover how SAP BusinessObjects Risk Management 3.0 provides your risk managers with the means to document all key aspects of a risk and reach out to all relevant stakeholders via workflow-driven surveys to collect important information about your risks. Examine how any of your employees can propose a new risk in a self-service scenario for further investigation by your risk managers.
Key Concept
The documentation of a new risk in SAP BusinessObjects Risk Management 3.0 includes the drivers (i.e., root causes) and impacts (i.e., consequences) a risk event can have. Drivers and impacts are grouped in categories as part of the risk classification system. Once the risk drivers are identified, forward-looking key risk indicators (KRIs) need to be aligned with the drivers. The KRIs continuously monitor operational systems (both SAP and non-SAP) and raise alerts or trigger risk assessments before the risk occurs. As risks do not occur in silos, you also need to examine how risks influence each other across organizational boundaries in terms of the probability and impact of a risk event. Finally, for reporting and consolidation purposes, the application allows you to relate a risk to a number of underlying similar risks.

Within the data model of SAP BusinessObjects Risk Management 3.0, risks are created locally in the context of a selected organization within the organizational hierarchy. Optionally, you can relate a risk on a more granular level to a business activity or strategic objective assigned to the selected organization for more detailed risk monitoring and reporting. A risk itself is described by the drivers and impacts of a risk event (Figure 1). Drivers are root causes of the occurrence of a risk event. They are grouped in driver categories that you can maintain by following IMG menu path GRC Risk Management > Risk and Opportunity Attributes > Maintain Driver Categories. You can align drivers with forward-looking key risk indicators (KRIs), which monitor the risk environment for changes that make the risk event more likely to occur and raise early alerts or trigger risk assessments.

Figure 1
Example bow-tie diagram for the environmental non-compliance risk

You can group impacts of a risk event in impact categories by following IMG menu path GRC Risk Management > Risk and Opportunity Attributes > Maintain Impact Categories. The impacts may influence some of the key performance indicators (KPIs) you’re using to measure the achievement of your strategic objectives. The graphical representation of a risk — including its drivers, KRIs, impacts, influenced KPIs, and the risk responses that are assigned to the risk in the later risk response allocation phase — is called the bow-tie diagram (Figure 1). You can categorize the risk responses in preventive and recovery responses and group them in responses that reduce, avoid, transfer, accept, and control the risk.


Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.