Perform Risk Analysis Using a Point-Based Scoring Method for Probability and Impact

  • by Kehinde Eseyin, Security Architect
  • June 12, 2014
A risk is basically any event that can prevent executive management from meeting the defined business goals of an organization. Learn how to perform risk analysis using a simplified score-based concept that involves numeric-centric evaluation.
Learning Objectives

Reading this article you will learn how to:

  • Perform appropriate configuration settings for risk scoring
  • Define appropriate values for the analysis profile
  • Perform risk analysis using the scoring method
Key Concept

Risk management is the identification, analysis, and prioritization of risks followed by the optimal use of resources to minimize, monitor, and control the probability and impact of unfortunate events or to maximize the realization of opportunities. Conventionally, risk analysis can be performed using qualitative and quantitative methods; however, SAP Risk Management supports a third approach called risk scoring that uses a point-based system for risk analysis driven by a nonmonetary values-based risk assessment concept.

Risk management involves a number of activities. These activities include risk planning, risk identification, risk analysis, risk response, and risk monitoring. I focus on the risk analysis phase of a comprehensive risk management process. Risk analysis is an important concept and an integral part of risk management. SAP Risk Management is a system designed to perform documented and coordinated risk analysis.

The following risk analysis methods are supported:

  • Quantitative: This approach relies on monetary values and percentage of probability for risk analysis. The analysis results include the expected loss, total impact, and risk level, all of which are based on the total loss and probability values.
  • Qualitative: This approach relies on descriptive categories for impact and likelihood. The result of the analysis is a qualitative view of the risk level, such as high, medium, and low.
  • Scoring: This approach uses a point-scoring system to drive risk assessment. This analysis method allows you to enter impacts and probability as numeric values.

It is commonplace to see enterprises using quantitative and qualitative approaches for risk analysis; however, these options require relatively good knowledge of risk assessment and analysis concepts. SAP is conscious of this fact and thus introduced a simplified alternative, a risk-scoring approach that is based on using a scoring system. The risk-scoring method allows you to perform risk assessment using a point-based system and not using monetary values. It is possible to use this risk-scoring approach in conjunction with quantitative and qualitative approaches. However, I do not discuss the combined use case in this article.

Risk analysis and risk management are becoming increasingly challenging because of complex operations, and the audit and compliance environment in which business organizations operate. These challenges make finding the best approach for performing risk assessment paramount for organizations, especially when monetary figures are not considered.

Because I cover only the risk-scoring approach to performing risk analysis, I review the basic configuration activities required to use the risk-scoring analysis method productively in the SAP Risk Management system. The output of risk analysis is greatly influenced by the related customization settings. Therefore, impacts and analysis data are some of the customizing activities that must be predefined before you can analyze a risk successfully in the system. I also demonstrate how to perform risk analysis using the risk-scoring approach with a simple business case. I cover the following topics:

  • Maintain impact categories
  • Maintain probability and maximum scores
  • Maintain impact levels
  • Maintain probability levels
  • Maintain analysis profiles
  • A business example of risk analysis using the risk-scoring method
  • A review of audit change logs and analysis history reports

I also discuss two additional points to consider when using the risk-scoring approach for risk analysis:

  • Decimal places representation of scores
  • Dependency of an impact category on risk analysis
This article applies to SAP Risk Management 10.0 and 10.1. However, the steps and screen prints in this article are based on SAP Risk Management 10.1.

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.