Start Your Enterprise Risk Management Process with Diligent Risk Planning

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • October 18, 2010
More and more, companies are recognizing the relevance of solid risk management to protect themselves from diverse threats and increase the success rate of their strategies and initiatives. The enterprise risk management (ERM) process can be divided into five phases: risk planning, risk identification, risk analysis, risk response allocation, and risk monitoring. Learn how SAP BusinessObjects Risk Management 3.0 covers the risk planning phase, and how to set up the required master data structures to provide a solid framework for your ERM process.
Key Concept
During the risk planning phase, all relevant master data that will later provide the context to classify, locate, aggregate, and monitor risks is set up. Risk planning begins with the identification of strategic objectives and their alignment with organizational entities. The next step is to ensure that appropriate risk appetite and threshold levels for your different business units are documented. Risks can be of different types and require a risk classification system to match your risk taxonomy. A critical but often overlooked part of the planning is to identify the types of business activities (e.g., business processes, products, services, assets, and projects) that are relevant for the risk management program and define a classification schema for them as well.

Consider the fundamentals of the data model of SAP BusinessObjects Risk Management 3.0. A risk is always defined in the context of an organizational entity (Figure 1). In addition, you can optionally link a risk to one of the strategic objectives or activities tied to that entity. You can define types of activities via IMG menu path GRC Risk Management > Master Data Setup > Maintain Activity Types. Common activity types include business processes, projects, products, or other planning objects you’d like to include in your risk management. Activities are always defined in the context of a specific organizational entity, whereas you can assign the same strategic objective to multiple organizations. However, the use of activities and strategic objectives in SAP BusinessObjects Risk Management 3.0 is optional and depends on the requirements and maturity of your enterprise regarding risk management.



Figure 1
The core of the data model from a risk-centric perspective

One example could be the risk of being non-FDA compliant in one of your manufacturing units (i.e., the organization) in the production process of a new product (i.e., the activity), which also threatens your strategic objective to introduce new products. This setup allows for risk monitoring by organizations, by processes (or other activities), and by objectives.
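The relationships described above can be checked mechanically before risks are loaded. The following sketch is an added example, not SAP's schema or code from the article: the class names, field names, and plant names are assumptions, and the sample data is constructed to mirror the FDA example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Activity:
    name: str
    activity_type: str   # e.g. business process, project, product
    org: str             # an activity belongs to exactly one organization

@dataclass(frozen=True)
class Objective:
    name: str
    orgs: frozenset      # the same objective may be assigned to several organizations

@dataclass(frozen=True)
class Risk:
    name: str
    org: str                               # mandatory organizational context
    activity: Optional[Activity] = None    # optional link
    objective: Optional[Objective] = None  # optional link

def validate(risk, known_orgs):
    """Return the data-model violations for one risk (empty list if consistent)."""
    errors = []
    if risk.org not in known_orgs:
        errors.append(f"{risk.name}: unknown organization {risk.org!r}")
    if risk.activity and risk.activity.org != risk.org:
        errors.append(f"{risk.name}: activity {risk.activity.name!r} belongs to {risk.activity.org!r}")
    if risk.objective and risk.org not in risk.objective.orgs:
        errors.append(f"{risk.name}: objective {risk.objective.name!r} is not assigned to {risk.org!r}")
    return errors

def monitor(risks):
    """Group risk names by organization, by activity, and by objective."""
    views = {"organization": defaultdict(list), "activity": defaultdict(list), "objective": defaultdict(list)}
    for r in risks:
        views["organization"][r.org].append(r.name)
        if r.activity:
            views["activity"][r.activity.name].append(r.name)
        if r.objective:
            views["objective"][r.objective.name].append(r.name)
    return {dim: dict(groups) for dim, groups in views.items()}

# Constructed sample data (hypothetical plants) mirroring the FDA example.
ORGS = {"Plant Hamburg", "Plant Lyon"}
new_products = Objective("Introduce new products", frozenset(ORGS))
production = Activity("Production of new product", "Business process", "Plant Hamburg")
fda = Risk("FDA non-compliance", "Plant Hamburg", production, new_products)
misfiled = Risk("Supplier outage", "Plant Lyon", production)  # activity from another org
```

`validate(misfiled, ORGS)` reports the cross-organization activity link, while `monitor([fda])` lists the FDA risk under all three views.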

Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
