Conduct a Workflow-Driven Risk Analysis Across Your Enterprise and Tune It to Your Business Needs

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • December 22, 2010
Become acquainted with the third of the five-phase enterprise risk management (ERM) process: risk analysis. Step through the configuration to customize the risk analysis to your business needs. Learn how a risk analysis is initiated either directly by a responsible risk owner as a scheduled workflow task or by a key risk indicator (KRI) showing a violation of a predefined tolerance.
Key Concept
In SAP BusinessObjects Risk Management 3.0, risk owners can base a risk analysis for a given risk event on their estimates for three distinct factors: probability, impact, and speed of onset. The application converts the estimates for probability and speed of onset into a discrete probability level and computes a discrete impact level out of the impact allocations for various impact categories. The system then combines the probability and impact level to an overall risk level used to prioritize risks.

In the enterprise risk management (ERM) process, risk identification and risk analysis are considered two distinct steps. Risk identification focuses on gathering relevant risk information from all stakeholders in your enterprise in a collaborative process. It describes risk events in terms of different driver and impact categories and relates them to master data structures (e.g., organizational entities, strategic objectives, business activities, and risk categories) set up during the risk planning phase of the ERM process. Risk analysis is all about the prioritization of identified risks in a formal process employing qualitative or quantitative methods. SAP BusinessObjects Risk Management 3.0 supports the analysis of three different types of risk measures for the same risk event:

  • Inherent risk
  • Residual risk
  • Planned residual risk

During the analysis of the inherent risk, a risk level is derived from estimates for the probability, impact, and speed of onset of the risk event assuming that no risk responses are yet implemented to mitigate the risk. Risk responses are identified, analyzed, and implemented during the risk response phase of the ERM process. The mitigation effect of risk responses is documented, giving estimates for the probability and impact reduction of the risk event under the assumption that the response is complete and effective.

The risk level of a risk, taking into account the mitigation effect of all assigned risk responses under their current level of completeness and effectiveness, is a measure for the residual risk. The highest possible mitigation effect of all risk responses is achieved if all risk responses are complete and effective. The corresponding risk level measures the planned residual risks. This article focuses on methods to analyze the inherent risk.

For a high-level overview of SAP BusinessObjects Risk Management 3.0 and more details on risk planning, including master data setup and the security model, as well as risk identification, refer to my other GRC Expert articles.

Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.