5 Steps to Accept or Reject Residual Risks

  • by Judith M. Myerson , Systems Engineer and Architect/Owner
  • September 15, 2009
Follow a five-step process in SAP BusinessObjects Risk Management for evaluating risks that remain in your system and may threaten your compliance with major regulations.

Residual risks remain after you apply security controls to mitigate them (or after you transfer or avoid them). One residual example is the lack of a disaster recovery plan. If not in place, then the company runs the risk of incurring significant expenses to replace data lost in a disaster. If a residual risk is considered too high, you may want to increase beneficial outcomes by modifying the likelihood of the risk or sharing the risks with other parties that can provide cost-effective security controls.

Some residual risks cannot be accepted or retained due to strict compliance data requirements such as those for Sarbanes-Oxley, Basel II, and eXtensible Business Reporting Language (XBRL). Residual risks acceptable for one regulation may not be acceptable for another, so financial executives could still face heavy financial penalties for noncompliance.

You can either accept or reject residual risks based on the information in the reports that SAP BusinessObjects Risk Management generates. You can get those reports from the Reporting and Analytics work center. This work center provides access to risk management reports on the basis of different risk criteria (e.g., risks and incidents) and various overview and auditing reports. It is one of SAP BusinessObjects Risk Management’s six work centers, in which you can carry out all risk management activities.

You need to implement SAP BusinessObjects Risk Management, which you could customize to enable you to carryout the necessary configuration activities and describe the administrative functions to run the application. For the graphical representation of risks, activities, and scenarios, you must install Java Runtime (JRE 6, Update 13 or higher) on your front-end system. For more information, go to www.java.sun.com/javase/downloads/index.jsp. The reports generated may or may not be free depending on copyright issues.

Follow these five steps to determine whether your residual risks are acceptable or not.

Judith M. Myerson

Judith M. Myerson is a systems architect and engineer and an SAP consultant. She is the author of the Enterprise System Integration, Second Edition, handbook, RFID in the Supply Chain: A Guide to Selection and Implementation, and several articles on enterprise-wide systems, database technologies, application development, SAP, RFID technologies, project management, risk management, and GRC.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.