Performing Investigation of Issues 

Objective

After completing this lesson, you will be able to perform investigation of issues.

Introduction

Facts about the alerts:

  • The investigation process begins after detection.
  • During the investigation process, either master data or business transactions are examined to determine whether there are any irregularities or not.
  • Alerts, which are either created during detection or created manually, represent issues and are the central work objects for investigators.
  • Alerts store the results of the detection and are used by investigators to confirm their findings, whether the alert turns out to be a false alarm or a confirmed issue.
  • The Manage Alerts app is used to display, create, assign, and complete alerts.
  • In the address screening scenario, the Process Address Screening Hits app can be used to perform a quick investigation of address hits and close false positives.
  • When an investigator sets their decision, the system checks if an additional approval step is required (Approval Request Process).

The following diagram illustrates the alert investigation process in the SAP BIS solution, including the Fiori apps used in each process step:

Processor assignment

Newly created alerts must be assigned to a processor, who will perform the investigation.

The following two scenarios are supported: 

  1. Assignment using Manage Alerts app 
  2. Assignment using Process Address Screening Hits app 

The first scenario can be used for any alert in SAP BIS solution.

The second scenario can only be used for alerts generated by the address screening method.

In both scenarios, the alert can be assigned to the processor themselves or to another person (only users with investigator roles defined in customizing can be selected).

Note

Alternatively, an automated processor assignment based on custom logic can be implemented via BAdI FRA_BADI_ALERT_MODIFY.

Review address hit

Processing of address screening alerts can be split into two phases:

  • Review the address screening hit 
  • Perform investigation of confirmed hits 

Note

This scenario is usually implemented by large companies, where the initial review of hits is performed by the outsourced teams in a shared service center and the compliance team is only responsible for the investigation of confirmed hits. 

In this case the review of the address hit is performed in the Process Address Screening Hits app. 

The processor reviews the hit. For a true match, the Hit switch is set to "Yes"; otherwise it should be "No" (the default value for all hits with scope less than 100%). The processor then submits the alert using the Submit button.

False positive alerts (the Hit switch set to "No") are closed automatically.

Confirmed alerts (the Hit switch set to "Yes") are forwarded to the compliance team for investigation.

Closed alerts will remain in the system for auditability and reporting purposes. 

Note

Please note that the team responsible for processing the submitted confirmed hits must be maintained in the Manage User Groups Screening app, and only users who have the role maintained in customizing can be assigned as processors.

Submitted alerts appear in the Open Screening Alerts app for all members of the group and need to be claimed and processed.

The link navigates to the alerts in the Manage Alerts app.

Perform investigation

Investigation of alerts is performed in the Manage Alerts app. 

All detection scenarios available in SAP BIS solution are supported by this app. 

Key Features

  • Display a list of all the alerts in the system 
  • Access the alert details 
  • Link directly to other colleagues via your phone or email application
  • Create alerts manually 
  • Assign alerts to yourself or other investigators, or reset the assignment 
  • Complete alerts 
  • Export the list to a spreadsheet 
  • Save your filter and table settings as a tile on your home screen 

Alerts can be automatically assigned a risk rating based on the settings in the detection strategy. This helps to prioritize the processing of alerts (for example, hits against sanction lists might have a higher risk than an alert indicating missing tax information in the business partner master data).

See the table below for information about all available alert attributes and related configuration options.

Name / Description

Alert

The alert ID. If you click on this ID number, the alert details will be displayed.

Risk Rating

A 5-star rating; like product ratings in an online store. The higher the risk factor, the higher the rating.

The risk rating of an alert is its risk factor percentage scaled to interval [0 – 5]. For example, if the risk factor percentage is 60%, then the rating is 3-stars.

See the customizing activity Define Investigation Settings, field Max. Risk Factor, to see how the risk factor percentage is calculated.

Person Responsible

The name of the person who has been assigned to the alert.

Note: If you click on the row of this column, a dialog box will be displayed showing the contact details. If it has been defined in the back-end system, you can directly link to the person's phone number or send them an email.

Due Date

The date when the alert must be processed.

Alert Lifecycle

The status of the alert, such as Not started, In process, or Completed.

Investigation Reason

Specifies the motivation behind the detection strategy used to create the alert. The investigation reason also assigns an alert to a particular solution, such as SAP Business Integrity Screening or SAP Business Partner Screening.

For more information, see customizing activity Define Investigation Reasons.

Investigation Object Type

Indicates the type of customer data that is evaluated.

ID1 – ID15

These are the key fields of the investigation object, which are defined in customizing activity Maintain Investigation and Detection Object Types.

Note: If you use the filter, and select a single investigation object type, then the generic column name will dynamically change to the specific key field as defined in Customizing. In this case, the column Investigation Object Type will disappear.

Alert Group

A classification for the way in which investigation is distributed, from a reporting perspective. The entries are maintained in customizing activity Define Alert Group.

Risk Factor

The calculation for the risk factor is the risk score divided by the threshold.

Example: If the risk score is 7 and the threshold is 2, the alert’s risk factor is 3.5 because 7 ⁄ 2 = 3.5.

Risk Value

The sum of all the alert item risk values, which are individually calculated based on the detection method values and the detection strategy used. The calculation may be based on the average value, maximum value, or the total sum.

Access Group

Used to determine whether a user has the authority to display or change an alert.

In SAP Business Integrity Screening, define this in the Data Enrichment Fields in customizing activity Maintain Investigation and Detection Object Types.

Actual Loss

In the loss-based approach to evaluating fraud, this would be the amount of money at stake.

Additional Date

An additional date that you can assign to the investigation object.

In SAP Business Integrity Screening, define the Data Enrichment Fields in customizing activity Maintain Investigation and Detection Object Types.

Additional ID 1 – Additional ID 4

An additional identifier for the investigation object.

In SAP Business Integrity Screening, define the Data Enrichment Fields in customizing activity Maintain Investigation and Detection Object Types.

Alert Category

Used to classify alerts according to their type of fraud or compliance problem.

This field is defined in customizing activity Define Alert Category.

Alert Program

Application data that is used to classify alerts when they are created during mass detection.

Business System

Identifies the source system of alerts from the investigation object types that have been marked in Customizing as cross-source business objects.

Once the business system is defined in customizing activity Define a Business System, you can mark it as a key field for the investigation object type in customizing activity Maintain Investigation and Detection Object Types.

Creation Mode

Indicates whether the alert was created manually or through a detection strategy.

Created On

The date and time the alert was created.

Created By

The name of the person who created the alert.

Evaluation Type

Defines the way the financial impact of an alert is calculated; either from a win-based perspective or a loss-based perspective.

The evaluation type is defined in customizing activity Define Investigation Settings (column Evaluation Type).

Financial Outcome

This is used in the win-based approach to evaluating the alerts.

Finding

The completion status of an alert; the values can be Confirmed, False Alarm, and Closed Without Investigation.

Fraud Division

A grouping of the type of fraud, by region or by line of business.

Note: This field is only displayed if it has been defined in customizing activity Define Fraud Division.

Last Changed On

The date and time the alert was last changed.

Last Changed By

The name of the person who last changed the alert.

Opportunity Cost

In the loss-based approach to evaluating fraud, this would be the cost of the investigation.

Phase

Represents the processing stages of the alert. Phase can be defined in the customizing activity Define Processing Phases of Alerts. Multiple phases can be configured and automatically assigned based on the investigation phase (initial processing, investigation, etc.).

Risk Factor Percentage

The risk rating expressed in terms of percent.

See the customizing activity Define Investigation Settings, field Max. Risk Factor, to see how the risk factor percentage is calculated.

Risk Score

The risk score is calculated in the detection strategy; the results of the detection method are multiplied with the weighting factor and added together to calculate the risk score.

Solution

The product the alert is associated with; either SAP Business Integrity Screening or SAP Business Partner Screening.

Transfer ID

Identifier set by the transferring system.

Transfer Status

This indicates whether the alert has been transferred to an external case management system.

To start the investigation, click on the alert number from the list. 

The alert details screen contains the following areas: 

  • Header 
  • Address Screening Hits 
  • Info 
  • Detection  
  • Documentation 
  • Activity 
  • Tasks 
  • Network Analysis 
  • Decision 

The order and visibility of tabs can be controlled in the customizing activity Assign Alert Sections to Investigation Object Types.

Attributes of the investigation objects which are displayed in the header (Additional IDs 1 to 4) can be set up in the customizing activity Maintain Investigation and Detection Object Types.

Navigation targets to be used in the Go To button can be assigned in the customizing activities Assign Navigation Targets to Navigation Groups.

Header

In the alert header you see information about the investigation object as well as the following buttons: 

Name / Functionality / Comment

Set in process
Functionality: Sets alert in status "In process"
Comment: New alerts are automatically set in process when assigned to a processor

Reopen
Functionality: Reopens closed alerts
Comment: Not automatically set in process, use the "Set in process" button

Assign
Functionality: Assign a processor to the alert

Edit
Functionality: Used to maintain additional attributes:

  • Phase
  • Fraud Division
  • Alert Category
  • Alert Group

Comment: See table above for information about specific alert attributes

Action
Functionality: Transfers the alert to an external system

Go To
Functionality: Display links for navigation to an external system

Address Screening Hits Section 

On this screen you see the list of address screening hits, reviewed and submitted by the shared service center team from the Process Address Screening Hits app. 

The decision and comments from the previous processor are displayed for every hit.  

Information about the list entity as provided by the data provider can be displayed by clicking on the hit entry. 

Info Section 

This section displays alert attributes (see table above for details of alert attributes).

Detection Section 

The Detection section of the alert details displays the detection results that caused the alert to be created. You can also display the detection strategy and the detection methods that triggered the alert. 

Detection means trying to identify suspicious activities as quickly as possible to avoid any loss or damage. Detection starts when the event has already occurred. 

Detection is based on detection strategies that contain the detection methods that are used to evaluate the risk of irregularities and their respective weight. The thresholds that are defined in the detection strategy are used to qualify the risk. When you set up a detection strategy, you assign a set of detection methods to the strategy. The detection method contains the business logic used to determine if an incident, such as a claim, tax declaration, or a bank transfer, is suspicious.

The following information is available in this section: 

  • Alert Item

A numerical list of each item detected in the alert. If two or more detection strategies have raised alerts for the same detection object, then you will see multiple alert items, one for each detection strategy. 

  • Detection Object

Click the name to see the details of the detection object (the document that was checked by the detection strategy) behind the alert. 

  • Detection Strategy Execution  

Click the name of the detection strategy to see its details and to open the strategy in related apps. For example, you can open Detection Run to see the details of the run in which the alert was created. You can also check the definition of the detection strategy or see when the detection strategy is selected to run in the Detection Strategy Determination app. If the detection strategy was executed multiple times, click on the expand button to see the details. 

  • Risk Score

This shows the risk score that was calculated in the detection strategy; the results of the detection method are multiplied with the weighting factor and added together to calculate the risk score. 

  • Threshold

This shows the threshold that was defined in the detection strategy; the threshold sets the trigger for raising an alert. If the sum of the scores of the detection methods exceeds the threshold, then the detection strategy creates an alert item for the detection object. 

  • Risk Value

This shows the sum of all the alert item risk values, which are individually calculated based on the detection method values and the detection strategy used. The calculation may be based on the average value, maximum value, or the total sum. 

  • Detection Methods

Hint

Click the message in the Detection Methods column to see the detailed message returned by each detection method. These messages, in the Detection Method Details screen, explain the problems that were found and which triggered the alert. 

Click the name of a method in Detection Method Details to open the method definition.

You may experience a slight delay before the Detection section is updated, when you switch from one alert in Manage Alerts to another alert. You may briefly see the detection information of the last alert that you looked at before the screen is refreshed with the detection information of the new alert. 

In case of multiple alert items, the Decide button can be used to directly navigate to the decision section of the alert for a final decision. 
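The scoring rules described in this section, worked through as an added example (not SAP code and not part of the original lesson). The strategy and method names, the sample values, and the way Max. Risk Factor turns the risk factor into a percentage (a capped ratio) are assumptions for illustration; the lesson defers that calculation to Customizing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MethodResult:
    method: str     # hypothetical detection method name
    result: float   # value returned by the detection method
    weight: float   # weighting factor assigned in the strategy

@dataclass(frozen=True)
class Strategy:
    name: str       # hypothetical detection strategy name
    threshold: float
    results: tuple  # MethodResult entries for one detection object

def risk_score(results):
    """Method results multiplied by their weighting factors, then summed."""
    return sum(r.result * r.weight for r in results)

def star_rating(risk_factor_pct):
    """Risk factor percentage scaled to the interval [0, 5]."""
    return risk_factor_pct * 5 / 100

def alert_item(strategy, max_risk_factor):
    """Return an alert item, or None when the score does not exceed the threshold."""
    if strategy.threshold <= 0 or max_risk_factor <= 0:
        raise ValueError("threshold and max_risk_factor must be positive")
    score = risk_score(strategy.results)
    if score <= strategy.threshold:
        return None  # an alert item is raised only when the threshold is exceeded
    factor = score / strategy.threshold  # risk factor = risk score / threshold
    # ASSUMPTION: percentage is the factor relative to Max. Risk Factor, capped at 100.
    pct = min(100.0, 100.0 * factor / max_risk_factor)
    return {"strategy": strategy.name, "risk_score": score,
            "threshold": strategy.threshold, "risk_factor": factor,
            "risk_factor_pct": pct, "stars": star_rating(pct)}

def build_alert(strategies, max_risk_factor=5.0):
    """One alert item per strategy that fired for the same detection object."""
    items = (alert_item(s, max_risk_factor) for s in strategies)
    return [item for item in items if item is not None]

# Constructed sample data: two strategies evaluated against one detection object.
SAMPLE = (
    Strategy("STRAT_SANCTIONS", 2.0, (MethodResult("name_match", 1.0, 4.0),
                                      MethodResult("country_match", 1.0, 3.0))),
    Strategy("STRAT_TAX_DATA", 3.0, (MethodResult("missing_tax_id", 1.0, 2.0),)),
)

if __name__ == "__main__":
    for item in build_alert(SAMPLE):
        print(item)
```

The first strategy reproduces the lesson's figures (risk score 7, threshold 2, risk factor 3.5); the second stays below its threshold and contributes no alert item.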

Documentation Section 

The Documentation section displays a list of items relating to an alert, such as notes, action items, or any files that have been uploaded by the investigator. 

To make any changes or entries in the Documentation section, the alert must be assigned to you and have the status In Process. 

Uploading files and creating documents: You can upload files that are associated with an alert, create notes, create tasks, and edit or delete any existing documents. 

Creating hierarchies: Note that all entries made here can be created as top-level entries, or you can insert documents (notes, tasks, files) under each other to create hierarchies. Mark an entry to insert another entry under it, or mark an empty row to create a top-level document. You can rearrange documents and hierarchies by dragging and dropping entries or by using the Cut and Paste buttons above the list of documents.

Activity Section 

The Activity section provides complete logging of the actions taken within Manage Alerts with respect to an alert. 

With this logging, you can determine exactly what happened during the investigation of an alert and which users were responsible for the actions that were taken. You can answer questions such as:

  • What changes in alert status occurred? 
  • What documents, action items, and notes were added to, changed, or deleted during the investigation of an alert? 
  • What decisions were taken with respect to alert items or address screening hits? 
  • Which users participated in the investigation of the alert? 

Network Analysis Section 

The Network Analysis displays the relationships of the entities associated with an alert, for example, the related business objects and partners. 

The data can be rendered as a graph, consisting of nodes (depicted by icons) that are connected by edges (depicted by lines) or in a table. 

Graph visualization fosters insights into the relationships between objects and persons and can help, for example, in unveiling criminal networks of people covering each other's fraudulent actions. What is displayed as nodes and edges depends on the Customizing settings for the Network Analysis and is not limited to the common business-objects to business-partners scenario. 

Decision Section 

The investigation process for every alert must be completed with a decision.

The final decision has to be documented using the Complete button. 

Investigators must enter a Summary, Finding, and Reason for each item of the alert in order to complete their investigation and close the alert. That is, if any of the alert items are not completed, the alert status will remain In Process.

The reasons for completing an alert and the values for the findings are defined in Customizing activity Define Reasons for Closing Alerts.

When an investigator sets the decision, the system checks if an additional approval step is required (as defined in the Customizing activity Define Start Conditions). 

If approval is required, the alert cannot be closed directly; instead, the approval request must be sent using the Request Approval button.

Depending on the settings, the approvers can be selected using the Approver field, or determined automatically, using the group settings defined in the Manage User Groups Approvals app. 

Alerts submitted for approval remain in status "In Process" and approval status "Pending".

An approval request can be canceled using the Cancel Approval button.

The approval request log can be displayed by clicking on the "Pending" status: 

The status of the request can be monitored using the Investigation Overview app. 

The list of approved items is displayed on the card My Approved Alert Items.

By clicking on the approved item, you can directly navigate to the alert, review the decision and click on the Save button to complete the alert processing. 

Note

Please note that the alert is set to status completed only after the responsible investigator has confirmed the approval by clicking on the Save button. Otherwise, the alert remains in status "In Progress".

A rejected approval request keeps the alert in status "In Progress" so that the investigator can make the required adjustments and submit the approval request again.

The status can be reviewed by clicking on the "Rejected" approval status. 

Review and Approval

The approval requests have to be processed in the My Approvals app. 

The approver sees the list of approval requests, submitted either directly or via the group.

The approver can directly navigate to the alert using the link in the approval request to review the decision, uploaded documents, etc. 

After the review, the request can be approved or rejected using the Approve or Reject buttons. 

In case of rejection, a decision note must be provided.