Creating and Maintaining Organizational Hierarchy and Business Processes

Objective

After completing this lesson, you will be able to maintain organizational hierarchy and business processes.

Organizational Hierarchy and Business Processes

Figure: The end-to-end process flow for SAP Risk and Assurance Management, from creating master data and identifying risks to monitoring and reporting compliance.

Before starting the current unit, let's look at the best-practice process flow in SAP Risk and Assurance Management. The process flow consists of five key steps, which are explained in the following units.

Step 1: Creating Master Data
Every effective journey begins with a strong foundation. In this step, you will learn how to build master data that forms the structural backbone of any risk and compliance program. This includes creating an organizational hierarchy, mapping core business processes, and documenting relevant regulations and requirements. Establishing this foundation ensures clarity, consistency, and alignment throughout all future activities. The concepts and methods behind this are explored in Unit 2.
Step 2: Identifying and Assessing Risks
With the groundwork in place, the next step focuses on identifying potential risks that may impact the organization. Here, you will explore how to assess each risk by analyzing its potential impact and likelihood. Risks are then prioritized, and appropriate treatment strategies are developed to either mitigate or manage them effectively. These strategies help turn uncertainty into informed, manageable actions. You’ll gain practical skills in this process through Unit 3.
Step 3: Implementing and Testing Controls
Once risks are assessed, the next task is to design and implement controls that can prevent or reduce those risks. You will learn how to embed controls into daily operations using structured work packages and how to monitor their effectiveness. Regular evaluation ensures that controls perform as intended and comply with relevant standards. When control gaps are identified, adjustments and enhancements are made to strengthen organizational resilience. These activities are covered in detail in Unit 4.
Step 4: Managing Issues and Remediation
Despite having controls in place, issues may still arise. This step focuses on how to respond to and manage those issues. You will learn how to conduct investigations, assign responsibilities, and document findings clearly. The development and implementation of remediation plans help address root causes, while systematic documentation ensures transparency and accountability. This comprehensive approach to issue management is covered in Unit 5.
Step 5: Monitoring and Reporting
The final step involves ongoing monitoring and reporting across the organization. Using tools like SAP Risk and Assurance Management, learners will discover how to track control activities, monitor issues, and maintain visibility into manual procedures. Dashboards and reporting features help ensure continuous oversight and informed decision-making. This critical step is explored in Unit 6.

Together, these steps provide a complete, practical framework for managing risk and compliance effectively. Each unit in this journey is designed to equip you with the knowledge and tools to apply these concepts confidently in real-world scenarios.

SAP Risk and Assurance Management provides a flexible and structured approach to managing organizational hierarchies, forming the foundation for all risk-related processes. Organizations can document and maintain detailed internal structures, whether mapping business units, departments or subsidiaries. This structure ensures that all risk, control, and compliance activities are accurately aligned with the organization’s operating model.

Before you create an organizational hierarchy and business processes, SAP Risk and Assurance Management lets you customize specific settings.

Let's see what this looks like.

Organization and Process Settings:

Focusing on Organizational Unit Types Setup:
Enter an ID and Name for the unit type (for example, Org, Entity, Office, Country, Department, IT System).

Note: Once saved, the ID cannot be changed.
Importing Organizational Entities:
  • Importing entities from the backend system (SAP S/4HANA Public Cloud) is allowed for the predefined types Company Code, Profit Center, and Cost Center.
  • For further information, see "Import and Use Company Codes" on the SAP Help Portal.
Data Retention Configuration:
You can configure retention periods for:
  • Organizational Hierarchies
  • Process Catalogs
  • Organizational Units and Processes
Figure: The SAP Risk and Assurance Management app showing an organizational hierarchy structure, including hierarchy lists, status filters, and account details for streamlined governance.

Master Data: Organization

SAP Risk and Assurance Management provides a flexible and structured approach to managing organizational hierarchies, forming the foundation for all risk-related processes. Organizations can document and maintain detailed internal structures, whether mapping business units, departments, subsidiaries, or vendor catalogs. This structure ensures that all risk, control, and compliance activities are accurately aligned with the organization’s operating model.

First, you create organizational units.

In SAP Risk and Assurance Management, you define your organization using Organizational Units, which are created and classified in the Org and Process Settings tile. Each unit can represent various types, such as:

  • Organization
  • Entity
  • Office
  • Country
  • Department
  • IT System

Once your organizational units are defined, you can construct an organizational hierarchy using the Org Hierarchy tile. This hierarchy is a structured, tree-like view of the organization, formed by arranging units in parent-child relationships starting from a root node.

Each version of the hierarchy includes a validity period and one of three status options:

Draft:
The hierarchy is still being built and is not in use.
Active:
The hierarchy is finalized and in use. Structure changes (adding or removing units) are locked, though general information (name, validity) can still be edited.
Retired:
The hierarchy is no longer in use and cannot be edited. Retiring it does not impact the organizational units themselves.

These versions allow you to capture organizational changes over time, ensuring an accurate historical record.

The organizational hierarchy in SAP Risk and Assurance Management is more than just a visual representation. It provides the framework for:

  • Assigning risk ownership
  • Linking internal controls
  • Tracking audit findings
  • Generating reports

This structure ensures that all risk-related actions are contextualized within the actual business setup.

General hierarchy consumption rules

  • A hierarchy must be Active to be used in processes.
  • Once activated, the structure cannot be changed—only descriptive details like the name and validity can be updated.
  • Retired hierarchies are locked from further edits, but retiring one does not remove or alter the organizational units it contains.
  • Organizational unit validity periods can be changed at any time, even after a hierarchy is activated, while the hierarchy validity can only be modified until it is retired.

This robust and traceable design allows SAP Risk and Assurance Management to support risk and compliance efforts with precision, historical accuracy, and regulatory accountability.

If you want to read more, see "Organization Management" on the SAP Help Portal.

Let's learn how to create and maintain business processes in SAP Risk and Assurance Management.

Figure: The SAP Risk and Assurance Management app showing a process catalog interface, with lists of processes, statuses, and detailed information for selected entries.

Every robust internal control framework begins with a clear understanding of how the organization functions. Before risks can be effectively managed or controls implemented, there must be a shared, structured view of the processes that drive the business forward. Whether it’s invoicing a customer, onboarding a new employee, or approving expenses, every organizational process consists of a sequence of decisions, actions, and responsibilities. Clearly mapping and understanding these workflows fosters consistency, transparency and accountability across the enterprise.

When workflows are clearly mapped, understood, and assigned to the appropriate stakeholders, they enhance consistency, accountability, and transparency. Well-documented processes create a foundation for:

  • Standardizing operations and reducing human error
  • Identifying risks at key control points
  • Designing and assigning controls to the right owners
  • Demonstrating compliance with regulations
  • Supporting audits through clear, organized evidence

By documenting those processes systematically, you will be able to manage intelligently and respond proactively.

Creating and Maintaining Processes in SAP Risk and Assurance Management

Business processes can be created manually within SAP Risk and Assurance Management, or they can be synchronized from SAP Signavio. Once created, processes can be reviewed, edited, or versioned over time, supporting the dynamic nature of business operations. Status changes help teams manage the lifecycle of a process, from draft to active to retired.

While integration with SAP Signavio offers significant benefits, SAP Risk and Assurance Management also provides an intuitive and structured way to capture and manage your organization’s process documentation through its Process Catalog functionality. This feature offers a logical framework in which business processes are grouped, organized, and classified.

SAP Risk and Assurance Management structures business processes into a simple, two-level hierarchy:

Main Process
These are your core, high-level business flows. They represent the major activities within your organization. Examples include:
  • Order-to-Cash
  • Procure-to-Pay
  • Hire-to-Retire
Subprocess
Each main process can be divided into more specific components that capture detailed tasks or steps. Examples include:
  • Generate Customer Invoice
  • Vendor Selection and Approval
  • Employee Onboarding

This hierarchical structure not only organizes processes logically but also enhances the alignment of controls, ownership, and risk assessments with the actual flow of business operations.

When documenting business processes in SAP Risk and Assurance Management, the goal is to go beyond surface-level descriptions. Each process and subprocess should be clearly and completely defined.

Key attributes you should document include:

Process Name and Description
A concise explanation of what the process does and why it exists in the organization.
Ownership Information
Identify the individual or role responsible for executing and maintaining the process.
Validity Period
Specify the timeframe during which the process is active. This ensures historical accuracy and aids audit readiness.
Business Process Type
Designate whether the process is a Main Process or a Subprocess for structural clarity.
Process Criticality
Assign a risk or impact level, which helps prioritize controls and monitoring based on operational or compliance significance.
Attachments and References
Supporting documents such as diagrams, SOPs, or policy links can be added to strengthen clarity and traceability.

If you want to read more about business processes, see "Document Business Processes" on the SAP Help Portal.

If you want to learn more about SAP Signavio and SAP Risk and Assurance Management integration, please go back to Unit 1.

Let's learn how to create an organizational hierarchy in SAP Risk and Assurance Management.

Create an Organizational Hierarchy in the Org Hierarchies Tile
