Understanding the Risk Lifecycle, Customizing the Risk Settings and Creating a Risk

Objective

After completing this lesson, you will be able to explain the risk lifecycle, customize the risk settings, and create a risk.

Risk Lifecycle

The risk lifecycle in SAP Risk and Assurance Management consists of the following process steps: risk identification, risk analysis, and risk mitigation.

Risk management is a fundamental component of a strong internal control system. SAP Risk and Assurance Management provides a structured, proactive, and centralized way to identify, assess, and respond to risks across the organization.

Embedding risk management in the internal control system not only supports regulatory compliance but also improves decision-making and strengthens organizational resilience. With SAP Risk and Assurance Management, risk is no longer a reactive concept; it becomes a strategic lever.

Let’s walk through the key stages of the risk management lifecycle as typically applied within SAP Risk and Assurance Management.

The Risk Lifecycle in SAP Risk and Assurance Management

SAP Risk and Assurance Management guides users through a clearly defined risk lifecycle that mirrors leading GRC practices. This lifecycle ensures consistency, transparency, and control at every stage of risk management.

1. Risk Identification

The process begins with identifying potential risks that could affect business objectives. This includes both internal and external risks, ranging from operational breakdowns to strategic threats or evolving regulatory landscapes.

Within SAP Risk and Assurance Management, each risk is documented with key attributes such as:

  • Risk categories (for example, Compliance, Operational, Strategic)
  • Cause categories (drivers or conditions that lead to the risk)
  • Impact categories (consequences such as financial loss or reputational damage)

2. Risk Analysis

Once risks are captured, they are analyzed to determine their potential impact and likelihood. This step is critical for prioritizing risks and focusing attention on the areas that matter most.

In SAP Risk and Assurance Management, this is supported by:

  • Likelihood Assessment: Evaluates how probable it is that the risk will occur.
  • Impact Evaluation: Measures the severity of consequences if the risk materializes.
  • Risk Scoring Models or Matrices: Help visualize and rank risks as Low, Medium, or High based on their overall risk profile.

The analysis is driven by data, expert judgment, and contextual awareness, helping uncover risk trends or clusters in specific business units.

3. Risk Mitigation

Following analysis, the organization must determine how to respond to each risk. Common treatment strategies include:

  • Avoiding the risk (for example, halting risky operations)
  • Reducing the risk (for example, implementing controls or process changes)
  • Transferring the risk (for example, via insurance or third-party contracts)
  • Accepting the risk (when it falls within established risk appetite)

The Value of Customizing Risk Settings

Every organization faces unique risks and requires specific data points to be captured during the risk creation process. To ensure alignment with your organization's structure, processes, and terminology, SAP Risk and Assurance Management provides the flexibility to customize risk settings, including the ability to define custom fields, categories, and risk attributes tailored to your business needs.

The SAP Risk and Assurance Management risk service enables you to configure:

  • Custom fields for risk entry
  • Risk levels, likelihood scales, and impact dimensions
  • Default role assignments and organizational hierarchies
  • Mandatory data inputs and field dependencies

A well-configured risk setting foundation leads to more informed decisions, consistent risk governance, and stronger enterprise oversight.

Let's start by configuring the risk settings in the Risk Settings tile in SAP Risk and Assurance Management.

The Risk Settings tile acts like a control panel. It is where you set up and manage how your organization looks at risk. This tile gives you the tools to build and customize your risk framework so that it fits your business.

It consists of the following areas which can be customized:

Risk Categories
Help classify risks into meaningful groups, enabling better analysis, reporting, and prioritization.
Business Objectives
Allow you to align risks with strategic goals, so risk management supports value protection and creation.
Roles
Define accountability by assigning clear responsibilities (for example, risk owner, risk reviewer) within the risk lifecycle.
Cause and Impact Categories
Standardize how risks are described, making assessments more accurate and actionable.
Risk Analysis Specifications
Ensure consistent evaluation methods (qualitative, quantitative) across all risks.
Risk Treatment Options
Guide how risks should be mitigated, accepted, transferred, or avoided.
Organization-Specific Risk Settings
Allow customization to fit unique organizational structures or risk profiles.
Custom Fields
Enable tailored data capture to meet specific reporting or regulatory needs.
Data-Retention Period
Ensures compliance with legal requirements and keeps the risk register clean and audit-ready.

Let’s take a look at how to create a risk in SAP Risk and Assurance Management.

Details of a risk named Non Compliance with Accounting Policies_HC in the Manage Risk tile.

Once risk settings are customized you can start to create risks in SAP Risk and Assurance Management. This process begins in the Manage Risks tile which is the entry point for creating and managing risk entries within the system.

Creating a risk involves several key steps:

1. Naming the Risk

Giving the risk a clear and descriptive name is the first crucial step. It serves as a concise identifier that immediately communicates the essence and focus of the risk.

2. General and Additional Information

In the General Information section, you can specify critical details such as:

  • The organizational unit which the risk belongs to.
  • The risk category, such as financial, operational, or compliance.
  • Any related business objectives, with the option to select multiple objectives if needed.

In the Additional Information section, you can:

  • Add the link to a corresponding risk in SAP Signavio. (For more information about the integration between SAP Risk and Assurance Management and SAP Signavio, please go to Unit 1).
  • Select a time frame for the risk horizon, referring to the period used for assessing and forecasting risks.

3. Describing the Risk

Providing a detailed explanation helps clarify the nature of the risk. This includes what the risk is, how it might arise, and the potential impact it could have.

4. Assigning Roles

Assigning roles ensures clear accountability by designating who is responsible for managing and overseeing the risk. This step establishes ownership and ensures that the right people are involved throughout the risk management process. When you create a risk in SAP Risk and Assurance Management, the risk manager and risk owner roles are assigned automatically based on predefined rules, and you cannot change them manually during risk creation. Let's look at how role assignment works in SAP Risk and Assurance Management:

Organizational Unit Association
If the risk is linked to an organizational unit that has dedicated risk managers and a risk owner, these roles are automatically assigned.
Default Assignments
If no such dedicated roles exist in the unit, the system assigns default risk manager(s) and risk owner.
No Assignments
If there are neither dedicated roles for the unit nor default roles, these fields remain unassigned.

Note

While you can't change these assignments during creation, you can prepare in advance by:
  • Designating default risk managers and a default risk owner for the system.
  • Assigning dedicated roles to specific organizational units.

5. Adding Causes

Documenting causes is a critical step in the risk creation process, as it identifies the root reasons that could lead to the risk’s occurrence. This field is mandatory and plays a key role in understanding what triggers the risk. Causes explain "what is or has happened" that may result in the risk and help distinguish between the current state (what-is) and the desired state (what-should-be). Multiple causes can be linked to a single risk, providing a comprehensive view of its potential origins. Accurately capturing causes enhances risk analysis and supports the development of effective mitigation strategies.

6. Inherent Risk Analysis

Inherent risk analysis is the assessment of a risk before any controls or mitigation efforts are applied. It evaluates the likelihood that a risk will occur and the impact it would have if it materializes. This analysis helps organizations understand the raw level of risk exposure, serving as a baseline for deciding which risks need treatment and prioritization. This part consists of two sections: Impacts and Inherent Risk.

Impacts
Allows assessment of potential consequences if the risk occurs.
  • Users document both qualitative and quantitative impacts, depending on configured analysis profiles.
  • Assess multiple impact types: financial loss, reputational damage, operational disruption.
  • Specify the severity or magnitude for each impact type.
Inherent Risk
  • Refers to risk level before any controls or mitigations.
  • Two key components:
    • Likelihood: Probability of occurrence.
    • Impact: Severity of consequences.
  • The system may calculate an overall inherent risk level based on input.

7. Risk Treatment

This section outlines how your organization intends to manage or address the risk, aiming to reduce its likelihood and potential impact through planned actions and controls. In SAP Risk and Assurance Management, risk treatment can be implemented through two primary methods:

1. Control Assignment
Assigning an existing control to a risk is a proactive way to reduce or manage that risk. A control is a preventive or detective measure that is already in place (or planned) to help ensure compliance, enforce policies, or reduce exposure.

By linking one or more controls to a risk in SAP Risk and Assurance Management, you provide traceability and clarity around which mechanisms are intended to mitigate that risk. Controls can be anything from process checks and technical safeguards to manual reviews or approval workflows.

Example: Assigning a segregation-of-duties control to mitigate the risk of unauthorized financial transactions.

2. Creating a Response
Alternatively or additionally, you may choose to create a specific risk response. A response is a broader strategy or planned action tailored to how your organization intends to handle the risk. In SAP Risk and Assurance Management, responses are categorized into types such as:
  • Accept – No further action is taken.
  • Avoid – Activities leading to the risk are discontinued.
  • Mitigate – New actions are introduced to reduce the risk.
  • Transfer – The risk is passed to another party (for example, through insurance).
  • Watch – The risk is monitored over time.
  • Research – Further investigation is needed before deciding.

A response also includes assigning ownership, defining effectiveness, and assessing how much it will reduce the risk, qualitatively or quantitatively.

Example: Creating a response to mitigate a cybersecurity risk by implementing a company-wide multi-factor authentication project.

When to Use Each Method

  • Use Control Assignment when there are already effective internal controls in place or when you want to reinforce existing measures.
  • Create a Response when you need to document a broader treatment strategy, especially for risks that require new initiatives, strategic decisions, or when controls alone are not sufficient.

In SAP Risk and Assurance Management, both methods can be used together to provide a comprehensive treatment approach, ensuring that each risk is not only acknowledged but also actively managed with appropriate accountability and oversight.

8. Risk Analysis Summary

The Risk Analysis Summary provides a clear and comprehensive overview of a risk’s current status and how it is being managed. It summarizes three important risk levels:

Inherent Risk
This represents the risk level before any controls or mitigation actions are applied. It reflects the raw exposure your organization faces.
Residual Risk
This is the risk that remains after controls and treatments have been put in place to reduce the inherent risk.
Target Residual Risk
This is the goal—the acceptable level of risk your organization aims to achieve once all planned risk treatments are completed.

Reviewing this summary shows how well a risk is understood, prioritized, and managed throughout its lifecycle, which supports better decision-making and more effective risk treatment.
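The following is an added worked example, not code from SAP Risk and Assurance Management, that models how the three levels in the summary relate to each other. It assumes a five-by-five likelihood/impact matrix, score thresholds for Low/Medium/High, and treatments (control assignments or responses) that are credited with a fixed reduction in likelihood or impact; all of these are placeholder assumptions, since the real values come from the risk analysis specifications you configure. The sample risk, control, and response are constructed from the examples given in the text.

```python
"""Illustrative risk-matrix model (added example; not SAP's own calculation).

Assumptions: five likelihood and five impact levels, level = likelihood * impact
bucketed into Low / Medium / High, and each effective treatment subtracts a
fixed number of levels. SAP Risk and Assurance Management applies whatever
analysis profile you configure; the thresholds here are placeholders.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


def risk_level(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair onto Low/Medium/High (assumed thresholds)."""
    score = int(likelihood) * int(impact)
    if score >= 12:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Treatment:
    """A control assignment or a risk response and the reduction credited to it."""
    name: str
    kind: str                      # "control" or a response type such as "Mitigate"
    likelihood_reduction: int = 0  # levels subtracted from likelihood
    impact_reduction: int = 0      # levels subtracted from impact
    effective: bool = True         # an ineffective control earns no reduction


@dataclass
class Risk:
    name: str
    inherent_likelihood: Likelihood
    inherent_impact: Impact
    target_likelihood: Likelihood
    target_impact: Impact
    treatments: list[Treatment] = field(default_factory=list)

    def inherent(self) -> tuple[int, int, str]:
        """Risk level before any control or treatment is applied."""
        lk, im = int(self.inherent_likelihood), int(self.inherent_impact)
        return lk, im, risk_level(lk, im)

    def residual(self) -> tuple[int, int, str]:
        """Inherent values with every effective treatment applied, floored at 1."""
        lk, im = int(self.inherent_likelihood), int(self.inherent_impact)
        for t in self.treatments:
            if not t.effective:
                continue  # assigned but ineffective: no credit
            lk = max(1, lk - t.likelihood_reduction)
            im = max(1, im - t.impact_reduction)
        return lk, im, risk_level(lk, im)

    def target(self) -> tuple[int, int, str]:
        """The acceptable level once all planned treatments are complete."""
        lk, im = int(self.target_likelihood), int(self.target_impact)
        return lk, im, risk_level(lk, im)

    def summary(self) -> dict:
        """The three levels of the Risk Analysis Summary plus a target check."""
        inh, res, tgt = self.inherent(), self.residual(), self.target()
        return {
            "inherent": inh,
            "residual": res,
            "target": tgt,
            # Target is met only when both dimensions are at or below it.
            "meets_target": res[0] <= tgt[0] and res[1] <= tgt[1],
        }


def example_risk() -> Risk:
    """Constructed sample: the unauthorized-transactions risk from the text."""
    return Risk(
        name="Unauthorized financial transactions",
        inherent_likelihood=Likelihood.LIKELY,
        inherent_impact=Impact.SEVERE,
        target_likelihood=Likelihood.RARE,
        target_impact=Impact.MAJOR,
        treatments=[
            Treatment("Segregation of duties", "control", likelihood_reduction=2),
            Treatment("Company-wide MFA project", "Mitigate", likelihood_reduction=1),
            Treatment("Quarterly access review", "control",
                      likelihood_reduction=1, effective=False),
        ],
    )


if __name__ == "__main__":
    for key, value in example_risk().summary().items():
        print(f"{key}: {value}")
```

Running the sample shows the point of the summary: the segregation-of-duties control and the MFA response bring the likelihood down from Likely to Rare, so the residual level drops from High to Medium, but no treatment reduces the impact, so the residual still sits above the target on that dimension and the target is not met. The ineffective access review contributes nothing, which is why control effectiveness matters when residual risk is derived from assigned controls.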

9. Finalizing the Risk Creation

You can add comments and attach files or links to a risk. If all inputs are correct, select In Assessment to indicate that the analysis is ongoing.

Good to know:

Risk Statuses and Their Definitions in SAP Risk and Assurance Management

Understanding a risk’s status is essential for managing it effectively throughout its lifecycle in SAP Risk and Assurance Management. Each risk moves through several key statuses:

In Definition
When you first create a risk, it is in the In Definition status. At this stage, the risk is still being detailed and can be edited or deleted. Once all necessary information is entered, you can begin the risk assessment process.
In Assessment
Changing the status to In Assessment means the risk analysis is actively underway. During this phase, the risk’s likelihood, impact, and potential treatments are being evaluated.
Assessed
When the analysis is complete, the risk status changes to Assessed. Risks in this status are finalized and can no longer be edited unless you revert them back to In Assessment for re-analysis.
Retired
If a risk is no longer relevant or affecting your organization, you can retire it. Retired risks are effectively closed and removed from active management.

By tracking and understanding these statuses, you ensure that risks are properly managed at each stage, from creation to resolution.

Let's see how to create a risk in the Manage Risk tile in SAP Risk and Assurance Management.

Create and Assess a Risk in the Manage Risk Tile