Evaluating Risk Assessment​s

Risk Analysis is an important activity in any Risk Management system as it helps the organization to decide and focus upon high priority risks. It helps organizations to use the right number of resources to mitigate the risk to achieve organization objectives.

The following three risk analysis types are enabled for CRG.

• Inherent risk analysis is the likelihood and impact of the risk without response measures in place.
• Residual risk analysis is the likelihood and impact of the risk with response measures in place. In the first instance, existing response measures are included. As a second step, extra response measures can be added if appropriate.
• Planned residual risk analysis is the target likelihood and impact required for the risk level to be acceptable. This is based on assumptions that all responses are fully implemented (completeness) and fully effective (effectiveness).

SAP Risk Management supports various risk analysis profiles including Qualitative, Quantitative, Scoring, and so on. Risk level is based on the probability and impact of a risk matrix, and risk score is defined as multiplication of probability and impact. It can be represented by the formula shown in the following figure.

Risk Level Matrix

The Risk Level Matrix serves three purposes:

1. It converts the likelihood of the risk event occurring and impact of occurrence into risk levels (as shown by the letter designations in the cells: L, M, H).
2. It helps you to prioritize risks based on their risk level, as shown by the numbers next to the risk levels (where H is the highest priority and L is the lowest priority).
3. When coupled with the risk level definitions, it provides a final check on the resulting risk level ratings in terms of the required management action.

A risk level matrix is typically presented as a 3x3 or 5x5, although other variations are possible in SAP Risk Management, such as a 7x7. A 5x5 matrix is enough to help you prioritize risks. The bigger the matrix, the more difficult it is to come up with differentiating definitions of the likelihood and impact bands.

The risk level matrix is designed so that the higher risk levels appear in the upper right-hand corner, while lower-level risks appear near the lower left-hand corner.

Sam Hall, CRG Internationals Risk Owner, will now demonstrate the Risk Assessment Demo in Risk Analysis and Mitigation in SAP Risk Management in the following video demonstration.

SAP Risk Management incorporates a workflow-based approach to performing risk assessments, ensuring a systematic and efficient process. SAP Risk Management maintains a rigorous audit trial and accountability, documenting every change to risk assessments and the corresponding responses or controls.

By adopting a role-based approach, users are designated specific responsibilities when executing risk assessments, enhancing clarity and ownership. Also, the centralized planning and scheduling feature allows for organized risk assessment timelines and the ability to monitor completion status effectively.

Upon completion of the assessments, risk reports and heat maps are automatically updated, providing real-time insights into the organization's risk profile.