In SAP Risk Management, the Risk Analysis and Risk Treatment phases play a pivotal role in ensuring effective risk management. One critical aspect of this phase is the creation of question and survey libraries. These libraries serve multiple purposes:
- Alignment with Organizational Goals: By defining specific questions related to Risk Assessment. Organizations ensure that Risk activities are directly aligned with their strategic objectives and enterprise risk management requirements.
- Systematic Risk Assessment: Enables organizations to systematically assess critical risks by collecting relevant data and insights from risk owners. This structured approach ensures thorough coverage of potential risk areas.
- Support for Decision-Making: The collected data from surveys provides valuable information for informed decision-making. It helps identify risk, allowing organizations to prioritize the risk.
- Continuous Improvement: Regular surveys and assessments support a culture of continuous improvement by enabling organizations to identify evolving risks and adapt control measures accordingly.
- Enhanced Collaboration: The process of creating question and survey libraries facilitates collaboration between risk owners and the risk management team. It encourages communication and knowledge sharing, fostering a deeper understanding of risk and response requirements and promoting alignment across departments.
Question Library
The Question Library provides comprehensive functionality for creating, maintaining, and organizing questions based on different categories or topics relevant to the organization's Governance, Risk, and Compliance (GRC) objectives. It allows users to develop standardized sets of questions that can be reused across multiple surveys, ensuring consistency and accuracy in data collection.
The questions can be designed for the following assessments:
- Risk assessment through surveys: These questions are used to analyze the risk before deciding which risks should be addressed.
- Collaborative risk assessment through surveys: These questions are used to assess the risk from the business (risk experts) and consolidate the assessment by risk owner.
- Risk consolidation: These questions are used to evaluate the risks of different organization levels in a company.
- Risk Survey: These questions are used to gather valuable information to uncover new circumstances that might impact the risk assessment.
The following answer types are available:
- Rating: Used when the control owner must provide a rating for a question on a scale of 1-5.
- Yes, No, or N/A: Used when the control owner must respond to the question with the options as yes, no, or not applicable.
- Text: Used if response expectation of the question is a detailed explanation from the control owner.
- Choice: Used if custom options are to be provided to the control owner to choose from the answer list.
Risk Assessments are explained in more detail later in this unit.
Survey Library
Identified risks are not always equally critical. Risks must be analyzed before deciding which risks to address. The risk analysis process allows you to start with a qualitative analysis and then add quantitative measures when they are known.
Before proceeding with the risk, owners often survey their counterparts in other departments about their experience with a particular risk. Risk owners can use the survey features in SAP Risk Management to identify new risks, receive and update risk information, or create checklists.
Surveys can be used to perform a risk analysis. Those responding to the survey reply with their answers to the questions posed, and these responses are mapped to risk analysis objects such as probability, impact, and speed of onset. This enables business users to contribute, without being exposed to the details of the risk analysis methodology.
Conducting a survey is a useful way to obtain risk information, which is, in turn, used to make risk-based decisions. The value of the survey depends on the accuracy of the information that the survey contains.
The following figure gives an overview of the general process flow of surveys in SAP Risk Management.
Risk Management: Planner-Based Workflows
There are various stakeholders in a business who must participate in the risk management process. Some people have a role in participating in the risk identification process and the risk analysis process. Others, especially managers, can get involved in approving risk assessments or reported incidents. Also, some others must be assigned specific actions to take in response to a risk.
The people who participate in the risk management process, even infrequently or occasionally, need help and prompting about when they must act and what they must do.
SAP Risk Management supports users in this way through the generation of workflows to remind them of something that needs attention in the risk management system. It provides a guided interface for executing that action. The planner is a tool used by the risk manager to generate the workflows for the users and to track the status of those workflows.
The planner supports the following types of workflows:
- Activity validation
- Opportunity validation
- Risk validation
- Risk assessment
- Risk assessment through surveys
- Opportunity assessment
- Response update
- Activity survey
- Risk indicator survey
- Risk survey
- Collaborative Risk Assessment
- Collaborative Risk Assessment through surveys
SAP Risk Management Business Event and Recipient
| Business Event | Recipient Roles Name |
|---|---|
| Risk Proposal | Risk Manager |
| Propose Control | Control Owner/Process Owner |
| Activity Validation | Organization Owner |
| Risk Validation | Risk Manager |
| Opportunity Validation | Opportunity Owner |
| Risk Assessment | Risk Owner |
| Collaborative Risk Assessment | Risk Expert, Risk Owner |
| Opportunity Assessment | Opportunity Owner |
| Response Update | Response Owner |
| Activity Survey | Project Manager |
| Risk Survey | Risk Owner |
There are three available validation types: Activity, Risk, and Opportunities. Validation is the term in the system used for approvals.
- Risk Validation is used to approve an individual risk.
- Opportunity Validation is used to approve an individual opportunity.
- Activity Validation is used to approve a collection of risks under the umbrella grouping of an activity which could include one or more risks and opportunities, for example, project, initiative, or strategy.
There are three available assessment types: Risk, Opportunities, and Responses. An assessment is an update to the risk analysis and/or responses.
- Risk Assessment is used to update risk analysis and responses.
- Opportunity Assessment is used to update opportunity analysis and enhancement plans.
- Response Update is used to update the details of the response to a risk.
There are three available survey types: Activity, Risk, and Risk Indicator.
- Activity Survey is used to identify new risks and potential shortcomings related to an activity, for example, project or process.
- Risk Survey is used to initiate a risk assessment (or reassessment) to uncover new circumstances that might impact the risk assessment.
- Risk Indicator Survey is used to receive manual indications on the development of a key risk indicator.
Now that you have been introduced to the Planner App, Nancy, the Risk Manager at CRG International Inc, will demonstrate the planner app in SAP Risk Management in the following video demonstration.