Enterprise Risk Management Approach in SAP GRC


Hi All,

Can you please let me know what approach is followed for implementing Enterprise Risk Management (ERM) in SAP GRC. Also, please tell me how internal control frameworks like COSO and COBIT are mapped to ERM in SAP GRC.

Regards

Vivek

Accepted Solutions (1)

vinay_hk

The implementation of ERM 2.0, like that of other product suites, has to follow a standard definition/customization activity. There are customizations that will have to be done at the Org level and in the other Catalogues.

Your 2nd question:

As you have rightly said, COSO and COBIT are standard control frameworks and risk management is an integral activity that has to be carried out while defining controls.

On the other hand, I am aware of a model for Risk Management itself from COSO (coincidentally termed ERM), and I have to say it lays out the risk management methodology, which is no different from many other available models. In other words, the basic methodologies of ERM 2.0 and COSO ERM are similar.


Hi All,

Thanks a lot for your response. To slightly rephrase my question, I do believe the COSO framework is mapped to ERM 2.0 in SAP. If you can, please briefly explain how the same is mapped, viz., Control Environment, Control Activity, etc. The other query I have is: once the risks are identified by consultants along with the management, how do we capture the risks identified, the controls to mitigate those risks, etc. in SAP ERM? Can you provide me an overview of how the key risk indicators identified by the management are tracked in SAP and how they are measured, like the Maturity Model rating we have in COBIT?

Former Member

Dear Vivek,

While assigning roles to users, you will be displayed the risks that are identified with those roles, if any. You can either mitigate or remove the roles.

The process covered by GRC Risk management includes the following steps:

-Risk Planning: Determines the approach to risk management in each business area or project. This includes setting up the risk management organization and defining risk thresholds. This phase is partially supported by a software application.

-Risk Identification and Analysis: Identifies the risks in order to analyze and prioritize them along different attributes, such as probability of occurrence and the potential total loss associated with the risk.

-Risk Response: Decides on actions needed to respond to a risk. One action could be to actively mitigate the risk to reduce probability of occurrence and/or potential impact.

-Risk Monitoring: Includes the regular update of risk information and the risk reporting to monitor progress along the risk management process.

The Risk Management application provides a set of different reporting capabilities based on the individual needs of the target groups:

-A set of built-in reports that are delivered with the application. These reports allow risk managers to review the current risk state.

-Visual Composer based dashboards that provide information about the current risk status on an aggregated basis. The dashboards fulfill the risk reporting needs of senior managers and line managers.

Step 1: You maintain the Risk structure

1. You set up the organizational hierarchy

2. You set up the Activity Hierarchy

3. You set up the Risk Hierarchy

Step 2: You perform the Risk Assessment

1. You identify the risks

2. You analyze the risks

3. You respond to risks

4. You document the Incidents

Step 3: You analyze risk reports

1. You generate risk reports

2. You report the incidents

Step 4: You analyze the dashboards

Refer to the SAP documentation on GRC for more information.

Regards,

Naveen.
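As an added example (not part of the original post and not SAP code), the following Python sketch models the four phases Naveen lists: thresholds set in Risk Planning and inherited down an organizational hierarchy, risks identified and analyzed by probability of occurrence and potential total loss, responses that reduce probability and/or impact, and a monitoring view that rolls residual exposure up the hierarchy the way an aggregated dashboard would. Every org unit, activity, risk and amount is hypothetical sample data constructed for the example.

```python
"""Constructed illustration of the GRC risk management phases described above.

Not SAP code: a minimal in-memory risk register showing how thresholds from
planning, probability/loss from analysis, responses, and hierarchical roll-up
fit together. All names and numbers below are invented sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 1: organizational hierarchy as child -> parent (None marks the root).
ORG_HIERARCHY: Dict[str, Optional[str]] = {
    "Group": None,
    "Finance": "Group",
    "IT": "Group",
    "IT/Identity": "IT",
}

# Risk Planning: thresholds on residual exposure, set per unit and inherited
# by descendants that define none (hypothetical currency amounts).
THRESHOLDS: Dict[str, float] = {"Group": 500_000.0, "IT": 100_000.0}


@dataclass
class Response:
    """A risk response; mitigation scales probability and/or impact."""
    kind: str                         # e.g. "mitigate", "transfer", "accept"
    probability_factor: float = 1.0   # 1.0 means no change
    impact_factor: float = 1.0


@dataclass
class Risk:
    risk_id: str
    org_unit: str
    activity: str                     # node of the activity hierarchy
    probability: float                # inherent probability, 0..1
    impact: float                     # inherent potential total loss
    responses: List[Response] = field(default_factory=list)
    incidents: List[str] = field(default_factory=list)

    def inherent_exposure(self) -> float:
        return self.probability * self.impact

    def residual_exposure(self) -> float:
        """Exposure after every recorded response has been applied."""
        p, i = self.probability, self.impact
        for r in self.responses:
            p *= r.probability_factor
            i *= r.impact_factor
        return p * i


def ancestors(unit: str) -> List[str]:
    """The unit itself followed by each parent up to the root."""
    chain: List[str] = []
    current: Optional[str] = unit
    while current is not None:
        chain.append(current)
        current = ORG_HIERARCHY[current]
    return chain


def threshold_for(unit: str) -> float:
    """Nearest threshold defined on the path from the unit to the root."""
    for u in ancestors(unit):
        if u in THRESHOLDS:
            return THRESHOLDS[u]
    raise KeyError(f"no threshold defined on the path from {unit} to the root")


def rating(risk: Risk) -> str:
    """Prioritize by comparing residual exposure with the unit's threshold."""
    t = threshold_for(risk.org_unit)
    e = risk.residual_exposure()
    if e >= t:
        return "high"
    if e >= t / 2:
        return "medium"
    return "low"


def aggregate_exposure(risks: List[Risk]) -> Dict[str, float]:
    """Monitoring view: residual exposure rolled up to every ancestor unit."""
    totals = {u: 0.0 for u in ORG_HIERARCHY}
    for r in risks:
        for u in ancestors(r.org_unit):
            totals[u] += r.residual_exposure()
    return totals


def sample_register() -> List[Risk]:
    """Constructed sample risks; values are illustrative only."""
    return [
        Risk("R1", "IT/Identity", "Role provisioning", 0.4, 400_000.0,
             [Response("mitigate", probability_factor=0.5)]),
        Risk("R2", "Finance", "Period-end close", 0.3, 2_000_000.0),
        Risk("R3", "IT", "Patch management", 0.5, 150_000.0,
             [Response("transfer", impact_factor=0.4)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        print(r.risk_id, r.org_unit, round(r.residual_exposure()), rating(r))
    print(aggregate_exposure(register))
```

Running the block rates R2 "high" (no response, so its full inherent exposure of 600,000 exceeds the Group threshold it inherits), R1 "medium" and R3 "low", and rolls the residual exposures up so that the Group total equals the sum of all three. Incidents recorded against a risk would, in the same spirit, feed back into re-estimating its probability during the next monitoring cycle.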


Hi Navin,

Thanks for sharing your knowledge. I'm now convinced about how to approach ERM in SAP through your step-by-step approach. It will be quite helpful to me if you can share with me the link to the SAP documentation on SAP ERM.

Regards

Vivek

Former Member

Hi Vivek,

The configuration and user guides are available on the Service Marketplace. If you navigate to the SAP Support Portal you can find the quicklink '/instguides'. If you click on 'SAP GRC Risk Management' and then, on the left, 'Release 2.0', the User Guide, Master Guide and Configuration Guide are the best sources of information at the moment.

All the best,

Daniel.

Answers (1)


Hi Vivek,

The answer to your question is, "it depends". I know it's the classic consulting answer, but the approach can change depending on the organization and its ERM goals. For that matter, each organization may have a different definition of the word "Enterprise". Luckily, the RM 2.0 application has been built on a solid RM framework (COSO and PMBOK) and is generic enough to apply to numerous ERM scenarios. It is built on Organizational, Activity and Risk Hierarchies, which provide customers with a multitude of Risk Dimensions. As mentioned, it also supports the key RM standards for Planning, Identification, Analysis and Monitoring.

Dan