SAP GRC Risk Management 10.1 Enhancements
Capgemini is one of the first ‘Ramp Up’ partners with SAP on the SAP GRC 10.1 suite of products. This blog covers feedback on the ‘SAP GRC Risk Management 10.1’ product on behalf of Capgemini.
Enhancements made in SAP GRC Risk Management 10.1 as compared to SAP GRC Risk Management 10.0 have been grouped into the five categories listed below:
- Changes in NWBC Page
- Changes in Terminologies (ISO 31000 Terminology Support)
- User Experience Enhancement
- Operational Data Provision (ODP)
- Risk Assessment/Analysis Related Enhancements
I. Changes in Front End
Below are a few additional tabs added to the NWBC page which make risk management easier and faster:
My Home - Work Inbox: As shown in the below pictures, mails can be sorted alphabetically, by priority level of the request (high, medium and low) and by request date as well.
Risk Structure - Organization: Organizations can be mapped and thresholds can be checked at Organization level easily. So, the view option can be customized as per customer requirement.
Risk Structure - Risk & Responses: Related risks can be linked to each other directly. Underlying risks can be mapped to a master risk and can be browsed from here.
Risk Assessments - Risk Assessments: Risks can be reassigned to a new organization. Proposed risks and other related details like name of person who created the risk, proposed organization etc. can be viewed. Ad-hoc Risk Escalations can also be seen here.
Risk Monitoring: Exception Access Rules: This functionality makes the process of creating organization rules faster and eliminates possible invalid entries due to manual inputs.
II. Changes in terminologies (ISO 31000 Terminology Support):
It helps to harmonize the risk management process across existing and future standards. Terminology differences are supported with configurable label changes. A few changes are given below:
- Driver – Cause
- Impact – Consequence
- Probability – Likelihood
- Response – Treatment
- Event – Incident/Loss
The new version, i.e. GRC 10.1, also supports activities like edit, upload, download and transport of the terminologies.
III. User Experience Enhancement:
- Entry Page and Side Panel: This functionality is most useful for corporate risk managers and operational risk managers. Users get easy access to critical data and frequently used transactions.
Side Panels are used to enhance the working context of end users by:
- Displaying additional information related to the current context
- Rendering additional shell visuals, such as collaboration, help etc.
- The side panel of a risk shows the various controls and the status of each control test (passed/failed) as well
The Entry Page is dedicated to SAP Risk Management operational risk managers and can be configured in the IMG settings of Operational Risk Management for the banking industry. The entry page shows the general activities of an operational risk manager.
Both Side Panel and Entry Page can be configured and personalized by the customer as per requirement.
- Google like Search: This functionality enables a few Risk Management entities for Enterprise search (Google like search) in Risk Management. Below is the list of entities which are supported by enterprise search:
- Activity
- Incident
- Risk
- Response
IV. Operational Data Provision (ODP): This functionality helps index data in the SAP HANA database/SAP NetWeaver BW Accelerator. It helps provide faster access to data for analytics purposes and mass data replication as well. Enterprise Search has also been integrated with this functionality.
V. Risk Assessment/Analysis Related Enhancements: The GRC 10.1 version has a provision to connect to a HANA system. So, HANA capabilities can now be used in risk analysis.
- HANA Based Key Risk Indicator (KRI): A new connector type ‘HANA’ is introduced, which helps to connect to a HANA system and thus makes use of HANA capabilities to analyze large volumes of data and find potential risks quickly. In addition, Enterprise Risks from multiple systems can be consolidated through HANA.
- KRI Driven Analysis: This enhancement allows probability and/or impact to be linked to a KRI instance. Probability and impact can be calculated automatically by KRI runtime. Whenever a linked KRI instance is updated, a new standard analysis would be created to keep the history of changes made, if any. This functionality is covered in KRI runtime.
- Operational Risk Analysis: In the earlier version, Risk Analysis showed three risk analysis types: inherent, residual and planned residual. In GRC 10.1, Residual Analysis (Planned) can be hidden by configuring the settings. This enhancement helps Risk Management to better support industry frameworks (ISO 31000 and COSO), as Residual Risk Analysis (Planned) is not required in these frameworks.
- Risk Analysis Guidance: The Risk Analysis Guidance can be configured in SPRO. This option helps users understand the possible impacts of a particular risk and perform analysis in a better way. It shows the list of all impact/consequence categories, if configured.
- Ad-hoc Risk Escalation: Also called Ad-Hoc Reporting. This functionality alerts risk managers whenever a risk exceeds the predefined company threshold level and helps them take corrective measures towards the risks, as ad-hoc risks require a dedicated awareness and reporting process in an organization. Ad-Hoc Risk Escalation also serves as a whistle-blowing approach within a Risk Management framework.
- Risk Summary: A new ‘Risk Summary’ tab has been introduced in new version at Organization, Risk Category and Activity user interface, which provides risk summary information on respective Organization, Risk Category and Activity collaboratively.
Benefits from Enhancements made in SAP GRC Risk Management 10.1 as compared to SAP GRC Risk Management 10.0

| Enhancement Areas in SAP GRC Risk Management 10.1 | New Functionalities in SAP GRC Risk Management 10.1 | Benefits of Enhancements in SAP GRC Risk Management 10.1 |
|---|---|---|
| I. Changes in NWBC Page | | |
| | Simplified Work Inbox | The option to sort mails based on Requested By [A-Z/Z-A], Request No [Low-High/High-Low] and Requested Date [Low-High/High-Low] makes it easier to handle |
| | Master & Dependent Organization View Mapping | Customization option for the view of master organization & dependent organization mapping makes it suitable for customers as they can customize their view according to their requirement |
| | Threshold Browser | Threshold level of companies can be viewed and managed through this link without going to the individual organization in the organizational hierarchy |
| | New Risk Assessment features (reassignment of risks, proposed risks and risk escalations, Workshops) | Risks can now be reassigned to various organizations easily and directly from NWBC. Proposed risks and their status can be viewed with a new tab |
| | Organization Rule creation Wizard | Helps in creating organization rules faster and eliminates possible invalid entries |
| II. Changes in terminologies (ISO 31000 Terminology Support) | | |
| | ISO 31000 Terminology Support | Now terminologies are aligned with the ISO 31000 standard, which improves global adoption of SAP GRC Risk Management |
| III. User Experience Enhancement | | |
| | Entry Page and Side Panel | Risk Managers benefit most from the improvements in Entry Page and Side Panel, which show additional details about risks, related controls, frequently used critical transactions etc. |
| | Google like Search | Searching for various RM entities like risks, activities, incident and response (consequence) is now easier; this was not there in the older versions |
| IV. Operational Data Provision | | This functionality helps in indexing data in the HANA database/SAP NetWeaver BW Accelerator, which enables faster access to data for analysis |
| V. Risk Assessment/Analysis Related Enhancements | | |
| | HANA Based Key Risk Indicator (KRI) | HANA connector helps in connecting to HANA and utilizing HANA capabilities to analyze large volumes of data easily |
| | KRI Driven Analysis | Impact and probabilities can be calculated automatically, which makes Risk Analysis more accurate and easy |
| | Operational Risk Analysis | Residual Risk Analysis (Planned) can be hidden, which supports the ISO 31000 and COSO frameworks where the same is not needed |
| | Risk Analysis Guidance | This functionality shows the list of possible impacts/consequences during risk analysis and thus helps risk managers to take appropriate measures |
| | Ad-hoc Risk Escalation | Alerts Risk Managers whenever a risk crosses the Organization's Threshold Limit and helps them take immediate corrective actions |

Conclusion: The biggest advantage we feel is the enhancements made in terminologies and the flexibility to change the same with an option to transport. In the earlier version, SAP GRC Risk Management 10.0, terminologies were not globally adopted and customers could not understand and correlate the terminologies with the ones in their respective organizations, which was the biggest disadvantage. Now, the terminologies are standard (follow ISO 31000 standard) and globally adoptable. Customers can find the terminologies familiar now, which attracts their attention towards SAP GRC Risk Management. Risk Analysis is easier and faster now with the introduction of HANA features to SAP GRC Risk Management 10.1 version along with introduction of Risk Analysis Guidance, Side Panels and enhanced Entry Page. Ad-Hoc Risk Escalation option is also one of the most important enhancements made in this version. Apart from other new functionalities, Google like search option is really helpful. But, what we feel is, introduction of a few functionalities like offline mode of risk analysis and adopting mobile options in SAP GRC Risk Management will really be helpful in attracting customers further. So, we are looking forward to having these features in later versions, which would improve the adaptability of SAP GRC Risk Management solution by customers.