GRC Risk Management 10.0 and Process Control 10.0 Starter Kits
Applies to:
SAP GRC Risk Management 10.0 and SAP GRC Process Control 10.0
Summary
This document shows how customers can leverage the GRC Risk Management and GRC Process Control specific content provided in three starter kits: Risks Library, Controls Library, and KRI Library. This document is a how-to guide that describes a repeatable process using GRC Content Lifecycle Management (CLM) to leverage SAP-provided content libraries as well as other similar content sourced by customers.
Author:
Satyen Paneri
Company:
Created on:
Version 1.0
Document History
Document Version
Description
1.00
Initial version
GRC Risk Management 10.0 and Process Control 10.0 Starter Kits
1. Business Scenario
SAP GRC customers' content needs vary by regions, geographies, lines of business, industries, business processes, business objectives, and regulations. In addition, regulatory requirements change frequently, especially in some industries such as Financial Services and Healthcare. Customers also prefer to leverage best practice standards, frameworks, and methodologies for risk and compliance management.
Content starter kits (packages) that incorporate best practice risk and control frameworks and libraries such as COSO, Audit Standard 5, S&P, and Basel, together with a repeatable process to manage new content and content updates, can help customers get started quickly and stay on top of regulatory changes. Customers can leverage the GRC 10.0 content lifecycle management (CLM) capabilities for this process.
The challenge of content is that it keeps evolving and is never complete. The approach described in this how-to guide will help our customers better protect their value and better manage their risk, compliance, and other GRC initiatives.
2. Background Information
The content starter kits described in this document are a collection of risks, controls, and KRI catalogs. Some related master data entities such as risk drivers, impacts, business objectives, activities, business processes, regulations, control objectives, and indirect entity-level controls are also included.
The content in these starter kits by no means provides complete coverage for a business process, line of business, risk area, domain, or industry. SAP makes no such claim. It is simply a collection of content sourced from internal and external providers, organized and aggregated to the best of our abilities. It is the customer's responsibility to review, change, and use (or not use) the content packaged here.
The primary objective here is to define an Excel (XLS) based template for the risks and controls libraries along with a process to deploy the content in the GRC solutions using CLM. Customers can completely throw away the SAP-provided content, replace it with new content sourced internally or externally, and, using the templates provided, leverage the same process for deployment. The intent is to help customers get started quickly with their implementations and/or provoke additional discussions to modify and add content based on specific requirements.
The content is sourced from past projects with consulting partners such as PwC, Deloitte, and Protiviti. For all such content SAP owns the intellectual property and the same can be used by GRC customers. Some other content is sourced from best practice (free) frameworks and methodologies such as COSO II ERM, Audit Standard 5, Basel II Annexure, S&P ERM Framework, and APQC Cross-Industry Process Classification Framework (PCF). The document describes the source of content for each entity in Section 4.
October 2012
3. Prerequisites
The following software must be installed, configured, and ready to use for this how-to guide:
• GRC 10.0 (Process Control and Risk Management) with the latest service package.
This document also assumes that the user is familiar with PC, RM, and CLM functionality and usage. For additional help please refer to the following.
4.
This section describes a repeatable process (providing template definitions and using CLM) for
customers to leverage content provided by the following three starter kits:
The content in these starter kits is included in the associated ZIP file.
The Controls Library and the Risks Library XLS documents also provide the template for any similar content that customers may source internally or externally.
4.1
...
4.1.1
Worksheet | Content Details | Content Source
Regulations | |
Risks | |
Business Processes | Listing of Business Processes and Subprocess structure. Where applicable, Subprocesses are linked with Regulations, Control Objectives, and Risks. |
Control Objectives | |
Controls | |
4.1.2
The Controls Starter Kit Excel (XLS) document also serves as a simple template for managing and
deploying the SAP provided content or similar content that customers may have developed internally
or sourced from a third-party.
In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple
and does not capture all the entity relationships that are possible within GRC Process Control. The
objective is that listings of basic master data entities can be managed with this template. Once
deployed in the system users can then create the relationships using GRC Process Control.
4.1.3
Worksheet
Content Details
Content Source
Driver Categories
Impact Categories
Objectives
Activities
Risk Catalog
Response Catalog
4.1.4
The Risks Starter Kit Excel (XLS) document also serves as a simple template for managing and
deploying the SAP provided content or similar content that customers may have developed internally
or sourced from a third-party.
In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple
and does not capture all the entity relationships that are possible within GRC Risk Management. The
objective is that listings of basic master data entities can be managed with this template. Once
deployed in the system users can then create the relationships using GRC Risk Management.
4.1.5
The content in these starter kits by no means provides complete coverage for a business process, line of business, risk area, domain, or industry. SAP makes no such claim. It is simply a collection of content sourced from internal and external providers, organized and aggregated to the best of our abilities. It is the customer's responsibility to review, change, and use (or not use) the content packaged here. Rather, the purpose of this how-to guide is to describe content templates along with a repeatable process using CLM to manage and deploy content.
Prior to content import, customers are expected to review, filter, and update the content as necessary. Some key suggestions:
• Unique IDs are included in these service packs with a prefix. These IDs are simply generated for ease of use and may not match the customer requirements. Hence, these will need to be reviewed and updated.
• All IDs are mapped to the name attribute for each entity. This might not be applicable for most customers and as such will need to be reviewed and updated. However, note that the name attributes support only 40 characters in length. The Excel (XLS) templates and the CLM templates will support unlimited characters, but during import these attributes will get truncated to the first 40 characters.
• It is not expected that all content in the starter kits will be applicable for a customer. Hence, the customer will first need to review and remove unwanted content. Customers can also choose to ignore entire entities that are not applicable.
• To keep things simpler, the content does not attempt to define the entity relationships. Customers can either define these entity relationships in the templates or import the content and define the entity relationships using the GRC Process Control and Risk Management solutions. The import procedure described in Section 4.1.6 below does not include import of most entity relationships.
• Different content, sourced either internally or from external third parties, can be managed and deployed by first translating the content into the template format provided and then using the import procedure described in Section 4.1.6.
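A pre-import check for the suggestions above, as an added example that is not part of the original guide or of SAP's tooling. It assumes a worksheet has been saved as CSV with the ID, Name, Description and Parent columns used by the CLM worksheets, treats Name as mandatory (an assumption), and runs on constructed sample rows; beyond the ID and 40-character points it also checks that every Parent value refers to a defined row.

```python
import csv
import io
from collections import defaultdict

NAME_LIMIT = 40  # name attributes are cut to the first 40 characters on import

# Constructed sample rows (not starter-kit content), as if a worksheet were saved as CSV.
SAMPLE_CSV = """ID,Name,Description,Parent
RC-001,Management Risks,Top-level category,
RC-002,Compliance,Compliance risks,RC-001
RC-003,Regulation compliance risks arising from new reporting duties,Long name,RC-002
RC-004,Regulation compliance risks arising from new reporting rules,Long name,RC-002
RC-004,Duplicate identifier,Same ID as the previous row,RC-002
RC-005,Orphaned category,Parent is not defined anywhere,RC-999
RC-006,,Mandatory name is missing,RC-001
"""


def load_rows(text):
    """Parse worksheet rows saved as CSV and strip whitespace around every cell."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def validate(rows, known_parent_ids=()):
    """Return sorted (row_number, id, problem) tuples for one worksheet.

    known_parent_ids lists IDs defined elsewhere (for example in another
    worksheet) that are acceptable Parent values.
    """
    findings = []
    seen_ids = {}                     # ID -> row where it was first used
    by_truncated = defaultdict(list)  # name as stored after import -> rows
    all_ids = {r["ID"] for r in rows if r["ID"]} | set(known_parent_ids)

    for n, row in enumerate(rows, start=2):  # row 1 is the header
        rid, name, parent = row["ID"], row["Name"], row.get("Parent", "")
        if not rid:
            findings.append((n, rid, "missing ID"))
        elif rid in seen_ids:
            findings.append((n, rid, f"duplicate ID (first used in row {seen_ids[rid]})"))
        else:
            seen_ids[rid] = n
        if not name:
            findings.append((n, rid, "missing mandatory Name"))
        else:
            if len(name) > NAME_LIMIT:
                kept = name[:NAME_LIMIT]
                findings.append((n, rid, f"Name is {len(name)} chars; import keeps {kept!r}"))
            by_truncated[name[:NAME_LIMIT].casefold()].append((n, rid, name))
        if parent and parent not in all_ids:
            findings.append((n, rid, f"Parent {parent!r} is not defined"))

    # Different names that become identical once cut to 40 characters.
    for group in by_truncated.values():
        if len({name for _, _, name in group}) > 1:
            for n, rid, _ in group:
                findings.append((n, rid, "Name is not unique after truncation to 40 characters"))
    return sorted(findings)


if __name__ == "__main__":
    for row_number, rid, problem in validate(load_rows(SAMPLE_CSV)):
        print(f"row {row_number} [{rid}]: {problem}")
```

Run it on each worksheet before copying rows into the CLM template; an empty result means none of these four problems were found.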
4.1.6
This section provides a quick CLM primer focused on its intended use here, the upload of external content. This is critical as it will be applicable when executing the import procedure. Please note that it is not the purpose of this document to be a CLM user guide. See the GRC Process Control 10.0 CLM User Guide for more details.
The following details about CLM functionality should be noted:
• The primary usage of CLM is to manage content deployments between GRC landscapes for customers and partners. The CLM mass edit functionality is being leveraged here to import external content included in the starter kits.
• CLM supports two kinds of formats: Hierarchical XML Schema and Flat XML Schema, which is essentially the Excel (XLS) interface.
• CLM supports both schema formats for GRC Process Control and only the Hierarchical XML Schema for GRC Risk Management. However, only the Flat XML Schema (Excel interface) is used for editing. Customers can also edit using the Hierarchical XML Schema, but working directly with XML documents is very cumbersome.
o Hence, this document can only leverage the Flat XML Schema for GRC Process Control, and not all entities in the Controls and Risks Starter Kit can be imported. However, since all the content is master data related and master data entities are common GRC 10.0 components, most data can be imported.
o All entities except the Objectives and Activities catalogs from the Risks Starter Kit can be imported with the Flat XML Schema. The Hierarchical XML Schema for GRC Risk Management can be used to import the Objectives and Activities catalogs.
• Although CLM handles content package differences, such capabilities can't be leveraged here as this is external content. After a first-time deployment of the content, CLM will generate and assign unique identifiers (IDs) for each record. As these unique identifiers are not part of the external content in these starter kits, the CLM differences capabilities can't be used. Of course, once the content is deployed to a particular landscape it can be transported with differences management within CLM. In other words, the purpose here is to import once and then manage content across multiple landscapes with CLM. Of course the process can be repeated for new (additional) content imports.
4.1.7
4.1.7.1
Review and update (change, delete, add) the content in the Controls and Risks Starter Kit.
Save the changes as a new file/document.
4.1.7.2
Ensure that CLM is configured and setup to extract and deploy content to the GRC Process
Control Landscape you need.
Check that CLM error logging is enabled on the GRC Process Control Landscape. Using
transaction SM30 enter GRFNVLOGENABLE in Table/View and Click Display.
For CLM system extraction error log enter /POA/CLM in Object and CHECKPOINT in
Subobject
4.1.7.3
Open the downloaded XLSM file using Microsoft Excel. The GRC Process Control CLM schema
includes all configuration and master data entities. The table below shows the type of each entity
(XLS Worksheet) in the schema.
Data Type
Configuration
Master Data
The content in the Controls and Risks Starter Kit only maps to some of the entities in the CLM
schema. Hence, as part of the update procedure you only need to update some worksheets in the
document. Table below shows this mapping.
Starter Kit Worksheet | CLM Entity
Regulations | Regulation Group, Regulation, Regulation Requirement
Risks | Risk Category, Risk Template
Business Processes | Central Process, Central Subprocess
Control Objectives | Control Objective
Controls | Central Control
Indirect ELCs |
Driver Categories | Driver Category
Impact Categories | Impact Category
Risk Catalog | Risk Category, Risk Template
Content in the remaining worksheets can be left as is. During deployment CLM will find that there are
no changes in these other worksheets and will simply ignore this content.
The sections below describe how to map the content from the starter kit worksheets into the
corresponding CLM worksheets. Please note the following general principles for updating data in the
CLM worksheets:
• To insert new data, expand the dark and blue shaded rows. If you add new data directly in the white background rows without expanding the shaded rows, CLM will ignore this new content.
o Screen below shows correct updates
[Screenshot: CLM worksheet with columns ID, Name, and Description; IDs IMPCAT/0000000101 to IMPCAT/0000000105; names Quality, Customer Service, Expenses, Revenue, Loss of revenues]
• Each CLM worksheet/entity has an ID column. Some worksheets have additional ID columns to specify entity relationships. IDs can be specified in any format as long as there is a unique ID for each new element. CLM will use the unique ID to determine the new elements to be added and will also replace the ID with internally generated IDs.
o For purposes of this procedure it is recommended to create these unique IDs using the format specified in each of the sections below.
Either delete all rows from the Driver Category and Impact Category CLM worksheets or insert
new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Impact Category
Columns: ID, Name, Description
CLM Entity: Driver Category
Columns: ID, Name, Description
NOTE: In testing/validations so far, CLM is not importing updates to any configuration data elements. Hence, during the content upload the Driver Category and Impact Category are not getting deployed. However, the good part is that these two are the only configuration data elements from the Controls and Risks Starter Kits. Once this issue is resolved, the procedure described above will work.
There is also a simple workaround to add new Driver Categories and Impact Categories:
1. Log on to the backend and open the IMG (transaction SPRO).
2. Open the Governance, Risk and Compliance --> Shared Master Data Settings --> Risk and Opportunity Attributes --> Maintain Impact Categories IMG entry and add the new data manually.
3. For bulk update, copy (Ctrl+C) data from the starter kits and update the IMG entry with (Ctrl+Y followed by Ctrl+V).
4. Repeat steps 2 and 3 for Governance, Risk and Compliance --> Shared Master Data Settings --> Risk and Opportunity Attributes --> Maintain Driver Categories.
Mapping Regulations
Before the new Regulations deployed from the starter kit content can be used, users must define a new Regulation Configuration for each new regulation that needs to be used. Please see the Multi-Compliance Framework document for the procedure for performing this setup.
Please note that a regulation is quite a complex object in GRC Process Control and requires a lot of setup in the IMG prior to use. As the document above will show, this can be quite time consuming. Hence, it is important to first identify which regulations need to be deployed as part of Step 1 above before proceeding further here.
Another CLM nuance is the requirement to have at least one Regulation Group and Regulation with the associated Regulation Configuration defined in the GRC Landscape. Hence the CLM Regulation worksheet should have at least one row of data. Although we are adding new regulations as part of content deployment, the CLM upload fails unless there is one existing regulation defined and extracted in Step 2 above.
CLM Entity: Regulation Group
Columns: ID, Name, Parent
CLM Entity: Regulation
Columns: ID, Name, Description, Parent, Assign Regulation Configuration
CLM Entity: Regulation Requirement
Columns: ID, Name, Parent
Hence here the Risks worksheet in the Controls Starter Kit and the Risk Catalog worksheet in the Risks Starter Kit will both be mapped for deployment.
The Risk Catalog worksheet in the Risks Starter Kit consists of risk categories and risk templates. But the Risks worksheet in the Controls Starter Kit is simply a list of risk templates. Hence, the first step is to assign (choose) a parent Risk Category from the available structure in the Risk Catalog for these risk templates.
Here all the risk templates from the Controls Starter Kit will be deployed under the Management Risks --> Compliance --> Regulation compliance risks risk category. This new Regulation compliance risks category does not exist in the Risks Starter Kit but will be created in the CLM upload data. Customers can choose to define these control risk templates with any category name mapped anywhere in the risk catalog.
Either delete all rows from the Risk Category CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Risk Category
Columns: ID, Name, Parent
The Risks Catalog in the Risks Starter Kit defines a five-level hierarchical categorization structure. This structure needs to be captured in the Risk Category CLM worksheet.
Add a new row for the Regulation compliance risks category under the Management Risks --> Compliance parent category.
Either delete all rows from the Risk Template CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Risk Template
Columns: ID, Name, Description, Parent
Review the parent entries such that the risk catalog structure described in the Controls and Risks
Starter Kit is replicated in the CLM worksheets.
Either delete all rows from the Control Objective CLM worksheet or insert new rows as described
below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Control Objective
Columns: ID, Name, Description, Objective Category
Either delete all rows from the Central Process CLM worksheet or insert new rows as described
below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Central Process
Columns: ID, Name, Parent
The Business Processes in the Controls Starter Kit defines a two level hierarchical categorization
structure. This structure needs to be captured in the Central Process CLM Worksheet.
Either delete all rows from the Central Subprocess CLM worksheet or insert new rows as
described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Central Subprocess
Columns: ID, Name, Parent
Review the parent entries such that the Process and Subprocess structure described in the
Controls Starter Kit is replicated in the CLM worksheets.
Mapping Controls
The Controls worksheet in the Controls Starter Kit defines the controls library to be deployed. The
Control mappings with Regulations and Risks are shown in the starter kit. This procedure does
not describe the upload for these entity relationships and will only deploy the list of controls. Such
entity relationships can be defined by the customer later using the system.
Either delete all rows from the Central Control CLM worksheet or insert new rows as described
below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity
Column
Central Control
ID
Name
Description
Parent
Is Control
Automation
Control Purpose
Allow Refer
Date or Event
To Be Tested
Review the parent entries such that the Control is tied with the correct Subprocess as described
in the Controls Starter Kit.
The other control attributes defined above are mandatory control attributes in the system and need
default values to avoid errors during content deployment.
Either delete all rows from the Central IELC Group CLM worksheet or insert new rows as
described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity
Column
ID
Name
Description
Parent
The Indirect ELCs in the Controls Starter Kit defines a two level hierarchical categorization
structure. This structure needs to be captured in the Central IELC Group CLM Worksheet.
Either delete all rows from the Central ELC CLM worksheet or insert new rows as described
below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Central ELC
Columns: ID, Name, Description, Parent
Review the parent entries such that the Indirect ELCs structure described in the Controls Starter
Kit is replicated in the CLM worksheets.
After completion of Step 3: Update CLM Template as described above, the resulting CLM template (PC 10.0 CLM Upload.ZIP) is included in the associated ZIP file.
NOTE: Customers cannot skip Step 3: Update CLM Template above and proceed directly with the above ZIP file. This is because the CLM template will look a little different based on the GRC Process Control Landscape where the new content will be deployed. Hence, customers will need to complete this step as described. The above file is simply a sample for comparison. Moreover, customers will not deploy all the starter kit content as is, and Step 1: Data Preparation will result in a somewhat different content set.
4.1.7.4
• Save the updated CLM template as XML. Go to the Developer tab in Excel and click Export to save the document as XML with a new name.
o If you don't see the Developer tab, go to Excel Options and check the Show Developer tab in the Ribbon checkbox under Popular options.
o The XML file generated (GRC RM and PC Starter Kits.XML) is included in the associated ZIP file.
o NOTE: The above XML file can be directly uploaded into CLM, but customers cannot skip Step 3: Update CLM Template above. This is because this XML file will be different based on the outcome of this step and the customer's requirements. The above file is simply a sample for comparison.
• Using the Mass Edit --> Upload from Excel option, find and upload the saved XML document. Note that you need to use the Upload from Excel option and select the XML file for upload.
• In case of errors please use transaction SLG1 on the CLM system backend for the error log.
o For the CLM deployment error log enter /POA/CLM in Object and DEPLOYMENT in Subobject.
4.1.7.5
Select the uploaded XML content group and deploy using the Deploy button and choosing the
same GRC Process Control Landscape as used in Section 4.1.7.2.
In case of deployment errors please use transaction SLG1 to check error logs on the GRC
Process Control Landscape:
o Enter GRFN in Object --> Enter IO_IMPORT in Subobject
4.1.8
As mentioned above, the Objectives and Activities catalogs from the Risks Starter Kit cannot be imported with the Flat XML Schema. Customers have the following options for importing these catalogs:
• Import using the Hierarchical XML Schema for GRC Risk Management. Editing XML documents can be very cumbersome and this process is not described in this document.
• Set up the content manually in the GRC Risk Management system.
The Objectives catalog is generally not very long and only consists of two levels of hierarchy: Strategy and Objective. It is not very time consuming to set up manually. Additionally, this is only relevant for customers documenting and managing risks within the context of business objectives.
The Activities catalog is long and manual setup can be cumbersome. Note that in GRC Risk Management there is Master Data --> Activities and Processes --> Activity Hierarchy and Assessments --> Risk Assessments --> Activities. Only the Activity Hierarchy is the master data entity and supported by CLM. Activities (Activity Hierarchy tied with an Organization and Owner(s)) is the transactional entity and is not supported by CLM. However, only Activities can be used with Risks; hence Activities will need to be created from the Activity Hierarchy to leverage the content.
The Activities worksheet in the Risks Starter Kit shows the Activity Hierarchy as a three-level taxonomy (Columns B, C, and D). The leaf level (Column E) is mapped as Activities. Again, this is just an SAP recommendation and customers can choose to update and map this content to meet their needs.
The Activity Hierarchy (master data) elements will have to be manually created. But the Activities (transactional data) can be uploaded directly in the system as shown below:
Go to Assessments --> Risk Assessments --> Activities.
Click Download. This will generate an Excel (XLS) document of the Activities defined in the system.
Open the Excel file.
To import new Activities delete the contents of the Excel file and add new content with the following
mapping procedure below. To update existing Activities simply keep the rows and update directly.
Column
Value
Activity ID
Activity
Activity Category ID
Activity Category
Orgunit ID
Organization
Organization name
Activity Description
Start Date
End Date
Save the updated Excel (XLS) document and click Upload to attach and import new (and/or updated)
Activities content.
Please note that similar Upload/Download is also supported for the transactional entities of Risks
and Incidents.
4.2
...
4.2.1
Worksheet | Content Details | Content Source
KRIs by Risk Drivers | |
KRIs by Risk Categories | |
KRIs by Top Industry Risks | |
4.2.2
The intent of this library is to get customers started with KRIs quickly and/or, in most cases, guide the discussion to identify the right set of KRIs based on specific risks, risk drivers, and risk categories. Some of the KRIs include a listing of an SAP Source System that can be used to automate the KRI. Again, the intent here is simply to initiate discussions and point customers in the right direction for KRI automation.
The KRIs listed here can easily be leveraged in the GRC Risk Management solution as manual KRIs. Please refer to Appendix A for details on how to set up and use a manual KRI. Our recommendation for customers is to implement applicable KRIs as manual KRIs and plan for automation in a later project phase.
5. Appendix
5.1 Appendix A: Using Manual Key Risk Indicators (KRIs)
This appendix describes the procedure for setting up and using manual key risk indicators (KRIs) along with the associated business rules. The procedure also describes how users can enter manual values for the KRIs and trigger business rule evaluation.
GRC Risk Management Service Pack 05 introduces the ability to set up and use manual KRIs. Earlier, KRIs were automated and needed to be tied with either an SAP Query, an SAP BW Query, or a Web Service to fetch the indicator value. Manual KRIs allow users to enter the indicator value manually and trigger business rule evaluation.
Automated KRIs can require significant implementation time and the right kind of consultants for setup and use. Manual KRIs can be set up directly by Risk Owners and Managers and used immediately. Moreover, KRIs are most widely used in risk management in a financial services industry context. Here most KRIs are aggregations of values sourced from multiple internal and external systems, making KRI automation all the more difficult and time consuming. Many financial services customers may also rely on an external monitoring service to gather KRI values. In such instances manual KRIs offer a quick and efficient way to leverage KRIs for risk and organizational monitoring.
Please note that the nature of the KRI function is the same for the automated and manual types, with the only difference being how the indicator value is sourced. The definition of KRI business rules and their evaluation also remains the same. This appendix does not describe how KRIs work in GRC Risk Management but only how manual KRIs can be set up and used. It is assumed that the user is familiar with the KRI function in GRC Risk Management.
Example
Consider the risk "Litigations resulting from mispricing" under the Retail Banking business unit. The user would like to set up the following manual KRIs for risk monitoring:
KRI | KRI Template (Value Type) | Description
KRI_10118 | Numeric (Count) |
KRI_10119 | Numeric (Count) |
KRI_10120 | Percentage |
KRI_10121 | Monetary Amount (Currency) |
For risk monitoring user would like to define the following two business rules:
Business Rule
Description
Monitoring Criteria
Monitor accounts
affected by mispricing
The user would like to provide the following values manually for the KRIs, which should result in a violation of both the above business rules.
KRI | Value
KRI_10118 | 1,250.00
KRI_10119 | 55.00
KRI_10120 | 48.00 %
KRI_10121 | EUR 20,000,000.00
Procedure
Step 1: Setup KRI Templates
Set up (or check for) the necessary KRI Templates. For this example three KRI Templates should be defined: Numeric (Count), Percentage, and Monetary Amount (Currency). KRI Template definition is the same for automated and manual KRIs.
KRI Templates are available under Rule Setup --> Key Risk Indicators --> KRI Templates. Open the KRI Template Catalog list and define the necessary templates. The screenshot below shows the definition of the Percentage KRI Template. Note that the System, Business Process, and Component attributes are neither mandatory nor relevant for manual KRIs.
This will setup the manual KRI instance. Repeat the steps to define the other three KRIs as shown
below.
Both business rules have now been defined as shown below. Save the risk or the organizational
entity.
Here the user can enter individual values for a KRI instance, or upload a file with a list of historical
values by choosing the Input via File Upload mode and selecting the KRI instance.
Click the 0 KRI Instances selected link at the bottom left. Find the four KRIs (KRI_10118, KRI_10119,
KRI_10120, and KRI_10121), select them, and move them to the right-hand side. Click OK.
Click Next. Here the user can see the previously provided values and can enter new values. If the KRI
values are being entered for the first time, the previous values column will be blank. Note that, based
on the KRI Template type, the user will have to select a currency code (EUR) for the monetary amount
KRI_10121. The system treats percentages as numeric values, so it does not show any special
markings, but for KRI_10120 please enter values between 1 and 100.
For the Input via File Upload mode, the user can download a template from the Get Template link. The
template (XML or Excel) can be populated with historical values and uploaded here.
Click Next. Review the new values. The Change column indicates whether the values are going up,
going down, or remaining the same compared with the previous values. If necessary, the user can click
Previous to change the values.
Click Finish. This will update the KRI values and trigger business rule evaluation. This step is the
same as running the GRRM_KRI_RUNTIME backend program to fetch values for the automated KRIs
and evaluate business rules.
Click Close.
6. Copyright
© 2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior
notice.