
GRC Risk Management 10.0 and Process Control 10.0 Starter Kits

Applies to:
SAP GRC Risk Management 10.0 and SAP GRC Process Control 10.0

Summary
This document shows how customers can leverage GRC Risk Management and GRC Process Control specific content provided in three starter kits: Risks Library, Controls Library, and KRI Library. This document is a how-to guide that describes a repeatable process using GRC Content Lifecycle Management (CLM) to leverage SAP provided content libraries as well as other similar content sourced by customers.
Author: Satyen Paneri

Company: Governance, Risk, and Compliance Analytics Division

Created on: September 20, 2012

Version 1.0

SAP COMMUNITY NETWORK
© 2012 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Document History

Document Version | Description
1.00 | Initial version


Typographic Conventions

Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Description
(icon) | Caution
(icon) | Note or Important
(icon) | Example
(icon) | Recommendation or Tip


Table of Contents

1. Business Scenario ......... 1
2. Background Information ......... 1
3. Prerequisites ......... 2
4. GRC Content Starter Kits ......... 3
  4.1 Controls and Risks Starter Kits ......... 3
    4.1.1 Controls Starter Kit Content Details ......... 3
    4.1.2 Controls Starter Kit Template Details ......... 4
    4.1.3 Risks Starter Kit Content Details ......... 4
    4.1.4 Risks Starter Kit Template Details ......... 4
    4.1.5 Recommended Usage and Restrictions ......... 5
    4.1.6 Quick CLM Primer ......... 5
    4.1.7 Import Procedure using CLM ......... 6
    4.1.8 Importing Objectives and Activities Catalog ......... 17
  4.2 KRI Starter Kit ......... 19
    4.2.1 KRI Starter Kit Content Details ......... 19
    4.2.2 Using KRIs from the Starter Kit ......... 19
5. Appendix ......... 20
  5.1 Appendix A Using Manual Key Risk Indicators (KRIs) ......... 20
6. Copyright ......... 1


GRC Risk Management 10.0 and Process Control 10.0 Starter Kits

1. Business Scenario

SAP GRC customers' content needs vary by region, geography, line of business, industry, business process, business objective, and regulation. In addition, regulatory requirements change frequently, especially in some industries such as Financial Services and Healthcare. Customers also prefer to leverage best practice standards, frameworks, and methodologies for risk and compliance management.
Content starter kits (packages) that incorporate best practice risk and control frameworks and libraries such as COSO, Audit Standard 5, S&P, and Basel, along with a repeatable process to manage new content and content updates, can help customers get started quickly and stay on top of regulatory changes. Customers can leverage the GRC 10.0 content lifecycle management (CLM) capabilities for this process.
The challenge with content is that it keeps evolving and is never complete. The approach described in this how-to guide will help our customers better protect their value and better manage their risk, compliance, and other GRC initiatives.

2. Background Information

The content starter kits described in this document are a collection of risks, controls, and KRI catalogs. Some related master data entities such as risk drivers, impacts, business objectives, activities, business processes, regulations, control objectives, and indirect entity-level controls are also included.
The content in these starter kits by no means provides complete coverage for a business process, line of business, risk area, domain, or industry. SAP makes no such claim. It is simply a collection of content sourced from internal and external providers, organized and aggregated to the best of our abilities. It is the customer's responsibility to review, change, and use (or not use) the content packaged here.
The primary objective here is to define an Excel (XLS) based template for the risks and controls libraries along with a process to deploy the content in the GRC solutions using CLM. Customers can completely throw away the SAP provided content, replace it with new content sourced internally or externally, and, using the templates provided, leverage the same process for deployment. The intent is to help customers get started quickly with their implementations and/or provoke additional discussions to modify and add content based on specific requirements.
The content is sourced from past projects with consulting partners such as PwC, Deloitte, and Protiviti. For all such content SAP owns the intellectual property and the same can be used by GRC customers. Some other content is sourced from best practice (free) frameworks and methodologies such as COSO II ERM, Audit Standard 5, Basel II Annexure, S&P ERM Framework, and APQC Cross-Industry Process Classification Framework (PCF). The document describes the source of content for each entity in Section 4.

October 2012

GRC Risk Management 10.0 and Process Control 10.0 Starter Kits

3. Prerequisites

The following software must be installed, configured, and ready to use for this how-to guide:

• GRC 10.0 (Process Control and Risk Management) with the latest service package.
• GRC 10.0 Content Lifecycle Management (CLM)

This document also assumes that the user is familiar with PC, RM, and CLM functionality and usage. For additional help please refer to the following:

• GRC Risk Management 10.0 Help Portal
• GRC Process Control 10.0 Help Portal
• GRC Process Control 10.0 CLM User Guide


4. GRC Content Starter Kits

This section describes a repeatable process (providing template definitions and using CLM) for customers to leverage content provided by the following three starter kits:

• Controls Starter Kit
• Risks Starter Kit
• KRI Starter Kit

The content in these starter kits is included in the associated ZIP file.
The Controls Library and the Risks Library XLS documents also provide the template for any similar content that customers may source internally or externally.

4.1 Controls and Risks Starter Kits

...

4.1.1 Controls Starter Kit Content Details

Worksheet | Content Details | Content Source
Regulations | Listing of Regulation Groups and Regulations. | Aggregation of all Process Control specific content acquired by SAP from projects with Deloitte and Protiviti. SAP owns the intellectual property for this content.
Risks | Listing of control specific Risks. | (as above)
Business Processes | Listing of Business Processes and Subprocess structure. Where applicable, Subprocesses are linked with Regulations, Control Objectives, and Risks. | (as above)
Control Objectives | Listing of Control Objectives. | (as above)
Controls | Listing of Controls organized by Subprocesses. Where applicable, Controls are linked with Regulations and Risks. | (as above)
Indirect Entity Level Controls | Listing of Indirect Entity Level Control Groups and Controls. | Draft of the updated COSO Internal Control Integrated Framework available for public comments. The framework updates are proposed by PwC and the COSO Advisory Council. The Indirect ELC Groups and Controls are the principles and attributes proposed for the COSO components.


4.1.2 Controls Starter Kit Template Details

The Controls Starter Kit Excel (XLS) document also serves as a simple template for managing and deploying the SAP provided content or similar content that customers may have developed internally or sourced from a third party.
In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple and does not capture all the entity relationships that are possible within GRC Process Control. The objective is that listings of basic master data entities can be managed with this template. Once deployed in the system, users can then create the relationships using GRC Process Control.

4.1.3 Risks Starter Kit Content Details

Worksheet | Content Details | Content Source
Driver Categories | Listing of Risk Drivers / Causes. | SAP Internal GRC Solution Management and Solution Marketing
Impact Categories | Listing of Business Impacts / Consequences. | (as above)
Objectives | Listing of Business Objectives. | APQC Cross-Industry Process Classification Framework (PCF). This content is freely available for APQC members and also for any user registered with APQC. SAP is a registered APQC customer. Please note that this content can be used freely with customers with the express notification of the content source, APQC.
Activities | Listing of Business Activities / Processes. | (as above)
Risk Catalog | Risk Classification structure along with Risk Templates. The Risk Catalog is also organized by industry-specific taxonomies. | The Risk Catalog is a combination of content sourced from the Basel II Annexure and the S&P ERM Framework. The Basel II taxonomies are applicable for Financial Services (Banking and Insurance). The non-financial industry taxonomies are based on the S&P ERM Framework.
Response Catalog | Listing of Risk Responses. | SAP Internal GRC Solution Management and Solution Marketing

4.1.4 Risks Starter Kit Template Details

The Risks Starter Kit Excel (XLS) document also serves as a simple template for managing and deploying the SAP provided content or similar content that customers may have developed internally or sourced from a third party.
In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple and does not capture all the entity relationships that are possible within GRC Risk Management. The objective is that listings of basic master data entities can be managed with this template. Once deployed in the system, users can then create the relationships using GRC Risk Management.

4.1.5 Recommended Usage and Restrictions

The content in these starter kits by no means provides complete coverage for a business process, line of business, risk area, domain, or industry. SAP makes no such claim. It is simply a collection of content sourced from internal and external providers, organized and aggregated to the best of our abilities. It is the customer's responsibility to review, change, and use (or not use) the content packaged here. Rather, the purpose of this how-to guide is to describe content templates along with a repeatable process using CLM to manage and deploy content.
Prior to using this content, customers are expected to review, filter, and update the content as necessary before proceeding with content import. Some key suggestions:

• Unique IDs are included in these service packs with a prefix. These IDs are simply generated for ease of use and may not match the customer requirements. Hence, these will need to be reviewed and updated.
• All IDs are mapped to the name attribute for each entity. This might not be applicable for most customers and as such will need to be reviewed and updated. However, note that the name attributes support only 40 characters in length. The Excel (XLS) templates and the CLM templates will support unlimited characters, but during import these attributes will get truncated to the first 40 characters.
• It is not expected that all content in the starter kits will be applicable for a customer. Hence, the customer will first need to review and remove unwanted content. Customers can also choose to ignore entire entities that are not applicable.
• The content does not attempt to define the entity relationships, to keep things simpler. Customers can either define these entity relationships in the templates or import the content and define the entity relationships using the GRC Process Control and Risk Management solutions. The import procedure described in Section 4.1.6 below does not include import of most entity relationships.
• Management and deployment of different content, either sourced internally or from external third parties, is possible first by translating the content into the template format provided and then using the import procedure described in Section 4.1.6.
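The review points above (unique prefixed IDs, the 40-character limit on name attributes, and parent references that must resolve) can be checked before anything is uploaded. The following Python check is an added example for this guide and is not part of the starter kits or of CLM; it works on rows already read out of a worksheet (as dicts keyed by column header), the ID pattern PREFIX/00000001 follows the import procedure's convention, and the sample Impact Category rows are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Name attributes are truncated to their first 40 characters on import (Section 4.1.5).
NAME_MAX_LEN = 40
# ID convention used by the import procedure: an upper-case prefix, a slash, eight digits.
ID_PATTERN = re.compile(r"^[A-Z_]+/\d{8}$")


@dataclass
class Finding:
    row: int        # 1-based row number within the worksheet
    level: str      # "error" blocks the import, "warning" should be reviewed
    message: str


def imported_name(name):
    """The value the system will actually store for a Name cell."""
    return name[:NAME_MAX_LEN]


def validate_sheet(rows, id_prefix):
    """Check one CLM-style worksheet: rows are dicts with ID, Name and optionally Parent."""
    findings = []
    first_row_of = {}                                   # ID -> row where it first appeared
    known_ids = {(r.get("ID") or "").strip() for r in rows}
    for n, row in enumerate(rows, start=1):
        rid = (row.get("ID") or "").strip()
        name = row.get("Name") or ""
        parent = (row.get("Parent") or "").strip()
        if not rid:
            findings.append(Finding(n, "error", "missing ID"))
        else:
            if rid in first_row_of:
                findings.append(Finding(n, "error",
                                        f"duplicate ID {rid!r} (first used in row {first_row_of[rid]})"))
            else:
                first_row_of[rid] = n
            if not (ID_PATTERN.match(rid) and rid.startswith(id_prefix + "/")):
                findings.append(Finding(n, "warning",
                                        f"ID {rid!r} does not follow the {id_prefix}/00000001 format"))
        if not name.strip():
            findings.append(Finding(n, "error", "missing Name"))
        elif len(name) > NAME_MAX_LEN:
            findings.append(Finding(n, "warning",
                                    f"Name exceeds {NAME_MAX_LEN} characters and would be imported as "
                                    f"{imported_name(name)!r}"))
        # A Parent must point at an ID present in the same worksheet, or the hierarchy breaks.
        if parent and parent not in known_ids:
            findings.append(Finding(n, "error",
                                    f"Parent {parent!r} does not match any ID in this worksheet"))
    return findings


def has_blocking_errors(findings):
    return any(f.level == "error" for f in findings)


# Constructed sample rows (not the starter kit's real content) with three typical defects.
SAMPLE_IMPACT_CATEGORIES = [
    {"ID": "IMPCAT/00000001", "Name": "Quality",
     "Description": "Decline in product or service quality"},
    {"ID": "IMPCAT/00000002", "Name": "Customer Service",
     "Description": "Decline in customer service levels"},
    {"ID": "IMPCAT/00000002", "Name": "Expenses",                     # duplicate ID
     "Description": "Increase in expenses / costs"},
    {"ID": "IMPCAT/4", "Name": "Revenue",                             # wrong ID format
     "Description": "Loss of revenues"},
    {"ID": "IMPCAT/00000005",                                         # Name longer than 40 chars
     "Name": "Information Reliability and Integrity of Management Reporting",
     "Description": "Unreliable business information"},
]

if __name__ == "__main__":
    for f in validate_sheet(SAMPLE_IMPACT_CATEGORIES, "IMPCAT"):
        print(f"row {f.row}: {f.level}: {f.message}")
```

Run the check once per worksheet with that worksheet's prefix (IMPCAT, DRVCAT, CRGROUP, and so on); an "error" finding means the sheet should not be uploaded yet, while a truncation warning tells you exactly which Name cells to shorten by hand rather than letting the import cut them silently.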

4.1.6 Quick CLM Primer

This section provides a quick CLM primer for the intended usage here, external content upload. This is critical as it will be applicable when executing the import procedure. Please note that it is not the purpose of this document to be a CLM user guide. See the GRC Process Control 10.0 CLM User Guide for more details.
The following details about CLM functionality should be noted:

• The primary usage of CLM is to manage content deployments between GRC landscapes for customers and partners. The CLM mass edit functionality is being leveraged here to import external content included in the starter kits.
• CLM supports two kinds of formats, the Hierarchical XML Schema and the Flat XML Schema; the latter is essentially the Excel (XLS) interface.
• CLM supports both schema formats for GRC Process Control and only the Hierarchical XML Schema for GRC Risk Management. However, only the Flat XML Schema (Excel interface) is used for editing. Customers can also edit using the Hierarchical XML Schema, but working directly with XML documents is very cumbersome.
  o Hence, this document can only leverage the Flat XML Schema for GRC Process Control, and not all entities in the Controls and Risks Starter Kit can be imported. However, since all the content is master data related and master data entities are common GRC 10.0 components, most data can be imported.
  o All entities except the Objectives and Activities catalogs from the Risks Starter Kit can be imported with the Flat XML Schema. The Hierarchical XML Schema for GRC Risk Management can be used to import the Objectives and Activities catalogs.
• Although CLM handles content package differences, such capabilities cannot be leveraged here as this is external content. After a first time deployment of the content, CLM will generate and assign unique identifiers (IDs) for each record. As these unique identifiers are not part of the external content in these starter kits, the CLM differences capabilities cannot be used. Of course, once the content is deployed to a particular landscape it can be transported with differences management within CLM. In other words, the purpose here is to import once and then manage content across multiple landscapes with CLM. Of course, the process can be repeated for new (additional) content imports.

4.1.7 Import Procedure using CLM

4.1.7.1 Step 1: Data Preparation

• Review and update (change, delete, add) the content in the Controls and Risks Starter Kit.
• Save the changes as a new file/document.

4.1.7.2 Step 2: Download and Extract CLM Template

• Ensure that CLM is configured and set up to extract and deploy content to the GRC Process Control Landscape you need.
• Check that CLM error logging is enabled on the GRC Process Control Landscape. Using transaction SM30, enter GRFNVLOGENABLE in Table/View and click Display.
  o Ensure that IO_IMPORT and IO_EXPORT are filled in the table.
• Extract the content from the GRC Process Control 10.0 Landscape into CLM using the Extract button and choosing the appropriate GRC Process Control Landscape.
• In case of extraction errors please use transaction SLG1 to check the error logs both on the GRC Process Control Landscape and on the CLM system backend:
  o For the GRC Process Control Landscape extraction error log enter GRFN in Object --> enter IO_EXPORT in Subobject.
  o For the CLM system extraction error log enter /POA/CLM in Object and CHECKPOINT in Subobject.
  o Additional details are available on the CLM Troubleshooting Wiki Page.
• Using Mass Edit Download to Excel, download the extracted content package.
  o CLM will generate a ZIP file for download. This ZIP will contain an XLSM and an XML file.
  o Unzip these into a new folder on your local disk.
  o The XLSM file is the GRC Process Control 10.0 Flat XML Schema that can be used with Microsoft Excel 2007 or higher.

4.1.7.3 Step 3: Update CLM Template

Open the downloaded XLSM file using Microsoft Excel. The GRC Process Control CLM schema includes all configuration and master data entities. The table below shows the type of each entity (XLS Worksheet) in the schema.

Data Type | CLM Entity / XLS Worksheet
Configuration | Impact Category, Driver Category, Control Objective Category, Financial Statement Assertion, Sampling Method, Industry, Transaction Type, Control Category, Control Significance, Level of Evidence, Control Rating, Range, Automation, Control Purpose, Nature of Control, Relevance, Control Group, Control Subgroup, Frequency, Test Automation, Testing Technique, IELC Operation Frequency
Master Data | Regulation Group, Regulation, Regulation Requirement, Organization, Risk Category, Risk Template, Control Objective, Account Group, Test Plan, Central Process, Central Subprocess, Central Control, Central IELC Group, Central IELC

The content in the Controls and Risks Starter Kit only maps to some of the entities in the CLM schema. Hence, as part of the update procedure you only need to update some worksheets in the document. The table below shows this mapping.


Starter Kit | Worksheet | CLM Entity
Controls Starter Kit | Regulations | Regulation Group, Regulation, Regulation Requirement
Controls Starter Kit | Risks | Risk Category, Risk Template
Controls Starter Kit | Business Processes | Central Process, Central Subprocess
Controls Starter Kit | Control Objectives | Control Objective
Controls Starter Kit | Controls | Central Control
Controls Starter Kit | Indirect ELCs | Central IELC Group, Central IELC
Risks Starter Kit | Driver Categories | Driver Category
Risks Starter Kit | Impact Categories | Impact Category
Risks Starter Kit | Risk Catalog | Risk Category, Risk Template

Content in the remaining worksheets can be left as is. During deployment CLM will find that there are no changes in these other worksheets and will simply ignore this content.
The sections below describe how to map the content from the starter kit worksheets into the corresponding CLM worksheets. Please note the following general principles for updating data in the CLM worksheets:

• To insert new data, expand the dark and blue shaded rows. If you enter new data without expanding the background and directly add it in the white background rows, CLM will ignore this new content.
  o The screen below shows correct updates:

ID | Name | Description
IMPCAT/0000000101 | Quality | Decline in product or service quality
IMPCAT/0000000102 | Customer Service | Decline in customer service levels
IMPCAT/0000000103 | Expenses | Increase in expenses / costs
IMPCAT/0000000104 | Revenue | Loss of revenues
IMPCAT/0000000105 | Information Reliability | Unreliable business information

  o The screen below shows incorrect updates which CLM will ignore (the same rows entered directly in the white background rows without expanding the shaded rows):

ID | Name | Description
IMPCAT/0000000101 | Quality | Decline in product or service quality
IMPCAT/0000000102 | Customer Service | Decline in customer service levels
IMPCAT/0000000103 | Expenses | Increase in expenses / costs
IMPCAT/0000000104 | Revenue | Loss of revenues
IMPCAT/0000000105 | Information Reliability | Unreliable business information

• Each CLM worksheet/entity has an ID column. Some worksheets have additional ID columns to specify entity relationships. IDs can be specified in any format as long as there is a unique ID for each new element. CLM will use the unique ID to determine the new elements to be added and will also replace the ID with internally generated IDs.
  o For purposes of this procedure it is recommended to create these unique IDs using the format specified in each of the sections below.

Mapping Driver Categories and Impact Categories

• Either delete all rows from the Driver Category and Impact Category CLM worksheets or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
• To insert new data proceed as described below.

CLM Entity | Column | Starter Kit Mapping
Impact Category | ID | Specify IDs using the IMPCAT/00000001, IMPCAT/00000002, IMPCAT/00000003, ... format
Impact Category | Name | Impact Categories --> Impact Category (Column A)
Impact Category | Description | Impact Categories --> Impact Category Description (Column B)
Driver Category | ID | Specify IDs using the DRVCAT/00000001, DRVCAT/00000002, DRVCAT/00000003, ... format
Driver Category | Name | Driver Categories --> Driver Category (Column A)
Driver Category | Description | Driver Categories --> Driver Category Description (Column B)

NOTE: In testing/validations so far CLM is not importing updates to any configuration data elements. Hence, during the content upload the Driver Category and Impact Category are not getting deployed. However, the good part is that these two are the only configuration data elements from the Controls and Risks Starter Kits. Once this issue is resolved the procedure described above will work.
There is also a simple workaround to add new Driver Categories and Impact Categories:
1. Log on to the backend and open the IMG (transaction SPRO).
2. Open the Governance, Risk and Compliance --> Shared Master Data Settings --> Risk and Opportunity Attributes --> Maintain Impact Categories IMG entry and add the new data manually.
3. For bulk update, copy (Ctrl+C) the data from the starter kits and update the IMG entry with Ctrl+Y followed by Ctrl+V.
4. Repeat steps 2 and 3 for Governance, Risk and Compliance --> Shared Master Data Settings --> Risk and Opportunity Attributes --> Maintain Driver Categories.

Mapping Regulations

Prior to using new Regulations that will be deployed using the starter kit content, users must perform setup to define a new Regulation Configuration for each new regulation that needs to be used. Please see the Multi-Compliance Framework document for the procedure for performing this setup.
Please note that a regulation is quite a complex object in GRC Process Control and requires a lot of setup in the IMG prior to use. As the document above will show, this can be quite time consuming. Hence, it is important to first identify all the regulations that need to be deployed as part of Step 1 above before proceeding further here.
Another CLM nuance is the requirement to have at least one Regulation Group and Regulation with the associated Regulation Configuration defined in the GRC Landscape. Hence the CLM Regulation worksheet should have at least one row of data. Although as part of content deployment we are adding new regulations, the CLM upload fails unless there is one existing regulation defined and extracted in Step 2 above.

To insert new data proceed as described below.

CLM Entity | Column | Starter Kit Mapping
Regulation Group | ID | Specify IDs using the REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, ... format
Regulation Group | Name | Regulations --> Regulation Group (Column A)
Regulation Group | Parent | Specify ID of the parent Regulation Group (REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, ... format) to form a hierarchical structure. Note that in the content starter kits there is a single Regulation Group level defined, so this column will be blank. However, the system supports an N-level structure for Regulation Groups and this Parent column can be used to specify such a hierarchical structure.
Regulation | ID | Specify IDs using the REGULATION/00000001, REGULATION/00000002, REGULATION/00000003, ... format
Regulation | Name | Regulations --> Regulation (Column B)
Regulation | Description | Regulations --> Regulation Description (Column C)
Regulation | Parent | Specify ID of the parent Regulation Group using the REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, ... format
Regulation | Assign Regulation Configuration | Specify the new Regulation Configuration text identified as defined in the IMG setup
Regulation Requirement | ID | Specify IDs using the REG_REQ/00000001, REG_REQ/00000002, REG_REQ/00000003, ... format
Regulation Requirement | Name | Regulations --> Regulation Requirement (Column E)
Regulation Requirement | Parent | Specify ID of the parent Regulation using the REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, ... format

Mapping Risks and Risk Catalog

The Risk Catalog consists of Risk Categories and Risk Templates and is a shared master data entity between GRC Process Control and GRC Risk Management. Hence here the Risks worksheet in the Controls Starter Kit and the Risk Catalog worksheet in the Risks Starter Kit will both be mapped for deployment.
The Risk Catalog worksheet in the Risks Starter Kit consists of risk categories and risk templates. But the Risks worksheet in the Controls Starter Kit is simply a list of risk templates. Hence, the first step is to assign (choose) a parent Risk Category from the available structure in the Risk Catalog for these risk templates.
Here all the risk templates from the Controls Starter Kit will be deployed under the Management Risks --> Compliance --> Regulation compliance risks risk category. This new Regulation compliance risks category does not exist in the Risks Starter Kit but will be created in the CLM upload data. Customers can choose to define these control risk templates with any category name mapped anywhere in the risk catalog.

• Either delete all rows from the Risk Category CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
• To insert new data proceed as described below.

CLM Entity | Column | Starter Kit Mapping
Risk Category | ID | Specify IDs using the CRGROUP/00000001, CRGROUP/00000002, CRGROUP/00000003, ... format
Risk Category | Name | Risk Catalog --> Risk Category 1 (Column A), or Risk Category 2 (Column B), or Risk Category 3 (Column C), or Risk Category 4 (Column D), or Risk Category 5 (Column E)
Risk Category | Parent | Specify ID of the parent Risk Category using the CRGROUP/00000001, CRGROUP/00000002, CRGROUP/00000003, ... format

• The Risk Catalog in the Risks Starter Kit defines a five level hierarchical categorization structure. This structure needs to be captured in the Risk Category CLM Worksheet.
• Add a new row for the Regulation compliance risks category under the Management Risks --> Compliance parent category.
• Either delete all rows from the Risk Template CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
• To insert new data proceed as described below.

CLM Entity | Column | Starter Kit Mapping
Risk Template | ID | Specify IDs using the CRISK/00000001, CRISK/00000002, CRISK/00000003, ... format
Risk Template | Name | Risk Catalog --> Risk (Column F) in the Risks Starter Kit, or Risks --> Risk (Column A) in the Controls Starter Kit
Risk Template | Description | Risk Catalog --> Risk Description (Column G) in the Risks Starter Kit, or Risks --> Risk Description (Column B) in the Controls Starter Kit
Risk Template | Parent | Specify ID of the parent Risk Category using the CRGROUP/00000001, CRGROUP/00000002, CRGROUP/00000003, ... format

• Review the parent entries such that the risk catalog structure described in the Controls and Risks Starter Kit is replicated in the CLM worksheets.
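The Risk Category and Risk Template mappings above amount to one routine: walk the Risk Category 1 to 5 columns of each Risk Catalog row, create each category once with a CRGROUP/ ID and a Parent pointing at the level above, then attach the row's Risk (Column F) and Risk Description (Column G) as a Risk Template with a CRISK/ ID and the leaf category as Parent. The Python below is an added example for this guide, not code from the starter kits or from CLM. The catalog rows and control risks are constructed for illustration; the Controls Starter Kit risks are placed under Management Risks --> Compliance --> Regulation compliance risks as the text describes, which creates that new category on demand. The same path-to-parent routine serves the two-level Central Process/Subprocess structure and N-level Regulation Groups by swapping the prefixes and column names.

```python
import csv
import io

# Layout of the Risk Catalog worksheet as described on the page:
# Risk Category 1..5 in Columns A-E, Risk in Column F, Risk Description in Column G.
LEVEL_COLUMNS = [f"Risk Category {i}" for i in range(1, 6)]
CATEGORY_PREFIX = "CRGROUP"   # ID prefix for the Risk Category CLM worksheet
TEMPLATE_PREFIX = "CRISK"     # ID prefix for the Risk Template CLM worksheet

# Where the Controls Starter Kit risks go; the last level does not exist in the
# Risks Starter Kit and is created by the builder.
CONTROL_RISK_PATH = ("Management Risks", "Compliance", "Regulation compliance risks")

# Constructed sample rows (not the starter kits' real content).
RISK_CATALOG_ROWS = [
    {"Risk Category 1": "Management Risks", "Risk Category 2": "Compliance",
     "Risk Category 3": "Legal", "Risk": "Contract non-compliance",
     "Risk Description": "Contract terms are not fulfilled"},
    {"Risk Category 1": "Management Risks", "Risk Category 2": "Compliance",
     "Risk Category 3": "Legal", "Risk": "Litigation",
     "Risk Description": "Exposure to lawsuits"},
    {"Risk Category 1": "Operational Risks", "Risk Category 2": "Process",
     "Risk Category 3": "Execution", "Risk Category 4": "Transaction Processing",
     "Risk": "Data entry error", "Risk Description": "Transactions captured incorrectly"},
]
CONTROL_RISK_ROWS = [
    {"Risk": "Unauthorized journal entries",
     "Risk Description": "Journal entries posted without approval"},
]


def make_id(prefix, number):
    """IDs in the PREFIX/00000001 format used throughout the import procedure."""
    return f"{prefix}/{number:08d}"


class RiskCatalogBuilder:
    """Flattens category paths into Risk Category rows and attaches Risk Templates."""

    def __init__(self):
        self.categories = []     # rows for the Risk Category CLM worksheet
        self.templates = []      # rows for the Risk Template CLM worksheet
        self._ids = {}           # (cat1, cat2, ...) -> CRGROUP id, so each path is created once

    def ensure_category(self, path):
        """Create every category along the path that is missing; return the leaf's ID."""
        path = tuple(path)
        for depth in range(1, len(path) + 1):
            sub = path[:depth]
            if sub not in self._ids:
                parent_id = self._ids[sub[:-1]] if depth > 1 else ""   # top level has no Parent
                cat_id = make_id(CATEGORY_PREFIX, len(self.categories) + 1)
                self.categories.append({"ID": cat_id, "Name": sub[-1], "Parent": parent_id})
                self._ids[sub] = cat_id
        return self._ids[path]

    def add_risk(self, path, name, description=""):
        """Attach one Risk Template to the category at `path` (created on demand)."""
        risk_id = make_id(TEMPLATE_PREFIX, len(self.templates) + 1)
        self.templates.append({"ID": risk_id, "Name": name, "Description": description,
                               "Parent": self.ensure_category(path)})
        return risk_id

    def add_catalog_row(self, row):
        """Consume one Risk Catalog worksheet row; the first blank category cell ends the path."""
        path = []
        for column in LEVEL_COLUMNS:
            value = (row.get(column) or "").strip()
            if not value:
                break
            path.append(value)
        if not path:
            return                      # nothing to map on this row
        risk = (row.get("Risk") or "").strip()
        if risk:
            self.add_risk(path, risk, (row.get("Risk Description") or "").strip())
        else:
            self.ensure_category(path)  # category-only row


def as_csv(rows, columns):
    """Render rows as CSV text in worksheet column order, for pasting into the CLM template."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_catalog():
    """Map the sample rows from both starter kits; returns (categories, templates)."""
    builder = RiskCatalogBuilder()
    for row in RISK_CATALOG_ROWS:
        builder.add_catalog_row(row)
    for row in CONTROL_RISK_ROWS:
        builder.add_risk(CONTROL_RISK_PATH, row["Risk"], row["Risk Description"])
    return builder.categories, builder.templates


if __name__ == "__main__":
    categories, templates = build_sample_catalog()
    print(as_csv(categories, ["ID", "Name", "Parent"]))
    print(as_csv(templates, ["ID", "Name", "Description", "Parent"]))
```

Because each category path is created exactly once and in row order, the Parent column of every generated row refers to an ID that already appears earlier in the same worksheet, which is the review condition the bullet above asks for; the two CSV outputs can be pasted into the expanded rows of the Risk Category and Risk Template CLM worksheets.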

Mapping Control Objectives

• Either delete all rows from the Control Objective CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
• To insert new data proceed as described below.

CLM Entity | Column | Starter Kit Mapping
Control Objective | ID | Specify IDs using the COBJECTIVE/00000001, COBJECTIVE/00000002, COBJECTIVE/00000003, ... format
Control Objective | Name | Control Objectives --> Control Objective (Column A)
Control Objective | Description | Control Objectives --> Control Objective Description (Column C)
Control Objective | Objective Category | Although Control Objectives --> Control Objective Category (Column B) shows objective categories, we are not adding new objective categories. Objective categories are configuration data, and the current categories that exist in the system will be extracted in the CLM worksheet Control Objective Category. Hence here the CLM IDs from the Control Objective Category worksheet need to be copied over for each new Control Objective entry. For ease of use you can assign the same Control Objective Category ID for all new Control Objectives being added and later update it in the system.

Mapping Business Processes

The Business Processes worksheet in the Controls Starter Kit defines the Process and Subprocess structure to be deployed. The Subprocess mappings with Regulations, Control Objectives and Risks are shown in the starter kit. This procedure does not describe the upload for these entity relationships and will only deploy the Process and Subprocess structure. Such entity relationships can be defined by the customer later using the system.

• Either delete all rows from the Central Process CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
• To insert new data proceed as described below.


CLM Entity

Column

Starter Kit Mapping

Central Process

ID

Specify IDs using the XPROCESS/00000001,


XPROCESS/00000002, XPROCESS/00000003,
format

Name

Business Processes Domain (Column A) or


Business Processes Process (Column B)

Parent

Specify ID of the parent Central Process using the


XPROCESS/00000001, XPROCESS/00000002,
XPROCESS/00000003, format

The Business Processes worksheet in the Controls Starter Kit defines a two-level hierarchical
categorization structure (Domain and Process). This structure needs to be captured in the Central
Process CLM worksheet.
Either delete all rows from the Central Subprocess CLM worksheet or insert new rows as described
below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.

CLM Entity: Central Subprocess

Column  | Starter Kit Mapping
ID      | Specify IDs using the XSUBPROCESS/00000001, XSUBPROCESS/00000002, XSUBPROCESS/00000003, ... format
Name    | Business Processes worksheet: Subprocess (Column C)
Parent  | Specify the ID of the parent Central Process using the XPROCESS/00000001, XPROCESS/00000002,
        | XPROCESS/00000003, ... format

Review the parent entries such that the Process and Subprocess structure described in the
Controls Starter Kit is replicated in the CLM worksheets.

Mapping Controls
The Controls worksheet in the Controls Starter Kit defines the controls library to be deployed. The
Control mappings with Regulations and Risks are shown in the starter kit. This procedure does
not describe the upload for these entity relationships and will only deploy the list of controls. Such
entity relationships can be defined by the customer later using the system.

Either delete all rows from the Central Control CLM worksheet or insert new rows as described
below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.

CLM Entity: Central Control

Column               | Starter Kit Mapping
ID                   | Specify IDs using the XCONTROL/00000001, XCONTROL/00000002, XCONTROL/00000003, ... format
Name                 | Controls worksheet: Control (Column A)
Description          | Controls worksheet: Control Description (Column B)


Parent               | Specify the ID of the parent Central Subprocess using the XSUBPROCESS/00000001,
                     | XSUBPROCESS/00000002, XSUBPROCESS/00000003, ... format
Is Control           | Enter X for each Central Control entry
Automation           | This is a mandatory control attribute. The control automation types that currently
                     | exist in the system are extracted into the CLM worksheet Automation. Hence the CLM IDs
                     | from the Automation worksheet need to be copied over for each Central Control entry.
                     | For ease of use you can assign the same Automation ID to all new Central Controls
                     | being added and update them in the system later.
Control Purpose      | This is a mandatory control attribute. The control purpose types that currently exist
                     | in the system are extracted into the CLM worksheet Control Purpose. Hence the CLM IDs
                     | from the Control Purpose worksheet need to be copied over for each Central Control
                     | entry. For ease of use you can assign the same Control Purpose ID to all new Central
                     | Controls being added and update them in the system later.
Allow Refer          | Enter X for each Central Control entry
Date or Event        | Enter T for each Central Control entry
To Be Tested         | Enter X for each Central Control entry
Test Automation (ID) | This is a mandatory control attribute. The test automation types that currently exist
                     | in the system are extracted into the CLM worksheet Test Automation. Hence the CLM IDs
                     | from the Test Automation worksheet need to be copied over for each Central Control
                     | entry. For ease of use you can assign the same Test Automation ID to all new Central
                     | Controls being added and update them in the system later.

Review the parent entries such that each Control is tied to the correct Subprocess as described in
the Controls Starter Kit.
The other control attributes listed above are mandatory control attributes in the system and need
default values to avoid errors during content deployment.

Mapping Indirect ELCs

Either delete all rows from the Central IELC Group CLM worksheet or insert new rows as
described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.


CLM Entity: Central IELC Group

Column      | Starter Kit Mapping
ID          | Specify IDs using the XECGROUP/00000001, XECGROUP/00000002, XECGROUP/00000003, ... format
Name        | Indirect ELCs worksheet: Indirect ELC Group 1 (Column A) or Indirect ELC Group 2 (Column C)
Description | Indirect ELCs worksheet: Indirect ELC Group 1 Description (Column A) or Indirect ELC Group 2
            | Description (Column C)
Parent      | Specify the ID of the parent Central IELC Group using the XECGROUP/00000001, XECGROUP/00000002,
            | XECGROUP/00000003, ... format

The Indirect ELCs worksheet in the Controls Starter Kit defines a two-level hierarchical
categorization structure (Indirect ELC Group 1 and Indirect ELC Group 2). This structure needs to be
captured in the Central IELC Group CLM worksheet.
Either delete all rows from the Central ELC CLM worksheet or insert new rows as described below.
Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.

CLM Entity: Central ELC

Column      | Starter Kit Mapping
ID          | Specify IDs using the XECONTROL/00000001, XECONTROL/00000002, XECONTROL/00000003, ... format
Name        | Indirect ELCs worksheet: Indirect ELC Name (Column E)
Description | Indirect ELCs worksheet: Indirect ELC Description (Column H)
Parent      | Specify the ID of the parent Central IELC Group using the XECGROUP/00000001, XECGROUP/00000002,
            | XECGROUP/00000003, ... format

Review the parent entries such that the Indirect ELCs structure described in the Controls Starter
Kit is replicated in the CLM worksheets.
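The ID assignment and parent linking that the mapping tables above describe, carried out in code as an added example. This is not code from the document, from SAP or from the CLM tool; it applies the same two-level-group-plus-leaf pattern to both the Business Processes worksheet (XPROCESS / XSUBPROCESS, with XCONTROL rows attached to subprocesses) and the Indirect ELCs worksheet (XECGROUP / XECONTROL), and then performs the "review the parent entries" check by reporting every row whose Parent does not resolve. The starter-kit rows are constructed, subprocess names are assumed unique across processes, and the Automation, Control Purpose and Test Automation IDs are placeholders for the CLM IDs extracted from the customer's own system.

```python
"""Assign CLM IDs and Parent references for the starter-kit hierarchies and check that every
Parent resolves before upload. Added example (not part of the SAP document or the CLM tool).
The starter-kit rows are constructed; the Automation, Control Purpose and Test Automation IDs
are placeholders for the CLM IDs extracted from the customer's own system."""


def clm_id(prefix, n):
    """CLM ID format used by the mapping tables: <PREFIX>/<8-digit sequence>."""
    return f"{prefix}/{n:08d}"


def build_hierarchy(group_prefix, leaf_prefix, rows):
    """rows are (level1, level2, leaf) tuples, e.g. (Domain, Process, Subprocess) from the
    Business Processes worksheet or (IELC Group 1, IELC Group 2, Indirect ELC Name) from the
    Indirect ELCs worksheet. Level 1 and level 2 both become group rows (same prefix, level 2
    pointing at level 1); leaves become leaf rows pointing at their level-2 group."""
    group_rows, leaf_rows = [], []
    group_ids, leaf_ids = {}, {}  # keyed by full path so equal names under different parents stay distinct
    for level1, level2, leaf in rows:
        for path, parent in (((level1,), None), ((level1, level2), (level1,))):
            if path not in group_ids:
                group_ids[path] = clm_id(group_prefix, len(group_ids) + 1)
                group_rows.append({"ID": group_ids[path], "Name": path[-1],
                                   "Parent": group_ids[parent] if parent else ""})
        path = (level1, level2, leaf)
        if path not in leaf_ids:
            leaf_ids[path] = clm_id(leaf_prefix, len(leaf_ids) + 1)
            leaf_rows.append({"ID": leaf_ids[path], "Name": leaf,
                              "Parent": group_ids[(level1, level2)]})
    return group_rows, leaf_rows


def build_control_rows(controls, subprocess_rows, defaults):
    """controls are (Control [Col A], Control Description [Col B], Subprocess name) tuples.
    Mandatory attributes get the fixed values from the mapping table plus the caller's defaults.
    Assumes subprocess names are unique, as in the starter kit."""
    by_name = {r["Name"]: r["ID"] for r in subprocess_rows}
    rows = []
    for n, (name, description, subprocess) in enumerate(controls, start=1):
        rows.append({"ID": clm_id("XCONTROL", n), "Name": name, "Description": description,
                     "Parent": by_name.get(subprocess, ""),  # "" flags an unknown subprocess
                     "Is Control": "X", "Allow Refer": "X", "Date or Event": "T",
                     "To Be Tested": "X", **defaults})
    return rows


def unresolved_parents(rows, parent_rows, allow_root=False):
    """Names of rows whose Parent is not an ID in parent_rows. A blank Parent is accepted
    only when allow_root is set, i.e. for the top level of a hierarchy."""
    known = {r["ID"] for r in parent_rows}
    bad = []
    for r in rows:
        if r["Parent"] == "" and allow_root:
            continue
        if r["Parent"] not in known:
            bad.append(r["Name"])
    return bad


# Constructed sample of the Business Processes worksheet (Domain, Process, Subprocess).
BUSINESS_PROCESSES = [
    ("Finance", "Record to Report", "Journal Entry Processing"),
    ("Finance", "Record to Report", "Period-End Close"),
    ("Finance", "Order to Cash", "Credit Management"),
    ("Procurement", "Procure to Pay", "Vendor Master Maintenance"),
]
# Constructed sample of the Controls worksheet (Control, Control Description, Subprocess).
CONTROLS = [
    ("Journal approval", "Manual journals above the threshold are approved before posting",
     "Journal Entry Processing"),
    ("Vendor bank data review", "Changes to vendor bank details are independently reviewed",
     "Vendor Master Maintenance"),
    ("Credit override review", "Credit limit overrides are logged and reviewed", "Credit Management"),
]
# Placeholders: copy the real CLM IDs from the Automation, Control Purpose and Test Automation worksheets.
DEFAULTS = {"Automation": "<Automation CLM ID>", "Control Purpose": "<Control Purpose CLM ID>",
            "Test Automation (ID)": "<Test Automation CLM ID>"}

if __name__ == "__main__":
    processes, subprocesses = build_hierarchy("XPROCESS", "XSUBPROCESS", BUSINESS_PROCESSES)
    controls = build_control_rows(CONTROLS, subprocesses, DEFAULTS)
    for r in processes + subprocesses + controls:
        print(r["ID"], "->", r["Parent"] or "(root)", r["Name"])
    print("unresolved:", unresolved_parents(processes, processes, allow_root=True),
          unresolved_parents(subprocesses, processes), unresolved_parents(controls, subprocesses))
```

Running the script prints each row with its parent and an empty unresolved list for all three worksheets; a control whose Subprocess name does not appear in the Business Processes rows ends up with a blank Parent and is reported by name, which is the case the "review the parent entries" step exists to catch.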

After completion of Step 3: Update CLM Template as described above, the resulting CLM template (PC
10.0 CLM Upload.ZIP) is included in the associated ZIP file.
NOTE: Customers cannot skip Step 3: Update CLM Template above and directly proceed with the above ZIP
file. This is because the CLM template will look a little different based on the GRC Process Control
Landscape where the new content will be deployed. Hence, customers will need to complete this step as
described. The above file is simply a sample for comparison. Moreover, customers will not deploy all
the starter kit content as is, and Step 1: Data Preparation will result in a somewhat different
content set.


4.1.7.4 Step 4: Save and Upload CLM Template

Save the updated CLM template as XML. Go to the Developer tab in Excel and click Export to save the
document as XML with a new name.
    o If you don't see the Developer tab, go to Excel Options and check the Show Developer tab in the
      Ribbon checkbox under Popular options.
    o The XML file generated (GRC RM and PC Starter Kits.XML) is included in the associated ZIP file.

NOTE: The above XML file can be directly uploaded into CLM, but customers cannot skip Step 3: Update
CLM Template above. This is because the XML file will differ based on the outcome of that step and the
customer's requirements. The above file is simply a sample for comparison.

Using Mass Edit > Upload from Excel, find and upload the saved XML document. Note that you need to
use the Upload from Excel option and select the XML file for upload.
In case of errors please use transaction SLG1 on the CLM system backend for the error log.
    o For the CLM deployment error log enter /POA/CLM in Object and DEPLOYMENT in Subobject

Additional details are available on the CLM Troubleshooting Wiki Page.

4.1.7.5 Step 5: Deploy Content Set

Select the uploaded XML content group and deploy it using the Deploy button, choosing the same GRC
Process Control Landscape as used in Section 4.1.7.2.
In case of deployment errors please use transaction SLG1 to check the error logs on the GRC Process
Control Landscape:
    o Enter GRFN in Object --> Enter IO_IMPORT in Subobject

Additional details are available on the CLM Troubleshooting Wiki Page.

Log on to the GRC Process Control Landscape and verify the new content imported.


4.1.8 Importing Objectives and Activities Catalog

As mentioned above, the Objectives and Activities catalogs from the Risks Starter Kit cannot be
imported with the Flat XML Schema. Customers have the following options for importing these catalogs:
    o Import using the Hierarchical XML Schema for GRC Risk Management. Editing XML documents can be
      very cumbersome and this process is not described in this document.
    o Set up the content manually in the GRC Risk Management system.
The Objectives catalog is generally not very long and only consists of two levels of hierarchy:
Strategy and Objective. It is not very time consuming to set up manually. Additionally, this is only
relevant for customers documenting and managing risks within the context of business objectives.
The Activities catalog is long and manual setup can be cumbersome. Note that in GRC Risk Management
there is Master Data > Activities and Processes > Activity Hierarchy and Assessments > Risk
Assessments > Activities. Only the Activity Hierarchy is a master data entity and supported by CLM.
Activities (an Activity Hierarchy element tied with an Organization and Owner(s)) are the
transactional entity and are not supported by CLM. However, only Activities can be used with Risks;
hence Activities will need to be created from the Activity Hierarchy to leverage the content.
The Activities worksheet in the Risks Starter Kit shows the Activity Hierarchy as a three-level
taxonomy (Columns B, C, and D). The leaf level (Column E) is mapped as Activities. Again, this is just
an SAP recommendation and customers can choose to update and map this content to meet their needs.
The Activity Hierarchy (master data) elements will have to be created manually. But the Activities
(transactional data) can be uploaded directly in the system as shown below:
Go to Assessments > Risk Assessments > Activities.

Click Download. This will generate an Excel (XLS) document of the Activities defined in the system.
Open the Excel file.


To import new Activities, delete the contents of the Excel file and add new content using the mapping
below. To update existing Activities simply keep the rows and update them directly.

Column               | Value
Activity ID          | Leave blank for new Activities to be added
Activity             | New Activity name, restricted to 40 characters: Column E in the Activities worksheet
                     | in the Risks Starter Kit
Activity Category ID | Parent Activity Category ID in the format CACTIVITY/XXXXXXXX. To find the ID for the
                     | parent Activity Category, click Create to add a new Activity in the system and then
                     | click the icon to view the list of all Activity Categories. This will show a listing
                     | with the IDs for selection
Activity Category    | Activity Category name
Orgunit ID           | Orgunit ID in the format ORGUNIT/XXXXXXXX. To find the ID for the Organization Unit,
                     | click Create to add a new Activity in the system and then click the icon to view the
                     | list of all Organization Units. This will show a listing with the IDs for selection
Organization         | Organization name
Activity Description | Detailed Activity Description. Can be left blank.
Start Date           | Today's date in the same format as in the export
End Date             | Enter 12/31/9999 in the same format as in the export

Save the updated Excel (XLS) document and click Upload to attach and import new (and/or updated)
Activities content.

Please note that similar Upload/Download is also supported for the transactional entities of Risks
and Incidents.
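The Activities mapping above, applied to the Column E leaf activities in code, as an added Python example that is not part of the document and not SAP's upload tooling. It builds rows in the export's column order, enforces the rules the table states (blank Activity ID for new rows, 40-character name limit, CACTIVITY/XXXXXXXX and ORGUNIT/XXXXXXXX ID formats, 12/31/9999 end date) and collects rejected names instead of stopping at the first bad row. The activity names, category and orgunit IDs are constructed placeholders; the MM/DD/YYYY date format is an assumption taken from the 12/31/9999 end date and must be replaced by whatever format the downloaded export actually shows.

```python
"""Build rows for the Activities upload file from the starter kit's Column E leaf activities,
enforcing the field rules listed in the mapping table. Added example, not SAP code; the activity
names and IDs are constructed placeholders, and the MM/DD/YYYY date format is an assumption (use
whatever format the downloaded export shows)."""

import csv
import io
import re
from datetime import date

EXPORT_COLUMNS = ["Activity ID", "Activity", "Activity Category ID", "Activity Category",
                  "Orgunit ID", "Organization", "Activity Description", "Start Date", "End Date"]
CACTIVITY_ID = re.compile(r"^CACTIVITY/\d{8}$")   # CACTIVITY/XXXXXXXX
ORGUNIT_ID = re.compile(r"^ORGUNIT/\d{8}$")       # ORGUNIT/XXXXXXXX
MAX_ACTIVITY_NAME = 40
END_DATE = "12/31/9999"
SAMPLE_TODAY = date(2012, 10, 1)                  # constructed "today" so the output is reproducible


def activity_row(name, category_id, category_name, orgunit_id, org_name, description="", today=None):
    """One upload row keyed by export column, or ValueError listing every rule the input breaks."""
    problems = []
    name = name.strip()
    if not 1 <= len(name) <= MAX_ACTIVITY_NAME:
        problems.append(f"Activity name must be 1-{MAX_ACTIVITY_NAME} characters, got {len(name)}: {name!r}")
    if not CACTIVITY_ID.match(category_id):
        problems.append(f"Activity Category ID must be CACTIVITY/XXXXXXXX, got {category_id!r}")
    if not ORGUNIT_ID.match(orgunit_id):
        problems.append(f"Orgunit ID must be ORGUNIT/XXXXXXXX, got {orgunit_id!r}")
    if problems:
        raise ValueError("; ".join(problems))
    start = (today or date.today()).strftime("%m/%d/%Y")   # assumed export date format
    return dict(zip(EXPORT_COLUMNS, ["", name, category_id, category_name, orgunit_id, org_name,
                                     description, start, END_DATE]))


def build_upload(leaf_activities, category_id, category_name, orgunit_id, org_name, today=None):
    """Map each Column E activity to a row; keep going and report rejects instead of aborting."""
    rows, rejected = [], []
    for name in leaf_activities:
        try:
            rows.append(activity_row(name, category_id, category_name, orgunit_id, org_name, today=today))
        except ValueError as err:
            rejected.append((name, str(err)))
    return rows, rejected


def to_tab_separated(rows):
    """Render rows in the export's column order (tab-separated, header first) for pasting into the XLS."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=EXPORT_COLUMNS, delimiter="\t", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample of Column E leaf activities; the last one deliberately exceeds 40 characters.
LEAF_ACTIVITIES = [
    "Approve vendor master changes",
    "Reconcile intercompany balances",
    "Review and approve manual journal entries above threshold",
]

if __name__ == "__main__":
    rows, rejected = build_upload(LEAF_ACTIVITIES, "CACTIVITY/00000012", "Finance Operations",
                                  "ORGUNIT/00000003", "Retail Banking", today=SAMPLE_TODAY)
    print(to_tab_separated(rows))
    for name, why in rejected:
        print("REJECTED:", name, "->", why)
```

The over-long third activity is reported rather than silently truncated, since a truncated name would no longer match the starter-kit taxonomy it came from; shorten it in the worksheet and rerun.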


4.2 KRI Starter Kit

...

4.2.1 KRI Starter Kit Content Details

Worksheet             | Content Details                                      | Content Source
KRIs by Risk Drivers  | Listing of KRIs by risk driver categories. Also      | SAP Internal GRC Solution
                      | includes the driver category description. These are  | Management and Solution
                      | high-level KRIs that monitor risk drivers.           | Marketing
KRIs by Risk          | Listing of KRIs by top risk categories: Management   | SAP Internal GRC Solution
Categories            | Risks, Financial Risks, and Operational Risks. KRIs  | Management and Application /
                      | are organized by taxonomic risk categorization and   | LOB Solution Management
                      | also include the KRI Unit (type) as well as the      |
                      | Source System for KRI automation.                    |
KRIs by Top Industry  | Listing of KRIs by top industries. KRIs are          | SAP Internal GRC Solution
Risks                 | organized by taxonomic risk categorization and also  | Management and IBUs
                      | include the KRI Unit (type) as well as the Source    |
                      | System for KRI automation.                           |
KRIs by Basel Risk    | Listing of KRIs organized by the Basel risk          | SAP Internal Banking IBU
Categories            | categories. These KRIs will typically only be        |
                      | applicable for Financial Service (Banking and        |
                      | Insurance) customers.                                |

4.2.2 Using KRIs from the Starter Kit

The intent of this library is to get customers started with KRIs quickly and/or, in most cases, to
guide the discussion to identify the right set of KRIs based on specific risks, risk drivers, and risk
categories. Some of the KRIs include a listing of an SAP Source System that can be used to automate
the KRI. Again, the intent here is simply to initiate discussions and point customers in the right
direction for KRI automation.
The KRIs listed here can easily be leveraged in the GRC Risk Management solution as manual KRIs.
Please refer to Appendix A for details on how to set up and use a manual KRI. Our recommendation for
customers is to implement applicable KRIs as manual KRIs and plan for automation in a later project
phase.


5. Appendix

5.1 Appendix A: Using Manual Key Risk Indicators (KRIs)

This appendix describes the procedure for setting up and using manual key risk indicators (KRIs)
along with the associated business rules. The procedure also describes how users can enter manual
values for the KRIs and trigger business rule evaluation.
GRC Risk Management Service Pack 05 introduces the ability to set up and use manual KRIs. Earlier,
KRIs were automated and needed to be tied with either an SAP Query, an SAP BW Query, or a Web
Service to fetch the indicator value. Manual KRIs allow users to enter the indicator value manually
and trigger business rule evaluation.
Automated KRIs can require significant implementation time and the right kind of consultants for
setup and use. Manual KRIs can be set up directly by Risk Owners and Managers and used immediately.
Moreover, KRIs are most widely used in risk management in a financial services industry context.
Here most KRIs are aggregations of values sourced from multiple internal and external systems, making
KRI automation all the more difficult and time consuming. Many financial services customers may also
rely on an external monitoring service to gather KRI values. In such instances manual KRIs offer a
quick and efficient way to leverage KRIs for risk and organizational monitoring.
Please note that the nature of the KRI function is the same for the automated and manual type, the
only difference being how the indicator value is sourced. The definition of KRI business rules and
their evaluation also remains the same. This appendix does not describe how KRIs work in GRC Risk
Management but only how manual KRIs can be set up and used. It is assumed that the user is familiar
with the KRI function in GRC Risk Management.

Example

Consider the risk Litigations resulting from mispricing under the Retail Banking business unit. The
user would like to set up the following manual KRIs for risk monitoring:

KRI       | KRI Template (Value Type)  | Description
KRI_10118 | Numeric (Count)            | Class Action Litigation - Number of Accounts Affected by Litigation
          |                            | resulting from Mispricing
KRI_10119 | Numeric (Count)            | Class Action Litigation - Number of Cases resulting from Mispricing
KRI_10120 | Percentage                 | Class Action Litigation - Percentage of Total Accounts Affected by
          |                            | Mispricing Litigation
KRI_10121 | Monetary Amount (Currency) | Class Action Litigation - Total Value of Cases resulting from Mispricing

For risk monitoring the user would like to define the following two business rules:


Business Rule             | Description                              | Monitoring Criteria
Monitor case value from   | Monitor the total amount of case value   | Notify risk owner if:
mispricing                | resulting from mispricing                | KRI_10121 >= EUR 10,000,000.00
Monitor accounts affected | Monitor accounts (total number and       | Notify risk owner if:
by mispricing             | percentage) affected by mispricing       | (KRI_10118 >= 1,000.00 AND KRI_10120 >= 50.00) OR
                          | including total value of cases           | KRI_10119 >= 25.00

The user would like to provide the following values manually for the KRIs, which should result in a
violation of both the above business rules.

KRI       | Value
KRI_10118 | 1,250.00
KRI_10119 | 55.00
KRI_10120 | 48.00 %
KRI_10121 | EUR 20,000,000.00

Procedure

Step 1: Setup KRI Templates

Set up (or check if available) the necessary KRI Templates. For this example three KRI Templates
should be defined: Numeric (Count), Percentage, and Monetary Amount (Currency). KRI Template
definition is the same for automated and manual KRIs.
KRI Templates are available under Rule Setup > Key Risk Indicators > KRI Templates. Open the KRI
Template Catalog list and define the necessary templates. The screenshot below shows the definition
of the Percentage KRI Template. Note that the System, Business Process, and Component attributes are
neither mandatory nor relevant for manual KRIs.


Step 2: Define Manual KRI Instances

Manual KRIs only have instances. Automated KRIs require a KRI Implementation, which can be leveraged
in multiple instances. Note that with GRC Risk Management Service Pack 05, KRIs can be defined for
Organizational Entities and Risks.
Open the details for a Risk or an organizational entity and go to the Key Risk Indicators tab. Click
Create Manual KRI Instance. This will open the screen below. Complete the necessary details for
KRI_10118 as shown and click Activate.


This will set up the manual KRI instance. Repeat the steps to define the other three KRIs as shown
below.

Step 3: Define KRI Business Rules

Under the same tab set up the two business rules as described above. This setup is common for both
types of KRIs. The screen below shows the Monitor case value from mispricing rule definition and
evaluation expression.
For both business rules the action is to flag the risk and notify the risk owner over email. No risk
reassessment work items will be generated.


Now both business rules have been defined as shown below. Save the risk or the organizational
entity.

Step 4: Enter KRI Values

Go to Rule Setup > Key Risk Indicators > KRI Value Input.

Here the user can enter individual values for a KRI instance, or upload a file with a list of
historical values by choosing the Input via File Upload mode and selecting the KRI instance.
Click the 0 KRI Instances selected link at the bottom left. Find the 4 KRIs (KRI_10118, KRI_10119,
KRI_10120, and KRI_10121), select them and move them to the right hand side. Click OK.


Click Next. Here the user can see the previous values provided and can enter new values. If the KRI
values are being entered for the first time, the previous values column will be blank. Note that based
on the KRI Template type the user will have to select a currency code (EUR) for the monetary amount
KRI_10121. The system treats percentages as numeric values so it does not show any special markings,
but for KRI_10120 please enter values between 1 and 100.


For the Input via File Upload mode the user can download a template from the Get Template link. The
template (XML or Excel) can be populated with historical values and uploaded here.
Click Next. Review the new values. The Change column indicates whether the values are going up,
going down, or remaining the same compared to the previous values. If necessary the user can click
Previous to change the values.

Click Finish. This will update the KRI values and trigger business rule evaluation. This step is the
same as running the GRRM_KRI_RUNTIME backend program to fetch values for the automated KRIs and
evaluate business rules.


Click Close.

Step 5: View Results

Open the Litigations resulting from mispricing risk again and go to the Key Risk Indicators tab. Here
the user can see that new values (Last update timestamp) are available for the KRIs and the business
rules have been evaluated again (Last update timestamp). Both rules have been violated and the risk
owner is notified over email.
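The two business rules and the manually entered values from the example above, evaluated in code as an added Python example. This is not the GRC Risk Management rule engine or any SAP code; it is a small evaluator for the notation used in the business rule table (KRI names, comparisons, AND/OR, a currency prefix and thousands separators), which also applies the checks the KRI Value Input screen expects before evaluation (percentage KRIs between 1 and 100, the monetary KRI entered in its template currency) and reports which rules fire. The KRI template value types and the rule texts are taken from the tables above; the dictionary names and the second "calm" value set used for comparison are constructed.

```python
"""Evaluate the Appendix A business rules against manually entered KRI values. Added example;
this is not the GRC Risk Management rule engine, only a small evaluator for the notation used
in the tables above (KRI names, >= comparisons, AND/OR, currency prefix, thousands separators)."""

import ast
import operator
import re

# KRI Template value type per instance, and the currency a monetary amount must be entered in.
KRI_TEMPLATES = {
    "KRI_10118": ("Numeric (Count)", None),
    "KRI_10119": ("Numeric (Count)", None),
    "KRI_10120": ("Percentage", None),
    "KRI_10121": ("Monetary Amount (Currency)", "EUR"),
}

# Monitoring criteria exactly as written in the business rule table.
BUSINESS_RULES = {
    "Monitor case value from mispricing": "KRI_10121 >= EUR 10,000,000.00",
    "Monitor accounts affected by mispricing":
        "(KRI_10118 >= 1,000.00 AND KRI_10120 >= 50.00) OR KRI_10119 >= 25.00",
}

# Values the user enters in Step 4 (percentages as plain numbers, amounts with their currency code).
EXAMPLE_VALUES = {"KRI_10118": 1250.00, "KRI_10119": 55.00, "KRI_10120": 48.00, "KRI_10121": 20_000_000.00}
EXAMPLE_CURRENCIES = {"KRI_10121": "EUR"}

COMPARISONS = {ast.GtE: operator.ge, ast.Gt: operator.gt, ast.LtE: operator.le,
               ast.Lt: operator.lt, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def normalise(criteria):
    """Rewrite the table notation as a Python boolean expression (parsed, never exec'd)."""
    expr = re.sub(r"\b[A-Z]{3} (?=\d)", "", criteria)            # "EUR 10,000,000.00" -> "10,000,000.00"
    expr = re.sub(r"(?<=\d),(?=\d)", "", expr)                   # drop thousands separators
    return re.sub(r"\b(AND|OR)\b", lambda m: m.group(1).lower(), expr)


def validate(values, currencies):
    """Apply the input-screen rules: percentages in 1..100, monetary KRIs in their template currency."""
    for kri, value in values.items():
        value_type, currency = KRI_TEMPLATES[kri]
        if value_type == "Percentage" and not 1 <= value <= 100:
            raise ValueError(f"{kri}: percentage must be between 1 and 100, got {value}")
        if currency and currencies.get(kri) != currency:
            raise ValueError(f"{kri}: value must be entered in {currency}, got {currencies.get(kri)}")


def _eval(node, values):
    """Walk only the node types a monitoring criterion may contain; anything else is rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, values)
    if isinstance(node, ast.BoolOp):
        parts = [_eval(v, values) for v in node.values]
        return all(parts) if isinstance(node.op, ast.And) else any(parts)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, values)
        for op, right_node in zip(node.ops, node.comparators):
            if type(op) not in COMPARISONS:
                raise ValueError(f"unsupported comparison {type(op).__name__}")
            right = _eval(right_node, values)
            if not COMPARISONS[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Name):
        if node.id not in values:
            raise KeyError(f"no value entered for {node.id}")
        return values[node.id]
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    raise ValueError(f"unsupported expression element {type(node).__name__}")


def evaluate_rules(values, currencies=None, rules=BUSINESS_RULES):
    """Return {rule name: True when its criteria fire and the risk owner is to be notified}."""
    validate(values, currencies or {})
    return {name: bool(_eval(ast.parse(normalise(criteria), mode="eval"), values))
            for name, criteria in rules.items()}


if __name__ == "__main__":
    for rule, fired in evaluate_rules(EXAMPLE_VALUES, EXAMPLE_CURRENCIES).items():
        print(f"{rule}: {'VIOLATED - notify risk owner' if fired else 'ok'}")
```

With the example values both rules fire, matching Step 5: the first because EUR 20,000,000.00 exceeds the EUR 10,000,000.00 threshold, the second because KRI_10119 (55.00) alone satisfies the OR branch even though the AND branch fails on KRI_10120 (48.00 is below 50.00). The evaluator walks a parsed AST rather than calling eval, so a rule text can only ever compare KRI values with numeric literals.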


6. Copyright
2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,
System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,
S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,
POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,
Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are
trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology
invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their respective logos
are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of Business Objects
Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products
and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications
may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and
its affiliated companies ("SAP Group") for informational purposes only, without representation or
warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the
materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should
be construed as constituting an additional warranty.
