As my colleague Allan Johnson, Solution Advisor at SAP Australia, puts it: "controls are repeatable risk responses". I think that is a very good way of summarizing it.
First of all, this simple definition implies that no control should be created unless it responds to an identified risk, which prevents the typical "box ticking" approach where an organization accumulates far more controls than it needs. More importantly, it highlights that internal control is an ongoing process that needs regular review: a response that is "repeatable" has to be re-performed and re-assessed.
You may of course decide to create a one-off action item to mitigate a risk, but, by the definition above, it would not be a control. It would be an action item or a task. Both the action item and the control have a start and end date, but the effectiveness and completeness of a control are driven by its control ratings. If a control fails its assessment, should it still be considered effective? Of course not, and this is where one of the typical hurdles appears: the risk owner often does not even know that a control is mitigating their risk, let alone that this control has recently been assessed and potentially failed.
To bring control and risk management together, and to go beyond cross-department reporting and actually make the lives of risk and control owners easier, SAP introduced the Risk Harmonization feature some time ago.
Even though this capability was released long ago, I realize that many organizations do not know about it, so I decided to write a short blog to explain and illustrate it, and to show how you can activate it and benefit from its automation straight away with very little effort.
What is Risk Harmonization?
You may already know that SAP Process Control and SAP Risk Management share the same risk register. And I am sure you already know that a control from SAP Process Control can be used as a risk response in SAP Risk Management to mitigate the risk event.
This works well, but only under two conditions:
* The risk owner knows all the controls in the control library and is sufficiently confident to select the ones that apply to their risk;
* Both the risk and control owners regularly review their scope to make sure that the controls still apply and still mitigate the relevant risks.
These two prerequisites are quite demanding, especially in siloed organizations!
To ensure a perfect, and constant, alignment between these two stakeholders, you can activate the Risk Harmonization feature. Once it is active:
* Risk events identified and assessed in SAP Risk Management can be documented on subprocesses in SAP Process Control;
* As soon as a risk is assigned to the scope of a control in SAP Process Control, this control is added as a risk response and included in the mitigation strategy. And vice versa: as soon as a control from SAP Process Control is used as a risk response in SAP Risk Management, the risk is added to the control documentation;
* To make sure this information does not go unnoticed, notifications are automatically sent to both the risk and control owners whenever a risk is added to or removed from a control, or a control is added to or removed from a risk, so that both stakeholders stay informed;
* It further allows SAP Process Control to use the SAP Risk Management risk assessment results and to display the harmonized data in the frequently used reports (Risk Control Matrix, Risk Coverage, Risk Coverage with Evaluations, and Risk Coverage with Ratings by Organization).
With this approach, regular updates of static risk and control matrices become a thing of the past.
How to Make it Happen in Your SAP GRC Landscape?
Do you have your pen and paper ready to write down all the steps?
Let’s get started then:
Step 1: Go to the relevant activity in the SAP Implementation Guide (IMG): Governance, Risk and Compliance > Shared Master Data Settings > Activate the Risk Harmonization Feature.
Step 2: Select "Activated" for Risk Harmonization (and whichever of the notification options you want), then save your changes.
That’s it! Risk Harmonization is now activated, and you can start benefiting from the automation and notifications mentioned above.
Going a Step Further and Leveraging Control Results for Risk Assessments
Now that you have aligned the risk and control worlds, what would you say to going the extra mile and leveraging the results of the control ratings (design assessments, self-assessments, tests of effectiveness) to help automatically drive the residual and planned residual risk levels?
I’ll be writing a follow-up blog specifically on the customizing activities that you can activate to achieve just this so watch this space!
If you have used the Risk Harmonization feature, do you have any feedback or tips that you would like to share? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard