Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
cancel
Showing results for 
Search instead for 
Did you mean: 
T_Frenehard
Product and Topic Expert
Product and Topic Expert
616


In this second blog of the 4 part “Building The Case” series, I will focus on enterprise risk management solutions – specifically SAP Risk Management, but the series will address all the SAP solutions supporting the 3 Lines Model: internal control and compliance with SAP Process Control (Cf. previous blog on this topic) but also internal audit with SAP Audit Management; and fraud detection and investigation with SAP Business Integrity Screening. So watch this space!

In case you have been looking for a way to quantify potential gains from an enterprise risk management solution, then the value calculator described in this blog should be able to help.

It’s intended to support organizations in putting together a business case for improving their risk management landscape by calculating the potential value of technologies for automating the end-to-end risk management process. That is, from the identification, to the analysis of the exposure, the definition of a mitigation strategy and up to the continuous monitoring of the risk and its reporting.

To quantify the potential benefits of an enterprise approach to risk management across these steps, the SAP Risk Management Value Calculator provides real, useful estimates and data to help organizations:

  • Get insight into value-adding risks

  • Scan the horizon for risks and opportunities

  • Preserve value by minimizing unnecessary losses


Should you decide that this is worth trying out, then just go to the SAP Risk Management Value Calculator and click on GET STARTED. No need to register to this free tool!

Before we start, I just want to highlight the fact that this value calculator provides estimated data for illustration purposes only. Actual results or costs may of course vary and may be affected by additional factors that would need to be taken into account when using this information in your business case.

 

Section 1 – Configure


 

Best-in-class enterprises link risk management to business performance and to the achievement of business objectives. In order to drive value, risk events must be aligned with value adding processes. And in order to reduce losses, risks must be linked to incidents and near misses. To be able to assess benefits of this approach, this first step will ask you to provide your best estimate for various company attributes. Don’t worry, you can then change them to create different scenarios if you wish.

What indicators are required:

  • Annual gross revenue

  • Gross margin

  • Full-time equivalents (FTE) managing risk information

  • Average annual fully-loaded cost per FTE

  • Average number of risks in you risk library

  • Average residual expected loss per risk in your risk universe


 

Section 2 – Plan


 

This section will focus on the benefits that the solution can provide by automating risk management for both operational and key strategic risks.

Indeed, to add and preserve value, risk managers must understand where the value is and what adverse events could prevent the company from achieving its objectives.

To do so, the value calculator therefore focuses on the questions below:

  • What does the company do that creates business value?

  • What activities support this value creation process?

  • What emerging risks and opportunities are on the horizon and could be either a threat or a chance for the organization?

  • What are the best ways to configure the necessary risk categories, responses, risk appetite, and assign owners?


What indicator is required:

  • Percentage of average time spent on risk management related activity planning – including in responding to the questions listed just above every time a new cycle starts


 

Section 3 – Identify


 

Minimizing duplicate risks requires strong configuration practices and good taxonomy. Linking risk drivers, indicators, impacts, and responses via common terminology can also help better understand the root causes of risks which will in turn enable the documentation of more relevant key risk indicators. These indicators can then proactively monitor negative trends that could indicate the risk is beginning to manifest and action can be taken to mitigate the threat before it turns into an incident.

What indicators are required:

  • Improvement in revenue thanks to a better understanding and improved management of root causes of risk events

  • Percentage of time spent identifying risks


 

Section 4 – Analyse


 

Risk management’s final objective is to enable executives to make decisions by providing them with information about the future state of the business and therefore help organize the efforts needed to carry out these decisions. Better risk analysis will de facto lead to better decision making results. This can be supported by leveraging different methodologies to understand risk exposure:

  • Modelling scenarios, with approaches such as Monte Carlo

  • Determined inherent, residual, and planned residual risk levels

  • “What-if” simulations to review options before rolling them out

  • Qualitative, quantitative or scoring evaluations, including taking into account the velocity aspect to get an overall picture of the exposure


What indicators are required:

  • Average percentage in loss reduction resulting from better decision-making, which can be achieved through analytics, scenario analysis, and risk modelling for instance

  • Average FTEs involved in analyzing risk

  • Percentage of time spent analyzing risk


 

Section 5 – Respond


 

Cost effective risk responses will help ensure the company’s risk appetite is respected. To do so, risk experts will therefore need to document a response strategy after balancing costs and benefits of the controls, action plans or policies.

With this in mind, risk owners can:

  • Respond to risk after reviewing impacts and benefits

  • Document responses and assign accountability

  • Use workflow driven remediation tracking to monitor the progress and the effectiveness of each response and the overall reduction on the risk exposure

  • Leverage control from the internal control framework and get the evaluation and testing, but also continuous automated monitoring directly from this source


What indicators are required:

  • Average improvement from designing the most cost-effective risk response strategy

  • Productivity improvement from better usage of risk management resources as a result of automated monitoring and exceptions review

  • Average number of people involved in the response to risk events, be it for reduction, control or transfer for instance


 

Section 6 – Monitor


 

Effective monitoring of risk levels with automated alerts and key risk indicators, result in less manual efforts and faster decision making. It also helps effortlessly keep track of the progress of responses and corrective actions.

SAP Risk Management supports this by providing analytics and reports, including heat maps with drill-down capability, giving users the ability to promptly:

  • Notify risk owners via automated alerts

  • Monitor response effectiveness, including with automated updates based on control ratings

  • Assess impacts on business objectives


What indicators are required:

  • Percentage in efficiency gain from improved monitoring

  • Average number of people involved in risk monitoring


 

Section 7 – Total Value


 

That’s it! This last section is a summary that displays the potential value gain achievable with SAP Risk Management. It includes 4 graphs:


Current Spend vs. Potential Spend



Difference in Spend (lighter color is previous state and darker colors represents potential shift)



Total Gains by Control Step



Total Spend and Gain


Registration is not required, and you can change your assumptions as many times as you wish. So why not give it a try?

What about you, what other variables do you take into consideration when building the case for a risk management solution? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

And stay tuned on the GRC Tuesdays site for other blogs on internal control, internal audit and fraud detection and investigation.