Amongst the various GRC Tuesdays blog series, I think the “Hidden Gems” one is my favourite. Simply because it puts a spotlight on an existing functionality that has been created with great care by the Engineering team… but that wasn’t really announced so flew under the radar so to speak.

I feel these blogs give it the recognition it deserves, but it also helps organizations “discover” features and functionalities that they can use today without any additional investment and very little effort. A win-win situation!

Today, I’d like to focus on Flexible Risk Management Workflow.

Reading the 2024 Risk Management Information Systems Panorama published earlier in May by the French Association for the Management of Risks and Insurance in Companies (AMRAE), I noticed that “flexible and customizable” was once again cited as a GRC software challenge for many companies looking to “Think Big and Start Small” with their progressive extended capabilities added along the way.

From my experience, this is a key requirement for companies moving from a “Structured” Enterprise Risk Management maturity level to an “Optimized” one:

Enterprise Risk Management Maturity Levels

The feedback I often hear is that organizations would like their risk workflows to follow this maturity curve, and gradually include more steps as their risk users increasingly get more proficient.

Which brings me to my hidden gem today: did you know that there are dedicated customization options in SAP Risk Management that can help you tailor the risk assessment workflow steps you need, very simply and very rapidly?

Flexible Risk Assessment workflow

The risk assessment workflow is a key component of the SAP Risk Management solution. When triggered from the central Planner, it automatically sends out risk assessment work items to all associated risk owners and they can then provide their updates and insights directly via a guided wizard-type approach.

This risk assessment workflow is designed following the “Guided Activity Floorplan” (GAF) principle. In summary, this is a design template that takes the user through an activity, step-by-step. A guided activity is divided into a series of logical steps, each of which can be broken down further into substeps, and all of which represent tasks and subtasks of an activity. In our case, a risk assessment.

In SAP Risk Management, the standard risk assessment workflow can be composed of the following steps:

• [optional] Review of the risk identification
• [optional] Review of Key Risk Indicators and their values
• [mandatory] Review of the risk analysis – this one you can’t turn off… otherwise the risk assessment won’t really be possible!
• [optional] Review of the risk responses (effectiveness, mitigation effort, etc.)
• [optional] Review of the attached documentation

As such, the organization could decide to start simple and only include the mandatory risk assessment step for the first exercise and progressively add more steps.

To do so, they would simply need to select/unselect the relevant flags in the dedicated customization activity (V_GRPCCUST1):

Scenario 1 – Early stages of risk maturity

Here, the organization is interested in regularly capturing information about risk assessments, but risk review (including documentation and responses) is either done during a workshop or an interview for instance.

What to select in the configuration activity:

• Nothing additional! Only the risk assessment step will be prompted

Steps selected/unselected for this scenario:

Guided workflow activity received by the risk owner:

Scenario 2 – Structured risk management approach

Here, the organization decides to include a review of the risk identification, but also of the risk responses directly with the risk assessment workflow to ensure that any new causes or consequences are captured quickly and that the mitigation efforts are up-to-date so that there is no inconsistencies with the real risk exposure.

 What to select in the configuration activity:

• ANALYSIS_GAF_GENERAL => this will include the existing risk identification information
• ANALYSIS_GAF_MITIG => this will include all the risk responses assigned to the risk and their details

Steps selected/unselected for this scenario:

Guided workflow activity received by the risk owner:

Scenario 3 – Optimized risk management

As per the maturity curve above, formalized Key Risk Indicators is often a step not included in the early stages of the introduction of a risk management framework but rather introduced once the process is well established and runs smoothly.

Steps selected/unselected for this scenario:

Guided workflow activity received by the risk owner:

But that is not all, oh no, that is not all!

The good news is that you can decide when you want to activate these steps, and this decision is not final or irreversible. If the feedback from users is that this becomes too heavy to do during a risk assessment, you can always deactivate the steps, and trigger Risk Response or Key Risk Indicator update activities separately. Still from the central Planner of course:

These customization options therefore give companies flexibility to move along the maturity curve at their own speed, and even decide when to pause and possibly when to roll-back if needed.

I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!