Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

I keep on seeing on social media, but also in many conferences, that qualitative risk assessment is dead, that heatmaps are useless, and that every risk manager should move to quantitative risk assessment only.

I agree that a quantitative output for a risk is the ideal situation since it then facilitates the cost/benefit comparison of mitigation measures, but I also think that there is no one size fits all.

There are risks where there won’t be enough data points to estimate the potential loss accurately. Hence a qualitative approach will be the suitable option to ensure that expert feedback is still captured. And there are still instances where a heatmap will help executives get a simple picture of the probability and impact of selected events that could impact their business.

To make sure that they are understood, I believe the messenger should not impose their preferred communication method – a reporting format in our present case – but should adapt to what the recipient requires to understand the message. If this means both a heatmap AND another report that the messenger (here the risk manager) would like to suggest, what is the harm in doing so?

In this short blog, I’d like to develop this idea but more importantly, propose a few suggestions on how to “translate” qualitative risk assessment into quantitative and then use the results to propose both a heatmap AND another report. Hence combining both approaches without compromising on anything and even paving the way for using statistical approaches.

Then, should risk owners feel comfortable, they could opt to full quantitative and, should executives also feel comfortable, they could also switch to risk profile type reporting for instance.


(Automatically) Converting qualitative into quantitative


If your risk owners have been using qualitative risk assessments for some time, changing the rating method to input a digit number instead of a textual choice might be disruptive. And even turn them away from assessing risks which is what we should aim at avoiding at all costs.

In my experience, the first step – if this hasn’t been done yet, is to prompt a quantitative mapping for the qualitative scales in use.

When a user selects a “Significant” impact level, they should know what financial range this means for the company in terms of potential damage. Similarly, when assessing a “Rare” probability, they should also understand what frequency this is associated to.

Then, using the scales, it is possible to automatically convert the qualitative assessment in quantitative values and display the results to the end-user. Doing so will help achieve 2 objectives:

  1. This doesn’t feel like a black box as everything is transparent to the user

  2. This is a soft enablement, and the user will grow in confidence over time and will, by themselves, decide to switch to quantitative without feeling forced to do so.


Displaying all in a single dashboard


If executives are used to receiving heatmaps, then they will most likely expect to see one. Unless this has been decided with them before hand, simply excluding this type of report might act as a deterrent.

Instead, I would once again suggest the soft enablement approach here as well: displaying both reports – the heatmap and the one(s) the risk management team feel are more adequate for risk representation. Together.

In my experience, report design is always very subjective. What one stakeholder finds useful, another might deem confusing. Trial and error is an approach that has proven itself: introducing changes progressively and adjusting towards the output that all are happy with, is the best way to get everyone onboard!


Step-by-Step illustration in SAP Risk Management


If you are using SAP Risk Management, then I have provided below some illustrated steps that should enable you to achieve this result, quite easily.


1. Configure the Analysis Guidance

Much like there is no one size fits all for the reports, the very same is true for the scales.

If you are familiar with SAP solutions, then you will have heard of the Implementation Guide – or IMG. This is the tool where administrators can access the configuration activities to adjust the SAP System to the requirements of a company.

Using this tool, you will be able to leverage the relevant configuration activity to document the mapping between qualitative and quantitative scales.

Go to the “Maintain Risk Analysis Guidance” configuration activity and select an impact type.

Then, simply document the associated guidance for each impact level:


Note: you can actually do this for every different impact type. So you can document the quantitative guidance associate to operational impact, reputational damage, loss in market share, etc.


2. Activate Qualitative to Quantitative conversion

This time, enter transaction SM30 in the backend and open view V_GRPCCUST1. From there, you will be able to activate the “ANALYSIS_QL_QN” indicator by checking the associated box. This will enable the automatic conversion from qualitative (QL) to quantitative (QN) values:

Before and after activating the conversion setting

The way this conversion works is actually pretty simple. It leverages the organizational unit’s risk threshold and puts the cursor in the middle of the range. I.e.: if the organizational unit has defined an “Insignificant” impact as being a loss comprised between 0 and 100.000 EUR, when a user selects Insignificant in a qualitative assessment then the solution will automatically convert it and display a financial impact of 50.000 EUR.


3. Leverage the SAP Analytics Cloud for SAP Risk Management

Before I even start on custom reports, I’d like to add a clarification: Risk Heatmap report is available directly in SAP Risk Management and is a standard report. No need to design a new report for this purpose.

But the premises of this blog is that the risk team is trying to associate the “historical” heatmap to more advanced risk reports. Risk Profile being one of them. The Risk Profile is a dashboard that intuitively displays the expected loss of aggregated risks against Risk Appetite threshold. Time and Analysis Type can also act as filters.

Using SAP Analytics Cloud, risk teams can achieve this result and start on their soft enablement process by introducing new templates and design the dashboard that will convey their message.

Risk Count Heatmap and Risk Profile Dashboards

For more details on reporting, I would suggest having a look at my colleague James Chiu’s GRC Tuesdays blog post dedicated to this topic: SAP Analytics Cloud Integration for SAP Risk Management

That’s it!

The debate can now shift from “Quantitative Vs Quantitative” to “Quantitative AND Quantitative” and move from a near ideological stance to a user-based focus helping risk owners and executives alike get what they need out of this process: information they deem necessary to stir their processes and the organization.

What about you, how does your company make this work? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard