grc risk management and process control 10.0 content starter kits

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2012 SAP AG

Applies to:

SAP GRC Risk Management 10.0 and SAP GRC Process Control 10.0

Summary

This document shows how customers can leverage GRC Risk Management and GRC Process Control

specific content provided in three starter kits – Risks Library, Controls Library, and KRI Library. This

document is a “how-to guide” that describes a repeatable process using GRC Content Lifecycle

Management (CLM) to leverage SAP provided content libraries as well as other similar content sourced by

customers.

Author: Satyen Paneri

Company: Governance, Risk, and Compliance

Analytics Division

Created on: September 20, 2012

Version 1.0

GRC Risk Management 10.0 and

Process Control 10.0 Starter Kits


© 2012 SAP AG

Document History

Document Version Description

1.00 Initial version


© 2012 SAP AG

Typographic Conventions

Type Style Description

Example Text Words or characters quoted

from the screen. These

include field names, screen

titles, pushbuttons labels,

menu names, menu paths,

and menu options.

Cross-references to other

documentation

Example text Emphasized words or

phrases in body text, graphic

titles, and table titles

Example text File and directory names and

their paths, messages,

names of variables and

parameters, source text, and

names of installation,

upgrade and database tools.

Example text User entry texts. These are

words or characters that you

enter in the system exactly as

they appear in the

documentation.

<Example

text>

Variable user entry. Angle

brackets indicate that you

replace these words and

characters with appropriate

entries to make entries in the

system.

EXAMPLE TEXT Keys on the keyboard, for

example, F2 or ENTER.

Icons

Icon Description

Caution

Note or Important

Example

Recommendation or Tip


© 2012 SAP AG

Table of Contents

1. Business Scenario............................................................................................................... 1

2. Background Information ..................................................................................................... 1

3. Prerequisites ........................................................................................................................ 2

4. GRC Content Starter Kits .................................................................................................... 3

4.1 Controls and Risks Starter Kits ..................................................................................... 3

4.1.1 Controls Starter Kit Content Details ................................................................. 3

4.1.2 Controls Starter Kit Template Details .............................................................. 4

4.1.3 Risks Starter Kit Content Details ..................................................................... 4

4.1.4 Risks Starter Kit Template Details ................................................................... 4

4.1.5 Recommended Usage and Restrictions .......................................................... 5

4.1.6 Quick CLM Primer ............................................................................................ 5

4.1.7 Import Procedure using CLM ........................................................................... 6

4.1.8 Importing Objectives and Activities Catalog .................................................. 17

4.2 KRI Starter Kit ............................................................................................................. 19

4.2.1 KRI Starter Kit Content Details ...................................................................... 19

4.2.2 Using KRIs from the Starter Kit ...................................................................... 19

5. Appendix ............................................................................................................................ 20

5.1 Appendix A – Using Manual Key Risk Indicators (KRIs) ............................................ 20

6. Copyright .............................................................................................................................. 1

GRC Risk Management 10.0 and Process Control 10.0 Starter Kits

October 2012 1

1. Business Scenario

SAP GRC customers’ content needs vary by regions, geographies, lines of business, industries,

business processes, business objectives, and regulations. In addition, regulatory requirements change

frequently especially in some industries such as Financial Services and Healthcare. Customers also

prefer to leverage best practice standards, frameworks, and methodologies for risk and compliance

management.

Content starter kits (packages) that incorporate best practice risk and control frameworks and libraries

such as COSO, Audit Standard 5, S&P, and Basel along with a repeatable process to manage new

content along with content updates can help customers get started quickly and stay on top of

regulatory changes. Customers can leverage the GRC 10.0 content lifecycle management (CLM)

capabilities for this process.

The challenge of content is that it keeps evolving and is never complete. The approach described in

this “how-to-guide” will help our customers better protect their value and better mange their risk,

compliance, and other GRC initiatives.

2. Background Information

The content starter kits described in this document are a collection of risks, controls, and KRI catalogs.

Some related master data entities such as risk drivers, impacts, business objectives, activities,

business processes, regulations, control objectives, and indirect entity-level controls are also included.

The content in these starter kits by no means provide complete coverage for a business process, line

or business, risk area, domain, or industry. SAP makes no such claim. It’s simply a collection of

content sourced from internal and external providers organized and aggregated to the best of our

abilities. It is the customer’s responsibility to review, change, and use (or not use) the content

packaged here.

The primary objective here is to define an Excel (XLS) based template for risks and controls library

along with a process to deploy the content in the GRC solutions using CLM. Customers can

completely throw-away the SAP provided content, replace with new content sourced internal or

externally, and using the templates provided leverage the same process for deployment. The intent is

to help get customers started quickly with their implementations and/or provoke additional discussions

to modify and add content based on specific requirements.

The content is sourced from past projects with consulting partners such as PwC, Deloitte, and Protiviti.

For all such content SAP owns the intellectual property and the same can be used by GRC customers.

Some other content is sourced from best practice (free) frameworks and methodologies such as

COSO II ERM, Audit Standard 5, Basel II Annexure, S&P ERM Framework, and APQC Cross-Industry

Process Classification Framework (PCF). The document describes the source of content for each

entity in the Section 4.

http://www.coso.org/

http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx

http://www.bis.org/publ/bcbs128.pdf

http://www.standardandpoors.com/ratings/erm/en/us

http://www.apqc.org/knowledge-base/documents/apqc-process-classification-framework-pcf-cross-industry-pdf-version-520

http://www.apqc.org/knowledge-base/documents/apqc-process-classification-framework-pcf-cross-industry-pdf-version-520


October 2012 2

3. Prerequisites

The following software must be installed, configured, and ready-to-use for this How-To-Guide:

GRC 10.0 (Process Control and Risk Management) with the latest service package.

GRC 10.0 Content Lifecycle Management (CLM)

This document also assumes that user is familiar with PC, RM, and CLM functionality and usage. For

additional help please refer to the following.

GRC Risk Management 10.0 Help Portal

GRC Process Control 10.0 Help Portal

GRC Process Control 10.0 CLM User Guide

http://help.sap.com/rm

http://help.sap.com/pc

http://scn.sap.com/docs/DOC-1597


October 2012 3

4. GRC Content Starter Kits

This section describes a repeatable process (providing template definitions and using CLM) for

customers to leverage content provided by the following three starter kits:

Controls Starter Kit

Risks Starter Kit

KRI Starter Kit

The content in these starter kits is included in the associated ZIP file.

The Controls Library and the Risks Library XLS document also provides the template for any such

similar content that customers may source internally or externally.

4.1 Controls and Risks Starter Kits ...

4.1.1 Controls Starter Kit Content Details

Worksheet Content Details Content Source

Regulations Listing of Regulation Groups and

Regulations.

Aggregation of all Process Controls

specific content acquired by SAP

from projects with Deloitte and

Protiviti. SAP owns the intellectual

property for this content.

Risks Listing of control specific Risks.

Business

Processes

Listing of Business Processes and Sub-

process structure. Where applicable Sub-

processes are linked with Regulations,

Control Objectives, and Risks.

Control Objectives Listing of Control Objectives.

Controls Listing of Controls organized by Sub-

processes. Where applicable Controls are

linked with Regulations and Risks.

Indirect Entity Level

Controls

Listing of Indirect Entity Level Control

Groups and Controls.

Draft of the updated COSO Internal

Control – Integrated Framework

available for public comments. The

framework updates are proposed by

PwC and the COSO Advisory

Council.

The Indirect ELC Groups and

Controls are the “principles” and

“attributes” proposed for the COSO

“components”.

https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/a072dfde-59fa-2f10-a1b5-b7e852688757


October 2012 4

4.1.2 Controls Starter Kit Template Details

The Controls Starter Kit Excel (XLS) document also serves as a simple template for managing and

deploying the SAP provided content or similar content that customers may have developed internally

or sourced from a third-party.

In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple

and does not capture all the entity relationships that are possible within GRC Process Control. The

objective is that listings of basic master data entities can be managed with this template. Once

deployed in the system users can then create the relationships using GRC Process Control.

4.1.3 Risks Starter Kit Content Details


Driver Categories Listing of Risk Drivers / Causes. SAP Internal – GRC Solution

Management and Solution Marketing Impact Categories Listing of Business Impacts /

Consequences.

Objectives Listing of Business Objectives.

Activities Listing of Business Activities / Processes. APQC Cross-Industry Process

Classification Framework (PCF).

This content is freely available for

APQC members and also for any

user registered with APQC. SAP is a

registered APQC customer.

Please note that this content can be

used freely with customers with the

express notification of the content

source – APQC.

Risk Catalog Risk Classification structure along with

Risk Templates. The Risk Catalog is also

organized by Industry-specific taxonomies

Risk Catalog is a combination of

content sourced from Basel II

Annexure and the S&P ERM

Framework.

The Basel II taxonomies are

applicable for Financial Services

(Banking and Insurance).

The non-financial industry

taxonomies are based on the S&P

ERM Framework.

Response Catalog Listing of Risk Responses. SAP Internal – GRC Solution

Management and Solution Marketing

4.1.4 Risks Starter Kit Template Details

The Risks Starter Kit Excel (XLS) document also serves as a simple template for managing and

deploying the SAP provided content or similar content that customers may have developed internally

or sourced from a third-party.


October 2012 5

In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple

and does not capture all the entity relationships that are possible within GRC Risk Management. The

objective is that listings of basic master data entities can be managed with this template. Once

deployed in the system users can then create the relationships using GRC Risk Management.

4.1.5 Recommended Usage and Restrictions

The content in these starter kits by no means provide complete coverage for a business process, line

or business, risk area, domain, or industry. SAP makes no such claim. It’s simply a collection of

content sourced from internal and external providers organized and aggregated to the best of our

abilities. It is the customer’s responsibility to review, change, and use (or not use) the content

packaged here. Rather the purpose of this “how-to-guide” is to describe content templates along with

a repeatable process using CLM to manage and deploy content.

Prior to using this content, customers are expected to review, filter, and update the content as

necessary before proceeding with content import. Some key suggestions:

Unique ID’s are included in these service packs with a prefix. These ID’s are simply generated for

ease of use and may not match the customer requirements. Hence, these will need to be reviewed

and updated.

All ID’s are mapped to the “name” attribute for each entity. This might not be applicable for most

customers and as such will need to be reviewed and updated. However, note that the “name”

attributes support only 40 characters in length. The Excel (XLS) templates and the CLM templates

will support unlimited characters, but during import these attributes will get truncated to the first 40

characters.

It is not expected that all content in the starter kits will be applicable for a customer. Hence,

customer will first need to review and remove unwanted content. Customers can also choose to

ignore entire entities that are not applicable.

The content does not attempt to define the entity relationships to keep things simpler. Customers

can either define these entity relationships in the templates or import the content and define the

entity relationships using GRC Process Control and Risk Management solutions. The import

procedure described in Section 4.1.6 below does not include import of most entity relationships.

Management and deployment of different content either sourced internally or from external third

parties is possible first by translating the content into the template format provided and then using

the import procedure described in Section 4.1.6.

4.1.6 Quick CLM Primer

This section provides a quick CLM primer from the intended usage for external content upload. This is critical as it will be applicable when executing the import procedure. Please note that it’s not the purpose of this document to be a CLM user guide. See the GRC Process Control 10.0 CLM User Guide for more details. The following details about CLM functionality should be noted:

The primary usage of CLM is to manage content deployments between GRC landscapes for customers and partners. The CLM “mass edit” functionality is being leveraged here to import external content included in the starter kits.

CLM supports two kinds of formats – Hierarchical XML Schema and Flat XML Schema which is essentially the Excel (XLS) interface.

CLM supports both the schema formats for GRC Process Control and only the Hierarchical XML Schema for GRC Risk Management. However, only the Flat XML Schema (Excel interface) is




October 2012 6

used for editing. Customers can also edit using the Hierarchical XML Schema but working directly with XML documents is very cumbersome.

o Hence, this document can only leverage the Flat XML Schema for GRC Process Control and not all entities in the Controls and Risks Starter Kit can be imported. However, since all the content is master data related and master data entities are common GRC 10.0 components most data can be imported.

o All entities except the “Objectives” and “Activities” catalogs from the Risks Starter Kit can be imported with the Flat XML Schema. The Hierarchical XML Schema for GRC Risk Management can be used to import the “Objectives” and “Activities” catalogs.

Although CLM handles content package “differences”, such capabilities can’t be leveraged here as

this is external content. After a first time deployment of the content CLM will generated and assign

unique identifiers (ID’s) for each record. As these unique identifiers are not part of the external

content in these starter kits, the CLM “differences” capabilities can’t be used. Of course, once the

content is deployed to a particular landscape it can be transported with “differences” management

within CLM. In other words the purpose here is to import once and then manage content across

multiple landscapes with CLM. Of course the process can be repeated for new (additional) content

imports.

4.1.7 Import Procedure using CLM

4.1.7.1 Step 1: Data Preparation

Review and update (change, delete, add) the content in the Controls and Risks Starter Kit.

Save the changes as a new file/document.

4.1.7.2 Step 2: Download and Extract CLM Template

Ensure that CLM is configured and setup to extract and deploy content to the GRC Process Control Landscape you need.

Check that CLM error logging is enabled on the GRC Process Control Landscape. Using transaction SM30 enter “GRFNVLOGENABLE” in “Table/View” and Click “Display”.

o Ensure the “IO_IMPORT” and “IO_EXPORT” is filled in the table.

Extract the content from the GRC Process Control 10.0 Landscape into CLM using the “Extract” button and choosing the appropriate GRC Process Control Landscape.

In case of extraction errors please use transaction SLG1 to check error logs both on the GRC Process Control Landscape and the CLM system backend for error log:

o For GRC Process Control Landscape extraction error log enter “GRFN” in “Object” --> Enter “IO_EXPORT” in “Subobject”


October 2012 7

o For CLM system extraction error log enter “/POA/CLM” in “Object” and “CHECKPOINT” in

“Subobject”

Additional details are available on the CLM Troubleshooting Wiki Page.

Using “Mass Edit Download to Excel” download the extracted content package. o CLM will generate a ZIP file for download. This ZIP will contain a XLSM and a XML file. o Unzip these into a new folder on your local disk. o The XLSM file is the GRC Process Control 10.0 Flat XML Schema that can be used with

Microsoft Excel 2007 or higher.

4.1.7.3 Step 3: Update CLM Template

Open the downloaded XLSM file using Microsoft Excel. The GRC Process Control CLM schema includes all “configuration” and “master data” entities. The table below shows the type of each entity (XLS Worksheet) in the schema.

Data Type CLM Entity / XLS Worksheet

Configuration Impact Category, Driver Category, Control Objective Category, Financial

Statement Assertion, Sampling Method, Industry, Transaction Type, Control

Category, Control Significance, Level of Evidence, Control Rating, Range,

Automation, Control Purpose, Nature or Control, Relevance, Control Group,

Control Subgroup, Frequency, Test Automation, Testing Technique, IELC

Operation Frequency

Master Data Regulation Group, Regulation, Regulation Requirement, Organization, Risk

Category, Risk Template, Control Objective, Account Group, Test Plan, Central

Process, Central Subprocess, Central Control, Central IELC Group, Central IELC

The content in the Controls and Risks Starter Kit only maps to some of the entities in the CLM schema. Hence, as part of the update procedure you only need to update some worksheets in the document. Table below shows this mapping.

https://wiki.wdf.sap.corp/wiki/display/SAPGRC/PC+CLM+Issue+Resolving+Check+List


October 2012 8

Starter Kit Worksheet CLM Entity

Controls Starter Kit Regulations Regulation Group

Regulation

Regulation Requirement

Risks Risk Category

Risk Template

Business Processes Central Process

Central Subprocess

Control Objectives Control Objective

Controls Central Control

Indirect ELC’s Central IELC Group

Central IELC

Risks Starter Kit Driver Categories Driver Category

Impact Categories Impact Category

Risk Catalog Risk Category

Risk Template

Content in the remaining worksheets can be left as is. During deployment CLM will find that there are no changes in these other worksheets and will simply ignore this content. The sections below describe how to map the content from the starter kit worksheets into the corresponding CLM worksheets. Please note the following general principles for updating data in the CLM worksheets:

To insert new data expand the “dark and blue shaded” rows. If you enter new data without expanding the background and directly adding in the white background rows; CLM will ignore this new content.

o Screen below shows correct updates

o Screen below shoes incorrect updates which CLM will ignore

ID Name Description

IMPCAT/0000000101 Quality Decline in product or service quality

IMPCAT/0000000102 Customer Service Decline in customer service levels

IMPCAT/0000000103 Expenses Increase in expenses / costs

IMPCAT/0000000104 Revenue Loss of revenues

IMPCAT/0000000105 Information Reliability Unreliable business information

ID Name Description

IMPCAT/0000000101 Quality Decline in product or service quality

IMPCAT/0000000102 Customer Service Decline in customer service levels

IMPCAT/0000000103 Expenses Increase in expenses / costs

IMPCAT/0000000104 Revenue Loss of revenues

IMPCAT/0000000105 Information Reliability Unreliable business information


October 2012 9

Each CLM worksheet/entity has an ID column. Some worksheets have additional ID columns to specify entity relationships. ID’s can be specified in any format as long as there is a unique ID for each new element. CLM will use the unique ID to determine new element to be added and will also replace the ID with internally generated ID’s.

o For purposes of this procedure it is recommended to create these unique ID’s using the format specified in each of the sections below.

Mapping Driver Categories and Impact Categories

Either delete all rows from the “Driver Category” and “Impact Category” CLM worksheets or insert new rows as described below. Either option is fine as we are only adding/deploying new content.

To insert new data proceed as described below.

CLM Entity Column Starter Kit Mapping

Impact Category ID Specify ID’s using the IMPCAT/00000001,

IMPCAT/00000002, IMPCAT/00000003, … format

Name Impact Categories Impact Category (Column A)

Description Impact Categories Impact Category Description

(Column B)

Driver Category ID Specify ID’s using the DRVCAT/00000001,

DRVCAT/00000002, DRVCAT/00000003, … format

Name Driver Categories Driver Category (Column A)

Description Driver Categories Driver Category Description

(Column B)

NOTE: In testing/validations so far CLM is not importing updates to any “configuration” data elements. Hence, during the content upload the “Driver Category” and “Impact Category” are not getting deployed. However, the good part is that these two are the only “configuration” data elements from the Controls and Risks Starter kits. Once this issues is resolved the procedure described above will work. There is also a simple workaround to add new “Driver Categories” and “Impact Categories”:

1. Logon to the backend, and open IMG (Transaction SPRO). 2. Open the “Governance, Risk and Compliance Shared Master Data Settings Risk and

Opportunity Attributes Maintain Impact Categories” IMG entry and add the new data manually.

3. For bulk update copy (Ctrl+C) data from the starter kits and update IMG entry with (Ctrl+Y followed by Ctrl+V).

4. Repeat steps 2 and 3 for “Governance, Risk and Compliance Shared Master Data Settings Risk and Opportunity Attributes Maintain Driver Categories”.

Mapping Regulations

Prior to using new “Regulations” that will be deployed using the starter kits content, for each new regulation that needs to be used; users must perform setup to define a new “Regulation Configuration”. Please see the Multi-Compliance Framework document on the procedure for performing this setup. Please note that a regulation is quite a complex object in GRC Process Control and requires a lot of setup in the IMG prior to use. As the document above will show this can be quite time consuming. Hence, it is important to first identify what all regulations needs to be deployed as part of the Step 1 above before proceeding further here.

https://websmp101.sap-ag.de/~sapidb/011000358700000522232011E


October 2012 10

Another CLM “nuance” is the requirement to have at least one “Regulation Group” and “Regulation” with the associated “Regulation Configuration” defined in the GRC Landscape. Hence the CLM “Regulation” worksheet should have at least one row of data. Although as part of content deployment we are adding new regulations, the CLM upload fails unless there is one existing regulation defined and extracted in the Step 2 above.



Regulation Group ID Specify ID’s using the REG_GROUP/00000001,

REG_GROUP/00000002, REG_GROUP/00000003, …

format

Name Regulations Regulation Group (Column A)

Parent Specify ID of the parent Regulation Group

(REG_GROUP/00000001, REG_GROUP/00000002,

REG_GROUP/00000003, … format) to form a

hierarchical structure

Note in the content starter kits there is a single

“Regulation Group” level defined so this column will be

blank

However, the system supports N-level structure for

“Regulation Groups” and this “Parent” column can be

used to specify such hierarchical structure

Regulation ID Specify ID’s using the REGULATION/00000001,

REGULATION/00000002, REGULATION/00000003, …

format

Name Regulations Regulation (Column B)

Description Regulations Regulation Description (Column C)

Parent Specify ID of the parent Regulation Group using the

REG_GROUP/00000001, REG_GROUP/00000002,

REG_GROUP/00000003, … format

Assign Regulation

Configuration

Specify the new “Regulation Configuration” text

identified as defined in the IMG setup

Regulation

Requirement

ID Specify ID’s using the REG_REQ/00000001,

REG_REQ/00000002, REG_REQ/00000003, … format

Name Regulations Regulation Requirement (Column E)

Parent Specify ID of the parent Regulation using the

REG_GROUP/00000001, REG_GROUP/00000002,

REG_GROUP/00000003, … format

Mapping Risks and Risk Catalog

The “Risk Catalog” consists of “Risk Categories” and “Risk Templates” and is a shared master data entity between GRC Process Control and GRC Risk Management.


October 2012 11

Hence here the “Risks” worksheet in the Controls Starter Kit and the “Risk Catalog” worksheet in the Risks Starter Kit both will be mapped for deployment. The “Risk Catalog” worksheet in the Risks Starter Kit consists of risk categories and risk templates. But the “Risks” worksheet in the Controls Starter Kit is simply a list of risk templates. Hence, first step is to assign (choose) a parent “Risk Category” from the available structure in the “Risk Catalog” for these risk templates. Here all the risk templates from the Controls Starter Kit will be deployed under the “Management Risks Compliance Regulation compliance risks” risk category. This new “Regulation compliance risks” category does not exist in the Risks Starter Kit but will be created in the CLM upload data. Customers can choose to define these control risk templates with any category name mapped anywhere in the risk catalog.

Either delete all rows from the “Risk Category” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



Risk Category ID Specify ID’s using the CRGROUP/00000001,

CRGROUP/00000002, CRGROUP/00000003, … format

Name Risk Catalog Risk Category 1 (Column A) or

Risk Catalog Risk Category 2 (Column B) or

Risk Catalog Risk Category 3 (Column C) or

Risk Catalog Risk Category 4 (Column D) or

Risk Catalog Risk Category 5 (Column E) or

Parent Specify ID of the parent Risk Category using the

CRGROUP/00000001, CRGROUP/00000002,

CRGROUP/00000003, … format

The “Risks Catalog” in the Risks Starter Kit defines a five level hierarchical categorization structure. This structure needs to be captured in the “Risk Category” CLM Worksheet.

Add a new row for the “Regulation compliance risks” category under the “Management Risks Compliance” parent category.

Either delete all rows from the “Risk Template” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



Risk Template ID Specify ID’s using the CRISK/00000001,

CRISK/00000002, CRISK/00000003, … format

Name Risk Catalog Risk (Column F) in the Risks Starter Kit

or

Risks Risk (Column A) in the Controls Starter Kit

Description Risk Catalog Risk Description (Column G) in the Risks

Starter Kit or

Risks Risk Description (Column B) in the Controls

Starter Kit


October 2012 12

Parent Specify ID of the parent Risk Category using the

CRGROUP/00000001, CRGROUP/00000002,

CRGROUP/00000003, … format

Review the “parent” entries such that the risk catalog structure described in the Controls and Risks Starter Kit is replicated in the CLM worksheets.

Mapping Control Objectives

Either delete all rows from the “Control Objective” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



Control Objective ID Specify ID’s using the COBJECTIVE/00000001,

COBJECTIVE/00000002, COBJECTIVE/00000003, …

format

Name Control Objectives Control Objective (Column A)

Description Control Objectives Control Objective Description

(Column C)

Objective Category Although Control Objectives Control Objective

Category (Column B) shows objective categories; we are

not adding new objective categories

Objective categories are configuration data and the

current categories that exist in the system will be

extracted in the CLM Worksheet “Control Objective

Category”

Hence here the CLM ID’s from the “Control Objective

Category” worksheet needs to be copied over for each

new Control Objective entry

For ease of use you can assign the same “Control

Objective Category” ID for all new Control Objectives

being added and later update in the system

Mapping Business Processes

The “Business Processes” worksheet in the Controls Starter Kit defines the Process and Subprocess structure to be deployed. The “Subprocess” mappings with “Regulations”, “Control Objectives” and “Risks” are shown in the starter kit. This procedure does not describe the upload for these entity relationships and will only deploy the Process and Subprocess structure. Such entity relationships can be defined by the customer later using the system.

Either delete all rows from the “Central Process” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



October 2012 13


Central Process ID Specify ID’s using the XPROCESS/00000001,

XPROCESS/00000002, XPROCESS/00000003, …

format

Name Business Processes Domain (Column A) or

Business Processes Process (Column B)

Parent Specify ID of the parent Central Process using the

XPROCESS/00000001, XPROCESS/00000002,

XPROCESS/00000003, … format

The “Business Processes” in the Controls Starter Kit defines a two level hierarchical categorization structure. This structure needs to be captured in the “Central Process” CLM Worksheet.

Either delete all rows from the “Central Subprocess” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



Central Subprocess ID Specify ID’s using the XSUBPROCESS/00000001,

XSUBPROCESS/00000002,

XSUBPROCESS/00000003, … format

Name Business Processes Subprocess (Column C)

Parent Specify ID of the parent Central Process using the

XPROCESS/00000001, XPROCESS/00000002,

XPROCESS/00000003, … format

Review the “parent” entries such that the Process and Subprocess structure described in the Controls Starter Kit is replicated in the CLM worksheets.

Mapping Controls

The “Controls” worksheet in the Controls Starter Kit defines the controls library to be deployed. The “Control” mappings with “Regulations” and “Risks” are shown in the starter kit. This procedure does not describe the upload for these entity relationships and will only deploy the list of controls. Such entity relationships can be defined by the customer later using the system.

Either delete all rows from the “Central Control” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



Central Control ID Specify ID’s using the XCONTROL/00000001,

XCONTROL/00000002, XCONTROL/00000003, …

format

Name Controls Control (Column A)

Description Controls Control Description (Column B)


October 2012 14

Parent Specify ID of the parent Central Subprocess using the



XSUBPROCESS/00000003, … format

Is Control Enter “X” for each Central Control entry

Automation This is a mandatory control attribute. The current control

automation types that exist in the system will be

extracted in the CLM Worksheet “Automation”

Hence here the CLM ID’s from the “Automation”

worksheet needs to be copied over for each Central

Control entry

For ease of use you can assign the same “Automation”

ID for all new Central Controls being added and later

update in the system

Control Purpose This is a mandatory control attribute. The current control

purpose types that exist in the system will be extracted in

the CLM Worksheet “Control Purpose”

Hence here the CLM ID’s from the “Control Purpose”


Control entry

For ease of use you can assign the same “Control

Purpose” ID for all new Central Controls being added

and later update in the system

Allow Refer Enter “X” for each Central Control entry

Date or Event Enter “T” for each Central Control entry

To Be Tested Enter “X” for each Central Control entry

Test Automation (ID) This is a mandatory control attribute. The current test

automation types that exist in the system will be

extracted in the CLM Worksheet “Test Automation”

Hence here the CLM ID’s from the “Test Automation”


Control entry

For ease of use you can assign the same “Test

Automation” ID for all new Central Controls being added

and later update in the system

Review the “parent” entries such that the Control is tied with the correct Subprocess as described in the Controls Starter Kit.

The other control attributes defined above are mandatory control attributes in the system and need default values to avoid errors during content deployment.

Mapping Indirect ELC’s

Either delete all rows from the “Central IELC Group” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



October 2012 15


Central IELC Group ID Specify ID’s using the XECGROUP/00000001,

XECGROUP/00000002, XECGROUP/00000003, …

format

Name Indirect ELC’s Indirect ELC Group 1 (Column A) or

Indirect ELC’s Indirect ELC Group 2 (Column C)

Description Indirect ELC’s Indirect ELC Group 1 Description

(Column A) or

Indirect ELC’s Indirect ELC Group 2 Description

(Column C)

Parent Specify ID of the parent Central IELC Group using the

XECGROUP/00000001, XECGROUP/00000002,

XECGROUP/00000003, … format

The “Indirect ELC’s” in the Controls Starter Kit defines a two level hierarchical categorization structure. This structure needs to be captured in the “Central IELC Group” CLM Worksheet.

Either delete all rows from the “Central ELC” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.



Central ELC ID Specify ID’s using the XECONTROL/00000001,

XECONTROL/00000002, XECONTROL/00000003, …

format

Name Indirect ELC’s Indirect ELC Name (Column E)

Description Indirect ELC’s Indirect ELC Description (Column H)

Parent Specify ID of the parent Central IELC Group using the

XECGROUP/00000001, XECGROUP/00000002,

XECGROUP/00000003, … format

Review the “parent” entries such that the Indirect ELC’s structure described in the Controls Starter Kit is replicated in the CLM worksheets.

After completion of the “Step 3: Update CLM Template” as described above the CLM template (PC

10.0 CLM Upload.ZIP) is included in the associated ZIP file.

NOTE: Customers cannot skip “Step 3: Update CLM Template” above and directly proceed with the

above ZIP file. This is because the CLM template will look a little different based on the GRC Process

Control Landscape where the new content will be deployed. Hence, customers will need to complete

this step as described. The above file is simply a sample for comparison. Moreover, customers will not

deploy all the starter kit content as is and “Step 1: Data Preparation” will result in somewhat different

content set.



October 2012 16

4.1.7.4 Step 4: Save and Upload CLM Template

Save the updated CLM template as XML. Go to the “Developer” tab in Excel and click “Export” to save document as XML with a new name.

o If you don’t see the “Developer” tab; go to “Excel Options” and check the “Show Developer tab in the Ribbon” checkbox under “Popular” options.

o The XML file generated (GRC RM and PC Starter Kits.XML) is included in the associated ZIP file.

o NOTE: The above XML file can be directly uploaded into CLM but customers cannot skip

“Step 3: Update CLM Template” above. This is because based on the outcome of this

step and the customer’s requirements this XML file will be different. The above file is

simply a sample for comparison.

Using “Mass Edit Upload from Excel” option find and upload the saved XML document. Note that you need to use the “Upload from Excel” option and select the XML file for upload.

In case of errors please use transaction SLG1 on the CLM system backend for error log. o For CLM deployment error log enter “/POA/CLM” in “Object” and “DEPLOYMENT” in

“Subobject”


4.1.7.5 Step 5: Deploy Content Set

Select the uploaded XML content group and deploy using the “Deploy” button and choosing the same GRC Process Control Landscape as used in Section 4.1.7.2.

In case of deployment errors please use transaction SLG1 to check error logs on the GRC Process Control Landscape:

o Enter “GRFN” in “Object” --> Enter “IO_IMPORT” in “Subobject”


Logon to the GRC Process Control Landscape and verify the new content imported.





October 2012 17

4.1.8 Importing Objectives and Activities Catalog

As mentioned above the “Objectives” and “Activities” catalogs from the Risks Starter Kit cannot be imported with the Flat XML Schema. Customers have the following options for importing these catalogs:

Import using the Hierarchical XML Schema for GRC Risk Management. Editing XML documents can be very cumbersome and this process is not described in this document.

Setup the content manually in the GRC Risk Management system. The “Objectives” catalog is generally not very long and only consists of two levels of hierarchy – Strategy and Objective. It’s not very time consuming for manual setup. Additionally, this is only relevant for customers documenting and managing risks within the context of business objectives. The “Activities” catalog is long and manual setup can be cumbersome. Note that in GRC Risk Management there is “Master Data Activities and Processes Activity Hierarchy” and “Assessments Risk Assessments Activities”. Only the “Activity Hierarchy” is the master data entity and supported by CLM. “Activities” (Activity Hierarchy tied with an Organization and Owner(s)) is the transactional entity and is not supported by CLM. However, only “Activities” can be used with “Risks”; hence “Activities” will need to be created from “Activity Hierarchy” for leveraging the content. The “Activities” worksheet in the Risks Starter Kit shows the “Activity Hierarchy” as three-level taxonomy (Columns B, C, and D). The “leaf” levels (Column E) is mapped as “Activities”. Again this is just an SAP recommendation and customers can choose to update and map this content to meet their needs. The “Activity Hierarchy” (master data) elements will have to be manually created. But the “Activities” (transactional data) can be uploaded directly in the system as shown below: Go to “Assessments Risk Assessments Activities”.

Click “Download”. This will generate an Excel (XLS) document of the Activities defined in the system. Open the Excel file.


October 2012 18

To import new “Activities” delete the contents of the Excel file and add new content with the following mapping procedure below. To update existing “Activities” simply keep the rows and update directly.

Column Value

Activity ID Leave blank for new Activities to be added

Activity New Activity name. Restricted to 40 characters

Column E in the “Activities” worksheet in the Risks Starter Kit

Activity Category ID Parent Activity Category ID in the format CACTIVITY/XXXXXXXX. To find the ID

for the parent Activity Category, click “Create” to add a new Activity in the system

and then click the icon to view list of all Activity Categories. This will show a

listing with the ID’s for selection

Activity Category Activity Category name

Orgunit ID Orgunit ID in the format ORGUNIT/XXXXXXXX. To find the ID for the parent

Activity Category, click “Create” to add a new Activity in the system and then click

the icon to view list of all Organization Units. This will show a listing with the

ID’s for selection

Organization Organization name

Activity Description Detailed Activity Description. Can be left blank.

Start Date Today’s date in the same format as in the export

End Date Enter 12/31/9999 in the same format as in the export

Save the updated Excel (XLS) document and click “Upload” to attach and import new (and/or updated) “Activities” content.

Please note that similar Upload/Download is also supported for the transactional entities of “Risks” and “Incidents”.


October 2012 19

4.2 KRI Starter Kit ...

4.2.1 KRI Starter Kit Content Details


KRIs by Risk

Drivers

Listing of KRIs by risk driver categories. Also

includes driver category description. These are

high-level KRIs that monitors risk drivers.

SAP Internal – GRC Solution

Management and Solution

Marketing

KRIs by Risk

Categories

Listing of KRIs by top risk categories –

Management Risks, Financial Risks, and

Operational Risks. KRIs are organized by

taxonomic risk categorization and also include

the “KRI Unit” (type) as well as the “Source

System” for KRI automation.


Management and Application

/ LOB Solution Management

KRIs by Top

Industry Risks

Listing of KRIs by top industries. KRIs are

organized by taxonomic risk categorization and

also include the “KRI Unit” (type) as well as the

“Source System” for KRI automation.


Management and IBU’s

KRIs by Basel Risk

Categories

Listing of KRIs organized by the Basel risk

categories. These KRIs will typically only be

applicable for Financial Service (Banking and

Insurance) customers.

SAP Internal – Banking IBU

4.2.2 Using KRIs from the Starter Kit

The intent of this library is to get customers started with KRIs quickly and/or in most case guide the

discussion to identify the right set of KRIs based on specific risks, risk drivers, and risk categories.

Some of the KRIs includes a listing of a SAP Source System that can be used to automate the KRI.

Again the intent here is simply to initiate discussions and point customers in the right direction for KRI

automation.

The KRIs listed here can easily be leveraged in the GRC Risk Management solution as “manual

KRIs”. Please refer to Appendix A for details on how to setup and use a “manual KRI”. Our

recommendation for customers is to implement applicable KRIs as “manual KRIs” and plan for

automation in a later project phase.


October 2012 20

5. Appendix

5.1 Appendix A – Using Manual Key Risk Indicators

(KRIs)

This appendix describes the procedure for setting up and using manual key risk indicators (KRIs)

along with the associated business rules. The procedure also describes how users can enter manual

values for the KRIs and trigger business rule evaluation.

GRC Risk Management Service Pack 05 introduces the ability to setup and use manual KRIs. Earlier

KRIs were automated and needed to be tied with either SAP Query, SAP BW Query, or a Web

Service to fetch the indicator value. Manual KRIs allows users to enter the indicator value manually

and trigger business rule evaluation.

Automated KRIs can require significant implementation time and the right kind of consultants for setup

and use. Manual KRIs can be setup directly by Risk Owners and Managers and used immediately.

Moreover KRIs are most widely used in risk management in a financial services industry context. Here

most KRIs are aggregations of values sourced from multiple internal and external systems making KRI

automation all the more difficult and time consuming. Many financial services customers may also rely

from an external monitoring service to gather KRI values. In such instances manual KRIs offers a

quick and efficient way to leverage KRIs for risk and organizational monitoring.

Please note that the nature of the KRI function is the same for automated and manual type with the

only difference being the nature of sourcing the indicator value. The definition of KRI business rules

and their evaluation also remains the same. This appendix does not describe how KRI’s work in GRC

Risk Management but only how manual KRIs can be setup and used. It is assumed that the user is

familiar with the KRI function in GRC Risk Management.

Example

Consider the risk “Litigations resulting from mispricing” under the “Retail Banking” business unit. User

would like to setup the following manual KRI’s for risk monitoring:

KRI

KRI Template

(Value Type) Description

KRI_10118 Numeric (Count) Class Action Litigation - Number of Accounts Affected by

Litigation resulting from Mispricing

KRI_10119 Numeric (Count) Class Action Litigation - Number of Cases resulting from

Mispricing

KRI_10120 Percentage Class Action Litigation - Percentage of Total Accounts Affected

by Mispricing Litigation

KRI_10121 Monetary Amount

(Currency)

Class Action Litigation - Total Value of Cases resulting from

Mispricing

For risk monitoring user would like to define the following two business rules:


October 2012 21

Business Rule Description Monitoring Criteria

Monitor case value from

mispricing

Monitor the total amount of case

value resulting from mispricing

Notify risk owner if:

KRI_10121 >= EUR 10,000,000.00

Monitor accounts

affected by mispricing

Monitor accounts (total number and

percentage) affected by mispricing

including total value of cases

Notify risk owner if:

(KRI_10118 >= 1,000.00 AND

KRI_10120 >= 50.00) OR

KRI_10119 >= 25.00

User would like to provide the following value manually for the KRI’s which should result in a violation

of both the above business rules.

KRI Value

KRI_10118 1,250.00

KRI_10119 55.00

KRI_10120 48.00 %

KRI_10121 EUR 20,000,000.00

Procedure

Step 1: Setup KRI Templates

Setup (or check if available) the KRI Templates necessary. For this example three KRI Templates –

Numeric (Count), Percentage, Monetary Amount (Currency) – should be defined. KRI Template

definition is the same for automated and manual KRIs.

KRI Templates are available under “Rule Setup Key Risk Indicators KRI Templates”. Open the

list of KRI Template Catalog and define the necessary templates. Screen shot below shows the

definition of the Percentage KRI Template. Note that the “System”, “Business Process”, and

“Component” attributes are neither mandatory nor relevant for manual KRIs.


October 2012 22

Step 2: Define Manual KRI Instances

Manual KRIs only has instances. Automated KRIs requires a KRI Implementation which can be

leveraged into multiple instances. Note that with GRC Risk Management Service Pack 05, KRIs can

be defined for Organizational Entities and Risks.

Open details for a Risk or an organizational entity and go to the “Key Risk Indicators” tab. Click

“Create Manual KRI Instance”. This will open the screen below. Complete the necessary details for

KRI_10118 as shown and click “Activate”.


October 2012 23

This will setup the manual KRI instance. Repeat the steps to define the other three KRIs as shown

below.

Step 3: Define KRI Business Rules

Under the same tab setup the two business rules as described above. This setup is common for both

types of KRIs. Screen below show the “Monitor case value from mispricing” rule definition and

evaluation expression.

For both business rules the “action” is to flag the risk and notify risk owner over email. No risk re-

assessment work items will be generated.


October 2012 24


October 2012 25

Now both the business rules have been defined as shown below. Save the risk or the organizational

entity.

Step 4: Enter KRI values

Go to “Rule Setup Key Risk Indicators KRI Value Input”.

Here user can enter individual values for a KRI instance or upload a file with a list of historical values

by choosing the “Input via File Upload” mode and selecting the KRI instance.

Click the “0 KRI Instances selected” link at the bottom left. Find the 4 KRIs – KRI_10118, KRI_10119,

KRI_10120, and KRI_10121 – select them and move to the right hand side. Click “OK”.


October 2012 26

Click “Next”. Here user can see the previous values provided and can enter new values. If the KRI

values are being entered the first time the previous values column will be blank. Note that based on

the KRI Template type user will have to select a currency code (EUR) for the monetary amount

KRI_10121. System treats percentages as numeric values so it does not show any special markings

but for KRI_10120 please enter values between 1 – 100.


October 2012 27

For the “Input via File Upload” mode user can download a template from the “Get Template” link. The

template (XML or Excel) can be populated with historical values and uploaded here.

Click “Next”. Review the new values. The “Change” column indicates whether the values are going up,

going down, or remaining the same from the previous values. If necessary user can click “Previous” to

change the values.

Click “Finish”. This will update the KRI values and trigger business rule evaluation. This step is the

same as running the GRRM_KRI_RUNTIME backend program to fetch values for the automated KRIs

and evaluate business rules.


October 2012 28

Click “Close”.

Step 5: View Results

Open the “Litigations resulting from mispricing” risk again and go to the Key Risk Indicators tab. Here

user can see that new values (“Last update” timestamp) are available for the KRIs and the business

rules have been evaluated again (“Last update” timestamp). Both rules have been violated and the

risk owner is notified over email.


October 2012 29


6. Copyright

© 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the

express permission of SAP AG. The information contained herein may be changed without prior

notice.

Some software products marketed by SAP AG and its distributors contain proprietary software

components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft

Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,

System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,

S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,

POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,

Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are

trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered

trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are

trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web

Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology

invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,

StreamWork, and other SAP products and services mentioned herein as well as their respective logos

are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal

Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned

herein as well as their respective logos are trademarks or registered trademarks of Business Objects

Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products

and services mentioned herein as well as their respective logos are trademarks or registered

trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies.

Data contained in this document serves informational purposes only. National product specifications

may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and

its affiliated companies ("SAP Group") for informational purposes only, without representation or

warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the

materials. The only warranties for SAP Group products and services are those that are set forth in the

express warranty statements accompanying such products and services, if any. Nothing herein should

be construed as constituting an additional warranty.

grc risk management and process control 10.0 content starter kits

Documents

sap grc risk management

grc content starter

sap grc process control

documentation example

risks starter kits

example text keys

starter kits risks library

sap ag table of contents