SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com
© 2012 SAP AG
Applies to:
SAP GRC Risk Management 10.0 and SAP GRC Process Control 10.0
Summary
This document shows how customers can leverage GRC Risk Management and GRC Process Control
specific content provided in three starter kits – Risks Library, Controls Library, and KRI Library. This
document is a “how-to guide” that describes a repeatable process using GRC Content Lifecycle
Management (CLM) to leverage SAP provided content libraries as well as other similar content sourced by
customers.
Author: Satyen Paneri
Company: Governance, Risk, and Compliance Analytics Division
Created on: September 20, 2012
Version 1.0
GRC Risk Management 10.0 and
Process Control 10.0 Starter Kits
Document History
Version 1.00: Initial version
Typographic Conventions
(The original distinguishes the following type styles by font; the font distinctions are not reproduced here.)
Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.
Icons
(Icons are not reproduced; the document uses icons for the following.)
Caution
Note or Important
Example
Recommendation or Tip
Table of Contents
1. Business Scenario............................................................................................................... 1
2. Background Information ..................................................................................................... 1
3. Prerequisites ........................................................................................................................ 2
4. GRC Content Starter Kits .................................................................................................... 3
4.1 Controls and Risks Starter Kits ..................................................................................... 3
4.1.1 Controls Starter Kit Content Details ................................................................. 3
4.1.2 Controls Starter Kit Template Details .............................................................. 4
4.1.3 Risks Starter Kit Content Details ..................................................................... 4
4.1.4 Risks Starter Kit Template Details ................................................................... 4
4.1.5 Recommended Usage and Restrictions .......................................................... 5
4.1.6 Quick CLM Primer ............................................................................................ 5
4.1.7 Import Procedure using CLM ........................................................................... 6
4.1.8 Importing Objectives and Activities Catalog .................................................. 17
4.2 KRI Starter Kit ............................................................................................................. 19
4.2.1 KRI Starter Kit Content Details ...................................................................... 19
4.2.2 Using KRIs from the Starter Kit ...................................................................... 19
5. Appendix ............................................................................................................................ 20
5.1 Appendix A – Using Manual Key Risk Indicators (KRIs) ............................................ 20
6. Copyright .............................................................................................................................. 1
GRC Risk Management 10.0 and Process Control 10.0 Starter Kits
October 2012 1
1. Business Scenario
SAP GRC customers’ content needs vary by regions, geographies, lines of business, industries,
business processes, business objectives, and regulations. In addition, regulatory requirements change
frequently especially in some industries such as Financial Services and Healthcare. Customers also
prefer to leverage best practice standards, frameworks, and methodologies for risk and compliance
management.
Content starter kits (packages) that incorporate best practice risk and control frameworks and libraries
such as COSO, Audit Standard 5, S&P, and Basel along with a repeatable process to manage new
content along with content updates can help customers get started quickly and stay on top of
regulatory changes. Customers can leverage the GRC 10.0 content lifecycle management (CLM)
capabilities for this process.
The challenge with content is that it keeps evolving and is never complete. The approach described in
this “how-to guide” will help our customers better protect their value and better manage their risk,
compliance, and other GRC initiatives.
2. Background Information
The content starter kits described in this document are a collection of risks, controls, and KRI catalogs.
Some related master data entities such as risk drivers, impacts, business objectives, activities,
business processes, regulations, control objectives, and indirect entity-level controls are also included.
The content in these starter kits by no means provides complete coverage for a business process, line
of business, risk area, domain, or industry. SAP makes no such claim. It is simply a collection of
content sourced from internal and external providers, organized and aggregated to the best of our
abilities. It is the customer’s responsibility to review, change, and use (or not use) the content
packaged here.
The primary objective here is to define an Excel (XLS) based template for the risks and controls library
along with a process to deploy the content in the GRC solutions using CLM. Customers can
completely discard the SAP provided content, replace it with new content sourced internally or
externally, and, using the templates provided, leverage the same process for deployment. The intent is
to help customers get started quickly with their implementations and/or to provoke additional discussions
to modify and add content based on specific requirements.
The content is sourced from past projects with consulting partners such as PwC, Deloitte, and Protiviti.
For all such content SAP owns the intellectual property, and it can be used by GRC customers.
Some other content is sourced from best practice (free) frameworks and methodologies such as
COSO II ERM, Audit Standard 5, Basel II Annexure, S&P ERM Framework, and APQC Cross-Industry
Process Classification Framework (PCF). The document describes the source of content for each
entity in Section 4.
3. Prerequisites
The following software must be installed, configured, and ready to use for this how-to guide:
- GRC 10.0 (Process Control and Risk Management) with the latest service package.
- GRC 10.0 Content Lifecycle Management (CLM)
This document also assumes that the user is familiar with PC, RM, and CLM functionality and usage. For
additional help please refer to the following:
- GRC Risk Management 10.0 Help Portal
- GRC Process Control 10.0 Help Portal
- GRC Process Control 10.0 CLM User Guide
4. GRC Content Starter Kits
This section describes a repeatable process (providing template definitions and using CLM) for
customers to leverage content provided by the following three starter kits:
- Controls Starter Kit
- Risks Starter Kit
- KRI Starter Kit
The content in these starter kits is included in the associated ZIP file.
The Controls Library and the Risks Library XLS documents also provide the template for any
similar content that customers may source internally or externally.
4.1 Controls and Risks Starter Kits
4.1.1 Controls Starter Kit Content Details
Worksheet: Regulations
  Content Details: Listing of Regulation Groups and Regulations.
Worksheet: Risks
  Content Details: Listing of control specific Risks.
Worksheet: Business Processes
  Content Details: Listing of Business Processes and Sub-process structure. Where applicable Sub-processes are linked with Regulations, Control Objectives, and Risks.
Worksheet: Control Objectives
  Content Details: Listing of Control Objectives.
Worksheet: Controls
  Content Details: Listing of Controls organized by Sub-processes. Where applicable Controls are linked with Regulations and Risks.
Content Source for the five worksheets above: Aggregation of all Process Control specific content acquired by SAP from projects with Deloitte and Protiviti. SAP owns the intellectual property for this content.
Worksheet: Indirect Entity Level Controls
  Content Details: Listing of Indirect Entity Level Control Groups and Controls.
  Content Source: Draft of the updated COSO Internal Control – Integrated Framework available for public comments. The framework updates are proposed by PwC and the COSO Advisory Council. The Indirect ELC Groups and Controls are the “principles” and “attributes” proposed for the COSO “components”.
4.1.2 Controls Starter Kit Template Details
The Controls Starter Kit Excel (XLS) document also serves as a simple template for managing and
deploying the SAP provided content or similar content that customers may have developed internally
or sourced from a third-party.
In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple
and does not capture all the entity relationships that are possible within GRC Process Control. The
objective is that listings of basic master data entities can be managed with this template. Once
deployed in the system users can then create the relationships using GRC Process Control.
4.1.3 Risks Starter Kit Content Details
Worksheet: Driver Categories
  Content Details: Listing of Risk Drivers / Causes.
Worksheet: Impact Categories
  Content Details: Listing of Business Impacts / Consequences.
Worksheet: Objectives
  Content Details: Listing of Business Objectives.
Content Source for the three worksheets above: SAP Internal – GRC Solution Management and Solution Marketing.
Worksheet: Activities
  Content Details: Listing of Business Activities / Processes.
  Content Source: APQC Cross-Industry Process Classification Framework (PCF). This content is freely available for APQC members and also for any user registered with APQC. SAP is a registered APQC customer. Please note that this content can be used freely with customers with the express notification of the content source – APQC.
Worksheet: Risk Catalog
  Content Details: Risk Classification structure along with Risk Templates. The Risk Catalog is also organized by industry-specific taxonomies.
  Content Source: The Risk Catalog is a combination of content sourced from the Basel II Annexure and the S&P ERM Framework. The Basel II taxonomies are applicable for Financial Services (Banking and Insurance). The non-financial industry taxonomies are based on the S&P ERM Framework.
Worksheet: Response Catalog
  Content Details: Listing of Risk Responses.
  Content Source: SAP Internal – GRC Solution Management and Solution Marketing.
4.1.4 Risks Starter Kit Template Details
The Risks Starter Kit Excel (XLS) document also serves as a simple template for managing and
deploying the SAP provided content or similar content that customers may have developed internally
or sourced from a third-party.
In each of the worksheets the mandatory entity attributes are marked with a *. This template is simple
and does not capture all the entity relationships that are possible within GRC Risk Management. The
objective is that listings of basic master data entities can be managed with this template. Once
deployed in the system users can then create the relationships using GRC Risk Management.
4.1.5 Recommended Usage and Restrictions
The content in these starter kits by no means provides complete coverage for a business process, line
of business, risk area, domain, or industry. SAP makes no such claim. It is simply a collection of
content sourced from internal and external providers, organized and aggregated to the best of our
abilities. It is the customer’s responsibility to review, change, and use (or not use) the content
packaged here. Rather, the purpose of this “how-to guide” is to describe content templates along with
a repeatable process using CLM to manage and deploy content.
Prior to using this content, customers are expected to review, filter, and update the content as
necessary before proceeding with content import. Some key suggestions:
- Unique IDs are included in these service packs with a prefix. These IDs are simply generated for
ease of use and may not match the customer requirements. Hence, these will need to be reviewed
and updated.
- All IDs are mapped to the “name” attribute for each entity. This might not be applicable for most
customers and as such will need to be reviewed and updated. However, note that the “name”
attributes support only 40 characters in length. The Excel (XLS) templates and the CLM templates
will support unlimited characters, but during import these attributes will get truncated to the first 40
characters.
- It is not expected that all content in the starter kits will be applicable for a customer. Hence, the
customer will first need to review and remove unwanted content. Customers can also choose to
ignore entire entities that are not applicable.
- The content does not attempt to define the entity relationships, to keep things simpler. Customers
can either define these entity relationships in the templates or import the content and define the
entity relationships using the GRC Process Control and Risk Management solutions. The import
procedure described in Section 4.1.6 below does not include import of most entity relationships.
- Management and deployment of different content, either sourced internally or from external third
parties, is possible by first translating the content into the template format provided and then using
the import procedure described in Section 4.1.6.
4.1.6 Quick CLM Primer
This section provides a quick CLM primer covering the intended usage for external content upload. This is critical as it applies when executing the import procedure. Please note that it is not the purpose of this document to be a CLM user guide. See the GRC Process Control 10.0 CLM User Guide for more details. The following details about CLM functionality should be noted:
- The primary usage of CLM is to manage content deployments between GRC landscapes for customers and partners. The CLM “mass edit” functionality is being leveraged here to import external content included in the starter kits.
- CLM supports two kinds of formats: the Hierarchical XML Schema and the Flat XML Schema, which is essentially the Excel (XLS) interface.
- CLM supports both schema formats for GRC Process Control and only the Hierarchical XML Schema for GRC Risk Management. However, only the Flat XML Schema (Excel interface) is used for editing. Customers can also edit using the Hierarchical XML Schema, but working directly with XML documents is very cumbersome.
  o Hence, this document can only leverage the Flat XML Schema for GRC Process Control, and not all entities in the Controls and Risks Starter Kits can be imported. However, since all the content is master data related and master data entities are common GRC 10.0 components, most data can be imported.
  o All entities except the “Objectives” and “Activities” catalogs from the Risks Starter Kit can be imported with the Flat XML Schema. The Hierarchical XML Schema for GRC Risk Management can be used to import the “Objectives” and “Activities” catalogs.
- Although CLM handles content package “differences”, such capabilities cannot be leveraged here as
this is external content. After a first time deployment of the content, CLM will generate and assign
unique identifiers (IDs) for each record. As these unique identifiers are not part of the external
content in these starter kits, the CLM “differences” capabilities cannot be used. Of course, once the
content is deployed to a particular landscape it can be transported with “differences” management
within CLM. In other words, the purpose here is to import once and then manage content across
multiple landscapes with CLM. Of course the process can be repeated for new (additional) content
imports.
4.1.7 Import Procedure using CLM
4.1.7.1 Step 1: Data Preparation
- Review and update (change, delete, add) the content in the Controls and Risks Starter Kit.
- Save the changes as a new file/document.
4.1.7.2 Step 2: Download and Extract CLM Template
- Ensure that CLM is configured and set up to extract and deploy content to the GRC Process Control Landscape you need.
- Check that CLM error logging is enabled on the GRC Process Control Landscape. Using transaction SM30, enter “GRFNVLOGENABLE” in “Table/View” and click “Display”.
  o Ensure that “IO_IMPORT” and “IO_EXPORT” are filled in the table.
- Extract the content from the GRC Process Control 10.0 Landscape into CLM using the “Extract” button and choosing the appropriate GRC Process Control Landscape.
- In case of extraction errors, use transaction SLG1 to check the error logs both on the GRC Process Control Landscape and on the CLM system backend:
  o For the GRC Process Control Landscape extraction error log, enter “GRFN” in “Object” --> enter “IO_EXPORT” in “Subobject”
  o For the CLM system extraction error log, enter “/POA/CLM” in “Object” and “CHECKPOINT” in “Subobject”
  Additional details are available on the CLM Troubleshooting Wiki Page.
- Using “Mass Edit Download to Excel”, download the extracted content package.
  o CLM will generate a ZIP file for download. This ZIP will contain an XLSM and an XML file.
  o Unzip these into a new folder on your local disk.
  o The XLSM file is the GRC Process Control 10.0 Flat XML Schema that can be used with Microsoft Excel 2007 or higher.
4.1.7.3 Step 3: Update CLM Template
Open the downloaded XLSM file using Microsoft Excel. The GRC Process Control CLM schema includes all “configuration” and “master data” entities. The table below shows the type of each entity (XLS Worksheet) in the schema.
Configuration: Impact Category, Driver Category, Control Objective Category, Financial Statement Assertion, Sampling Method, Industry, Transaction Type, Control Category, Control Significance, Level of Evidence, Control Rating, Range, Automation, Control Purpose, Nature of Control, Relevance, Control Group, Control Subgroup, Frequency, Test Automation, Testing Technique, IELC Operation Frequency
Master Data: Regulation Group, Regulation, Regulation Requirement, Organization, Risk Category, Risk Template, Control Objective, Account Group, Test Plan, Central Process, Central Subprocess, Central Control, Central IELC Group, Central IELC
The content in the Controls and Risks Starter Kit only maps to some of the entities in the CLM schema. Hence, as part of the update procedure you only need to update some worksheets in the document. Table below shows this mapping.
Controls Starter Kit
  Regulations worksheet: Regulation Group, Regulation, Regulation Requirement
  Risks worksheet: Risk Category, Risk Template
  Business Processes worksheet: Central Process, Central Subprocess
  Control Objectives worksheet: Control Objective
  Controls worksheet: Central Control
  Indirect ELCs worksheet: Central IELC Group, Central IELC
Risks Starter Kit
  Driver Categories worksheet: Driver Category
  Impact Categories worksheet: Impact Category
  Risk Catalog worksheet: Risk Category, Risk Template
Content in the remaining worksheets can be left as is. During deployment CLM will find that there are no changes in these other worksheets and will simply ignore this content. The sections below describe how to map the content from the starter kit worksheets into the corresponding CLM worksheets. Please note the following general principles for updating data in the CLM worksheets:
- To insert new data, expand the “dark and blue shaded” rows. If you enter new data without expanding the background and directly add it in the white background rows, CLM will ignore this new content.
  o Screenshot (not reproduced): correct updates, with the new rows entered in the expanded shaded area.
  o Screenshot (not reproduced): incorrect updates, which CLM will ignore, with the same rows entered directly in the white background rows.
  Both screenshots contain the same sample rows; only their placement differs:
  ID                   Name                     Description
  IMPCAT/0000000101    Quality                  Decline in product or service quality
  IMPCAT/0000000102    Customer Service         Decline in customer service levels
  IMPCAT/0000000103    Expenses                 Increase in expenses / costs
  IMPCAT/0000000104    Revenue                  Loss of revenues
  IMPCAT/0000000105    Information Reliability  Unreliable business information
- Each CLM worksheet/entity has an ID column. Some worksheets have additional ID columns to specify entity relationships. IDs can be specified in any format as long as there is a unique ID for each new element. CLM will use the unique ID to determine the new elements to be added and will also replace the ID with internally generated IDs.
  o For purposes of this procedure it is recommended to create these unique IDs using the format specified in each of the sections below.
Mapping Driver Categories and Impact Categories
Either delete all rows from the “Driver Category” and “Impact Category” CLM worksheets or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Impact Category
  ID: Specify IDs using the IMPCAT/00000001, IMPCAT/00000002, IMPCAT/00000003, … format
  Name: Impact Categories worksheet, Impact Category (Column A)
  Description: Impact Categories worksheet, Impact Category Description (Column B)
CLM Entity: Driver Category
  ID: Specify IDs using the DRVCAT/00000001, DRVCAT/00000002, DRVCAT/00000003, … format
  Name: Driver Categories worksheet, Driver Category (Column A)
  Description: Driver Categories worksheet, Driver Category Description (Column B)
NOTE: In testing/validations so far, CLM is not importing updates to any “configuration” data elements. Hence, during the content upload the “Driver Category” and “Impact Category” are not getting deployed. However, the good part is that these two are the only “configuration” data elements from the Controls and Risks Starter Kits. Once this issue is resolved the procedure described above will work. There is also a simple workaround to add new “Driver Categories” and “Impact Categories”:
1. Log on to the backend and open the IMG (transaction SPRO).
2. Open the “Governance, Risk and Compliance --> Shared Master Data Settings --> Risk and Opportunity Attributes --> Maintain Impact Categories” IMG entry and add the new data manually.
3. For bulk update, copy (Ctrl+C) data from the starter kits and update the IMG entry with Ctrl+Y followed by Ctrl+V.
4. Repeat steps 2 and 3 for “Governance, Risk and Compliance --> Shared Master Data Settings --> Risk and Opportunity Attributes --> Maintain Driver Categories”.
Mapping Regulations
Prior to using new “Regulations” that will be deployed using the starter kit content, users must perform setup to define a new “Regulation Configuration” for each new regulation that needs to be used. Please see the Multi-Compliance Framework document for the procedure for performing this setup. Please note that a regulation is quite a complex object in GRC Process Control and requires a lot of setup in the IMG prior to use. As the document referenced above will show, this can be quite time consuming. Hence, it is important to first identify which regulations need to be deployed as part of Step 1 above before proceeding further here.
Another CLM “nuance” is the requirement to have at least one “Regulation Group” and “Regulation” with the associated “Regulation Configuration” defined in the GRC Landscape. Hence the CLM “Regulation” worksheet should have at least one row of data. Although as part of content deployment we are adding new regulations, the CLM upload fails unless there is one existing regulation defined and extracted in the Step 2 above.
To insert new data proceed as described below.
CLM Entity: Regulation Group
  ID: Specify IDs using the REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, … format
  Name: Regulations worksheet, Regulation Group (Column A)
  Parent: Specify the ID of the parent Regulation Group (REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, … format) to form a hierarchical structure. Note that in the content starter kits there is a single “Regulation Group” level defined, so this column will be blank. However, the system supports an N-level structure for “Regulation Groups”, and this “Parent” column can be used to specify such a hierarchical structure.
CLM Entity: Regulation
  ID: Specify IDs using the REGULATION/00000001, REGULATION/00000002, REGULATION/00000003, … format
  Name: Regulations worksheet, Regulation (Column B)
  Description: Regulations worksheet, Regulation Description (Column C)
  Parent: Specify the ID of the parent Regulation Group using the REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, … format
  Assign Regulation Configuration: Specify the new “Regulation Configuration” text identified as defined in the IMG setup
CLM Entity: Regulation Requirement
  ID: Specify IDs using the REG_REQ/00000001, REG_REQ/00000002, REG_REQ/00000003, … format
  Name: Regulations worksheet, Regulation Requirement (Column E)
  Parent: Specify the ID of the parent Regulation using the REG_GROUP/00000001, REG_GROUP/00000002, REG_GROUP/00000003, … format
Mapping Risks and Risk Catalog
The “Risk Catalog” consists of “Risk Categories” and “Risk Templates” and is a shared master data entity between GRC Process Control and GRC Risk Management.
Hence, here the “Risks” worksheet in the Controls Starter Kit and the “Risk Catalog” worksheet in the Risks Starter Kit will both be mapped for deployment. The “Risk Catalog” worksheet in the Risks Starter Kit consists of risk categories and risk templates, but the “Risks” worksheet in the Controls Starter Kit is simply a list of risk templates. Hence, the first step is to assign (choose) a parent “Risk Category” from the available structure in the “Risk Catalog” for these risk templates. Here all the risk templates from the Controls Starter Kit will be deployed under the “Management Risks --> Compliance --> Regulation compliance risks” risk category. This new “Regulation compliance risks” category does not exist in the Risks Starter Kit but will be created in the CLM upload data. Customers can choose to define these control risk templates with any category name mapped anywhere in the risk catalog.
Either delete all rows from the “Risk Category” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Risk Category
  ID: Specify IDs using the CRGROUP/00000001, CRGROUP/00000002, CRGROUP/00000003, … format
  Name: Risk Catalog worksheet, Risk Category 1 (Column A), or Risk Category 2 (Column B), or Risk Category 3 (Column C), or Risk Category 4 (Column D), or Risk Category 5 (Column E)
  Parent: Specify the ID of the parent Risk Category using the CRGROUP/00000001, CRGROUP/00000002, CRGROUP/00000003, … format
The “Risk Catalog” in the Risks Starter Kit defines a five-level hierarchical categorization structure. This structure needs to be captured in the “Risk Category” CLM worksheet.
Add a new row for the “Regulation compliance risks” category under the “Management Risks --> Compliance” parent category.
Either delete all rows from the “Risk Template” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Risk Template
  ID: Specify IDs using the CRISK/00000001, CRISK/00000002, CRISK/00000003, … format
  Name: Risk Catalog worksheet, Risk (Column F) in the Risks Starter Kit, or Risks worksheet, Risk (Column A) in the Controls Starter Kit
  Description: Risk Catalog worksheet, Risk Description (Column G) in the Risks Starter Kit, or Risks worksheet, Risk Description (Column B) in the Controls Starter Kit
  Parent: Specify the ID of the parent Risk Category using the CRGROUP/00000001, CRGROUP/00000002, CRGROUP/00000003, … format
Review the “parent” entries such that the risk catalog structure described in the Controls and Risks Starter Kit is replicated in the CLM worksheets.
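The Risk Category and Risk Template mapping above, together with the 40-character “name” limit noted in Section 4.1.5, as an added example that is not part of the SAP guide: a Python script that turns starter-kit rows into CLM “Risk Category” and “Risk Template” rows with CRGROUP/ and CRISK/ IDs and parent links, and flags names the import would truncate. The worksheet column headers, the category path for Controls Starter Kit risks, and the sample rows are assumptions.

```python
# Added example, not code from the SAP guide: build CLM "Risk Category" and
# "Risk Template" rows from starter-kit rows using the CRGROUP/NNNNNNNN and
# CRISK/NNNNNNNN ID formats the guide prescribes, and flag names longer than
# the 40 characters the CLM import silently truncates to.
from collections import OrderedDict

NAME_LIMIT = 40  # "name" attributes are truncated to 40 characters on CLM import
# Assumed headers for Columns A..E of the "Risk Catalog" worksheet
CATEGORY_COLUMNS = ["Risk Category 1", "Risk Category 2", "Risk Category 3",
                    "Risk Category 4", "Risk Category 5"]
# Category path the guide places the Controls Starter Kit risk templates under
CONTROL_RISK_PATH = ("Management Risks", "Compliance", "Regulation compliance risks")


def make_id(prefix, n):
    """Build a placeholder ID such as CRGROUP/00000001 (CLM replaces it on import)."""
    return f"{prefix}/{n:08d}"


def category_path(row):
    """Return the non-blank category cells of a Risk Catalog row as a path tuple."""
    path = []
    for column in CATEGORY_COLUMNS:
        value = (row.get(column) or "").strip()
        if not value:
            break  # first blank cell ends this row's hierarchy
        path.append(value)
    return tuple(path)


def build_clm_rows(catalog_rows, control_risk_rows=()):
    """Return CLM worksheet rows plus warnings for names that will be truncated.

    catalog_rows: dicts keyed by the Risk Catalog headers (Columns A..G).
    control_risk_rows: dicts keyed by the Controls Starter Kit "Risks" headers.
    """
    categories = OrderedDict()  # full path tuple -> Risk Category row
    templates = []
    warnings = []

    def check_name(entity, name):
        if len(name) > NAME_LIMIT:
            warnings.append(f"{entity} name exceeds {NAME_LIMIT} characters "
                            f"and will be truncated on import: {name!r}")

    def category_id(path):
        # Create ancestors first so every Parent ID exists before its children
        if path not in categories:
            parent = category_id(path[:-1]) if len(path) > 1 else ""
            check_name("Risk Category", path[-1])
            categories[path] = {"ID": make_id("CRGROUP", len(categories) + 1),
                                "Name": path[-1], "Parent": parent}
        return categories[path]["ID"]

    def add_template(name, description, path):
        check_name("Risk Template", name)
        templates.append({"ID": make_id("CRISK", len(templates) + 1),
                          "Name": name, "Description": description,
                          "Parent": category_id(path)})

    for row in catalog_rows:
        path = category_path(row)
        if not path:
            raise ValueError(f"Risk Catalog row has no category: {row}")
        add_template(row["Risk"].strip(), row.get("Risk Description", "").strip(), path)

    # Controls Starter Kit risks are a flat list; attach them under the chosen category
    for row in control_risk_rows:
        add_template(row["Risk"].strip(), row.get("Risk Description", "").strip(),
                     CONTROL_RISK_PATH)

    return {"Risk Category": list(categories.values()),
            "Risk Template": templates, "warnings": warnings}


# Constructed sample rows, not the starter kits' actual content
SAMPLE_CATALOG = [
    {"Risk Category 1": "Operational Risk", "Risk Category 2": "Internal Fraud",
     "Risk Category 3": "Unauthorised Activity", "Risk": "Transactions not reported",
     "Risk Description": "Transactions intentionally not reported"},
    {"Risk Category 1": "Operational Risk", "Risk Category 2": "Internal Fraud",
     "Risk Category 3": "Theft and Fraud", "Risk": "Misappropriation of assets",
     "Risk Description": "Assets misappropriated by employees"},
    {"Risk Category 1": "Operational Risk", "Risk Category 2": "External Fraud",
     "Risk Category 3": "Theft and Fraud", "Risk": "Theft or robbery",
     "Risk Description": "Theft or robbery by third parties"},
]
SAMPLE_CONTROL_RISKS = [
    {"Risk": "Regulatory filings not submitted within statutory deadlines",
     "Risk Description": "Late or missing regulatory filings"},
]

if __name__ == "__main__":
    result = build_clm_rows(SAMPLE_CATALOG, SAMPLE_CONTROL_RISKS)
    for sheet in ("Risk Category", "Risk Template"):
        print(sheet)
        for clm_row in result[sheet]:
            print("  ", clm_row)
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Categories are keyed by their full path, so a name that recurs under two parents (“Theft and Fraud” in the sample) becomes two CLM rows with different Parent IDs, which is what the five-level structure requires.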
Mapping Control Objectives
Either delete all rows from the “Control Objective” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Control Objective
  ID: Specify IDs using the COBJECTIVE/00000001, COBJECTIVE/00000002, COBJECTIVE/00000003, … format
  Name: Control Objectives worksheet, Control Objective (Column A)
  Description: Control Objectives worksheet, Control Objective Description (Column C)
  Objective Category: Although the Control Objectives worksheet, Control Objective Category (Column B) shows objective categories, we are not adding new objective categories. Objective categories are configuration data, and the current categories that exist in the system will be extracted in the CLM worksheet “Control Objective Category”. Hence, here the CLM IDs from the “Control Objective Category” worksheet need to be copied over for each new Control Objective entry. For ease of use you can assign the same “Control Objective Category” ID for all new Control Objectives being added and later update it in the system.
Mapping Business Processes
The “Business Processes” worksheet in the Controls Starter Kit defines the Process and Subprocess structure to be deployed. The “Subprocess” mappings with “Regulations”, “Control Objectives” and “Risks” are shown in the starter kit. This procedure does not describe the upload for these entity relationships and will only deploy the Process and Subprocess structure. Such entity relationships can be defined by the customer later using the system.
Either delete all rows from the “Central Process” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity: Central Process
  ID: Specify IDs using the XPROCESS/00000001, XPROCESS/00000002, XPROCESS/00000003, … format
  Name: Business Processes worksheet, Domain (Column A) or Business Processes worksheet, Process (Column B)
  Parent: Specify the ID of the parent Central Process using the XPROCESS/00000001, XPROCESS/00000002, XPROCESS/00000003, … format
The “Business Processes” worksheet in the Controls Starter Kit defines a two-level hierarchical categorization structure. This structure needs to be captured in the “Central Process” CLM worksheet.
Either delete all rows from the “Central Subprocess” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity         | Column | Starter Kit Mapping
Central Subprocess | ID     | Specify IDs in the XSUBPROCESS/00000001, XSUBPROCESS/00000002, XSUBPROCESS/00000003, … format
                   | Name   | “Business Processes” worksheet: Subprocess (Column C)
                   | Parent | Specify the ID of the parent Central Process in the XPROCESS/00000001, XPROCESS/00000002, XPROCESS/00000003, … format
Review the “parent” entries such that the Process and Subprocess structure described in the Controls Starter Kit is replicated in the CLM worksheets.
Mapping Controls
The “Controls” worksheet in the Controls Starter Kit defines the controls library to be deployed. The “Control” mappings with “Regulations” and “Risks” are shown in the starter kit. This procedure does not describe the upload for these entity relationships and will only deploy the list of controls. Such entity relationships can be defined by the customer later using the system.
Either delete all rows from the “Central Control” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity      | Column               | Starter Kit Mapping
Central Control | ID                   | Specify IDs in the XCONTROL/00000001, XCONTROL/00000002, XCONTROL/00000003, … format
                | Name                 | “Controls” worksheet: Control (Column A)
                | Description          | “Controls” worksheet: Control Description (Column B)
                | Parent               | Specify the ID of the parent Central Subprocess in the XSUBPROCESS/00000001, XSUBPROCESS/00000002, XSUBPROCESS/00000003, … format
                | Is Control           | Enter “X” for each Central Control entry
                | Automation           | Mandatory control attribute. The control automation types that currently exist in the system will be extracted into the CLM worksheet “Automation”; copy the CLM ID from that worksheet into each Central Control entry. For ease of use you can assign the same “Automation” ID to all new Central Controls being added and update them later in the system
                | Control Purpose      | Mandatory control attribute. The control purpose types that currently exist in the system will be extracted into the CLM worksheet “Control Purpose”; copy the CLM ID from that worksheet into each Central Control entry. For ease of use you can assign the same “Control Purpose” ID to all new Central Controls being added and update them later in the system
                | Allow Refer          | Enter “X” for each Central Control entry
                | Date or Event        | Enter “T” for each Central Control entry
                | To Be Tested         | Enter “X” for each Central Control entry
                | Test Automation (ID) | Mandatory control attribute. The test automation types that currently exist in the system will be extracted into the CLM worksheet “Test Automation”; copy the CLM ID from that worksheet into each Central Control entry. For ease of use you can assign the same “Test Automation” ID to all new Central Controls being added and update them later in the system
Review the “parent” entries so that each Control is tied to the correct Subprocess as described in the Controls Starter Kit.
The other control attributes listed above are mandatory control attributes in the system and need default values to avoid errors during content deployment.
Mapping Indirect ELC’s
Either delete all rows from the “Central IELC Group” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity         | Column      | Starter Kit Mapping
Central IELC Group | ID          | Specify IDs in the XECGROUP/00000001, XECGROUP/00000002, XECGROUP/00000003, … format
                   | Name        | “Indirect ELC’s” worksheet: Indirect ELC Group 1 (Column A) or Indirect ELC Group 2 (Column C)
                   | Description | “Indirect ELC’s” worksheet: Indirect ELC Group 1 Description (Column A) or Indirect ELC Group 2 Description (Column C)
                   | Parent      | Specify the ID of the parent Central IELC Group in the XECGROUP/00000001, XECGROUP/00000002, XECGROUP/00000003, … format
The “Indirect ELC’s” in the Controls Starter Kit defines a two level hierarchical categorization structure. This structure needs to be captured in the “Central IELC Group” CLM Worksheet.
Either delete all rows from the “Central ELC” CLM worksheet or insert new rows as described below. Either option is fine as we are only adding/deploying new content.
To insert new data proceed as described below.
CLM Entity  | Column      | Starter Kit Mapping
Central ELC | ID          | Specify IDs in the XECONTROL/00000001, XECONTROL/00000002, XECONTROL/00000003, … format
            | Name        | “Indirect ELC’s” worksheet: Indirect ELC Name (Column E)
            | Description | “Indirect ELC’s” worksheet: Indirect ELC Description (Column H)
            | Parent      | Specify the ID of the parent Central IELC Group in the XECGROUP/00000001, XECGROUP/00000002, XECGROUP/00000003, … format
Review the “parent” entries such that the Indirect ELC’s structure described in the Controls Starter Kit is replicated in the CLM worksheets.
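The three mappings above (Central Process/Central Subprocess, Central Control, and Central IELC Group/Central ELC) share one shape: sequential IDs in the PREFIX/00000000 format and a Parent column that must name an existing row of the parent entity. The following Python script is an added example, not code from the SAP document or from GRC CLM itself. It builds the two worksheets for a two-level hierarchy from constructed sample rows laid out like the “Business Processes” worksheet, and then performs the “review the parent entries” step mechanically. The helper names, the row dictionaries and the sample data are assumptions; only the ID formats and the ID/Name/Parent columns come from the document.

```python
"""Generate CLM worksheet rows for a two-level hierarchy and check the Parent
links before the upload.

Added example, not code from the SAP document or from GRC CLM: the helper
names, the row dictionaries and the sample worksheet rows are constructed
here; only the ID formats (XPROCESS/00000001 etc.) and the columns
ID / Name / Parent come from the document.
"""
import re

# Constructed sample in the shape of the "Business Processes" worksheet:
# Column A = Domain, Column B = Process, Column C = Subprocess.
SAMPLE_BUSINESS_PROCESSES = [
    ("Finance", "Procure to Pay", "Vendor Master Maintenance"),
    ("Finance", "Procure to Pay", "Invoice Processing"),
    ("Finance", "Order to Cash", "Customer Credit Management"),
    ("Operations", "Inventory Management", "Physical Inventory Count"),
]

# CLM IDs as prescribed by the document: entity prefix, slash, eight digits.
ID_PATTERN = re.compile(r"^X[A-Z]+/\d{8}$")


def clm_id(prefix, n):
    """Format the n-th ID of an entity, e.g. clm_id("XPROCESS", 1)."""
    return f"{prefix}/{n:08d}"


def build_hierarchy_rows(triples, group_prefix, leaf_prefix):
    """Turn (level 1, level 2, leaf) triples into two CLM worksheets.

    Level 1 and level 2 names both become rows of the group entity (level 2
    rows point at their level 1 row via Parent); leaves become rows of the
    leaf entity pointing at their level 2 row.  The same shape covers
    Central Process / Central Subprocess and Central IELC Group / Central ELC.
    Returns (group_rows, leaf_rows), each a list of {ID, Name, Parent} dicts.
    """
    group_rows, leaf_rows, group_ids = [], [], {}
    for level1, level2, leaf in triples:
        if (level1, None) not in group_ids:
            gid = clm_id(group_prefix, len(group_rows) + 1)
            group_ids[(level1, None)] = gid
            group_rows.append({"ID": gid, "Name": level1, "Parent": ""})
        if (level1, level2) not in group_ids:
            gid = clm_id(group_prefix, len(group_rows) + 1)
            group_ids[(level1, level2)] = gid
            group_rows.append({"ID": gid, "Name": level2,
                               "Parent": group_ids[(level1, None)]})
        lid = clm_id(leaf_prefix, len(leaf_rows) + 1)
        leaf_rows.append({"ID": lid, "Name": leaf,
                          "Parent": group_ids[(level1, level2)]})
    return group_rows, leaf_rows


def check_parent_links(rows, parent_rows, parent_prefix):
    """The "review the Parent entries" step done mechanically.

    Returns a list of problem descriptions; an empty list means every ID is
    well formed and unique and every non-empty Parent names an existing row
    of the expected parent entity.
    """
    known = {r["ID"] for r in parent_rows}
    problems, seen = [], set()
    for r in rows:
        if not ID_PATTERN.match(r["ID"]):
            problems.append(f"{r['ID']}: ID is not in the PREFIX/00000000 format")
        if r["ID"] in seen:
            problems.append(f"{r['ID']}: duplicate ID")
        seen.add(r["ID"])
        parent = r["Parent"]
        if not parent:
            continue  # the top level of the hierarchy has no parent
        if parent == r["ID"]:
            problems.append(f"{r['ID']}: row is its own parent")
        elif not parent.startswith(parent_prefix + "/"):
            problems.append(f"{r['ID']}: parent {parent} is not a {parent_prefix} entity")
        elif parent not in known:
            problems.append(f"{r['ID']}: parent {parent} does not exist")
    return problems


def to_tsv(rows):
    """Tab-separated text in ID / Name / Parent order for pasting into the
    CLM worksheet."""
    return "\n".join(f"{r['ID']}\t{r['Name']}\t{r['Parent']}" for r in rows)


if __name__ == "__main__":
    processes, subprocesses = build_hierarchy_rows(
        SAMPLE_BUSINESS_PROCESSES, "XPROCESS", "XSUBPROCESS")
    print(to_tsv(processes))
    print(to_tsv(subprocesses))
    # Both worksheets must come back clean before the export to XML.
    print(check_parent_links(processes, processes, "XPROCESS"))
    print(check_parent_links(subprocesses, processes, "XPROCESS"))
```

Run check_parent_links on every worksheet before exporting; a non-empty list names an ID or Parent entry that the deployment would reject or attach to the wrong node. The same builder produces the Central IELC Group / Central ELC rows with the prefixes XECGROUP and XECONTROL, and Central Control rows take subprocess IDs as Parent and are checked against the subprocess worksheet with parent_prefix XSUBPROCESS.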
The CLM template that results from completing “Step 3: Update CLM Template” as described above (PC 10.0 CLM Upload.ZIP) is included in the associated ZIP file.
NOTE: Customers cannot skip “Step 3: Update CLM Template” above and proceed directly with the above ZIP file, because the CLM template will look a little different depending on the GRC Process Control Landscape where the new content will be deployed. Hence customers will need to complete this step as described; the above file is simply a sample for comparison. Moreover, customers will not deploy all the starter kit content as is, and “Step 1: Data Preparation” will result in a somewhat different content set.
4.1.7.4 Step 4: Save and Upload CLM Template
Save the updated CLM template as XML. Go to the “Developer” tab in Excel and click “Export” to save the document as XML under a new name.
o If you don’t see the “Developer” tab, go to “Excel Options” and check the “Show Developer tab in the Ribbon” checkbox under “Popular” options.
o The XML file generated (GRC RM and PC Starter Kits.XML) is included in the associated ZIP file.
o NOTE: The above XML file can be uploaded directly into CLM, but customers cannot skip “Step 3: Update CLM Template” above, because this XML file will differ based on the outcome of that step and the customer’s requirements. The above file is simply a sample for comparison.
Using “Mass Edit Upload from Excel” option find and upload the saved XML document. Note that you need to use the “Upload from Excel” option and select the XML file for upload.
In case of errors please use transaction SLG1 on the CLM system backend to view the error log.
o For the CLM deployment error log enter “/POA/CLM” in “Object” and “DEPLOYMENT” in “Subobject”.
Additional details are available on the CLM Troubleshooting Wiki Page.
4.1.7.5 Step 5: Deploy Content Set
Select the uploaded XML content group and deploy using the “Deploy” button and choosing the same GRC Process Control Landscape as used in Section 4.1.7.2.
In case of deployment errors please use transaction SLG1 to check error logs on the GRC Process Control Landscape:
o Enter “GRFN” in “Object” --> Enter “IO_IMPORT” in “Subobject”
Additional details are available on the CLM Troubleshooting Wiki Page.
Logon to the GRC Process Control Landscape and verify the new content imported.
4.1.8 Importing Objectives and Activities Catalog
As mentioned above, the “Objectives” and “Activities” catalogs from the Risks Starter Kit cannot be imported with the Flat XML Schema. Customers have the following options for importing these catalogs:
o Import using the Hierarchical XML Schema for GRC Risk Management. Editing XML documents can be very cumbersome, and this process is not described in this document.
o Set up the content manually in the GRC Risk Management system. The “Objectives” catalog is generally not very long and consists of only two levels of hierarchy – Strategy and Objective – so manual setup is not very time consuming. Additionally, it is only relevant for customers documenting and managing risks within the context of business objectives. The “Activities” catalog is long, and manual setup can be cumbersome.
Note that in GRC Risk Management there is “Master Data > Activities and Processes > Activity Hierarchy” and “Assessments > Risk Assessments > Activities”. Only the “Activity Hierarchy” is the master data entity supported by CLM. “Activities” (an Activity Hierarchy element tied to an Organization and Owner(s)) is the transactional entity and is not supported by CLM. However, only “Activities” can be used with “Risks”; hence “Activities” will need to be created from the “Activity Hierarchy” in order to leverage the content. The “Activities” worksheet in the Risks Starter Kit shows the “Activity Hierarchy” as a three-level taxonomy (Columns B, C, and D); the leaf level (Column E) is mapped as “Activities”. Again, this is just an SAP recommendation, and customers can choose to update and map this content to meet their needs. The “Activity Hierarchy” (master data) elements will have to be created manually, but the “Activities” (transactional data) can be uploaded directly in the system as shown below:
Go to “Assessments > Risk Assessments > Activities”.
Click “Download”. This generates an Excel (XLS) document of the Activities defined in the system. Open the Excel file.
To import new “Activities”, delete the contents of the Excel file and add new content using the mapping below. To update existing “Activities”, simply keep the rows and update them directly.
Column               | Value
Activity ID          | Leave blank for new Activities to be added
Activity             | New Activity name, restricted to 40 characters; Column E in the “Activities” worksheet in the Risks Starter Kit
Activity Category ID | Parent Activity Category ID in the format CACTIVITY/XXXXXXXX. To find the ID of the parent Activity Category, click “Create” to add a new Activity in the system and then click the icon to view the list of all Activity Categories; the listing shows the IDs for selection
Activity Category    | Activity Category name
Orgunit ID           | Orgunit ID in the format ORGUNIT/XXXXXXXX. To find the Orgunit ID, click “Create” to add a new Activity in the system and then click the icon to view the list of all Organization Units; the listing shows the IDs for selection
Organization         | Organization name
Activity Description | Detailed Activity description; can be left blank
Start Date           | Today’s date in the same format as in the export
End Date             | Enter 12/31/9999 in the same format as in the export
Save the updated Excel (XLS) document and click “Upload” to attach and import new (and/or updated) “Activities” content.
Please note that similar Upload/Download is also supported for the transactional entities of “Risks” and “Incidents”.
4.2 KRI Starter Kit
4.2.1 KRI Starter Kit Content Details
Worksheet                    | Content Details                                                                                                                                                               | Content Source
KRIs by Risk Drivers         | Listing of KRIs by risk driver category, including the driver category description. These are high-level KRIs that monitor risk drivers.                                        | SAP Internal – GRC Solution Management and Solution Marketing
KRIs by Risk Categories      | Listing of KRIs by top risk categories – Management Risks, Financial Risks, and Operational Risks. KRIs are organized by taxonomic risk categorization and also include the “KRI Unit” (type) as well as the “Source System” for KRI automation. | SAP Internal – GRC Solution Management and Application / LOB Solution Management
KRIs by Top Industry Risks   | Listing of KRIs by top industries. KRIs are organized by taxonomic risk categorization and also include the “KRI Unit” (type) as well as the “Source System” for KRI automation. | SAP Internal – GRC Solution Management and IBU’s
KRIs by Basel Risk Categories | Listing of KRIs organized by the Basel risk categories. These KRIs will typically only be applicable to Financial Services (Banking and Insurance) customers.                  | SAP Internal – Banking IBU
4.2.2 Using KRIs from the Starter Kit
The intent of this library is to get customers started with KRIs quickly and, in most cases, to guide the discussion towards identifying the right set of KRIs based on specific risks, risk drivers, and risk categories. Some of the KRIs include an SAP Source System that can be used to automate the KRI. Again, the intent here is simply to initiate discussions and point customers in the right direction for KRI automation.
The KRIs listed here can easily be leveraged in the GRC Risk Management solution as “manual KRIs”. Please refer to Appendix A for details on how to set up and use a “manual KRI”. Our recommendation for customers is to implement applicable KRIs as “manual KRIs” and plan for automation in a later project phase.
5. Appendix
5.1 Appendix A – Using Manual Key Risk Indicators (KRIs)
This appendix describes the procedure for setting up and using manual key risk indicators (KRIs) along with the associated business rules. The procedure also describes how users can enter manual values for the KRIs and trigger business rule evaluation.
GRC Risk Management Service Pack 05 introduces the ability to set up and use manual KRIs. Earlier, KRIs were automated and needed to be tied to either an SAP Query, an SAP BW Query, or a Web Service to fetch the indicator value. Manual KRIs allow users to enter the indicator value manually and trigger business rule evaluation.
Automated KRIs can require significant implementation time and the right kind of consultants for setup and use. Manual KRIs can be set up directly by Risk Owners and Managers and used immediately. Moreover, KRIs are most widely used in risk management in a financial services industry context. Here most KRIs are aggregations of values sourced from multiple internal and external systems, making KRI automation all the more difficult and time consuming. Many financial services customers may also rely on an external monitoring service to gather KRI values. In such instances manual KRIs offer a quick and efficient way to leverage KRIs for risk and organizational monitoring.
Please note that the nature of the KRI function is the same for the automated and manual types, the only difference being how the indicator value is sourced. The definition of KRI business rules and their evaluation also remains the same. This appendix does not describe how KRIs work in GRC Risk Management but only how manual KRIs can be set up and used. It is assumed that the user is familiar with the KRI function in GRC Risk Management.
Example
Consider the risk “Litigations resulting from mispricing” under the “Retail Banking” business unit. The user would like to set up the following manual KRIs for risk monitoring:
KRI       | KRI Template (Value Type)  | Description
KRI_10118 | Numeric (Count)            | Class Action Litigation - Number of Accounts Affected by Litigation resulting from Mispricing
KRI_10119 | Numeric (Count)            | Class Action Litigation - Number of Cases resulting from Mispricing
KRI_10120 | Percentage                 | Class Action Litigation - Percentage of Total Accounts Affected by Mispricing Litigation
KRI_10121 | Monetary Amount (Currency) | Class Action Litigation - Total Value of Cases resulting from Mispricing
For risk monitoring user would like to define the following two business rules:
Business Rule                           | Description                                                                                          | Monitoring Criteria
Monitor case value from mispricing      | Monitor the total amount of case value resulting from mispricing                                     | Notify risk owner if: KRI_10121 >= EUR 10,000,000.00
Monitor accounts affected by mispricing | Monitor accounts (total number and percentage) affected by mispricing including total value of cases | Notify risk owner if: (KRI_10118 >= 1,000.00 AND KRI_10120 >= 50.00) OR KRI_10119 >= 25.00
The user would like to provide the following values manually for the KRIs, which should result in a violation of both the above business rules.
KRI       | Value
KRI_10118 | 1,250.00
KRI_10119 | 55.00
KRI_10120 | 48.00 %
KRI_10121 | EUR 20,000,000.00
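To make the expected outcome concrete before walking through the system steps, the following Python script is an added example and not part of the SAP document or of GRC Risk Management: it encodes the two monitoring criteria as predicates over the entered values and reports which rules fire. The KRI IDs, rule names, thresholds and values are the ones in the tables above; the KriValue class, the function names and the entry checks (percentage range, three-letter currency code) are constructed here. It goes slightly beyond the tables by rejecting values that break the entry constraints described later in the procedure and by computing the “Change” column of the value input wizard.

```python
"""Evaluate the two KRI business rules of the worked example against the
manually entered KRI values.

Added example; not part of the SAP document or of GRC Risk Management.
The KRI IDs, rule names, thresholds and values come from the text; the
KriValue class, validate_value(), evaluate_rules() and change_direction()
are constructed here to show what the business rule evaluation computes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class KriValue:
    amount: float
    currency: Optional[str] = None  # set only for Monetary Amount templates
    is_percentage: bool = False     # Percentage template values are plain numbers


def validate_value(kri_id: str, value: KriValue) -> Optional[str]:
    """Apply the entry constraints the procedure states: percentages between
    1 and 100, monetary amounts carrying a currency code.  Returns a problem
    description, or None when the value is acceptable."""
    if value.is_percentage and not 1 <= value.amount <= 100:
        return f"{kri_id}: percentage must lie between 1 and 100"
    if value.currency is not None and not (len(value.currency) == 3 and value.currency.isalpha()):
        return f"{kri_id}: currency code must be a 3-letter code such as EUR"
    return None


def amount(values: Dict[str, KriValue], kri_id: str, currency: Optional[str] = None) -> float:
    """Fetch a KRI value, insisting on the expected currency where one is given."""
    value = values[kri_id]
    if currency is not None and value.currency != currency:
        raise ValueError(f"{kri_id}: expected {currency}, got {value.currency}")
    return value.amount


# Monitoring criteria of the two business rules, as predicates over the values.
BUSINESS_RULES: Dict[str, Callable[[Dict[str, KriValue]], bool]] = {
    "Monitor case value from mispricing":
        lambda v: amount(v, "KRI_10121", "EUR") >= 10_000_000.00,
    "Monitor accounts affected by mispricing":
        lambda v: (amount(v, "KRI_10118") >= 1_000.00
                   and amount(v, "KRI_10120") >= 50.00)
                  or amount(v, "KRI_10119") >= 25.00,
}

# The values the user enters manually in the example.
EXAMPLE_VALUES: Dict[str, KriValue] = {
    "KRI_10118": KriValue(1_250.00),
    "KRI_10119": KriValue(55.00),
    "KRI_10120": KriValue(48.00, is_percentage=True),
    "KRI_10121": KriValue(20_000_000.00, currency="EUR"),
}


def evaluate_rules(values: Dict[str, KriValue], rules=BUSINESS_RULES) -> List[str]:
    """Return the names of the rules whose criteria are met, i.e. the rules
    that would flag the risk and notify the risk owner.  Invalid entries are
    rejected before any rule is evaluated."""
    problems = [p for k, v in values.items() if (p := validate_value(k, v))]
    if problems:
        raise ValueError("; ".join(problems))
    return [name for name, criterion in rules.items() if criterion(values)]


def change_direction(previous: Optional[float], new: float) -> str:
    """What the 'Change' column of the value input wizard indicates: 'up',
    'down' or 'same' against the previous value, 'n/a' on first entry."""
    if previous is None:
        return "n/a"
    if new > previous:
        return "up"
    if new < previous:
        return "down"
    return "same"


if __name__ == "__main__":
    for rule in evaluate_rules(EXAMPLE_VALUES):
        print(f"violated: {rule}")
```

With the example values the first rule fires on the monetary amount alone, and the second fires through its OR branch (KRI_10119 = 55 >= 25) even though the AND branch fails because KRI_10120 = 48 is below 50; that is why the text expects both rules to be violated.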
Procedure
Step 1: Setup KRI Templates
Set up (or check the availability of) the necessary KRI Templates. For this example three KRI Templates – Numeric (Count), Percentage, and Monetary Amount (Currency) – should be defined. KRI Template definition is the same for automated and manual KRIs.
KRI Templates are available under “Rule Setup > Key Risk Indicators > KRI Templates”. Open the KRI Template Catalog list and define the necessary templates. The screen shot below shows the definition of the Percentage KRI Template. Note that the “System”, “Business Process”, and “Component” attributes are neither mandatory nor relevant for manual KRIs.
Step 2: Define Manual KRI Instances
Manual KRIs only has instances. Automated KRIs requires a KRI Implementation which can be
leveraged into multiple instances. Note that with GRC Risk Management Service Pack 05, KRIs can
be defined for Organizational Entities and Risks.
Open details for a Risk or an organizational entity and go to the “Key Risk Indicators” tab. Click
“Create Manual KRI Instance”. This will open the screen below. Complete the necessary details for
KRI_10118 as shown and click “Activate”.
This sets up the manual KRI instance. Repeat the steps to define the other three KRIs as shown below.
Step 3: Define KRI Business Rules
Under the same tab set up the two business rules as described above. This setup is common to both types of KRIs. The screen below shows the “Monitor case value from mispricing” rule definition and evaluation expression.
For both business rules the “action” is to flag the risk and notify the risk owner by email. No risk re-assessment work items will be generated.
Now both business rules have been defined as shown below. Save the risk or the organizational entity.
Step 4: Enter KRI values
Go to “Rule Setup > Key Risk Indicators > KRI Value Input”.
Here the user can enter individual values for a KRI instance, or upload a file with a list of historical values by choosing the “Input via File Upload” mode and selecting the KRI instance.
Click the “0 KRI Instances selected” link at the bottom left. Find the four KRIs – KRI_10118, KRI_10119, KRI_10120, and KRI_10121 – select them and move them to the right-hand side. Click “OK”.
Click “Next”. Here the user can see the previous values provided and can enter new values. If the KRI values are being entered for the first time, the previous values column will be blank. Note that, based on the KRI Template type, the user will have to select a currency code (EUR) for the monetary amount KRI_10121. The system treats percentages as numeric values, so it does not show any special markings, but for KRI_10120 please enter values between 1 – 100.
For the “Input via File Upload” mode the user can download a template from the “Get Template” link. The template (XML or Excel) can be populated with historical values and uploaded here.
Click “Next”. Review the new values. The “Change” column indicates whether the values are going up, going down, or remaining the same compared with the previous values. If necessary the user can click “Previous” to change the values.
Click “Finish”. This will update the KRI values and trigger business rule evaluation. This step is the
same as running the GRRM_KRI_RUNTIME backend program to fetch values for the automated KRIs
and evaluate business rules.
Click “Close”.
Step 5: View Results
Open the “Litigations resulting from mispricing” risk again and go to the Key Risk Indicators tab. Here the user can see that new values (“Last update” timestamp) are available for the KRIs and that the business rules have been evaluated again (“Last update” timestamp). Both rules have been violated and the risk owner is notified by email.
6. Copyright
© 2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,
System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,
S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,
POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,
Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are
trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology
invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their respective logos
are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of Business Objects
Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products
and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications
may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and
its affiliated companies ("SAP Group") for informational purposes only, without representation or
warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the
materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should
be construed as constituting an additional warranty.