Saphelp Grcrm101 en 13 De98bd929b45ac9cb6ad56d3ccb9c8 Content

SAP Risk Management
PDF download from SAP Help Portal:

http://help.sap.com/saphelp_grcrm101/helpdata/en/13/de98bd929b45ac9cb6ad56d3ccb9c8/content.htm
Created on April 17, 2016
The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help
Portal.
Note
This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.
The selected structure has more than 150 subtopics. This download contains only the first 150 subtopics. You can manually download the missing
subtopics.
© 2016 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP
SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are
provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set
forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in
Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Table of content
PUBLIC Page 1 of 194

© 2014 SAP SE or an SAP affiliate company. All rights reserved.
Table of content
1 SAP Risk Management
1.1 Integration
1.1.1 Integration with Process Control
1.1.1.1 Reusing the PC Central Process Hierarchy in RM
1.2 Key Concepts
1.2.1 Risk Management Process
1.2.2 Levels of Authorization
1.2.2.1 Standard Roles and Authorization Objects
1.2.2.2 Risk Management Application Roles
1.2.3 Workflows
1.2.3.1 Agent Determination
1.2.4 Analysis Automation: Integration with EH&S
1.2.5 Customer-Defined Fields
1.2.5.1 Adding Customer-Defined Fields
1.2.6 Risk-Related Terminology
1.2.7 Operational Data Provisioning in RM
1.2.7.1 Authorization
1.2.7.2 CDF Support in ODP
1.2.7.3 Search and Analytic Models
1.2.7.3.1 Search and Analytics Models (Common)
1.2.7.3.1.1 Ad-Hoc Issue
1.2.7.3.1.2 Business Rule
1.2.7.3.1.3 Data Source
1.2.7.3.1.4 Organization Unit
1.2.7.3.1.5 Organization Hierarchy
1.2.7.3.1.6 Policy
1.2.7.3.1.7 Risk
1.2.7.3.1.8 Timeframe
1.2.7.3.1.9 Timeframe Frequency
1.2.7.3.1.10 Timeframe Year
1.2.7.3.2 Search and Analytics Models (RM)
1.2.7.3.2.1 Activity
1.2.7.3.2.2 Activity Category
1.2.7.3.2.3 Activity Category Hierarchy
1.2.7.3.2.4 Analysis
1.2.7.3.2.5 Analysis with Forecasting Horizon Result
1.2.7.3.2.6 Central Opportunity
1.2.7.3.2.7 Enhancement Plan Attributes
1.2.7.3.2.8 Enterprise Search: Activity
1.2.7.3.2.9 Enterprise Search: Incident
1.2.7.3.2.10 Enterprise Search: Response
1.2.7.3.2.11 Enterprise Search: Risk
1.2.7.3.2.12 Forecasting Horizon Attributes
1.2.7.3.2.13 Impact Category
1.2.7.3.2.14 Incident
1.2.7.3.2.15 Incident-Loss-Impact Category assignment
1.2.7.3.2.16 KRI Instance
1.2.7.3.2.17 KRI Instance Values
1.2.7.3.2.18 KRI Template
1.2.7.3.2.19 Loss Attributes
1.2.7.3.2.20 Objective
1.2.7.3.2.21 Opportunity Category
1.2.7.3.2.22 Opportunity Hierarchy
1.2.7.3.2.23 Opportunity
1.2.7.3.2.24 OU-Activity-Opportunity Assignment
1.2.7.3.2.25 OU-Activity-Opportunity-Enhancement Plan
1.2.7.3.2.26 OU-Activity-Risk Assignment
1.2.7.3.2.27 OU-Activity-Risk-Incident assignment
1.2.7.3.2.28 OU-Activity-Risk-Response Assignment
1.2.7.3.2.29 Response

1.2.7.3.2.30 Risk Category
1.2.7.3.2.31 Risk Category Hierarchy
1.2.8 User Experience Enhancement
1.2.8.1 Entry Page
1.2.8.2 Side Panel
1.2.8.3 GRC CHIP Catalog
1.3 Work Centers
1.3.1 My Home
1.3.1.1 Work Inbox
1.3.1.1.1 Risk Management Work Inbox
1.3.1.2 Ad Hoc Tasks
1.3.1.2.1 Proposing a Risk
1.3.1.2.2 Ad Hoc Risk Escalation
1.3.1.2.3 Creating Response Proposals
1.3.1.2.4 Reporting an Ad Hoc Incident
1.3.1.2.4.1 Workflow for Recording Incidents
1.3.1.2.5 Issues
1.3.1.3 My Objects
1.3.1.3.1 My Risks
1.3.1.3.2 My Responses
1.3.1.3.3 My Incidents
1.3.1.3.4 My Policies
1.3.1.4 Embedded Search
1.3.1.5 My Delegation
1.3.2 Master Data
1.3.2.1 Organizations
1.3.2.1.1 Working with Organizational Units
1.3.2.1.1.1 Entering Risk-Specific Organization Data
1.3.2.1.1.2 Managing Organizational Key Risk Indicators
1.3.2.1.2 Threshold Browser
1.3.2.2 Regulations and Policies
1.3.2.2.1 Regulations
1.3.2.2.2 Policies
1.3.2.2.2.1 Creating a Policy Group
1.3.2.2.2.2 Creating a Policy
1.3.2.2.2.3 Reviewing a Policy
1.3.2.2.2.4 Approving a Policy
1.3.2.2.2.5 Publishing a Policy
1.3.2.3 Objectives
1.3.2.3.1 Business Objectives Hierarchy
1.3.2.4 Activities and Processes
1.3.2.4.1 Activities
1.3.2.4.1.1 Activity Hierarchy
1.3.2.4.1.2 Creating Activity Categories
1.3.2.5 Risks and Responses
1.3.2.5.1 Risk Catalog
1.3.2.5.1.1 Classifying Risks, Opportunities, and Responses
1.3.2.5.1.2 Creating a Risk Template
1.3.2.5.1.3 Distributing a Risk Template
1.3.2.5.2 Opportunity Catalog
1.3.2.5.2.1 Creating an Opportunity Category and Template
1.3.2.6 Forecasting Horizons
1.3.2.6.1 Maintaining Forecasting Horizons
1.3.2.6.2 Leading Forecasting Horizon for Risk Categories
1.3.2.7 Risk Consistency Reports
1.3.2.7.1 Working with the RM Consistency Checker
1.3.2.8 Reports (Master Data)
1.3.3 Rule Setup
1.3.3.1 Continuous Monitoring
1.3.3.2 Key Risk Indicators
1.3.3.2.1 Creating KRI Templates
1.3.3.2.2 Creating KRI Implementations

1.3.3.2.2.1 Technical Requirements for BW Queries
1.3.3.2.2.2 Technical Requirements for SAP Queries
1.3.3.2.2.3 Using External Web Services
1.3.3.2.3 Assigning KRIs to a Risk
1.3.3.2.3.1 Creating KRI Business Rules
1.3.3.2.4 Using Workflow to Create KRI Implementation Requests
1.3.3.2.5 Using Workflow to Create KRI Instance Localization Requests
1.3.3.2.6 Managing KRI Value Inputs
1.3.3.2.7 KRI Aggregation Hierarchy
1.3.3.2.7.1 Searching KRI Aggregation Hierarchies
1.3.3.2.7.2 Creating KRI Aggregation Hierarchies
1.3.3.2.7.3 Modifying KRI Aggregation Hierarchies
1.3.3.2.7.4 Deleting KRI Aggregation Hierarchies
1.3.3.2.8 KRI Aggregation Run
1.3.3.2.8.1 Searching KRI Aggregation Runs
1.3.3.2.8.2 Creating KRI Aggregation Runs
1.3.3.2.8.3 Modifying KRI Aggregation Runs
1.3.3.2.8.4 Deleting KRI Aggregation Runs
1.3.4 Assessments
1.3.4.1 Surveys
1.3.4.1.1 Question Library
1.3.4.1.1.1 Creating Questions for Surveys
1.3.4.1.2 Survey Library
1.3.4.1.2.1 Creating Surveys
1.3.4.1.3 Survey Category
1.3.4.1.3.1 Risk Consolidation
1.3.4.1.4 Score-Based Valuation for Surveys and Questions
1.3.4.2 Risk Assessments

1 SAP Risk Management
Product Information
Product SAP Risk Management
Release 10.1
Based On SAP NetWeaver 7.40 SP02
Documentation Published June 2013
SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best practice
management frameworks.
Recommendation
If you have also licensed the Process Control component, see the corresponding documentation under SAP Process Control.
Implementation Considerations
The Customizing for SAP Risk Management enables you to carry out the necessary configuration activities and describes the administrative functions
necessary to run the application.
Note
For the graphical representation of activities and scenarios, you must install the latest version of Java Runtime (JRE version 6 update 13 or higher) on your
front-end system. For more information, see http://www.java.com.
Features
SAP Risk Management uses the various work centers of the GRC, in which you can carry out all Risk Management activities. For more information about Risk
Management activities, see the individual work center topics.
Note
All Risk Management functions are executed in the SAP NetWeaver® Portal and SAP NetWeaver® Business Client (NWBC). For information about using
the portal and NWBC, see Portal and SAP NetWeaver Business Client.
1.1 Integration
Important Integration Information (English)

The processes and user interfaces of the following products are closely linked, as they have interconnected features:
SAP® Access Control™
SAP® Process Control™
SAP® Risk Management ™
You can access the features and documentation of one or several of these products only after licensing and installing the relevant products.
SAP® Access Control™ 10.1, SAP NetWeaver® 7.40 Support Package Stack 02
SAP® Process Control™10.1, SAP NetWeaver® 7.40 Support Package Stack 02
SAP® Risk Management ™10.1, SAP NetWeaver® 7.40 Support Package Stack 02
©Copyright 2013 SAP AG. All rights reserved.
The integration topics describe the integration scenarios that leverage 10.1 features across multiple applications.
For more information, see the relevant integration topics.
Wichtige Informationen zur Integration (Deutsch)

Die Prozesse und die Benutzeroberfläche von folgenden Produkten sind sehr eng miteinander verbunden:
SAP® Access Control™
SAP® Process Control™
SAP® Risk Management ™
Damit Sie auf die Funktionen und die Dokumentation eines oder mehrerer dieser Produkte zugreifen können, müssen Sie diese entsprechend lizenziert und
installiert haben.
SAP® Access Control™10.1, Juni 2013

SAP® Process Control™10.1, Juni 2013
SAP® Risk Management ™10.1, Juni 2013
SAP NetWeaver® 7.40 Support Package Stack 02
©Copyright 2013 SAP AG. All rights reserved.
1.1.1 Integration with Process Control
Provided your company has licensed both the Risk Management and Process Control applications, you can use a number of integrated functions as described
below.
Features
Among other things, risk templates are common to both Process Control and Risk Management. They can be defined and assigned from both applications.
Match-up of risk templates used in both Risk Management and Process Control
Common Menu Areas

The areas shared by both applications are:
GRC Role Assignments
Delegation
Embedded Search
Planner – See Risk Management Planner and Process Control Planner
Other Functions Common to Risk Management and Process Control

Beyond the functions described above, the following are common areas for both Risk Management and Process Control:
The use of a central PC process hierarchy as part of a Risk Management activity hierarchy. The PC processes are structured into subprocesses; for
each subprocess, controls are defined. Risks can be defined for controls, and these controls can then mitigate the risks specified for them. For more
information, see Reuse of PC Central Process Hierarchy in RM and Creating and Editing Global Processes and Controls.
The reuse of existing PC subprocesses as Risk Management activities. For more information, see Reuse of PC Central Process Hierarchy in RM.
The monitoring of PC assessment results: This conversion of traffic-light PC ratings to detailed RM percentages enables you to automatically monitor
the Process Control effectiveness and assessment results. They are mapped directly to Risk Management response effectiveness and completeness
values in percentage form. For more information, see Monitoring Control Effectiveness and Assessment Results.
For control proposals, which are converted to controls, you can do the following:
You can create a control proposal as a risk response in Risk Management.
If you are using Process Control, the process control application can implement the defined control, which is converted from the control proposal.
For more information, see Using PC Controls.
Note
For more information about creating risks, see Risks and Opportunities.

More Information
For more information about Process Control, see SAP Process Control.
1.1.1.1 Reusing the PC Central Process Hierarchy in RM
Provided you have licensed both the Risk Management and the Process Control applications, you can use the central PC subprocesses as activity categories
in GRC Risk Management. Furthermore, you can use the local PC subprocesses as local activities in RM.
In this way, a defined RM activity category can later be used to assign (local) activities to it. Otherwise no direct assignment of a (local) activity to the activity
category is possible.
This enables you to structure your risk assessment and risk reporting processes, with the option of using the activity hierarchy (containing the assigned
categories) primarily as a reporting or an assessment structure, or both.
Prerequisites
With both applications (Process Control and Risk Management) installed and running, the following procedure must be carried out before you can display and
use the PC process hierarchy in the Risk Management application in the activities screen:
Go to transaction GRFN_STR_CHANGE and make an entry corresponding to the one you have maintained in the above maintenance view. Note that this
transaction corresponds to the Customizing activity of Process Control called Set up Structure: Expert Mode and is documented there also. See the
procedure below for the exact steps.
Procedure
Note
When you access the RM activity overview screen, there are different processing modes, depending on your authorization:
If you have Risk Management authorization, the activities are available and can be edited.
With the same authorization, however, the PC subprocesses only open in display mode. You need PC authorization to change subprocesses.
However, you can attach a risk to a subprocess and submit it.
To use the Process Control central processes in Risk Management:

1. Access the Master Data work center and click the Activity Hierarchy link under Activities and Processes .
2. The activity hierarchy overview screen opens. Select an activity category and make note of it.
3. Access transaction GRFN_STR_CHANGE in the back-end system and go to the section on activity categories.
4. Below the activity category item, select Search Term to find the activity category that you are working with in the application. The result list is
displayed at the bottom left of the screen.
5. Select the activity category at the bottom left to see the data for it on the right-hand screen sections.
6. On the tab Activity Category Attributes (bottom section), access the Prefix field and select the Prefix ID called PROCESS.
7. Save your entry.
8. The Risk Management application now displays the Process Control hierarchy, containing its processes and subprocesses, in the lower section of the
activities screen.
Note
You may need to scroll in the Activity list to display the subprocesses in the list.
1.2 Key Concepts
The key concepts explained in this documentation for Risk Management are:
Risk Management Process
Levels of Authorization
Workflows
Integration with Process Control
Customer-Defined Fields
Risk-Related Terminology
Operational Data Provisioning in RM
User Experience Enhancement
1.2.1 Risk Management Process
The basic risk management process, as suggested by most risk management frameworks, involves the steps described below. You can use this process to
step through all risk management activities, from Customizing to user processing, up until the reporting phase.
Prerequisites

You have made the corresponding settings in Risk Management Customizing.
Process
1. Risk Planning
In the planning phase, you define and document your company's risk management framework. This allows the implementation of risk management
programs on a large scale, and enables you to streamline and reduce duplicate efforts in the company’s different organizational units. The following
steps are involved in risk planning:
Initial definition and assignment of roles and responsibilities. For more information, see Risk Management Application Roles.
Setup of the organizational hierarchy and organizational views to be used.
Definition of risk-relevant business activities (such as processes, projects, or other company assets).
Creation of a risk classification structure, so that you can structure and report on risk assessment results.
Definition of a key risk indicator (KRI) framework to automate and reduce risk monitoring efforts.
2. Risk Identification
In this phase, you carry out the following tasks:
Identify and collect information on your company’s risks, such as the risk drivers, potential impacts and the relationships between risk events.
Define and assign key risk indicators for the risks. For more information, see Key Risk Indicators.
Document the relationships between risks and create surveys for risks, activities, and risk indicators. For more information, see Surveys.
3. Risk Analysis
In this phase, you assess risks and review historical losses in the following way:
Qualitatively and/or quantitatively analyze the likelihood of occurrence of company risks and the potential impacts of the identified risks, so that
you can determine the necessary responses and investments to mitigate or control the risks. For more information, see Risk Analysis.
Collaborate with business stakeholders to collect risk analysis data, or create surveys or other workflows to help in collecting and interpreting risk
analysis data. This enables you to build risk scenarios and simulations, as well as precisely determine your risk exposure. You can also group
similar risks. For more information, see:
Scenario Management
Incident Management
Surveys
4. Risk Response
In this phase, you carry out the following tasks:
Document the response measures taken to manage the risks and their current status. You do this by taking measures to actively mitigate the
probability or potential impact of the risk, such as defining the risk assessment and approval or review cycles for risks and their responses, and
assigning response ownership and actions.
You can also propose and assign internal controls from Process Control, provided you have installed this application. For more information, see
Using PC Controls and Control Objectives.
For more information about responses, see Creating a Response or Enhancement Plan.
5. Risk Monitoring
In this phase, you carry out the following steps to evaluate your organization's risk exposure:
Analyze and report on your company's risk situation. This step includes documentation of incidents and losses for occurred risk events, to track
the effectiveness of mitigation measures such as responses and controls. For more information about documenting incidents, see Incident
Management.
You can also monitor the effectiveness and completeness of the responses that were used to mitigate your risks.
Furthermore, to enable the continuous monitoring of risks, in this phase you run the reports for risks and their history, as well as for key risk
indicators defined for these risks. For more information, see Reporting and Analytics and Dashboards (Heatmap, Overview, Top Risks, and Other).
1.2.2 Levels of Authorization
Risk Management uses different levels of authorization, depending on user profiles and the system used, for the following reasons:
The back-end system uses different roles than the SAP NetWeaver Portal. A detailed list is provided below.
The standard SAP authorization concept does not cover the authorization needs of Risk Management, so RM-specific application roles have been
developed. This has the additional advantage that authorizations can be differentiated according to the entity level involved. One risk manager, for
example, can be responsible for all entities (such as activities, risks, opportunities, and incidents) in one organizational unit, and another risk manager
can be responsible for the same entities in another organizational unit. Each manager then accesses the risks for which they are responsible, and not all
risks in the entire company.
Features
Before it is possible to work with Risk Management, the following kinds of roles must be accessed and activated:
The NetWeaver portal role is called com.sap.grc.rm.Role_All
This role enables you to configure the portal navigation structures and menu tabs. This role should be assigned to all Risk Management users directly or
via a group in the portal. The superuser must ensure that the portal interface can be accessed with the correct level of authorization by all other users.
Subsequently, the user can access the Risk Management work centers in the portal.
Standard or back-end roles
These roles define the authorizations in the back-end system, where, for example, Customizing is done. This kind of role should be assigned to users
with a back-end user profile. Every RM user should have the role SAP_GRC_FN_BASE assigned, since this is the basic role used to run the Risk
Management applications. For more information and further back-end roles, see Standard Roles and Authorization Objects.
Application roles
For all business users, the Risk Management application roles should be assigned as well. For more information, see Risk Management Application
Roles.
Note
Standard roles are also referred to as basic roles , and application roles are also referred to as model roles .

After the application roles have been defined, they can be assigned to different users and different entities within the RM application, as described in Assigning
Roles to Risks and Activities.
1.2.2.1 Standard Roles and Authorization Objects
The authorization concept of SAP NetWeaver assigns authorizations to users on the basis of roles. Some general SAP standard roles are delivered with Risk
Management as described below.
You can copy and adjust these default roles in Customizing under SAP NetWeaver Application Server System Administration Users and
Authorizations Maintain Authorizations and Profiles using Profile Generator Maintain Roles (transaction PFCG).
In the Risk Management application, the power user can assign these roles to the corresponding entities.
Features
The standard roles that are delivered with the Risk Management application are:
Basic Role (SAP_GRC_FN_BASE): The basic technical role for a user who wants to use Risk Management or Process Control. This role contains all
necessary authorizations to make the necessary Customizing settings for this application. This role does not contain any authorizations for the portal
interface.
Business User (SAP_GRC_FN_BUSINESS_USER): A user with this role is only authorized to perform operations on assigned entities in Risk
Management. We recommend that a user with this role also be assigned a portal role for Risk Management in order to use the web interface of the
application.
Power User (SAP_GRC_FN_ALL): In addition to the authorizations of the business user, a power user also has authorization for administrative functions
in Customizing, such as the definition of organizational units.
Display User (SAP_GRC_FN_DISPLAY): A user with this role can display all risk data in the portal. This role is useful for external auditors, for example.
We recommend using this role in addition to the business user role.
Note
For more information, see the documentation on the individual roles in transaction PFCG, for example, Changing Standard Roles.
Activities
To work with user roles, the following steps are necessary:
1. The system administrator assigns the basic role SAP_GRC_FN_BASE to all users working with the Risk Management application. This role contains the
technical authorizations required to run the application. Without this role, assigned users cannot run the application.
2. The system administrator copies the delivered power user role SAP_GRC_FN_ALL, makes any necessary adjustments, and assigns the modified copy
of the standard role to a user who then becomes a power user for the application. Alternatively, the delivered standard role can be used directly.
3. The system administrator copies the delivered display user role SAP_GRC_FN_DISPLAY, makes any necessary adjustments, and assigns the modified
copy of the standard role to other users who become display users for the application. Alternatively, the delivered standard role can be used directly.
4. The system administrator copies the delivered business user role SAP_GRC_FN_BUSINESS_USER, makes any necessary adjustments, and assigns the
modified copy of the standard role to other users who become business users for the application. Alternatively, the delivered standard role can be used
directly. The business users' authorizations within the application can be defined further by the application roles.
Note
For more information about application roles, see Risk Management Application Roles.
5. The portal administrator copies the delivered roles, makes any necessary adjustments, and assigns the modified copy of the enterprise portal roles to
the end users to grant them the required access to the Risk Management application. Alternatively, the delivered standard role can be used directly.
1.2.2.2 Risk Management Application Roles
A large number of users – who may frequently change – perform operations related to risk management in different functions. The roles and authorization
concept ensures the required flexibility for the end user. In addition to the general SAP standard roles that are maintained by the system administrator in
transaction PFCG, application-specific roles are also available in transaction PFCG, defining the set of operations, and detailed authorizations for an end-
user.
Note
For a list and information on the standard roles delivered with SAP Risk Management, see Standard Roles and Authorization Objects.
The application-specific roles defined in transaction PFCG refine the authorizations delivered in the Business User role (SAP_GRC_FN_BUSINESS_USER). An
application-specific role consists of operations (such as create, edit, delete) for different entities in the application (for example, for an organizational unit or a
risk). For more information, see Assigning Roles to Risks and Activities
Recommendation
To ensure sufficient transparency and oversight for the authorizations currently granted in this application and for the entities stored for it, a set of

predefined authorization reports is also provided. These include a check to ensure that the segregation of duties is adhered to during the assignment of the
SAP default and application-specific roles.
Defining users, roles, and assignments to authorization objects
Risk Management Sample Application Roles

The following sample application roles are available for use in the Risk Management application:
SAP_GRC_RM_API_ACTIVITY_OWNER Activity owner
SAP_GRC_RM_API_CENTRAL_RM Risk template manager
SAP_GRC_RM_API_CEO_CFO CEO/CFO
SAP_GRC_RM_API_INCIDENT_EDITOR Incident editor
SAP_GRC_RM_API_INTERNAL_AUD Internal auditor
SAP_GRC_RM_API_LIAISON System administrator
SAP_GRC_RM_API_OPP_OWNER Opportunity owner
SAP_GRC_RM_API_ORG_OWNER Organizational unit owner
SAP_GRC_RM_API_RISK_MANAGER Unit risk manager
SAP_GRC_RM_API_RISK_OWNER Risk owner
Steps Involved in Role Creation

You can copy roles to your user namespace and change them, or create other roles according to your organization's needs. For example, you can define a
new validator role, or a reporting role for occasional users who want to report a risk. For more information, see Role Administration.
To assign users, proceed as follows:
1. Call transaction PFCG and copy the general SAP roles described above to your user namespace.
2. Adjust the authorizations in these roles to suit the requirements of your system.
3. Assign the adjusted roles to the appropriate users.
4. Save your entries.
Note
After users have been assigned to roles, an authorized user or system administrator needs to check that there is a segregation of duties for Risk
Management. This is done via the corresponding authorization report in the application, called Entity Authorization Analysis , and found under Reports
and Analytics Access Management .
1.2.3 Workflows
The Risk Management application is shipped with a set of workflows that enable collaboration on risk management activities within a company by making use
of the standard SAP workflow functionality.

SAP workflows are based on the guided procedures that walk users through a risk management activity or process. Workflow examples include the validation
of risk reassessments, validation of assessment results, or the review of a newly-documented risk in the application.
Workflows in Risk Management can be classified according to whether they are:
Event-based workflows: These are predefined end-to-end processes triggered by user actions such as proposing a risk.
Event-based workflows are defined using business events: A business event involves the assignment of a workflow task to a recipient, which is also
known as agent determination. For example, the risk validation workflow is assigned to the recipient called Risk Manager.
Planner-based workflows: These are workflows that are planned and triggered through the Risk Management Planner function, such as updating a
risk or creating a risk survey.
Note
Although most workflows are based on the Risk Management Planner functions, the workflows for proposing risks and reporting incidents are handled
differently. For these, you must access the Ad Hoc Tasks section in the My Home work center. For more information, see Ad Hoc Tasks and Workflow
for Recording Incidents.
Prerequisites
The following workflow Customizing activities must be carried out before you can work with SAP workflows:
Customizing Activity Description
Maintain Custom Agent Determination Rules Specifies the agent determination rules to be used for business events in Risk
Management
Perform Automatic Workflow Customizing Assigns customer notification messages to workflow recipients
Perform Task-Specific Customizing Makes the settings required to adapt SAP workflows to Risk Management
Features
A workflow is triggered when you schedule a reassessment or validation and includes the following steps:
1. The workflow goes to all recipients that were defined for it, and appears as a task in the recipients' worklist in the Work Inbox.
2. The recipients complete the workflow item by accessing the corresponding application to process the data.
The Risk Management application contains the following workflows, carried out using the Planner :
Workflow name Description
Activity validation Allows a planner (for example, a risk manager) to obtain sign-off and confirmation
for the current risk situation for an activity (such as a process, project, or company
asset). For information, see Activity Validation.
Risk validation Enables the risk manager to obtain sign-off and confirmation for the current risk
(including the assigned responses). For information, see Risk Validation Workflow.
Opportunity validation Enables the risk manager to obtain sign-off and confirmation for the current
opportunity (including analysis and assigned enhancement plans).
Risk assessment Supports risk managers by providing an update for risks in their areas of
responsibility by sending out risk assessment work items. For more information, see
Workflow for Collaborative Risk Assessments.
Opportunity assessment Supports the risk manager by providing an update for opportunities by sending out
an opportunity assessment work item.
Response update Enables risk managers and risk owners to keep track of current risk responses by
sending work items to the validator's work inbox. For more information, see Working
with Response Workflows.
Furthermore, there are the following event-based workflows:
Workflow name Description Trigger
Risk proposal Ensures that users review a (potential) risk entered Risk proposed. For information, see Proposing a Risk.
through the Propose Risk function and rework it if
needed before it is stored in the risk database.
Incident validation Ensures that users check a reported incident for Incident posted. For information, see Working with
completeness and accuracy before it is stored in the Incidents.
incident database.
KRI implementation request Ensures the proper configuration and system setup for KRI implementation request. For information, see
Key Risk Indicator (KRI)-related data, which should be Workflow for KRI Implementation Request.
available for risk monitoring.
KRI localization request Optional adjustment of an assigned KRI with respect to KRI localization request. For information, see Workflow
risk-specific settings. for KRI Instance Localization Request.
Propose control (for users of both Risk Management Allows users (for example, risk managers) to propose a Risk mitigation using controls. For information, see
and Process Control) control to mitigate a risk. The control becomes part of Using PC Controls and Sample Workflow: Control
the regular monitoring activities in Process Control. Proposal Notification.

Agent determination is the system process that assigns users to workflows. The entity-based authorization concept in Risk Management is used for agent
determination in workflow processing or for surveys. For each usage of agent determination, a business event is determined. A business event is a
placeholder for recipient determination in workflow-driven scenarios or surveys, and the workflow processor or survey recipient is considered the agent.
For agent determination, the implementation team maps the Risk Management roles to the business events in Customizing. The assignment of business
events to RM roles in Customizing is optional. If no Customizing has been defined here, the default system behavior is applied.
When the workflow or survey requires the agent, it triggers the agent determination rule with the corresponding business event and object ID.
Features
Besides using the SAP-delivered rules and workflows, you can also create your own rules. The customer-specific rules override the delivered default rules.
More Information
See Workflows.
Analysis Automation: Integration with EH&S
Some enterprise risks are related to environmental and worker safety. SAP has a separate solution, Environment, Health and Safety Management (EH&S),
where such risks can be processed by the solution-specific mechanisms absent in operational risk management. Integrating EH&S using analysis automation
allows you to track all enterprise risks using one application (Risk Management).
Analysis automation creates EH&S risk assessments from risk analyses in Risk Management, tracking their probability and severity values, and copying
those values to the corresponding analysis parameters according to rules predefined in Customizing.
Risk managers are not required to have any EH&S background to create an EH&S risk assessment from a risk analysis. EH&S risk assessments are
intended to be processed by an EH&S manager or other responsible user. Risk managers can use a specific report that runs in the background to track the
current probability and impact levels of the EH&S-related risks that they create (see prerequisite number 9 below).
Prerequisites
Before using analysis automation (integration with EH&S), ensure that the following conditions have been met:
1. The remote system (EH&S) is known, and the logical system has been created for it (transaction SM30, record in view V_TBDLS).
2. The user is authorized to create risk assessments in the EH&S remote system, and the user's logon credentials are known.
3. Log object GRRM and log sub-object ANLS_AUTOMATION have been created (transaction SLG0).
4. The RFC destination for the EH&S remote system has been created.
5. RM and EH&S probability and severity level values have been mapped in Customizing under Risk Management Risk and Opportunity Analysis
Map Probability and Severity Values from EH&S and RM .
6. Context dimensions have been created for the EH&S agent, EH&S work area, and material in Customizing under Risk Management Risk and
Opportunity Analysis Map Probability and Severity Values from EH&S and RM . Use dimension types EHSAGENT, EHSWA, and MATERIAL within
the logical system mentioned in step 1 and the RFC destination created in step 4.
7. Context dimensions have been assigned to a risk and risk category entity in Customizing under Risk Management Master Data Setup Assign
Dimension to Entity . Assign the dimensions created in step 6 to the entities RISK and CRGROUP.
8. Context dimensions have been set as allowed for the risk category you will use when creating a risk. In the Risk Management application, go to
Master Data Risks and Responses Risk Catalog . Open the desired risk category, go to tab Allowed dimensions , and add the dimensions
created in step 6.
9. You have scheduled the report GRRM_ANLS_AUTOM_STATUS_UPDATE to run with a period of 1 hour.
Process
1. In the Assessments work center, open Risk and Opportunities .
2. Create a new risk.
3. Enter the risk name and specify the risk category (see step 8 of prerequisites).
4. Create an impact for the risk.
5. Go to the Analysis tab and create a new analysis.
6. Go to the Context tab and link the EH&S work area and EH&S agent to a risk as context objects.
Note
Instead of an EH&S agent, you can use a material (depending on conditions and requirements).
Caution
Be sure that no risk assessment with the specified combination of work area and agent/material already exists in EH&S. Such an existing risk
assessment will not be overwritten by the new risk assessment (in other words, the new risk assessment will not be created).
7. Submit the risk.

Result
A new risk assessment is created in the EH&S application of the remote system to be processed by the EH&S manager or other responsible user. The EH&S
risk assessment will be assigned probability and severity values. A background job (step 9 of prerequisites) replicates these values as probability and impact
level values for the corresponding risk analysis in Risk Management.
1.2.5 Customer-Defined Fields
Customer organizations can add their own fields to the applications they have licensed.
For more information, see the corresponding Customizing section and Adding Customer-Defined Fields.
1.2.5.1 Adding Customer-Defined Fields
You can add customer-defined (user-specific) fields in the following areas:

For HR entities:
Risk, risk template, risk category
Opportunity, opportunity template, opportunity category
Activity and activity category
Response template
For non-HR entities:
Response
Enhancement plan
Incident
Customer-defined fields can be defined as mandatory, read-only, or hidden. You can also define a specific input check for customer-defined fields.
Prerequisites
You must have the S_DEVELOP authorization profile or the equivalent.
Procedure
To add customer-specific fields to screens of the Risk Management application, proceed as follows:
1. Call up the Customizing for Risk Management and carry out the activities under the corresponding section of User-Defined Fields .
2. Access SAP Note number 1470670 and its attachments for more detailed information.
Caution
You must test all changes in the development system before transporting them to the test and production systems.

Adding Customer-Defined Fields via Risk Template
Via the copy or assignment procedure, customer-defined fields that were created for a risk template are copied into a risk. For more information on risk
template creation, see Creating a Risk Template.
1.2.6 Risk-Related Terminology
Risk Management, Process Control, and Access Control have several risk-related terms that may need an explanation. The following table provides an
overview of risk terms with their definitions and the location in the applications where they are used.
Term Explanation Location in Application
Risk Management SAP NetWeaver application for managing enterprise- Entire Risk Management application
wide risks
Risk An uncertain event or condition that, if it occurs, has a Entire Risk Management application
negative impact on business objectives
Risk assessment The evaluation of risks through definition and Assessments work center
mitigation via responses
Risk template A template to be used for creating actual risks Master Data work center, Risk Catalog
Primary risk A risk used in a scenario, which has no risks Assessments work center, Scenario Management
influencing it
Top risks A report containing user-defined risks that are very Reports and Analytics work center, Management
significant to management section
Influenced risk A risk influenced by another risk Assessments work center, Risks and Opportunities
Affected risk A risk affected by a response Assessments work center, Responses
Risk event A risk that has not occurred Assessments work center, Incident Management
Inherent risk Overall risk before response Assessments work center, Risks and Opportunities ,
Analysis tab of a risk
Residual risk Overall risk after response Assessments work center, Risks and Opportunities ,
Proposed risk, risk proposal A risk proposed by a casual user My Home work center, Ad-hoc tasks
Risk appetite Level of risk to be supported, which can be described Master Data work center, Organizations
qualitatively and quantitatively
Underlying risk Risk defined on lower level of organization Assessments work center, Risks and Opportunities
Risk category User-defined category of risk Master Data work center, Risks and Responses, Risk
Catalog
Parent risk category A high-level user-defined risk category Master Data work center, Risks and Responses, Risk
Catalog
Risk incident An incident entered directly for a risk Assessments work center, Risks and Opportunities ,
Risk Incidents tab, and Incident Management
section
Risk level Specifies degree of risk using traffic light icons Assessments work center, Risks and Opportunities
Risk factor Synonym of influence factor , a risk with probability Assessments work center, Risks and Opportunities
and impact data attached
Risk summary A report summarizing all risks per period, organization, Reports and Analytics work center
and so on
Risk analysis Analysis of one risk Assessment work center, Risks and Opportunities ,
Risk scenario A scenario containing several risks to be analyzed and Assessments work center, Scenario Management
evaluated
Risk aspect A field in reports evaluating risks. By checkmarking this Reports and Analytics work center, Risks per
field in reports, the user can see how an impact level Organizational Unit
would be rated if the risk were seen from the
perspective (aspect) of a different organizational unit.
Risk instance A risk template applied to an individual risk is Assessments work center, Risks and Opportunities ,
considered as an instance of the risk template, or risk Analysis tab
instance .
Local risk The same as a risk instance Assessments work center, Risks and Opportunities ,
Analysis tab
Access risk A risk defined for Access Control, specifying the Access Management work center, Access Risk
severity of an irregularity related to Segregation of Analysis section
Duties (SOD) risks.
SOD risk The same as an access risk Access Management work center, Access Risk
Analysis section

The structure contains the documents that describe operational reporting for Governance, Risk, and Compliance based on Operational Data Provisioning
(ODP). ODP is a metadata concept in SAP NetWeaver that provides a technical infrastructure that you can use to support application scenarios such as data
replication and operational analytics. You can use operational reporting for real-time analysis of data. You can access the data in your system directly without
having to replicate it into a separate BW system.
In GRC, predefined search and analysis models are delivered for reporting and enterprise search. You can use these models directly or create your own
models in the modelling environment.
For more information about ODP and models, see the documentation at http://help.sap.com, under SAP NetWeaver SAP NetWeaver Platform SAP
NetWeaver 7.3 Including Enhancement Package 1 Application Help SAP NetWeaver Library: Function-Oriented View Search and Operational
Analytics Operational Data Provisioning .
More Information
Authorization
CDF Support in ODP
Search and Analytic Models
1.2.7.1 Authorization
An authorization allows a user to perform a specific action on a specific object. You can define authorization checks to be performed for the nodes in a
business object by adding authorization objects to the node. In this way, you can configure that only authorized users can access the data in search results or
reporting.
To assign an authorization object to a PFCG role:
1. Go to transaction PFCG, enter the role name and choose Change .
2. In the Authorization tab, assign the authorization object in Maintain Authorization Data and Generate Profiles .
In GRC, the following types of authorization objects are available:
Authorization Object Description
GRFN_ODP Authorization check for HR objects based on entity and object ID
GRFN_ODP_C Authorization check for special HR objects with complex IDs
GRFN_ODP_E Entity level authorization check for non-HR objects
GRFN_ODP_R Authorization check for regulation specific entities
GRFN_ODPRC Authorization check for complex ID and regulation specific entities
Note
Ad-hoc Issue and Policy use role-user assignment authorization. The assignment information is stored in table GRFNROLEASSNMT.
Special HR Objects with Complex ID

Some objects contain special entity IDs that cover two HR object types. In such cases, the object ID length of these entities are extended to 9, allowing one
extra character for identification. These objects use the special complex ID authorization check GRFN_AUTH_C. The following is a list of special HR objects
that uses complex ID authorization check.
Object Type Object ID Format Example Description
Activity 8 digit number + S 50****01S Activities mapped from subprocess
8 digit number 50****01 Newly created activities
Activity Category 8 digit number + X 50****01X Activity categories mapped from

subprocess
8 digit number 50****01 Newly created activity categories
Control L + 8 digit number L50****01 Local change allowed controls
8 digit number 50****01 Local change not allowed controls
Risk 8 digit number + X 50****01X Risk template
8 digit number 50****01 Local risk
1.2.7.2 CDF Support in ODP
This chapter discusses how to add customer defined fields (CDF) in ODP models which has BW data source.

Prerequisites
You have implemented CDF support to the master data used in the ODP model.
Procedure
To add a customer defined field in an ODP model:
1. Go to transaction RSA6, find your data source and choose Enhance Extraction Structure .
2. Enter the structure name and choose continue to create a new structure.
3. Enter the necessary fields according to the CDF definition. Make sure the field name completely matches the CDF structure. Now the BI structure
should have the newly created structure appended.
Note
As the data source extractor always pass values according to the field name, normally this should work and return the CDF value in the data source.
If not, check if the datamart is filled with the CDF.
4. Go to the ODP modeler, open the corresponding model and update the node. The newly appended field appears. Adjust the related settings and generate
the ODP again.
For more information, see SAP NetWeaver help document at http://help.sap.comunder SAP NetWeaver SAP NetWeaver Platform SAP NetWeaver 7.3
Including Enhancement Package 1 Application Help SAP NetWeaver Library: Function-Oriented View Search and Operational Analytics Creating
Search and Analysis Models Using the Search and Analytics Modeler Creating or Extending Search and Analysis Models
1.2.7.3 Search and Analytic Models
A search and analytic model reflects a business entity consisting of segments modeled via nodes. Nodes can be connected to other nodes by means of
composition or association relationships using foreign-key dependencies.
The following structure contains both common models and product specific models.
1.2.7.3.1 Search and Analytics Models (Common)
The following structure contains the common search and analytics models shared between Process Control and Risk Management.
1.2.7.3.1.1 Ad-Hoc Issue
( Search and Analytics Model ) Search and Analytics Model: 0GFN_AI
This search and analytics model is used to get the ad-hoc issue data.
Technical Data
Model Usage Application Model
Software Component for Search and Analytics GRCFND_A
Root Node: GRC Ad-Hoc Issue Attributes
Technical Name 0GFN_AI_ATTR
DataSource 0GFN_AI_ATTR
Operational Data Provider: GRC Ad-Hoc Issue Attributes
Technical Name 0GFN_AI
ODP-Semantics Master Data Attributes
View Data Extraction
Direct Access Enabled Yes
Operational Data Provider: GRC Ad-Hoc Issue Text
Technical Name 0GFN_AI
ODP-Semantics Texts

Authorization Checks
Check ID ABAP Authorization Object Description
CN_IS GRFN_ODP_C GRC ODP authorization for complex ID
IELC_IS GRFN_ODP GRC ODP authorization
SP_IS GRFN_ODP GRC ODP authorization
Node Relationship: GRC Ad-Hoc Issue Text
Node 0GFN_AI_TEXT
Association
Cardinality Arbitrary
Reverse Cardinality Exactly One
Sub-query No
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join-Operator
GUID GUID Equal
TF_FREQ TF_FREQ Equal
TF_YEAR TF_YEAR Equal
TIMEFRAME TIMEFRAME Equal
Node Relationship: GRC Ad-Hoc Issue Priority Text
Node 0GFN_AIPRIO.0GFN_AI_PRIORITY_TEX
Association 0GFN_AI_ATTR20GFN_AI_PRIORITY_TE
Sub-query No
Foreign Key
AI_PRIORITY ATTR Equal
Node Relationship: GRC Ad-Hoc Issue Status Text
Node 0GFN_AI_STATUS.0GFN_AI_STATUS_TEXT
Association 0GFN_AI_ATTR20GFN_AI_STATUS_TEXT
Sub-query No
Foreign Key
AI_STATUS ATTR Equal
Node Relationship: GRC Timeframe
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GFN_AI_ATTR20GFN_TF_ATTR
Cardinality Exactly One
Reverse Cardinality Arbitrary
Sub-query No

Foreign Key
Node Relationship: GRC Timeframe Year
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GFN_AI_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node Relationship: GRC Timeframe Year Frequency
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GFN_AI_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
1.2.7.3.1.2 Business Rule
( Search and Analytics Model ) Search and Analytics Model: 0GFN_BR
This search and analytics model is used to get the business rule data.
Technical Data
Root Node: GRC Business Rule Attributes
Technical Name 0GFN_BR_ATTR
DataSource 0GFN_BR_ATTR
Operational Data Provider: GRC Business Rule Attribute
Technical Name 0GFN_BR
Operational Data Provider: GRC Business Rule Texts
Technical Name 0GFN_BR

ODP-Semantics Texts
EO GRFN_ODP GRC ODP authorization
Node Relationship: GRC Business Rule Texts
Node 0GFN_BR_TEXT
Association
Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GFN_BR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GFN_BR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_BR_ATTR20GFN_TF_FREQ

Sub-query No
Foreign Key
Node Relationship: GRC Data Source Attribute
Node 0GFN_EO.0GFN_DS_ATTR
Association 0GFN_BR_ATTR20GFN_DS_ATTR
Sub-query No
Foreign Key
EO_ID OBJID Equal
Node Relationship: GRC Business Rule Analysis Type Text
Node 0GFN_BRANTY.0GFN_BR_ANYSTYPE_TEX
Association 0GFN_BR_ANYSTYPE_TEX20GFN_BR_ATT
Sub-query No
Foreign Key
BR_ANYSTYPE ATTR Equal
Node Relationship: GRC Business Rule Category Texts
Node 0GFN_BRCATE.0GFN_BR_CATEGORY_TEX
Association 0GFN_BR_CATEGORY_TEX20GFN_BR_ATT
Sub-query No
Foreign Key
BR_CATEGORY ATTR Equal
Node Relationship: GRC Business Rule Status Text
Node 0GFN_BRSTAT.0GFN_BR_STATUS_TEXT
Association 0GFN_BR_STATUS_TEXT20GFN_BR_ATTR
Sub-query No
Foreign Key

BR_STATUS ATTR Equal
Node Relationship: GRC Job Steps Attribute
Node 0GFN_JP.0GFN_JP_ATTR
Association 0GFN_JP_ATTR20GFN_BR_ATTR
Sub-query No
Foreign Key
OBJID BR_ID Equal
1.2.7.3.1.3 Data Source
( Search and Analytics Model ) Search and Analytics Model: 0GFN_EO
This search and analytics model is used to get the data source attributes.
Technical Data
Root Node: GRC Data Source Attribute
Technical Name 0GFN_DS_ATTR
DataSource 0GFN_DS_ATTR
Operational Data Provider: GRC Data Source Attribute
Technical Name 0GFN_EO
Operational Data Provider: GRC Data Source Texts
Technical Name 0GFN_EO
ODP-Semantics Texts
EO GRFN_ODP GRC ODP authorization
Node Relationship: GRC Data Source Texts
Node 0GFN_DS_TEXT

Association
Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GFN_DS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_DS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GFN_DS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node Relationship: GRC Data Source Sub-scenario Text
Node 0GFN_EOSUBS.0GFN_DS_SUBSCENARIO
Association 0GFN_DS_ATTR20GFN_DS_SUBSCENARIO

Sub-query No
Foreign Key
DS_SUBSCENARIO ATTR Equal
Node Relationship: GRC Data Source Connection Type Text
Node 0GFN_EOCOTP.0GFN_DS_CONN_TYPE
Association 0GFN_DS_ATTR20GFN_DS_CONN_TYPE
Sub-query No
Foreign Key
DS_CONNECTTYPE ATTR Equal
Node Relationship: GRC Data Source Connector Texts
Node 0GFN_EOCONN.0GFN_DS_CONNECTOR_TE
Association 0GFN_DS_ATTR20GFN_DS_CONNECTOR_T
Sub-query No
Foreign Key
DS_CONNECTOR ATTR Equal
Node Relationship: GRC Business Rule Attribute
Node 0GFN_BR.0GFN_BR_ATTR
Association 0GFN_BR_ATTR20GFN_DS_ATTR
Sub-query No
Foreign Key
OBJID EO_ID Equal
1.2.7.3.1.4 Organization Unit
( Search and Analytics Model ) Search and Analytics Model: 0GFN_OU
This search and analytics model is used to get the organization unit attributes.
Technical Data

Root Node: GRC Organization Attributes
Technical Name 0GFN_OU_ATTR
DataSource 0GFN_OU_ATTR
Operational Data Provider: GRC Organization Attributes
Technical Name 0GFN_OU
Operational Data Provider: GRC Organization Texts
Technical Name 0GFN_OU
ODP-Semantics Texts
OU GRFN_ODP GRC ODP authorization
Node Relationship: GRC Organizations Texts
Node 0GFN_OU_TEXT
Association
Sub-query Yes
Foreign Key
OBJID OBJID Equal
Node Relationship: GRC Org. Unit Qualitative Appetite Texts
Node 0GFN_OUQAPP.0GFN_OU_QAPP_TEXT
Association 0GFN_OU_ATTR20GFN_OU_QAPP_TEXT
Sub-query No
Foreign Key
OU_QUALITY_APP ATTR Equal
Node Relationship: Region (State, Province, County)
Node 0GFN_REGION.0REGION_TEXT

Association 0GFN_OU_ATTR20REGION_TEXT
Sub-query No
Foreign Key
OU_REGION BLAND Equal
OU_REGION_CNTY LAND1 Equal
Node Relationship: Country
Node 0GFN_COUNTRY.0COUNTRY_TEXT
Association 0GFN_OU_ATTR20COUNTRY_TEXT
Sub-query No
Foreign Key
OU_COUNTRY LAND1 Equal
Association 0GFN_OU_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GFN_OU_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_OU_ATTR20GFN_TF_FREQ
Sub-query No

Foreign Key
Node Relationship: GRC Entity Type Text
Node 0GFN_ENTTYP.0GFN_ENTTYP_TEXT
Association 0GFN_OU_ATTR20GFN_ENTTYP_TEXT
Sub-query No
Foreign Key
ENTITY_ID ATTR Equal
Node Relationship: GRC Organization Attributes
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GFN_OU_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_PARENT OBJID Equal
Node Relationship: Org. Unit In Scope
Node 0GPC_OUINSC.0GPC_OUINSC_TEXT
Association 0GFN_OU_ATTR20GPC_OUINSC
Sub-query No
Foreign Key
OU_IN_SCOPE ATTR Equal
Node Relationship: Org. Unit Is Provider
Node 0GPC_OUISPR.0GPC_OUISPR_TEXT
Association 0GFN_OU_ATTR20GPC_OUISPR
Sub-query No
Foreign Key

OU_SPROVIDER ATTR Equal
Node Relationship: GRC User Texts
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GFN_OU_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
OU_RESP_USER ATTR Equal
Node Relationship: Validate iELC Assessment
Node 0GFN_OUVAMC.0GFN_OUVAMC_TEXT
Association 0GFN_OU_ATTR20GFN_OUVAMC
Sub-query No
Foreign Key
OU_VAL_EC_ASS ATTR Equal
Node Relationship: Validate iELC Effectiveness Test
Node 0GFN_OUVAMT.0GFN_OUVAMT_TEXT
Association 0GFN_OUVAMT.0GFN_OUVAMT_TEXT
Sub-query No
Foreign Key
OU_VAL_EC_TEST ATTR Equal
Node Relationship: Retest iELC Assessment
Node 0GFN_OUREMC.0GFN_OUREMC_TEXT
Association 0GFN_OU_ATTR20GFN_OUREMC
Sub-query No
Foreign Key
OU_RTS_EC_ASS ATTR Equal
Node Relationship: Retest iELC Effectiveness Test

Node 0GFN_OUREMT.0GFN_OUREMT_TEXT
Association 0GFN_OU_ATTR20GFN_OUREMT
Sub-query No
Foreign Key
OU_RTS_EC_TEST ATTR Equal
Node Relationship: GRC PC Risk Coverage from all sources
Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL
Association 0GPC_SP_RS_CN_ALL20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC PC Subprocess Attributes
Node 0GPC_SPSRC.0GPC_SP_RS_SOURCE_AT
Association 0GPC_SP_RS_SOURCE_AT20GFN_OU_ATT
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC PC Process Attributes
Node 0GPC_PR.0GPC_PR_ATTR
Association 0GPC_PR_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal

Node Relationship: GRC PC Control and Risk Matrix Attributes
Node 0GPC_CN_RS.0GPC_CN_RS_ATTR
Association 0GPC_CN_RS_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC PC Control Attributes
Node 0GPC_CN.0GPC_CN_ATTR
Association 0GPC_CN_ATTR20GFN_OU_ATTR_1
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM OU-Activity-Risk assignment
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM OU-Activity-Opportunity assignment
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal

Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM OU-Activity-Risk-Response assignment
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM OU-Activity-Risk-Incident assignment
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC PC Test Step Attributes
Node 0GPC_V0.0GPC_V0_ATTR
Association 0GPC_V0_ATTR20GFN_OU_ATTR
Sub-query No

Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC PC Indirect Enitity-Level Control Group Attributes
Node 0GPC_EG.0GPC_EG_ATTR
Association 0GPC_EG_ATTR20GFN_OU_ATTR
Reverse Cardinality Up to One
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC PC Indirect Enitity-Level Control Attributes
Node 0GPC_EC.0GPC_EC_ATTR
Association 0GPC_EC_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC Job Steps Attribute
Node 0GFN_JP.0GFN_JP_ATTR
Association 0GFN_JP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Association 0GPC_CN_ATTR20GFN_OU_ATTR_2

Sub-query No
Foreign Key
OBJID CN_SS_OU Equal
Node Relationship: GRC RM Enhancement Plan Attributes
Node 0GRM_EP.0GRM_EP_ATTR
Association 0GRM_EP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM Opportunity Attributes
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node 0GPC_SP.0GPC_SP_ATTR
Association 0GPC_SP_ATTR20GFN_OU_ATTR_O
Sub-query No
Foreign Key
OBJID OU_ID Equal

Node 0GPC_SP.0GPC_SP_ATTR
Association 0GPC_SP_ATTR20GFN_OU_ATTR_SS
Sub-query No
Foreign Key
OBJID SP_SS_ORGUNIT Equal
Node Relationship: Hierarchy nodes
Node 0GFN_OU_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID SP_SS_ORGUNIT Equal
Node Relationship: GRC RM KRI (Key Risk Indicator) Values
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM Activity Attributes
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_AC_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

OBJID OBJID Equal
Node Relationship: GRC RM Loss Attributes
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM Incident Attributes
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IN_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM Incident-Loss-Impact Category assignment
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM KRI Instance Attributes
Node 0GRM_KN.0GRM_KN_ATTR
Association 0GRM_KN_ATTR20GFN_OU_ATTR
Sub-query No

Foreign Key
OBJID OU_ID Equal
Node Relationship: GRC RM Response Attributes
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GRM_RP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node Relationship: Forecasting Horizon Analysis Attributes
Node 0GRM_W5_ATTR.0GRM_W5_ATTR
Association 0GRM_W5_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU Equal
Node Relationship: GRC RM Analysis Attributes
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OU_ID Equal
Node 0GPC_M3.0GPC_CN_ATTR
Association M3 CTRL: ORGANIZATION

Sub-query No
Foreign Key
OBJID OU_ID Equal
1.2.7.3.1.5 Organization Hierarchy
( Search and Analytics Model ) Search and Analytics Model: 0GFN_OU_HIER
This search and analytics model is used to get the organization hierarchy attributes.
Technical Data
Root Node: Hierarchy header
Technical Name HIERARCHY_HEADER
DataSource 0GFN_OU_GFNH_HIER
Node HIERARCHY_ELEMENT
Association
Sub-query Yes
Foreign Key
HEADERID HEADERID Equal
Node Relationship: Node texts
Node HIERARCHY_FOLDERTEXT
Association
Sub-query No
Foreign Key
FOLDERNAME FOLDERNAME Equal

Association HIERARCHY_ELEMENT20GFN_OU_ATTR
Cardinality Up to One
Sub-query No
Foreign Key
OBJID OBJID Equal
Node Relationship: Header texts
Node HIERARCHY_HEADERTEXT
Association
Sub-query No
Foreign Key
1.2.7.3.1.6 Policy
( Search and Analytics Model ) Search and Analytics Model: 0GFN_PO
This search and analytics model is used to get the policy data.
Technical Data
Root Node: GRC Policy Attributes
Technical Name 0GFN_PO_ATTR
DataSource 0GFN_PO_ATTR
Operational Data Provider: GRC Policy Attributes
Technical Name 0GFN_PO
Operational Data Provider: GRC Policy Text
Technical Name 0GFN_PO
ODP-Semantics Texts

PO GRFN_ODP_E GRC ODP authorization for entity level
Node Relationship: GRC Policy Text
Node 0GFN_PO_TEXT
Association
Sub-query No
Foreign Key
GUID GUID Equal
Node Relationship: GRC Policy Category Text
Node 0GFN_POCATEG.0GFN_PO_CATEG_TEXT
Association 0GFN_PO_ATTR20GFN_PO_CATEG_TEXT
Sub-query No
Foreign Key
PO_POLICY_CATEG ATTR Equal
Node Relationship: GRC Policy Status Text
Node 0GFN_POSTATUS.0GFN_PO_STATUS_TEXT
Association 0GFN_PO_ATTR20GFN_PO_STATUS_TEXT
Sub-query No
Foreign Key
PO_POLICY_STATUS ATTR Equal
Node Relationship: GRC Policy Type Text
Node 0GFN_POTYPE.0GFN_PO_TYPE_TEXT
Association 0GFN_PO_ATTR20GFN_PO_TYPE_TEXT
Sub-query No
Foreign Key
PO_POLICY_TYPE ATTR Equal

1.2.7.3.1.7 Risk
( Search and Analytics Model ) Search and Analytics Model: 0GFN_RS
This search and analytics model is used to get the risk data.
Technical Data
Root Node: GRC Risk Attributes
Technical Name 0GFN_RS_ATTR
DataSource 0GFN_RS_ATTR
Operational Data Provider: GRC Risk Attributes
Technical Name 0GFN_RS
Operational Data Provider: GRC Risk Texts
Technical Name 0GFN_RS
ODP-Semantics Texts
RS GRFN_ODP_C GRC ODP authorization for complex ID
Node Relationship: GRC Risk Texts
Node 0GFN_RS_TEXT
Association
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Node Relationship: GRC RM Risk Level Texts
Node 0GRM_RSL.0GRM_RSL_TEXT
Association 0GFN_RS_ATTR20GRM_RSL_TEXT

Sub-query No
Foreign Key
RS_RSA_RSL ATTR Equal
Node Relationship: GRC Risk Status Texts
Node 0GFN_RSSTAT.0GFN_RS_STATUS_TEXT
Association 0GFN_RS_ATTR20GFN_RS_STATUS_TEXT
Sub-query No
Foreign Key
RS_STATUS ATTR Equal
Association 0GFN_RS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GFN_RS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_RS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Relationship: GRC RM Probability Level Texts
Node 0GRM_PBL.0GRM_PBL_TEXT
Association 0GFN_RS_ATTR20GRM_PBL_TEXT
Sub-query No
Foreign Key
RS_RSA_PRL ATTR Equal
Association 0GFN_RS_ATTR20GPC_SP_RS_CN_ALL
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GPC_CN_RS_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS
Sub-query No
Foreign Key

RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_RP
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_IN
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_KN_KRI_VALUES
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_IL_ATTR
Sub-query No

Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_IN_IL_IC
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_KN_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_RP_ATTR

Sub-query No
Foreign Key
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_W5_ATTR
Sub-query No
Foreign Key
RS_ID RS Equal
Association 0GFN_RS_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
RS_RESP_USER ATTR Equal
Association 0GRM_AL_ATTR20GFN_RS_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.1.8 Timeframe

( Search and Analytics Model ) Search and Analytics Model: 0GFN_TF
This search and analytics model is used to get the timeframe attributes.
Technical Data
Root Node: GRC Timeframe
Technical Name 0GFN_TF_ATTR
DataSource 0GFN_TF_ATTR
Operational Data Provider: GRC Timeframe
Technical Name 0GFN_TF
Operational Data Provider: GRC Timeframe Texts
Technical Name 0GFN_TF
ODP-Semantics Texts
Node Relationship: GRC Timeframe Texts
Node 0GFN_TF_TEXT
Association
Sub-query Yes
Foreign Key
Node Relationship: Organization Attributes for Enterprise Search
Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH
Association 0GFN_OU_ATTR_ESH20GFN_TF_TEXT
Sub-query No
Foreign Key
Node Relationship: PC Control Objective Attributes
Node 0GPC_COBJ.0GPC_COBJ_ATTR
Association 0GPC_COBJ_ATTR20GFN_TF_ATTR

Sub-query No
Foreign Key
Node Relationship: GRC PC FS Account Group Attributes
Node 0GPC_AG.0GPC_AG_ATTR
Association 0GPC_AG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC PC Indirect Entity-Level Control Attributes
Association 0GPC_EC_ATTR20GFN_TF_ATTR_1
Sub-query No
Foreign Key
Node Relationship: GRC Test Plan Attributes
Node 0GPC_TP.0GPC_TP_ATTR
Association 0GPC_TP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GFN_OU_ATTR20GFN_TF_ATTR
Sub-query No

Foreign Key
Association 0GFN_BR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC PC Testing (Testlog) Attributes
Node 0GPC_TL.0GPC_TL_ATTR
Association 0GPC_TL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GFN_DS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC RM Central Opportunity Texts
Node 0GRM_OC.0GRM_OC_TEXT
Association 0GRM_OC_TEXT20GFN_TF_ATTR
Sub-query No
Foreign Key

Association 0GRM_OR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR
Sub-query No
Foreign Key
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_IN20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_RP20GFN_TF_ATTR

Sub-query No
Foreign Key
Association 0GRM_KN_KRI_VALUES20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_IN_IL_IC20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC PC Regulation
Node 0GPC_RE.0GPC_RE
Association 0GPC_RE20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC PC Indirect Entity-Level Control Attributes All Regs
Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_ATT
Sub-query No
Foreign Key

Node Relationship: GRC Organizations Attributes All Regulations
Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_ATT
Sub-query No
Foreign Key
Association 0GPC_EG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC RM Risk Category (Risk Group)
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_RG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_EP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC PC Assessment Attributes

Node 0GPC_AS.0GPC_AS_ATTR
Association 0GPC_AS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GPC_CN_ATTR20GFN_TF_ATTR_1
Sub-query No
Foreign Key
Node Relationship: GRC PC Control Attributes All Regulations
Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG
Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_ATT
Sub-query No
Foreign Key
Association 0GPC_CN_RS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association M3 CTRL: TIMEFRAME

Sub-query No
Foreign Key
Association 0GPC_V0_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC Ad-Hoc Issue Attributes
Node 0GFN_AI.0GFN_AI_ATTR
Association 0GFN_AI_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GPC_SP_RS_CN_ALL20GFN_TF_ATTR
Sub-query No
Foreign Key
Node 0GPC_H2E.0GPC_EC_ATTR
Association H2E IELC: TIMEFRAME
Sub-query No
Foreign Key

Association 0GRM_AC_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_IL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_IN_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC RM Activity Category Attributes
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_CA_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Association 0GRM_KN_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_RP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC RM KRI Template Attributes
Node 0GRM_KT.0GRM_KT_ATTR
Association 0GRM_KT_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC RM Opportunity Category Attributes
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OG_ATTR20GFN_TF_ATTR
Sub-query No

Foreign Key
Node Relationship: GRC PC Remediation Plan Attributes
Node 0GPC_PL.0GPC_PL_ATTR
Association 0GPC_PL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC RM Org. Unit Objective Attributes
Node 0GRM_OB.0GRM_OB_ATTR
Association 0GRM_OB_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC Risk Attributes
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_AL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node 0GPC_F5.0GPC_TL_ATTR
Association F5 TESTLOG: TIMEFRAME
Sub-query No
Foreign Key
Node Relationship: GRC PC Issue Attributes
Node 0GPC_IS.0GPC_IS_ATTR
Association 0GPC_IS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Node Relationship: GRC PC Account Group Assertion Attributes
Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR
Association 0GPC_V9_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
1.2.7.3.1.9 Timeframe Frequency
( Search and Analytics Model ) Search and Analytics Model: 0GFN_TF_FREQ

This search and analytics model is used to get the timeframe frequency attributes.
Technical Data
Root Node: GRC Timeframe Year Frequency
Technical Name 0GFN_TF_FREQ
DataSource 0GFN_TF_FREQ
Operational Data Provider: GRC Timeframe Year Frequency

Operational Data Provider: GRC Timeframe Frequency Texts
ODP-Semantics Texts
Node Relationship: GRC Timeframe Frequency Texts
Node 0GFN_TFFRQ_TEXT
Association
Sub-query Yes
Foreign Key
Node Relationship: GRC PC Control Objective Attributes
Association 0GPC_COBJ_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_AG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_EC_ATTR20GFN_TF_FREQ_1

Sub-query No
Foreign Key
Association 0GPC_TP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GFN_OU_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GFN_BR_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_TL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Association 0GFN_DS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OR_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR_RP20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_AC_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Association 0GRM_OU_AC_RS20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_IN20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_RP20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_KN_KRI_VALUES20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_KT_ATTR20GFN_TF_FREQ

Sub-query No
Foreign Key
Association 0GRM_CA_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_IN_IL_IC20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_RE20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key

Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key
Association 0GPC_EG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_RG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OC_TEXT20GFN_TF_FREQ
Sub-query No
Foreign Key

Association 0GRM_EP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_AS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_CN_ATTR20GFN_TF_FREQ_1
Sub-query No
Foreign Key
Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key
Association 0GPC_CN_RS_ATTR20GFN_TF_FREQ
Sub-query No

Foreign Key
Association M3 CTRL: TIMEFRAME FREQ
Sub-query No
Foreign Key
Association 0GPC_V0_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GFN_AI_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_SP_RS_CN_ALL20GFN_TF_FREQ
Sub-query No
Foreign Key

Association H2E IELC: TIMEFRAME FREQ
Sub-query No
Foreign Key
Association 0GRM_IL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_IN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_KN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_RP_ATTR20GFN_TF_FREQ

Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GPC_PL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OB_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Association 0GFN_RS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_AL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association F5 TESTLOG: FREQUENCY
Sub-query No
Foreign Key
Association 0GPC_IS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Association 0GPC_V9_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
1.2.7.3.1.10 Timeframe Year
( Search and Analytics Model ) Search and Analytics Model: 0GFN_TF_YEAR

This search and analytics model is used to get the timeframe year attributes.
Technical Data
Root Node: GRC Timeframe Year
Technical Name 0GFN_TF_YEAR
DataSource 0GFN_TF_YEAR
Operational Data Provider: GRC Timeframe Year
Technical Name 0GFN_TF_YEAR
Node Relationship: GRC PC Control Objective Attributes
Association 0GPC_COBJ_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GPC_AG_ATTR20GFN_TF_YEAR
Sub-query No

Foreign Key
Association 0GPC_EC_ATTR20GFN_TF_YEAR_1
Sub-query No
Foreign Key
Association 0GPC_TP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_OU_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_BR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Association 0GPC_TL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_DS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OC_TEXT20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR_RP20GFN_TF_YEAR

Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_IN20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_RP20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_KN_KRI_VALUES20GFN_TF_YEAR
Sub-query No
Foreign Key

Association 0GRM_IN_IL_IC20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GPC_RE20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_YEA
Sub-query No
Foreign Key
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_YEA
Sub-query No
Foreign Key

Association 0GPC_EG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_RG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_EP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GPC_AS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GPC_CN_ATTR20GFN_TF_YEAR_1

Sub-query No
Foreign Key
Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_YEA
Sub-query No
Foreign Key
Association 0GPC_CN_RS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association M3 CTRL: TIMEFRAME YEAR
Sub-query No
Foreign Key
Association 0GPC_V0_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Association 0GFN_AI_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GPC_SP_RS_CN_ALL20GFN_TF_YEAR
Sub-query No
Foreign Key
Association H2E IELC: TIMEFRAME YEAR
Sub-query No
Foreign Key
Association 0GRM_AC_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node Relationship: Organization Attributes for Enterprise Search

Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH
Association 0GFN_OU_ATTR_ESH20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_IL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_IN_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_CA_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_KN_ATTR20GFN_TF_YEAR

Sub-query No
Foreign Key
Association 0GRM_RP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_KT_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Association 0GPC_PL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OB_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GFN_RS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_AL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Association F5 TESTLOG: YEAR
Sub-query No
Foreign Key
Association 0GPC_IS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GPC_V9_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
1.2.7.3.2 Search and Analytics Models (RM)
The following structure contains search and analytics models used in Risk Management.
1.2.7.3.2.1 Activity
( Search and Analytics Model ) Search and Analytics Model:GRM_AC

This search and analytics model is used to get the activity data.
Technical Data
Root Node: GRC RM Activity Attributes
Technical Name 0GRM_AC_ATTR
DataSource 0GRM_AC_ATTR

Operational Data Provider: GRC RM Activity Attributes
Technical Name 0GRM_AC
Operational Data Provider: GRC RM Activity Texts
Technical Name 0GRM_AC
ODP-Semantics Texts
AC GRFN_ODP_C GRC ODP Authorization for complex ID
Node Relationship: GRC RM Activity Texts
Node 0GRM_AC_TEXT
Association
Sub-query Yes
Foreign Key
Attribute of Parent Node Value Attribute of Child Node Value Join Operator
AC_ID AC_ID Equal
Association 0GRM_AC_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_AC_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Association 0GRM_AC_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_AC_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
AC_RESP_USER ATTR Equal
Node Relationship: GRC Organizations Attributes
Association 0GRM_AC_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GRM_AC_ATTR20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal

Association 0GRM_OU_AC_RS20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_OR20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Node Relationship:GRC RM OU-Activity-Opportunity-Enhancement Plan
Association 0GRM_OU_AC_OR_RP20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_RS_RP20GRM_AC_ATTR
Sub-query No

Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_RS_IN20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_KN_KRI_VALUES20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_IN_IL_IC20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
1.2.7.3.2.2 Activity Category

( Search and Analytics Model ) Search and Analytics Model: 0GRM_CA
This search and analytics model is used to get the Activity Category data.
Technical Data
Root Node: GRC RM Activity Category Attributes
Technical Name 0GRM_CA_ATTR
DataSource 0GRM_CA_ATTR
Operational Data Provider: GRC RM Activity Category Attributes
Technical Name 0GRM_CA
Operational Data Provider: GRC RM Activity Category Texts
Technical Name 0GRM_CA
ODP-Semantics Texts
CA GRFN_ODP_C GRC ODP Authorization for complex ID
Node Relationship: GRC RM Activity Category Texts
Node 0GRM_CA_TEXT
Association
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_CA_ATTR20GFN_TF_FREQ
Sub-query No

Foreign Key
Association 0GRM_CA_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Sub-query No
Foreign Key
Association 0GRM_KN_KRI_VALUES20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Node 0GRM_CA_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GRM_CA_ATTR
Sub-query No
Foreign Key

CA_ID CA_ID Equal
Association 0GRM_AC_ATTR20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_IN_IL_IC20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_OU_AC_OR20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_OU_AC_OR_RP20GRM_CA_ATTR

Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_OU_AC_RS20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_OU_AC_RS_IN20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_OU_AC_RS_RP20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
1.2.7.3.2.3 Activity Category Hierarchy

( Search and Analytics Model ) Search and Analytics Model: 0GRM_CA_HIER
This search and analytics model is used to get the Activity Category data.
Technical Data
Root Node: Hierarchy Header
DataSource 0GRM_CA_GRMH_HIER
Association
Sub-query No
Foreign Key
Association
Sub-query No
Foreign Key
Association 0GRM_CA.0GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal

Sub-query No
Foreign Key
1.2.7.3.2.4 Analysis
( Search and Analytics Model ) Search and Analytics Model: GRM_AL
This search and analytics model is used to get the analysis data.
Technical Data
Root Node: GRC RM Analylsis Attributes
Technical Name 0GRM_AL_ATTR
DataSource 0GRM_AL_ATTR
Operational Data Provider: GRC RM Analysis Attributes
Technical Name 0GRM_AL
OR GRFN_ODP GRC ODP authorization
RS GRFN_ODP GRC ODP authorization
Association 0GRM_AL_ATTR20GRM_OR_ATTR
Sub-query Yes
Foreign Key
OR_ID OBJID Equal

Association 0GRM_AL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_AL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_AL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_AL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal

Association 0GRM_AL_ATTR20GFN_RS_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
Node Relationship: Analysis Status Text
Node 0GRM_AL_STATUS_TEXT.0GRM_AL_STATUS_TEXT
Association 0GRM_AL_STATUS_TEXT.0GRM_AL_STATUS_TEXT
Sub-query No
Foreign Key
AL_STATUS ATTR Equal
Association 0GRM_AL_ATTR20GFN_USER_TEXT1
Sub-query No
Foreign Key
AL_CREATED_BY ATTR Equal
Sub-query No
Foreign Key
AL_CHANGED_BY ATTR Equal

Sub-query No
Foreign Key
AL_RESP_USER ATTR Equal
1.2.7.3.2.5 Analysis with Forecasting Horizon Result
( Search and Analytics Model ) Search and Analytics Model: 0GRM_W5_ATTR
This search and analytics model is used to get the Forecasting Horizon Analysis attributes.
Technical Data
Root Node: Forecasting Horizon Analysis Attributes
Technical Name 0GRM_W5_ATTR
DataSource 0GRM_W5_ATTR
Operational Data Provider: Forecasting Horizon Analysis Attributes
Technical Name 0GRM_W5_ATTR
ODP-Semantics Transaction Data
W5 GRFN_ODP_E GRC ODP authorization for entity level
Association 0GRM_W5_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU OBJID Equal
Node Relationship: Forecasting Horizon Attributes
Node 0GRM_FH.0GRM_FH_ATTR
Association 0GRM_W5_ATTR20GRM_FH_ATTR

Sub-query No
Foreign Key
FH_ID FH_ID Equal
Association 0GFN_RS_ATTR20GRM_W5_ATTR
Sub-query No
Foreign Key
RS RS_ID Equal
1.2.7.3.2.6 Central Opportunity
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OC
This search and analytics model is used to get the Central Opportunity data.
Technical Data
Root Node: GRC RM Central Opportunity Texts
Technical Name 0GRM_OC_TEXT
DataSource 0GRM_OC_TEXT
Operational Data Provider: GRC RM Central Opportunity Texts
Technical Name 0GRM_OC
ODP-Semantics Texts
OC GRFN_ODP GRC ODP authorization
Association 0GRM_OC_TEXT20GFN_TF_ATTR
Sub-query No

Foreign Key
Association 0GRM_OC_TEXT20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OC_TEXT20GFN_TF_FREQ
Sub-query No
Foreign Key
1.2.7.3.2.7 Enhancement Plan Attributes
( Search and Analytics Model ) Search and Analytics Model: 0GRM_EP
This search and analytics model is used to get the enhancement plan attributes.
Technical Data
Root Node: GRC RM Enhancement Plan Attributes
Technical Name 0GRM_EP_ATTR
DataSource 0GRM_EP_ATTR
Operational Data Provider: GRC RM Enhancement Plan Attributes
Technical Name 0GRM_EP

EP GRFN_ODP_E GRC ODP authorization for entity level
Node Relationship: GRC RM Enhancement Plan Texts
Node 0GRM_EP_TEXT
Association
Sub-query No
Foreign Key
GUID GUID Equal
Association 0GRM_EP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_EP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_EP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Association 0GRM_EP_ATTR20GFN_USER_T1
Sub-query No
Foreign Key
RP_CREATED_BY ATTR Equal
Sub-query No
Foreign Key
RP_CHANGED_BY ATTR Equal
Sub-query No
Foreign Key
RP_RESP_USER ATTR Equal
Sub-query No
Foreign Key
RP_PROCESSOR ATTR Equal
Association 0GRM_EP_ATTR20GFN_OU_ATTR

Sub-query No
Foreign Key
OU_ID OBJID Equal
Node Relationship: GRC RM Response Status Texts
Node 0GRM_RP_ST.0GRM_RP_STATUS_TEXT
Association 0GRM_EP_ATTR20GRM_RP_STATUS_TEXT
Sub-query No
Foreign Key
RP_STATUS ATTR Equal
Sub-query No
Foreign Key
RP_WF_PROCESSOR ATTR Equal
Node Relationship: GRC RM Enhancement Plan Type Texts
Node 0GRM_EP_TYPE_TEXT.0GRM_EP_RESP_TYPE_TE
Association 0GRM_EP_ATTR20GRM_EP_RESP_TYPE_T
Sub-query No
Foreign Key
EP_RESP_TYPE ATTR Equal
Association 0GRM_OU_AC_OR_RP20GRM_EP_ATTR
Sub-query No

Foreign Key
GU_ID RP_ID Equal
1.2.7.3.2.8 Enterprise Search: Activity
( Search and Analytics Model ) Search and Analytics Model: 0GRM_ESH_ACTIVITY
This search and analytics model is used to get the Activity data for Enterprise Search.
Technical Data
Root Node: Activity
Technical Name ACTIVITY
DataSource GRRM_S_ESH_AC
1.2.7.3.2.9 Enterprise Search: Incident
( Search and Analytics Model ) Search and Analytics Model: 0GRM_ESH_INCIDENT
This search and analytics model is used to get the Incident data for Enterprise Search.
Technical Data
Root Node: Incident
Technical Name INCIDENT
DataSource GRFN_S_IN_ATTR
1.2.7.3.2.10 Enterprise Search: Response
( Search and Analytics Model ) Search and Analytics Model: 0GRM_ESH_RESPONSE
This search and analytics model is used to get the Response data for Enterprise Search.
Technical Data
Root Node: Response for enterprise search
Technical Name RESPONSE
DataSource GRRM_S_ESH_RESPONSE

( Search and Analytics Model ) Search and Analytics Model: 0GRM_ESH_RISK

This search and analytics model is used to get the Risk data for Enterprise Search.
Technical Data
Root Node: Risk
Technical Name RISK
DataSource GRRM_S_ESH_RS
1.2.7.3.2.12 Forecasting Horizon Attributes
( Search and Analytics Model ) Search and Analytics Model: 0GRM_FH
This search and analytics model is used to get the Forecasting Horizon data.
Technical Data
Root Node: Forecasting Horizon Attributes
Technical Name 0GRM_FH_ATTR
DataSource 0GRM_FH_ATTR
Operational Data Provider: Forecasting Horizon Attributes
Technical Name 0GRM_FH
Operational Data Provider: GRC RM Forecasting Horizon Text
Technical Name 0GRM_FH
ODP-Semantics Texts
FH GRFN_ODP_E GRC ODP authorization for entity level
Node Relationship: GRC RM Forecasting Horizon Text
Node 0GRM_FH_TEXT
Association

Sub-query No
Foreign Key
FH_ID ATTR Equal
Association 0GRM_FH_ATTR20GFN_USER_TEXT1
Sub-query No
Foreign Key
OPENED_BY ATTR Equal
Sub-query No
Foreign Key
CLOSED_BY ATTR Equal
Sub-query No
Foreign Key
ARCHIVED_BY ATTR Equal
Association 0GRM_FH_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key

CHANGED_BY ATTR Equal
Node Relationship: Forecasting Horizon Status Text
Node 0GRM_FH_STATUS_TEXT.0GRM_FH_STATUS_TEXT
Association 0GRM_FH_STATUS_TEXT20GRM_FH_ATTR
Sub-query No
Foreign Key
FH_STATUS FH_STATUS Equal
Association 0GRM_W5_ATTR20GRM_FH_ATTR
Sub-query No
Foreign Key
FH_ID FH_ID Equal
1.2.7.3.2.13 Impact Category
( Search and Analytics Model ) Search and Analytics Model: 0GRM_IC
This search and analytics model is used to get the Impact Category data.
Technical Data
Root Node: GRC RM Impact Category
Technical Name 0GRM_IC_ATTR
DataSource 0GRM_IC_ATTR
Operational Data Provider: GRC RM Impact Category
Technical Name 0GRM_IC
Operational Data Provider: GRC RM Loss Impact Category Texts
Technical Name 0GRM_IC
ODP-Semantics Texts

IC GRFN_ODP_E GRC ODP authorization for entity level
Node Relationship: GRC RM Loss Impact Category Texts
Node 0GRM_IC_CATEGORY_TEX
Association
Sub-query No
Foreign Key
IMP_CATG ATTR Equal
Association 0GRM_IN_IL_IC20GRM_IC_ATTR
Sub-query No
Foreign Key
IMP_CATG IC_CATEGORY Equal
1.2.7.3.2.14 Incident
( Search and Analytics Model ) Search and Analytics Model: 0GRM_IN
This search and analytics model is used to get the Incident data.
Technical Data
Root Node: GRC RM Incident Attributes
Technical Name 0GRM_IN_ATTR
DataSource 0GRM_IN_ATTR
Operational Data Provider: GRC RM Incident Attributes
Technical Name 0GRM_IN
Operational Data Provider: GRC RM Incident Texts
Technical Name 0GRM_IN

ODP-Semantics Texts
IN GRFN_ODP_E GRC ODP authorization for entity level
Node Relationship: GRC RM Incident Texts
Node 0GRM_IN_TEXT
Association
Sub-query No
Foreign Key
IN_ID IN_ID Equal
Association 0GRM_IN_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_IN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_IN_ATTR20GFN_TF_YEAR

Sub-query No
Foreign Key
Association 0GRM_IN_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_IN_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
IN_RESP_USER ATTR Equal
Association 0GRM_OU_AC_RS_IN20GRM_IN_ATTR
Sub-query No
Foreign Key
IN_ID IN_ID Equal
Association 0GRM_IN_IL_IC20GRM_IN_ATTR

Sub-query No
Foreign Key
IN_ID IN_ID Equal
Association 0GRM_IL_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key
IN_ID IN_ID Equal
Association 0GFN_RS_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.2.15 Incident-Loss-Impact Category assignment
( Search and Analytics Model ) Search and Analytics Model: 0GRM_IN_IL_IC
This search and analytics model is used to get the Risk Management Incident, Loss and Impact Category assignment data.
Technical Data
Root Node: GRC RM Incident-Loss-Impact Category assignment
Technical Name 0GRM_IN_IL_IC
DataSource 0GRM_IN_IL_IC

Operational Data Provider: GRC RM Incident-Loss-Impact Category assignment
Technical Name 0GRM_IC_T01
IC GRFN_ODP_E GRC ODP authorization for entity level
IL GRFN_ODP_E GRC ODP authorization for entity level
IN GRFN_ODP_E GRC ODP authorization for entity level
Association 0GRM_IN_IL_IC20GRM_IN_ATTR
Sub-query No
Foreign Key
IN_ID IN_ID Equal
Association 0GRM_IN_IL_IC20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_IN_IL_IC20GFN_TF_FREQ
Sub-query No
Foreign Key

Association 0GRM_IN_IL_IC20GFN_TF_YEAR
Sub-query No
Foreign Key
Node Relationship: GRC RM Impact Category
Node 0GRM_IC.0GRM_IC_ATTR
Association 0GRM_IN_IL_IC20GRM_IC_ATTR
Sub-query No
Foreign Key
IC_CATEGORY IMP_CATG Equal
Association 0GRM_IN_IL_IC20GRM_IL_ATTR
Sub-query No
Foreign Key
IL_ID IL_ID Equal
Association 0GRM_IN_IL_IC20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
TIMEFRAME TIMEFRAME

Association 0GRM_IN_IL_IC20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_IN_IL_IC20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_IN_IL_IC20GRM_RG_ATTR
Sub-query No
Foreign Key
IN_ID IN_ID Equal
Association 0GFN_RS_ATTR20GRM_IN_IL_IC
Sub-query No
Foreign Key
RS_ID RS_ID Equal

1.2.7.3.2.16 KRI Instance
( Search and Analytics Model ) Search and Analytics Model: 0GRM_KN
This search and analytics model is used to get the KRI Instance data.
Technical Data
Root Node: GRC RM KRI Instance Attributes
Technical Name 0GRM_KN_ATTR
DataSource 0GRM_KN_ATTR
Operational Data Provider: GRC RM KRI Instance Attributes
Technical Name 0GRM_KN
Operational Data Provider: GRC RM KRI Instance Texts
Technical Name 0GRM_KN
ODP-Semantics Texts
KN GRFN_ODP GRC ODP authorization
Node Relationship: GRC RM KRI Instance Texts
Node 0GRM_KN_TEXT
Association
Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GRM_KN_ATTR20GFN_TF_ATTR

Sub-query No
Foreign Key
Association 0GRM_KN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_KN_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_KN_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_KN_ATTR20GFN_USER_TEXT1
Sub-query No

Foreign Key
KN_REQUESTOR ATTR Equal
Association 0GRM_KN_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
KN_PROCESSOR ATTR Equal
Node Relationship: GRC RM KRI Instance Status Texts
Node 0GRM_KN_STATUS.0GRM_KN_STATUS_TEXT
Association 0GRM_KN_STATUS_TEXT20GRM_KN_ATTR
Sub-query No
Foreign Key
KN_STATUS ATTR Equal
Association 0GRM_KN_KRI_VALUES20GRM_KN_ATTR
Sub-query No
Foreign Key
OBJID KN_ID Equal
TF_FREQ TF_FREQ
Association 0GFN_RS_ATTR20GRM_KN_ATTR
Sub-query No
Foreign Key

RS_ID RS_ID Equal
1.2.7.3.2.17 KRI Instance Values
( Search and Analytics Model ) Search and Analytics Model: 0GRM_KN_KRI_VALUES
This search and analytics model is used to get the KRI instance values.
Technical Data
Root Node: GRC RM KRI (Key Risk Indicator) Values
Technical Name 0GRM_KN_KRI_VALUES
DataSource 0GRM_KN_KRI_VALUES
Operational Data Provider: GRC RM KRI (Key Risk Indicator) Values
Technical Name 0GRM_KRI_T01
KN GRFN_ODP GRC ODP authorization
RS4 GRFN_ODP_C GRC ODP authorization for complex ID
Association 0GRM_KN_KRI_VALUES20GRM_KN_ATTR
Sub-query No
Foreign Key
KN_ID OBJID Equal
Association 0GRM_KN_KRI_VALUES20GFN_TF_ATTR

Sub-query No
Foreign Key
Association 0GRM_KN_KRI_VALUES20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_KN_KRI_VALUES20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_KN_KRI_VALUES20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
TIMEFRAME TIMEFRAME
Association 0GRM_KN_KRI_VALUES20GRM_CA_ATTR
Sub-query No

Foreign Key
CA_ID CA_ID Equal
Association 0GRM_KN_KRI_VALUES20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_KN_KRI_VALUES20GRM_KT_ATTR
Sub-query No
Foreign Key
KT_ID OBJID Equal
Association 0GRM_KN_KRI_VALUES20GRM_RG_ATTR
Sub-query No
Foreign Key
RG_ID OBJID Equal

Association 0GFN_RS_ATTR20GRM_KN_KRI_VALUES
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.2.18 KRI Template
( Search and Analytics Model ) Search and Analytics Model: 0GRM_KT

This search and analytics model is used to get the KRI template data.
Technical Data
Root Node: GRC RM KRI Template Attributes
Technical Name 0GRM_KT_ATTR
DataSource 0GRM_KT_ATTR
Operational Data Provider: GRC RM KRI Template Attributes
Technical Name 0GRM_KT
Operational Data Provider: GRC RM KRI Template Texts
Technical Name 0GRM_KT
ODP-Semantics Texts
KT GRFN_ODP GRC ODP authorization
Node Relationship: GRC RM KRI Template Texts
Node 0GRM_KT_TEXT
Association
Sub-query No
Foreign Key

OBJID OBJID Equal
Association 0GRM_KT_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_KT_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_KT_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Node Relationship: GRC RM KRI Template Status Texts
Node 0GRM_KT_STATUS.0GRM_KT_STATUS_TEXT
Association 0GRM_KT_STATUS_TEXT20GRM_KT_ATTR
Sub-query No
Foreign Key

KT_STATUS ATTR Equal
Node Relationship: GRC RM KRI Template System Texts
Node 0GRM_KT_SYSTEM.0GRM_KT_SYSTEM_TEXT
Association 0GRM_KT_SYSTEM_TEXT20GRM_KT_ATTR
Sub-query No
Foreign Key
KT_SYSTEM ATTR Equal
Node Relationship: GRC RM KRI Template Component Texts
Node 0GRM_KT_COMP.0GRM_KT_COMP_TEXT
Association 0GRM_KT_COMP_TEXT20GRM_KT_ATTR
Sub-query No
Foreign Key
KT_COMP ATTR Equal
Node Relationship: GRC RM KRI Template Business Process Texts
Node 0GRM_KT_BUSPROC.0GRM_KT_BUSPROC_TEXT
Association 0GRM_KT_BUSPROC_TEXT20GRM_KT_ATT
Sub-query No
Foreign Key
KT_BUSPROC ATTR Equal
Association 0GRM_KN_KRI_VALUES20GRM_KT_ATTR
Sub-query No
Foreign Key
OBJID KT_ID Equal

1.2.7.3.2.19 Loss Attributes
( Search and Analytics Model )Search and Analytics Model: 0GRM_IL
This search and analytics model is used to get the Loss Attributes data.
Technical Data
Root Node: GRC RM Loss Attributes
Technical Name 0GRM_IL_ATTR
DataSource 0GRM_IL_ATTR
Operational Data Provider: GRC RM Loss Attributes
Technical Name 0GRM_IL
Operational Data Provider: GRC RM Loss Texts
Technical Name 0GRM_IL
ODP-Semantics Texts
IL GRFN_ODP_E GRC ODP authorization for entity level
Node Relationship: GRC RM Loss Texts
Node 0GRM_IL_TEXT
Association
Sub-query No
Foreign Key
IL_ID IL_ID Equal
Association 0GRM_IL_ATTR20GFN_TF_ATTR
Sub-query No

Foreign Key
Association 0GRM_IL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_IL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_IL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_IL_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key

IN_ID IN_ID Equal
Association 0GRM_IN_IL_IC20GRM_IL_ATTR
Sub-query No
Foreign Key
IL_ID IL_ID Equal
Association 0GFN_RS_ATTR20GRM_IL_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.2.20 Objective
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OB
This search and analytics model is used to get the Objective data.
Technical Data
Root Node: GRC RM Org. Unit Objective Attributes
Technical Name 0GRM_OB_ATTR
DataSource 0GRM_OB_ATTR
Operational Data Provider: GRC RM Org. Unit Objective Attributes
Technical Name 0GRM_OB

Operational Data Provider: GRC RM Org. Unit Objective Texts
Technical Name 0GRM_OB
ODP-Semantics Texts
OB GRFN_ODP GRC ODP authorization
Node Relationship: GRC RM Org. Unit Objective Texts
Node 0GRM_OB_TEXT
Association
Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GRM_OB_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OB_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Association 0GRM_OB_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node Relationship: GRC Opportunity Attributes
Association 0GRM_OR_ATTR20GRM_OB_ATTR
Sub-query No
Foreign Key
OBJID OBJID Equal
1.2.7.3.2.21 Opportunity Category
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OG
This search and analytics model is used to get the Opportunity Category data.
Technical Data
Root Node: GRC RM Opportunity Category Attributes
Technical Name 0GRM_OG_ATTR
DataSource 0GRM_OG_ATTR
Operational Data Provider: GRC RM Opportunity Category Attributes
Technical Name 0GRM_OG
Operational Data Provider: GRC RM Opportunity Category Texts
Technical Name 0GRM_OG
ODP-Semantics Texts

OG GRFN_ODP GRC ODP authorization
Node Relationship: GRC RM Opportunity Category Texts
Node 0GRM_OG_TEXT
Association
Sub-query No
Foreign Key
OG_ID OBJID Equal
Association 0GRM_OG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node 0GRM_OG_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GRM_OG_ATTR
Sub-query No
Foreign Key
OG_ID OBJID Equal
Node Relationship: GRC Opportunity Attributes
Association 0GRM_OR_ATTR20GRM_OG_ATTR
Sub-query No
Foreign Key
OG_ID OG_ID Equal
Association 0GRM_OU_AC_OR20GRM_OG_ATTR
Sub-query No
Foreign Key
OG_ID OG_ID Equal
Association 0GRM_OU_AC_OR_RP20GRM_OG_ATTR
Sub-query No
Foreign Key
OG_ID OG_ID Equal

1.2.7.3.2.22 Opportunity Hierarchy
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OG_HIER
This search and analytics model is used to get the Opportunity Hierarchy data.
Technical Data
DataSource 0GRM_OG_GRMH_HIER
Association
Sub-query No
Foreign Key
Association
Sub-query No
Foreign Key
Association HIERARCHY_ELEMENT20GRM_OG_ATTR
Sub-query No
Foreign Key

OBJID OG_ID Equal
Association
Sub-query No
Foreign Key
1.2.7.3.2.23 Opportunity
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OR
This search and analytics model is used to get the Opportunity data.
Technical Data
Root Node: GRC RM Opportunity Attributes
Technical Name 0GRM_OR_ATTR
DataSource 0GRM_OR_ATTR
Operational Data Provider: GRC RM Opportunity Attributes
Technical Name 0GRM_OR
Operational Data Provider: GRC RM Opportunity Texts
Technical Name 0GRM_OR
ODP-Semantics Texts
Node Relationship: GRC RM Opportunity Texts
Node 0GRM_OR_TEXT
Association

Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GRM_OR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OR_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OR_ATTR20GFN_OU_ATTR
Sub-query No

Foreign Key
OU_ID OBJID Equal
Association 0GRM_OB.0GRM_OB_ATTR
Sub-query No
Foreign Key
OB_ID OBJID Equal
Association 0GRM_OR_ATTR20GRM_OG_ATTR
Sub-query No
Foreign Key
OG_ID OG_ID Equal
Association 0GRM_OR_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
OR_RESP_USER ATTR Equal
Association 0GRM_OU_AC_OR.0GRM_OU_AC_OR

Sub-query No
Foreign Key
OBJID OR_ID Equal
Association 0GRM_OU_AC_OR_RP20GRM_OR_ATTR
Sub-query No
Foreign Key
OBJID OR_ID Equal
Association 0GRM_AL_ATTR20GRM_OR_ATTR
Sub-query No
Foreign Key
OBJID OR_ID Equal
1.2.7.3.2.24 OU-Activity-Opportunity Assignment
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OU_AC_OR
This search and analytics model is used to get the Activity and Opportunity assignment data.
Technical Data
Root Node: GRC RM OU-Activity-Opportunity assignment
Technical Name 0GRM_OU_AC_OR
DataSource 0GRM_OU_AC_OR

Technical Name 0GRM_OR_T01
AC GRFN_ODP_C GRC ODP authorization for complex ID
Association 0GRM_OU_AC_OR20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_OU_AC_OR20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_OR20GRM_OR_ATTR
Sub-query No
Foreign Key
OR_ID OBJID Equal

Association 0GRM_OU_AC_OR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal

Association 0GRM_OU_AC_OR20GRM_OG_ATTR
Sub-query No
Foreign Key
OG_ID OG_ID Equal
1.2.7.3.2.25 OU-Activity-Opportunity-Enhancement Plan
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OU_AC_OR_EP
This search and analytics model is used to get the Activity and Opportunity enhancement plan data.
Technical Data
Root Node: GRC RM OU-Activity-Opportunity-Enhancement Plan
Technical Name 0GRM_OU_AC_OR_RP
DataSource 0GRM_OU_AC_OR_RP
Operational Data Provider: GRC RM OU-Activity-Opportunity-Enhancement Plan
Technical Name 0GRM_RP_T01
RP GRFN_ODP_E GRC ODP authorization for entity level
Association 0GRM_OU_AC_OR_RP20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal

Association 0GRM_OU_AC_OR_RP20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_OR_RP20GRM_OR_ATTR
Sub-query No
Foreign Key
OR_ID OBJID Equal
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR_RP20GFN_TF_YEAR
Sub-query No
Foreign Key

Association 0GRM_OU_AC_OR_RP20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_OR_RP20GRM_EP_ATTR
Sub-query No
Foreign Key
RP_ID GUID Equal
Association 0GRM_OU_AC_OR_RP20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_OU_AC_OR_RP20GRM_OG_ATTR
Sub-query No
Foreign Key

OG_ID OG_ID Equal
1.2.7.3.2.26 OU-Activity-Risk Assignment
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OU_AC_RS
This search and analytics model is used to get the Activity and Risk assignment data.
Technical Data
Root Node: GRC RM OU-Activity-Risk assignment
Technical Name 0GRM_OU_AC_RS
DataSource 0GRM_OU_AC_RS
Operational Data Provider: GRC RM OU-Activity-Risk assignment
Technical Name 0GRM_RS_T01
Association 0GRM_OU_AC_RS20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_OU_AC_RS20GRM_AC_ATTR
Sub-query No

Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_RS20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS20GRM_CA_ATTR
Sub-query No
Foreign Key

CA_ID CA_ID Equal
Association 0GRM_OU_AC_RS20GRM_RG_ATTR
Sub-query No
Foreign Key
RG_ID OBJID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.2.27 OU-Activity-Risk-Incident assignment
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OU_AC_RS_IN
This search and analytics model is used to get the Activity, Risk, and Incident assignment data.
Technical Data
Root Node: GRC RM OU-Activity-Risk-Incident assignment
Technical Name 0GRM_OU_AC_RS_IN
DataSource 0GRM_OU_AC_RS_IN
Operational Data Provider: GRC RM OU-Activity-Risk-Incident assignment
Technical Name 0GRM_IN_T01

Association 0GRM_OU_AC_RS_IN20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_OU_AC_RS_IN20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_RS_IN20GRM_IN_ATTR
Sub-query No
Foreign Key
IN_ID IN_ID Equal

Association 0GRM_OU_AC_RS_IN20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_IN20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_IN20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_IN20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal

Association 0GRM_OU_AC_RS_IN20GRM_RG_ATTR
Sub-query No
Foreign Key
RG_ID OBJID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_IN
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.2.28 OU-Activity-Risk-Response Assignment
( Search and Analytics Model ) Search and Analytics Model: 0GRM_OU_AC_RS_RP
This search and analytics model is used to get the Activity, Risk, and Response assignment data.
Technical Data
Root Node: GRC RM OU-Activity-Risk-Response assignment
Technical Name 0GRM_OU_AC_RS_RP
DataSource 0GRM_OU_AC_RS_RP
Operational Data Provider: GRC RM OU-Activity-Risk-Response assignment
Technical Name 0GRM_RP_T02

Association 0GRM_OU_AC_RS_RP20GFN_OU_ATTR
Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_OU_AC_RS_RP20GRM_AC_ATTR
Sub-query No
Foreign Key
AC_ID AC_ID Equal
Association 0GRM_OU_AC_RS_RP20GRM_RP_ATTR
Sub-query No
Foreign Key
RP_ID GUID Equal
Association 0GRM_OU_AC_RS_RP20GFN_TF_ATTR
Sub-query No

Foreign Key
Association 0GRM_OU_AC_RS_RP20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_RP20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_OU_AC_RS_RP20GRM_CA_ATTR
Sub-query No
Foreign Key
CA_ID CA_ID Equal
Association 0GRM_OU_AC_RS_RP20GRM_RG_ATTR
Sub-query No
Foreign Key

RG_ID OBJID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_RP
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.2.29 Response
( Search and Analytics Model ) Search and Analytics Model: 0GRM_RP
This search and analytics model is used to get the Response data.
Technical Data
Root Node: GRC RM Response Attributes
Technical Name 0GRM_RP_ATTR
DataSource 0GRM_RP_ATTR
Operational Data Provider: GRC RM Response Attributes
Technical Name 0GRM_RP
Operational Data Provider: GRC RM Response Texts
Technical Name 0GRM_RP
ODP-Semantics Texts
Node Relationship: GRC RM Response Texts
Node 0GRM_RP_TEXT

Association
Sub-query No
Foreign Key
GUID GUID Equal
Association 0GRM_RP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_RP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Association 0GRM_RP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
Association 0GRM_RP_ATTR20GFN_OU_ATTR

Sub-query No
Foreign Key
OU_ID OBJID Equal
Association 0GRM_RP_ATTR20GFN_USER_TEXT1
Sub-query No
Foreign Key
RP_CREATED_BY ATTR Equal
Sub-query No
Foreign Key
RP_CHANGED_BY ATTR Equal
Sub-query No
Foreign Key
RP_RESP_USER ATTR Equal
Association 0GRM_RP_ATTR20GFN_USER_TEXT
Sub-query No

Foreign Key
RP_PROCESSOR ATTR Equal
Node Relationship: GRC RM Response Status Texts
Node 0GRM_RP_ST.0GRM_RP_STATUS_TEXT
Association 0GRM_RP_STATUS_TEXT20GRM_RP_ATTR
Sub-query No
Foreign Key
RP_STATUS ATTR Equal
Association 0GRM_OU_AC_RS_RP20GRM_RP_ATTR
Sub-query No
Foreign Key
GUID RP_ID Equal
Association 0GFN_RS_ATTR20GRM_RP_ATTR
Sub-query No
Foreign Key
RS_ID RS_ID Equal
1.2.7.3.2.30 Risk Category
( Search and Analytics Model ) Search and Analytics Model: 0GRM_RG
This search and analytics model is used to get the Risk Category data.
Technical Data

Root Node: GRC RM Risk Category (Risk Group)
Technical Name 0GRM_RG_ATTR
DataSource 0GRM_RG_ATTR
Operational Data Provider: GRC RM Risk Category (Risk Group)
Technical Name 0GRM_RG
Operational Data Provider: GRC RM Risk Category Texts
Technical Name 0GRM_RG
ODP-Semantics Texts
RG GRFN_ODP GRC ODP authorization
Node Relationship: GRC RM Risk Category Texts
Node 0GRM_RG_TEXT
Association
Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GRM_RG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Association 0GRM_RG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
Association 0GRM_RG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
Node 0GRM_RG_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GRM_RG_ATTR
Sub-query No
Foreign Key
OBJID OBJID Equal
Association 0GRM_IN_IL_IC20GRM_RG_ATTR
Sub-query No
Foreign Key
OBJID RG_ID Equal

Association 0GRM_KN_KRI_VALUES20GRM_RG_ATTR
Sub-query No
Foreign Key
OBJID RG_ID Equal
Sub-query No
Foreign Key
OBJID OBJID Equal
Sub-query No
Foreign Key
OBJID RG_ID Equal
Association 0GRM_OU_AC_RS_IN20GRM_RG_ATTR
Sub-query No
Foreign Key
OBJID RG_ID Equal

Association 0GRM_OU_AC_RS_RP20GRM_RG_ATTR
Sub-query No
Foreign Key
OBJID RG_ID Equal
1.2.7.3.2.31 Risk Category Hierarchy
( Search and Analytics Model ) Search and Analytics Model: 0GRM_RG_HIER
This search and analytics model is used to get the Risk Category Hierarchy data.
Technical Data
DataSource 0GRM_RG_GRMH_HIER
Association
Sub-query No
Foreign Key
Association
Sub-query No
Foreign Key

Association HIERARCHY_ELEMENT20GRM_RG_ATTR
Sub-query No
Foreign Key
OBJID OBJID Equal
Association
Sub-query No
Foreign Key
1.2.8 User Experience Enhancement
User experience enhancements in SAP Process Control and Risk Management includes a set of new features that provides you with better accessibility and
improved presentation. With these enhancements, you can easily access the most commonly used applications in one centralized page, view user-specific
entity data and status, search for objects, and perform various other tasks.
Process Control and Risk Management provides the following user experience enhancements:
Entry Page
Side Panel
Embedded Search
1.2.8.1 Entry Page
Entry page is a role-based Web Dynpro home page that provides user-specific contents and easy access to the most commonly accessed work center items.
Entry page can be configured according to specific user behaviors. Entry page consists of containers and CHIPs. You can personalize the entry page by
adding or removing containers and CHIPs.
Entry page is available for the following roles:
Internal Audit Manager (Process Control)
Internal Control Manager (Process Control)
Corporate Risk Manager (Risk Management)
Operational Risk Manager (Risk Management)
More Information
For more information about available Process Control and Risk Management CHIPs, see GRC CHIP Catalog
1.2.8.2 Side Panel
Side panel is a CHIP-based widget-type panel that can be accessed from an existing Web Dynpro application. It provides additional information and easy
access to work center items.

In Process Control, side panel is user-specific. It is available for the following users:
Internal Audit Manager
Internal Control Manager
Organization Unit Owner
In Process Control, you can configure the side panel for My Processes for a single role or a group of roles using the Customizing activity Configure Side
Panel for My Process under Governance, Risk and Compliance > General Settings > UI Settings .
In Risk Management, side panel is available in the Risk OIF.
More Information
GRC CHIP Catalog
1.2.8.3 GRC CHIP Catalog
A CHIP (Collaborative Human Interface Part) is a small, widget-type, encapsulated, stateful piece of software that can be combined in a layout with other
CHIPs to form a page or a panel. Entry page and side panel are both implemented using the CHIP technology.
The following CHIPs are available in Process Control and Risk Management:
CHIP Technical Name Description Use Suggestion
Ad Hoc Issues for Audit Actions GRFN_ACTION_ADISSUE_LIST_CHIP Display a list of ad hoc issues for audit Use in entry page
actions
Audit Action and Ad Hoc Issue GRFN_ACTION_ISSUE_CHIP Allows you to view ad hoc issues under Use in side panel
specified audit actions
Audit Dashboard GRFN_DAB_AUDITABLE_CHIP Provides risks and audit proposal Use in entry page
information in graphics
Audit Dashboard: Risks by Auditable GRFN_DAB_AUDITABLE_RISKS Provides risk information by auditable Use in entry page
Entities entities in graphics
Audit Dashboard: Audit Proposals by GRFN_DAB_AUDITABLE_APA Provides audit proposal information by Use in entry page
Auditors auditors in graphics
Audit Dashboard: Audit Proposals by GRFN_DAB_AUDITABLE_APAE Provides audit proposal information by Use in entry page
Auditable Entities auditable entities in graphics
Audit Plan Proposal GRFN_UIBB_AP_CHIP Displays the information of a specific Use in side panel
audit plan proposal
Audit Proposal GRFN_UIBB_AU_CHIP Displays the information of a specific Use in side panel
audit proposal
Criteria Data CRITERIA_CHIP_4_ENTRY_PAGE Used together with other CHIPs to Use in entry page
provide criteria data for entry page
Evaluation Status (Pie View) GRPC_CHIP_EVAL_STAT Presents the status of evaluations in Use in side panel
graphics
Evaluation Status (Column View) GRPC_CHIP_EVAL_STAT_COLUMN Presents the status of evaluations in Use in entry page
graphics
Issue Status (Pie View) GRPC_CHIP_ISSUE_STAT Presents the status of issues in graphics Use in side panel
Issue Status (Column View) GRPC_CHIP_ISSUE_STAT_COLUMN Presents the status of issues in graphics Use in entry page
Open Issues GRFN_OPEN_ISSUE_CHIP Displays open issues according to a Use in side panel
specific object, such as subprocess,
control, etc.
POWL Wrapper GRFN_WD_POWL_CHIP Common POWL Wrapper Use in entry page
POWL List GRFN_POWL_LIST_CHIP POWL List CHIP Use in entry page
Risk Heatmap GRRM_CHIP_HEATMAP Displays risks by level and impact in Use in entry page
matrix
Subprocess/Control GRFN_SP_CONTROL_CHIP Displays information of a single Use in side panel

subprocess or control
Timeframe Filter GRFN_TIMEFRAME_FILTER_CHIP A filter used together with other CHIPs Use in entry page
Passed/failed of Control GRRM_CHIP_PASS_FAIL_CNTL Displays the passed/failed status of Use in the side panel of risk OIF
controls that are used in risks as
response
Open Issues GRRM_CHIP_OPEN_ISSUE Displays the ad-hoc issues Use in entry page
New Entered Risks in the last 14 days GRRM_CHIP_NEW_RISKS Displays newly entered risks in the last Use in entry page
14 days
Risk heat map GRRM_CHIP_HEATMAP Displays risk heat map Use in entry page
Incomplete Response GRRM_CHIP_INCOMP_RESPONSE Displays incomplete responses Use in entry page
Planner GRRM_CHIP_PLANNER Displays the planner tasks status Use in entry page
Scope Selection GRRM_CHIP_SCOPE Provides the selection of date and Use in entry page

organization, which will be used as a
scope for other chips in the entry page
Top Risks GRRM_CHIP_TOP_RISKS User report CHIP Top Risks (Variant of This chip is not used in the default
GRRM_R5) to get the top risks delivery
Workflow Monitor GRRM_CHIP_WI_MONITOR Monitors all the work inbox tasks for all This chip is not used in the default
users in the system. Only the power user delivery
who has the authorization is allowed to
do this activity.
Recent Loss Events GRRM_OB_CHIP_RECENT_LOSSES Displays the recent Loss Events from Use in entry page
Banking created during the last 14 days
Top Losses GRRM_OB_CHIP_TOP_LOSSES Risk Banking Top Losses displays Use in entry page
the Top 5 loss events comparing with
Estimated Loss
Loss Event Workflow Pipeline GRRM_OB_CHIP_WF_PIPELINE Displays the Loss Event Workflow in the Use in entry page
form of Pipeline and table list
More Information
For more information about standard SAP CHIPs, see CHIP Catalog.
For more information about creating CHIPs, see Web Dynpro ABAP Page Builder.
1.3 Work Centers
Work centers provide a central access point for the entire GRC functionality. They are organized to provide easy access to application activities, and contain
menu groups and links to further activities.
This documentation is structured according to the structures within the individual work centers, and contains links to further documentation for the menu
groups and links.
Note
The application provides a standard set of work centers. However, your system administrator can customize them according to your organization's internal
structures. Depending on the product or products that you have licensed, different areas of the GRC application are displayed (Access Control, Process
Control, Risk Management).
1.3.1 My Home
The My Home work center provides a central location to view and act on your assigned tasks, and accessible objects: organizations, processes,
subprocesses, controls.
The My Home work center contains the following sections:
Work Inbox
Ad Hoc Tasks
My Objects
Embedded Search
My Delegation
Note
The My Home work center is shared by the Access Control, Process Control, and Risk Management products in the GRC Application. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions specific to
Risk Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for the
application-specific functions.
Activities
The My Home work center allows you to:
View, access, and address workflow tasks assigned to you, including completed reports that you scheduled.
Search for objects and documents for which you have authorization.
Assign delegates to perform your tasks or activities.
View and process your user data.
More Information
My Home Work Center Access Control specific topics
My Home Process Control specific topics
1.3.1.1 Work Inbox

1.3.1.1 Work Inbox
The Work Inbox lists the tasks you need to process using GRC applications.
Activities
To process a task, choose a hyperlink in the table. The appropriate workflow window appears. Process the task as required.
The STANDARDVIEW displays the columns.
To change the displayed columns, choose Settings , maintain the columns as required, and save the view.
The new view appears in the View dropdown list.
1.3.1.1.1 Risk Management Work Inbox
The Work Inbox displays a user's Risk Management task list.
Prerequisites
The RM workflow-enabling activities in Customizing for GRC under General Settings Workflow must be maintained.
Features
The Risk Management tasks contain notifications, alerts, and workflows that are triggered at various stages of the Risk Management process. You can click
on any task in the list to complete the workflow.
More Information
Workflows
1.3.1.2 Ad Hoc Tasks
From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents, and issues, depending on the applications you
have licensed.
Procedure
Select the following links to work with individual ad hoc tasks:
Risk Proposals — Proposing a Risk
Ad Hoc Risk Escalation — Ad Hoc Risk Escalation
Response Proposals — Creating Response Proposals
Incidents — Reporting an Ad Hoc Incident
Issues — Identifying, Creating, and Assigning Ad Hoc Issues
1.3.1.2.1 Proposing a Risk
Proposing risks for an organizational unit or an activity makes sense for users who are not risk experts, that is, casual users. An employee self-service
function is used for this.
In the Propose Risk section, you access a restricted data view for risks and risk categories defined for particular activity categories. This reduces complexity
and helps streamline risk management activities within a company.
Note
The Propose Risk function represents a limited set of risk data. For information on the full set of risk data, see Creating a Risk.
Procedure
1. In the My Home work center, select Ad Hoc Tasks Risk Proposals .
2. Enter the name of the risk, the organizational unit, and risk category to be assigned to the risk and a description. If necessary, specify the activity.
3. Choose Submit .
4. The system now sends a workflow item to the appropriate user/role for processing. The risk is stored in the list of system risks with the risk type
Proposal and the status Pending Approval .

Working with Risk Proposals
The type of a proposed risk is Proposal until it is converted to a real risk, after which the status changes to Draft for a saved risk or Active when the risk is
submitted. A proposed risk can also be rejected altogether. Proceed as follows:
1. You can work directly with proposed risks by choosing a risk of the type Proposal from the risk list.
2. In the Risk Proposal screen, you can see the risk that was proposed, and you can choose either the Approve or the Reject pushbutton.
3. You receive a confirmation of the risk approval or rejection.
If approved, the risk is displayed in the list of risks with status Approved .
If rejected, the risk is no longer displayed in the list of risks.
Note
A list of proposed risks is displayed in the user's personal object worklist (POWL) under a separate tab, Proposed Risks .
1.3.1.2.2 Ad Hoc Risk Escalation
Ad hoc risk escalation is similar to the risk proposal functionality. It enables analysis and direct response when creating the risk proposal. Based on the
analysis data, the escalation is triggered by comparing with the thresholds defined in the organizational unit hierarchy. It is possible to create a new risk
( Activate Risk ) from the proposal, and also associate the proposal with an existing risk ( Transfer to Risk ). When activating or transferring, you can also
generate an analysis and responses.
A personal object work list (POWL) implements the reporting for this functionality.
Prerequisites
You have completed the following customization tasks:
Set the Validate Risk Proposal task as a general task and activate the work flow linkage:
1. Choose Governance Risk and Compliance General settings Workflow Perform Task Specific Customizing .
2. Expand the GRC node.
3. Select the GRC-RM subnode and choose Assign Agents .
4. Select the Validate Risk Proposal task and choose Attributes... .
5. Select General Task and choose Transfer .
6. Choose Back and return to the Task Customizing Overview screen.
7. Select the GRC-RM subnode and choose Activate Event Linking .
8. Expand the Risk Proposal WF node and choose Detail View .
9. Choose Event linkage activated and Continue .
Enable Ad.hoc Risk Escalation:
1. Choose Governance, Risk and Compliance Risk Management Master Data Setup Activate Risk Proposal and/or Ad-hoc Escalation .
2. Activate RISK_ADHOC_ESCAL.
Features
You create an ad hoc risk escalation from My Home Ad-hoc Risk Escalation .
When you Submit a completed Ad-hoc Risk Escalation screen, the system compares the escalation analysis data with the thresholds defined for the
organizational unit (see Threshold Browser). If the impact exceeds the escalation level, the escalation is automatically forwarded to the upper organizational
unit (in some cases, this can be the corporate organizational unit). The escalation is then sent to the recipient determined by evaluation of the agent slot
0RM_RISK_PROPOSE.
When you, as the nominated agent open the work item in your Work Inbox , the status changes from Created to In Process .
In the Ad-hoc Risk Escalation screen that opens, you have the following options:
Forward
This opens the Forward Ad-hoc Risk Escalation screen, in which you can change the organizational unit. The escalation is then forwarded to the
recipient determined by evaluation of the agent slot 0RM_RISK_PROPOSE for the changed organizational unit.
You can add an explanatory note before forwarding the escalation.
Reject
When you Submit the Reject Ad-hoc Risk Escalation screen, you must add an explanatory note.
Transfer
If you want to transfer the escalation to an existing risk, you select the risk and you can also take over some of the proposed responses. By selecting
the responses, you are asked to enter the Response Type and, optionally, the Purpose . The responses are new responses for the risk.
You can also enter an explanatory note.
Activate
If you decide to take over the analysis, you must specify the risk category to which it is assigned. Based on the actual analysis profile, the probability
and impact is converted to required representation based on the customization and threshold set up.
However, if it is a corporate risk escalation, you can decide selectively for which forecasting horizons you want to use. You can also define the impact,
but it is not mandatory. Based on analysis type the impact and probability is converted if required to values based on the customization and the
threshold definition.
In either case, you can also enter an explanatory note.
More Information
Forecasting Horizons

1.3.1.2.3 Creating Response Proposals
Users can suggest ways to address risks by creating response proposals and submitting them to those responsible for risk mitigation.
Procedure
To create a response proposal:
1. Go to My Home Ad Hoc Tasks Response Proposals .
2. Enter the following information in the Create Response Proposal window:
Title (mandatory)
Org[anizational] unit
Risk
Type (mandatory)
Purpose
Automation type
Description
Steps
3. Click on Submit .
After the response proposal is submitted, the creator of the proposal receives an e-mail confirmation that the proposal was successfully submitted — that is,
delivered to the work inbox of the person responsible for mitigating the specified risk. This person can then approve or reject the response proposal.
Note
Users who are assigned as agents via 0RM_RESPONSE_PROPOSE are authorized to receive and approve or reject response proposals. The approver can
create a response or response template from the response proposal after approving it. For more information, see Creating a Response or Enhancement
Plan and Working with Response Templates.
The creator of the response proposal is notified by e-mail when the response proposal is approved or rejected.
Submitted proposals (including their current status — waiting for approval, approved, or rejected) are listed in the Proposed Responses tab found in work
center Assessments Risk Assessments Responses and Enhancement Plans . Click on the name of the response proposal to review its contents.
1.3.1.2.4 Reporting an Ad Hoc Incident
In the My Home work center, you can report incidents in an ad hoc manner if they are urgent or need immediate attention. You can enter or post incidents;
however, in the case of ad hoc incidents, you access a simplified user interface for posting an individual incident. The full functionality for creating incidents
can be accessed from the Incident Management section of the Assessments work center.
Note
An ad hoc risk proposal or posting of an incident might affect an organization's ability to continue as a going concern. In this case, the monetary effect of
the respective losses (due to an incurred risk) would be high, and might require immediate action.
Procedure
1. Call the My Home work center and then choose the Incidents link under Ad Hoc Tasks .
2. In the Report Incident screen, enter the incident name, select an organization, and enter the incident date and the detection date.
Note
For the full processing of incidents and the prerequisites involved, see Working with Incidents
3. If necessary, enter a description and the incident attributes.

4. If you checkmark Define Loss , the lower screen section displays loss details and loss impact data that you can make entries for. At the right, you can
add loss attributes if necessary.
5. Make the necessary entries and choose the Submit pushbutton.
6. The incident has been submitted and goes through the necessary workflow processing. For more information, see Workflow for Recording Incidents.
1.3.1.2.4.1 Workflow for Recording Incidents
Prerequisites
The following prerequisites must be fulfilled before you can use the workflow functionality for incidents:
An incident or incidents must exist in the system.
Incident and loss attributes must be maintained and assigned to the corresponding organizational unit in Customizing under Risk Management
Incident Loss Database .
The corresponding roles and workflow enabling must be maintained in Customizing under General Settings Workflow .

Procedure
The procedure for recording incidents is as follows:
1. The incident is created with the initial status Draft .
2. After the incident is submitted, it has the status To Be Validated and the workflow goes to the incident validator or validators defined for Risk
Management.
3. The incident validator is identified via agent determination, which can lead to one or multiple groups of validators being determined.
4. The incident is sent to the members of one group after the other.
5. As soon as one validator of a group validates the incident, it goes to the next group of validators for validation. This continues until one member of each
group has validated the incident. Once the incident is validated by all groups, it goes to status Accepted .
6. If one validator sends the incident for rework, the validation process is interrupted and the incident needs to be reworked by the user specified by the
validator sending for rework. The status is To Be Reworked .
7. After the reworker has resubmitted the incident, the validation process restarts with the first group of validators.
8. The reworker also has the option of refusing the incident, which sets the incident at status Canceled .
Incident Validation Workflow
1.3.1.2.5 Issues
Issues that did not arise from an evaluation-based test can be a question, action item, or planned task. An issue can be prompted by compliance or business
events or result from identifying a problem area. An issue can be created for any object, depending on the configuration done through the Customizing
activities.
If an Issue Owner or an object has not been identified, the issue is sent to the Issue Administrator. This person can then assign an owner, an object or both.
The Issue Administrator or the designee then processes the issue.
Navigate to My Home Ad Hoc Tasks Issues
More Information
Identifying, Creating and Assigning Ad Hoc Issues
1.3.1.3 My Objects
You can view and manage objects to which you have access using the My Objects section of the My Home work center. Specifically, you can view and
maintain the following objects:
My Processes : View and maintain all local organizations, processes, subprocesses, and controls for which you are responsible
My Risks : View all risks for which you are the owner or for which you have change authorization
My Responses : View and maintain all responses for which you are the author or processor, or for which you have change authorization
My Incidents : View and maintain all incidents for which you have change authorization
My iELCs : View and maintain all local indirect entity-level control groups (iELC groups) and indirect entity-level controls (iELCs) for which you are
responsible

My Policies : View all policies that pertain to your responsibilities, including policies that were either created by you or require your review or approval
Open Issues : View all open issues on objects for which you have reporting authorization, including evaluation test issues and ad hoc issues
Open Remediation Plans : View all open remediation plans and corrective and preventive action (CAPA) plans for which you have reporting authorization
More Information
My Processes
My Risks
My Responses
My Incidents
My iELCs
My Policies
Open Issues
Open Remediation Plans
1.3.1.3.1 My Risks
Under the My Home work center, you can see all the risks for which you are the owner and for which you have change authorization under My Objects
My Risks .
For more information, see Risk and Opportunities.
1.3.1.3.2 My Responses
Under My Responses , you can maintain all the responses for which you have change authorization.
For more information, see Risk Responses and Enhancement Plans.
1.3.1.3.3 My Incidents
Under My Incidents , you can maintain all the incidents for which you have change authorization.
For more information, see Incident Management.
1.3.1.3.4 My Policies
The My Policies section contains the policies that pertain to your responsibilities (either created by you or requiring your review or approval).
Under the My Home work center, you can see all the policies with your involvement under My Objects My Policies .
More Information
Policies
Regulations and Policies
Creating a Policy Group
Creating a Policy
Reviewing a Policy
Approving a Policy
Publishing a Policy
If you have licensed Risk Management, the following topic applies: Using a Policy as a Risk Response
1.3.1.4 Embedded Search
The Embedded Search function in Process Control and Risk Management allows you to search for objects and documents in a browser-based user interface.
The search results include basic information of objects and documents with hyperlinks, through which you can directly access the related applications and
documents.
Features
In Process Control and Risk Management, the following objects are available for search:
Account Group
Activity
Ad-hoc Issue
Assessment
Business Rule

Control
Documents
Incident
Indirect Entity-Level Control
Issue
Objective
Organization
Policy
Process
Response
Risk
Subprocess
Test History
You can configure Embedded Search by activating and deactivating these objects in Customizing activity Open Administration Cockpit under
Governance, Risk and Compliance General Settings Search .
Activities
To use the Embedded Search :
1. Go to My Home Search Embedded Search .
2. Enter your search query and choose Search .
You can use the advanced search function to specify the search scope, save your search terms, and hide/show search criteria. You can filter the search
results by choosing the categories on the left side.
1.3.1.5 My Delegation
You can authorize another business user to perform your tasks, exercise your access rights, and specify the duration of the delegation.
Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business users. If power users needs to delegate their
authorization to others, they must ask the IT department to assign the PFCG role SAP_GRC_FN_ALL to specified users. This delegation is not entity-
dependent.
Procedure
To delegate your tasks and access rights to another user, proceed as follows:
1. From the My Home work center, choose Delegation My Delegation .
The Assign Own Delegate screen displays your existing delegations. You can create a new delegation, open and edit an existing delegation, or delete a
delegation.
2. To create a new delegation, choose Create .
The Own Delegation screen displays.
3. In the Delegate User field, select the value help pushbutton to display the User List dialog box. Enter or search for a user name.
Note
Wildcards (*) are supported in a search.
4. Select a user name and choose OK . The system completes the Delegator and User ID fields.
5. For the Delegation Period the following points apply:
The Start Date field defaults to the date the delegation is created. You can change this field.
The End Date field defaults to unlimited (December 31, 9999). You can change this field. If you accept the default of an unlimited End Date, you
can change the date later or delete the delegation when it is no longer needed.
To edit an existing delegation, proceed as follows:

1. Choose the delegation assignment.
2. Choose Open .
The Own Delegation screen appears. You can only change the End Date .
3. Choose Save.
To delete an existing delegation, proceed as follows:

1. Choose the delegation assignment and choose Delete .
The system prompts you to confirm the deletion.
2. Choose Yes .
1.3.2 Master Data
The Master Data work center provides a central location to manage and view the organization structure, regulation and policies, catalog of objectives, and
catalog of risks and responses.
The Master Data work center contains the following sections:
Organizations

Organizations
Regulations and Policies
Objectives
Activities and Processes
Risks and Responses
Consistency Checks
Reports
Note
The Master Data work center is shared by the Access Control, Process Control, and Risk Management products in the GRC application. The menu
groups and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions
specific to Risk Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for
the application-specific functions.
More Information
Master Data: Process Control-specific topics
1.3.2.1 Organizations
You can use the functions on the Organizations screen to create and maintain an organizational structure within the application that mirrors the organizations
in your company.
Integration
If you have licensed Risk Management, Process Control and Access Control and want to use them for the same organization, the application must
share a common organizational view. Complete the Customizing activity Maintain Organization Views , under Governance, Risk, and Compliance
General Settings Workflow
To create the root organization and its first child organization in the specified organization view, complete the Customizing activity Create Root
Organization Hierarchy , under Governance, Risk, and Compliance General Settings Workflow
More Information
Access Control – Organizations
Process Control – Creating and Editing an Organization
Risk Management – Working with Organizational Units
1.3.2.1.1 Working with Organizational Units
In the Organizations area of the Master Data work center, you can maintain the organizational structure for your company. This includes setting up initial
roles and responsibilities and the initial definition of certain risk management details for the respective organizational unit, such as line of business, country,
and legal entity.
Note
If you have licensed both Risk Management and Process Control, and want to use them for the same organization, both applications must share a
common organizational hierarchy.
Prerequisites
The following prerequisites must be fulfilled before you can work with organizational units:
You must define the following in Customizing:
Parent organization
Currency
Units of measure
Risk appetite
Impact categories / impact levels
To assign roles, you must carry out the Customizing activity Maintain Entity Role Assignment , under General Settings Authorizations . For
more information, see Entering Risk-Specific Organization Data.
If you want to maintain objectives, a hierarchy of objectives must exist in the Risk Management application.
If you want the Issues tab to display for organizational units, you must also carry out the Customizing activity Enable Ad Hoc Issues by Object Type ,
under Common Component Settings Ad Hoc Issues .
If you are using SAP workflow functions, you must ensure that the corresponding roles are assigned to specific agent slots (business events) in the
Customizing activity Maintain Custom Agent Determination Rules , under General Settings Workflow . For more information, see Workflows.

Procedure
Adding or Copying Organizations

1. Open the Organizations screen under Master Data Organizations .
2. On the Organizations screen, you can create a hierarchy with organizations and carry out various functions for them.
Note
The View field enables you to switch between different views of the organizational entities in a hierarchy by making a selection in this dropdown
field. You can also select by date to see organizational units that were created on an earlier date.
3. To create an organization in the hierarchy, put the cursor on the parent organization or on the organization for which you wish to create a child
organization. The screen of the organization opens.
4. Choose Add . You are prompted to specify whether you want to create a new organization or reuse an existing organization:
If you create a new organization, proceed as described in the section Working with the Organization Tabs below.
If you want to reuse an existing organization, choose Reuse existing organization . Then select the organization that you want to reuse and
choose OK . After this, select the organization in the overview screen and proceed as described below.
Working with the Organization Tabs

1. On the General tab, enter a name for the organization and the currency that your organization uses. This is the consolidation currency to be used for
risk aggregation. Change the valid-to date if necessary.
2. On the Policies tab, you can see the policies that have been created for this organization. For more information about policies, see Policies.
3. On the Objectives tab, add the objectives that correspond to your company strategy. For more information, see Business Objectives Hierarchy.
4. On the Key Risk Indicators tab, specify the Assigned Key Risk Indicators and Business Rules for the organization.
When creating Assigned Key Risk Indicators , you can choose to add a Standard KRI Instance , a Score-based KRI Instance , or a Manual KRI
Instance . For more information, see Managing Organizational Key Risk Indicators.
5. On the Units of Measure tab, you must specify the unit of measure to be used in your organization. This is necessary for defining conversion factors
for each impact category defined in Customizing. Select an impact category from the dropdown field. Then choose Create and choose the unit of
measure. The abbreviation field populates automatically. Enter the conversion factor to be used if you are not using a monetary unit of measure.
6. On the Risk Appetite tab, select the degree of risk-taking that is to be applied when individual risks are entered into the system. If desired, you can
specify a monetary value as the upper limit for this.
7. On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can specify the lower and upper limit for each
impact level in monetary terms. For more information, see Entering Risk-Specific Organization Data.
Note
You must enter the lower and upper limits per impact level in ascending order. This means that the greater the impact level, the higher the
quantitative/monetary effect.
8. On the Roles tab, you can assign users to individual roles, as well as replace or remove them. For more information, see Entering Risk-Specific
Organization Data.
9. When you are finished, save the data for your organization.
1.3.2.1.1.1 Entering Risk-Specific Organization Data
On the Organizations screen under Master Data Organizations , you can enter the following risk-specific data for your organization:
Business objectives
Risk appetite
Risk thresholds (referring to risk impact levels and monetary values)
Risk-specific roles
Prerequisites
The following Customizing activities must be carried out:
Maintain Objective Categories
Maintain Risk Appetite
Maintain Impact Categories
Maintain Impact Levels
Maintain Entity Role Assignment (to assign risk-specific roles to the organization)
Procedure
Specify Business Objectives

1. In the Objective tab, add the objectives that correspond to your company strategy.
Fore more information on objectives, see Objectives Hierarchy.
Specify the Risk Appetite

For your organization, you can specify the degree of risk-taking that is to be applied when individual risks are entered into the system.
1. On the Risk Appetite tab, select the qualitative appetite from the dropdown options.
2. If desired, you can specify a monetary value as the upper limit for the qualitative appetite.
Define Risk Thresholds per Impact Level

On the Risk Thresholds tab, you can see the various risk thresholds with their impact levels. Here you can specify the lower and upper limit for each impact
level in monetary terms.
1. Put the cursor on an impact level line and enter the values in the fields below this table, moving from the lowest to the highest impact level.
2. If necessary, enter a description for each impact level you define.
4. When finished, you can see that the lowest limit remains at zero and the uppermost limit stays blank.
Assign Risk-Specific Roles

On the Roles tab, you can assign users to individual roles, as well as replace or remove them.
Note
These roles are added to the organizational unit during implementation and Customizing. For more information, see Risk Management Application Roles.
Before assigning roles, check that the roles you want to assign exist in the Customizing activity Maintain Entity Role Assignment .
Note
If you are using SAP Workflow, you must also ensure that the roles you assign have also been assigned to specific agent slots (business events) in the
Customizing activity Maintain Custom Agent Determination Rules .
To assign users to an organizational unit in the application, proceed as follows:

1. Access Master Data Organizations Organizations . The list of organizations is displayed.
2. Make sure that the Date field contains the current or a future date. If necessary, change it and choose the Apply pushbutton.
Note
Role assignment for the past is not permitted.
3. Open the organization to which you want to assign roles.

4. On the Roles tab of the organization screen, select the line of the role to which you want to assign a user.
5. Then choose the Assign pushbutton. In the dialog box that displays, you can now search for and select the user to be assigned to this role. You can
also remove or replace the role for a user by choosing the corresponding pushbuttons.
1.3.2.1.1.2 Managing Organizational Key Risk Indicators
You can assign one or more key risk indicators (KRI) to an organization. This is known as a KRI instance . In this way, you can automatically identify risks in
organizations and escalate them to risk owners for immediate attention if necessary.
Prerequisites
You have created a KRI implementation.
You have maintained the corresponding activities for timeframes and frequencies in Customizing under Governance, Risk and Compliance General
Settings Key Attributes .
Procedure
Creating Standard KRI Instances

1. When managing an organization, choose the Key Risk Indicators tab and choose Create Standard KRI Instance in the Assigned Key Risk
Indicators section.
The Create KRI Instance dialog appears.
2. In the KRI Instance Name field, type the name of the KRI instance that you want to create.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using the drop-down lists.
7. In the History Review Required field, select the Yes radio button to have the previous KRI values maintained in the database. By default, the Yes
radio button is selected.
8. In the Selection Table , modify the KRI implementation settings, as required.
9. In the Attachments and Links tab, specify the attachments and links for the KRI instance.
1. To add an attachment, choose the Add pushbutton and select Add File using the drop-down menu.
Specify the title and the file name of the attachment, and choose the OK pushbutton.

2. To add a link, choose the Add pushbutton and select Add Link using the drop-down menu.
Specify the title and the path of the link, and choose the OK pushbutton.
10. Choose the OK pushbutton to have the system check the data and set the status as Draft for the KRI instance.
Alternatively, choose from among the following options:
Choose the Activate pushbutton to set the status as Active for the KRI instance.
Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor (to the KRI liaison defined in the Risk
Management workflows, for example). The dialog closes and the Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to your inbox for
processing or approval, among other options. For more information, see Workflow for KRI Instance Localization Request.
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.
Creating Score-Based KRI Instances

1. Choose the Key Risk Indicators tab and choose Create Score-based KRI Instance in the Assigned Key Risk Indicators section.
3. In the KRI Template field, type or select the KRI template for the instance.
4. In the Last Execution Date field, choose the appropriate execution date using the drop-down lists.
6. Choose the Rule tab to specify the business rule for the KRI instance.
Using the Mapping and Expression tabs, enter the calculation parameters for the KRI business rule.
You can specify the Expression as either a Formula or a Decision Table using the Rule Type drop-down menu. After you are finished, you can
check the syntax, test the rule, or access the NetWeaver BRFplus (Business Rule Framework plus) Workbench.
Alternatively, choose the Activate pushbutton to set the status as Active for the KRI instance.
Creating Manual KRI Instances

1. Choose the Key Risk Indicators tab and choose Create Manual KRI Instance in the Assigned Key Risk Indicators section.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
More Information
For more information about specifying business rules, see Creating KRI Business Rules.
1.3.2.1.2 Threshold Browser
The thresholds browser is a tool to browse and maintain thresholds on organizational units, activities, and risk categories. For organizational units, it allows the
maintenance of the standard impact thresholds, the risk summary thresholds and risk appetite. For activities and risk categories, you can only maintain the
risk summary thresholds.
These thresholds are used in the ad-hoc risk escalation process. For more information, see Ad Hoc Risk Escalation.
Prerequisites
To maintain the risk summaries in the threshold browser, the appropriate entity must have a Determination Attribute of Individual Value in SAP
Customizing Governance, Risk and Compliance Risk Management Master Data Setup Risk Summary Settings . If the Determination Attribute is
Central Value for a particular entity, the risk summary is read-only in the threshold browser for that entity.
Activities
In the threshold browser navigation pane, you can select the organizational unit, activity, or risk category from a list or an hierarchical tree.
In the right-hand pane, you can maintain the risk thresholds, risk summary thresholds, and risk appetite. Once you have defined the thresholds and appetite,
you have the option to copy them to:

The clipboard
All children of the current entity
All entities on the same level
All entities
If you copy the thresholds to the clipboard, you can navigate to another entity and the Paste option is valid to enter the copied thresholds for this entity.
In the header area, you can save and cancel all changes that have been made. You can also change the focus date for which all data is displayed and
maintained. If you change the focus date, all changes are saved or discarded. If you change the focus date to a date in the past, changes are no longer
allowed and all threshold data is shown in read-only mode.
More Information
Ad Hoc Risk Escalation
1.3.2.2 Regulations and Policies
Regulations and Policies gives you visibility into your compliance landscape.
More Information
Regulations
Policies
1.3.2.2.1 Regulations
In the regulation hierarchy, you document which compliance initiatives your company supports. For each compliance initiative, you can document the
regulation and its requirements. After defining a new regulation, you specify the subprocesses and controls that are relevant to that regulation.
Structure
The Regulations section allows you to:
Review and document your compliance initiatives in one place
Organize your compliance initiatives into groups
Example
You have a group of financial compliance initiatives that could include SOX, J-SOX, and IDS or a group of operational compliance initiatives that include FDA
and Life Sciences regulations.
Maintain your regulation hierarchy to the individual requirement level. For example, you can maintain SOX compliance down to the regulation requirement SOX
302. If you maintain regulation requirements, you can assign them to controls and track the affected requirements at the control level.
More Information
Policies
1.3.2.2.2 Policies
A policy is a set of principles, rules, and guidelines that are formulated or adopted by an organization to reach its long-term goals. Policies are designed to
influence major decisions and actions, and all activities take place within the boundaries set by them. They are used in Process Control and Risk
Management.
A policy contains a written description of an organization's position on important subjects and its response to specific situations. Policies support managerial
decision-making, to help the company achieve its objectives. Policies are an element of a complete governance process. This process involves an analysis of
regulations, best practices, and corporate business objectives, after which they are codified into policies affecting the business actions of all employees.
Policies need to be created, reviewed, approved, and distributed; there is an ongoing process of policy acknowledgment, self-assessment, and updates.
Policies must be managed throughout their lifecycle.
Prerequisites
According to your business needs, complete the Customizing activities under Governance, Risk, and Compliance Common Component Settings
Policy Management .

More Information
Creating a Policy
Reviewing a Policy
Approving a Policy
Publishing a Policy
Using a Policy as a Risk Response
1.3.2.2.2.1 Creating a Policy Group
Procedure
You must create a policy group before you can create a policy.
1. Choose Master Data Regulations and Policies Policies
2. Choose Create Policy Group .
The Policy Group screen displays.
3. Complete the following fields:
Policy Group fields
Field Name Description
Group Name (required) Create a distinctive Group Name.
Description (optional) Enter information to tell users the contents of the Policy Group.
Approval Survey (required) Select the survey from the dropdown.
Note
You must have previously created an Approval Survey in the Survey Library.
Valid From (required) Enter the starting date.
Valid To (required) Enter the ending date.
4. Choose Save and Close .
More Information
Creating a Policy
Reviewing a Policy
Approving a Policy
Publishing a Policy
1.3.2.2.2.2 Creating a Policy
Policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals.
Example
A Global Travel Policy is one example of a business policy. The goal might be to reduce costs and increase efficiency by mandating that everyone in the
company adhere to this policy.
Prerequisites
You must create a policy group before you can create a policy.
Procedure
1. Choose Master Data Regulations and Policies Policies
2. Choose the Policy Group where you want to add the policy.
3. Choose Create Policy
4. Select a Policy Object Type and choose OK .
Note
The Policy Object Types are configured during the Customizing activity Maintain Policy Types and Distribution Methods under Governance,
Risk, and Compliance Common Component Settings Policy Management .
5. Complete the fields on the General tab.

Policy — General tab
Field Name Description

Name (required) Create a distinctive policy name.
Description (optional) Enter information to tell users the contents of the policy.
Distribution Methods (required) Select Acknowledgement , Quiz or Survey . If you choose Quiz or Survey ,
you must specify a template from the Survey Library . An e-mail is sent to the
recipients with a PDF attachment, showing the required actions.
Purpose (required) State the reason for the policy.
Policy Category (optional) Select the categories this policy belongs to.
Date (optional) Enter the date.
Assignment Method (optional) Select Assign Directly , Inherited , Localized, or Superseded .
Responsible Organization (required) Enter the organization responsible for the policy.
Created by (optional) The default is the person who created the policy.
Created On (optional) The default is today's date.
Valid From (required) Enter the first date of effectiveness for the policy.
Valid To (required) Enter the last day of effectiveness for the policy.
Date for Next Revision (optional) Enter the date for the next revision. This date must be between the Valid From
and Valid To dates.
Note (optional) Enter any material that might be helpful to approvers or reviewers.
6. Select the Policy Document tab. Attach the actual policy documents (word files, excel files, images) that contain the written policy. The policy
documents may reside in SAP Document Management Systems (DMS) or you may include links to documents residing in external DMSl.
7. Select the Policy Scope tab.
You document who is in scope and subject to the policy. You may also explicitly specify who is excluded from the scope of this policy. Define which
Organizations , Processes (contained in the Organization), Activities , People (can be roles, user groups, or specific users) or Exclusions you want
to identify (text field). This is who receives the policy when it is published.
8. Select the Risks tab.
This is the risk associated with the nonadherence to the policy. If the company is not compliant with the policy, this is the risk that could occur.
9. Select the Controls tab.
Assign the controls or indirect entity-level controls that pertain to the policy.
10. Select the Policy Sources tab.
Specify the sources or the reasons and motivations behind the creation of the policy. There are defaults choices provided. Add or remove sources as
needed.
Note
The Policy Sources are configured during the Customizing activity Maintain Policy Source Categories under Governance, Risk, and
Compliance Common Component Settings Policy Management .
11. Select the Issues tab.

If there are any ad hoc issues related to this policy that need to be addressed, they will be displayed in this tab.
12. On the Roles tab you can assign users to individual roles (such as Policy Owner, Policy Approver and Policy Reviewer), as well as replace or remove
them. To assign a user, select the line of the role to which you want to assign a user. Then choose Assign . In the dialog box then displayed, you can
search for and select the user to be assigned to this role. You can assign multiple approvers and reviewers.
13. Select the Review and Approval tab to view the status or the approvals. If you did not assign specific reviewers or approvers, the Default Approvers
(usually the Organization Owner — the owner of the organization specified in the Policy Scope tab) are asked to approve the policy.
14. Choose Save .
15. Decide if you can immediately Submit for Approval or if you need to Send for Review .
More Information
Reviewing a Policy
Approving a Policy
Publishing a Policy
1.3.2.2.2.3 Reviewing a Policy
After the policy owner submits the newly created policy for review, the policy review workflow is sent to the reviewer. If the policy owner has set up more than
one reviewer, then a parallel policy review workflow is sent to all the reviewers at once.
Prerequisites
Policy reviewers were set up by the policy owner (author of the policy).
Procedure
1. Choose My Home Work Inbox .
2. Select a policy to review. You see the same tabs that are used to create a policy. Read the material contained in the tabs to understand the scope,

history, and potential risks of the policy.
3. Submit comments as needed for specific tabs.
4. Review any comments on the Review and Approval tab. Add any general comments here. You have virtually unlimited text.
Note
If you accept the policy draft with no changes, then comments are optional. Before submitting the comments, the reviewer can delete comments he
or she has entered. The reviewer cannot delete comments entered by other reviewers. Once a reviewer submits a comment, it cannot be modified or
deleted.
5. After the comments have been submitted, the policy owner can see all comments in a compiled format. The policy owner revises the policy draft based
on the review comments. As long as the policy owner does not submit the policy for approval, reviewers can continue to enter comments by selecting
the Review Policy link in their Work Inbox.
More Information
Creating a Policy
Approving a Policy
Publishing a Policy
1.3.2.2.2.4 Approving a Policy
After the policy owner ensures that all the review comments have been incorporated, the owner submits the final draft of the policy for approval. One or more
approvers may be responsible for this policy, as determined by the workflow engine and as specified by the policy owner. The defined approvers receive the
approval workflow in their GRC Inbox.
Prerequisites
The policy approvers must be set up by the policy owner or the default approvers may be determined by the workflow engine (based on the organizations and
processes assigned to the policy).
Note
If the policy applies to an organization, then that organization owner becomes the default approver. Since all the users in the organization are subject
to this new policy, the organization owner must approve it.
If the policy applies to a certain process and/or subprocess, then the respective owner becomes the default approver. Since all the users in the
process and/or subprocess are subject to this new policy, the process/subprocess owners must approve it.
There may be other roles assigned to the policy approver role in the configuration, for a certain organization, process or subprocess, who also
receive the approval workflow.
Procedure
1. Choose My Home Work Inbox .
2. Select a policy to approve. You see the same tabs used to create a policy. Read the material contained in the tabs to understand the scope, history, and
potential risks of the policy.
3. Review any comments on the Review and Approval tab. If an Approval Survey has been created, it is located here and requires answers. Add any
general comments here.
4. Decide if you need to Save Draft, Close, Send Back for Rework, Reject or Approve the policy.
5. You now have the following options:
Approve : The approver may (optionally) provide comments to the policy owner. The approver may also attach supporting documents or links. The
policy owner is notified that the policy has been approved. If this policy receives approvals from all approvers, then the policy is ready to be
published directly. Or, this setting can be modified through the Customizing activities so that instead of all approvers, only one approver is required
for the policy to be approved and published to the policy library.
Reject : The approver has to provide comments to the policy owner. The approver may also attach supporting documents or links. The policy
owner is notified that the policy has been rejected. The only choice for the policy owner is to create a new policy and start again.
Send Back for Rework : The approver has to provide comments to the policy owner. The approver must provide suggestions (for example, a
structured list) for improving the policy and any expected changes. The approver may also attach supporting documents or links. The policy owner
is notified that the policy has been sent for rework. The policy owner has to amend the policy and resubmit it for approval.
Save Draft : Save your comments or attachments and complete the approval process at a later time.
Close : Close the policy and complete actions at a later time. No Changes are saved.
6. Select Close .
More Information
Creating a Policy
Reviewing a Policy
Publishing a Policy

1.3.2.2.2.5 Publishing a Policy
A new policy is published to the Policy Library and is then available to all authorized users for viewing and is available for distribution and policy attestation.
Prerequisites
The policy must have been reviewed by the policy reviewers and approved by the policy approvers. After approval, the policy is published directly.
Procedure
1. Navigate to the Assessments work center.
2. Select the Planner to schedule the policy distribution.
Note
The Distribution Method (Quiz, Survey, or Acknowledgement) is also defined when the policy is created.
More Information
Planner
Creating a Policy
Reviewing a Policy
Approving a Policy
1.3.2.3 Objectives
Depending on the products you have licensed, in the Objectives section of the Master Data work center, you can maintain Control Objectives and Business
Objectives.
1.3.2.3.1 Business Objectives Hierarchy
Managing and assessing risks across the organization are important tasks for companies that must adhere to legal compliance requirements or use
management best practice frameworks with risk management methodologies. Business practice has shown that the connection between risks and objectives
provides greater visibility for the management team during risk reporting. By creating a hierarchy of your company's objectives, you can link or associate the
objectives with impact categories defined for risks.
In the same way as the vision and mission of an organization describe the top-level desired state of the organization, objectives describe critical, actionable,
and measurable components of that desired state within the context of organizational perspectives.
In Risk Management, you can create a strategy to describe your company's primary and dependent objectives, which are defined in a time-dependent manner.
By structuring your objectives in a hierarchy, you can obtain a clear breakdown on the business side of your company's strategic and operational objectives.
Prerequisites
You have maintained the corresponding objective categories in Customizing.
To create a hierarchy of objectives, you must first create the objective strategy.
Procedure
After you create an objective strategy, you can create individual objectives to assign to this strategy. Proceed as follows:
1. Call Master Data Objectives Business Objectives .
2. The Objectives Hierarchy window displays, with a list of the defined objectives.
3. First create a strategy for your objectives by choosing the Create Strategy pushbutton. Enter a name for the strategy, select an objective
category and describe the objective, then save it.
Note
You cannot assign an organizational unit to the objective here. Instead, you must assign existing objectives when you create an organizational unit.
These are displayed in the Objectives screen after saving. For more information, see Entering Risk-Specific Organization Data.
4. Now choose this strategy again from the list and choose the Create Objective pushbutton. Create an objective for the strategy, and save the
strategy. This procedure can be repeated as frequently as necessary.
5. Save the objective.

More Information
See SAP Strategy Management documentation in the SAP Library under SAP BusinessObjects tab EPM Solutions SAP Strategy Management
Application Help. Under application help, choose Administration Connectors .
1.3.2.4 Activities and Processes
The Activities and Processes section in the Master Data work center is where you maintain your company's activities, business processes, subprocesses,
and controls. It contains the following links:
Activity Hierarchy
Business Processes
Indirect Entity-Level Controls
1.3.2.4.1 Activities
An activity is any project, process, or an object within your business or organization that might be affected by a specific risk.
After creating activity categories structured in an activity hierarchy, you can create individual activities for the activity types defined in Customizing and assign
them to the activity categories in the hierarchy. At defined intervals, for example, the activities affected by specific risks can subsequently be evaluated per
activity category in reporting.
Typical types of activities are:
Processes: Potentially all operational and administrative processes within an enterprise.
Projects: Potentially all internal and customer projects.
Objects: Refers to generic activities that are neither a project nor a process.
You can define all the activities that need to be monitored through dedicated risk management procedures, in this way structuring risk management in different
areas of the business. These structures can later be used for reporting.
You must assign all activities to an activity category.
Prerequisites
Activity types must have been maintained in Customizing under Risk Management Master Data Setup .
Features
For each activity, you can do the following:
Specify the activity category and validity period, as well as enter relevant constraints and assumptions for the activity.
Assign users/roles responsible for processing the activity.
Link the corresponding risks and opportunities identified for that activity.
Display any surveys to be executed for the activity.
Display and print out a PDF fact sheet with relevant activity information.
Note
Activities are time-dependent objects. If the valid-to date has elapsed, you do not see these activities in the corresponding list, since they have expired.
However, you can still evaluate them in reporting.
More Information
Creating Activity Categories
Creating an Activity
Activity Hierarchy
1.3.2.4.1.1 Activity Hierarchy
In the Activities and Processes section of the Master Data work center, you can define a hierarchy to structure the activities in your organization that
involve risks. In this way, you can define the scope of risk management activities within your company, making them transparent, in particular for reporting
purposes. You do this by defining risk-relevant activity categories. The research and development projects of your organization could be one activity category,
for example.
Note
If you want to see the processes of Process Control in the Risk Management activity hierarchy, proceed as described in Reuse of PC Central Process
Hierarchy in RM.

Prerequisites
In Customizing, you must maintain activity types for your organization.
Features
In the Activity Hierarchy section, you can do the following:
Create and delete activity categories
View and edit activity category details
Assign risk and opportunity categories to an activity category
Example
Sample global activity hierarchy showing assigned risks
The above example shows how risks are assigned. First, the activity type defined in Customizing called business processes is used to create an activity
category called Financials . Then for Organizational Unit 1, this activity category is used to define the two activities of budgeting and consolidation. The
budgeting activity has two risks allocated to it: Overspending and Budget not approved .
More Information
For more information about activity creation, see:
Activities
Creating Activity Categories
1.3.2.4.1.2 Creating Activity Categories
By creating activity categories and structuring them in an activity hierarchy, you can group your business processes or other planning objects. You can
subsequently use these activity types to structure your activity hierarchy and activity reports.
Prerequisites
The Customizing activity Maintain Activity Types must be maintained.
Procedure
To maintain the activity hierarchy, choose Master Data Activities and Processes Activity Hierarchy . The Activity Hierarchy screen appears. In the
dropdown box at the top left, you can see the different activity types maintained in Customizing.

Note
If you have implemented both Risk Management and Process Control, the activity hierarchy selection screen contains the defined Risk Management
activity hierarchies as well as the Process Control processes, which you can access in display mode.
Proceed as follows to create an activity hierarchy:

1. From the dropdown list, select an activity type to be used for creating the activity category, and then choose the Create pushbutton.
2. In the screen that opens, enter the name of the activity category and if necessary a description.
3. If you want to allow the assignment of activities to this activity category, set the corresponding indicator at Yes .
4. On the Risk Classification tab, you can assign risk categories to this activity category by clicking the Assign pushbutton.
5. On the Opportunity Classification tab, you can assign opportunity categories to this activity category in the same way.
6. Save your data. The activity category is included in your activity hierarchy.
1.3.2.5 Risks and Responses
The Risks and Responses section of the Master Data work center enables you to maintain your organization's risk, opportunity, and response catalogs. It
contains the following Quick Links:
Risk Catalog
Opportunity Catalog
Response Catalog
More Information
Risk Catalog
Opportunity Catalog
Classifying Risks, Opportunities, and Responses
1.3.2.5.1 Risk Catalog
Classifying risks within a catalog containing a clear risk hierarchy provides you with a structured view of all risks of your company. You can classify risks
according to the categories of risks that you wish to track, and carry out reporting, for example, to evaluate the risks per risk category defined for your
company.
Features
For each risk category you define, you can define individual risk templates. You can use this template when actual risks are created. Risk templates only have
drivers and impacts defined for them, but no further data.
You can subsequently carry out reporting, for example, to evaluate the risks per risk category.
The graphic below shows some risk templates and their assignment to user-defined risk categories.

In the Risks and Responses section of the Master Data work center, you can work with the following features:
Create and delete risk templates and risk categories.
View and edit risk template and risk category details.
Specify driver and impact categories for a risk template, and assign KRIs.
For more information about risk catalogs, see Classifying Risks, Opportunities, and Responses.
Note
The risk categories created can also be used for Risk Management reporting.
1.3.2.5.1.1 Classifying Risks, Opportunities, and Responses
By structuring your organization's risks, opportunities and responses into individual categories, you can obtain a clear structure of all enterprise-wide objects
created. The following types of catalogs can be created; the documentation below describes risk catalog maintenance, and opportunity and response catalog
maintenance is carried out similarly.
Risk Catalog: A Classification Hierarchy is provided by the system, below which you can define individual risk categories. You can also create risk
templates to assign to the risk categories you have defined. These risk templates are used to capture the most important reusable risk data in your
organization.
Opportunity Catalog: The same kind of structure enables you to create opportunity categories, and within them, opportunity templates to be used for
repetitive opportunities created in the system.
Response Catalog: In this catalog, you create response templates to be used for responses that are entered frequently.
Note
When you create a risk with a template in the risk application itself, you are accessing the risks created in the Risk Catalog . A risk template has no
analysis and no responses linked to it, and is to be used when creating the actual risks in the risk application.
Prerequisites
Drivers and impact categories for risks must be maintained in Customizing.
Procedure
To maintain the risk catalog, choose Master Data Risks and Responses Risk Catalog . The Risk Catalog screen appears. Then proceed as
follows:
Creating a Risk Category

1. To add a risk category to the hierarchy, select a node of the classification hierarchy as the level you want to create the category in. Then choose
Create Risk Category .
2. In the dialog box, enter the name and description of the risk category, and decide whether to allow assignment of this risk category to an activity
category.
3. On the KRI Template tab, you can assign an existing KRI template to this risk category.
4. On the Allowed Dimensions tab, you can specify the dimensions and context values to be used with this risk category. For more information, see
Working with Contexts.
5. Save the risk category.
Creating a Risk Template

1. To create a risk template, select a risk category from the Risk Catalog Classification overview screen and choose Create Risk Template . For
more information, see Creating a Risk Template.
2. When finished, save your data.
More Information
Creating a Risk
Creating KRI Templates
Working with Contexts
1.3.2.5.1.2 Creating a Risk Template
A risk template is used to streamline the risk assessment process and reduce manual effort during risk identification. A risk template has no analysis and no
responses linked to it, and serves as a model for actual risk creation. It is useful if you have several similar risks to create.
Note
You create an opportunity template in the same way as you create a risk template.

Prerequisites
Risk drivers and impact categories have been maintained in Customizing.
A parent risk category has been maintained in the risk classification application.
A risk analysis profile must be maintained in Customizing.
Procedure
To create a risk template, proceed as follows:
1. Call the Master Data work center and then choose Risk Assessments Risks and Responses Risk Catalog .
Note
To create an opportunity template, choose the Opportunity Catalog link.
2. In the Risk Catalog screen, click Create Risk Template . Note that the cursor must first be on a risk category and may not be on the uppermost
Classification Hierarchy node if there are no categories below it.
3. In the General tab, enter the Event Name (the name of the risk template you are creating), then change the valid-to date and enter a comment if
necessary.
4. Add the necessary drivers and impacts in the lower screen section.
Note
If you create a risk using a risk template, existing customer-defined fields can also be taken over into the template.
5. The next tab, Risk Instances , has no fields ready for input. It displays the risks that were created using this template, so it can only be accessed after
you have created at least one risk with this template. If risks exist, the Open pushbutton enables you to call the risk directly from this tab, after you
have put your cursor on the line of the risk.
6. In the Response Templates tab, you can assign or remove a response template to be used with the risk template.
7. In the Central Controls tab, you can assign or remove a control from Process Control to a template. A central control is a control assigned to a central
subprocess. A central subprocess and central control can be assigned to different organizations for different regulations. For more information about
working with controls, see Business Processes. After assignment, the control can be used as a response to a risk in the shared risk catalog.
8. In the Context tab, you can specify the dimensions and context values that link the risk template with other areas or system objects. You can select to
view the context attributes in table form, graphic form, or as Crystal reports. For more information, see Working with Contexts.
9. When finished, save the risk template. It is now ready for use with your risks.
Result
The risk template has been created for use when you create individual risks in the application.
More Information
Creating a Risk
Creating a Risk from a Template
Distributing a Risk Template
1.3.2.5.1.3 Distributing a Risk Template
Procedure
You can use a risk template with several different kinds of objects, such as Risk Management activities or organizational units defined for Risk Management.
In this way, you can create an instance of the risk template.
1. From the Risk Catalog screen under Master Data Risks and Responses , open the classification hierarchy to a lower level and choose a risk
template.
2. Choose Actions Distribute .
3. A guided procedure is displayed in which you enter the validity dates for which this distribution is to be applied.
4. Select a distribution method as follows:
Copy : Any risk field can be changed after the template has been copied to the risk.
Reference : Some risk fields are read-only, since they are only referenced and not copied.
5. After choosing Next , you select the targets — that is, the organizational units — for which the risk template is to be used. Depending on where you
position the cursor, you can select a higher-level or a lower-level organizational unit.
6. Choose Next again. You can see your selection in the lower section and must confirm it via the Finish pushbutton.
Result
The risk template has been distributed for use over the corresponding objects and is ready for use.

You can create a hierarchy to structure your company's opportunities into opportunity categories within an opportunity catalog. An opportunity can be regarded
as the upside of a risk.
Besides maintaining an opportunity hierarchy, you can also define individual opportunity categories and opportunity templates to be used when defining
opportunity categories.
Prerequisites
You must have maintained the corresponding benefit and driver categories in Customizing.
Features
When you create an opportunity category, you also allow assignment to an activity category. Note the following:
An opportunity category is similar to a risk category and is assigned to an individual opportunity.
An opportunity template can be used when you create an individual opportunity. An opportunity template has drivers and benefits assigned to it, which
can be passed on to the opportunities you create.
More Information
Creating an Opportunity
1.3.2.5.2.1 Creating an Opportunity Category and Template
You create opportunity categories and templates in the Risk and Responses section in the Master Data work center.
Procedure
1. From the Master Data work center, choose Risks and Responses Opportunity Catalog .
2. On the Opportunity Catalog screen that appears, choose Create Opportunity Category .
3. On the General tab, enter the following:
Mandatory information:
Name
Valid from date
Valid to date
Optional information:
You can enter a description for the opportunity category.
You can choose whether an assignment of opportunities is allowed for this opportunity category.
You can assign the opportunity category to an analysis profile .
You create or modify analysis profiles in Customizing under Risk Management Risk and Opportunity Analysis Maintain Analysis
Profile .
Note
You can review the attributes of existing analysis profiles by choosing the Analysis Profile Detail link adjacent to the Analysis Profile
dropdown menu.
4. On the Attachments and Links tab, you can attach documents and web links.
5. On the Allowed Dimensions tab, you can assign a context to be used with this opportunity category.
Creating an Opportunity Template
Note
You create an opportunity template only from an existing opportunity category.
1. From the Master Data work center, choose Risks and Responses Opportunity Catalog .
2. Choose an existing opportunity category in the list.
3. Choose Create Opportunity Template . The opportunity template creation screen appears.
4. On the General tab, enter the following information:
Name
Description
Valid from date
Valid to date
Benefits and drivers, if any
5. On the Opportunity Instances tab, you can see the list of opportunity instances that have been created based on this opportunity template.
6. On the Allowed Dimensions tab, you can assign a context to use with this opportunity template.

7. On the Attachments and Links tab, you can attach documents and web links.
1.3.2.6 Forecasting Horizons
The forecasting horizon defines the period for which a forecast is prepared, that is, the interpretation context for the risk assessment, with respect to the
current date.
Depending on the legal requirements a risk management organization has to fulfill, a risk assessment along an adequate forecasting horizon might be required.
The definition for an adequate forecasting horizon varies, depending on the type of risk (going concern, substantial), the customer’s business and the industry
(for example, process or project oriented).
This function allows you to maintain your forecasting horizons.
More Information
Maintaining Forecasting Horizons
Leading Forecasting Horizon for Risk Categories
1.3.2.6.1 Maintaining Forecasting Horizons
Forecasting horizon maintenance includes the creation, editing and deletion of forecasting horizons. Once created, you can define which forecasting horizons
are to be opened or closed. Closed forecasting horizons can be archived.
The Overview Screen

Choose Master Data Forecasting Horizons Forecasting Horizon Maintenance .
For each forecasting horizon, the overview screen displays the following:
Horizon name
Status
The following statuses are possible:
Status Meaning
Draft You can change the text and delete the forecasting horizon in this status.
Open The forecasting horizon is used for analysis input. Opened forecasting horizons
are ready for input and analysis; the mandatory field is considered.
Closed The forecasting horizon is no longer used for input, but it is still displayed (read
only) on the analysis tab.
Archived The forecasting horizon is not longer visible on the analysis tab, but it is still
available for reporting.
The status can only change only in the sequence Draft to Open to Closed to Archived . Each change is valid immediately it is saved.
Analysis Mode
This defines whether the evaluation of the forecasting horizon is Quantitative or Qualitative .
Mandatory
This refers to whether the forecasting horizon is mandatory for input when used in DRS-5 (Deutscher Rechnungslegungs Standard – German accounting
regulations – Number 5) analysis.
For maintaining forecasting horizons, on the overview screen you can perform the following functions:
Create or Edit
Opens a dialog box where you can enter or change the Horizon name, the optional Description and select the Mandatory check box for a forecasting
horizon with a Draft status.
Delete a draft forecasting horizon
Open or Close a forecasting horizon
See working with forecasting horizons, below
Archive a closed forecasting horizon
Send an e-mail Notification to a list of recipients, which is a collection of agents determined by the agent slot 0RM_RISK_ASSESSMENT for all risks of
type DRS-5
Display an Action Log of all forecasting horizon maintenance
The action log shows all the actions executed together with a time stamp and user, who executed each action.
Procedure
Working with Forecasting Horizons

In the overview screen, choose Open and Close . The Open and Close Forecasting Horizons guided activity opens:
1. Close Horizons .
The system displays a list of open forecasting horizons. Choose the forecasting horizons to close by selecting the appropriate check box in the Close
column.
Choose Next .
2. Open Horizons .
The system displays a list of draft forecasting horizons. Choose the forecasting horizons to open by selecting the appropriate check box in the Open

column.
Choose Next .
3. Roll forward .
This step determines how each forecasting horizon initializes after Open and Close . The system lists all currently-open forecasting horizons as Target
Horizons . Use the dropdown lists to select Source Horizons for each.
Choose Next .
4. Execution .
This step determines how and when to execute the Open and Close . You can choose immediate execution or you can schedule for a specific date and
time. If you choose immediate (online) execution, the operations occur immediately after the confirmation step. Scheduling the job for a specific time
means that you can shift the forecasting horizons overnight or at weekends.
Choose Next .
5. Review .
Review your changes and any error or other messages that are displayed. You can use Previous to go back and make any necessary changes.
Choose Next .
Note
Changes that you make become effective immediately and cannot be reversed.
6. Confirmation .
If you have chosen immediate execution, the operation stars immediately. Any error messages are displayed directly on the Confirmation screen. For
example, when opening and closing forecasting horizons, it is possible that some leading forecasting horizons, defined on Risk Categories, are no longer
valid. You can start the correction report directly from the Confirmation screen.
Error messages are also written to the Action Log for later processing. If you choose to schedule the operation, messages are only written to the
Action Log .
Note
From the business point of view, it is not reasonable to execute more than one shifting a day. This is because reporting occurs only once a day and
no history can be kept of multiple changes.
If you have scheduled an Open and Close , the maintenance transaction is locked to prevent the changing of draft forecasting horizons. The only actions that
are available on the Overview screen are:
Cancel Job to cancel the scheduled job
Notification
Action Log
More Information
Leading Forecasting Horizon for Risk Categories
1.3.2.6.2 Leading Forecasting Horizon for Risk Categories
This option provides an overview of selected leading forecasting horizon for risk categories. You can easily identify if some risk categories are using, for
example, archived horizons, which is not allowed, or missing horizons.
Activities
Choose Master Data Forecasting Horizons Leading Forecasting Horizon for Risk Categories .
The Leading Forecasting Horizon Consistency Check for Risk Categories report is displayed. You can use the Filter , to limit the display to include only
forecasting horizons that are:
Open
Closed
Closed and Archived
Not defined
If you identify any inconsistencies in the report, choose Edit , which opens the Edit Leading Forecasting Horizon for Risk Categories screen. In this screen,
you can propose a different leading forecasting horizon where required. You can do this individually for each risk category or select multiple risk categories and
use the mass selection option in the toolbar to change all the selected risk categories.
Choose Save and the entered values are checked for consistency.
More Information
Maintaining Forecasting Horizons
1.3.2.7 Risk Consistency Reports
You can review the quality and structure of your organization's risks via a set of comprehensive predefined reports. You can carry out a consistency check for
your Risk Management data, and you can make sure that the reports defined do not violate the segregation of duties (SoD).

Note
The term segregation of duties refers to the concept of requiring more than one person to complete a task. Under SoD, no single person has control over
two or more phases of a transaction or operation, so the risk of fraud or unintentional error is mitigated. An example of this would be that one user cannot
be both the risk owner and the risk validator.
Consistency checks are a set of reports targeting solution and application consultants to support an initial implementation project. They ensure the
completeness and logical consistency of the provided master data in the Risk Management application. This can be checked during implementation or also
later when the system is in productive use.
Reports that check the completeness of the provided data focus on mandatory and non-mandatory information in the checked master data. Missing
information might either create inconsistencies in data storage, or affect the behavior of certain parts of the application, such as reporting.
The checks can also be used in the running system to ensure continuous quality of the maintained master data of the application.
Features
In the Master Data work center, you can carry out a check of the RM data objects in the application as well as of the corresponding Customizing settings.
For more information, see Working with the RM Consistency Checker.
1.3.2.7.1 Working with the RM Consistency Checker
The consistency checker enables you to check all your Risk Management data for consistency and completeness.
Procedure
1. Call Master Data Consistency Checks Consistency Checks . A new window with the RM Consistency Checker is displayed. You have two
options:
Select the individual item you want to check and press Execute .
If you want to check all items at once, press Execute Full Pass . This function executes all checks successively and presents the results in a
table.
2. In the Results table, you can drill down to the exact application or Customizing data involved to make direct changes to the individual data objects in
the application or to the Customizing activities. The table has the following columns:
Column name Meaning
Check The name of the specific check report
Error count The number of errors for an individual check
Warning count The number of warnings issued for an individual check
Status Red for critical, yellow for warning, green for OK
3. Choosing the individual checks produces the following results, showing you how to resolve individual data consistency issues:
Name of Check Description What to Do
1. List of organizational units without currency Lists all organizational units for which no currency is Choosing the Execute pushbutton produces a list of
maintained. organizational units with no currency. Choosing one
organizational unit opens the corresponding screen, in
which you can assign a currency.
2. Check number of probability levels Lists the probability levels as they are maintained in Displays all the probability levels with the percentage
Customizing. of probability maintained in Customizing. To make
changes, access the corresponding Customizing
activities.
3. List root nodes Lists all corporate nodes (top organizational units). Execute produces a list of organizational units.
Choosing one takes you to the General tab of an
organization with no parent organization.
4. List activity categories without risk or opportunity Lists activity categories that do not have specific risk Status column: The red stop sign means that no risk
categories and opportunity categories assigned to them. or opportunity categories are assigned.
5. Check organizational unit threshold relationships Lists the organizational unit relationships (parent and Clicking on the parent or the child ID in the output list
child) for which the risk threshold settings do not match takes you to the screen where you can maintain the risk
the relationship. thresholds in the corresponding tab.
6. Check the documents Checks for documents with an invalid parent or child Dialog box asking whether documents with invalid
object. parent or child entities should be deleted. Click the
Automatic Fix pushbutton under the list to auto-correct
the missing values.
7. List of organizational units without thresholds Lists all organizational units that do not have risk Clicking the Execute pushbutton produces a list of
threshold values maintained. organizational units with no risk threshold values.
Clicking on one line opens the organizational unit
screen. Navigate to the Risk Thresholds tab to
maintain the thresholds.
8. Check probability level matrix Checks the probability/timeframe matrix in Customizing Messages:
and displays the missing settings. Missing : No Customizing value set in the matrix
for the given timeframe and probability.

All : The probability values found are valid for
ALL timeframes.
Timeframes defined : Should be displayed
instead of All if there is no timeframe.
9. List organizational units without objectives Lists all organizational units that do not have objectives Execute produces a list of organizational units.
maintained for them. Clicking on one takes you to the organization screen,
where you maintain the Objective tab.
10. List responses without effectiveness / completion Lists all risks and responses that do not have Clicking on a response produces a list of responses
values effectiveness / completion values maintained. with missing values. Clicking on a line in the
Response Title column enables you to enter
effectiveness and/or completion values for a response.
11. Check role assignment Checks for role errors and warnings, such as double Messages:
assignments. User initial : Shows whether a user name is
blank or empty
Role initial : Shows whether a role is blank or
empty.
User and role initial : Shows whether role and
user name are still blank or empty.
Double role assignment : Shows whether a user
has the same role twice for the same object in an
overlapping time span.
Obsolete role assignment : Shows whether
roles are assigned to objects for which they are
not relevant.
Unique role assigned multiple times : Shows
whether unique roles are assigned more than
once to the same object using overlapping
timeframes.
12. Check role definitions Checks for invalid role definitions. Message No title assigned : Returns a string that
shows the user that the title is missing.
13. Benefit / impact / driver categories Lists the benefit, impact, and driver categories that are This check displays the benefit, impact, and driver
maintained in Customizing. categories in the application. To make changes, access
the corresponding Customizing activities in the
backend system.
14. Check risk level matrix Checks the probability / impact matrix in Customizing, Message Not Assigned (N/A) : The items show which
displays the risk levels that are assigned, and shows risk or combination is not assigned.
whether all levels are used.
15. List organizational units without units of measure Lists all organizational units that do not have their own Execute : Produces a list of organizational units.
units of measure maintained. Clicking on one takes you to the organization screen,
where you maintain the Unit of Measure tab.
16. List risks and responses without owner Lists all risks and responses that do not have an owner Clicking on the link of a risk or response takes you to
assigned to them. the corresponding screen, where you can maintain the
owner in the Roles tab.
17. Incidents / losses without mandatory attributes Lists all incidents and losses where mandatory You have the following options:
attributes have no values. Click the Automatic Fix pushbutton under the
list to auto-correct the missing values of all
incidents/losses.
Depending on the status of the incident, clicking
on a line of the output screen takes you to the
incident screen, where you can maintain the
attributes.
1.3.2.8 Reports (Master Data)
This topic lists the reports available under the Reports section of the Master Data work center.
Note
The Reports section is shared by Risk Management and Process Control. Based on the applications you have licensed, you may see only a subset of
the reports.
Report Description
Risk and Control Matrix This report provides information on control and risk matrix. You can find out what
risks specific controls are covering, under different risk models (Subprocess –
Accounts Group and Assertions – Risk – Control; Subprocess – Control Objective –
Risk – Control; Subprocess – Risk – Control).
Risk Coverage This report provides visibility into the coverage of risks by controls by organization
and process. For each risk associated with a subprocess, it shows the list of controls
assigned. You can review this report and understand the risk gaps to determine if
new controls are needed.
Organization and Process Structure This report provides visibility into the organization - process - subprocess - control
hierarchy. You can review this report and understand what controls and processes

are assigned under each of the business entities.
Indirect Entity-Level Control (iELC) Structure This report provides visibility into the organization - indirect entity-level control
structure. You can review this report and understand what indirect entity-level
controls are implemented under each business entity and determine if new iELCs
are needed.
Test Plan by Control This report provides visibility into the coverage of test plans by controls by
organization and process. For each control, it shows the list of test plans assigned.
You can review this report and determine if test plans have been assigned properly
to all controls to be tested.
Change Analysis This report provides visibility into all process control object changes and details
within a selected time period. You can review this report and find out what changes
(creation, modification, removal, and role assignment) have been performed to
each object.
Audit Log This report shows chronologically all changes to local and central objects within a
time period. You can review this report and find out what changes have been
performed to each central or local object.
Risk-Based Compliance Management This report provides visibility into the coverage of both Risk Management and
Process Control risks by organization and process. For each risk, it shows the list of
controls assigned as well as the control design and testing status. You can review
this report and understand the risk gaps to determine if new controls are needed.
Policies by Regulation This report provides a method to access all policies, procedures, work instructions,
and so on, that the company has in place to address a certain regulation and/or
requirement.
Policies Versions This report provides the capability to look at the different versions of a policy,
procedure, work instruction, and so forth, to provide an idea of how the policy has
progressed and evolved over time. This report also shows the documents (with the
version numbers) that were attached to the policy object in its different versions. The
ownership and creation information for each of the versions is also available in this
report.
Risks Associated with Policies This report provides the ability to access the local Risk Management risks
associated with a certain policy, procedure, work instruction, and so on. It also can
retrieve a report that lists all the policies, procedures, work instructions, and so forth,
that the company associated with a risk.
Processes and Controls with Policies This report details the processes that are impacted by a certain policy. It also lists
which controls are in place to ensure compliance with the policy.
Regulation/Policy Requirement-Control Coverage This report provides visibility into the coverage of controls by requirement by
regulation or policy. For each regulation requirement, it shows the list of controls
assigned. You can review this report and determine whether further controls are
needed.
Control-Regulation/Policy Requirement Coverage This report provides visibility into the coverage of requirements by controls by
organization and process. For each control, it shows the list of requirements
assigned. You can review this report and determine whether further requirements
could be covered by a specific control.
1.3.3 Rule Setup
The Rule Setup work center provides a central location to set up automated tests and monitor controls, maintain schedules for continuous control monitoring,
and perform legacy automated monitoring.
The Rule Setup work center contains the following sections:
Continuous Monitoring
Key Risk Indicators
Note
The Rule Setup work center is shared by the Access Control, Process Control, and Risk Management products in the GRC Application. The menu groups
and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions specific to
Risk Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for the
application-specific functions.
More Information
Rule Setup – Access Control specific topics
Rule Setup – Process Control specific topics
1.3.3.1 Continuous Monitoring
Depending on the products you have licensed, the Continuous Monitoring section of the Rule Setup work center gives you access to the following:
Data Sources

Business Rules
Business Rule Assignment
More Information
Continuous Monitoring Overview
1.3.3.2 Key Risk Indicators
Key risk indicators (KRI) are scores used to quantify risks and make them transparent on a cross-organization basis. Based on a combination of organization
and risk category, KRIs represent the current state of the business.
Key risk indicators therefore represent a rational and quantitative measure of a particular risk at a particular time. Risk indicators previously entered provide the
risk owner with a series of “warning lights” that help the owner comprehend the current risk the company is taking. One important application is to use risk data
to calculate KRIs for early indications of your organization's strategic target achievement.
You can enter key risk indicators manually or automatically. The system can also calculate the scores using other KRIs. You can further automate your
analysis by defining aggregation hierarchies based on organizations or risk categories, which are available for display using the KRI Aggregation report.
Note
Key risk indicators differ from Key Performance Indicators (KPI) in that the latter are intended to show how well something is being done by measuring
past performance. KRIs, in contrast, are an indicator of the possibility of a future adverse impact on the organization.
Key risk indicators can be used in the following areas:

In Management Accounting
To ensure there is no budget overrun (evaluation by cost centers, internal orders, projects)
To collect all posting reversals
In Liquidity & Cash Management
To obtain a liquidity forecast
To evaluate cash positions
In Treasury & Risk Management
To monitor overdue payments
In Financial Supply Chain Management
To evaluate DSO (days sales outstanding)
To evaluate by risk class (of all customers within a credit segment, weighted by credit exposure)
To evaluate credit limit utilization (percentage of credit exposure compared to the approved credit limit of customers within a credit segment)
Features
The following functions are available with key risk indicators:
Creating KRI Templates
Creating KRI Implementations of a template
Assigning KRIs to a Risk
Using workflows for KRI implementation requests and KRI instance localization requests
Creating KRI Business Rules
Example
A budget overrun is defined as the planned budget minus the actual budget costs. If the result is less than zero, the budget has been overrun and
represents a risk. If the budget overrun is defined as a key risk indicator, a calculation to this effect is stored in the system. When the budget is then
overrun, the risk manager receives a message on it. It is possible to define, for example, that:
The KRI compares the actual and planned costs per cost center.
The system checks the balance against a threshold previously defined for the KRI.
1.3.3.2.1 Creating KRI Templates
You can set up predefined key risk indicators (KRI) for your company by creating KRI templates. For each template, you can then create several different KRI
implementations.
Prerequisites
You can optionally define the systems, business processes, and components used for key risk indicators in Customizing.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Templates .
The KRI Template Catalog screen appears displaying the existing KRI templates.

2. Choose the Create pushbutton.
The Create KRI Template screen appears.
3. In the General tab, specify the general template information.
1. In the KRI Template Name field, type the name of the KRI template.
2. In the Description field, type a description of the KRI template.
3. In the Value Type field, type or select a value type.
You can select from among the following types:
Number
Currency
Quantity
Score
4. In the Risk Category field, type or select the risk category associated with the KRI template.
This field is only required if you select Score as the Value Type .
5. In the System field, type or select the system associated with the KRI template.
6. In the Valid from field, type or select the date from which the KRI template is valid.
7. In the Valid to field, type or select the date to which the KRI template is valid.
4. In the Attachments and Links tab, specify the attachments and links for the KRI template.
5. Choose the Save pushbutton.
Result
After defining KRI templates, you can assign the templates to individual risk templates or risk categories. You can subsequently use this information when you
create a KRI instance for a risk, enabling you to obtain a selection of available KRI implementations.
For more information about creating implementations, see Creating KRI Implementations.
Note
You can also assign a KRI template to a risk category when you create the risk classification hierarchy. For more information, see Classifying Risks,
Opportunities, and Responses.
Example
For the risk Potential employee accidents belonging to the risk category Environmental health & safety risks , only the key risk indicators related to this risk
category are available for use. Examples of this would be categories such as Near misses or Number of security violations .
1.3.3.2.2 Creating KRI Implementations
A key risk indicator (KRI) implementation is the actual application of a KRI template. For each implementation, you can have several KRI instances (a KRI
implementation assigned to a specific risk). The prerequisite for creating a KRI instance is a saved KRI implementation.
Note
You create a KRI instance for a specific risk. For more information, see Assigning KRIs to a Risk.
Prerequisites
You need to fulfill the following prerequisites before you can create a KRI implementation:
Complete the Customizing activities for system connectivity for key risk indicators, so that the KRI system knows from which system the data is to be
taken.
Create the KRI template with which to implement the KRI. For more information, see Creating KRI Templates.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Implementations .
The KRI Implementation Catalog screen appears displaying the existing KRI implementations.
2. Choose the Create pushbutton.
The Create KRI Implementation screen appears.
3. In the General tab, specify the general implementation information.
1. In the KRI Implementation Name field, type the name of the KRI implementation.
2. In the KRI Template field, type or select the name of the KRI template.
3. In the Description field, type a description of the KRI implementation.
4. In the Connector Type field, type or select a connector type.
You can select from among the following types:
HANA
SAP BW Query
SAP Query

SAP Table
Web Service
5. In the Connector field, choose the connector associated with the KRI implementation using the drop-down list.
To test the connector, choose the Test Connector pushbutton.
6. In the Script field, choose the script associated with the KRI implementation using the drop-down list.
To test the script, choose the Test Script pushbutton.
7. In the Valid from field, type or select the date from which the KRI implementation is valid.
8. In the Valid to field, type or select the date to which the KRI implementation is valid.
4. In the Implementation Detail tab, specify the implementation details for the KRI implementation.
1. In the Value Column field, choose the value column using the drop-down list.
2. In the Aggregation Function field, choose aggregation function using the drop-down list.
3. In the Selection Table , specify the selection criteria by adding or removing selection entries.
5. In the Attachments and Links tab, specify the attachments and links for the KRI template.
Note
For more information about how to work with queries, see Technical Requirements for BW Queries and Technical Requirements for SAP Queries.
1.3.3.2.2.1 Technical Requirements for BW Queries
You can use the SAP NetWeaver Business Warehouse (BW) Query functionality for key risk indicators in Risk Management, or for automated controls in
Process Control. However, you must observe specific technical requirements regarding the Query Designer in the Business Warehouse. These are described
in the table below.
Technical Requirement Description
Hierarchies off The data-oriented queries do not need the collapse-and-expand feature. The query
is expected to return only the fixed given level and no virtual aggregation nodes
above it. The best way to accomplish this is to switch off the hierarchies in the
hierarchical characteristics.
Results rows: Always suppress Aggregation is done on the Risk Management side, which means that there is no
way to differentiate between data rows and subtotal rows, leading to the double
itemizing of some of the output figures.
Restricted filtering options Risk Management and Process Control currently support only optional single
values and select-options. Other possibilities supported by the Query Designer,
such as interval values or multiple single values, are not supported.
Key figures only in columns The current key figures are not supported in the individual rows. This means that
some kinds of 0MEASURE-based queries are not supported. For PC usage, there
should be only ONE key figure assigned in columns area, which is then considered
as the deficiency field of the corresponding automated control.
Characteristics in columns If characteristics are in a column, the values must be fixed in the Query Designer so
that the number of columns remains stable and Risk Management or Process
Control can use the columns for reference and for further settings. In Process
Control, the characteristics cannot be in the columns area, but only in the rows area.
Note
When working with BW queries, do not make use of the queries designed for end users. Instead, create a new query by making a copy of an existing BW
query definition, making sure to observe the requirements above.
1.3.3.2.2.2 Technical Requirements for SAP Queries
Instead of using the queries designed for end users, for KRIs you must create a new SAP query by making a copy of an existing SAP query definition.
Prerequisites
There is no support for ranked list and statistics output. This means that the RFC used does not return the content of ranked lists and statistics
output for an SAP query.
There is no support for the aggregation (totaling field) and sort fields in the basic list output, so that the RFC used does not return the results of
aggregation or output sorted fields.
In the InfoSet, the Additional fields function is not supported. In Process Control, a rule criterion is based on the back-end field containing technical
details, which can be described as table (structure) fields . However, Additional fields in the InfoSet do not reveal such technical details.
1.3.3.2.2.3 Using External Web Services

You can use external Web services to implement key risk indicators (KRI). The SAP Web Service Connector enables you to interact with all Web services,
regardless of the implementation technology used, as long as it is compliant with the provided WSDL (Web Services Description Language) file.
Prerequisites
You must complete the following Customizing activities found under Governance, Risk and Compliance Risk Management Key Risk Indicators
Connectivity :
Maintain Connectors
Maintain Scripts for Web Service
Procedure
1. Access a WSDL file in the SAP MIME repository. This is used to implement the correct Web service interface.
2. Create the Web service implementation according to this WSDL file, using any available technology.
3. Using transaction SOAMANAGER, connect this implementation to the consumer proxy CO_GRFN_CCI_WEBSERVICE.
Note
For more information, see Configuring a Consumer Proxy.
4. Make note of the logical port you have created. In the Maintain Connectors Customizing activity, enter it as the remote system. In the Connector
Type field, choose the type WEBSERVICE. In the Remote System field, enter the logical port you have just created. Save your entry.
5. Access the second Customizing activity, Maintain Scripts for Web Service . When you register the script, the script data must correspond to the script
ID in the service implementation. Save your entry.
Result
Your external Web service is ready for use. If required, search the SAP Developer Network for further information and details.
1.3.3.2.3 Assigning KRIs to a Risk
When you enter a new risk, you can assign one or more key risk indicators (KRI) to the risk. This is known as a KRI instance . In this way, you can
automatically identify risks in business processes and escalate them to risk owners for immediate attention if necessary.
Prerequisites
You have created a KRI implementation.
You have maintained the corresponding activities for timeframes and frequencies in Customizing under Governance, Risk and Compliance General
Settings Key Attributes .
Procedure
1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Standard KRI Instance in the Assigned Key Risk Indicators
section.
3. In the KRI Implementation field, type or select the KRI implementation for the instance.
4. In the Monitor Frequency field, choose the frequency at which you want the KRI to monitor your system.
5. In the Data Time Frame field, choose the appropriate value using the drop-down list.
6. In the Next Execution Date and Last Execution Date fields, choose the corresponding execution dates using the drop-down lists.
8. In the Selection Table , modify the KRI implementation settings, as required.
Alternatively, choose from among the following options:
Choose the Activate pushbutton to set the status as Active for the KRI instance.
Choose the Request Localization pushbutton to have the KRI workflow go to the workflow processor (to the KRI liaison defined in the Risk
Management workflows, for example). The dialog closes and the Status column displays Localization Requested for the assigned KRI.
After you save the data, a workflow is triggered. When the localization processor has processed the workflow item, it returns to your inbox for
processing or approval, among other options. For more information, see Workflow for KRI Instance Localization Request.
11. Choose the Show History pushbutton to view a graphic display of how the KRI value develops over time.
12. Choose the Show Surveys pushbutton to see which surveys are defined for the KRI instance.
13. In the Business Rules section, create a KRI business rule, if required.
For more information, see Creating a KRI Business Rule.

14. Save the risk data.
Creating Manual KRI Instances

1. After creating a new risk, choose the Key Risk Indicators tab and choose Create Manual KRI Instance in the Assigned Key Risk Indicators
section.
4. In the Input Allowed Until field, type or select the appropriate date using the drop-down list.
1.3.3.2.3.1 Creating KRI Business Rules
A business rule is a formula containing a mathematical calculation that is entered for a defined KRI instance, that is, one individual implementation of a KRI
template. Such business rules provide standard calculations for both management and legal consolidation reporting.
Example
When monitoring your expenses, you would like to know whether the current monthly expenses are much higher than the values of the last three months.
You define a business rule for this, and an email is automatically sent via workflow to the risk owner or owners, who can then review the risk and decide on
the proper response to it.
Prerequisites
The GRC Customizing activity on workflow notification messages, found under General Settings Workflow , must be maintained if you wish to
use settings other than those in the default system.
A KRI instance for a risk must exist.
Procedure
1. Navigate to My Home My Objects My Risks and select a risk in the table.
Alternatively, navigate to Master Data Organizations Organizations , select an organization, and choose the Open pushbutton.
2. Choose the Key Risk Indicators tab, and select the Assigned Key Risk Indicator for which you want to create a rule.
Note
The assigned key risk indicator status must be marked active for you to proceed. You can change the status by opening the assigned KRI and
choosing the Activate pushbutton.
3. In the Business Rules section, choose the Create pushbutton.

The KRI Business Rule dialog appears.
4. In the Title field, type the title of the new business rule.
5. Using the Mapping and Expression tabs, enter the calculation parameters for the KRI business rule.
You can specify the Expression as either a Formula or a Decision Table using the Rule Type drop-down menu. After you are finished, you can
check the syntax, test the rule, or access the NetWeaver BRFplus (Business Rule Framework plus) Workbench.
6. Specify the Actions for the KRI business rule using the corresponding radio buttons.
You can specify whether a risk assessment workflow is to be triggered, whether an email notification is to be sent to the risk owner, and whether the risk
is to be flagged.
Note
You should flag the risk if the corresponding KRI business rule has been violated. After you have flagged this risk, a yellow lightning symbol appears
on the KRI tab of the Risk application. You can reset the alert by choosing the Reset KRI Violation Status pushbutton.
7. Choose OK pushbutton. The new business rule appears in the list of rules assigned to the risk.
8. Save the risk data.
More Information
For more information about the syntax of business rules, see Creating a Formula Expression.
1.3.3.2.4 Using Workflow to Create KRI Implementation Requests

You can use the SAP workflow functionality to create a KRI implementation request . This workflow enables you to create one or several KRI
implementations.
Prerequisites
You must fulfill the following prerequisites before you can use the workflow functionality for KRIs:
A KRI template must exist for each implementation request. For more information, see Creating KRI Templates.
Risk Management roles must be configured. For more information, see Role Administration.
Procedure
When you edit a KRI template, you can request one or more implementations for it.
1. Under Rule Setup Continuous Monitoring , choose KRI Templates to access the KRI template catalog.
2. Open the KRI template for which you want to create an implementation request and choose the Implementations tab.
3. Select the Request view and create a new KRI implementation request by using the Create button. Enter a Notes text if necessary.
4. Save the request and access the My Home work center. The new workflow displays in the Work Inbox .
5. In the work inbox, choose the work item to see the KRI implementation request for it.
6. In the lower screen section of the work inbox, you can create an implementation. Note that the template field may be prefilled. In the Implementation
Detail tab, make the necessary entries. When you have finished entering the data, choose OK .
The buttons at the top of the screen mean the following:
Complete : The status changes to completed. After the request creator confirms the request, it is removed from the inbox.
Save : This does not change the workflow status.
Cancel : The changes you made are canceled.
Confirm : This confirms a completed workflow.
Note
When you choose Complete , the work item is returned to the inbox of the workflow processor. When you call it up again from the inbox, you see the
Confirm pushbutton.
For more information, see Creating KRI Implementations.
1.3.3.2.5 Using Workflow to Create KRI Instance Localization

Requests
You can use the SAP workflow functionality to create a KRI instance localization request .
Prerequisites
The following prerequisites must be fulfilled before you can use the workflow:
A KRI instance must exist for each KRI instance localization request. For more information, see Assigning KRIs to a Risk.
Risk Management roles must be configured. For more information, see Role Administration.
Procedure
When you create or edit a KRI instance, you can request a localization for it. To process the request, proceed as follows:
1. Access the work inbox in the My Home work center. Select the work item to see the KRI instance localization request for it.
Note
The fields in the upper section cannot be changed.
2. In the lower screen section, you can adjust the selection table with respect to the risk-specific settings. The buttons have the following meanings:
Complete : The status changes to completed. After the request creator confirms the request, it is removed from the inbox.
Save : This does not change the workflow status.
Cancel : The changes you made are canceled.
Confirm : This confirms a completed workflow.
3. When you are finished, call up the work inbox to view the work item.
Note
When you choose Complete , the work item is returned to the inbox of the request. When you call it up again from the inbox, you see the Confirm
pushbutton.
1.3.3.2.6 Managing KRI Value Inputs

You can manually input values for key risk indicator (KRI) instances (that are not scored) using the KRI Manual Value Input screen. When inputting values,
you can select the instances directly or using a combination of KRI templates and organization units. In the former case, the input is a simple list; in the latter
case, the input consists of a matrix with each cell representing a single instance.
Note
Alternatively, you can input values using an XML-format file.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Value Input .
The KRI Manual Value Input screen appears.
2. In Step 1: Select KRIs , specify the input and selection modes.
1. In the Input Mode field, select the Manual Input radio button.
2. In the Selection Mode field, select either the KRI Instances or KRI Template + Organization Unit radio button.
3. If you selected the KRI Instances radio button, choose the KRI Instances link.
The Select KRI Instances dialog appears.
1. In the Find field, type the search terms and choose the Search pushbutton.
2. Select one or more entries in the Available table, and choose the right arrow pushbutton to include the entries in the Selected table.
3. To change the sequence of the instances, choose the arrow pushbuttons directly below the Selected table.
4. Choose the OK pushbutton.
4. If you selected the KRI Template + Organization Unit radio button, do the following:
1. Choose the KRI Templates link.
The Select KRI Templates dialog appears.
3. Select one or more entries in the Available table, and choose the right arrow pushbutton to include the entries in the Selected table.
4. To change the sequence of the instances, choose the arrow pushbuttons directly below the Selected table.
6. Choose the KRI Organizational Units link.
The Organizations dialog appears.
8. Select one or more entries in the Available table, and choose the Add or Add with children pushbutton to include the entry in the
Selected table.
9. To change the sequence of the organizations, choose the arrow pushbuttons directly below the Selected table.
5. Choose the Next pushbutton.
3. In Step 2: Provide Values , specify the values for the entries by choosing the Browse pushbutton, selecting the upload file, and choosing the Upload
pushbutton.
You can download the XML template for the upload file by choosing the Get XML Template pushbutton and saving the file to your local machine.
5. In Step 3: Review , review the values.
6. Choose the Finish pushbutton.
7. Choose the Close pushbutton.
Inputting Values Using a File Upload

1. Choose Rule Setup Key Risk Indicators KRI Value Input .
The KRI Manual Value Input screen appears.
2. In Step 1: Select KRIs , select the Input via File Upload radio button, and choose the Next pushbutton.
3. In Step 2: Provide Values , specify the values by choosing the Browse pushbutton and selecting the upload file.
5. In Step 3: Review , review the values.
7. Choose the Close pushbutton.
1.3.3.2.7 KRI Aggregation Hierarchy
You can use KRI aggregation hierarchies, based on organizations or risk categories, to automate your analysis, the results of which are available for display
using the KRI Aggregation report.
When managing KRI aggregation hierarchies, you can complete the following tasks:
Search KRI aggregation hierarchies
Create KRI aggregation hierarchies
Modify existing KRI aggregation hierarchies
Delete KRI aggregation hierarchies
1.3.3.2.7.1 Searching KRI Aggregation Hierarchies
You can search KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. When defining a query (known as a worklist), you can either
create a new worklist or base your worklist on an existing query.

Procedure
1. Choose Rule Setup Key Risk Indicators KRI Aggregation Hierarchy .
The KRI Aggregation Hierarchies screen appears displaying the existing aggregation hierarchies.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with KRI Aggregation Hierarchies automatically selected in the Select Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template drop-down list.
5. In the Hierarchy Type ID fields, type or select the range of hierarchy types.
Choose the Preview pushbutton to display the table of aggregation hierarchies based on the current criteria. Choose the Close pushbutton to dismiss
the preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
The query results appear.
More Information
Creating KRI Aggregation Hierarchies
Modifying KRI Aggregation Hierarchies
Deleting KRI Aggregation Hierarchies
1.3.3.2.7.2 Creating KRI Aggregation Hierarchies
You can create KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen. You can also create a new aggregation hierarchy by copying an
existing hierarchy and modifying the appropriate settings.
Procedure
2. Choose the Create pushbutton, and select one of the following options using the drop-down menu:
KRI Organization Hierarchy
KRI Risk Category Hierarchy
The Create Aggregation Hierarchy screen appears.
3. In the Title field, type the title of the aggregation hierarchy.
4. In the Description field, type a description of the aggregation hierarchy.
5. In the Hierarchy focus date field, type or select a date, and choose the Apply pushbutton.
6. In the Organization view or Risk Category view field, choose a view using the drop-down list and complete the Excluded and Aggregation Rule
settings in the table.
7. To save the aggregation hierarchy as a draft, choose the Save Draft pushbutton
8. To save and activate the aggregation hierarchy, choose the Save and Activate pushbutton
Creating an Aggregation Hierarchy by Copying an Existing Hierarchy

1. Select an aggregation hierarchy in the table, and choose the Copy pushbutton.
The Copy Aggregation Hierarchy screen appears.
2. In the Title field, modify the name of the aggregation hierarchy.
3. Review the current settings and modify, as required.
4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
More Information
Searching KRI Aggregation Hierarchies
1.3.3.2.7.3 Modifying KRI Aggregation Hierarchies
You can modify specific KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.
Procedure
2. Choose the title of the aggregation hierarchy you want to modify.
The Change Aggregation Hierarchy screen appears allowing you to modify the settings.
3. Modify the aggregation hierarchy settings, as required.

4. Choose the Save and Activate or Save Draft pushbutton, as appropriate.
More Information
1.3.3.2.7.4 Deleting KRI Aggregation Hierarchies
You can delete existing KRI aggregation hierarchies using the KRI Aggregation Hierarchies screen.
Procedure
2. Select one or more aggregation hierarchies that you need to delete.
3. Choose the Delete pushbutton.
A confirmation dialog appears.
4. Choose Yes to delete the selected aggregation hierarchies; choose No to dismiss the dialog without deleting the selected aggregation hierarchies.
More Information
1.3.3.2.8 KRI Aggregation Run
You can use the KRI Aggregation Run quick link to manage KRI aggregation runs, including completing the following tasks:
Search KRI aggregation runs
Create KRI aggregation runs
Modify existing KRI aggregation runs
Delete KRI aggregation runs
1.3.3.2.8.1 Searching KRI Aggregation Runs
You can search KRI aggregation runs using the KRI Aggregation Run Management screen. When defining a query (known as a worklist), you can either
create a new worklist or base your worklist on an existing query.
Procedure
1. Choose Rule Setup Key Risk Indicators KRI Aggregation Run .
The KRI Aggregation Run Management screen appears displaying the existing aggregation runs.
2. Choose the New Worklist pushbutton.
The New Worklist dialog appears with KRI Aggregation Runs automatically selected in the Select Object Type field.
3. To base your new worklist on an existing query, choose a query using the Select Existing Query as Template drop-down list.
5. In the Aggregation Type field, choose Key Risk Indicator using the drop-down list.
Choose the Preview pushbutton to display the table of aggregation runs based on the current criteria. Choose the Close pushbutton to dismiss the
preview, and choose the Next pushbutton.
6. In the Enter Query Description field, type a short description of the worklist.
7. Optionally, select the Activate Query checkbox to make the query available as a link or tab.
The query results appear.
More Information
Creating KRI Aggregation Runs
Modifying KRI Aggregation Runs
Deleting KRI Aggregation Runs
1.3.3.2.8.2 Creating KRI Aggregation Runs

You can create KRI aggregation runs using the KRI Aggregation Run Management screen. You can also create a new aggregation run by copying an existing
run and modifying the appropriate settings.
Procedure
2. Choose the Create pushbutton, and select KRI Aggregation Run using the drop-down menu.
The Create Aggregation Run screen appears.
3. In the Name field, type the name of the aggregation run.
4. In the Description field, type a description of the aggregation run.
5. In the Owner field, type or select the owner of the aggregation run.
6. In the Start Date field, type or select the start date for the aggregation run.
7. In the Due Date field, type or select the due date for the aggregation run.
8. In the End Date field, type or select the end date for the aggregation run.
9. In the Organization based hierarchy field, choose the organization hierarchy using the drop-down list.
10. In the Risk Category based hierarchy field, choose the risk category using the drop-down list.
11. In the Execution Mode field, select either the Manual or Automatic radio button.
12. To save the aggregation run, choose the Save pushbutton
13. To publish the results, choose the Publish Results pushbutton.
14. To publish the results and close the run, choose the Publish Results and Close Run pushbutton.
15. To perform ad-hoc calculations, choose the Ad-hoc Aggregation Calculation pushbutton, and select the appropriate organization hierarchy or risk
category hierarchy using the drop-down menu.
Creating a KRI Aggregation Run by Copying an Existing Run

1. Select an aggregation run in the table, and choose the Copy pushbutton.
The Copy Aggregation Run screen appears.
2. In the Name field, modify the name of the aggregation plan.
3. Review the current settings and modify, as required.
More Information
Searching KRI Aggregation Runs
1.3.3.2.8.3 Modifying KRI Aggregation Runs
You can modify specific KRI aggregation runs using the KRI Aggregation Run Management screen.
Procedure
2. Choose the name of the aggregation run you want to modify.
The Edit Aggregation Run screen appears allowing you to modify the settings.
3. Modify the aggregation run settings, as required.
More Information
1.3.3.2.8.4 Deleting KRI Aggregation Runs
You can delete existing KRI aggregation runs using the KRI Aggregation Run Management screen.
Procedure

2. Select one or more aggregation runs that you need to delete.
3. Choose the Delete pushbutton.
A confirmation dialog appears.
4. Choose Yes to delete the selected aggregation runs; choose No to dismiss the dialog without deleting the selected aggregation runs.
More Information
1.3.4 Assessments
The Assessments work center provides a central location to view and manage surveys, test plans, and risks and opportunities. You can also use the work
center to maintain incidents and plan evaluations, as well as simulate risks using scenarios.
The Assessments work center contains the following sections:
Surveys
Risk Assessments
Incident Management
Scenario Management
Assessment Planning
Risk Control Self Assessments
Assessment Reports
Note
The Assessments work center is shared by the Access Control, Process Control, and Risk Management products in the GRC Application. The menu
groups and quick links available on the screen are determined by the applications you have licensed. The content in this topic covers the functions
specific to Risk Management. If you have licensed additional products, such as Access Control or Process Control, refer to the relevant topics below for
the application-specific functions.
More Information
Assessments Process Control specific topics
1.3.4.1 Surveys
A survey is a structured list of questions. Within GRC, surveys are used to obtain information about the existence and evaluation of risks (RM) or the design or
operational adequacy of controls (PC). Surveys are used to carry out assessments of objects such as risks, activities, or policies, for example. These
assessments are defined via plans in the Planner.
Surveys are created and maintained in the Survey Library and sent via the workflow (which can be routed to an inbox and/or e-mail).
For more information, see:
Risk Management Planner
Process Control Planner
Prerequisites
To send e-mails with interactive PDF survey data, complete the Customizing activity Maintain Inbound E-Mail Settings for Survey under
Governance, Risk, and Compliance General Settings Workflow .
Users who receive survey PDFs by e-mail must have stored their e-mail address in the GRC back-end system (SU01) under System User Profile
Own Data (Address Tab) .
If you are creating a survey for a collaborative assessment, the role Contributor to Collaborative Assessment must be maintained for the user in the
Roles tab of the risk or risks involved.
For risk assessment surveys, complete the Customizing activity Implement New Survey Valuation under Governance, Risk, and Compliance
Common Component Settings Surveys .
The e-mail addresses of all users to whom the system sends a survey must be maintained.
The role assignments must be maintained:
Business users who receive survey responses and post responses in the system need the roles SAP_GRC_FN_BASE and
SAP_GRC_FN_BUSINESS_USER.
The SAPCONNECT user configures the e-mail notification settings in the back-end system, so the roles SAP_GRC_FN_BASE and
SAP_GRC_FN_ALL are required.
For more information, see Standard Roles and Authorization Objects and the SAP Governance, Risk, and Compliance Access Control 10.1, Process
Control 10.1 and Risk Management 10.1 Security Guide at http://help.sap.com/grc.
For workflow functions, maintain the Customizing activities under Governance, Risk, and Compliance General Settings Workflow .
If you want to be able to change the subject or body of the survey e-mail, then you must also make entries in the Workflow Customizing activity
Maintain Custom Notification Messages .

More Information
Creating Surveys
Creating Questions for Surveys
Survey Library
Question Library
1.3.4.1.1 Question Library
The Question Library lists the user-defined questions that you can use within your surveys. Each question comprises the following information:
Category : The category of the question.
Question : The text of the question.
Active : Specifies whether the question is active or inactive. Only active questions are available for use in surveys.
Answer Type : The type of answer (yes/no/NA, rating, and so on) expected from the person taking the survey.
Created By
Created On
Using the Question Library , you can do the following:

Create new questions. You can create a new question, or copy and change an existing question.
Open questions for editing. You can only edit questions that are not being used in a survey.
Delete questions. You can only delete questions that have not been assigned to any survey.
Upload questions from a file stored on your local machine.
You can use the questions defined in the Question Library with the surveys listed in the Survey Library .
More Information
Surveys
Survey Library
Creating Surveys
1.3.4.1.1.1 Creating Questions for Surveys
For each type of survey, you can create user-defined questions to be attached. You can create questions in the Question Library, or you can open a specific
survey in the Survey Library and create questions for it. Furthermore, you can define your own answer types, which you can attach to question or survey
categories if necessary.
Note
If a question is already being used in a survey, you cannot change any data for it, but you can deactivate it.
Prerequisites
Complete the Customizing activity Define Ratings for Survey Questions , found under Governance, Risk, and Compliance Common Component
Settings Surveys .
Procedure
To create a question:
1. Go to Assessments Surveys Question Library .
2. A list of all existing questions is displayed. When you choose Create , a dialog box opens in which you can create your own question.
3. Select the category of the question from the dropdown options and enter text describing the question.
4. Specify whether the question is active or not. Active means that it can be used in a survey.
Note
If you are not finished formulating the question, or if you want to make a question obsolete, deactivate the question. You cannot delete questions
that are already used in surveys.
5. Enter one of the following answer types (answer types vary based upon the survey category):
Answer Type Meaning & Type of Entry Required
Rating Requires the entry of a rating type. If you select this answer type, you are asked
if the answer requires a comment.
Yes / No / NA Requires a Yes, No, or Not Applicable (NA) answer. If you select this answer
type, you are asked if the answer requires a comment.
Text Requires a text entry by user.

Percentage Requires the entry of a percentage.
Amount Requires the entry of an amount.
Choice A user-defined question in which you can define the answer options and the
scores. If you select this answer type, you are asked if the answer requires a
comment.
Probability Level Requires the entry of a probability level. If you select this answer type, you are
asked if the answer requires a comment.
Impact Level Requires the entry of an impact level. If you select this answer type, you are
asked if the answer requires a comment.
Speed of Onset Requires the entry of a speed of onset value. If you select this answer type, you
are asked if the answer requires a comment.
Note
The answer types Yes/No/NA , Rating and Choice support user-defined scoring for each answer option. A number score is assigned to each
answer option at the design time. At runtime, users receive the scores according to their selections. A final score is based on aggregating the scores
from each question.
For the answer type Rating , scores are defined during the Customizing activity, Define Ratings for Survey Questions , located under
Governance, Risk and Compliance Common Component Settings Surveys .
For the answer type Choice , scores are defined in the frontend.
For the answer type Yes/No/NA , question scores are defined when the survey is defined.
Recommendation
For more information, see Score-Based Valuation for Surveys and Questions.
6. If you are creating a question directly from a survey, choose Actions Create Question . On the Create Question screen, you can specify if the
question is local (only used for this survey). If you choose No , the question can be used in other surveys.
7. Save your data.
Result
You have created a question for use in the survey.
Note
If you want to upload new questions from your hard disk, you can do so by choosing Actions Upload . The format of the file must be .csv, which
can be created from a Microsoft Excel spreadsheet.
1.3.4.1.2 Survey Library
The Survey Library lists the user-defined surveys that you can use to obtain information on the existence and evaluation of risks (RM) or the adequacy of
controls (PC). Each survey comprises the following information:
Category : The category of the survey.
Title : The title of the survey.
Description : An optional description of the survey and its purpose.
Active : Specifies whether the survey is active or inactive. Only active surveys are available for use.
Questions : The questions that comprise the survey.
Created By
Created On
Using the Survey Library , you can do the following:

Create new surveys. You can create a new survey, or copy and change an existing survey.
Open surveys for editing. You can only edit surveys that have not been scheduled.
Delete surveys. You can only delete surveys that have not been scheduled.
You can use the questions defined in the Question Library with the surveys listed in the Survey Library .
More Information
Creating Surveys
Surveys
Question Library
1.3.4.1.2.1 Creating Surveys

Prerequisites
See Surveys.
Procedure
To create a survey:
1. Choose Assessments Surveys Survey Library .
2. Choose Create . The Create Survey dialog box appears.
3. On the General tab, select a survey category, a title for the survey, and a description (optional).
4. If necessary, specify the valuation type. The entries defined here are used for surveys, question categories, and answer types.
Note
Using valuation for risk analyses requires additional settings through the Customizing activities. Complete the activities listed under Governance,
Risk, and Compliance Common Component Settings Surveys .
5. Specify whether the survey is to be activated or not.
Note
You cannot activate a survey without first creating one or more questions for it.
6. In the lower screen section, you can add questions as follows:

Choose Add to add questions that were previously defined.
Under the Actions menu, you can navigate within the questions (if there are many) or create a new question.
7. Set the valuation or scoring, if used, for the survey questions. For more information, see Valuation and Scoring for Surveys and Questions.
Answer types Yes/No/NA , Rating and Choice support reconfiguring user-defined scores. If you select score based valuation for Valuation ,
you can view and change the predefined scores for each question. Select the Set Score link in the Set Score column.
The total score of one survey is the sum of scores for each question.
Example
Survey A has two questions (Q1 and Q2). The answers and scores are defined as following:
Question 1: Answers: 1.1 = 50; Answer 1.2 = 0
Question 2: Answers: 2.1 = 0; Answer 2.2 = 0; Answer 2.3 = 50
The total score of the survey is the sum of all the answers. In the example, a submission with answers Q1 – Answer 1.1 + Q2 – Answer 2.1 =
50 as a total score. The highest possible score for this survey would be 100.
8. Save the survey. Your survey can now be included in a plan when you call up the Planner.
Note
Your survey becomes visible on the Survey tab of the Risk or Activity screen after you create a plan in the Planner and have sent out the
survey.
You can display the results of the survey by running the Survey Results report under Reports and Analytics Compliance .
More Information
1.3.4.1.3 Survey Category
SAP Risk Management currently provides the following categories of surveys in the Survey Library for evaluations of different purposes:
Activity Survey
Activity Validation
Collaborative Risk Assessment
Opportunity Assessment
Opportunity Validation
RCSA
Response Update
Risk Assessment
Risk Consolidation
Risk Indicator Survey
Risk Survey
Risk Validation
1.3.4.1.3.1 Risk Consolidation
Risk consolidation allows you to evaluate the risks of different organization levels in a company from bottom up, and consolidate them at the corporate level.
You can choose the risks to be consolidated from a lower level organization unit, and submit them to the upper level organization unit, until all risks reach the
corporate level.

Risk consolidation can be planned through the Planner:
1. Go to Assessment Assessment Planning Planner .
2. Choose Perform Risk Consolidation as the plan activity, and enter the required details for the plan.
3. Select the organizations you want to perform risk consolidation, and set the due dates.
4. Activate the plan.
For more information about the Planner, see Planner.
1.3.4.1.4 Score-Based Valuation for Surveys and Questions
You can use the valuation and scoring function built into survey and question creation to assist in risk analysis and process control evaluation.
Surveys can be created with the type No Valuation or Score-Based Valuation . If you choose Score-Based Valuation , a Set Score link appears on
the right side of each line for all score-based questions that you have created or that you have added from the Question Library.
Note
Certain question types, such as those requiring a text entry, cannot be scored. The Set Score link will not appear next to these kinds of questions.
For more information about the different question types, see Creating Questions for Surveys.
When you choose the Set Score link, an Override Question Score window appears. You can choose to use any maintained values that were preset
through the Customizing activities, or you can override those values with those of your own choosing.
Note
If you override the preset values, the values you enter are valid only for this instance of the question. If you use the same question type for another
question in a survey, the default values are assigned to it unless you override them again.
If you wish to revert to the values set in the Customizing activities, click the Reset button in the Override Question Score window.
You can indicate whether a question is to be local (one-time only for a survey) or if it is to be global (stored in the Question Library after creation). The
default setting is global.
More Information
Surveys
Survey Library
Creating Surveys
1.3.4.2 Risk Assessments
The Risk Assessments section of the Assessments work center enables you to create activities to be evaluated for risks and opportunities, such as
projects or business processes. These are assigned to risks and opportunities that you create. Besides specifying risks and opportunities, you can also:
Analyze the risks and enter the appropriate responses to mitigate these risks.
Document risks that have occurred (called incidents ).
Define specific risk scenarios.
Run risk assessment surveys.
Prerequisites
You have been assigned the appropriate roles and authorizations.
Features
In this work center, you can carry out the following functions:
Manage your risks and opportunities.
You can create and assess a risk or an opportunity, with or without a template. For more information, see Risks and Opportunities.
Manage your risk scenarios.
You can define detailed scenarios with influenced risks and carry out testing and simulation functions for your risk scenario. For more information, see
Scenario Management.
Enter responses to risks or opportunities.
A risk response determines what you should do either to prevent a risk from occurring or to limit the risk's impact if it does occur. For more information,
see Creating a Response or Enhancement Plan.
Create activities such as business processes, projects or assets, for which you wish to capture risks. For more information, see Activities.
Document risks that have occurred, called incidents , together with the losses incurred for an incident. For more information, see Incident Management.
Create dedicated workflows for risk assessment using the Risk Management Planner.
Create and run your own risk assessment reports. For more information, see Risk Assessment Reports.


Saphelp Grcrm101 en 13 De98bd929b45ac9cb6ad56d3ccb9c8 Content

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Saphelp Grcrm101 en 13 De98bd929b45ac9cb6ad56d3ccb9c8 Content

Transféré par

Droits d'auteur :

Formats disponibles

SAP Risk Management

PDF download from SAP Help Portal:

Created on April 17, 2016

PUBLIC Page 1 of 194

PUBLIC Page 2 of 194

PUBLIC Page 3 of 194

PUBLIC Page 4 of 194

Product SAP Risk Management

Based On SAP NetWeaver 7.40 SP02

Documentation Published June 2013

Important Integration Information (English)

Wichtige Informationen zur Integration (Deutsch)

PUBLIC Page 5 of 194

1.1.1 Integration with Process Control

Common Menu Areas

Other Functions Common to Risk Management and Process Control

PUBLIC Page 6 of 194

1.1.1.1 Reusing the PC Central Process Hierarchy in RM

To use the Process Control central processes in Risk Management:

1.2 Key Concepts

1.2.1 Risk Management Process

PUBLIC Page 7 of 194

1.2.2 Levels of Authorization

PUBLIC Page 8 of 194

1.2.2.1 Standard Roles and Authorization Objects

1.2.2.2 Risk Management Application Roles

PUBLIC Page 9 of 194

Defining users, roles, and assignments to authorization objects

Risk Management Sample Application Roles

SAP_GRC_RM_API_ACTIVITY_OWNER Activity owner

SAP_GRC_RM_API_CENTRAL_RM Risk template manager

SAP_GRC_RM_API_INCIDENT_EDITOR Incident editor

SAP_GRC_RM_API_INTERNAL_AUD Internal auditor

SAP_GRC_RM_API_LIAISON System administrator

SAP_GRC_RM_API_OPP_OWNER Opportunity owner

SAP_GRC_RM_API_ORG_OWNER Organizational unit owner

SAP_GRC_RM_API_RISK_MANAGER Unit risk manager

SAP_GRC_RM_API_RISK_OWNER Risk owner

Steps Involved in Role Creation

PUBLIC Page 10 of 194

Customizing Activity Description

Workflow name Description

Furthermore, there are the following event-based workflows:

Workflow name Description Trigger

1.2.3.1 Agent Determination

Analysis Automation: Integration with EH&S

7. Submit the risk.

PUBLIC Page 12 of 194

1.2.5 Customer-Defined Fields

1.2.5.1 Adding Customer-Defined Fields

You can add customer-defined (user-specific) fields in the following areas:

PUBLIC Page 13 of 194

1.2.6 Risk-Related Terminology

Term Explanation Location in Application

Affected risk A risk affected by a response Assessments work center, Responses

1.2.7 Operational Data Provisioning in RM

Authorization Object Description

GRFN_ODP Authorization check for HR objects based on entity and object ID

GRFN_ODP_C Authorization check for special HR objects with complex IDs

GRFN_ODP_E Entity level authorization check for non-HR objects

GRFN_ODP_R Authorization check for regulation specific entities

GRFN_ODPRC Authorization check for complex ID and regulation specific entities

Special HR Objects with Complex ID

Object Type Object ID Format Example Description