GRC
HR
SCM
CRM
BI
Expand +


Article

 

Perform Risk Analysis Using a Point-Based Scoring Method for Probability and Impact

by Kehinde Eseyin, Security Architect

June 12, 2014

A risk is basically any event that can prevent executive management from meeting the defined business goals of an organization. Learn how to perform risk analysis using a simplified score-based concept that involves numeric-centric evaluation.

 

Risk management involves a number of activities. These activities include risk planning, risk identification, risk analysis, risk response, and risk monitoring. I focus on the risk analysis phase of a comprehensive risk management process. Risk analysis is an important concept and an integral part of risk management. SAP Risk Management is a system designed to perform documented and coordinated risk analysis. 

The following risk analysis methods are supported:

  • Quantitative: This approach relies on monetary values and percentage of probability for risk analysis. The analysis results include the expected loss, total impact, and risk level, all of which are based on the total loss and probability values.
  • Qualitative: This approach relies on descriptive categories for impact and likelihood. The result of the analysis is a qualitative view of the risk level, such as high, medium, and low.
  • Scoring: This approach uses a point-scoring system to drive risk assessment. This analysis method allows you to enter impacts and probability as numeric values.

It is commonplace to see enterprises using quantitative and qualitative approaches for risk analysis; however, these options require relatively good knowledge of risk assessment and analysis concepts. SAP is conscious of this fact and thus introduced a simplified alternative, a risk-scoring approach that is based on using a scoring system. The risk-scoring method allows you to perform risk assessment using a point-based system and not using monetary values. It is possible to use this risk-scoring approach in conjunction with quantitative and qualitative approaches. However, I do not discuss the combined use case in this article.

Risk analysis and risk management are becoming increasingly challenging because of complex operations, and the audit and compliance environment in which business organizations operate. These challenges make finding the best approach for performing risk assessment paramount for organizations, especially when monetary figures are not considered. 

Because I cover only the risk-scoring approach to performing risk analysis, I review the basic configuration activities required to use the risk-scoring analysis method productively in the SAP Risk Management system. The output of risk analysis is greatly influenced by the related customization settings. Therefore, impacts and analysis data are some of the customizing activities that must be predefined before you can analyze a risk successfully in the system. I also demonstrate how to perform risk analysis using the risk-scoring approach with a simple business case. In achieving this objective, I cover the following topics:

  • Maintain impact categories
  • Maintain probability and maximum scores
  • Maintain impact levels
  • Maintain probability levels
  • Maintain analysis profiles
  • A business example of risk analysis using the risk-scoring method
  • Review of audit change logs and analysis history reports

I also discuss two additional points to consider when using the risk-scoring approach for risk analysis:

  • Decimal places representation of scores
  • Dependency of an impact category on risk analysis 

(Note: This article applies to SAP Risk Management 10.0 and 10.1. However, the steps and screen prints in this article are based on SAP Risk Management 10.1.)

Maintain Impact Categories

To perform risk analysis, you need to assign an impact category to the risk in the risk management user interface (UI). This requirement is further illustrated in the section titled “Dependency of Impact Category on Risk Analysis.” Impact categorization is a definition of how an organization wants to group the impacts to which it is susceptible. You can also create new impact categories and maintain existing ones. Impact categories are defined and maintained via menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Shared Master Data Settings > Risk and Opportunities Attributes > Maintain Impact Categories. In the screen that appears click the New Entries button to create a new impact category (Figure 1).


Figure 1
The initial screen for the maintenance of impact categories master data table

In the screen that appears enter values for the Impact Category ID and description as shown in Figure 2. Click the save icon.


Figure 2
Define attributes for a new impact category

The next screen (not shown) displays the following status message: Data was saved. 

Maintain Probability and Maximum Scores

The system allows you to define the maximum value for the risk score. Additionally, this customizing activity allows you to define how the probability score and risk score are displayed in terms of decimal representation. You can define the number of decimal places or allow the system to round up the decimal number. The Maximum Score column is not applicable to the probability attribute; therefore, it is grayed out in the corresponding maintenance column. 

To perform this customizing activity, follow menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Risk and Opportunity Analysis > Define Probability and Maximum Score.

In the screen that appears (Figure 3) I do not make any changes to this table because in my example I retain the default definition at this time.


Figure 3
The initial screen for the maintenance of decimal places and maximum score

Maintain Impact Levels

The impact level definition is an estimation of the consequences of a particular risk on the basis of a configurable scale, usually depicted with a score. The aggregation method for the impact score is subsequently maintained as part of the customizing activity Maintain Analysis Profile. To maintain the impact score, follow menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Master Data Setup > Maintain Impact Levels. In the screen that appears (Figure 4) click the New Entries button to create an additional impact level.


Figure 4
The initial screen for the maintenance of impact levels

For the purpose of my business example, I maintain the score column against the existing impact level as shown in Figure 5. Click the save icon.


Figure 5
Maintain the score corresponding to an impact level

The next screen (not shown) displays the following status message: Data was saved. This message indicates that the impact level definition was saved successfully. The screen, for example, shows that the impact level 4 corresponds to a major impact and has a score of 85.

Maintain Probability Levels

The probability level corresponds to a defined probability score used by the system to evaluate a risk. To maintain probability levels, follow menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Risk and Opportunity Analysis > Maintain Probability Levels. In the screen shown in Figure 6 create new probability levels by clicking the New Entries button.  


Figure 6
The initial screen for maintenance of probability levels

In my business example, I make changes only to the probability score column as shown in Figure 7. Click the save icon.


Figure 7
Maintain the probability score against defined probability level

The next screen (not shown) displays the following status message: Data was saved.

Maintain Analysis Profiles

The analysis profile is used to define the attributes that drive risk analysis or an opportunity session in the SAP Risk Management system. Some of the attributes that can be defined against the analysis profile are probability modes for risk analysis and aggregation methods. The maintenance of the analysis profile helps control what is displayed in the risk analysis UI such as impact level, risk level, probability level, and risk score. Although you can define more than one analysis profile, only one analysis profile can be active at any point in time. The analysis profile can be maintained by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Risk and Opportunity Analysis > Maintain Analysis Profile. 

In the screen that appears (Figure 8) click the New Entries button.


Figure 8
Analysis profile master data

In the next screen populate the fields as shown in Figures 9 and 10. Click the save icon. 


Figure 9
Maintained analysis profile attributes


Figure 10
Maintained analysis profile attributes

(Note: Figure 10 is the Display section of the screen shown in Figure 9. In the Speed of Onset field in Figure 9, I disabled this option. Speed of onset is the time frame in which a risk can happen. Speed of onset functionality is beyond the scope of this article.)

The next screen displays a status message (Figure 11).


Figure 11
Status message after saving the analysis profile definition

Click the back button. Figure 12 displays with the analysis profile master data updated with the new analysis profile – KEN_SCORE2. Select the Active radio button against the new analysis profile and click the save icon.


Figure 12
Activate the newly created analysis profile

The next screen (not shown) displays the status message Data was saved.

Before I proceed, let’s review the important definitions (for scoring risk analysis approach) made against the analysis profile KEN_SCORE2, especially as they relate to the probability analysis mode, impact analysis mode, impact aggregation method, and risk-score aggregation method.

Probability analysis mode: The Probability field in the Analysis Mode section is set to Scoring. Figure 13 is an excerpt from the screen shown in Figure 11 showing the possible probability options – Qualitative, Quantitative, Scoring, and Disabled.


Figure 13
Options for probability analysis mode

Impact analysis mode: The Scoring check box is activated in the Impact section. Figure 14, which is an excerpt of Figure 11, shows the risk analysis methods.


Figure 14
Risk analysis methods for impact

As stated earlier, qualitative and quantitative risk analysis methods can be used in conjunction with risk scoring. If this is the intent, then you have to check the corresponding boxes. This allows you to toggle which risk analysis option to use in the risk management application UI at the point of performing risk analysis. I do not discuss this concept as I focus only on the risk-scoring method.

Impact aggregation method: The impact aggregation setting allows you to define how a particular impact analysis is aggregated into the overall risk impact. For the purpose of my business example, the impact aggregation method is set to Max (maximum). Figure 15 is an excerpt of Figure 11 showing the possible impact aggregation calculation options — Max, Average, Summation, and Customer Exit.


Figure 15
Options for the impact aggregation calculation method

Risk score aggregation method: For the purpose of my business example, the Risk score aggregation method is set to Average. Figure 16 is an excerpt of Figure 11 showing the possible risk score aggregation calculation options – Max, Average, Summation, and Multiplication.


Figure 16
Options for the risk score aggregation calculation method

Lastly, for the purpose of my business example, the probability level, impact level, and risk score check boxes have been selected (to display) as shown in Figure 10. Note that the activation of the options to display on the risk management application UI depends to some extent on the analysis method to be adopted. Therefore, for example, quantitative analysis needs to be activated for an expected loss to be checked for display. 

A Business Example of Risk Analysis Using the Scoring Method

You can perform risk analysis both for a newly created risk and for an existing risk. To demonstrate how the risk-scoring approach configuration activities affect risk analysis, I create a new risk and then maintain the impact score and probability score in the risk analysis application UI. In my business example, I follow steps to first create a risk and then perform score-based analysis for the risk using SAP Risk Management’s risk-scoring functionality, a point-based system for risk analysis driven by a nonmonetary values-based risk assessment concept. Meanwhile, to understand the score-based approach, it is important to have an understanding of the following terminologies:

  • Risk impact score: A value calculated and driven by the impact scores maintained for specific impact levels based on the calculation option defined for the impact aggregation method.
  • Risk score: This is calculated and driven by the probability score and risk impact score based on the calculation options defined for the risk score aggregation.

To create a new risk, and consequently perform risk analysis using the scoring approach,

execute transaction code NWBC to access the SAP NetWeaver Business Client (NWBC) portal. Choose the Risks and Opportunities quick link under Risk Assessments in the Assessments work center (this screen is not shown). In the screen that appears (Figure 17), click Create and select Operational Risk from the drop-down list of options.


Figure 17
The menu option to create operational risk

In the screen that appears (Figure 18), enter values for the mandatory fields Name, Organization Unit, and Risk Category. In the Drivers and Impacts section, click the Add button.


Figure 18
Maintain mandatory risk attributes

The screen shown in Figure 19 appears. 


Figure 19
Associate an impact category to the risk

Choose a predefined impact category from the drop-down list in the pop-up screen, such as Operations (Figure 20). Click the OK button.


Figure 20
Definition of impact category for a risk

The next screen displays the added impact category in the Drivers and Impacts section (Figure 21).


Figure 21
Linked operation impact category to a risk master data

Repeat these activities to add another category and you should end up at a screen similar to the one shown in Figure 22. Click the Submit button.


Figure 22
Linked safety impact category to a risk master data

The newly created risk displays in the risk and opportunity management worklist as shown in Figure 23.


Figure 23
The Risk and Opportunity Management worklist showing a newly created risk

Choose the newly created risk by clicking the risk name under the Risk/Opportunity column. For example, if you click the Unauthorized Access link in Figure 23, the details for that risk appear in the next screen (Figure 24). Now click the Analysis tab.


Figure 24
Details of a sample risk master data

In the next screen (Figure 25) click the Create Analysis button. Risk analysis covers the activities of analyzing your organizational risks to determine the impact and probability of a potential risk occurring. The Analysis tab on the Risk Management application UI provides users with the flexibility of defining the type of analysis performed if properly configured, either qualitative or quantitative or scoring.


Figure 25
The Analysis tab of a sample risk

In the next screen (Figure 26), click the value in the Impact Score column to open the impact allocation maintenance table.


Figure 26
The initial screen for the creation of risk analysis

In the next screen (Figure 27), the Impact Allocation table allows you to enter the score that drives the overall impact score and risk score.


Figure 27
Impact allocation table for impact score maintenance

Now maintain the impact allocation table. For the purpose of my business example, I enter a score of 15 against the Operations Impact Category and 85 against the Safety Impact Category as shown in Figure 28. Click the Save button.


Figure 28
Maintain the impact allocation table

Navigate back to the Risk and Opportunity Management worklist. To do this execute transaction code NWBC to return to the NWBC portal (Figure 17). Click the Risk and Opportunities link under Risk Assessments (this screen is not shown). In the next screen click the Create button and choose a risk. In the next screen click the Analysis tab (Figure 29).


Figure 29
Impact score and risk score value after risk analysis

Note that the impact score is set to 85. This is calculated based on the analysis profile setting for the impact aggregation method that is set to Max. The impact score of the operation (85) impact category is higher than the safety (15) impact category, so 85 is selected. Also, the risk score is set to 43. This is calculated based on the analysis profile setting for the risk score aggregation method that is set to Average. Therefore, the average is 85/2 = 42.5. Recall that the risk score was configured earlier to report without decimal places in the customizing activity maintenance of probability and maximum score. Therefore, an approximate risk score of 43 was reported.

To test how the probability score affects the risk score, enter the value 100 in the Probability Score column as shown in Figure 30. Click the save icon.


Figure 30
Update of probability score

Navigate back to the Risk and Opportunity Management worklist, choose the risk, and navigate back to the Analysis tab (Figure 31).


Figure 31
Risk score change based on probability score update

Note that the Risk Score has changed to 93. This is calculated based on the analysis profile setting for the risk-score aggregation method that is set to Average. Therefore, the average of the probability score and the impact score are reported as the risk score. In my business example, this is (100 + 85)/2 = 92.5. Recall that the risk score was configured to report without decimal places in the customizing activity maintenance of probability and maximum score. Therefore, a risk score of approximately 93 was reported.

Review of Audit Change Log and Analysis History Reports

You can display the history of the changes made to a risk including analysis data. This can be useful in meeting specific internal control, compliance, and audit requirements as it relates to keeping an audit log of changes to risk analysis data. Furthermore, specific reports can be provided to executive management showing the risk analysis data and, consequently, guiding them in decision-making based on empirical data.

Navigate back to the Risk and Opportunity Management worklist, choose the risk, and navigate back to the Analysis tab (Figure 32). Click the Show Change History button.


Figure 32
The Analysis tab of a risk definition

 The change audit log appears (Figure 33).


Figure 33
The change audit log for risk maintenance

If I select a specific entry in the change audit log, the details of the audit log, including the before (Old Value) and after (New Value) values, are displayed as shown in Figure 34


Figure 34
Detailed change history log for risk maintenance

The application also provides the capability to graphically report the history of risk analysis. The graphical representation is displayed in the Analysis history section of the risk master data. Figures 35 to 39 show examples of the reports for impact level, impact score, probability level, probability score, and risk score, respectively. To reach these screens execute transaction code NWBC to return to the NWBC portal (Figure 17). Click the Risk and Opportunities link under Risk Assessments (this screen is not shown). In the next screen click the Create button and choose a risk. In the screen that opens (Figures 35 to 39) click the Analysis tab.


Figure 35
Analysis history report for impact score


Figure 36
Analysis history report for impact level


Figure 37
Analysis history report for probability level


Figure 38
Analysis history report for probability score


Figure 39
Analysis history report for risk score

Additional Points to Consider

Keep these two points in mind when using the risk-scoring method for risk analysis:

  • Decimal places representation of scores
  • Dependency of an impact category on risk analysis 
Decimal Places Representation of Scores

To demonstrate how the define probability and maximum score  customizing activity influences the number of decimal places displayed in the risk management UI for the scores, go back and update the initial settings for decimal places. Follow menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Risk Management > Risk and Opportunity Analysis > Define Probability and Maximum Score. The screen shown in Figure 40 appears.


Figure 40
The initial screen for the maintenance of the number of decimal places

In the Score field, select an option from the available values (e.g., 2 Decimal places) as shown in Figure 41. Click the save icon.


Figure 41
Definition of the number of decimal places for score

The next screen (not shown) displays the status message Data was saved.  

Navigate back to the Risk and Opportunity Management worklist. To do so execute transaction code NWBC to return to the NWBC portal (Figure 17). Click the Risk and Opportunities link under Risk Assessments (this screen is not shown). In the next screen click the Create button and choose a risk. In the next screen click the Analysis tab (Figure 42). Note that the score (for example, risk score) is reported as 92.50 (and not 93, as shown in Figure 31), this time with two decimal places.


Figure 42
Score values display in 2 two decimal places

Dependency of an Impact Category on Risk Analysis

To perform risk analysis it is necessary to assign an impact category to a risk master data. To complete this task, execute transaction code NWBC to access the NWBC portal (Figure 17). Click the Risk and Opportunities link under Risk Assessments (this screen is not shown). In the next screen click the Create button and select Operational Risk from the drop-down list of options. Figure 43 shows the initial risk definition screen with mandatory attributes filled, but with a blank Impacts category.


Figure 43
The initial screen for risk creation without impact category assignment

Click the Analysis tab.  Figure 44 displays a warning message about the inability to perform risk analysis because no impact category has been assigned for the risk. 


Figure 44
A warning message about impact assignment dependency of risk analysis

An email has been sent to:





 

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.



COMMENTS

Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!


SAPinsider
FAQ