Risk Management


Risk_Management_smallRisk Management is the process by which an organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.

Wikipedia (as of 01. September 2009): Governance, Risk Management and Compliance.


Risk Management and the requirements for an efficient and effective Risk Management resurgence in the interest of companies through proposed amendments to legal regulations, such as SOX or BilMoG. In addition have unexpected events, such as the sub-prime crisis, the current financial crisis, or the rapid rise in raw materials, in particular in energy prices, hit many companies without mitigation strategies in place. These losses are largely due to so-called control weaknesses.
The objectives of the Risk Management process is the timely, early and better identification of risks and their management in order to prevent or minimize negative effects on the economic success of the company. The Risk Management process in an enterprise should effectively manage strategic and operational risks. This process can be defined in essentially five to six phases.

In the first phase the strategic objectives of the company are considered, and based on that the relevant risks are defined. In addition, risk categories are determined, in which individual risks are grouped together. Subsequently, during the risk identification, risks are identified which are impacting the company. Therefore a systematic analysis of all processes is required. Due to constant changes this analysis must be repeated regularly in order to receive a current state of the risk situation. A good documentation of procedures and processes within the corporate can greatly simplify this process step.

The third phase risk assessment simplifies the decision which risks need what priority and what degree of attention to be paid too. For the assessment of the risks, there are numerous methods, but basically they are based on the principle of determining the probable extent of loss and to estimate the probability of occurrence. Based on this risk assessment, Risk Management is now in a position to decide for which risk immediate action is required. The measures to deal with the identified and assessed risks can be grouped into four categories, avoid, reduce, transform, and bear.

The avoidance of risks is based primarily on a strategic decision of management. This will be waived in certain transactions or processes that pose a significant risk in weighing the chances / risk profile. Reducing risk includes activities that lower the potential financial loss or the probability of occurrence. This includes technical and organizational changes or changes to personnel. To transform the risk is a further activity to reduce the overall risk. It should be noted that the risk transformation can not lead to full compensation for occurred risks. Should the recent actions had not contributed to a full elimination of risk, or if these measures are in proportion to the risk too inefficient, the company must bear the corresponding residual risk itself by e.g. having appropriate capital reserves.

Each individual risk or risk category has to pass through a control process. The initiation of appropriate measures shall minimize the overall risk in such a manner that the tier below will not be met in order to have eliminated the risk (after taking the opportunities into account). In principle, despite all the risk measures a residual risk always remains. Although identified, this residual risk contains for example non-quantifiable risks and unidentified risks.

The fifth phase does comprise the risk communication and information and regular monitoring. Herein, it is to create processes and systems, which inform the individual risk managers and management of changes in the risk situation in real-time in order to initiate immediately appropriate actions. For effective monitoring most companies define appropriate metrics. Key Risk Indicators (KRI) are normally based on the assessment of risks and set the defined target values in relation with the current situation (e.g. price of oil relative to the average of the last 12 months). Based on these indicators, the risk managers and management can identify quickly and can clearly determine whether appropriate measures must be taken as described above.

The process of Risk Management is supported effectively and efficiently by the software solution from SAP BusinessObjects Risk Management.

003 02 RM Heatmap

In changing times such as these we can not rule out any risks. On the other hand, it is with certainty possible to better define and track risks down. With state-of-the-art software, such as SAP BusinessObjects Risk Management, you can now early and clearly identify vulnerable areas anytime, anywhere in your enterprise. This provides you with the foresight to assess risks properly and the necessary lead time to defuse these risks before they become a really problem.

With the SAP BusinessObjects Risk Management application, a comprehensive risk profile can be developed for your corporate. Furthermore the risk-appetite can be set and response strategies for loss events can be defined. With SAP BusinessObjects Risk Management the standard risk management process also begins with the risk planning. In this phase, among others the company-specific risk thresholds are defined and the organizational structure is set up.

In the phase of risk identification, an early warning system of key risk indicators is defined in order to achieve a proactive transparency. Opportunities and risks can thus be identified more clearly and easily for all risk types and at all corporate levels. The risk analysis in terms of risk impact and risk probability can be performed on quantitative or qualitative basis.

For the risk measures the risk responses are determined and the cost of risk avoidance are calculated. For example, one of these measures could comprise to actively weaken the risk in order to reduce the occurrence probability and / or the possible loss.

SAP BusinessObjects Risk Management does provide for risk monitoring and a centralized risk reporting risk information updates. Via role-based dashboards, alerts and a risk heatmap the progress of the risk management process can be monitored. This ensures continuous transparency across all business sectors and subsequently does also provide a better decision basis.