Provided an organization has both Process Control and Risk Management installed, a number of integrated functions become available. This document describes the steps for integrating the two applications.
Several areas are shared by Process Control and Risk Management:
- Use of the central Process Control process hierarchy as part of the Risk Management activity hierarchy.
- Risk Templates
- Proposing a new control from RM so that a PC processor can create the control.
- Monitoring Control Effectiveness and Assessment Results.
- Using a policy as a risk response.
Use the central processes of Process Control (PC) as activity categories in Risk Management (RM), and the local subprocesses of PC as local activities in RM. Without this mapping, no direct assignment of an activity to an activity category is possible.
Follow these steps to integrate the hierarchies:
- Access the Master Data work center and click the Activity Hierarchy link under Activities and Processes.
- The activity hierarchy overview screen opens. Select an activity category and make note of it.
- Access transaction GRFN_STR_CHANGE in the back-end system and go to the section on activity categories.
- Below the activity category item, select Search Term to find the activity category you are working with in the application. The result list is displayed at the bottom left of the screen.
- Select the activity category in the result list at the bottom left to display its data in the right-hand sections of the screen.
- On the Activity Category Attributes tab (bottom section), open the Prefix field and select the prefix ID PROCESS.
- Save your entry.
- The Risk Management application now displays the Process Control hierarchy, containing its processes and subprocesses, in the lower section of the activities screen.
Risk templates are common to both the Process Control and Risk Management applications and can be defined and assigned from either.
Proposing a new control from RM so that a PC processor can create the control
In addition to working with risk responses, we can also work with the controls of the PC application. A control is a policy, implemented through processes and procedures and directed by an organization's corporate executives, which supports compliance with operational objectives.
These objectives can be operational efficiency, reliability of financial reporting and disclosures, and compliance with applicable laws and regulations, such as the Sarbanes-Oxley Act (SOX).
- Go to Assessments->Risk Assessments->Risks and Opportunities and, by clicking the name in the Risk / Opportunity column, select the risk to which you want to respond with a control proposal.
- Access the Response Plans tab of the risk creation screen.
- Choose the Create button and then choose Control Proposal. The control proposal window opens. Here the RM user can propose a new control so that a PC processor can create the corresponding control.
- Specify the regulation or policy to be used for the control.
- Enter the mandatory data: the organizational unit and the control name, and change the validity dates if necessary. The organizational unit differs depending on the regulation or policy you have chosen.
- Change the other default settings if necessary.
- Submit the control proposal.
- The system puts the control proposal into the list of responses on the Response screen with the status Proposed.
To assign an existing control, choose Assign Control. In the dialog box, select the regulation and search for an existing PC control. Choose OK to use it. The selected control is added to the list of responses with the status Active.
Monitoring Control Effectiveness and Assessment Results
The PC ratings entered for a control can be converted into response data in RM. This links the control rating results to the completeness and effectiveness data of the corresponding responses, expressed as percentages.
This makes it possible to monitor the effectiveness and assessment results of PC controls automatically and to map those results directly to the RM response effectiveness and completeness fields.
Prerequisites and Procedures
- Set Up Link from Control Results to RM, under SPRO->Governance, Risk and Compliance->Risk Management->Response and Enhancement Plan.
In the Customizing activity Set Up Link from Control Results to RM, set up a link to the results generated in Process Control, which are stored as SAP Records Management cases. For both response effectiveness and response completeness, enter the case type and category to be used.
- Convert Control Rating to Response Fields, also under Governance, Risk and Compliance->Risk Management->Response and Enhancement Plan.
In the Customizing activity Convert Control Rating to Response Fields, create three entries for response effectiveness and another three for response completeness, each corresponding to one Process Control color rating. For each entry, select one of the available color-coded ratings and enter a user-defined percentage value in the percentage field.
- Maintain Custom Agent Determination Rules, under Governance, Risk and Compliance->General Settings->Workflow.
When the Process Control assessment and testing results are published, the corresponding response fields for completeness and effectiveness in RM are updated. An e-mail notification on the completeness and effectiveness update is sent to the users assigned to the agent slot/business event 0RM_NOTIF_ON_CONTROL_CHANGE.
Creating a Policy from a Risk to Use as a Response
Besides a specific risk response and a control, we can also use a policy from the PC policy library to respond to a risk. A policy is a statement of objective, direction, or standard that acts as guidance for a company’s interactions and operations.
It can be regarded as an internal mandate established by a company to regulate the conduct of its work with respect to the regulations it must observe.
Once assigned to a risk, a policy can be used as a risk response. This enables users to mitigate a risk by proposing or documenting a policy for their area of responsibility, including the documentation of the response effectiveness, impact reduction, and probability reduction.
Prerequisites and Procedure:
- The Customizing activity SPRO->Governance, Risk and Compliance->Risk Management->Response and Enhancement Plan->Responses for Policies->Link Policy Status and Response Completeness must be carried out.
- Under SPRO->Governance, Risk and Compliance->Risk Management->Response and Enhancement Plan->Responses for Policies, carry out Set Up Response Notification Recipient for Policy and Set Up Policy Response Notification Text.
- In Customizing for GRC under Common Component Settings->Policy Management, define policy types in the Customizing activities Maintain Policy Types and Distribution Methods and Policy Types for Response Creation.
- Call up a risk and then choose the Response Plans tab to create a policy.
- Choose Create Policy.
- The dialog box for policy creation appears. Select a policy group and a policy category.
- The policy screen appears, in which you create the policy itself. Enter the necessary policy information in the corresponding tabs.
- Save the policy. You can send the policy for review or submit it for approval.
- Close the policy. You can see that the response based on the new policy has been created.
- Save the updated risk.
If you have entered risks in the Policy screen, they are displayed in the Policy tab of the Risk screen.
Creating a Response Using a Policy
Besides creating a response in the Risk screen, you can also create a response using a policy from the Response screen. To do so:
- Select an existing risk and then choose the Response Plans tab to create a policy.
- Choose Create Policy.
- A dialog box for the selection of a policy appears. Select a policy and confirm the selection.
- After confirmation, you are returned to the Response tab, where the new response is displayed.