SAP GRC - Assigning Mitigation Controls

In an organization, you have control owners at different organization hierarchy levels. Risk should be managed and mitigated as per level of access.

The following are the control owners in an organization −

• One control owner for global level
• Different control owners for regional levels
• Multiple control owners for local level

You have to assign mitigation controls to different levels of responsibility. Now if there is a risk violation at region and local level, you should perform risk mitigation at highest level.

To use mitigation control at organization hierarchy, let us say you have performed risk analysis at organization level and the user violates all child organization rules and meets the condition of parent rule and only parent rule shows up; you can perform risk mitigation in the following ways −

• Mitigation on user level
• Mitigation on organization level