SAP GRC - Enhanced Risk Analysis


You can implement enhanced risk analysis using organization rules. In shared service business units, organization rules let you set up procedures for risk analysis and for the management of user groups.

Consider a case where a user has created a fictitious vendor and invoices have been generated to gain financial benefit.

You can create an organization rule with company code enabled to eliminate this scenario.

Perform the following steps to prevent this situation −

  • Enable organization level fields in functions
  • Create org rules
  • Update org user mapping table
  • Configure risk analysis web service

Enable organization level fields in functions

Follow these steps to enable organization level fields in functions −

  • Identify the functions to be segregated by organization level in the shared service environment.

  • Maintain permissions for affected transactions.

Create organization rules

Follow these steps to create organization rules −

Step 1 − Create organization rules for every possible value of the organization field.

Step 2 − Go to Rule Architect → Organization level → Create

Step 3 − Enter the organization rule ID field.

Step 4 − Enter the related task.

Step 5 − Define the organization level fields and combine them with Boolean operators.

Step 6 − Click the Save button to save the organization rule.

Benefits of Using Organization Rules

Let us now understand the benefits of using organization rules.

You can use organization rules for companies to implement the following features −

  • You can use organization rules to implement shared services. They segregate duties with the help of organizational restrictions.

  • Go to Risk Analysis → Org Level

  • Perform a risk analysis of analysis type Org Rule against a user

  • You will receive the following output −

    • The risk analysis will only show a risk if the user has access to the same specific company code in each of the conflicting functions.
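
The output described above can be modelled outside SAP GRC to review an extract of user access. The following Python sketch is an added example, not SAP code: the function IDs, user names, company codes and the treatment of "*" as "all company codes" are assumptions made for illustration.

```python
# Added example: a model of org-rule risk analysis, not SAP GRC's own logic.
# All IDs and access data below are constructed for illustration.
WILDCARD = "*"  # assumption: "*" in the org field grants every company code

# One risk = a pair of conflicting functions (hypothetical IDs).
RISK = ("VENDOR_MAINT", "INVOICE_PROC")

# Every possible value of the organization field (one org rule per value).
ORG_VALUES = ["1000", "2000", "3000"]

# Constructed access extract: user -> function -> company codes held.
USERS = {
    "ALICE": {"VENDOR_MAINT": {"1000"}, "INVOICE_PROC": {"2000"}},
    "BOB": {"VENDOR_MAINT": {"1000", "3000"}, "INVOICE_PROC": {"3000"}},
    "CAROL": {"VENDOR_MAINT": {"*"}, "INVOICE_PROC": {"2000"}},
    "DAVE": {"VENDOR_MAINT": {"1000"}},
}

def expand(codes):
    """Resolve a wildcard grant to every known company code."""
    return set(ORG_VALUES) if WILDCARD in codes else set(codes)

def standard_analysis(access, risk=RISK):
    """Flag the risk when the user holds both functions, ignoring org level."""
    return all(bool(access.get(func)) for func in risk)

def org_rule_analysis(access, risk=RISK):
    """Return the company codes the user holds in every conflicting function."""
    per_function = [expand(access.get(func, set())) for func in risk]
    return sorted(set.intersection(*per_function))

def report(users=USERS):
    """Compare both analysis types for each user."""
    return {
        user: {
            "standard": standard_analysis(access),
            "org_rule": org_rule_analysis(access),
        }
        for user, access in users.items()
    }

if __name__ == "__main__":
    for user, result in report().items():
        print(user, result)
```

ALICE holds both functions but in different company codes, so only the analysis that ignores the organization level flags her; a wildcard grant such as CAROL's still conflicts with any specific company code in the other function.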
