SAP GRC - Risk Management
SAP Risk Management in GRC is used to manage risk-adjusted management of enterprise performance that empowers an organization to optimize efficiency, increase effectiveness, and maximize visibility across risk initiatives.
The following are the key functions under Risk Management −
Risk management emphasizes on organizational alignment towards top risks, associated thresholds, and risk mitigation.
Risk analysis includes performing qualitative and quantitative analysis.
Risk management involves Identification of key risks in an organization.
Risk management also includes resolution/remediation strategies for risks.
Risk management performs the alignment of key risk and performance indicators across all business functions permitting earlier risk identification and dynamic risk mitigation.
Risk management also involves proactive monitoring into existing business processes and strategies.
Phases in Risk Management
Let us now discuss the various phases in Risk Management. The following are the various phases in risk management −
- Risk Recognition
- Rule Building and Validation
- Analysis
- Remediation
- Mitigation
- Continuous Compliance
Risk Recognition
In a risk recognition process under risk management, the following steps can be performed −
- Identify authorization risks and approve exceptions
- Clarify and classify risk as high, medium or low
- Identify new risks and conditions for monitoring in the future
Rule Building and Validation
Perform the following tasks under Rule Building and Validation −
- Reference the best practices rules for environment
- Validate the rules
- Customize rules and test
- Verify against test user and role cases
Analysis
Perform the following tasks under Analysis −
- Run the analytical reports
- Estimate cleanup efforts
- Analyze roles and users
- Modify rules based on analysis
- Set alerts to distinguish executed risks
From the management aspect, you can see compact view of risk violations that are grouped by severity and time.
Step 1 − Go to Virsa Compliance Calibrator → Informer tab
Step 2 − For SoD violations, you can display a pie chart and a bar chart to represent current and past violations in the system landscape.
The following are the two different views to these violations −
- Violations by risk level
- Violations by process
Remediation
Perform the following tasks under remediation −
- Determine alternatives for eliminating risks
- Present analysis and select corrective actions
- Document approval of corrective actions
- Modify or create roles or user assignments
Mitigation
Perform the following tasks under mitigation −
- Determine alternative controls to mitigate risk
- Educate management about conflict approval and monitoring
- Document a process to monitor mitigation controls
- Implement controls
Continuous Compliance
Perform the following tasks under Continuous Compliance −
- Communicate changes in roles and user assignments
- Simulate changes to roles and users
- Implement alerts to monitor for selected risks and mitigate control testing
Risk Classification
Risks should be classified as per the company policy. The following are the various risk classifications that you can define as per risk priority and company policy −
Critical
Critical classification is done for risks that contain company’s critical assets that are very likely to be compromised by fraud or system disruptions.
High
This includes physical or monetary loss or system-wide disruption that includes fraud, loss of any asset or failure of a system.
Medium
This includes multiple system disruption like overwriting master data in the system.
Low
This includes risk where the productivity losses or system failures compromised by fraud or system disruptions and loss is minimum.
