SAP GRC - Risk Management

SAP Risk Management in GRC supports risk-adjusted management of enterprise performance: it lets an organization optimize efficiency, increase effectiveness, and maximize visibility across its risk initiatives.

The following are the key functions under Risk Management −

    Risk management emphasizes organizational alignment towards top risks, their associated thresholds, and risk mitigation.

    Risk analysis includes performing qualitative and quantitative analysis.

    Risk management involves identification of the key risks in an organization.

    Risk management also includes resolution/remediation strategies for risks.

    Risk management aligns key risk indicators and key performance indicators across all business functions, permitting earlier risk identification and dynamic risk mitigation.

Risk management also involves proactive monitoring of existing business processes and strategies.

Phases in Risk Management

Let us now discuss the various phases in Risk Management. They are −

    Risk Recognition

    Rule Building and Validation

    Analysis

    Remediation

    Mitigation

    Continuous Compliance

Risk Recognition

In a risk recognition process under risk management, the following steps can be performed −

    Identify authorization risks and approve exceptions

    Clarify and classify risk as high, medium or low

    Identify new risks and conditions for monitoring in the future

Rule Building and Validation

Perform the following tasks under Rule Building and Validation −

    Reference the best-practice rules for the environment

    Validate the rules

    Customize rules and test

    Verify against test user and role cases

Analysis

Perform the following tasks under Analysis −

    Run the analytical reports

    Estimate cleanup efforts

    Analyze roles and users

    Modify rules based on analysis

    Set alerts to flag executed risks

From the management aspect, you can see a compact view of risk violations grouped by severity and time.

Step 1 − Go to Virsa Compliance Calibrator → Informer tab

Step 2 − For SoD violations, you can display a pie chart and a bar chart to represent current and past violations in the system landscape.

The following are the two different views to these violations −

    Violations by risk level

    Violations by process

[Image: Risk Violations (violations by risk level)]

[Image: Violations Process (violations by process)]

Remediation

Perform the following tasks under remediation −

    Determine alternatives for eliminating risks

    Present analysis and select corrective actions

    Document approval of corrective actions

    Modify or create roles or user assignments

Mitigation

Perform the following tasks under mitigation −

    Determine alternative controls to mitigate risk

    Educate management about conflict approval and monitoring

    Document a process to monitor mitigation controls

    Implement controls

Continuous Compliance

Perform the following tasks under Continuous Compliance −

    Communicate changes in roles and user assignments

    Simulate changes to roles and users

    Implement alerts to monitor selected risks and mitigation-control testing
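
The Analysis phase above (violations grouped by risk level and by process) and the "Simulate changes to roles and users" step under Continuous Compliance both rest on the same segregation-of-duties (SoD) check: a user violates a rule when the roles assigned to them together grant two functions that the rule says must be kept apart. The following is an added example written for this page, not code from SAP GRC or Virsa Compliance Calibrator; the rule identifiers, role names, business functions, users and mitigating controls are all constructed sample data, and the function names are the author's own, not SAP APIs. It reports the two management views described above, excludes violations that already have an approved mitigating control, and runs a what-if simulation of a role assignment before it is made.

```python
"""Minimal segregation-of-duties analyzer (added example, not SAP GRC code).

All rule, role, function and user data below is constructed for illustration.
"""
from collections import Counter

# Constructed rule set: two business functions that must not be held by one
# user, the business process the rule belongs to, and its risk classification.
SOD_RULES = [
    {"id": "P001", "process": "Procure to Pay", "functions": ("PR01", "AP02"), "level": "High"},
    {"id": "P002", "process": "Procure to Pay", "functions": ("AP02", "AP03"), "level": "Critical"},
    {"id": "F001", "process": "Finance", "functions": ("GL01", "GL02"), "level": "Medium"},
    {"id": "H001", "process": "HR", "functions": ("HR01", "HR02"), "level": "Low"},
]

# Constructed role-to-function mapping: a role grants one or more business functions.
ROLE_FUNCTIONS = {
    "Z_PURCHASER": {"PR01"},
    "Z_AP_CLERK": {"AP02"},
    "Z_AP_MANAGER": {"AP02", "AP03"},
    "Z_GL_POSTER": {"GL01"},
    "Z_GL_APPROVER": {"GL02"},
    "Z_HR_ADMIN": {"HR01", "HR02"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"Z_PURCHASER", "Z_AP_CLERK"},
    "bob": {"Z_AP_MANAGER"},
    "carol": {"Z_GL_POSTER"},
    "dave": {"Z_HR_ADMIN"},
}

# Constructed approved mitigating controls, keyed by (user, rule id).
MITIGATIONS = {("dave", "H001")}

# Sort order used to put the most severe violations first.
LEVEL_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def user_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the business functions granted by a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_violations(user_roles, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS,
                    mitigations=MITIGATIONS):
    """Return every (user, rule) conflict, most severe first, flagging mitigated ones."""
    violations = []
    for user, roles in user_roles.items():
        funcs = user_functions(roles, role_functions)
        for rule in rules:
            a, b = rule["functions"]
            if a in funcs and b in funcs:
                violations.append({
                    "user": user,
                    "rule": rule["id"],
                    "process": rule["process"],
                    "level": rule["level"],
                    "mitigated": (user, rule["id"]) in mitigations,
                })
    violations.sort(key=lambda v: (LEVEL_ORDER[v["level"]], v["user"]))
    return violations


def violations_by_level(violations):
    """Management view 1: open (unmitigated) violations counted per risk level."""
    return dict(Counter(v["level"] for v in violations if not v["mitigated"]))


def violations_by_process(violations):
    """Management view 2: open (unmitigated) violations counted per business process."""
    return dict(Counter(v["process"] for v in violations if not v["mitigated"]))


def simulate_assignment(user, new_role, user_roles):
    """What-if check: the violations a proposed role assignment would newly introduce.

    The live assignments are copied, so the simulation never changes them.
    """
    before = {(v["user"], v["rule"]) for v in find_violations(user_roles)}
    proposed = {u: set(r) for u, r in user_roles.items()}
    proposed.setdefault(user, set()).add(new_role)
    after = find_violations(proposed)
    return [v for v in after if (v["user"], v["rule"]) not in before]


if __name__ == "__main__":
    found = find_violations(USER_ROLES)
    for v in found:
        flag = " (mitigated)" if v["mitigated"] else ""
        print(f'{v["level"]:<8} {v["user"]:<6} {v["rule"]} {v["process"]}{flag}')
    print("By level:  ", violations_by_level(found))
    print("By process:", violations_by_process(found))
    print("Simulate carol + Z_GL_APPROVER:",
          [(v["rule"], v["level"]) for v in simulate_assignment("carol", "Z_GL_APPROVER", USER_ROLES)])
```

Run as a script to see the sorted violation list and both views; the simulation call at the end shows that giving carol the approver role would create a new Medium conflict in Finance, which is exactly the check a role change request should pass before the assignment is made.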

Risk Classification

Risks should be classified as per the company policy. The following are the risk classifications that you can define according to risk priority and company policy −

Critical

Risks are classified as critical when they involve the company's critical assets that are very likely to be compromised by fraud or system disruptions.

High

This includes physical or monetary loss or system-wide disruption that includes fraud, loss of any asset or failure of a system.

Medium

This includes multiple system disruptions, like overwriting master data in the system.

Low

This includes risks where the productivity losses or system failures caused by fraud or system disruptions are minimal.