A large part of the time in an SAP GRC project is spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over responsibility.
In this post I would like to clarify the lifecycle of Risks. I have grouped it into four steps: Create, Change, Delete and Review. For each step, please see the expected tasks and who is involved.
Creation of Risks
Tasks
- Define the SoD risk on business level (e.g. with internal auditors)
- Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)
- Implement the risk within SAP GRC AC
- Validate the risk analysis results
Involved functions
- Risk owner
- Process owner
- ICS responsible
- SAP GRC responsible
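To make the creation tasks concrete, here is an added example that is not part of the original post and not SAP GRC code: a minimal SoD risk analysis in Python, modelled on the way a risk is built from conflicting functions, each realised by transactions plus the authorizations needed to execute them. All risk and function IDs, transaction codes, authorization objects and users are constructed sample data; the `validate` helper shows what "validate the risk analysis results" means in practice, namely comparing the findings against the users the risk definition expects to hit.

```python
"""Added example, not from the original post: a minimal segregation-of-duties
(SoD) risk analysis, loosely modelled on how SAP GRC Access Control expresses a
risk as conflicting functions built from transactions and authorizations.
All risk IDs, function IDs, transaction codes, authorization objects and users
below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    """A business function: executable if the user has ANY listed transaction
    AND ALL listed (authorization object, activity) pairs."""
    id: str
    description: str
    tcodes: frozenset
    auths: frozenset = frozenset()


@dataclass(frozen=True)
class Risk:
    """An SoD risk: violated when a user can execute every function in it."""
    id: str
    description: str
    functions: tuple
    level: str = "High"


# Constructed sample risk catalogue (IDs and codes are illustrative only).
F_VENDOR = Function("VM01", "Maintain vendor master",
                    frozenset({"XK01", "XK02", "FK01", "FK02"}),
                    frozenset({("F_LFA1_GEN", "02")}))
F_PAYMENT = Function("AP02", "Post vendor payments",
                     frozenset({"F-53", "F110"}),
                     frozenset({("F_REGU_BUK", "21")}))
F_PO = Function("PR01", "Create purchase orders",
                frozenset({"ME21N", "ME22N"}),
                frozenset({("M_BEST_BSA", "01")}))

RISKS = (
    Risk("P001", "Maintain vendor master and pay the vendor", (F_VENDOR, F_PAYMENT)),
    Risk("P002", "Create purchase order and maintain vendor master", (F_PO, F_VENDOR)),
)

# Constructed user access, as it would be collected from the assigned roles.
USERS = {
    "ACCOUNTANT1": {"tcodes": {"XK02", "F110", "FB01"},
                    "auths": {("F_LFA1_GEN", "02"), ("F_REGU_BUK", "21")}},
    # Has the vendor transaction but only display authorization: no conflict.
    "BUYER1": {"tcodes": {"ME21N", "XK01"},
               "auths": {("M_BEST_BSA", "01"), ("F_LFA1_GEN", "03")}},
    "CLERK1": {"tcodes": {"XK01"}, "auths": {("F_LFA1_GEN", "02")}},
}


def executable_tcodes(access, fn):
    """Transactions of `fn` the user can actually run; empty if the function is
    not executable (no matching transaction, or a required authorization missing)."""
    matched = access["tcodes"] & fn.tcodes
    if not matched or not fn.auths <= access["auths"]:
        return frozenset()
    return frozenset(matched)


def analyse(users, risks=RISKS):
    """Risk analysis: one finding per (user, risk) where every function of the
    risk is executable, i.e. the SoD conflict can actually be carried out."""
    findings = []
    for user, access in sorted(users.items()):
        for risk in risks:
            matches = {fn.id: executable_tcodes(access, fn) for fn in risk.functions}
            if all(matches.values()):
                findings.append({"user": user, "risk": risk.id,
                                 "level": risk.level, "functions": matches})
    return findings


def validate(findings, expected):
    """Validate the analysis results against the (user, risk) pairs the risk
    definition expects; returns (missing findings, unexpected findings)."""
    actual = {(f["user"], f["risk"]) for f in findings}
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    result = analyse(USERS)
    for f in result:
        print(f"{f['user']}: {f['risk']} ({f['level']}) via {dict(f['functions'])}")
    print("missing / unexpected:", validate(result, {("ACCOUNTANT1", "P001")}))
```

The authorization check is the part most often forgotten when a risk is defined on transaction level only: BUYER1 has the vendor master transaction assigned, but without the change activity on the authorization object the function is not executable, so no finding is raised for risk P002.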
Changing of Risks
Tasks
- Define the changes within the SoD risk on business level (e.g. with internal auditors)
- Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)
- Change the risk within SAP GRC AC
- Validate the risk analysis results
Involved functions
- Risk owner
- Process owner
- ICS responsible
- SAP GRC responsible
Deletion of Risks
Tasks
- Delete risks within SAP GRC AC which are no longer valid
- Document the deletion of the risk and especially the decision to delete the risk
Involved functions
- Risk owner
- ICS responsible
- SAP GRC responsible
Reviewing of Risks
Tasks
- Analyse if maintained risks within SAP GRC are still valid
- Define actions to take because of:
  - New business processes
  - Changes in the IT system
  - Changes in the Internal Control System
Involved functions
- Risk owner
- Process owner
- ICS responsible
- SAP GRC responsible
If you want further information or would like to contribute to this blog post, do not hesitate to contact me directly.