The way business is done across the globe has changed a great deal, from traditional, local operations to a multinational environment. Organizations nowadays have larger customer bases, which means more commitments and more country-specific regulations.
This change has obviously affected the balance sheet: more profit, more production and more resources, with higher targets and competition that increases every year. This growth in business also invites more risk. The business and the risk of any organization can be understood through its business process model, because a business is essentially run by the underlying processes that the organization follows.
Let’s consider a situation:
We have an account (a box) holding $10,000. I am giving people access to withdraw money from that account (box).
We can define a simple process for getting money out of this box (account).
Here are the rules for getting money from this account (box):
- 1. Only people authorized to withdraw money may take it.
- 2. Each withdrawal must be approved by the manager.
- 3. You can only take $100 at a time; if the amount is larger, special permission is required.
- 4. You must submit an expense report for the amount.
Based on these rules, a simple process can be designed:
Step 1: Request for money by the person.
Step 2: Approval by the manager.
Step 3: Submission of the expense report.
Step 4: Review of the expense report.
Step 5: Grant of money.
Now let's analyze how the risk in this situation can be categorized.
- Access-based risk: unauthorized access, or unwanted/excess access beyond what the role needs.
What if the wrong user gets access and takes $100? That is an unwanted loss.
One could safeguard against this by setting a key/password on the box, so that only a user holding the right key can get the money.
“Access-based risk is the risk that arises when an individual obtains access that he/she was never intended to have.”
We will have a closer look at this kind of risk in an ERP environment.
Process-based risk, in the same situation, concerns what happens once the authorized person has the key and is inside.
There is a chance that the rules specified above are not followed:
What if the user takes more than $100 from the box?
What if the user submits a fake expense report?
What if the user asks for a duplicate payment?
All of these fall under process-based risk.
“Process-based risk arises whenever the underlying process is not followed properly.”
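To make the two categories concrete, here is a small Python model of the cash box process. This is an added example, not code from the original post: the users, keys and requests are constructed sample data, and the split into `check_access` and `check_process` is my own structuring of the post's rules. Access checks answer "is this person allowed to touch the box at all?"; process checks answer "did an allowed person follow the rules?" (approval, the $100 limit, the expense report, and no duplicate payment against the same report).

```python
"""Toy model of the cash-box process: access controls versus process controls.
All users, keys, amounts and requests below are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SINGLE_WITHDRAWAL_LIMIT = 100  # rule 3: at most $100 per request without special permission


@dataclass
class Request:
    request_id: str
    user: str
    key: str                      # the "key/password" from the post, assumed to be per-user
    amount: int
    manager_approved: bool        # rule 2 / step 2
    special_permission: bool = False
    expense_report: Optional[str] = None  # rule 4 / step 3: reference to a submitted report
    expense_reviewed: bool = False        # step 4


@dataclass
class CashBox:
    balance: int
    authorised_keys: Dict[str, str]              # access-control data: user -> key (constructed)
    paid_reports: Set[str] = field(default_factory=set)  # reports already paid out

    def check_access(self, req: Request) -> List[str]:
        """Access-based risk: is this user allowed to draw at all, and do they hold the right key?"""
        findings: List[str] = []
        expected = self.authorised_keys.get(req.user)
        if expected is None:
            findings.append("unauthorised user")           # rule 1
        elif req.key != expected:
            findings.append("wrong key")                   # right user name, wrong credential
        return findings

    def check_process(self, req: Request) -> List[str]:
        """Process-based risk: the user is allowed in, but were the rules followed?"""
        findings: List[str] = []
        if not req.manager_approved:
            findings.append("no manager approval")                               # rule 2
        if req.amount > SINGLE_WITHDRAWAL_LIMIT and not req.special_permission:
            findings.append("amount over limit without special permission")      # rule 3
        if req.expense_report is None:
            findings.append("no expense report")                                 # rule 4
        elif not req.expense_reviewed:
            findings.append("expense report not reviewed")                       # step 4
        elif req.expense_report in self.paid_reports:
            findings.append("duplicate payment for same expense report")         # duplicate claim
        if req.amount > self.balance:
            findings.append("insufficient funds")
        return findings

    def process(self, req: Request) -> Tuple[bool, List[str]]:
        """Access checks run first; process checks only make sense for an authorised user."""
        findings = self.check_access(req)
        if findings:
            return False, findings
        findings = self.check_process(req)
        if findings:
            return False, findings
        self.balance -= req.amount                 # step 5: grant of money
        self.paid_reports.add(req.expense_report)  # remember the report so it cannot be paid twice
        return True, []


def run_demo() -> Tuple[int, Dict[str, List[str]]]:
    """Push a constructed batch of requests through the box; returns (final balance, findings per request)."""
    box = CashBox(balance=10_000, authorised_keys={"alice": "a-key", "bob": "b-key"})
    requests = [
        Request("r1", "alice", "a-key", 100, True, expense_report="exp-1", expense_reviewed=True),  # clean
        Request("r2", "mallory", "x", 100, True, expense_report="exp-2", expense_reviewed=True),   # access risk
        Request("r3", "bob", "wrong", 100, True, expense_report="exp-3", expense_reviewed=True),   # wrong key
        Request("r4", "bob", "b-key", 500, True, expense_report="exp-4", expense_reviewed=True),   # over limit
        Request("r5", "alice", "a-key", 100, True, expense_report="exp-1", expense_reviewed=True), # duplicate
        Request("r6", "alice", "a-key", 100, False),                                               # no approval, no report
    ]
    findings_by_id: Dict[str, List[str]] = {}
    for req in requests:
        _ok, findings = box.process(req)
        findings_by_id[req.request_id] = findings
    return box.balance, findings_by_id


if __name__ == "__main__":
    balance, findings = run_demo()
    for request_id, problems in findings.items():
        print(request_id, "OK" if not problems else problems)
    print("balance:", balance)
```

Only `r1` is paid out, so the balance ends at $9,900. Note that the key alone (the safeguard the post suggests) only stops `r2` and `r3`; `r4`, `r5` and `r6` all come from users who hold a valid key, which is exactly why process controls are needed on top of access controls.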
In a later blog post we will discuss these risks in detail in an ERP environment, looking at security from the points of view of access controls and process controls.