A large share of the time in an SAP GRC project is spent on defining processes and responsibilities. My suggestion is to think in lifecycles, because that gives a better understanding of the processes and of who takes over which responsibility.

In this post I would like to clarify the lifecycle of risks. I have grouped it into four steps: Create, Change, Delete and Review. For each step you will find the expected tasks and the functions involved.

On request I have also added a RACI matrix for each step, showing who is Responsible, Accountable, Consulted and Informed. Please be aware that this depends very much on the point of view and may differ in your organization. My considerations are common sense and aim at smooth processes throughout a global enterprise.

Creation of Risks

Tasks

  • Define the SoD risk on the business level (e.g. together with internal auditors)
  • Evaluate the transactions and authorizations necessary to execute the SoD conflict (both the transaction code and the underlying authorization)
  • Implement the risk within SAP GRC AC
  • Validate the risk analysis results (e.g. check that the new rule flags the expected users and roles, and only those)

Involved functions

  • Risk owner
  • Process owner
  • ICS responsible
  • SAP GRC responsible

[Image: RACI matrix for the creation of risks (RACI_Risks_Create.png)]

Changing of Risks

Tasks

  • Define the changes to the SoD risk on the business level (e.g. together with internal auditors)
  • Re-evaluate the transactions and authorizations necessary to execute the SoD conflict (both the transaction code and the underlying authorization)
  • Change the risk within SAP GRC AC
  • Validate the risk analysis results after the change

Involved functions

  • Risk owner
  • Process owner
  • ICS responsible
  • SAP GRC responsible

[Image: RACI matrix for the changing of risks (RACI_Risks_Change.png)]

Deletion of Risks

Tasks

  • Delete risks within SAP GRC AC which are no longer valid
  • Document the deletion of the risk, and in particular the decision and justification for deleting it, so that it can be traced in a later audit

Involved functions

  • Risk owner
  • ICS responsible
  • SAP GRC responsible

[Image: RACI matrix for the deletion of risks (RACI_Risks_Delete.png)]

Reviewing of Risks

Tasks

  • Analyse whether the risks maintained in SAP GRC are still valid
  • Define the actions to take as a result of:
    • New business processes
    • Changes in the IT system
    • Changes in the Internal Control System

Involved functions

  • Risk owner
  • Process owner
  • ICS responsible
  • SAP GRC responsible

[Image: RACI matrix for the review of risks (RACI_Risks_Review.png)]

If you would like further information or want to contribute to this blog post, do not hesitate to contact me directly.

2 Comments


  1. Mili Airen

    Thanks Alessandro, very useful and self-explanatory. For starters like us, we get a path from where we should start thinking. The RACI matrix is very useful to think about the various duties and responsibilities.