GRC Processes, Lifecycles and Responsibilities
In this document I would like to share my experiences with setting up GRC processes, lifecycles and responsibilities. For each topic I have created a separate blog post, so that each one can be discussed and contributed to on its own. This seems to me a smooth way to bring in different perspectives and share them with everyone, following the slogan "sharing is caring".
A large share of the time in an SAP GRC project is spent on defining processes and responsibilities. My suggestion is therefore to think in lifecycles, which gives a better understanding of each process and of who takes over the responsibility at each stage. For the most common lifecycles I have created blog posts; please refer to the following:
- Firefighter ID Lifecycle
- Firefighter ID User Assignment Lifecycle
- Mitigating Control Lifecycle
- Risk Lifecycle
Each lifecycle is divided into four steps: Create, Change, Delete and Review. Each step lists the expected tasks, who is involved and who is in charge of the duty.
Additionally I have added a RACI matrix to show who is Responsible, Accountable, Consulted and Informed for each task. Please be aware that this depends very much on the point of view and may be different in your organization. My considerations are based on common sense and on thinking in terms of smooth processes across a global enterprise.
Please feel free to contribute to my posts and share your knowledge with the community. If you are missing a process or lifecycle, please request it directly with a comment on this document. I will then try to define it or share an existing process/lifecycle.
Thank you very much for your collaboration; I am looking forward to your valuable input.