
Business Risks / Rule Set

To get a better understanding of how a business risk occurs, we have to understand the process by which GRC identifies a risk, and the key terms used to describe it. One or more business risks can be covered by a rule set, which is also shown below. Let’s start with the key terms that specialists use when talking about GRC.

Key Terms


Business Process – used to classify risks, rules and rule sets by business function. E.g. Order to Cash, Purchase to Pay, etc. are all types of Business Processes. All risks and functions are assigned to business processes.


Business Risk – identifies potential problems your enterprise may encounter which could cause errors or irregularities within the system.


Business Function – identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.


Actions – known as transactions in SAP. Performing a function may require more than one transaction.


Permissions – authorization objects in SAP, which form part of transactions.

Risk Rule – the possible combinations of transactions and permissions for a business risk. More about risk rules and types of rules can be found here.

Rule set – categorizes and aggregates the rules generated from risks. When you define a risk, you attribute one or more rule sets to that risk, similar to business processes.

The graphic below shows the architecture of a business risk. Basically, two business functions, for example accounts payable payments and vendor master maintenance, are defined as a business risk. The business risk is called “SOD required between accounts payable payments and vendor master maintenance” and says that these two functions should be properly segregated. The business risk, technically named XGPR0005 in my example, is assigned to a rule set. While analyzing a user, GRC compares the rule set with the user’s actual authorizations in SAP. Technically, GRC compares the authorizations described by the rule set with the actual authorizations in SAP at permission level and reports a match wherever the user holds authorizations that should be segregated.


To make it clearer, here is another graphic specifically designed for the above-mentioned SOD conflict “SOD required between accounts payable payments and vendor master data maintenance”.




As seen above, business risks are a combination of two business functions which shouldn’t be performed by one single person. One or more business risks can be categorized in a rule set, which is required to run the risk analysis. Another graphic, based on the architecture shown above, shows a typical example of a rule set.


This example also shows that a business function (here Business Function 2) can conflict with one or more other business functions. Let’s say Business Function 2 is “Accounts payable payments”, which conflicts with “Vendor master data maintenance” (shown as Business Function 1) and also with “Bank Reconciliation” (shown as Business Function 3). Hence a business function can be assigned to two or more business risks.
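To show in one place how the key terms above fit together (functions made of actions and their permissions, risks made of functions, risk rules as the combinations of those actions, a rule set aggregating several risks, and the permission-level comparison against a user’s authorizations), here is an added Python example. It is not part of the original post and is not GRC’s own code or data model. The only values taken from the post are the transactions FK01 and FBZ0 and the risk ID XGPR0005; the other transaction codes, the authorization objects and field values, the second risk ID, the rule-numbering scheme and the three sample users are constructed for illustration.

```python
"""Toy model of a GRC rule set: functions -> risks -> risk rules -> analysis.
Constructed for illustration; not GRC's data model or code."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Action:
    """An SAP transaction and the permissions needed to execute it.
    Each permission is a tuple (authorization object, field, value)."""
    tcode: str
    permissions: frozenset


@dataclass(frozen=True)
class Function:
    """A business function: the actions an employee needs for one task."""
    func_id: str
    name: str
    actions: tuple


@dataclass(frozen=True)
class Risk:
    """A business risk: functions that must not all be held by one person."""
    risk_id: str
    description: str
    functions: tuple


def make_action(tcode, *extra):
    """Every transaction needs S_TCODE for its code plus its own objects."""
    return Action(tcode, frozenset({("S_TCODE", "TCD", tcode), *extra}))


# Constructed sample data: only FK01, FBZ0 and XGPR0005 come from the post;
# F110, FF67, the authorization objects/values and XGPR_EXAMPLE2 are assumed.
VENDOR_MASTER = Function("BF1", "Vendor master data maintenance",
                         (make_action("FK01", ("F_LFA1_APP", "ACTVT", "01")),))
AP_PAYMENTS = Function("BF2", "Accounts payable payments",
                       (make_action("FBZ0", ("F_REGU_BUK", "FBTCH", "11")),
                        make_action("F110", ("F_REGU_BUK", "FBTCH", "21"))))
BANK_RECON = Function("BF3", "Bank reconciliation",
                      (make_action("FF67", ("F_BKPF_BUK", "ACTVT", "01")),))

# The rule set aggregates the risks; BF2 appears in both, as in the post.
RULE_SET = [
    Risk("XGPR0005", "SOD required between accounts payable payments "
         "and vendor master maintenance", (AP_PAYMENTS, VENDOR_MASTER)),
    Risk("XGPR_EXAMPLE2", "SOD required between accounts payable payments "
         "and bank reconciliation", (AP_PAYMENTS, BANK_RECON)),
]


def generate_risk_rules(risk):
    """Expand a risk into risk rules: one rule per combination that takes one
    action from each of its functions.  The 4-digit hex ids are a local
    convention, not GRC's numbering."""
    combos = product(*(f.actions for f in risk.functions))
    return {f"{i:04X}": combo for i, combo in enumerate(combos, 1)}


def analyze_user(user_auths, rule_set):
    """Permission-level analysis: a rule matches only if the user holds every
    permission of every action in it.  Returns (risk id, rule id, tcodes)."""
    hits = []
    for risk in rule_set:
        for rule_id, actions in generate_risk_rules(risk).items():
            needed = set().union(*(a.permissions for a in actions))
            if needed <= user_auths:
                hits.append((risk.risk_id, rule_id,
                             tuple(a.tcode for a in actions)))
    return hits


def auths_for(*actions):
    """The full permission set a role would grant for these actions."""
    return set().union(*(a.permissions for a in actions))


# Constructed users for the walk-through.
CLERK = auths_for(*VENDOR_MASTER.actions, AP_PAYMENTS.actions[0])   # FK01 + FBZ0
DISPLAY_ONLY = auths_for(*VENDOR_MASTER.actions) | {("S_TCODE", "TCD", "FBZ0")}
TREASURY = auths_for(AP_PAYMENTS.actions[1], *BANK_RECON.actions)   # F110 + FF67

if __name__ == "__main__":
    for name, auths in (("CLERK", CLERK), ("DISPLAY_ONLY", DISPLAY_ONLY),
                        ("TREASURY", TREASURY)):
        print(name, analyze_user(auths, RULE_SET))
```

Running the block reports CLERK under rule 0001 of XGPR0005 (FBZ0 together with FK01), DISPLAY_ONLY under nothing, because holding only the S_TCODE entry for FBZ0 does not satisfy a permission-level rule, and TREASURY under the second risk. A user holding all three functions is reported under both risks, which is the case from the last paragraph of one function being assigned to two business risks.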

I hope this document helps you understand the concept of a rule set and how a rule set works from an architectural point of view.

Please do not hesitate to collaborate and share your knowledge.

Best regards,


  • Hi Alessandro,

    Good document… It would be more informative if you could explain risk rule 1, 2, … (like the permutation of different tcodes of conflicting functions).



    • Hi Mammon,

      thanks for your feedback. Risk Rules are the possible combinations of transactions and authorizations in a business risk. As we can see in the second graphic, Risk Rule 000B is a combination of FBZ0 and FK01, etc. All possible combinations are reflected in a risk rule.

      Would you like to have more information in this regard?

      Thanks and regards,


  • Hi Alessandro,

    Thank you for the guides – very helpful. However, I have a situation which I just cannot solve – we are on 10.1. We have a requirement where, if any two of three functions are met, it should trigger the SoD risk. The generated rules have an automated “AND” condition between the three functions, so it does not work (it only works if all three functions are met). The workaround seems to be to create three risks, but this defeats the whole purpose. Is there any way we can change the default condition from AND to OR?



  • Till now I was struggling with GRC knowledge. But after reading this document I think my idea about GRC is getting much clearer… Thanks a lot for a perfect guide. If you have time, please publish some documents on R/3 Security as well. Good guide for starters.