Financial Management Blogs by Members
Dive into a treasure trove of SAP financial management wisdom shared by a vibrant community of bloggers. Submit a blog post of your own to share knowledge.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Risk Lifecycle

alessandr0
Active Contributor
‎02-23-2014 7:59 AM


A high amount of time during a SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles for getting a better understanding of the processes and who is taking over the responsibilty.

 

In this post I would like to clarify the lifecycle of Risks. I have grouped them into four steps Create, Change, Delete and Review. Please see for each step expected Tasks and who is involved.

 

On request I have additionally added the RACI matrix to see who is Responsible, Accountable,Consulted and Informed for each step. Please be aware that this is very much depending on the point of view and can be different in your organization. My considerations are commonsense and pretty much of thinking in smooth processes throughout a global enterprise.

 

Creation of Risks


 

Tasks



  • Define the SoD risk on business level (e.g. with internal auditors)

  • Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)

  • Implement the risk within SAP GRC AC

  • Validate the risk analysis results


 

Involved functions



  • Risk owner

  • Process owner

  • ICS responsible

  • SAP GRC responsible




 

Changing of Risks


 

Tasks



  • Define the changes within the SoD risk on business level (e.g. with internal auditors)

  • Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)

  • Change the risk within SAP GRC AC

  • Validate the risk analysis results


 

Involved functions



  • Risk owner

  • Process owner

  • ICS responsible

  • SAP GRC responsible




 

Deletion of Mitigation Controls


 

Tasks



  • Delete risks within SAP GRC AC which are not valid anylonger

  • Document the deletion of the risk and especially the decision to delete the risk


 

Involved functions



  • Risk owner

  • ICS responsible

  • SAP GRC responsible




 

Reviewing of Risks


 

Tasks



  • Analyse if maintained risks within SAP GRC are still valid

  • Define actions to take because of:

    • New business processes

    • Changes in the IT system

    • Changes in the Internal Control System




 

Involved functions



  • Risk owner

  • Process owner

  • ICS responsible

  • SAP GRC responsible




 

If you want to have further information or contribute in this blog post do not hesitate to contact me directly.

2 Comments
Popular Blog Posts
Top kudoed authors
View all