A high amount of time during a SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles for getting a better understanding of the processes and who is taking over the responsibilty.
In this post I would like to clarify the lifecycle of Risks. I have grouped them into four steps Create, Change, Delete and Review. Please see for each step expected Tasks and who is involved.
On request I have additionally added the RACI matrix to see who is Responsible, Accountable,Consulted and Informed for each step. Please be aware that this is very much depending on the point of view and can be different in your organization. My considerations are commonsense and pretty much of thinking in smooth processes throughout a global enterprise.
Creation of Risks
Tasks
- Define the SoD risk on business level (e.g. with internal auditors)
- Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)
- Implement the risk within SAP GRC AC
- Validate the risk analysis results
Involved functions
- Risk owner
- Process owner
- ICS responsible
- SAP GRC responsible
Changing of Risks
Tasks
- Define the changes within the SoD risk on business level (e.g. with internal auditors)
- Evaluate the necessary transactions to execute the SoD conflict (transaction and authorization)
- Change the risk within SAP GRC AC
- Validate the risk analysis results
Involved functions
- Risk owner
- Process owner
- ICS responsible
- SAP GRC responsible
Deletion of Mitigation Controls
Tasks
- Delete risks within SAP GRC AC which are not valid anylonger
- Document the deletion of the risk and especially the decision to delete the risk
Involved functions
- Risk owner
- ICS responsible
- SAP GRC responsible
Reviewing of Risks
Tasks
- Analyse if maintained risks within SAP GRC are still valid
- Define actions to take because of:
- New business processes
- Changes in the IT system
- Changes in the Internal Control System
Involved functions
- Risk owner
- Process owner
- ICS responsible
- SAP GRC responsible
If you want to have further information or contribute in this blog post do not hesitate to contact me directly.