madhusap
Active Contributor

Introduction


Request Mitigation Policy is a set of rules that controls the GRC access request approval behaviour when the request carries risk violations. The rules are keyed on the “Risk Type” and “Risk Level” of the violations reported by risk analysis in the access request; additional request attributes can also be used as conditions when customizing the Mitigation Policy rules.


SAP delivers a predefined BRF+ application and a BRF+ function mapping that decide the risk mitigation policy for GRC. You can either delete this mapping or change the BRF+ rules as per your requirement, so that approvers are forced to mitigate only the risks you select in a request.


Requirement


Customers usually require that only specific types of risk be mitigated after risk analysis has run at stage level. In our case the customer wants SoD risks (High, Medium and Low) to be mitigated, while Critical Action risks (High, Medium and Low) and Critical Permission risks (High, Medium and Low) do not require mitigation.


Solution


The MSMP workflow stage task setting that governs approval despite risk is tied to a BRF+ configuration.


The configuration is available through the following path:
SPRO => Governance, Risk and Compliance => Access Control => Maintain AC Applications and BRFPlus Function Mapping, then check the mapping for the application "Request Mitigation Policy".


Under Application Mapping there is the Application ID 'Request Mitigation Policy'. The BRF+ function for this application ID is maintained by default. The BRF+ rule identifies which risks require mitigation and which do not. If no BRF+ rule has been created for the Mitigation Policy, remove the entry from the IMG.

If the “Request Mitigation Policy” entry is deleted from Maintain AC Applications and BRFPlus Function Mapping, GRC will not allow approvers to approve the request until all risks are mitigated.

Hence we customized the Request Mitigation Policy rule according to our requirement (the approach described in SAP Note 2212543). The steps are as follows:

Configuration Setting 1

The stage-level setting “Approve Despite Risk” is set to “No”.

Configuration Setting 2

Parameter 1072 (Mitigation of critical risk required before approving the request) is set to “NO”. Even if it is set to “YES”, the mitigation policy overrides this setting based on the rules configured in BRF+.


Configuration Setting 3

SPRO => Governance, Risk and Compliance => Access Control => Maintain AC Applications and BRFPlus Function Mapping, then check the mapping for the application "Request Mitigation Policy".

The Request Mitigation Policy mapping is maintained and associated with the MSMP process ID “SAP_GRAC_ACCESS_REQUEST”.



Open BRF+ in “Expert Mode”; if you are not in Expert Mode, use the “Personalize” button to switch to it, as shown below:





The BRF+ Mitigation Policy application delivered by SAP is “GRAC_BRFP_MIT_POLICY”.



Open the function of the Mitigation Policy BRF+ application and create a top expression of type “Decision Table”. This decision table is where you define your mitigation policy rules: the risk type and risk level of a violation are the conditions, and whether that violation must be mitigated is the result.





Verify your decision table entries, then save and activate the decision table.





Save and activate the function and the application; once that is done, use Function Simulation to verify the results.
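To reason about the rule set before building it in BRF+, the following added example (not SAP code, and not the blog author's configuration) models the decision table as an ordered list of rows with first-match semantics and a catch-all row, then applies it as the approval gate the blog describes: a request with one SoD and one Critical Action violation is blocked until the SoD violation is mitigated, and can then be approved with the Critical Action violation still open. It also goes one step beyond the blog's table by showing a stricter variant with a risk-level-specific row, to illustrate why row order matters. The risk type and level values, the risk IDs, the request structure and the function names are assumptions of this model; the real BRF+ function signature and context fields are not shown on this page.

```python
"""Model of a Request Mitigation Policy decision table and the approval gate.

Added example, not SAP or BRF+ code. Field names, values and risk IDs are
assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PolicyRow:
    """One decision-table row; None in a condition column means 'any value'."""
    risk_type: Optional[str]
    risk_level: Optional[str]
    mitigation_required: bool


# Decision table equivalent to the blog's requirement: SoD risks of every
# level must be mitigated, Critical Action and Critical Permission risks
# need not be. Rows are evaluated top to bottom and the first match wins;
# the last row is the catch-all for any risk type the table does not name.
MITIGATION_POLICY: List[PolicyRow] = [
    PolicyRow("SOD", None, True),
    PolicyRow("CRITICAL_ACTION", None, False),
    PolicyRow("CRITICAL_PERMISSION", None, False),
    PolicyRow(None, None, True),  # fail safe: unknown risk type must be mitigated
]

# Stricter variant (assumption, not the blog's table): High Critical
# Permission risks must be mitigated. The specific row has to come before
# the generic CRITICAL_PERMISSION row, otherwise it is never reached.
STRICTER_POLICY: List[PolicyRow] = [
    PolicyRow("SOD", None, True),
    PolicyRow("CRITICAL_PERMISSION", "HIGH", True),
    PolicyRow("CRITICAL_ACTION", None, False),
    PolicyRow("CRITICAL_PERMISSION", None, False),
    PolicyRow(None, None, True),
]


def mitigation_required(risk_type: str, risk_level: str,
                        policy: List[PolicyRow] = MITIGATION_POLICY) -> bool:
    """Evaluate the decision table for one violation (first matching row wins)."""
    for row in policy:
        if row.risk_type not in (None, risk_type):
            continue
        if row.risk_level not in (None, risk_level):
            continue
        return row.mitigation_required
    # No row matched at all: behave like the IMG mapping being deleted,
    # i.e. every risk must be mitigated before approval.
    return True


@dataclass
class Violation:
    """One risk violation reported by risk analysis on an access request."""
    risk_id: str
    risk_type: str
    risk_level: str
    mitigated: bool = False


def blocking_violations(violations: List[Violation],
                        policy: List[PolicyRow] = MITIGATION_POLICY) -> List[Violation]:
    """Violations that are unmitigated and that the policy says must be mitigated."""
    return [v for v in violations
            if not v.mitigated and mitigation_required(v.risk_type, v.risk_level, policy)]


def can_approve(violations: List[Violation],
                policy: List[PolicyRow] = MITIGATION_POLICY) -> bool:
    """The approval gate: approval is allowed only when nothing is blocking."""
    return not blocking_violations(violations, policy)


def sample_request() -> List[Violation]:
    """Constructed request mirroring the blog's test: one SoD and one Critical Action risk."""
    return [
        Violation("SOD_RISK_1", "SOD", "HIGH"),
        Violation("CA_RISK_1", "CRITICAL_ACTION", "HIGH"),
    ]


if __name__ == "__main__":
    req = sample_request()
    print("blocking before mitigation:", [v.risk_id for v in blocking_violations(req)])
    req[0].mitigated = True  # approver mitigates the SoD risk only
    print("can approve after mitigating SoD only:", can_approve(req))
```

The catch-all row is the important design choice: a table without it would silently exempt any risk type you forgot to list, whereas this model falls back to "mitigation required", which is the same behaviour GRC shows when the mapping is removed from the IMG.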







After this we created a GRC request with SoD and Critical Action risk violations. The approver was prompted to mitigate only the SoD risks, and once those were mitigated the request could be approved without mitigating the Critical Action risk violations.



The request has SoD risk violations which are not mitigated, as shown below:

 



The request has Critical Action risk violations which are unmitigated, as shown below:



When the approver tried to approve the request, GRC stopped the approval with the error message shown below:



The approver mitigated the SoD risk violations in the request.



After mitigating the SoD risk violations, the approver is able to approve the request without mitigating the Critical Action risk violations.



The Critical Action risk violations remain unmitigated and the approver can still approve the request.



The Mitigation Policy can be customized to your requirements by creating different rules in the Mitigation Policy BRF+ application.

References

SAP Note 2212543 - How to enforce mitigation of only a specific type of Risk ID

SAP Note 1614290 - Risk Analysis Mandatory for Access Request

Thanks for reading.

Looking forward to your valuable inputs for updating/improving the blog with all relevant details :smile:

Best Regards,

Madhu Babu Sai
