Use the Integrated Approach of SAP GRC 10.0 to Remediate Operational Residual Risk

  • by Massimo Manara, SAP Security Consultant, Aglea s.r.l.
  • Maurizio Binatti, SAP GRC Consultant, Aglea s.r.l.
  • October 2, 2012
Mitigation controls in SAP GRC 10.0 enable you to respond proactively to operational risks. See how several SAP GRC 10.0 integration scenarios can be used in response to the operational risk of fraud and money loss in the procure-to-pay (P2P) process.
Key Concept
SAP GRC 10.0 helps your risk management department put timely risk responses in place. It lets you link proactively to internal audit, security, Project System, plant maintenance, and any other department in which a risk could occur. This approach gives the business and its stakeholders visibility into the cost reductions achieved when different types of controls are put in place to remediate problems quickly. With SAP Risk Management 10.0, once a risk response is in place you can evaluate the cost reduction using the risk analysis history report and analyzing expected loss trends over different time periods. If the risk response (i.e., the mitigation control) is effective, the cause of the risk is eliminated or mitigated, so once the control is implemented correctly the expected loss related to the residual risk falls.

Mitigation controls in SAP GRC 10.0 enable you to respond proactively to operational risks. From a monetary point of view, you can evaluate the benefits of different types of controls. You can then treat this monetary benefits evaluation as lessons learned to prioritize future risk responses, choosing the type of automated application control that fits the specific operational risk. Security and segregation of duties (SoD) controls can also be used to mitigate operational risks. The following integration scenarios can be used in response to the operational risk of fraud and money loss in the procure-to-pay (P2P) process:

  • SAP Risk Management 10.0 uses an existing SAP Process Control 10.0 automated control to mitigate a risk: the risk manager mitigates a specific risk using a control that the internal audit department has just created in SAP Process Control 10.0. See the section “Assign a Control to Mitigate the Risk” for more details.
  • An SAP Process Control design assessment updates the completeness of a risk response in SAP Risk Management. See the section “The Control Design Assessment Phase.”
  • SAP Process Control testing updates the effectiveness of a risk response in SAP Risk Management (not in the scope of this article).
  • SAP Access Control SoD risk analysis results are used as an SAP Process Control 10.0 automated control to mitigate an operational risk that arises from a conflict of interest. A potential conflict of interest can lead to fraud in a process and so generates an operational risk.

To perform a monetary benefits evaluation correctly, you must start by implementing a key risk indicator (KRI), which also lets you estimate the implementation effort. First design and implement an effective KRI that measures the level of the risk transparently. Then, by performing the risk analysis in SAP Risk Management, you can quantify the expected money loss both before and after a specific control has been implemented in SAP Process Control 10.0.

We explain this approach and analyze in detail the risk before and after implementing, in SAP Process Control 10.0, the automated control related to changes to tolerance key settings. By comparing, for each mitigation control, the implementation cost of the automated control with the money loss related to the risk, you can determine which control is the best response to a specific risk.
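The comparison just described (expected loss before and after each candidate control, netted against that control's implementation cost, plus the expected loss trend over the analysis periods) can be made concrete with a small model. The following Python is an added example for this article, not code from SAP GRC or from the authors. It assumes the common simplification that expected loss equals probability of the loss event multiplied by its monetary impact; the control names, costs and probabilities are constructed for illustration and are not figures from the article.

```python
"""Added example: rank candidate mitigation controls by net monetary benefit
and show the expected-loss trend before and after a control goes live.

Assumption (not from the article): expected loss = probability * impact,
where probability is the likelihood of the loss event over the analysis
period and impact is the monetary loss if the event occurs.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class RiskAnalysis:
    probability: float  # likelihood of the loss event in the period, 0.0..1.0
    impact: float       # monetary loss if the event occurs

    def expected_loss(self) -> float:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        return self.probability * self.impact


@dataclass(frozen=True)
class ControlOption:
    name: str
    implementation_cost: float   # one-off cost of putting the control in place
    residual: RiskAnalysis       # risk analysis after the control is effective


def net_benefit(inherent: RiskAnalysis, control: ControlOption) -> float:
    """Loss avoided by the control, less what it costs to implement."""
    avoided = inherent.expected_loss() - control.residual.expected_loss()
    return avoided - control.implementation_cost


def rank_controls(inherent: RiskAnalysis,
                  controls: Sequence[ControlOption]) -> List[Tuple[str, float]]:
    """Return (name, net_benefit) pairs, best response first."""
    scored = [(c.name, net_benefit(inherent, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def expected_loss_trend(history: Sequence[Tuple[str, RiskAnalysis]]) -> List[Tuple[str, float]]:
    """Expected loss per analysis period, in the order the analyses were run."""
    return [(period, analysis.expected_loss()) for period, analysis in history]


def relative_reduction(history: Sequence[Tuple[str, RiskAnalysis]]) -> float:
    """Share of the first period's expected loss removed by the last period."""
    trend = expected_loss_trend(history)
    first, last = trend[0][1], trend[-1][1]
    if first == 0:
        raise ValueError("baseline expected loss is zero; nothing to reduce")
    return (first - last) / first


# Constructed sample data: a P2P fraud risk before any mitigation.
INHERENT = RiskAnalysis(probability=0.30, impact=500_000.0)

# Constructed candidate responses (hypothetical names, costs and residuals).
CANDIDATES = [
    ControlOption("Automated tolerance-key change monitoring", 20_000.0,
                  RiskAnalysis(0.05, 500_000.0)),
    ControlOption("SoD conflict analysis as automated control", 35_000.0,
                  RiskAnalysis(0.10, 500_000.0)),
    ControlOption("Manual quarterly review", 5_000.0,
                  RiskAnalysis(0.25, 500_000.0)),
]

# Constructed risk analysis history: the control goes live in the third period.
HISTORY = [
    ("2012-Q1", RiskAnalysis(0.30, 500_000.0)),
    ("2012-Q2", RiskAnalysis(0.30, 500_000.0)),
    ("2012-Q3", RiskAnalysis(0.10, 500_000.0)),
    ("2012-Q4", RiskAnalysis(0.05, 500_000.0)),
]


if __name__ == "__main__":
    print(f"Inherent expected loss: {INHERENT.expected_loss():,.0f}")
    for name, benefit in rank_controls(INHERENT, CANDIDATES):
        print(f"{benefit:>12,.0f}  {name}")
    for period, loss in expected_loss_trend(HISTORY):
        print(f"{period}: {loss:,.0f}")
    print(f"Reduction from first to last period: {relative_reduction(HISTORY):.1%}")
```

The ranking puts the control with the largest avoided loss net of cost first, which is the comparison the article proposes; the trend function mirrors what the risk analysis history report shows once the KRI has been measured across several periods.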

Massimo Manara

Massimo Manara is an SAP-certified security and compliance consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance. He has nearly 10 years of experience in IT security and on SAP projects, and holds bachelor’s and master’s degrees in computer science with a focus on security.


Maurizio Binatti

Maurizio Binatti is an SAP GRC consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance. He has six years of experience in SAP security, IT automated control, and internal audit best practices over different processes.
