Mitigation controls in SAP GRC 10.0 enable you to respond proactively to operational risks. See how several SAP GRC 10.0 integration scenarios can be used in response to the operational risk of fraud and money loss in the procure-to-pay (P2P) process.
SAP GRC 10.0 helps your risk management department put timely risk responses in place. It lets you link proactively to internal audit, security, Project System, plant maintenance, and any other department in which a risk could occur. This approach gives the business and its stakeholders visibility of the cost reductions achieved when different types of controls are put in place to remediate problems quickly. With SAP Risk Management 10.0, once a risk response is in place you can evaluate the cost reduction with the risk analysis history report, comparing expected loss trends over different time periods. If the risk response (i.e., the mitigation control) is effective, the cause of the risk is eliminated or reduced, so the expected loss attached to the residual risk falls after the control has been implemented correctly.
Because mitigation controls in SAP GRC 10.0 let you respond proactively to operational risks, you can evaluate the benefit of each type of control in monetary terms. This evaluation then serves as a lesson learned for prioritizing future risk responses and for choosing the right type of automated application control for a given operational risk. Security and segregation of duties (SoD) controls can also be used to mitigate operational risks. The following integration scenarios can be used in response to the operational risk of fraud and money loss in the procure-to-pay (P2P) process:
- SAP Risk Management 10.0 uses an existing SAP Process Control 10.0 automated control to mitigate a risk: the risk manager mitigates a specific risk with a control that the internal audit department created beforehand in SAP Process Control 10.0. See the section “Assign a Control to Mitigate the Risk” for details.
- SAP Process Control Design Assessment updates the completeness of a risk response in SAP Risk Management. See the section “The Control Design Assessment Phase.”
- SAP Process Control Testing updates the effectiveness of a risk response in SAP Risk Management (not in the scope of this article).
- SAP Access Control SoD risk analysis results are used as an SAP Process Control 10.0 automated control to mitigate an operational risk that arises from a conflict of interest. A potential conflict of interest can lead to fraud in a process and thereby generate an operational risk. Note that SoD risk analysis reports which users hold conflicting authorizations, not whether they actually executed both sides of the conflict; treat its results as a detective control over access, and look at transaction usage evidence before concluding that fraud did or did not occur.
To perform a monetary benefits evaluation correctly, you must start with the key risk indicator (KRI): design and implement an effective KRI that measures the level of the risk transparently, and record the effort that implementation takes, because that effort is part of the control's cost. Performing the risk analysis in SAP Risk Management, you can then quantify the expected money loss before and after a specific control has been implemented in SAP Process Control 10.0.
We explain this approach and analyze in detail the risk before and after an automated control, implemented in SAP Process Control 10.0, that monitors changes to tolerance key settings (the limits that decide how far an invoice or goods receipt may deviate from the purchase order before it is blocked). By comparing, for each mitigation control, the implementation cost of the automated control with the money loss avoided on the risk, you can determine which control is the best response to a specific risk.
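The cost/benefit comparison described in the last two paragraphs is easier to follow with numbers. The following Python module is an added illustration, not code from the article or from SAP; it models a risk as likelihood times impact (the way a risk analysis computes expected loss), applies one or more controls to obtain the residual risk, nets the avoided loss against implementation and recurring cost over a planning horizon, and ranks candidate controls. It also compares expected loss before and after a control's go-live period, the comparison the risk analysis history report supports. All risk, control and history figures below are constructed for illustration and are not taken from the page.

```python
"""Monetary benefit ranking of mitigation controls for one operational risk.

Added example: the numbers, control names and reduction factors are
constructed assumptions, not figures from the article or SAP GRC.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    """An operational risk quantified as annual likelihood x money impact."""
    name: str
    probability: float  # annual likelihood of occurrence, 0..1
    impact: float       # money lost if the risk materializes

    def expected_loss(self) -> float:
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    """A mitigation control with the reductions and costs attributed to it."""
    name: str
    probability_reduction: float  # fraction of likelihood removed, 0..1
    impact_reduction: float       # fraction of impact removed, 0..1
    implementation_cost: float    # one-off cost (design, build, KRI set-up)
    annual_cost: float            # recurring cost (operation, testing, review)

    def __post_init__(self) -> None:
        for field in ("probability_reduction", "impact_reduction"):
            value = getattr(self, field)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{field} must be within 0..1, got {value}")


def residual_risk(risk: Risk, controls: Sequence[Control]) -> Risk:
    """Residual risk after the controls; reductions of several controls compound."""
    p, i = risk.probability, risk.impact
    for c in controls:
        p *= 1.0 - c.probability_reduction
        i *= 1.0 - c.impact_reduction
    return Risk(risk.name, p, i)


def net_benefit(risk: Risk, control: Control, years: int) -> float:
    """Expected loss avoided over the horizon minus what the control costs over it."""
    if years < 1:
        raise ValueError("horizon must be at least one year")
    avoided_per_year = risk.expected_loss() - residual_risk(risk, [control]).expected_loss()
    total_cost = control.implementation_cost + control.annual_cost * years
    return avoided_per_year * years - total_cost


def rank_controls(risk: Risk, controls: Sequence[Control], years: int) -> List[Tuple[str, float]]:
    """Candidate controls ordered by net benefit, best first."""
    scored = [(c.name, net_benefit(risk, c, years)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def history_benefit(expected_loss_history: Sequence[float], control_period: int) -> float:
    """Drop in average expected loss per period once the control is live.

    expected_loss_history holds one expected-loss figure per analysis period;
    control_period is the index of the first period with the control in place.
    """
    before = expected_loss_history[:control_period]
    after = expected_loss_history[control_period:]
    if not before or not after:
        raise ValueError("need at least one period before and after the control")
    return sum(before) / len(before) - sum(after) / len(after)


# Constructed sample data (assumptions, not article figures).
P2P_RISK = Risk("Fraudulent invoice after tolerance key change", probability=0.30, impact=500_000.0)
CANDIDATES = [
    Control("Automated monitoring of tolerance key changes", 0.80, 0.00, 40_000.0, 5_000.0),
    Control("SoD control from Access Control risk analysis", 0.50, 0.00, 25_000.0, 10_000.0),
    Control("Manual quarterly review of tolerance keys", 0.30, 0.20, 5_000.0, 20_000.0),
]
# Expected loss per analysis period; the automated control went live in period 3.
LOSS_HISTORY = [150_000.0, 148_000.0, 152_000.0, 30_000.0, 28_000.0]

if __name__ == "__main__":
    for name, benefit in rank_controls(P2P_RISK, CANDIDATES, years=3):
        print(f"{benefit:>12,.0f}  {name}")
    print(f"history: {history_benefit(LOSS_HISTORY, 3):,.0f} less expected loss per period")
```

The ranking rewards the automated control because avoided loss accrues every year while its cost is mostly one-off; a control with low set-up cost but high recurring effort, such as a manual review, loses ground as the horizon grows, which is why the horizon is an explicit parameter rather than a fixed assumption.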