Risk Analysis

A Risk is defined as two or more actions or permissions that, when available to a single user, or single role, profile, organizational level, MIC, or HR Object, create the possibility of error or irregularity.

There are thousands of action combinations that can be categorized as risks. Risks can also be defined by different combinations of permissions associated with specific actions. Another name for combinations of two or more actions is functional group. Individual users, roles, or profiles can access risks or functional groups to perform a specific business function.

Reports of Risks are available in the Informer tab. The procedure for creating these reports is in the next topic, Performing a Risk Analysis.

When you find a risk in a report, you resolve, or remediate, the risk by either removing it or by applying a mitigating control. This procedure is presented in a later topic in this guide: Resolving Risks.

To identify the risks produced in the Risk Analysis reports, you need to know the combinations of actions and permissions that represent conflicts in your organization. The combinations are processed in the Rule Architect tab, which is covered in a later topic in this guide. The Rule Architect provides the tools to define Risks and Business Processes, and it generates the Rules used to oppose the Risks.

The Risk Terminator service is also an important part of Risk Analysis and Remediation.

Note: The Risk Terminator service is a tool that resides in the back-end SAP ABAP system and notifies you when a risk violation occurs. Risk Terminator options are disabled by default. You configure Risk Terminator to activate the default options. For more information, see the SAP GRC Access Control Configuration documentation. The Configuration tab does not provide any settings for Risk Terminator.

When you perform a Risk Analysis or a Simulation in the Informer tab, the module reports the SoDs, critical actions, roles, or profiles for each user, role, HR object, organizational level, or MIC included in the analysis. As mentioned, your company's generated rules are used when you perform Risk Analysis.

To display a report category screen, you select a report category from the navigation bar under the Risk Analysis node.

You can generate reports presenting different types of information, including reports presenting risks or conflicts, or the use of critical actions by the User, Role, Profile, Organizational Level, MIC, or the HR Object that was used in the analysis. You can also use these reports to view mitigated risks, and risks that have not yet been remediated. The procedure for creating reports is found in the next topic, followed by some report options.
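
As an added illustration (not SAP's code or delivered rule set), the sketch below evaluates risks the way this topic describes them: combinations of actions that become a risk when a single user or role holds them together, reported as open or mitigated. The functional groups, risk IDs, roles, users, mitigation assignments, and all function names are constructed assumptions.

```python
from itertools import product

# Constructed sample data, not a delivered rule set.
# A functional group is a set of actions that serves one business function.
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02"},
    "PAYMENTS": {"F-53", "F110"},
    "PO_PROCESSING": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
}
# A risk names two or more functional groups one subject should not hold together.
RISKS = {
    "R001": ("VENDOR_MAINT", "PAYMENTS"),
    "R002": ("PO_PROCESSING", "GOODS_RECEIPT"),
}
ROLES = {
    "AP_CLERK": {"FK01", "FK02", "FB60"},
    "TREASURY": {"F-53"},
    "BUYER": {"ME21N"},
    "WAREHOUSE": {"MIGO"},
}
USERS = {"alice": ["AP_CLERK", "TREASURY"], "bob": ["BUYER"],
         "carol": ["BUYER", "WAREHOUSE"]}
# (subject, risk) pairs covered by a mitigating control (constructed).
MITIGATIONS = {("carol", "R002")}


def user_actions(user):
    """Union of the actions granted by every role assigned to the user."""
    return set().union(*(ROLES[r] for r in USERS[user]))


def analyze(subject, held):
    """Findings for one subject (user or role) holding the given actions."""
    findings = []
    for risk_id, funcs in sorted(RISKS.items()):
        per_func = [sorted(FUNCTIONS[f] & held) for f in funcs]
        if not all(per_func):
            continue  # one side of the conflict is missing: no risk
        status = "mitigated" if (subject, risk_id) in MITIGATIONS else "open"
        # Every cross-function action combination held is one violation.
        findings.append({"risk": risk_id, "combos": list(product(*per_func)),
                         "status": status})
    return findings


def report():
    """User-level analysis: each role may be clean while the user is not."""
    return {u: analyze(u, user_actions(u)) for u in sorted(USERS)}
```

Analyzing a role on its own, for example `analyze("AP_CLERK", ROLES["AP_CLERK"])`, returns no findings, while the user who holds that role together with `TREASURY` shows an open risk; this is why the analysis object (user, role, profile) matters when reading the reports.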