Risk Management 
Risks are the core objects that identify the potential access problems your enterprise may encounter. The elements that make up a risk are its attributes. Risk management uses the attribute descriptions to generate rules.
Risks are object definitions:
When you create a risk, you define its attributes.
When you modify a risk, you change its attributes.
The attributes of a risk are:
| Attribute | Description |
|---|---|
| Risk ID | The identification code of the risk. |
| Description | A short, plain-text description of the risk and its purpose. |
| Risk Type | The nature of the risk. The three risk types are described in the following rows. |
| Risk Type: Segregation of Duties (SoD) risk | A combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability. In the case of two conflicting actions, an employee may have permission to perform one of these actions, but not both. This risk can have between 2 and 5 functions. |
| Risk Type: Critical Action risk | Certain actions are risky in themselves. Any employee who has permission to perform one of these actions automatically poses a risk. Defining a critical action risk ensures that the risk analysis process identifies any employee who is assigned this action. You can define a critical action to include both the action and the corresponding permissions that allow the user to perform it. This risk can have only one function. |
| Risk Type: Critical Permission risk | Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned a potentially risky permission. Use this type if the permission has been enabled but has no actions. This risk can have only one function. |
| Risk Level | The severity of the risk. Risk levels are Low, Medium, High, and Critical. Each enterprise defines its own severity requirements for risks. You use the Risk Level attribute to categorize risks, and the rules they generate, by severity. |
| Business Process | A user-defined attribute used to associate a risk (or a function) with a specific aspect of your enterprise. |
| Status | The setting that determines whether or not the risk is enabled. |
| Conflicting Functions | The functions that constitute the risk. The risk can be defined on the actions included in the functions, or on the permissions associated with those actions. Note: in the case of a critical action or critical permission risk, the risk definition includes a single function. |
| Detailed Description | A full-length text description of the risk. |
| Control Objective | A full-length text description of the auditing control that the risk targets. |
| Risk Owners | The employee or employees who have oversight responsibility and final approval authority for any steps taken to mitigate the risk. If Workflow is enabled, this information flows into Workflow. |
| Rule Sets | User-defined attributes used to associate a risk, and the rules it generates, with collections of risk analysis rules. For example, you might have a rule set that includes all rules of interest to Human Resources, and another rule set solely for use by auditors. |
When you create or modify a risk, remember that all of the attributes are mandatory.
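The following is an added example, not the product's own code or data model: a hypothetical Python model of the attributes above that enforces the function-count rule for each risk type (2 to 5 functions for an SoD risk, exactly 1 for a critical action or critical permission risk), generates one rule per combination of actions across the conflicting functions, and runs a risk analysis over a user's assigned actions. All risk IDs, action names and the `Risk`/`analyze` names are constructed for illustration.

```python
# Added example (not the product's code): hypothetical risk model and analysis.
from dataclasses import dataclass
from enum import Enum
from itertools import product

class RiskType(Enum):
    SOD = "Segregation of Duties"
    CRITICAL_ACTION = "Critical Action"
    CRITICAL_PERMISSION = "Critical Permission"

RISK_LEVELS = ("Low", "Medium", "High", "Critical")

@dataclass(frozen=True)
class Risk:
    risk_id: str
    risk_type: RiskType
    risk_level: str
    enabled: bool       # the Status attribute
    functions: tuple    # conflicting functions, each a frozenset of actions

    def __post_init__(self):
        if self.risk_level not in RISK_LEVELS:
            raise ValueError(f"{self.risk_id}: unknown risk level {self.risk_level!r}")
        n = len(self.functions)
        if self.risk_type is RiskType.SOD and not 2 <= n <= 5:
            raise ValueError(f"{self.risk_id}: an SoD risk needs 2 to 5 functions, got {n}")
        if self.risk_type is not RiskType.SOD and n != 1:
            raise ValueError(f"{self.risk_id}: a critical risk needs exactly 1 function, got {n}")

    def generate_rules(self):
        """One rule per combination of one action from each conflicting function.
        A critical risk, having a single function, yields one rule per action."""
        return [frozenset(combo) for combo in product(*self.functions)]

def analyze(risks, assigned_actions):
    """Risk analysis for one user: {risk_id: [rules the user matches]}.
    An SoD rule matches only if the user holds every action in it, so holding
    one side of a conflict is not a finding. Disabled risks are skipped."""
    findings = {}
    for risk in risks:
        hits = [r for r in risk.generate_rules() if r <= assigned_actions] if risk.enabled else []
        if hits:
            findings[risk.risk_id] = hits
    return findings

# Constructed sample risks with hypothetical action names.
SOD_RISK = Risk("P001", RiskType.SOD, "High", True,
                (frozenset({"CREATE_VENDOR", "CHANGE_VENDOR"}), frozenset({"POST_PAYMENT"})))
CRITICAL_RISK = Risk("B001", RiskType.CRITICAL_ACTION, "Critical", True,
                     (frozenset({"OPEN_POSTING_PERIOD"}),))
```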
Note
When you create or maintain a risk and save it, you see either a Save or a Submit pushbutton.
If you see Save, Workflow has not been enabled. If you see Submit, Workflow is enabled; in that case, a workflow task notifies the risk owner of the new risk task.
When the task has been approved, the application saves the risk changes and the rules can be generated.
The tasks associated with managing risks include creating, modifying, and deleting risks.