
GRC 10.0- How to perform Risk analysis by Org Level

Former Member
0 Kudos

Dear GRC Gurus

Requirement: When running e.g. SOD Analysis for User we would like to select a particular business unit to understand the scale of the violations within that particular area.

Scenario: We have implemented GRC10, the 2 modules are ARA and SPM. When extracting results they are for the entire group/company. What are requirements if we want to obtain breakdown by business unit/company code?

My initial thoughts are:

  • the user record would need to contain the business unit, this is not currently the case
  • the business unit in the user record would need to equate/synch to an org unit within GRC
  • within the GRC tab ‘Master Data’ there is the option ‘organisations’, we have currently maintained one node in the organisation hierarchy.  If we manually maintain the underlying company codes, as per ECC6.0 there will be no direct relationship between these GRC units and the ECC company codes.  GRC would need the logic.  Can this information be synched from ECC to GRC?

If a solution existed we would then be able to advise each business unit of the scale of violations and nature of violations in their area. 

Are further GRC modules required to realise this solution?  In order to obtain graphics by business unit what would be approach? 

Many Thanks

Accepted Solutions (1)

koehntopp
Product and Topic Expert

This is a really difficult task, as you'd have to manage your employee data extremely diligently in order to make this valuable. Once you start having reorgs it all goes down the drain quickly.

In my opinion this is usually something requested by business units, lacking understanding for the issues.

If you have SoD risk it's really not important which business unit you can put it to. You can either count the users of a business unit that have violating authorizations, or the number of violations allowing illegal access to a specific business unit's data.

I'd suggest thinking in risk instead of violations. If a specific SoD risk puts a certain business unit's data at risk, define that as an org level risk and report on it. What you're describing does not seem to be useful in my opinion.

Frank.

Former Member
0 Kudos

Hi Frank,

Thanks for your response.

In this scenario, there are multiple business units operating almost independently, but are part of the overall group.

The Financial Controllers for each business unit would like to get a view of the level of violations/risk within their area of responsibility - what is the best way to achieve this?

The same access risks will apply across each of the business units.

Thanks,

Maeve

koehntopp
Product and Topic Expert
0 Kudos

Again, what is it they want to know?

- The people in their group with SoD violations, even if they give access to somewhere else in the company?

- The people in or outside their group with access to their data?

If you want to report on people the best guess is to use user groups, which you will have the challenge to maintain.

If you want access risk, define respective org rules.

Frank.
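To make the two reporting options in Frank's answers concrete, the following is an added example (not from the post and not SAP GRC code): it evaluates a tiny constructed rule set against constructed user authorizations and produces (a) a count of violating users per maintained user group, which is the "people in their group with SoD violations" view, and (b) a count of violations per company code where both conflicting functions are actually authorized for that company code, which is what an org level rule on BUKRS expresses. All user IDs, group names, function names, risk IDs and company codes are hypothetical, and the org level matching (wildcard expansion and intersection on company code) is a simplification of how GRC org rules work.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from itertools import product

# Constructed data: company codes (BUKRS values) known to the landscape.
COMPANY_CODES = ("1000", "2000")


@dataclass(frozen=True)
class Auth:
    """One authorized business function restricted to a company code ("*" = all)."""
    function: str
    bukrs: str


@dataclass
class User:
    uid: str
    group: str                # maintained user group, treated as the person's business unit
    auths: frozenset          # frozenset[Auth]


# Constructed SoD rule set: risk ID -> pair of conflicting functions (hypothetical names).
RISKS = {
    "P001": ("AP_INVOICE_POST", "VENDOR_MASTER_MAINT"),
    "P002": ("PAYMENT_RUN", "BANK_MASTER_MAINT"),
}


def expand(bukrs, company_codes=COMPANY_CODES):
    """Resolve a BUKRS value to the concrete set of company codes it grants."""
    return set(company_codes) if bukrs == "*" else {bukrs}


def find_violations(user, risks=RISKS, org_level=False):
    """Return the SoD hits for one user as (risk_id, company_code) tuples.

    org_level=False: a hit whenever the user holds both functions, regardless of
    company code (company_code is reported as None).
    org_level=True: a hit only for company codes where both functions overlap,
    i.e. the conflict is exploitable against that company code's data.
    """
    hits = []
    for risk_id, (f1, f2) in risks.items():
        left = [a for a in user.auths if a.function == f1]
        right = [a for a in user.auths if a.function == f2]
        if not left or not right:
            continue
        if not org_level:
            hits.append((risk_id, None))
            continue
        codes = set()
        for a, b in product(left, right):
            codes |= expand(a.bukrs) & expand(b.bukrs)
        hits.extend((risk_id, code) for code in sorted(codes))
    return hits


def violating_users_by_group(users, risks=RISKS):
    """Option 1: per user group, how many of its users hold any violating combination."""
    counts = defaultdict(int)
    for u in users:
        if find_violations(u, risks, org_level=False):
            counts[u.group] += 1
    return dict(counts)


def violations_by_company_code(users, risks=RISKS, company_codes=COMPANY_CODES):
    """Option 2: per company code, how many (user, risk) conflicts can reach its data."""
    counts = {code: 0 for code in company_codes}
    for u in users:
        for _risk_id, code in find_violations(u, risks, org_level=True):
            counts[code] += 1
    return counts


# Constructed users. alice holds the conflicting functions in different company
# codes: a violation in the user-group view, but no org level hit for either code.
USERS = [
    User("alice", "UK", frozenset({Auth("AP_INVOICE_POST", "1000"),
                                   Auth("VENDOR_MASTER_MAINT", "2000")})),
    User("bob", "DE", frozenset({Auth("AP_INVOICE_POST", "1000"),
                                 Auth("VENDOR_MASTER_MAINT", "1000")})),
    User("carol", "UK", frozenset({Auth("PAYMENT_RUN", "*"),
                                   Auth("BANK_MASTER_MAINT", "2000")})),
    User("dave", "DE", frozenset({Auth("AP_INVOICE_POST", "2000")})),
]


if __name__ == "__main__":
    print("violating users per group:", violating_users_by_group(USERS))
    print("org level violations per company code:", violations_by_company_code(USERS))
    for u in USERS:
        print(u.uid, find_violations(u, org_level=True))
```

Note that bob, who sits in the "DE" user group, is the one creating the org level hit on company code 1000, while alice's cross-company-code combination shows up only in the group report; this is exactly why the two numbers answer different questions for a Financial Controller.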

Answers (0)