on 01-27-2014 2:52 AM
Dear GRC consultants,
I was working with a GRC 5.3 system in my previous project. Recently we migrated to GRC 10.0. I always had a question on my mind about GRC mitigation controls being attached to business units or Org.Units.
Why does a mitigation control need to be tagged to a business unit [GRC 5.3] or to an Org.Unit [GRC 10.0]?
What is the benefit of tagging a control to these units or Org.Hierarchy?
Although I am creating mitigation controls following the process provided by documents, I wanted to understand the reason behind this. Someone please help me to understand the purpose of Business Unit or Org.Unit and how they are beneficial in the GRC process.
Thanks in advance.
Regards,
Sai.
Hi Sai,
There is no difference between Business Unit and Org Unit. In GRC 5.3 it is called Business Unit, and in GRC 10.0 it is called Organization Unit. In 10.0 we basically create a root organization, and under the root organization we create child organizations (nothing but business units). You define the child orgs based on your client's requirements.
The reason these child organizations are required is that, when creating mitigation control IDs, it will ask for an organization unit (nothing but a business unit). You will define different mitigation controls for different business processes. It should be easy for your customer to identify them....
Regards
Ravikumar.ch
Hi Ravi,
Thanks a lot for your insight in this.
I understand there is no difference between Business Units and Org.Units.
But I wanted to understand why Org.Hierarchy is being used in the case of mitigation controls. Why do they not use the business process, which is being used while creating Functions and Risks?
What is the difference between Org.Hierarchy and Business Process? Why should a mitigation control be assigned to an Org.Hierarchy? I doubt there should be some important benefit out of it rather than just identifying mitigation controls for different Org.Units.
Regards,
Sai.
Hi Sai,
Org Hierarchy is nothing but your company and its different child units (org units), and Business Process is nothing but things like Finance, HR, Basis....
Whenever you create mitigation controls in 10.0, it will ask for two things: Org Hierarchy and process. In this case you need to segregate your mitigation controls by Org Hierarchy and by process, according to how you want to create these controls.
Because large orgs will have a lot of risks, at the time of mitigation you could not understand which type of ID is to be assigned to which risk. If you create process-wise mitigation controls, you can easily assign a particular mitigation control ID to particular risks.
And with Org Hierarchy you will define particular mitigation IDs for particular org units, because some org units have their own functionalities. That is why the organization hierarchy is important at the time of mitigation control ID creation.
And one thing: in GRC 5.3 we used Business Units, and in 10.0 just the name changed to Organization Units, that's it......... both should be the same......
I think I have provided helpful information for you. If you have any doubt, let me know......
Regards
Ravikumar.ch
Hello Sai,
There can be multiple business units under one Organisation. When you create a mitigation control under an organisation, it will be applicable to all business units tagged to that organisation.
However, when you tag a mitigation control to a business unit, it will be available only for that BU. While mitigating, you can filter mitigation controls based on business unit. If it is applicable only for a BU, then it will not show for other business units.
Hope it helps