GRC AC 10.1 - Re-Assign Business Process for Access Risk ID
We are thinking of updating the business processes assigned to standard access risks that are of the segregation of duties type. Before making any changes, we wanted to understand if there would be any adverse impacts to changing it. For example, we know that the first letter of the access risk ID is related to the business process (e.g. F = Finance). Changing the assigned business process would disconnect that relationship, but does that matter? Or do we need to create a custom access risk ID using the naming convention of the new business process? For example, if you changed F002 from Finance to Order to Cash, should we create a new access risk called ZS002 and make the old risk inactive?
Any help is appreciated. I wasn't able to find much information about the link between business process and access risk ID.
Plaban Sahoo replied
Risks are made up of functions, and technically will have no impact on calculation of risk.
The 'access rule summary' in the 'Report and Analytics' tab has Risk against Business process. So, this report will be impacted. This report will show risks, but the Business process will have a changed naming convention in comparison to the previous month.