on 05-06-2008 9:43 PM
Does anyone know how SAP defines the risk criticality ratings for the SAP default ruleset in RAR? For example, what makes a risk Critical vs. High?
Thank you both - great feedback
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must also keep in mind that the terms "critical" and "high" are different sides of the risk equation. The classic risk equation is Probability x Impact = Risk Level. Substituting the terms above you get: Probability x "Critical" = "High". For RM 2.0 you need to configure the system (or set Quantitative Thresholds in the Org) to create definitions for what the Impact levels mean for your customer (they're subjective until defined). This is true for both Inherent and Residual Risk.
There is no definition of HIGH, MEDIUM or LOW given therefore you have to decide what your definitionsof these ratings are and whether the standard ruleset suggestions are appropriate for you and your company.
You should treat the standard ruleset as a "starting point" and not as the "end point". Unfortunately alot of companies treat the standard ruleset as though it is perfect in every way. Logically this can not be the case because it would suggest that the standard rulset would be appropriate for all versions of SAP in all countries for all modules and for all legistlative and internnal requirements which it can not be.
Therefore you should start with the standard ruleset and convert it into something that is more appropriate for your business.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
As I understand it, critical is never used in the default rule set.
The other levels are just proposals, every customer needs to make their own individual judgement on this. What's HIGH for one company may be irrelevant to another.
Frank.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.