What is it?
Access Risk Management is the discipline of managing access risks. It comprises the methods, processes, responsibilities, tools and documentation needed to ensure that authorization management in an organization stays compliant overall.
Many software solutions such as IBS CheckAud(c) or Virtual Forge System Profiler(c) provide the functionality needed to analyze the access granted to roles and users within SAP(c) systems. SAP offers SAP GRC Access Control to manage access risks seamlessly across SAP and non-SAP systems. Within SAP GRC Access Control, Access Risk Analysis (ARA) is the component that analyzes authorizations in numerous backend systems.
The application focuses on the sustainable analysis, mitigation and prevention of segregation of duties (SoD) violations and critical access. Access risks can be monitored in real time so that companies are always aware of possible risk violations on the systems connected to SAP GRC. Besides real-time analysis, the tool also offers preventive measures for remediation and cleansing.
Those functions can be applied before a possible violation reaches the productive system. If roles are also created with the GRC suite (using the Business Role Management (BRM) application), a risk analysis can be run at role level, so that companies can build a clean role setup without any violating roles. Furthermore, the access risk analysis can also be applied within the Access Request Management (ARM) and Emergency Access Management (EAM) applications. SAP delivers a standard ruleset for access risks that gives companies a good starting point for the analysis.
Why use Access Risk Management?
GRC ARA aims at identifying, documenting, classifying and reducing risks to an acceptable level. It supports your company in resolving audit findings and in fulfilling legal requirements and compliance regulations such as C-SOX, the Sarbanes-Oxley Act, J-SOX, GDPR or Germany's Federal Data Protection Act. SAP GRC minimizes the time and cost of access risk management by automating the monitoring processes. Using the standard functions for analyzing your risks gives you a transparent overview in real time.
Manage your risks by managing your SoDs
SAP GRC Access Risk Management ensures your compliance by performing preventive and real-time analysis on your GRC system. SAP delivers a standard rule set that already includes several risks; nevertheless, further risks specific to your company environment may exist that are worth checking on a regular basis. To manage your risks it is recommended to follow the SoD risk management process. This process can be performed initially when setting up your GRC system and should be repeated on a regular basis as well. The process describes three phases with a total of six steps.
SoD – Segregation of duties
Certain tasks within a business process should not be performed by a single person or a single organizational unit. The aim is to separate important functions and responsibilities in order to establish a sustainable organization. For example, someone who creates orders should not also be responsible for releasing them. Within SAP GRC, for instance, the combination of transactions PR05 and PR09 should be avoided.
Within the risk definition step you should determine and classify (high, medium, low) your risks. Also consider risks you are aware of but that should not be part of the analysis. Always make sure that the effort of your risk definition is balanced against its use: for a minor risk that causes only minor losses it may make sense not to monitor it, as the monitoring could cost more than the actual loss.
Create rules based on the risks you have already determined. Rules consist of functions, risks and business processes. A function is the technical layer of a risk: its technical definition in terms of authorization objects and transaction codes. To create a rule you need to:
- Define the business process to which the rule applies (e.g. order-to-cash, HR, ...)
- Create functions by assigning actions and authorization objects
- For a SoD rule, assign a second function that conflicts with the first function
After you have set up the rules you can run the risk analysis to check your system. The risk analysis scans your system based on the ruleset and the rules you have defined. Risks are identified at role level or at user level. In case of false positives, double-check your rule definitions.
Besides eliminating an upcoming risk, it can be smart to try to remediate the risk by performing a risk simulation. The simulation lets you test changes at role level or user level before you apply them. Simulate whether removing a role from a user makes a risk disappear, or check whether a role change is useful by simulating added or removed values (authorization objects, transaction codes).
A user may need two roles assigned that, in combination, create a SoD risk, and these roles cannot be separated, so the SoD risk comes up at user level. Within the risk analysis process it is possible to mitigate those SoDs that need to be accepted. Such risks are mitigated by mitigation controls, which each company has to define itself, as SAP does not deliver standard mitigation controls. The authorization concept should be set up so that as few mitigation controls as possible are needed; nevertheless, in some cases they are required to meet business needs.
Besides the detective monitoring of risks, proactive monitoring should be performed whenever a role is changed or an access request is created. To avoid unmitigated or unmonitored risks in the productive environment, it is recommended to use the simulation tools to check future changes at user or role level.
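As an added illustration (not part of the original article and not SAP's delivered ruleset), the following Python sketch models the rule structure described above and runs the analysis, simulation and mitigation steps over constructed sample data: functions are reduced to transaction codes, the PR05/PR09 conflict from the SoD section is one of two constructed risks, and the role names, user ids and control id MC-01 are invented.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample data, not SAP's delivered ruleset. Functions are reduced to
# transaction codes (real GRC functions also carry authorization objects/values).
FUNCTIONS: Dict[str, FrozenSet[str]] = {
    "CREATE_ORDER": frozenset({"PR05"}),
    "RELEASE_ORDER": frozenset({"PR09"}),
    "MAINTAIN_VENDOR": frozenset({"XK01", "XK02"}),
    "POST_PAYMENT": frozenset({"F110"}),
}
# A SoD risk pairs two conflicting functions and carries a classification.
RISKS: Dict[str, Tuple[str, str, str]] = {
    "P001": ("CREATE_ORDER", "RELEASE_ORDER", "high"),
    "P002": ("MAINTAIN_VENDOR", "POST_PAYMENT", "high"),
}
ROLES: Dict[str, FrozenSet[str]] = {
    "Z_PURCHASER": frozenset({"PR05", "ME21N"}),
    "Z_APPROVER": frozenset({"PR09"}),
    "Z_AP_CLERK": frozenset({"XK01", "F110"}),  # P002 violated inside one role
}
USERS: Dict[str, List[str]] = {
    "jdoe": ["Z_PURCHASER", "Z_APPROVER"],  # P001 arises only at user level
    "asmith": ["Z_AP_CLERK"],
}
# Mitigation controls are company-defined; MC-01 is a hypothetical control id.
MITIGATIONS: Dict[Tuple[str, str], str] = {("asmith", "P002"): "MC-01"}

def analyze(tcodes: Iterable[str]) -> Dict[str, str]:
    """{risk_id: level} for every risk whose two functions are both present."""
    present = set(tcodes)
    return {rid: level for rid, (f1, f2, level) in RISKS.items()
            if FUNCTIONS[f1] & present and FUNCTIONS[f2] & present}

def analyze_role(role: str) -> Dict[str, str]:
    """Role-level analysis, e.g. before a role built in BRM goes productive."""
    return analyze(ROLES[role])

def analyze_user(user: str, roles: Optional[List[str]] = None) -> Dict[str, str]:
    """User-level analysis over the union of assigned roles; an accepted risk
    is reported as mitigated with its control id instead of its level."""
    assigned = USERS[user] if roles is None else roles
    found = analyze(set().union(*(ROLES[r] for r in assigned)))
    return {rid: (f"mitigated:{MITIGATIONS[(user, rid)]}"
                  if (user, rid) in MITIGATIONS else level)
            for rid, level in found.items()}

def simulate_remove_role(user: str, role: str) -> Dict[str, str]:
    """Simulation: which risks would remain if `role` were removed from `user`."""
    return analyze_user(user, [r for r in USERS[user] if r != role])
```

Running the role-level check on Z_AP_CLERK reports P002 from a single role, while P001 for jdoe only appears at user level and disappears in the simulation that removes Z_APPROVER.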
Chart: Control effort and degree of control automation
Automation of Access Risk Management
Integrating the access risk analysis into your internal control system supports you in automating your access risk management and minimizes the control effort. Lower access risk management costs and a higher degree of control automation enable you to manage your access risks sustainably. Automation is achieved by setting up internal controls in your ICS. These controls can be compensating or preventive. Compensating controls check the as-is status of your system; this kind of control detects threats that are already present in your system environment. Preventive controls check for risks before they become productive in the system environment, e.g. by simulating role changes or by integrating the risk analysis functionality into your access request management workflow. As seen in the left chart, control effort correlates with the degree of automation within a system landscape: the control effort decreases significantly as soon as the degree of automation rises.