Automation of risk management in SAP

Risk management in SAP applications through automation with governance, risk, and compliance (GRC) and identity management (IDM) is the key topic of this blog.

Risk refers to all the potential threats to an organization. For the purposes of this post, we will focus on fraudulent and critical access and exposure of sensitive information – the avoidance of which is of primary importance for any organization. To these ends, the SAP applications GRC and IDM provide automated workflows, notifications, and reports for efficient management.

Fraudulent and critical access:

GRC has standard workflows known as user access reviews (UARs) and segregation of duties (SOD), which can periodically be triggered as ‘work-items’ to approvers (such as a user’s manager or risk owners) for review. A notification (mail) can be sent for each work-item. A UAR work-item shows a user’s access and allows approvers to immediately remove or retain these accesses. A SOD work-item shows the identified SOD risk, allowing risk owners either to mitigate or to remove it.

Periodic background jobs based on standard filters, such as user groups and SAP systems, can be scheduled to extract summary and detail reports. GRC also has a functionality called automated monitoring, which enables customized monitoring of SOD risks. Risk reports can be tailored to a specific business process or level. IDM provides tools (jobs) to create customized monitoring, such as role access reviews and critical access reports. These can be used to notify reviewers and auditors of critical accesses for their assessment.

Exposure of sensitive information:

Business-sensitive information in transactional, master, and configuration data can easily be monitored through the process control module of GRC. This module has an automated monitoring feature, which can alert stakeholders according to their monitoring criteria.

Examples of each of the three categories are:

Transactional: Detect the number of payments and the total amount paid to vendors

Master: Detect vendor master records with identical bank account details

Configuration: Detect changes to release strategies and tolerance limits

A pictorial representation of an automated monitoring report is shown below.

Transaction: Total payment to a vendor
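As an added illustration (not code from SAP GRC or from this post), the three monitoring categories above written as small checks in Python over constructed sample records; the vendor numbers, amounts and tolerance settings are made up, and the single-payment and total limits are hypothetical parameters:

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data, not taken from any SAP system. A vendor master
# record is keyed by vendor number (LIFNR) and carries its bank details.
VENDORS = [
    {"lifnr": "100001", "name": "Alpha Supplies", "bank": ("DE", "10010010", "0123456")},
    {"lifnr": "100002", "name": "Beta Logistics", "bank": ("DE", "20020020", "9876543")},
    {"lifnr": "100003", "name": "Alpha Services", "bank": ("DE", "10010010", "0123456")},
    {"lifnr": "100004", "name": "Gamma Parts",    "bank": ("FR", "30003000", "5555555")},
]
# Constructed payment documents: (vendor number, amount in company currency).
PAYMENTS = [
    ("100001", Decimal("4900.00")), ("100001", Decimal("4950.00")),
    ("100001", Decimal("4990.00")), ("100002", Decimal("12000.00")),
    ("100003", Decimal("300.00")),  ("100004", Decimal("75.50")),
]
# Constructed snapshots of tolerance-limit settings before and after a change.
TOLERANCE_BEFORE = {"price_variance_pct": 5, "quantity_variance_pct": 2}
TOLERANCE_AFTER = {"price_variance_pct": 25, "quantity_variance_pct": 2}

def shared_bank_accounts(vendors):
    """Master-data check: bank details that are used by more than one vendor."""
    by_account = defaultdict(list)
    for v in vendors:
        by_account[v["bank"]].append(v["lifnr"])
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}

def payment_summary(payments):
    """Transactional check: (number of payments, total paid) per vendor."""
    summary = defaultdict(lambda: [0, Decimal("0")])
    for lifnr, amount in payments:
        summary[lifnr][0] += 1
        summary[lifnr][1] += amount
    return {v: (n, total) for v, (n, total) in summary.items()}

def flag_payments(payments, single_limit, total_limit):
    """Flag vendors whose total exceeds total_limit; note separately when every
    single payment stayed under single_limit (a split-payment pattern)."""
    per_vendor = defaultdict(list)
    for lifnr, amount in payments:
        per_vendor[lifnr].append(amount)
    return {v: ("split payments" if all(a < single_limit for a in amts) else "total over limit")
            for v, amts in per_vendor.items() if sum(amts) > total_limit}

def changed_settings(before, after):
    """Configuration check: settings whose value differs between two snapshots."""
    return {k: (before.get(k), after.get(k)) for k in set(before) | set(after)
            if before.get(k) != after.get(k)}
```

Each function returns a plain dictionary, so the same results can feed a notification to a reviewer or be appended to a periodic report.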

In this blog, standard ‘automated’ solutions from SAP GRC for ‘risk management’ are highlighted, which help an organization stay compliant with audit regulations such as GDPR.

So, if you are looking towards protecting your enterprise from threats and ensuring a more secure governance, SAP’s Governance Risk and Compliance (GRC) component is the answer.

Please refer to the GRC website for more information.

If you want to discuss risk automation, please contact me.
