
User Manual Risk Analysis & Remediation

RAR is one of the components of SAP GRC; it provides risk analysis, detection and remediation for access and authorization control. The screen shot below shows the SAP GRC RAR home page, where you can see 7 tabs for the different types of activity to be performed. The users' work is mainly in the Mitigation and Informer tabs.

Major Functions of RAR:

RAR provides the ability to perform several major functions:
o Determine and report whether any risks are associated with a group of actions or permissions and a User, Role, or Profile.
o Determine and report whether any risks would be introduced by simulating the addition of actions, Roles, or Profiles to a User ID. This feature effectively prevents new risks from being introduced into your production environment.
o Easily create, maintain, and manage Risks used to generate Rules.
o Apply Controls to mitigate any Risk associated with a User, Role, or Profile.
o Alert the appropriate monitor when conflicting or critical actions are used, or a control is assigned to mitigate a risk.
o Alert the appropriate manager when activity monitoring is not performed.

SAP Security Check Sequence:

1. R/3 user logs into SAP.
2. Executes transactions.
3. SAP programs are called.
4. Security routines identify the authorization objects and required values.
5. Values in the SAP program are matched against the values in the user's security authorizations.
6. Access is granted.

Risk Analysis:
A Risk is defined as two or more actions that, when available to a single user, role, profile, or HR Object, create the possibility of error or irregularity. There are thousands of action combinations that can be categorized as Risks. Risks can also be defined by different combinations of permissions associated with specific actions.

Purpose:
When you run a Risk Analysis or a Simulation, you generate reports presenting different types of information. You may generate reports presenting risks or conflicts, or the use of critical actions, by the User, Role, Profile, or HR Object you included in the analysis. By generating these reports you can identify the Risk and either remove it or apply a Control.

Mitigation:
Purpose
Once you have run a Risk Analysis and have identified any Risks associated with a User or Role, you may want to limit or monitor the Risk rather than removing its cause. Mitigation Controls give you the ability to associate controls with Risks, so they can be applied to Users and Roles identified as violating SODs during Risk Analysis. You also define monitors and approvers, assign them to specific controls, and create Business Units to help categorize your Mitigation Controls.
The Mitigation tab allows you to mitigate certain risk violations that you want to remain available to specific users or roles. This is done by creating and assigning a Mitigation Control.
A Mitigation Control performs the following functions:
o Identifies the Segregation of Duties (SOD) as a known Risk.
o Establishes a period of time during which the Risk may exist (is monitored).
o Associates a list of Monitors with the Control. Only Monitors associated with a Control definition may be selected when mitigating a Risk.

Prerequisites to configure Mitigation:

o Administrator
o Business Units

The Administrator option allows you to create and maintain Approvers, Monitors and Risk Owners. Users who need to perform these functions must be maintained in this Administrator screen in order to be available in subsequent screens.

Administrator ID   Full Name               Email                  Role
FBD_M004           Supratip Narayan Roy    supratip.roy@itc.in    Monitor

Search Administrator:
Menu Path:
Go to Mitigation Tab > Administrator > select the role you want to search > Search.
Now you can view and edit the created Administrator by selecting it and clicking the Change button.

Business Unit:
Establishing Business Units allows you to categorize your Mitigation Controls. When you define Mitigation Controls, you categorize them by assigning each one a specific Business Unit. This enables you to limit the Controls available to the Business Units specified in a RAR Role definition.
Creation of Business Unit:

1. The Business Units option expands to Create and Search. Click Create and the Define Business Unit page appears.
2. In the Business Unit ID field, enter a unique alphanumeric identification for the business unit.
3. In the Description field, enter a short description of the business unit.
4. In the Approver tab, click the Plus icon to add a new Approver ID and their full name.
5. In the Monitor tab, click the Plus icon to add a new Monitor ID and their full name.
Note: Approvers and Monitors must be set up using the Administrator pane before they can be assigned to Business Units.
6. Click Create.
After creating the Business Unit you can search for it and make any amendment if required.

Click the Search button and you will be directed to the page shown below, where you have the Change and Delete options.

Mitigating Controls:
When you define a Mitigation Control you create a Mitigation Control ID. This Control ID appears in various Risk Analysis reports.
Defining a Mitigation Control includes associating the Risk IDs that are mitigated by the control. Roles can only be mitigated for the Risk IDs associated in the Control definition.
Creation of a Mitigating Control:
1. Menu Path:
Go to Mitigation Tab > Mitigation Controls > Create

2. In the Mitigating Control ID field, enter a unique alphanumeric ID of at most 10 characters for the mitigating control.
3. In the Description field, enter a short description of the mitigating control ID.
4. In the Business Unit drop down menu, select the desired business unit. The dropdown menu displays the business units that you created using the Business Units option.
5. In the Management Approver drop down menu, select the desired approver. The drop down menu displays the approvers that are associated with the Business Unit entered in Step 4.
6. In the Associated Risks tab, click the Plus icon to add risk IDs to the mitigating control. The risk ID should be entered followed by * as shown in the screen shot below.
The Associated Risks tab is used to associate Risk IDs with the Mitigation Control. Only Risk IDs associated with a Control can be used to mitigate a Risk.

7. In the Monitors tab, click the Plus icon to add monitors to the mitigating control as shown in the screen shot above.
The Monitors tab is used to associate Monitors with the Mitigation Control.
Note: Approvers and Monitors must be set up using the Administrator pane before they can be assigned to Business Units.
8. Click Save.
To search a Mitigating Control:
1. The Mitigating Controls option expands to Create and Search. Click Search and the Search Mitigating Controls page appears.
Note: During your search, use any of the fields in the Search Mitigating Controls page as search criteria. After entering data in any field, click Search.
2. In the Mitigating Control ID field, click the Search icon to search for a mitigating control ID.
3. In the Description field, enter a short description of the mitigating control.
4. In the Business Unit field, click the Search icon to search for a business unit.
5. In the Management Approver field, enter the approver's user ID for the mitigating control you want to search.
6. In the User ID field, click the Search icon to search for a user ID.
7. In the Role field, click the Search icon to search for a role.
8. In the Monitor drop down menu, select the desired monitor.
9. In the Risk ID field, click the Search icon to search for a risk ID.
10. In the Valid From and Valid To fields, click the Calendar icon to define the valid time range during which the mitigation control mitigates a user/role.
11. In the Status drop down menu, select the desired status (All, Enable, Disable).
12. Click Search.
Mitigation of Roles:
Search for the mitigation control ID under which the risk ID exists for which you want to mitigate the specific roles, then select the control ID and click the Change button as shown in the picture below.

Now select the risk under which you want to put the mitigated roles and click the Mitigate Roles button as shown in the picture below.

After clicking Mitigate Roles you will be directed to the page shown below, where you click the Add button to add the roles you want to mitigate.

After clicking the Add button you will be directed to the page shown below, where you search for the role as shown in the screen:

1. Click on the Role name.
2. Select the system.
3. Paste the role name and click the Search button.
4. Select the role from the result.
5. Enter the risk ID followed by a star (*).
6. Select the monitor ID.
7. Save the data.

This specific role has now been mitigated.

Informer:

RAR provides detailed compliance analysis for enterprises. RAR software allows enterprises to examine every aspect of their complex Enterprise Resource Planning (ERP) system and to implement internal controls. The data gathered in each analysis is made available for immediate viewing in an exceptionally wide range of predetermined and user-modified reports. These reports are accessible through the Informer tab.
Informer tab report types include:
o Management View
o Risk Analysis
o Audit Reports
o Security Reports
o Background Job
You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels.
Management View
The following reports are accessed from the Management View menu:
o Risk Violations
o Users Analysis
o Role Analysis
o Comparisons
o Alerts
o Rules Library
o Controls Library
Each item in the Management View category includes at least one of the following interactive, graphical displays:
o Pie Chart
o Bar Chart
After selecting report parameters for any Management View report type, click Go to show the selected information in the graphical display. Drill down further into the information for each display by clicking anywhere on the pie chart or clicking the chart labels for the bar and line charts. Drilling down further allows you to view:
o Risk IDs and descriptions for each severity level (critical, high, medium, low).
o Detailed information for each Risk Description.
o Change History for each Risk.
o Conflicting functions that are causing the Risk.
o Detailed information for each conflicting function.
o Change History for each function.

Risk Violation report under Management View:

In the screen shot above you can see all the risk violations by process, for example ITC Order to Cash and ITC Financial Accounting. On the right side you can see the bar chart; clicking on it shows the further report of risk violations corresponding to each Risk.

To see an individual risk violation, click on the risk ID; the detailed risk violation is shown in the screen shot below.

Role Analysis under Management View:

Role Analysis features identify SoD violations among the roles and profiles that have been assigned to users. These roles and profiles include typical responsibilities such as payroll, accounts payable, and finance.
Menu Path:
Go to Informer > Management View > Role Analysis
1. From the Cal. Month/Year drop down menu, select a date. This is the date range set in SAP.
2. From the System drop down menu, select the system for which you would like to collect SoD data.
3. From the Analysis Type drop down menu, select an analysis type.
4. From the Violation Count By field, select either Risk or Permission.
5. Press Go.
Note: Most management reports will want to select counts at the Risk level, which shows the number of conflicts at the highest level. If Risk is selected, a user is counted only once against the risk regardless of how many occurrences the user has. If Permission level is selected, a user may count for multiple violations within a risk, because they have several actions which allow them to perform a specific function.

In the screen shot above you can see:
o the number of roles with no violations, along with the percentage.
o the number of roles with violations, along with the percentage.
In the lower right you can see the bar chart of Roles and Users. By clicking on Roles you can see the further report, with the detail of process, Risk Level and number of violations corresponding to each risk, as shown in the screen shot below.

If you click on any of the risks, the system takes you to the screen shown below, where you can view the detail report including relevant functions and other required parameters, as shown in the screen shot below.

You can also see the change history by clicking the Change History button, which shows the Risk change history report as in the screen shot below.
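The following Python script is an added example, not part of this manual and not SAP's code. It models, in a few dozen lines, the concepts used in the Risk Analysis, Mitigating Controls and Role Analysis sections above: a Risk as a pair of conflicting Functions (sets of actions), analysis at action level versus permission level, the difference between counting violations by Risk and by Permission, and a Mitigation Control with a risk ID pattern ending in *, a validity period, a monitor and the users or roles it is assigned to. Every function, risk, role, user and control definition here is constructed for the example; the transaction-to-authorization-object mapping is deliberately simplified and is not a real rule set.

```python
"""Toy SoD risk analysis and mitigation check modelled on the RAR concepts above.
All definitions are constructed for the example; the transaction-to-authorization
mapping is simplified and is not a real rule set."""
from dataclasses import dataclass
from datetime import date
from itertools import product

# A Function is a set of actions (transaction codes); a Risk is two conflicting Functions.
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},   # maintain vendor master
    "AP02": {"F-53", "F110"},   # post / run vendor payments
    "PR01": {"ME21N"},          # create purchase order
    "PR02": {"MIGO"},           # post goods receipt
}
RISKS = {
    "P001": {"functions": ("AP01", "AP02"), "level": "High"},
    "P002": {"functions": ("PR01", "PR02"), "level": "Medium"},
}
# Permission view: the (authorization object, activity) each action needs; simplified.
ACTION_PERMS = {
    "FK01": {("F_LFA1_APP", "01")}, "FK02": {("F_LFA1_APP", "02")},
    "F-53": {("F_BKPF_BUK", "01")}, "F110": {("F_REGU_BUK", "01")},
    "ME21N": {("M_BEST_BSA", "01")}, "MIGO": {("M_MSEG_BWA", "01")},
}
# Roles carry menu transactions and authorization values separately. Z_AP_CLERK has
# F-53 in its menu but not the value it needs: an action-level hit that disappears
# at permission level.
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"FK01", "FK02", "F-53"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_BUYER": {"ME21N", "MIGO"},
}
ROLE_PERMS = {
    "Z_AP_CLERK": {("F_LFA1_APP", "01"), ("F_LFA1_APP", "02")},
    "Z_AP_PAYMENT": {("F_REGU_BUK", "01")},
    "Z_BUYER": {("M_BEST_BSA", "01"), ("M_MSEG_BWA", "01")},
}
USER_ROLES = {
    "USER1": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "USER2": {"Z_BUYER"},
    "USER3": {"Z_AP_CLERK"},
}

def analyze(user, level="action"):
    """Return (risk_id, action_a, action_b) for every conflicting pair the user holds.
    level="action" needs only the transaction in a role; level="permission" also
    needs the authorization values that transaction requires."""
    actions = set().union(*(ROLE_ACTIONS[r] for r in USER_ROLES[user]))
    perms = set().union(*(ROLE_PERMS[r] for r in USER_ROLES[user]))

    def held(action):
        return action in actions and (level == "action" or ACTION_PERMS[action] <= perms)

    violations = []
    for risk_id, risk in sorted(RISKS.items()):
        func_a, func_b = risk["functions"]
        for a, b in product(sorted(FUNCTIONS[func_a]), sorted(FUNCTIONS[func_b])):
            if held(a) and held(b):
                violations.append((risk_id, a, b))
    return violations

def violation_count(user, by="Risk", level="action"):
    """'Risk' counts a user once per violated risk; 'Permission' counts each
    conflicting action pair, so one risk can yield several violations."""
    found = analyze(user, level)
    return len({r for r, _, _ in found}) if by == "Risk" else len(found)

@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    business_unit: str
    risk_ids: tuple     # entries ending in '*' are wildcards, e.g. 'P001*'
    monitor: str
    valid_from: date
    valid_to: date
    assigned_to: tuple  # user IDs and/or role names the control is assigned to

    def covers(self, risk_id, user, on):
        # assigned to the user directly or via one of their roles, valid on that date, lists the risk
        in_scope = user in self.assigned_to or bool(USER_ROLES[user] & set(self.assigned_to))
        in_period = self.valid_from <= on <= self.valid_to
        listed = any(risk_id == p or (p.endswith("*") and risk_id.startswith(p[:-1]))
                     for p in self.risk_ids)
        return in_scope and in_period and listed

# Constructed control: business unit, monitor ID and validity are placeholders.
CONTROLS = [MitigationControl("MC_AP_001", "BU_FINANCE", ("P001*",), "MON01",
                              date(2024, 1, 1), date(2024, 12, 31), ("Z_AP_PAYMENT",))]

def risk_report(user, on="2024-06-01", level="action", controls=CONTROLS):
    """Detail-style report: one line per violated risk, marked open or mitigated."""
    run_date = date.fromisoformat(on)
    report = []
    for risk_id in sorted({r for r, _, _ in analyze(user, level)}):
        ctrl = next((c for c in controls if c.covers(risk_id, user, run_date)), None)
        report.append({"user": user, "risk": risk_id, "level": RISKS[risk_id]["level"],
                       "status": "mitigated" if ctrl else "open",
                       "control": ctrl.control_id if ctrl else None,
                       "monitor": ctrl.monitor if ctrl else None})
    return report
```

With this data USER1 violates P001 once when counted by Risk but four times at action level when counted by Permission (two vendor-master actions times two payment actions), and only twice at permission level because the F-53 transaction is in the role menu without its authorization value. The control assigned to role Z_AP_PAYMENT marks USER1's P001 as mitigated inside its validity period and leaves it open once the period has expired; USER3, who holds only Z_AP_CLERK, is outside the control's scope and stays open.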

Risk Analysis
Risk Analyses are run to see if any User, Role or Organization has access to two or more conflicting actions. When two or more actions are determined to be conflicting, the combination of those actions is defined as a Risk. Risks define Rules, also known as SoDs.
When you run a Risk Analysis, any existing SoDs are reported for each User, Role or Organization included in the analysis.
Menu Path:

Informer > Risk Analysis > Role Level

As shown in the screen shot above, when running a role level risk analysis you have to select some parameters:
System: Select the system for which you want to run the role level risk analysis, for example the ECC Quality system.
Role: If you want a report for a specific role, enter the role name and run the job.
Risk by Process: Risks are defined under several processes. When running the risk analysis, choose the process for which you want to view the role level analysis, for example ITC Order to Cash.
Risk ID: If you want a report for a specific risk, enter the Risk ID and run the job.
Risk Level: There are four Risk levels: Critical, High, Medium and Low. A level is chosen when each risk is defined. If you need to run a risk analysis for a specific risk level, select that level and run the risk analysis.
Rule Set: When a risk is created it is assigned to a rule set. Among the several rule sets, select the one for which you want to run the role level risk analysis.
Report Type
There are six report types, each of which can be formatted in several ways.
Action Level SoD reports: generating this report type produces a list of SoDs at the action level.
Permission Level SoD reports: generating this report type produces a list of SoDs at the permission level.
Critical Actions reports: generating this report type limits the list to the Critical actions available. Critical actions are defined under the Rule Architect tab.
Critical Permissions reports

Critical Roles/Profiles reports: generating this report type lists only the Critical Roles and Profiles associated with the User, Role or Organization. This report does not list any risks.
Mitigation Control reports: generating this report type lists the valid Mitigation Controls assigned to the User, Role or Organization included in the analysis.
Choosing a Report Format:
You can choose one of four report formats for the six report types described above:
1. Summary: This report format lists the combination of conflicting actions that
produce the risk in one line item.
2. Detail: This report format lists each Risk as a single line item, displays the
Risk severity level and provides a link to the Risk Resolution page where options
are available for resolving the risk. Drill down further by clicking the risk to view
more detailed information, including conflicting functions.
3. Management Summary: This report format lists each Risk as a single line item,
displays the Risk severity level and provides a link to the Risk Resolution page
where options are available for resolving the risk. Drill down further by clicking
the risk to view more detailed information, including conflicting functions.
4. Executive Summary: This report format lists each risk as a single line item and
displays the total number of conflicting actions producing the Risk.
After selecting all the required parameters, run a background job as shown in the screen shot above:
o Give the Background Job a name.
o Select an Immediate start or schedule a Delayed start for the Background Job. If you choose to schedule a delayed start, set the date and time for the job to begin.
o If you would like to run the Background Job more than once, click the Schedule periodically check box and then set the schedule parameters.
o Click Schedule. You will see a message at the bottom of the page that includes a Job ID number if the Background Job was scheduled successfully.


Search background job:
Menu Path: Informer > Background Job > Search, enter the job ID and click the Search button.

The search takes you to the screen shown below, where you can see the details of the report.

Select the job for which you want to see the detail report and use the buttons below it. The buttons are as follows.
Show Job History: shows the job history as in the screen shot below.

View Log: shows each step of the job. Any error that occurs while the job executes can be analyzed from this View Log.
