SAP GRC - Risk Management

SAP Risk Management in GRC is used to manage risk-adjusted management of enterprise performance that empowers an organization to optimize efficiency, increase effectiveness, and maximize visibility across risk initiatives.

The following are the key functions under Risk Management −

  • Risk management emphasizes on organizational alignment towards top risks, associated thresholds, and risk mitigation.

  • Risk analysis includes performing qualitative and quantitative analysis.

  • Risk management involves Identification of key risks in an organization.

  • Risk management also includes resolution/remediation strategies for risks.

  • Risk management performs the alignment of key risk and performance indicators across all business functions permitting earlier risk identification and dynamic risk mitigation.

Risk management also involves proactive monitoring into existing business processes and strategies.

Phases in Risk Management

Let us now discuss the various phases in Risk Management. The following are the various phases in risk management −

  • Risk Recognition
  • Rule Building and Validation
  • Analysis
  • Remediation
  • Mitigation
  • Continuous Compliance

Risk Recognition

In a risk recognition process under risk management, the following steps can be performed −

  • Identify authorization risks and approve exceptions
  • Clarify and classify risk as high, medium or low
  • Identify new risks and conditions for monitoring in the future

Rule Building and Validation

Perform the following tasks under Rule Building and Validation −

  • Reference the best practices rules for environment
  • Validate the rules
  • Customize rules and test
  • Verify against test user and role cases


Perform the following tasks under Analysis −

  • Run the analytical reports
  • Estimate cleanup efforts
  • Analyze roles and users
  • Modify rules based on analysis
  • Set alerts to distinguish executed risks

From the management aspect, you can see compact view of risk violations that are grouped by severity and time.

Step 1 − Go to Virsa Compliance Calibrator → Informer tab

Step 2 − For SoD violations, you can display a pie chart and a bar chart to represent current and past violations in the system landscape.

The following are the two different views to these violations −

  • Violations by risk level
  • Violations by process
Risk Violations

Violations Process


Perform the following tasks under remediation −

  • Determine alternatives for eliminating risks
  • Present analysis and select corrective actions
  • Document approval of corrective actions
  • Modify or create roles or user assignments


Perform the following tasks under mitigation −

  • Determine alternative controls to mitigate risk
  • Educate management about conflict approval and monitoring
  • Document a process to monitor mitigation controls
  • Implement controls

Continuous Compliance

Perform the following tasks under Continuous Compliance −

  • Communicate changes in roles and user assignments
  • Simulate changes to roles and users
  • Implement alerts to monitor for selected risks and mitigate control testing

Risk Classification

Risks should be classified as per the company policy. The following are the various risk classifications that you can define as per risk priority and company policy −


Critical classification is done for risks that contain company’s critical assets that are very likely to be compromised by fraud or system disruptions.


This includes physical or monetary loss or system-wide disruption that includes fraud, loss of any asset or failure of a system.


This includes multiple system disruption like overwriting master data in the system.


This includes risk where the productivity losses or system failures compromised by fraud or system disruptions and loss is minimum.

Kickstart Your Career

Get certified by completing the course

Get Started