SAP GRC - SoD Risk Management

Every business needs to perform Segregation of Duties (SoD) Risk Management, from risk recognition through rule building and validation to the other risk management activities required for continuous compliance.

SoD Risk Management in the GRC system is carried out by several different roles. SAP GRC defines the following roles and responsibilities under SoD Risk Management −

Business Process Owners

Business Process Owners perform the following tasks −

  • Identify risks and approve risks for monitoring
  • Approve remediation involving user access
  • Design controls to mitigate conflicts
  • Communicate access assignments or role changes
  • Perform proactive continuous compliance

Senior Officers

Senior Officers perform the following tasks −

  • Approve or reject risks between business areas
  • Approve mitigation controls for selected risks

Security Administrators

Security Administrators perform the following tasks −

  • Assume ownership of GRC tools and security process
  • Design and maintain rules to identify risk conditions
  • Customize GRC roles to enforce roles and responsibilities
  • Analyze and remediate SoD conflicts at role level
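The Security Administrator tasks above (designing rules that identify risk conditions, then analyzing SoD conflicts at role level) and the mitigation controls approved by Business Process Owners and Senior Officers can be illustrated with a small rule-set evaluator. The following Python is an added example, not SAP code: it models the GRC Access Control idea of functions (groups of actions), risks (pairs of conflicting functions) and generated action-pair rules, then runs a role-level and a user-level analysis and marks findings that have a mitigation control assigned. All function names, role names, user IDs and the control ID are constructed sample data.

```python
"""SoD rule-set evaluation in the style of a GRC rule set (added example).

Functions group actions; a risk is a pair of conflicting functions; the
generated rules are every action pair across those two functions.  A role
is in conflict when it alone grants both sides of a rule; a user is in
conflict when the union of its roles does.  A mitigation control recorded
against (user, risk) marks the finding as mitigated rather than open.
All data here is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Functions -> actions.  The action codes are illustrative SAP-style
# transaction codes used only as sample data.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MAINT": {"FK01", "FK02"},      # create / change vendor master
    "PAYMENT_RUN": {"F-53", "F110"},       # post outgoing payments
    "PO_CREATE": {"ME21N"},                # create purchase order
    "GOODS_RECEIPT": {"MIGO"},             # post goods receipt
}

# Risks -> the two functions that must not be held together (constructed IDs).
RISKS: Dict[str, Tuple[str, str]] = {
    "P001": ("VENDOR_MAINT", "PAYMENT_RUN"),
    "P002": ("PO_CREATE", "GOODS_RECEIPT"),
}

# Roles -> actions they grant (constructed role names).
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FK01", "FK02", "MIRO"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_AP_SUPER": {"FK01", "F-53"},   # conflict inside a single role
    "Z_BUYER": {"ME21N"},
}

# Users -> assigned roles (constructed user IDs).
USERS: Dict[str, Set[str]] = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # conflict only via role combination
    "AJONES": {"Z_AP_SUPER"},
    "BLEE": {"Z_BUYER"},
}

# (user, risk) -> approved mitigation control (constructed control ID).
MITIGATIONS: Dict[Tuple[str, str], str] = {("JSMITH", "P001"): "MC-017"}


def validate_rule_set(functions: Dict[str, Set[str]],
                      risks: Dict[str, Tuple[str, str]]) -> List[str]:
    """Integrity checks a rule keeper would run before generating rules."""
    problems = []
    for name, actions in functions.items():
        if not actions:
            problems.append(f"function {name} has no actions")
    for risk_id, (f1, f2) in risks.items():
        if f1 == f2:
            problems.append(f"risk {risk_id} pairs function {f1} with itself")
        for f in (f1, f2):
            if f not in functions:
                problems.append(f"risk {risk_id} references undefined function {f}")
    return problems


def generate_rules(functions: Dict[str, Set[str]],
                   risks: Dict[str, Tuple[str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Expand each risk into concrete action-pair rules."""
    return {risk_id: {(a, b) for a in functions[f1] for b in functions[f2]}
            for risk_id, (f1, f2) in risks.items()}


def violated_risks(actions: Set[str], rules: Dict[str, Set[Tuple[str, str]]]) -> List[str]:
    """Risk IDs for which the given action set contains both sides of a rule."""
    return sorted(risk_id for risk_id, pairs in rules.items()
                  if any(a in actions and b in actions for a, b in pairs))


def role_level_analysis(roles: Dict[str, Set[str]],
                        rules: Dict[str, Set[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Roles that are in conflict on their own, regardless of who holds them."""
    result = {role: violated_risks(actions, rules) for role, actions in roles.items()}
    return {role: risks for role, risks in result.items() if risks}


def user_level_analysis(users: Dict[str, Set[str]], roles: Dict[str, Set[str]],
                        rules: Dict[str, Set[Tuple[str, str]]],
                        mitigations: Dict[Tuple[str, str], str]) -> List[dict]:
    """Findings per user over the union of all assigned roles, with mitigation status."""
    findings = []
    for user, user_roles in sorted(users.items()):
        actions = set().union(*(roles[r] for r in user_roles))
        for risk_id in violated_risks(actions, rules):
            control = mitigations.get((user, risk_id))
            findings.append({"user": user, "risk": risk_id, "control": control,
                             "status": "mitigated" if control else "open"})
    return findings


if __name__ == "__main__":
    assert not validate_rule_set(FUNCTIONS, RISKS)
    rule_set = generate_rules(FUNCTIONS, RISKS)
    print("role-level conflicts:", role_level_analysis(ROLES, rule_set))
    for f in user_level_analysis(USERS, ROLES, rule_set, MITIGATIONS):
        print(f)
```

The two analyses answer different questions: the role-level pass finds roles that should be redesigned before anyone is assigned them, while the user-level pass catches conflicts that arise only from the combination of individually clean roles, which is where approved mitigation controls come into play.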

Auditors
Auditors perform the following tasks −

  • Perform risk assessment on a regular basis
  • Provide specific requirements for audit purposes
  • Periodically test rules and mitigation controls
  • Act as liaison with external auditors

SoD Rule Keeper

SoD Rule Keeper performs the following tasks −

  • Configure and administer the GRC tool
  • Maintain controls over rules to ensure their integrity
  • Act as liaison between Basis and the GRC support center