Multiple mitigating controls assigned to one risk

Hello experts. We are using GRC compliance calibrator 5.3. We are just starting to implement mitigating controls. The problem we have is we have multiple mitigating controls per risk. Some risks have one control and some have two or three. When we run our risk analysis the resulting report only shows the first mitigating control it finds.
Just wondering if anyone else has this situation. I wanted to check here before I created a message with SAP.
Thanks
Dave

Dave,
   I think this is how the functionality is. You will have to open a CSS message with SAP.
Regards,
Alpesh

Similar Messages

  • Multiple mitigation controls assignment through CUP

    Dear All,
    We have implemented CUP 5.3 and under SP9.
    We have multiple controls addressing same risk wherein we are supposed to assign multiple controls to the users. When the manager is assigning multiple controls, the old one is getting replaced with the new one for the same risk.
    Is there any configuration change to be made to assign multiple mitigation controls to the same user for the same risk using CUP?
    Thanks and Best Regards,
    Srihari.K

    Ben,
       This is how CUP works. There is no configuration which allows you to ignore SOD violation even if there is mitigation. You will have to live with this for now.
    Regards,
    Alpesh

  • Mitigation Control Owner instead of Risk Owner.

    Hi All,
    In a Provisioning request after Risk analysis, if there is any SOD found then the request needs to be forwarded to the Mitigation Control Owner instead of the Risk owner.
    Please advise whether standard functionality in GRC 10.1 addresses this requirement or whether it needs development.
    Thanks in Advance

    Hi Babu,
    There is no standard functionality to forward this to the mitigation control owner.
    Even for forwarding to the risk owner, you may need some customization as per SAP Note 1670504.
    Thanks,
    Mamoon

  • AE: Multiple Mitigation controls per risk

    Hi,
    I am currently setting up mitigation controls in CC and am wondering if it is possible to have 2 mitigation controls for a risk?
    It does not look possible, because when assigning access in AE and mitigating the risks, it is only possible to choose 1 mitigation control per risk. Has anybody managed to set up AE so that you can assign more than 1 mitigation control per risk?
    Thanks

    Hi Ankur,
    We have multiple activities to be conducted as part of the mitigation control. We wanted to create a separate control reference for each as they have different monitors. However, this does not look possible, so we have grouped the activities into one mitigation control.
    Regards,
    Gary

  • Mitigation controls assignation to users in RAR

    Hi,
    While assigning mitigation control to the users (RAR > Mitigation > Mitigated Users > Add), it is only possible to assign 1 user at a time. Would it be possible to assign more than 1 user through multiple selection?
    Thanks
    Abhijeet

    Abhijeet,
    From that path, you cannot assign multiple users at once; however, if authorised, you can upload mitigation controls, and within the upload files you can upload the users assigned to them.
    Simon

  • Maintain Validity Date for Mitigation Control Assignment to Users Virsa 5.2

    We have over 1,000 SoDs, all mitigated. The validity date for these mitigation controls needs to be updated. Does anyone know a way to perform a range of updates so it is not necessary to update each user assigned to a Mitigation Control?

    The only way to do that currently would be to download the table information, edit in Excel and re-upload the table.
    Not for the faint of heart, but doable.
    Frank.

  • Multiple Sold to assigned to one Ship to

    Hi,
    Please help me. I have one strange scenario: to prevent, for a particular sales area, multiple sold-to parties being assigned to only one ship-to party, which is causing problems in another system.
    Please help me with how to prevent the partner functions from doing this during creation of sales orders.
    Regards
    JACK

    hi guys,
    One ship-to party is assigned to multiple sold-to parties. If your customers (SP/SH) are in the same sales area, then you create multiple sold-to parties and create one ship-to party. Finally, go to the CMR (SP) sales area details, then go to partner functions; here you maintain your ship-to party (CMR) for the sold-to party customer. When you create a sales order for your sold-to parties, a pop-up automatically comes up with your ship-to party. If your sales areas are different, it is possible only with a user exit or field exit.

  • Risks has been removed but Mitigating Control still stays with the users?

    Hi all,
        I have a situation where after a risk has been removed from the users by removing the violating roles, however the Mitigating Control still remains tagged to the same user. Is there any efficient way of removing Mitigating Controls from users where the risks no longer exists?

    Hi Joseph, thanks for the info. My problem comes in when the user requests to have the violating role removed via CUP and it so happens that the Mitigating Control assigned for the old risk still has 6 more months of validity left. It seems like there is no mechanism to auto-remove this MC when the role has been removed after the request in CUP has been approved and auto-provisioned.
    My problem is that there might be many more of such users with redundant MC assigned to them in RAR. I can't find a way to search for such redundant MCs for cleanup. There is a possibility that when the same roles are assigned back to the users via request in CUP, these redundant MC if applicable will cause the Risk Analysis via CUP to not flag out any SoD issue.

  • Query on Mitigation Control

    Hi all,
    We have configured Mitigation Controls and mitigated some of the users. We have the following queries in this regard:
    a) When we run the SoD analysis for that particular user, we are able to see only half of the description of the Mitigation Control.
    Is there any limitation on the space or the parameters for the Mitigation Control description? We are unable to see the entire description of the Mitigation Control (if the mitigation control is more than 7-8 lines) in the Detailed Report screen as well. Even after downloading into a spreadsheet, we get only part of the mitigation control description and not the entire description.
    b) A risk ID can be addressed by 2 or 3 mitigation controls. In this scenario, we have assigned 2-3 mitigation controls to one mitigated user for mitigation. When we run SoD analysis, we are able to see only the latest mitigation control assigned to the user in the report format (say out of 3 assigned, only the 3rd one assigned is being shown).
    But when we did a search for Mitigation controls with  the Risk ID & User ID combination then it is throwing all the 3 mitigation controls. But the same is not shown in SoD violations reports
    Is there anything to do with the parameters set up or at the configuration side to resolve this.
    Please provide the procedure also in case of any changes to be made at configuration level.
    Thanks and Best Regards,
    Sri

    Hi Vit,
    Thanks for your reply. We crosschecked and you are correct that the space limitation is only for 132 characters in this table.
    Is there a way to get the mitigation control whole description or do we need to stick to this limitation itself.
    Also, when we did a search for Mitigation Control it gives only Mit.ID, Mit Control Desc, BU and Management approver. Whether there are any tables (from SAP Backend) or reports where we can get the Risk Ids including the above addressed by the mitigation controls.
    Thanks and Best Regards,
    Sri

  • Implementing Mitigation Control IDs

    Hi,
    We are planning to implement mitigation control ids in GRC. Currently we are only having 1 mitigation control id and all the users are mitigated into this id.
    Now, the plan is to include the mitigation control advise/comments by the SOD approvers into the GRC and thus by introducing multiple mitigation control id we could achieve this.
    In our system users are mapped as per the Business Unit and we have around 25-30 business units, so each BU has a separate mitigation control approval (SOD Approver).
    We have around 150 Risk IDs.
    We are not able to understand how to design mitigation control IDs in such case? Is it a best practice to create mitigation control ID for each Risk ID in the system (May be we can group similar Risk IDs)? Your help is appreciated.
    Thanks,
    Umesh

    Hi Umesh,
    No, for 1 Mitigation Control there are several Monitors and users who are mitigated are added to only 1 mitigation control id.
    Which means you have multiple people monitoring every risk in your system. Do all of the monitors belong to the same functional group?? If yes, what happens if there is a risk in other functional groups? How can they identify and monitor it??
    If no, why a FI functional group monitor, needs to monitor the risk related to other groups?
    Can you pls explain more on primary and secondary functions?
    If the risk is related to one functional area only, the respective functional area will own it. If it is a cross functional risk, then it will be owned by both the functional area managers, which is often referred as primary and secondary functions.
      and what are the disadvantage of creating 1 mitigation control id for each risk (may be grouping some risks) considering the fact that we have 25 business units.
    It is just like giving 1 coke with 100 straws while you still have a stock in your refrigerator
    Regards,
    Raghu

  • CC: Entering Mitigation Controls

    Hi ,
    I am entering mitigation controls in CC and am noticing 2 issues
    1) I cannot blanket mitigate a selection of users. Blanket mitigation only seems to apply if I want to mitigate all users. Is there any way to add 10 select users to a mitigation control by selecting the 10 users, rather than having to specify risk, validity dates etc. for all 10?
    2) I have noticed in SAP documentation that * should be entered after the risk ID, e.g. P005*. Why should this be entered? This does not default when setting up the mitigation control, and if I forget to do it, I have to delete the mitigation entry for the user and recreate it. Can anybody advise why * must be entered and if there is a way to default *?
    Thanks,
    Gary

    Gary,
    1)  No there is no way to select 10 individual users without creating a line item for each one.  Unless they all get the access from the same Role.  If that was the case you could just create the mitigating control for that role and anyone that would have the conflict via that Role would not appear in your risk reports.
    2)  The reason you have to enter * in the mitigating controls is so that all risk ID's are mitigated by your rule.  For example short risk ID P033 is made up of multiple long risk ID's based on each transactional combination i.e. P03300101 for ME21,ME51, P03300201 for ME21N,ME51, P03300301 for ME22,ME51, P03300401 for ME22N,ME51.
    So to cover all possible transaction combinations with a mitigating control you need to enter it for P033*.  This would also allow you to enter a mitigating control for only long risk ID P03300101 if your mitigating control only covered users with access to ME21 and ME51.
    Hope that helps.
    Matt.
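
An added sketch (not from any poster and not SAP code) of the wildcard matching Matt describes, applied to two problems raised in these threads: listing every valid control that covers a violation rather than only the first, and finding still-valid mitigation assignments whose risk no longer exists for the user. The tuple layouts, user names, control IDs and the F001 risk are constructed assumptions; only P033 and its long IDs come from the thread.

```python
from datetime import date

# Constructed sample data. The tuple layouts are assumptions for this sketch,
# not an SAP GRC table or download format.
VIOLATIONS = [            # (user, long risk ID) from a current risk analysis
    ("JSMITH", "P03300101"),
    ("JSMITH", "P03300201"),
    ("MDOE", "F00100101"),
]
MITIGATIONS = [           # (user, risk ID or pattern, control ID, valid to)
    ("JSMITH", "P033*", "MC01", date(2030, 12, 31)),
    ("JSMITH", "P03300101", "MC02", date(2030, 12, 31)),
    ("MDOE", "P033*", "MC01", date(2030, 12, 31)),   # risk since remediated
    ("MDOE", "F001*", "MC03", date(2020, 1, 31)),    # validity has lapsed
]


def covers(pattern, risk_id):
    """Trailing * matches every long risk ID under the short ID; otherwise exact."""
    if pattern.endswith("*"):
        return risk_id.startswith(pattern[:-1])
    return pattern == risk_id


def controls_for(user, risk_id, mitigations, today):
    """All valid controls covering one violation, not only the first match."""
    return sorted(ctrl for u, pat, ctrl, valid_to in mitigations
                  if u == user and valid_to >= today and covers(pat, risk_id))


def redundant_mitigations(violations, mitigations, today):
    """Valid assignments whose risk no longer appears for that user."""
    return [(u, pat, ctrl) for u, pat, ctrl, valid_to in mitigations
            if valid_to >= today
            and not any(vu == u and covers(pat, rid) for vu, rid in violations)]


def unmitigated(violations, mitigations, today):
    """Violations left with no valid covering control."""
    return [(u, rid) for u, rid in violations
            if not controls_for(u, rid, mitigations, today)]


if __name__ == "__main__":
    today = date(2025, 1, 1)  # fixed date so the sample output is stable
    for user, rid in VIOLATIONS:
        print(user, rid, controls_for(user, rid, MITIGATIONS, today))
    print("redundant:", redundant_mitigations(VIOLATIONS, MITIGATIONS, today))
    print("unmitigated:", unmitigated(VIOLATIONS, MITIGATIONS, today))
```

The redundant list is the set to review first: a valid assignment with no matching violation would suppress the SoD finding if the conflicting access were granted again.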

  • CUP - Mitigation Controls in a Detour Workflow

    Hello everybody,
    I have a problem with a detour workflow in CUP.
    I choose the detour condition: "SoD violation".
    So in theory, if there are no conflicts the workflow doesn't take the detour path.
    We supposed that the user request has an SoD conflict.
    In the stage(s) before the detour, if we assign a mitigation control that mitigates the risk, the detour is still taken.
    I think the workflow switches systematically to the detour if the request had a conflict, even if the risks were deleted by a Mitigation Control assignment.
    Does anyone have a solution to avoid the detour path if we mitigate the risks?
    Thank you in advance!!

    Ben,
       This is how CUP works. There is no configuration which allows you to ignore SOD violation even if there is mitigation. You will have to live with this for now.
    Regards,
    Alpesh

  • GRC 5.3 mitigation control

    Dear Guys,
    Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
    How could we mitigate user and on what criteria....????
    Also some brief about control monitor.
    Thanks in Advance......

    Hi Arpit,
    Steps for remediation and mitigation strategy is as below,
    Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
    OR
    there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
    Function A: Create PO
    Function B: Release PO
    The above two functions are conflicting and create a risk in the standard process, so as a standard practice, in reference to compliance, SAP recommends to have two people doing it separately. But the customer might not have 2 positions in the org to separate this, so the customer has to accept the risk and create a mitigation control to document this and put in the monitoring control so one person can perform this function.
    This way it is helpful to follow the compliance, and when an audit happens the customer can show that they have identified the risk, documented it and put in an alternate monitoring control, so the risk cannot be misused.
    Hope this helps you understand it.
    BR,
    Mangesh

  • Blanket Mitigation Controls

    Hi Gurus,
    We are on 5.3 version of RAR,
    I am creating a blanket Mitigation control to mitigate a risk ID against one role. When I run the Risk Analysis report, I found that the risk ID is mitigated for all the roles. For example:
    The user has three roles A, B and C. The SOD Risk ID "R" is coming from all the three roles. I create Control M to mitigate Risk ID "R" only against Role A.
    When I run the Risk Analysis report the risk is mitigated for all the three roles, whereas I am expecting it should be mitigated only for Role A, and for Roles B and C it should still show as unmitigated risk.
    Is there anything else I need to do??
    Parveen

    Praveen,
       Don't put '*' after the risk when you are creating the mitigating control. If you put '*' after the risk ID, it creates a blanket mitigating control. When you create a mitigating control for a particular risk, you will have to select the particular role and mitigate it.
    Regards,
    Alpesh

  • Can we assign 2 credit control area for one company codes

    hi,
    sap gurus,
    can we assign 2 credit control areas to one company codes ?
    yes we can.
    but
    what is the impact of that
    can any one analyse.
    regards,
    balaji.t
    09990019711

    Hi,
    we can have multiple credit control areas based on req-
    e.g.: client wants to restrict customers division-wise.
    then we will maintain credit control area based on sales area
    there are 3 divisions in a comp: AA - BB - CC
    then the sales areas will be:
    1000-10 -AA
    1000-10-BB
    1000-10-CC ( assuming therez one sales org-1000 & dc 10)
    now create 3 cr control areas- OB45
    Assign sales area to cr Control area - OVFL
    Assign permitted credit control areas to comp code - IMG- FA- AR&AP- Credit Management- Credit control account - Assign permitted credit control areas to comp code.
    Now you can assign this Cr CA- by sales area wise in CMR & maintain the credit limits for each Cr CA.
    So when ever your needs wants to do it by division or sales area wise you can do this.
    Thanks,
    Raja
