GRC100
GRC Principles and Harmonization

Instructor Handbook
Course Version: 96
Course Duration: 2 Days
Material Number: 50104437
Owner: Brenda Oumlil (I811059)

An SAP Compass course - use it to learn, reference it for work


Copyright

Copyright © 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks

• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic Server™ are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer

THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.


About This Handbook

This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions

American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style / Description

Example text (screen element): Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation, both internal and external.

Example text (emphasis): Emphasized words or phrases in body text, titles of graphics, and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.

Example text (screen output): Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.

Example text (user entry): Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.


Icons in Body Text

The following icons are used in this handbook.

Icon / Meaning

• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation.


Contents

Course Overview
  Course Goals
  Course Objectives

Unit 1: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
  Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
  GRC Solution Overview
  GRC Convergence
  Key Features and Benefits
  Integration

Unit 2: Information Architecture, Security and Authorizations
  Information Architecture
  Security and Authorizations

Unit 3: The GRC 10.0 User Interface
  Work Centers
  Harmonized Navigation in the GRC 10.0 Portal

Unit 4: Common Functions and Data
  Common Functions and Data Overview
  User Interface Configuration Framework
  Shared Master Data

Unit 5: Implementation and Configuration
  Streamlined Configuration
  Functional Implementation

Unit 6: Reporting
  Harmonized Reporting Framework

Course Overview

This hands-on workshop provides an introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0, including solution harmonization, the implementation process, and how GRC helps you to manage compliance and regulations.

Target Audience

This course is intended for the following audiences:

• Implementation Consultants
• Key Technical Business Users involved in a GRC 10.0 project
• IT Governance Experts
• Consultants for SAP Security and GRC
• IT Auditors
• Business Project Team Leaders

Course Prerequisites

Required Knowledge

• Knowledge of integrated processes in an SAP system
• Knowledge of authorization concepts in an SAP system

Recommended Knowledge

• Practical knowledge of business processes
• Practical knowledge of software implementations

Course Duration Details

Unit 1: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
  Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0: 30 Minutes
  GRC Solution Overview: 20 Minutes
  GRC Convergence: 15 Minutes
  Key Features and Benefits: 25 Minutes
  Integration: 30 Minutes

Unit 2: Information Architecture, Security and Authorizations
  Information Architecture: 15 Minutes
  Exercise 1: Connect to the System and View IMG Structure: 15 Minutes
  Security and Authorizations: 15 Minutes
  Exercise 2: View Role Assignments: 20 Minutes

Unit 3: The GRC 10.0 User Interface
  Work Centers: 45 Minutes
  Exercise 3: Navigate the Work Centers and Assign a Delegate: 30 Minutes
  Harmonized Navigation in the GRC 10.0 Portal: 20 Minutes
  Exercise 4: Harmonized Navigation: 20 Minutes

Unit 4: Common Functions and Data
  Common Functions and Data Overview: 20 Minutes
  User Interface Configuration Framework: 20 Minutes
  Shared Master Data: 20 Minutes
  Exercise 5: View Shared Master Data Examples: 30 Minutes

Unit 5: Implementation and Configuration
  Streamlined Configuration: 15 Minutes
  Exercise 6: Review the IMG Structure: 20 Minutes
  Functional Implementation: 30 Minutes
  Exercise 7: Review System Configuration: 15 Minutes

Unit 6: Reporting
  Harmonized Reporting Framework: 20 Minutes
  Exercise 8: Run Reports and View Dashboards: 30 Minutes

Course Goals

This course will prepare you to:

• Discuss the integrated GRC 10.0 solution and its business benefits
• Describe solution key features and benefits
• Describe solution integrations and their business use
• Explain relevant information architecture, security and authorization topics
• Navigate work centers, assign delegates, and personalize the Work Inbox
• Explain shared master data concepts
• Identify common and component-specific IMG nodes
• Describe project teams and key steps in the functional implementation process
• Use report functionality in the harmonized reporting framework

Course Objectives

After completing this course, you will be able to:

• Introduce SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
• Identify key governance, risk, and compliance processes supported in the GRC 10.0 solution
• Describe key features and business benefits of the integrated solution
• Identify applications that integrate with the GRC 10.0 solution
• Describe the purpose and location of key user interface components
• Discuss harmonized navigation and how authorizations affect what users see
• Describe how common functions and related master data are shared across GRC solutions
• Describe the IMG organization for GRC 10.0
• Describe a general implementation process and key steps
• Configure report presentation, structure, and content

This course includes GRC fundamental concepts, especially as they relate to harmonization topics. It is intended to be an overview of GRC 10.0 and to provide a foundation for GRC300, GRC330, and GRC340, which are deeper dives into Access Control, Process Control, and Risk Management, respectively.

Global Trade Services and Electronic Invoicing for Brazil (NF-e) are not covered in this course beyond an introduction because GTS has its own introductory course. NF-e comes under the umbrella of GTS, so it is not mentioned separately.

While this course is primarily targeted to those new to GRC, it can also be beneficial to experienced consultants who want to increase their business understanding of GRC topics, have more business examples to ground their knowledge, and increase their knowledge of harmonization topics.

Interactivity: To make this course as interactive as possible, please use the polling feature in SAPConnect often. There are suggested questions for the participants in the course, mostly in the early part of the class where there are no exercises. It is recommended that you set up the polling questions prior to the class, unless you are comfortable doing so in the live session. Our environment does not support setting them up to be used for every class, so they must be created prior to each session.

Assessment Questions: To increase participant interaction, you may want to ask them some of the assessment questions at the end of each lesson. They can answer via raised hand, chat, or polling.

Ideally, this course would be taught as two full days online, with breaks for the participants to complete the exercises as they arise. If this class structure is not available, then lecture would take place during the first part of the day, with participants completing the exercises during the latter part of the day outside the live SAPConnect session.

POLLING QUESTION: Ask the class what their goals are for this course. You may want to do this as part of the standard ice-breaker.

Unit 1: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0

This unit introduces the GRC 10.0 solution, its key benefits, and how it helps companies to manage their compliance. It also introduces some examples of compliance regulations to show that compliance is a global challenge, to illustrate the complexity of the compliance management task, and to show how GRC helps to streamline these efforts. Some integrations and their business applications are also covered here.

POLLING QUESTION: Ask the class to share their GRC experience level, both in terms of general compliance and with the SAP BusinessObjects GRC solutions, and whether they are currently working on an active project.

Unit Overview

This unit introduces the GRC solution, presents examples of compliance regulations from various regions of the world, and provides an overview of solution components. GRC convergence and the business benefits of an integrated solution are discussed, as well as how GRC addresses disconnects between risks, policies, and compliance. Solution key features and benefits, as well as integration topics, are also presented.

Unit Objectives

After completing this unit, you will be able to:

• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
• Identify key governance, risk, and compliance processes supported in GRC 10.0
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
• Discuss how particular applications integrate with the GRC 10.0 solution

Unit Contents

Lesson: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
Lesson: GRC Solution Overview
Lesson: GRC Convergence
Lesson: Key Features and Benefits
Lesson: Integration

Lesson: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0

Lesson Duration: 30 Minutes

Lesson Overview

This lesson presents an introduction to SAP BusinessObjects Governance, Risk, and Compliance and how this solution helps companies to proactively balance risk and opportunity. Also presented are compliance initiatives from various regions of the world and the benefits of an integrated solution.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution

This lesson is intended to familiarize participants with types of risk and how our GRC solution helps them to proactively manage their risk and compliance initiatives. A comparison of fragmented governance, risk, and compliance approaches with an integrated approach is presented, along with an overview of some regional compliance initiatives from major world regions.

Business Example

Company policy states that material risks need to be identified, documented and managed to avoid any disruption to business activities and to safeguard the reputation of the company. Some risks can be due to legal regulation, such as:

• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• German Federal Data Protection Act

while others may not be regulated by law but have become the "Standard" or "Best Practice" to remain compliant with other regulations (such as Control Objectives for Information and Related Technology (COBIT) or the IT Infrastructure Library (ITIL)), or risks that are more inherent to a specific industry or company environment (such as Oil and Gas or Mining). The risks can be found in many areas such as business processes and procedures, security and user access, and IT infrastructure and solution administration, just to name a few. SAP BusinessObjects Governance, Risk, and Compliance (GRC) can help to document and manage the prevention and/or detection of the identified risks and also document and manage the mitigation or remediation of the identified risks or issues. This solution can also serve as an audit trail during period-end review processes.

GRC Solution Introduction

Figure 1: Risk

Companies like this realize that risks can have a detrimental impact on performance. They understand the link between risk and performance, and they understand how to optimize their business in light of risks to which they are exposed. The GRC solution helps companies to prevent, manage, and respond to risks.

Leveraging your Governance, Risk, and Compliance programs to optimize performance starts with knowing your business. You must be able to see current and potential risks and compliance violations. For example, Fonterra claims that their thorough knowledge of dairy markets, food safety and trade regulations enables them to satisfy both customer and regulatory needs, wherever they arise in the world. They point to their ability to address trade regulations, whether import or export requirements, as a differentiator when selling.

Figure 2: Meaning for Everyone, Everywhere, Anytime

GRC requirements are pervasive. Knowledge of your business and the related risks and compliance and policy requirements is critical for everyone, everywhere. Regardless of your industry, regardless of where you sit in the organization, there is a set of questions that you are left to answer.

Questions to consider:

• If you are a financial services firm, do your traders consider the risk and regulatory implications before confirming a lucrative trade with an unknown counterparty?
• If you are part of a utility, are you able to stay ahead of complex and changing regulatory requirements?

Imagine how your GRC programs could contribute to optimized performance if you could always answer these questions. You could:

• Leverage your ability to efficiently and successfully deliver your product to customers abroad as a differentiator in your market if you were confident that all supply chain risks and compliance requirements were addressed
• Limit reserves for litigation and reputational losses knowing that employee behavior was in check with policy
• Better inform operational leaders and allow them to make optimized decisions in light of the current state of risk and compliance

Figure 3: The Cost of Not Knowing

The cost can be significant if you:

• Are not able to answer important questions about your business
• Cannot confidently address complex and constantly changing regulatory requirements
• Cannot link your investments in GRC programs to performance

Not being able to do these things results in a variety of potential risk events that have wide-reaching negative impacts. Operational, financial and strategic risks can all contribute to significant losses. So too can access, fraud, and political risks. The impacts range from immediate losses to long-lasting impacts that devalue shareholder equity and market perception.

Figure 4: Proactively Balance Risk and Opportunity

SAP BusinessObjects GRC solutions help companies to proactively balance risk and opportunity through three main concepts:

• Customers can better manage risk, compliance, and other GRC initiatives
• Customers can better protect their value
• Organizations can perform better

Ultimately, the goal is to enable organizations to see all risks and compliance issues so that they can make optimal decisions in light of both the opportunity ahead and the related risks.

Our solutions help companies to balance risk and opportunity through three concepts:

1. First, we allow our customers to better manage their risk, compliance and other GRC initiatives. Automation is really the key here. Our customers are able to automate previously manual and time-consuming tasks and to leverage predefined best practices that are incorporated into our GRC solutions. Customers are able to increase efficiency and reduce the effort and, therefore, the cost of their GRC initiatives. Additionally, automation increases the level of repeatability and objectivity of these efforts and the predictability and reliability of the related risk and compliance information.

2. Secondly, customers can better protect their value: better protect revenue streams, shareholder value and, ultimately, their reputation. Better protection is delivered through automatic and proactive monitoring of key risk indicators and compliance effectiveness. Automated monitoring can inspect any system, SAP or non-SAP, business or IT system. This monitoring is combined with deep analytical capabilities that help business owners and executives understand the impact of a risk or compliance issue. Better protection means that you can limit the impact and duration of risk events and compliance violations. Better protection means that you can prevent risk events from impacting your business.

3. Finally, with SAP's GRC solutions your organization can perform better. Better performance is enabled through risk and compliance activities that are embedded in and aligned with, for example, strategy management and planning. Key risk indicators (KRIs) are aligned with key performance indicators (KPIs) to enable managers and executives to decide with confidence, that is, to make optimal decisions in light of both the opportunity ahead and the related risks. Our customers leverage real-time risk analytics and scenario modeling that help them develop a risk-intelligent approach to managing their strategic business initiatives.

With SAP BusinessObjects GRC solutions, customers can better manage, better protect and better perform. More importantly, customers can link risk to performance and achieve remarkable results. So how does SAP deliver comprehensive capabilities? What exactly is included?

Figure 5: Solution Architecture Capability Model

This solution architecture is a capability model illustrating the broad range of capabilities incorporated in SAP's GRC solutions.

Note: This capability model is not meant to represent the technical architecture in any way.

SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities: Analyze, Manage and Monitor. We have found that customers' successful GRC programs have capabilities and supporting technologies that cross these three areas. SAP has incorporated these three sets of capabilities into our solutions to best support our customers.

1. Manage – GRC management capabilities allow customers to effectively oversee and operate GRC programs. Automation is key to success in this area in order to eliminate redundant tasks, minimize labor and costs, and increase repeatability and objectivity.

2. Monitor – GRC monitoring, really automated monitoring, allows customers to connect to key operational systems in order to measure whether actual outcomes are as expected, intended, desired and required. Monitoring outcomes are used to support ongoing GRC management capabilities. More specifically, automated monitoring contributes to more successful and efficient GRC management. For example, KRI monitoring contributes to more successful risk management.

   SAP believes that successful GRC programs must combine automated GRC management and automated monitoring. The combination of GRC management and monitoring is unique as compared to many GRC best-of-breed providers. SAP is uniquely positioned to provide GRC monitoring for customers that want to monitor outcomes in SAP as well as non-SAP systems.

3. Analyze – Customers can use analytical capabilities provided by SAP to augment their GRC programs. These analytical capabilities allow customers to report, both internally and externally, on the success and status of their programs. Customers can also use advanced analytical capabilities to navigate through risk and compliance information for their entire enterprise.

SAP's GRC solutions are for customers with SAP and/or non-SAP systems. Our monitor layer allows customers to connect to key operational systems – enterprise business applications as well as the underlying IT systems. SAP has a collection of technology partners that enable our customers to extend the value of their GRC investments beyond their SAP business applications. Greenlight is a key partner that enables customers to monitor their non-SAP systems. Other partners, including Novell, CA and others, allow our customers to extend the reach of GRC monitoring deep into their IT infrastructures.

Lastly, through integration with Performance Management we are able to provide for a compliant consolidations process, risk-adjusted strategy and planning, as well as addressing areas like supply chain performance, planning and forecasting, and profitability and cost management. Our overall goal is to provide information about risk and compliance to decision makers so that they can make more well-informed decisions.

Figure 6: Manage, Protect, Perform


SAP BusinessObjects GRC solutions are delivered through four primary solutions that help customers automate risk and compliance, protect their value and optimize their performance:

1. Our Enterprise GRC solution enables risk-intelligent management of enterprise performance, by delivering integrated and automated management and monitoring of risk, compliance and internal control programs. These capabilities help our customers become more efficient, more effective, and more intelligent in how they identify and manage their risk management and compliance programs.

2. Our Access Risk Management solution helps our customers identify and mitigate the critical user access and authorization risks in their key IT systems and business applications, and across core business processes. With Access Risk Management customers can better manage and better protect core systems and applications that support their business processes and strategies.

3. Our Global Trade Services application helps companies better manage global trade operations, ensure ongoing trade compliance, and optimize the cross-border supply chain. This is critical as companies struggle to efficiently and cost-effectively operate in an increasingly global and complex business and regulatory environment.

4. Our Continuous Transaction Monitoring solution enables customers to detect and address errors, policy violations, and potential fraud in underlying business transactions. Customers can decrease the cost of operations, increase insight and visibility into those operations and increase margin contribution.

Figure 7: Enterprise GRC: Risk-Intelligent Management of Enterprise Performance

Companies that are able to build a level of risk intelligence, and leverage this toincrease performance, are able to do so by focusing on the three core capabilitieslisted above.

1. First, they are able to automate the key risk and compliance managementactivities that are, too often, manual, time consuming, resource-intensive,and costly. Automation allows organizations to be much more efficient andeffective across how they manage these activities, which helps increaseperformance.

2. Secondly, customers can leverage real-time monitoring capabilities, inorder to monitor key risk indicators and compliance effectiveness, so thatthey can proactively identify and respond to any increased risk exposure orcompliance violation before the business is negatively impacted. Customersare able to minimize the impact and duration of, if not prevent altogether,risk events and compliance violations.

3. Finally, they are able to incorporate risk and compliance into the strategicplanning and operations processes, so that the core business processes areexecuted in a risk-intelligent manner.

Figure 8: Access Risk Management

Business Challenge

Companies today continue to struggle to effectively manage access risk, with segregation of duties and excessive access rights showing as top contributors to fraud and audit findings. Regulatory requirements increase, often resulting in multiple compliance teams across departments and relying on manual compliance processes. With thousands of users, roles, and processes to test and with multiple compliance applications taxing IT resources, excessive time is spent documenting processes for auditors instead of focusing on business operations. This fragmented and costly approach to managing access risk leads to reactive – rather than proactive – access risk prevention, inefficient compliance processes, and a lack of real-time visibility into access risk.


GRC100 Lesson: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0

Solution

SAP BusinessObjects Access Control addresses these challenges by enabling businesses to confidently manage and reduce access risk across the enterprise. It helps to prevent unauthorized access – including segregation of duties (SoD) and critical access – and achieve real-time visibility into access risk, minimizing the time and cost of access risk management.

The Access Control solution unifies access risk analysis and remediation, business role management, compliant identity management, and emergency privilege management, and provides a holistic, enterprise-wide view in real time. It can help ensure day-to-day compliance, provide comprehensive management oversight, and perform effective and complete audits. The result is an improved ability to protect information and prevent fraud while minimizing the time and cost of access risk management.

Figure 9: Global Trade Services

Today’s global environment is increasingly dynamic and unpredictable – making international trade risky, volatile, and costly. These realities include complex trade compliance demands, fluctuating transportation costs, and increasing cross-border regulations, and drive the need for advanced global trade solutions.

SAP BusinessObjects Global Trade Services helps companies automate trade compliance and accomplish three key goals:

1. Better management of global trade operations
2. Ensure ongoing compliance
3. Optimize the cross-border supply chain


SAP’s Global Trade Services solution helps companies automate trade compliance and accomplish three key goals:

1. First, GTS enables better management of global trade operations by automating many critical trade processes and also integrating directly with supply chain systems. The result: ongoing trade compliance at a reduced effort, time and cost.

2. Second, GTS helps companies to ensure ongoing compliance by providing one comprehensive and integrated global trade compliance solution. Critical capabilities are built in, such as sanctioned-party list screening to avoid inappropriate and illegal trade and the ability to manage multiple global trade compliance programs cohesively.

3. Finally, GTS lets companies optimize the cross-border supply chain by automating and optimizing trade activities to speed transactions and consistently meet customer commitments.

Figure 10: Continuous Transaction Monitoring

GRC’s continuous transaction monitoring solution allows you to identify and correct errors, waste, abuse, policy violations, and potential fraud. These issues can only be revealed through in-depth analysis of transactions that are recorded as business activities are completed. This in-depth analysis allows you to achieve three key benefits:

1. Improve the quality and speed of your business processes
2. Increase insight into business activities
3. Increase margin contribution


More on the three key benefits:

1. First, by identifying these unfortunate problems that can and do occur, you can speed along and increase the quality of your business processes. This allows you to decrease the effort and cost of inspection, increase both throughput and accuracy and, ultimately, reduce the cost of business process operations. Many customers are able to correct problems as they occur. Some go on to identify and eliminate systemic problems that lead to repeated occurrences.

2. Second, customers are able to increase insight into their business activities. This allows them to know and understand what is really happening and, potentially, to identify individual occurrences of policy or procedural violations. This ensures greater transparency and allows customers to drive a change in behavior.

3. Finally, customers are able to increase margin contribution. For example, by reviewing all purchase transactions, customers have been able to buy better, and by reviewing sales orders, they have been able to sell better. This can reduce the cost of goods sold by optimizing revenue, discounts or costs.
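The three benefits above rest on rule-based analysis of transactions that have already been recorded. As an added example that is not part of the SAP course material, the following Python runs three constructed business rules over constructed purchase-to-pay records: duplicate invoices, same-day purchase orders split below an approval limit, and payments made shortly after a vendor's bank details were changed. Every record id, amount, date and threshold is constructed for illustration.

```python
# Added example (not SAP code): business rules run over constructed
# purchase-to-pay records. All ids, amounts, dates and thresholds are constructed.
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 10_000                 # constructed: POs at or above this need a second approver
BANK_CHANGE_WINDOW = timedelta(days=7)  # constructed: review window after a bank-detail change

# Constructed purchase orders: (po_id, requester, vendor, amount, posting date)
PURCHASE_ORDERS = [
    ("PO-1001", "u_smith", "V-77", 6_000, date(2011, 3, 1)),
    ("PO-1002", "u_smith", "V-77", 5_500, date(2011, 3, 1)),
    ("PO-1003", "u_jones", "V-12", 4_000, date(2011, 3, 2)),
]
# Constructed vendor invoices: (doc_id, vendor, vendor reference, amount, posting date)
INVOICES = [
    ("INV-5001", "V-77", "A-100", 6_000, date(2011, 3, 5)),
    ("INV-5002", "V-77", "A-100", 6_000, date(2011, 3, 9)),  # same reference and amount as INV-5001
    ("INV-5003", "V-12", "B-200", 4_000, date(2011, 3, 6)),
]
# Constructed vendor master change log: (vendor, change date, changed by)
BANK_CHANGES = [("V-12", date(2011, 3, 4), "u_jones")]
# Constructed outgoing payments: (pay_id, vendor, amount, payment date)
PAYMENTS = [
    ("PAY-9001", "V-12", 4_000, date(2011, 3, 8)),
    ("PAY-9002", "V-77", 6_000, date(2011, 3, 20)),
]


def rule_duplicate_invoices(invoices):
    """Same vendor, vendor reference and amount posted more than once."""
    seen = defaultdict(list)
    for doc, vendor, ref, amount, _day in invoices:
        seen[(vendor, ref, amount)].append(doc)
    return [("DUP-INV", f"duplicate invoice {ref} for {vendor}", docs)
            for (vendor, ref, _amount), docs in seen.items() if len(docs) > 1]


def rule_split_purchases(pos, limit=APPROVAL_LIMIT):
    """Several same-day POs by one requester to one vendor, each below the
    approval limit but at or above it in total (the second approver is bypassed)."""
    groups = defaultdict(list)
    for po, requester, vendor, amount, day in pos:
        groups[(requester, vendor, day)].append((po, amount))
    findings = []
    for (requester, vendor, day), items in groups.items():
        total = sum(amount for _po, amount in items)
        if len(items) > 1 and all(amount < limit for _po, amount in items) and total >= limit:
            findings.append(("SPLIT-PO", f"{requester} split {total} to {vendor} on {day}",
                             [po for po, _amount in items]))
    return findings


def rule_payment_after_bank_change(payments, changes, window=BANK_CHANGE_WINDOW):
    """Payment made within `window` after the vendor's bank details were changed."""
    findings = []
    for pay, vendor, _amount, day in payments:
        for chg_vendor, chg_day, who in changes:
            if chg_vendor == vendor and chg_day <= day <= chg_day + window:
                days = (day - chg_day).days
                findings.append(("BANK-CHG",
                                 f"{pay} to {vendor} {days} day(s) after bank change by {who}",
                                 [pay]))
    return findings


def run_monitoring():
    """Run every rule; each finding is (rule_id, description, document ids)."""
    return (rule_duplicate_invoices(INVOICES)
            + rule_split_purchases(PURCHASE_ORDERS)
            + rule_payment_after_bank_change(PAYMENTS, BANK_CHANGES))


if __name__ == "__main__":
    for rule_id, text, docs in run_monitoring():
        print(rule_id, text, docs)
```

Each finding carries the rule id and the document ids it rests on, which is what an issue assigned for remediation would be created from. The approval limit and the review window are policy choices and belong in configuration rather than code; the rules themselves only read records that the business process has already written, which is what makes this monitoring rather than prevention.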

Figure 11: The SAP Difference

In summary, some key benefits of the GRC solutions are:

• The most comprehensive set of capabilities available
• Proactive monitoring across key risk indicators and compliance effectiveness
• Solutions are delivered with industry-specific risk, compliance, and process content
• Solutions are proven


In summary, let’s take a look at The SAP Difference and examine some major differentiators for our GRC solutions.

1. As illustrated in our capability model, we have the most comprehensive set of capabilities available. We deliver the broadest capabilities to analyze, manage and monitor activities across risk and compliance management, internal audit, and policy management activities that help our customers better perform, across both SAP and non-SAP systems.

2. We combine comprehensive GRC management capabilities with proactive monitoring across key risk indicators and compliance effectiveness. Proactive monitoring actually allows customers to prevent a risk or violation from occurring in the first place. Our customers are leveraging this ability to proactively monitor risk and compliance effectiveness to focus their time, resources, and investment on executing and managing their core business activities, rather than focusing on reacting to a risk, compliance violation, or loss event that has already occurred.

3. Our solutions are delivered with industry-specific risk, compliance, and process content so that customers can realize value in their GRC investments very quickly, and can manage the risks and regulatory requirements that are specific to them.

4. Finally, our solutions are proven. We have over 2,300 customers. SAP BusinessObjects GRC solutions are enabling our global customers to know their business and optimize performance across virtually every industry by helping them to better manage their GRC programs, to better protect against risk events and, ultimately, to link risk to performance in order to achieve remarkable results.


Regional Compliance Regulations

Figure 12: Compliance Regulations & Standards

Compliance regulations can be specific to a particular region or country or may be applicable to multiple regions. In addition, compliance can also be to international or national standards. These items are not put into regulatory law, but do become best practice to follow or may be required by a particular vendor, as in the case of PCI DSS, which stands for Payment Card Industry Data Security Standard. This is a contractual agreement by the U.S. Payment Card Industry to ensure the safe handling of cardholder information at every step, so it is about security standards for account data protection and not a legal regulation.

Each country has its own custom regulations and financial reporting standards. Below is some additional information about each one listed on the slide, in case you get questions about them in class. This section is just meant to provide examples of regulations and standards and to illustrate that companies are faced with many compliance challenges. It is enough to mention them in a general sense and state the main purpose.

Basel II: International Convergence of Capital Measurement and Capital Standards – A Revised Framework – Regulation by the Basel Committee on Banking Supervision; the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. The purpose of Basel II, which was initially published in June 2004, is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face.


ISSA (Information Systems Security Association) develops Generally Accepted Information Security Principles (GAISP) – This is not a regulatory requirement, but a best-practice guideline. Proven and accepted information security principles are collected and documented in a single repository, helping to create objective guidance for IS professionals, organizations, governments, and users.

WTO - The World Trade Organization (WTO) is the only global international organization dealing with the rules of trade between nations. At its heart are the WTO agreements, negotiated and signed by the bulk of the world’s trading nations and ratified in their parliaments. The goal is to help producers of goods and services, exporters, and importers conduct their business.

There are several countries that have Personal Data Protection Laws and standards. A few examples are listed below:

• Mexico Federal Personal Data Protection Law – Regulation by Mexican Congress
• Argentina Personal Data Protection Act – Regulation by Argentina Congress
• Bosnia Personal Data Protection Act – Regulation by The Parliamentary Assembly of Bosnia and Herzegovina
• PCI DSS (U.S. Payment Card Industry Data Security Standards); Contractual Agreement by Payment Card Industry; ensure the safe handling of cardholder information at every step; this is about security standards for account data protection

RoHS – Restriction of Hazardous Substances Directive; Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment; restricted substances regulations exist on a global and national level.

WEEE – Waste Electrical and Electronic Equipment Directive; collection, recycling, and recovery targets for all types of electrical goods.

Basel Convention: Control of Transboundary Movements of Hazardous Wastes and Their Disposal, usually known simply as the Basel Convention, is an international treaty that was designed to reduce the movements of hazardous waste between nations, and specifically to prevent transfer of hazardous waste from developed to less developed countries.

The Financial Action Task Force (FATF), also known by its French name, Groupe d’action financière (GAFI), is an intergovernmental organization founded in 1989 on the initiative of the G7. The purpose of the FATF is to develop policies to combat money laundering and terrorist financing. The FATF Secretariat is housed at the headquarters of the OECD in Paris. AML/CFT - Since its creation by the G7 in 1989, the Financial Action Task Force (‘FATF’) has spearheaded the effort to adopt and implement measures designed to counter the use of the financial system by criminals. The FATF now includes 33 members, including the Gulf Cooperation Council (‘GCC’), which represents its six member states.


The Group of Eight (G8, and formerly the G6 or Group of Six) is a forum, created by France in 1975,[1] for the governments of six major economies: France, Germany, Italy, Japan, the United Kingdom, and the United States. In 1976, Canada joined the group (thus creating the G7). In 1997, the group added Russia, thus becoming the G8. In addition, the European Union is represented within the G8, but cannot host or chair.[2] "G8" can refer to the member states or to the annual summit meeting of the G8 heads of government. The former term, G6, is now frequently applied to the six most populous countries within the European Union. G8 ministers also meet throughout the year, such as the G7/8 finance ministers (who meet four times a year), G8 foreign ministers, or G8 environment ministers.

The International Organization of Securities Commissions (IOSCO) is an association of organizations that regulate the world’s securities and futures markets. Members are typically the Securities Commission or the main financial regulator from each country. IOSCO has members from over 100 different countries, who regulate more than 90 percent of the world’s securities markets. The organization’s role is to assist its members to promote high standards of regulation and to act as a forum for national regulators to cooperate with each other and with other international organizations.

Figure 13: Regional Compliance Regulations: USA, Canada, Latin America

The Sarbanes Oxley Act of 2002 – Regulation by US Congress; also known as the ‘Public Company Accounting Reform and Investor Protection Act’ (in the Senate) and ‘Corporate and Auditing Accountability and Responsibility Act’ (in the House) and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It is named after sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).


C-SOX or Bill 198: Canada Keeping the Promise for a Strong Economy Act – Regulation by the Canadian Parliament; In Canada, Bill 198 is an Ontario legislative bill effective April 7, 2003, which provides for regulation of securities issued in the province of Ontario. The legislation encompasses many areas. It is perhaps best known for clauses that provide equivalent legislation to the U.S. Sarbanes-Oxley Act to protect investors by improving the accuracy and reliability of corporate disclosures. Thus, it is also known as the "Canadian Sarbanes-Oxley" Act or C-SOX (see-socks).

Internal Controls/Financial Reporting for Brazil: Convergence with International Financial Reporting Standards (IFRS): In pursuit of international convergence with the IFRS, the Group of 20 (G20), which has two members from Latin America (Argentina and Brazil), has committed itself to compel business organizations to adjust their financial reports to meet the IFRS. In the case of Brazil, banks and listed companies are required to converge their consolidated financial statements with the IFRS from December 31, 2010, and their individual statements progressively since January 2008. In the case of Argentina, public companies are required to converge from the year beginning on January 1, 2011.

Decree for Development and Operation of the Maquiladora Industry: Mexico’s maquiladora program makes it possible for companies to bring in components and materials duty-free, which can in turn be exported for sale to the U.S. and other countries. A maquiladora is a Mexican corporation which operates under a maquila program approved for it by the Mexican Secretariat of Commerce and Industrial Development (SECOFI). A maquila program entitles the company, first, to foreign investment participation in the capital -- and in management -- of up to 100% without need of any special authorization; second, it entitles the company to special customs treatment, allowing duty-free temporary import of machinery, equipment, parts and materials, and administrative equipment such as computers and communications devices, subject only to posting a bond guaranteeing that such goods will not remain in Mexico permanently.

Aduana ("Customs") is the Mexican governmental agency charged with the responsibility of controlling importations and exportations to and from Mexico. NAFTA requires that manufacturing companies closely track all shipments and comply with customs regulations. Mexico and the U.S. adhere to the Harmonized Tariff Schedule to describe all goods for duty, quota, and statistical purposes. The NAFTA Agreement requires that the exporter of the U.S. product must complete a certificate of origin to qualify for the reduction or exemption of tariffs.

Decree 1936: With these new regulations, the Argentinean Government seeks to improve its mechanisms to detect illicit money laundering and terrorist financing activities. The new regulations also provide a single governmental entity, the Financial Information Unit (“UIF” for its acronym in Spanish), with the authority to act on behalf of Argentina before certain inter-governmental organizations focused on combating money laundering and terrorist financing activities. In order to avoid inadvertent involvement in, or commission of, money laundering and terrorist financing activities, the new regulations require certain businesses (e.g. some stock exchange market participants, insurance companies, etc.) to file specific “suspicious activities reports” as well as, amongst other obligations, appoint a compliance officer from the administrative body (typically the board of directors) within the organization. Additionally, according to the new regulations all members of the administrative body are jointly and severally liable for any non-compliance with these rules. In cases where the business is not an entity separated from its partners, all partners are jointly and severally liable for said non-compliance.

Figure 14: Regional Compliance Regulations: Europe, Middle East, Africa

European Union 8th Directive; EIGHTH COUNCIL DIRECTIVE of 10 April 1984 based on Article 54 (3) (g) of the Treaty on the approval of persons responsible for carrying out the statutory audits of accounting documents (84/253/EEC); Whereas, under Directive 78/660/EEC (4), the annual accounts of certain types of company must be audited by one or more persons entitled to carry out such audits, from which only the companies mentioned in Article 11 of that Directive may be exempted.

South Africa: New Companies Act of 2007 - South Africa’s new Companies Act aims to provide some recourse for companies in distress, reduce the cost of doing business in the country, promote corporate governance and transparency and empower shareholders.

Lebanon: The new type approval regulations require importers of radio and telecommunications terminal equipment (RTTE) and network infrastructure equipment to have telecommunications import licenses for the class(es) of RTTE and/or network infrastructure equipment that they will import. The regulations also stipulate that approval is granted only to local companies in Lebanon that hold the appropriate license. The regulations also define a series of schemes for conformity assessment of various classes of equipment.


Switzerland: The Swiss Financial Market Supervisory Authority (FINMA) is a public law institution that supervises most banking-related activities as well as securities markets and investment funds.[10] Regulatory authority is derived from the Swiss Financial Market Supervision Act (FINMASA) and Article 98 of the Swiss Federal Constitution.

Egypt: Capital Market Authority (CMA) – Rules governing financial institutions in Egypt include: 1. Bank secrecy, 2. Protecting consumers and investors, transparency, accountability. IOSCO (International Organization of Securities Commissions) had resolved thirty (30) principles in 8 categories to regulate capital markets of member countries, to fulfill the protection of investors. Relevant laws:
• Capital Market Law of 1992
• Central Depository Law of 2000
• Money Laundering Law of 2002
• Law of the Central Bank, the Banking Sector, and Money of 2003

Figure 15: Regional Compliance Regulations: Asia Pacific

J-SOX; The Financial Instruments and Exchange Law (金融商品取引法, Kin’yū shōhin torihiki-hō), promulgated on June 14th, 2006, is the main statute codifying securities law and regulating securities companies in Japan.

Australia Telecommunications Act of 1997 – Regulation by Australian Government; On 1 July 2005 the Australian Communications & Media Authority (ACMA) was formed by the merger of the Australian Communications Authority (ACA) and the Australian Broadcasting Authority (ABA). The ACMA, along with the Australian Competition and Consumer Commission (ACCC), is responsible for regulating the broadcasting industry, the Internet, the telecommunications industry and the radiocommunications industry.

ITA-2000 for India: The Information Technology Act 2000 addressed the following issues:
• Legal Recognition of Electronic Documents
• Legal Recognition of Digital Signatures
• Offenses and Contraventions
• Justice Dispensation Systems for Cybercrimes

ITAA 2008 (Information Technology Amendment Act 2008), as the new version of the Information Technology Act 2000 is often referred to, has provided additional focus on information security. It has added several new sections on offences including cyber terrorism and data protection.

The Singapore Competition Act incorporates three key prohibitions common to most competition law regimes: prohibiting agreements that prevent, restrict, or distort competition in Singapore; prohibiting abusive behavior by firms that hold a dominant position within a market; and prohibiting mergers or anticipated mergers that substantially lessen or have the potential to lessen competition within a market.

New Zealand: All products or machinery requiring installation, maintenance and operation must comply with the Health and Safety in Employment Act 1992. This Act sets regulations to promote the prevention of harm to all people at work, and others in, or in the vicinity of, places of work.

Figure 16: Fragmentation

In many organizations, implementing policies, identifying and measuring risks, and supporting regulatory mandates takes place at the departmental level. The organizational fragmentation resulting from disconnected, departmental activities can result in inconsistent policies, difficulty predicting risk, a lack of enterprise transparency, and duplication of effort.

As an organization increases its collaboration with partners and suppliers, the consequences of organizational fragmentation intensify. The organization will be held accountable for good governance and compliance not only within the confines of its own enterprise, but also across the extended enterprise, so risk increases.


With all these compliance regulations and the complications brought about by globalization, you can see why it is almost impossible to effectively manage compliance in a fragmented way.

Here is a real-world example: One of the well-known global software vendors put a lot of effort into getting and staying SOX-compliant. This initiative was driven by the compliance committee headed by the CFO and CIO. While the SOX initiative was initially successful, the company recently had to announce a delay of their full-year financial results. The reason? Organizational fragmentation: they did not pay attention to their new and complex overlay sales commission plans.

As a consequence, the increase in sales commission expense resulting from this new policy created by the sales organization did not appropriately align commission payments with the company’s overall performance. They did not record an extra $70M in sales commissions properly.

This example shows the fragmentation between governance and compliance initiatives driven by two separate departments. Governance, expressed here as sales policies and compensation plans, was driven by the sales department, while the Sarbanes-Oxley compliance initiative was driven by the compliance committee under the CFO and CIO. The example shows how this fragmentation can cause financial damage, damage to brand and reputation and ultimately loss of shareholder value.

Figure 17: Integrated Governance, Risk, and Compliance

Organizations need an integrated approach if they want to move towards operational excellence. They need an approach that simplifies GRC, not isolated disciplines of each, and that dramatically reduces the cost, provides complete compliance and risk visibility, and easily adapts to change. SAP’s GRC solution embeds GRC into the way companies do business, into every business process, and provides an integrated approach to governance, risk, and compliance initiatives.

SAP’s GRC solution provides an enterprise-wide unified framework that helps to correlate and align all governance, risk, and compliance initiatives. Without this single system of record, organizations are unable to see an enterprise-wide view of their GRC activities, and are unable to take a risk-based approach that satisfies multiple interrelated company initiatives and regulatory mandates. By providing a central repository that is re-usable and flexible, organizations can minimize duplicated efforts, optimize effectiveness, and combat complexity over the long run. To progress beyond mere compliance to real business improvement, enterprises need feedback on inefficiencies, fraud and waste, from all of the stakeholders involved in governance, risk and compliance management.

Business example: A risk manager of a Fortune 1000 pharmaceutical organization shared his concerns about how many times he has to recreate almost identical GRC information for initiatives in different departments or regions. He was wondering if there isn’t a better way to aggregate and correlate relevant information and then “slice and dice” what is needed for one particular initiative.

Without this cross-enterprise insight, management at all levels will never get a chance to use relevant data that is aligned with policies, rules and regulations and put in the context of superior risk intelligence to improve their decisions – and that means countless missed opportunities for improved efficiency and effectiveness, risk/return portfolio optimizations – and ultimately business predictability and shareholder value.

POLLING QUESTION: Ask the class what some of their more difficult compliance issues are and/or about some examples of compliance issues they have encountered.


Lesson Summary

You should now be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution


GRC100 Lesson: GRC Solution Overview

Lesson: 15

GRC Solution Overview
Lesson Duration: 20 Minutes

Lesson Overview
This lesson presents an overview of the GRC 10.0 solution and how each component contributes to encompass people, processes, and products.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify key governance, risk, and compliance processes supported in GRC 10.0

SAP BusinessObjects GRC solutions are designed to support users and enable compliance- and risk-related processes, in many cases across underlying components. This lesson emphasizes the harmonization related to the Risk Management, Process Control and Access Control products.

Business Example
A company is looking for solutions available to assist in managing their Governance, Risk and Compliance (GRC) initiatives. SAP BusinessObjects GRC offers several solutions that will help manage the ability to comply with legal compliance regulations and internal company policies, including:

• Access Control – Segregation of Duties documentation and analysis; security role management; user access management; emergency access management
• Process Control – document, monitor and review processes; document and monitor remediation of issues
• Risk Management – document, monitor, and review Key Risk Indicators (KRIs)
• Global Trade Services – manage and document trade information globally; produce documentation for Customs officials for cross-border shipments
• Electronic Invoicing for Brazil (Nota Fiscal Eletronica) – Brazilian Electronic Invoice requirement


Key Governance, Risk, and Compliance Processes Supported in GRC 10.0

Figure 18: Key Processes: Risk Management Process

The Risk Management process allows the company to identify, mitigate and monitor critical business risks that may have a negative impact on an organization’s performance, goals and objectives. The enterprise risk management (ERM) process allows management to prioritize often scarce resources to mitigate the company’s highest risk areas.

Figure 19: Key Processes: Compliance Management


Compliance Management provides documentation of compliance structures and related compliance initiatives. A risk-based approach to scoping helps focus control evaluation efforts on those control activities with the greatest likelihood of failure and potential negative impact to the enterprise. Compliance evaluations include self-assessments and management assessments using user-definable surveys, as well as manual testing using test plans and automated testing and monitoring using business rules. If exceptions are identified during the evaluation process, issues are created and assigned for remediation. Once identified, users review and determine how the issues will be processed.

Figure 20: Key Processes: Audit Management

Audit Management involves risk-based audit planning, preparation, fieldwork, execution and reporting. This involves use of the SAP NetWeaver Audit Management application, and it is not covered here because of the focus on Risk Management, Process Control and Access Control solutions.


Figure 21: Key Processes: Policy Management

Policy Management provides end-to-end management of corporate policies aligned with risk and compliance management including creation, localization, distribution, and acknowledgement.

Figure 22: Key Processes: Access Risk Management

Access Risk Management provides the ability to manage and monitor user privileges, while ensuring compliance with security policies related to segregation of duties and restriction of critical permissions. You can prevent, monitor and manage access conflicts present at the system, infrastructure, and application levels.


Figure 23: Key Processes: Trade Management

Trade Management involves controlling the cost and risk of international trade by ensuring compliance with global regulations, accelerating trade activity, and minimizing duties. SAP BusinessObjects Electronic Invoicing for Brazil (Nota Fiscal Eletronica) supports companies in complying with the requirements of the Brazilian authorities for electronic invoicing.

At the technology level, different products may be licensed to support these processes. In this course, our focus is on the three components that share some master data, user interface and configuration: Risk Management, Process Control, and Access Control.


Lesson Summary

You should now be able to:

• Identify key governance, risk, and compliance processes supported in GRC 10.0


Lesson: GRC Convergence
Lesson Duration: 15 Minutes

Lesson Overview
This lesson explains why convergence is important and discusses how GRC closes the performance loop when there are disconnects between risks, policies, and compliance.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance

Convergence means coming together from different directions. GRC convergence will help customers reduce costs and risk exposure.

Business Example
This lesson presents an example of a global enterprise that sees an opportunity to grow.

Business Benefits of an Integrated Solution

Figure 24: GRC Convergence Survey Response


In terms of governance, risk and compliance, SAP believes strongly in the topic of convergence, and according to executives from across the world, many of them also find this to be a very relevant topic. In February 2010, KPMG released a global survey on GRC. Working with the Economist Intelligence Unit, they surveyed 542 executives from a wide range of industries and regions, with approximately one third from each major region of the world. One of the very consistent themes that arose in this survey was that almost two thirds of the respondents (64%) said GRC convergence was a priority for their organization. But what does this mean and why is it important?

As was stated in the report and also echoed by many SAP customers, GRC is a topic that has unfortunately gotten too unwieldy in most organizations. As folks try to get their arms around GRC, they find that it is too costly, requires too many resources and leaves them exposed to undue risk. Our customers are telling us that they believe GRC convergence will help them to start addressing these issues by reducing their costs, which is good, but most importantly, reducing their risk exposure and improving the overall performance of their businesses.

Figure 25: Example depicting the importance of GRC Convergence

Leadership sets a strategy to increase penetration in some of the markets that they serve. As in many well-run organizations, when executive leadership says jump, the team jumps. In this example, a variety of related operational initiatives are put into place by different lines of business. Sales and marketing performs analysis to establish and accept a target for the expanded penetration. That analysis is communicated to production planning. That team then makes plans to increase production. The manufacturing team works with strategic sourcing to identify the need for an increased supply of raw materials. They decide on two suppliers for a critical component that, based upon known performance and other factors, can meet the demand. Manufacturing ramps up additional capacity and pushes more product off the line. Distribution works to get the product into the targeted markets. Sales and marketing work to get the product into customers’ hands and, ultimately, achieve success.

Let’s walk through an example that further shows the importance of GRC convergence. In this example, a somewhat typical global enterprise sees an opportunity to grow.

At each step in this process, there are risks that are introduced, there are different compliance requirements, and there are policies associated with each step of the process. In many organizations, this picture will result in new compliance initiatives to address new regulations, another solution or set of solutions for the policies, and then risk management is usually addressed in some individual siloed manner. The bottom line is that it becomes very difficult to get a clear picture in any one of these areas, and almost impossible to get a view of how different activities may impact risks.

Figure 26: Core Issues

Ultimately this brings us to what we see as “the core issue”: How do you close the performance loop when there is a clear disconnect between risks, policies and compliance?

Add to this the complex composition of most modern companies: a myriad of business processes spanning organizations across several regions, coupled with differing compliance requirements, and the answer is unfortunately that you can’t.


First of all, there is a lot of duplication of effort as organizations try to solve this problem, often duplicating activities and technologies in addressing this issue. But even more important is that without getting a clear view into these elements and understanding them, most companies have undue or even catastrophic risks that lurk within that they are unable to identify or remediate.

SAP believes that GRC convergence can help address this problem and is uniquely qualified to deliver solutions to support this movement.

How GRC Addresses Disconnects between Risks, Policies, and Compliance

Figure 27: Comprehensive Approach to GRC

Enterprise GRC refers to a platform that enables organizations to gain visibility into all of their risk and compliance activities, but also more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management and access management.

SAP is committed to enabling customers to realize GRC convergence, a key aspect of which is to ensure that GRC is optimized for SAP, but not tethered to SAP. Many customers maintain hybrid environments or have made the choice for a different business process platform. The GRC 10.0 solution is designed to be tightly integrated to SAP, and can leverage adapters from technology partners and open APIs like web services to loosely work with other platforms as well.

While the application process stack is key, partnering with vendors like CA, Novell, and Sensage extends the GRC platform across the IT stack, including IT infrastructure and applications, which takes into account categories like Identity Management integration.


GRC’s content framework allows close work with both system integrators and technology service providers to provide out-of-the-box content that provides a starting point for customers with specific business scenarios. Through integration with SAP Performance Management, GRC is truly able to close the performance loop by ensuring that risks are tied closely to key performance indicators in the strategic management process, that risk influences the planning or supply chain process, and that controls can be tied to consolidations processes to ensure a compliant close.

When we say Enterprise GRC, we mean a platform that enables organizations to gain visibility into all of their risk and compliance activities, but also more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management and access management.

Today, SAP has many of the elements to enable GRC convergence, and as we move forward we continue to deliver on the promise of enabling our customers to realize GRC convergence. A key aspect of realizing this promise is that our philosophy is to ensure we are optimized for SAP, but not tethered to SAP. We recognize that many of our customers maintain hybrid environments or have made the choice for a different business process platform. SAP GRC is designed to be tightly integrated to SAP, but by leveraging adapters from technology partners and open APIs like web services, GRC can closely work with other platforms as well. Leveraging these real-time adapters, we are enabled to manage controls across Oracle, Peoplesoft, JDEdwards and legacy environments in an identical fashion to how we do it for SAP.

While the application process stack is key to what we do, it only addresses part of the puzzle. Through our open partner ecosystem, we have partnered with vendors like CA, Novell, and Sensage that extend our GRC platform across the IT stack, including IT infrastructure and applications. This takes into account categories like Identity Management where we have partnered with other IDM providers like Novell, IBM and Sun who have taken advantage of our open web services to integrate with our GRC solution.

Further to this strategy is our content framework, which enables us to work closely with both system integrators as well as technology service providers to provide out-of-the-box content that provides a starting point for customers for specific business scenarios. For example, consulting firms like Protiviti and Deloitte have leveraged their life sciences, oil and gas, and utilities expertise to create content identifying top industry risks and controls. Partners like MkDenial provide subscription-based content updates to ensure we have the most up-to-date sanctioned party lists for trade compliance. Lastly, through integration with SAP Performance Management, we are able to truly close the performance loop by ensuring that risks are tied closely to key performance indicators in the strategic management process, that risk information influences the planning or supply chain processes, and that controls can be tied to consolidations processes to ensure a compliant close.


Lesson Summary

You should now be able to:

• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance


Lesson: Key Features and Benefits
Lesson Duration: 25 Minutes

Lesson Overview
This lesson introduces key features and benefits of the GRC 10.0 solution.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify and describe key benefits of enhancements to the GRC 10.0 solution

The purpose of this lesson is to highlight what features make GRC 10.0 important, especially in terms of harmonization.

POLLING QUESTION: Ask the class to share their GRC experience level, both in terms of general compliance and with the SAP BusinessObjects GRC solutions, and if they are currently working on an active project.

Business Example
A company is looking for improved ways to efficiently and effectively manage their Governance, Risk and Compliance areas and to reduce the cost of such an effort. The company is also looking for a more unified platform to reduce the amount of training needed to increase the skills of their workforce, reduce hardware utilization, and to reduce the cost of audit services.

SAP BusinessObjects GRC 10.0 is now on a common platform where Risk Management, Process Control, and Access Control are combined into a single solution with a unified work space and improved reporting and audit trail functionality. The common platform will reduce the amount of time to train users because the user interface is the same across all three of the mentioned solutions and will allow for improved efficiency in IT maintenance. Global Trade Services and Nota Fiscal Eletronica also utilize this platform.


Common Technical Platform

Figure 28: Common Technical Platform Purpose and Value

The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions. Sharing is optional because some customers prefer a “silo approach,” whereas others seek to consolidate and integrate their GRC activities. GRC 10 reduces the total cost of ownership due to lower overall implementation, administrative and maintenance costs, as GRC solutions now leverage a common technology (ABAP) platform and appropriately shared Implementation Guide (IMG).

Figure 29: Common Technical Platform Enhancements and Benefits


GRC solutions are on a common technology platform (NetWeaver + ABAP): AC, PC and RM can be installed on a single NetWeaver ABAP system. GTS and NFe are also on NW ABAP, although they are most frequently installed on a separate server. The SAP NetWeaver Portal component (the Portal) and SAP NetWeaver Business Client software (NWBC) are both supported.

Key master data available for sharing includes organizations and related organization views (AC-PC-RM), internal controls (PC-RM for controls as risk responses, AC-PC for controls to mitigate access risks), risks (PC-RM), and business process hierarchies (AC-PC-RM). Note that the risk catalog used for AC-PC differs from that used for definition of SOD and critical permission access risks.

Shared functions include continuous control monitoring, key risk indicators, SOD and critical access risk analysis, policy management, ad hoc issues, and more. These will be described further in a later unit.

Enhanced Visualization and Streamlined Navigation

Figure 30: Enhanced Visualization and Streamlined Navigation Purpose and Value

Enhanced Visualization and Streamlined Navigation: Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items (for example, one inbox, not three) and facilitates sharing of data and functions.

The menu items that the individual user sees within each work center are controlled by that user’s GRC roles. This also enables data shared across components to be viewed differently by different users.


Example: A user authorized to see organizations for risk management purposes will see tabs related to risk appetites and risk thresholds, which would generally not be available to access management users.

Figure 31: Visualization and Streamlined Navigation Enhancements and Key Benefits

Common look and feel: The separate tabs and navigation for PC and RM have been replaced with common work centers to streamline navigation and eliminate duplicate menu items. For example, whereas previously there was a work inbox for Process Control and a separate one for Risk Management, there is now one shared inbox for Process Control, Risk Management and Access Control. In addition, whereas previously the Access Control product was on a separate platform with a separate UI, it has now been included as part of GRC Solutions with Access Control, Process Control and Risk Management sharing the same interface and many of the same work centers.

SAP Portal or SAP NetWeaver Business Client: Both interfaces are fully supported for all GRC Solutions, allowing the customer to choose how best to deploy the solution for their end users.

Role-based access to applications: Although display of work centers is based upon Portal or NWBC menus, display of subordinate links to application activities is based on the roles assigned to the user. So, for example, a user who has roles that allow him or her to raise ad hoc issues and create risk proposals, but not create access requests, will not see the link to access requests. This not only simplifies the menu structure by user, but it also supports roles that cross components without requiring separate navigation or logins.

Configurable User Interface

Figure 32: Configurable User Interface Purpose and Value

Configurable User Interface allows configuration to determine field status by application components. For example, the organization field “Average Cost per Control” can be shown for those users authorized for Process Control and hidden for those users authorized for Access Control. Field statuses (required field, optional field, displayed, or hidden) can be selected by field by component or even regulation, if applicable. Changes to the field status are reflected in the user interface without requiring programming.


Figure 33: Configurable User Interface Enhancements and Benefits

The configurable user interface allows customers to configure without programming:

1. Which fields are relevant to regulations, or even to specific regulations
2. Which fields are relevant to each underlying component
3. Which fields should be mandatory, optional, or hidden
4. Which fields can be changed locally and which must be maintained centrally.

For Process Control, the assignment of subprocess to organization has been made more flexible to allow local editing of some fields in a control while disallowing editing of other fields.


The configurable User Interface allows customers to configure without programming:

1. Which fields are relevant to regulations, or even to specific regulations. In the example above, the Level of Evidence and Control Relevance fields are marked as being specific to regulation. That is, there might be a different value for each of these fields based upon the regulation.

2. Which fields are relevant to each underlying component. For example, in the last screen shot above, the Cost per Control field can be made relevant to PC, RM, AC or all underlying components.

3. Which fields should be mandatory, optional or hidden. In the example above, the Cost per Control field is marked as optional.

4. Which fields can be changed locally and which must be maintained centrally. For PC, the assignment of subprocess to organization has been made more flexible to allow local editing of some fields in a control while disallowing editing of other fields. For example, a customer might decide that organizations are not allowed to change the description of a control, but they may change the frequency of operation or even the test plan for that control.
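The four configuration choices above can be modelled in code. The following Python is an added illustration, not SAP code and not the GRC 10.0 (ABAP) implementation: the field names, components, regulation codes and statuses are constructed, and the precedence order (regulation-specific status over component-specific status over the default) is an assumption made for the example.

```python
"""Configurable field status as described above: a field's status (required,
optional, display or hidden) is resolved per application component and, where
applicable, per regulation, and a field is either centrally or locally
maintained. Added illustration, not SAP code; all names and values constructed."""
from dataclasses import dataclass, field

REQUIRED, OPTIONAL, DISPLAY, HIDDEN = "required", "optional", "display", "hidden"


@dataclass
class FieldConfig:
    name: str
    default: str = OPTIONAL
    by_component: dict = field(default_factory=dict)   # e.g. {"PC": OPTIONAL}
    by_regulation: dict = field(default_factory=dict)  # e.g. {"SOX": REQUIRED}
    central: bool = True  # centrally maintained: local organizations cannot change it


# Constructed configuration for a control record. The two regulation-specific
# fields and the Cost per Control field follow the text above; their statuses
# and the regulation codes are assumptions for the example.
CONTROL_FIELDS = {
    "description": FieldConfig("description", REQUIRED),
    "cost_per_control": FieldConfig("cost_per_control", HIDDEN,
                                    by_component={"PC": OPTIONAL}),
    "level_of_evidence": FieldConfig("level_of_evidence", HIDDEN,
                                     by_regulation={"SOX": REQUIRED, "FDA": OPTIONAL}),
    "control_relevance": FieldConfig("control_relevance", HIDDEN,
                                     by_regulation={"SOX": REQUIRED}),
    "frequency": FieldConfig("frequency", REQUIRED, central=False),
    "test_plan": FieldConfig("test_plan", OPTIONAL, central=False),
}


def resolve_status(cfg, component, regulation=None):
    """Assumed precedence: regulation-specific, then component-specific, then default."""
    if regulation is not None and regulation in cfg.by_regulation:
        return cfg.by_regulation[regulation]
    return cfg.by_component.get(component, cfg.default)


def visible_fields(fields, component, regulation=None):
    """The fields the UI renders for this component/regulation, with their status."""
    result = {}
    for name, cfg in fields.items():
        status = resolve_status(cfg, component, regulation)
        if status != HIDDEN:
            result[name] = status
    return result


def validate_record(fields, record, component, regulation=None):
    """Problems with a record as entered: required fields missing, or values
    supplied for fields that are hidden or display-only in this context."""
    problems = []
    for name, cfg in fields.items():
        status = resolve_status(cfg, component, regulation)
        present = record.get(name) not in (None, "")
        if status == REQUIRED and not present:
            problems.append(f"{name}: required for {component}/{regulation or 'all'}")
        elif status in (HIDDEN, DISPLAY) and name in record:
            problems.append(f"{name}: not editable ({status})")
    return problems


def apply_local_change(fields, central_record, local_changes):
    """Organization-level edit: only locally maintainable fields may diverge
    from the central record. Returns (merged record, rejected field names)."""
    rejected = sorted(n for n in local_changes if n not in fields or fields[n].central)
    merged = dict(central_record)
    merged.update({n: v for n, v in local_changes.items() if n not in rejected})
    return merged, rejected
```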

Improved Reporting

Figure 34: Improved Reporting Purpose and Value

Improved Reporting: GRC reporting leverages the SAP BusinessSuite ABAP List Viewer (ALV)-Crystal integration framework to present and personalize ABAP (WebDynpro) reports and convert them into Crystal reports. This lowers total cost of ownership and extends the benefits and functionality of Crystal without the need for a separate SAP BusinessObjects Enterprise server.


Figure 35: Reporting Enhancements and Benefits

Improved Reporting:

• Existing reports have been refined based on customer feedback to make them more usable and to facilitate exception management for continuous control monitoring.
• Dashboard technology enables reporting across all continuous monitoring results and exceptions for better visibility and to facilitate remediation for continuous monitoring.
• The SAP BusinessObjects Enterprise server is now optional for use of the Crystal Reports framework.


Enhanced Policy Management

Figure 36: Enhanced Policy Management Purpose and Value

Enhanced Policy Management: Policy Management provides complete lifecycle management for corporate policies, and it aligns policies with risk and compliance management activities. Effective policy management reduces enterprise risk and improves corporate governance with management guidance for the organization’s behavior, actions, and decision-making processes.

Figure 37: Policy Management Enhancements and Benefits


As a common function, Policy Management is available to customers who purchase Process Control or Risk Management. In a compliance scenario, a policy could be related to organizations, processes, risks and controls. As part of enterprise risk management, the policy might be used as a risk response and be related also to organizations and activities. In general, adherence to policies can be measured with acknowledgements, surveys and/or quizzes.

There will be more details about Policy Management in a later unit and in the Process Control class.

Enhanced Business Rule Framework

Figure 38: Enhanced Business Rule Framework Purpose and Value

Enhanced Business Rules for Automated Testing and Monitoring: The enhanced, user-configurable rule engine gives customers maximum flexibility in defining their automated rules. You can now monitor a much wider range of back end systems, consume data from non-SAP systems without needing third-party tools, process asynchronous events, and automatically analyze SAP Basis change logs.


Figure 39: Business Rule Framework Enhancements and Benefits

The enhanced business rule framework:

• Empowers business users by reducing dependency on IT resources
• Lessens the load on expensive IT resources
• Provides repeatable and sustainable monitoring, thus increasing efficiency and effectiveness

Scalable analysis:

• Enables reuse of data sources for multiple analyses – define once, use multiple times

• Multiple data source options allow simple to complex analysis without IT dependency

• Direct access to SAP tables with business-friendly view of data
• Common rules interface for all varieties of data sources
• Business-user friendly definition of back end data sources

Intuitive Rule Building and Enhanced Rule Logic:

• Easy-to-use guided activity to build and configure business rules
• Use of filters and condition clauses to access only data needed
• Enhanced deficiency-identification logic options
• Change log reconstruction for master data and configuration change monitoring


Content Lifecycle Management

Figure 40: Content Lifecycle Management Purpose and Value

Content Lifecycle Management (CLM) supports check-in, version control, comparisons, and deployment of packaged content. CLM also formalizes the ability to export structured content out to Excel and check changes back in, an enormous productivity boost for initial implementations, getting content into GRC from legacy or reference systems, periodic updates, and expanding implementations.

Figure 41: Content Lifecycle Management Solution Enhancements and Benefits


Key Benefits

1. For initial deployment and subsequent changes - Speed of Continuous Monitoring implementation - Facilitates testing of business rules prior to large-scale changes; for instance, after mergers and acquisitions or regulatory changes.

2. Change management controls for business users – business users making the changes - This is important for data integrity and has an impact for continuous monitoring implementation. (Enables packaging together of compatible content, rolling back to earlier versions, tracking authors, ownership and branding of content.)

3. Change management detective control - Enforce standardized rules across organizations.

4. Enable customers to work with partners to address customer-specific continuous monitoring content requirements (for example, industry-specific continuous monitoring)


Lesson Summary

You should now be able to:

• Identify and describe key benefits of enhancements to the GRC 10.0 solution


Lesson: Integration
Lesson Duration: 30 Minutes

Lesson Overview
This lesson introduces an overview of various integrations to and within the GRC 10.0 solution.

Lesson Objectives
After completing this lesson, you will be able to:

• Discuss how particular applications integrate with the GRC 10.0 solution

In this lesson, the intent is to focus on the AC, PC, and RM-specific integrations. GTS and NF-e integrations are not covered in this material because this class is recommended before taking the AC, PC, or RM implementation and configuration classes.

Business Example
1. Your organization is using SAP BusinessObjects Access Control 10.0 Analyze and Manage Access Risk. You want to use SoD analysis results automatically, weekly or monthly to mitigate a risk identified in Process Control.

2. Handling some responses for risks appears to be a complicated and time-consuming process with a lot of resources involved. Therefore, having projects in the appropriate SAP application (Project System) based on such responses is a good way to track response status and completeness.

3. During the internal and external auditing of this fiscal year, auditors address compliance and operational problems outside of the control evaluation cycle. These issues need to be documented and tracked for the improvement of the organizational compliance status.

Creating an issue helps to speed up the identification of risk that may lead to putting timely actions in place to mitigate exposure. Timely issue resolution prevents spending excessive amounts of time and effort in resolving any negative impacts that the delay of resolution may lead to.

Integration Overview
The GRC 10.0 solution integrates with several other systems and applications, both across the solution and for specific solution components.


Figure 42: GRC 10.0 Solution Integration Overview

Access Control Integration

Figure 43: Access Control Integration Overview

In this section, we’ll look at Access Control integrations with Process Control, Risk Management, HR Triggers and Identity Management (IdM).


Access Control Integration for Shared Master Data

Figure 44: Access Control Integration for Shared Master Data

Shared Organization Hierarchy

With a shared organization hierarchy, you can:

• Centrally maintain organizations and organization hierarchy
• Use one organization hierarchy in Access Control, Process Control, and Risk Management solutions
• Access to organization hierarchy is possible from Access Control, Process Control, and Risk Management solutions
• Maintain different views of organization structures to adapt it to your needs

Mitigating Controls

You can create mitigating controls within Access Control from the Analysis Results screen after executing User Risk Analysis. You can also create mitigating controls from the Process Control user interface with Business Processes. To create from Process Control:

1. Add a mitigating control ID
2. Assign an access risk, mitigation monitor, and mitigation approver
3. Now this control can be utilized in Access Control for mitigating an access risk
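A model of the SoD user risk analysis described under Access Risk Management earlier in this unit, together with the mitigating-control checks implied by steps 1 to 3 above, as an added illustration. This is not SAP Access Control code: the risk catalog, functions, roles, transaction codes and users are all constructed, and the completeness rule (a control mitigates a finding only when it names a known access risk, a mitigation monitor and a mitigation approver) is an assumption of the example.

```python
"""Segregation-of-duties (SoD) user risk analysis with mitigating controls,
modelling the Access Control / Process Control sharing described above.
Added illustration, not SAP Access Control code: every identifier, role,
transaction code grouping and sample user below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRisk:
    """A risk is violated when a user holds every function in `functions`.
    A single-function risk models a critical-permission risk."""
    risk_id: str
    description: str
    functions: frozenset


@dataclass(frozen=True)
class MitigatingControl:
    """As created from Process Control: control ID, the access risk it
    mitigates, and a mitigation monitor and approver (steps 1 to 3 above)."""
    control_id: str
    risk_id: str
    monitor: str
    approver: str


# Constructed catalog: functions are sets of actions, roles grant actions.
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02"},   # maintain vendor master
    "VENDOR_PAY": {"F110"},             # run vendor payments
    "USER_ADMIN": {"SU01"},             # maintain user accounts
}
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BASIS_USER": {"SU01"},
}
RISK_CATALOG = {
    "P001": AccessRisk("P001", "Maintain vendor master and pay vendors",
                       frozenset({"VENDOR_MAINT", "VENDOR_PAY"})),
    "B001": AccessRisk("B001", "Critical: user administration",
                       frozenset({"USER_ADMIN"})),
}


def functions_held(roles, role_actions=ROLE_ACTIONS, functions=FUNCTIONS):
    """A function is held when the user's roles cover all of its actions."""
    actions = set()
    for role in roles:
        actions |= role_actions.get(role, set())
    return {name for name, acts in functions.items() if acts <= actions}


def control_problems(ctrl, catalog=RISK_CATALOG):
    """A mitigating control is usable only if complete and tied to a known risk."""
    problems = []
    if ctrl.risk_id not in catalog:
        problems.append(f"{ctrl.control_id}: unknown access risk {ctrl.risk_id}")
    if not ctrl.monitor:
        problems.append(f"{ctrl.control_id}: no mitigation monitor")
    if not ctrl.approver:
        problems.append(f"{ctrl.control_id}: no mitigation approver")
    return problems


def user_risk_analysis(user_roles, controls, assignments, catalog=RISK_CATALOG):
    """user_roles: {user: [role, ...]}; controls: {control_id: MitigatingControl};
    assignments: {(user, risk_id): control_id}.
    Returns one finding per (user, violated risk), flagged mitigated or not."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        held = functions_held(roles)
        for risk in catalog.values():
            if not risk.functions <= held:
                continue
            ctrl = controls.get(assignments.get((user, risk.risk_id)))
            # A control mitigates only if it targets this exact risk and is complete.
            mitigated = (ctrl is not None and ctrl.risk_id == risk.risk_id
                         and not control_problems(ctrl, catalog))
            findings.append({"user": user, "risk_id": risk.risk_id,
                             "mitigated": mitigated,
                             "control_id": ctrl.control_id if mitigated else None})
    return findings


def run_sample():
    """Constructed users and control assignments exercising each outcome."""
    controls = {
        "MC-100": MitigatingControl("MC-100", "P001", monitor="bob", approver="carol"),
        "MC-200": MitigatingControl("MC-200", "P001", monitor="bob", approver=""),
    }
    user_roles = {
        "alice": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],   # P001, mitigated by MC-100
        "dave": ["Z_AP_PAYMENTS"],                   # no conflict
        "erin": ["Z_BASIS_USER"],                    # B001, unmitigated
        "frank": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],   # P001, MC-200 incomplete
    }
    assignments = {("alice", "P001"): "MC-100", ("frank", "P001"): "MC-200"}
    return user_risk_analysis(user_roles, controls, assignments)


if __name__ == "__main__":
    for f in run_sample():
        status = f"mitigated by {f['control_id']}" if f["mitigated"] else "OPEN"
        print(f"{f['user']}: {f['risk_id']} {status}")
```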

Organization Views


To add an organization view, from the back-end system, execute Transaction SPRO, then choose SAP Reference IMG → Governance, Risk, and Compliance → Shared Master Data Settings → Maintain Organization Views → Maintain Organization Views Configuration

Note: While creating more entries with the same name, but a different application component, you can specify for which of the components the hierarchy should be used.

Users and Owners

Owners are responsible for the correctness of risks, roles, mitigating controls, and so on. These owners have different responsibilities throughout Access Control; however, only Mitigation Monitors and Mitigation Approvers may be assigned to controls and are therefore shared with Process Control and Risk Management.

Access Control Integration: HR Triggers
The HR Triggers functionality of Access Control 10.0 allows the creation of automatic access requests, corresponding to changes in master data in SAP or Non-SAP HR systems. When an event is triggered in the SAP HR system, such as hiring a new employee, rules are applied and a corresponding action to create a workflow request is initiated in Access Control. The request can be processed through workflow and can be provisioned to the back-end system by direct assignment or indirect assignment.

The configuration of HR Triggers in Access Control 10.0 includes the configuration of actions, rules, and field mapping.

Note: Users do not need to complete an access request form.

Access Control HR Triggers functionality allows the creation of automated requests based upon changes in an HR system. Home ABAP screen → Execute Transaction SPRO → SAP Reference IMG → Governance, Risk, and Compliance → Access Control → User Provisioning → Maintain Settings for HR Trigger


Figure 45: HR Integration Process Flow

HR Triggers Process Flow Overview

1. User is maintained in the HR system
2. A change in the HR system triggers a call to a function module in the GRC system to create the request (GRAC_GET_HR_TRIGGER_DATA)
3. The information is presented to the HR Trigger BRFplus rules and evaluated
4. Based on the BRF rules created in the GRC system, the changes are evaluated and the BRF rules return results that correspond to the actions maintained in the IMG settings for HR triggers

Additional information about the process flow overview:

• The HR Actions configuration contains the request information attributes (for example, Request Type or Request Priority) that will be passed to the Access Request. These settings also include the update areas for each HR Action (for example, Address Information or Parameters).

• The necessary information is obtained from the HR system and the request is automatically submitted. The request will act like any other request that is manually submitted from this point forward.
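The flow above, as an added illustration (constructed example code, not SAP's): an HR master-data change is evaluated against a stand-in for the BRFplus rules, the matching HR Action supplies the request attributes and update areas, and the mapped HR fields populate the access request that is then submitted into the normal workflow. The action keys, field names and rule logic are assumptions made for this example.

```python
"""Constructed model of the HR Trigger flow (example code, not SAP's).

The real product evaluates HR changes with BRFplus rules and takes request
attributes from the HR Actions maintained in the IMG; here both are small
in-memory tables so the flow can be run and inspected offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# HR Actions as maintained in the IMG settings: request attributes passed to
# the Access Request plus the update areas for each action (constructed).
HR_ACTIONS: Dict[str, dict] = {
    "NEW_HIRE": {"request_type": "NEW", "priority": "HIGH",
                 "update_areas": ["Address Information", "Parameters"]},
    "ORG_TRANSFER": {"request_type": "CHANGE", "priority": "MEDIUM",
                     "update_areas": ["Parameters"]},
    "TERMINATION": {"request_type": "DELETE", "priority": "HIGH",
                    "update_areas": []},
}

# Field mapping: HR master-data field -> access request field (constructed).
FIELD_MAPPING: Dict[str, str] = {
    "PERNR": "employee_id", "ENAME": "full_name",
    "ORGEH": "org_unit", "PLANS": "position",
}


@dataclass
class HREvent:
    """One master-data change handed over from the HR system."""
    action: str                                   # e.g. HIRE, TRANSFER, LEAVE
    fields: Dict[str, str]                        # values after the change
    old_fields: Dict[str, str] = field(default_factory=dict)  # values before


def evaluate_rules(event: HREvent) -> Optional[str]:
    """Stand-in for BRFplus rule evaluation: HR Action key, or None if no
    rule fires (then no access request is created)."""
    if event.action == "HIRE":
        return "NEW_HIRE"
    if event.action == "LEAVE":
        return "TERMINATION"
    if event.action == "TRANSFER":
        # Only an org-unit change is access relevant here; a transfer that
        # keeps the same org unit creates no request.
        if event.fields.get("ORGEH") != event.old_fields.get("ORGEH"):
            return "ORG_TRANSFER"
    return None


def map_fields(hr_fields: Dict[str, str]) -> Dict[str, str]:
    """Apply the field mapping to whatever HR fields are present."""
    return {req: hr_fields[hr] for hr, req in FIELD_MAPPING.items()
            if hr in hr_fields}


def create_access_request(event: HREvent) -> Optional[dict]:
    """Build the request an HR Trigger submits automatically.

    No request form is filled in by a user: every attribute comes from the
    HR Action and the mapped HR fields. From here on the request behaves
    like any manually submitted request in the approval workflow.
    """
    action_key = evaluate_rules(event)
    if action_key is None:
        return None
    action = HR_ACTIONS[action_key]
    request = {
        "hr_action": action_key,
        "request_type": action["request_type"],
        "priority": action["priority"],
        "update_areas": list(action["update_areas"]),
        "source": "HR_TRIGGER",
        "status": "SUBMITTED",  # enters the normal approval workflow
    }
    request.update(map_fields(event.fields))
    return request


def process_hr_events(events: List[HREvent]) -> List[dict]:
    """Evaluate a batch of HR changes; return only the requests created."""
    return [r for r in (create_access_request(e) for e in events)
            if r is not None]


if __name__ == "__main__":
    # Constructed sample events; employee numbers and org units are fake.
    sample = [
        HREvent("HIRE", {"PERNR": "00001234", "ENAME": "Constructed User",
                         "ORGEH": "50001000", "PLANS": "60002000"}),
        HREvent("TRANSFER", {"PERNR": "00001234", "ORGEH": "50001000"},
                {"ORGEH": "50001000"}),  # same org unit: no request
        HREvent("TRANSFER", {"PERNR": "00001234", "ORGEH": "50002000"},
                {"ORGEH": "50001000"}),  # org unit changed: CHANGE request
        HREvent("LEAVE", {"PERNR": "00001234"}),
    ]
    for req in process_hr_events(sample):
        print(req["hr_action"], req["request_type"], req.get("org_unit"))
```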

Access Control and Identity Management (IdM) Integration Overview

Identity Management (IdM) solutions provide the key infrastructure to manage user accounts in multiple back-end systems. Access Control currently provides integration with IdM solutions for enterprise-wide, compliant provisioning.


The integration of Access Control and Identity Management enables customers to deploy an automated, business- and risk-driven Access Control solution enterprise-wide. With this solution, business owners can control access, security posture and risk based on business-relevant values without requiring the domain-specific knowledge for each of the IT systems.

GRC Access Control provides robust integration with IdM solutions and continues to focus on its core competencies of risk, SoD and remediation. To support this strategy, Access Control integrates with market-leading IdM vendors such as SUN and Novell, and is integrated with and optimized for SAP NetWeaver IdM.

User Provisioning Scenarios with IdM Integration

Two scenarios are supported: GRC-driven provisioning and IdM-driven provisioning.

Figure 46: Access Control - Identity Management Supported Scenarios

GRC-driven provisioning is initiated in GRC, provisioned by GRC for SAP systems, and provisioned in IdM for non-SAP systems. IdM-driven provisioning is initiated in IdM, submitted to GRC through Web Services, provisioned by GRC for SAP systems, and provisioned in IdM for non-SAP systems.

GRC-Driven Provisioning:

1. Provisioning request is initiated in Access Control
2. Request follows the approval workflow and is provisioned in GRC for all SAP systems
3. For non-SAP systems, the request is passed to IdM for provisioning action


IdM-Driven Provisioning:

1. Provisioning request is initiated in IdM
2. Request is submitted to GRC using WSDL based Web Service interface
3. Request follows the approval workflow and is provisioned in GRC for all SAP systems
4. For non-SAP systems, the request is passed to IdM for provisioning action

Figure 47: GRC-Driven Provisioning Process Flow

GRC-Driven Provisioning Process Flow:

1. User logs in to GRC and creates an access request
2. The request follows the approval process
3. Access Risk Analysis and remediation can be done in GRC for requested roles
4. The approver either approves or rejects the request. If approved, access to SAP systems is provisioned by GRC and non-SAP requests are sent to IdM for provisioning.


Figure 48: IdM-Driven Provisioning

IdM-Driven Provisioning Process Flow:

1. User logs in to IdM, creates an access request and submits it to GRC.
2. The request follows the approval process in GRC
3. Access Risk Analysis and remediation can be done in GRC for requested roles
4. The approver either approves or rejects the request. If approved, access to SAP systems is provisioned by GRC and non-SAP requests are sent to IdM for provisioning.

Process Control Integration

Process Control Integration Overview

Integrations for Process Control 10.0 include:

• Process Integration
• SoD Integration


Figure 49: Process Integration

Process Integration allows you to monitor deficiencies in other systems. The Process Integration Proxy must be completed before you can proceed on the portal.

Complete the following steps to configure Process Integration:

1. Create Process Integration Data Source
2. Create Process Integration Business Rule
3. Create Business Rule Assignment
4. Schedule job in Automated Monitoring
5. View result in Job Monitor


Figure 50: Process Integration Job Result

Configure Process Integration, then create an automated monitoring job to test for control deficiencies. Results appear both in the Job Monitor and as a workflow task if the deficiency is high or medium.

Process Control - SoD Integration

If you identify a risk in Process Control, you can use Access Control’s SoD analysis results to mitigate that risk.

Figure 51: SoD Integration


Complete the following steps to configure SoD Integration:

1. Create Data Source for SoD Integration
2. Create Business Rule for SoD Integration
3. Finish Business Rule Assignment
4. Create job in Automated Monitoring
5. View Job Step result for SoD Integration in Job Monitor

Note: You must have the appropriate authorization to view these results.

Figure 52: View Job Step Result for SoD Integration in Job Monitor

The monitor allows you to see all job results without receiving a task.

Figure 53: View Job Step Related Data in Job Monitor


You have access to the same hyperlinks the person receiving a workflow task receives.

Figure 54: Prerequisites for SoD Integration

Before you can complete the SoD Integration, you must have completed all the steps listed above. Multiple role owners will have to complete these steps, or someone with GRC_ALL.

Risk Management Integration

Risk Management integrates with several other systems to help users identify and manage risk from one location.

Figure 55: Risk Management Integration Overview

Risk Management - SAP Project System Integration

Project System Integration allows you to:

• Trigger automatic creation of project definition in Project Systems from Risk Management
• Track the status of the project definition from the remote Project Systems system


A Risk Manager is not required to have any Project System background to create a project out of a Risk Management response. The project is actually maintained by a Project Manager or another responsible person, and Risk Managers may only track the current status of the project they created. Current status is obtained by a periodic background job. The Risk Manager just opens the response.

Figure 56: Integration with project system: Process Flow

The diagram above shows the process flow between Risk Management and SAP Project Systems. Process Overview:

1. Go to Assessments → Risks and Opportunities
2. Open a risk (or create a new one), then go to the Response Plans tab and create a new response.
3. Specify response name, description, automation, response type, and actual start date
4. Submit the response
5. Save/Submit the risk
6. Open the risk again and check the response. If everything is OK, automation status is PS project: Created, and the project is assigned to a response as a context object under the Context tab.

Note: Prerequisites include defining automation settings and Response Type. We recommend using a response type from those you create as a prerequisite task; otherwise the project will be created with the default profile. By specifying Response Type, you select the project profile for the project you create.


Plant Maintenance Integration

Some responses for risks require that service, maintenance, or quality inspection procedures be performed on the technical objects or fixed assets. Therefore, automatic creation of Plant Maintenance notifications directly from Risk Management can be helpful in this regard.

Figure 57: Risk Management Integration with Plant Maintenance

The Risk manager is not required to have any Plant Maintenance background to create a notification out of a Risk Management response. A notification is actually processed by a Plant Maintenance manager or another responsible person, and the Risk manager may only track the current status of the notification created. Current status is obtained by a periodic background job. To see this, the Risk manager just opens the response.

Figure 58: Response Automation - Integration with SAP Plant Maintenance: Process Flow


Above is the process flow between Risk Management 10.0 and SAP Plant Maintenance. Process overview:

1. Go to Assessments → Risk and Opportunities
2. Open a risk (or create a new one), then go to the Response Plans tab and create a new response
3. Specify response name, description, automation response type, and actual start date. By specifying the response type you select the type of Plant Maintenance notification. In the ’Context’ tab specify technical object (equipment/functional location) and/or material from the Plant Maintenance system.
4. Submit the response
5. Save/Submit the risk

Environmental Health & Safety Integration

Some enterprise risks can be related to the environment and worker safety. SAP has a separate solution, Environmental Health & Safety, where such risks can be processed by solution-specific mechanisms that are absent in operational risk management. Having these risks in Risk Management as well allows users to track all the enterprise risks with one application (Risk Management). Analysis Automation creates an Environmental Health & Safety risk assessment out of a risk analysis in Risk Management, tracks its probability and severity values, and replicates them to the corresponding analysis parameters according to the rules predefined in Customizing.


Figure 59: Environmental Health & Safety Integration Overview

Note: A Risk manager is not required to have any Environmental Health & Safety background to create an Environmental Health & Safety risk assessment out of a risk analysis. The Risk Assessment is actually processed by an Environmental Health & Safety manager or another responsible person, and a Risk manager may only track the current probability and impact level of the risk he or she created. Current values are obtained by a periodic background job. To see this, the Risk manager just opens the analysis.

Figure 60: Analysis Automation - Integration with Environmental Health & Safety: Process Flow


Above is the process flow between Risk Management 10.0 and SAP Environmental Health & Safety. Process Overview:

1. Go to Assessments → Risks and Opportunities
2. Create a new risk
3. Enter risk name
4. Specify risk category
5. Create impact for risk

Risk Management - Issue Management Integration

Issue Management allows the management of issues identified outside of the standard testing and assessment process.

Figure 61: Issue Management Integration

Features include:

• Enables reporting process for risk and compliance related issues outside of standard evaluation processes
• Supports central categorization and management of issues
• Allows flexible determination of appropriate responses/remediation procedures
• Provides enterprise-wide visibility of issues and their remediation statuses

Note: Ad Hoc issues can be created during the Aggregation of Deficiencies and Sign-Off level, but currently are not considered. If you create an issue while working these tasks, you do not get an error message.

Policy Management Integration

You can set up automatic updates of response completeness for all responses created based on the policy. Each time the policy status is updated, the response completeness is updated accordingly.


If you would like to customize automatic response completeness update based on policy status, execute Transaction SPRO, then choose Risk Management → Response and Enhancement Plan → Responses for Policies → Link Policy Status and Response Completeness. Then execute the task Policy Status and Response Completeness link.

Each time the policy status is changed, the risk response completeness is updated. For example, a response was created based on a policy. The policy status is Draft, therefore the response completeness was set to 25%.

You can also customize e-mail notification on completeness update. The e-mail notification is sent to the response owner when the completeness reaches 100%. The notification is controlled by the Notification on Policy Update check box in the Response Maintenance screen.


Lesson Summary

You should now be able to:
• Discuss how particular applications integrate with the GRC 10.0 solution


Unit Summary

You should now be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
• Identify key governance, risk, and compliance processes supported in GRC 10.0
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
• Discuss how particular applications integrate with the GRC 10.0 solution


Test Your Knowledge

1. How can you begin to leverage your Governance, Risk, and Compliance programs to optimize performance?
Choose the correct answer(s).
□ A Know your business
□ B Know business-related risks
□ C Know compliance and policy requirements
□ D Know what reserves your company has for litigation

2. SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities:
Choose the correct answer(s).
□ A Avoid
□ B Analyze
□ C Monitor
□ D Manage

3. Continuous Transaction Monitoring helps you to confidently manage and reduce access risk enterprise-wide.
Determine whether this statement is true or false.
□ True
□ False

4. Continuous Transaction Monitoring provides protection against fraud, waste, misuse, and errors.
Determine whether this statement is true or false.
□ True
□ False

5. Compliance regulations can be specific to a particular region or country, or may be applicable to multiple regions.
Determine whether this statement is true or false.
□ True
□ False

6. Implementing policies and supporting regulatory mandates at the departmental level is an example of ________.
Fill in the blanks to complete the sentence.


7. The Enterprise Risk Management process allows management to prioritize scarce resources to mitigate the company’s highest risk areas.
Determine whether this statement is true or false.
□ True
□ False

8. Which component in the SAP BusinessObjects GRC solution supports Compliance Management by providing documentation of compliance structures and related compliance initiatives?
Choose the correct answer(s).
□ A Risk Management
□ B Access Control
□ C Process Control
□ D Global Trade Services

9. Which component in the SAP BusinessObjects GRC solution provides the ability to manage and monitor user privileges?
Choose the correct answer(s).
□ A Risk Management
□ B Access Control
□ C Process Control
□ D Global Trade Services

10. When it comes to managing governance, risk, and compliance efforts, GRC Convergence helps companies:
Choose the correct answer(s).
□ A Reduce costs and required resources
□ B Reduce risk exposure
□ C Reduce reporting requirements
□ D Improve overall business performance

11. Enterprise GRC enables organizations to more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management, and access management.
Determine whether this statement is true or false.
□ True
□ False


12. The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions because some customers prefer a silo approach.
Determine whether this statement is true or false.
□ True
□ False

13. Streamlined user navigation with shared work centers emphasizes each component rather than function.
Determine whether this statement is true or false.
□ True
□ False

14. The Configurable User Interface allows configuration to determine:
Choose the correct answer(s).
□ A Field status by application components
□ B Field status by regulation
□ C A and B
□ D None of the above; programming is required

15. Considering the business use and purpose of the Access Control solution, which of the following would be logical integrations?
Choose the correct answer(s).
□ A HR Triggers
□ B SAP Issue Management
□ C Identity Management
□ D SAP Crystal Reports

16. SoD Integration is between which solution components?
Choose the correct answer(s).
□ A Process Control and Risk Management
□ B Access Control and Risk Management
□ C Process Control and Access Control
□ D Process Control, Access Control, and Risk Management


17. With a shared organization hierarchy, you can configure whether an organization view is used for one solution component or shared between all GRC components.
Determine whether this statement is true or false.
□ True
□ False


Answers

1. How can you begin to leverage your Governance, Risk, and Compliance programs to optimize performance?

Answer: A, B, C

Knowledge of your business, related risks, and compliance and policy requirements is the starting point for leveraging your Governance, Risk, and Compliance programs to optimize performance.

2. SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities:

Answer: B, C, D

Analyze, Manage, and Monitor are the three main areas of capabilities.

3. Continuous Transaction Monitoring helps you to confidently manage and reduce access risk enterprise-wide.

Answer: False

The statement is false. Access Risk Management helps you to confidently manage and reduce access risk enterprise-wide.

4. Continuous Transaction Monitoring provides protection against fraud, waste, misuse, and errors.

Answer: True

The statement is true.

5. Compliance regulations can be specific to a particular region or country, or may be applicable to multiple regions.

Answer: True

The statement is true.

6. Implementing policies and supporting regulatory mandates at the departmental level is an example of fragmentation.

Answer: fragmentation

Implementing policies and supporting regulatory mandates at the departmental level is an example of fragmentation.


7. The Enterprise Risk Management process allows management to prioritize scarce resources to mitigate the company’s highest risk areas.

Answer: True

The statement is true.

8. Which component in the SAP BusinessObjects GRC solution supports Compliance Management by providing documentation of compliance structures and related compliance initiatives?

Answer: C

The correct answer is Process Control.

9. Which component in the SAP BusinessObjects GRC solution provides the ability to manage and monitor user privileges?

Answer: B

The answer is Access Control.

10. When it comes to managing governance, risk, and compliance efforts, GRC Convergence helps companies:

Answer: A, B, D

GRC Convergence helps companies reduce costs and required resources, reduce risk exposure, and improve overall business performance.

11. Enterprise GRC enables organizations to more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management, and access management.

Answer: True

The statement is true.

12. The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions because some customers prefer a silo approach.

Answer: True

The statement is true.


13. Streamlined user navigation with shared work centers emphasizes each component rather than function.

Answer: False

Streamlined user navigation with shared work centers emphasizes function rather than component.

14. The Configurable User Interface allows configuration to determine:

Answer: C

The Configurable User Interface allows configuration to determine field status by application components and by regulation.

15. Considering the business use and purpose of the Access Control solution, which of the following would be logical integrations?

Answer: A, C, D

HR Triggers, Identity Management, and SAP Crystal Reports are all logical integrations with the Access Control solution.

16. SoD Integration is between which solution components?

Answer: C

SoD Integration is between Process Control and Access Control.

17. With a shared organization hierarchy, you can configure whether an organization view is used for one solution component or shared between all GRC components.

Answer: True

The statement is true.


Unit 2: Information Architecture, Security and Authorizations

The important points in this unit are the harmonized information architecture and how users can access all of the GRC applications from one interface. Also, authorizations are important because they determine what users will see in terms of work centers and work sets within each work center. Users will only see what they are authorized to see, which should only be what they need to perform their work.

Unit Overview

This unit describes the GRC 10.0 information architecture and harmonization goals of that architecture. In addition, authorization concepts and role requirements are discussed, as they relate to the user interface.

Unit Objectives

After completing this unit, you will be able to:

• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface

Unit Contents

Lesson: Information Architecture ... 84
Exercise 1: Connect to the System and View IMG Structure ... 89
Lesson: Security and Authorizations ... 96
Exercise 2: View Role Assignments ... 103


Lesson: Information Architecture
Lesson Duration: 15 Minutes

Lesson Overview

This lesson presents the information architecture for the GRC 10.0 solution.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture

In this brief lesson, the goal is to communicate what information architecture is, give an example, and explain why GRC 10.0 is presented as it is.

Business Example

You want to do some online shopping and access a retailer’s web site to get started. The buttons, tabs, and other navigation items that you see in the user interface represent the information architecture.

The Importance of the Information Architecture

Figure 62: Information Architecture Example


The information architecture (IA) determines the presentation of user interface elements:

• Menu structure
• Tabs
• Navigation alternatives

The IA presents the application or solution to its users and defines much of the initial user experience.

Information Architecture Example: This example, courtesy of Amazon.com, shows the type of information architecture and user experience most of us are familiar with for on-line purchasing.

Note the left-hand navigation menus that are based upon departments and subordinate categories of purchases. The Search drop-down allows filtering by departments while searching for key words or product names. Direct links such as Today’s Deals are used to highlight and provide quick access to specials.

This is personalized by the user without programming.

Harmonization Goals of the Information Architecture

Goals of information architecture harmonization include:

• Providing a consistent user experience across GRC
• Optimizing for users of multiple GRC applications by minimizing redundancy and streamlining navigation.
• Enhancing the user experience while providing users the tools needed to do their job.

Figure 63: Information Architecture Harmonization

The goal of information architecture harmonization for GRC solutions is to provide an easier and more consistent user experience for users who may interact with multiple GRC products.


Major Changes to the Information Architecture

Figure 64: Prior Information Architecture: PC 3.0, RM 3.0, and AC 5.3

In these screen samples from prior versions, navigation is separate for each component. This required that users with cross-product responsibilities navigate each application separately, and even log in multiple times if Access Control, Process Control, and Risk Management were used. This also resulted in multiple inboxes, multiple document searches, and so on.

The GRC 10.0 Information Architecture:

• Provides direct navigation to Access Control, Process Control and Risk Management components.
• Eliminates redundant menu items.
• Varies based upon user authorization.
• Allows configuration changes for the SAP NetWeaver Portal component or SAP NetWeaver Business Client software.


Figure 65: GRC 10.0 Information Architecture in SAP NetWeaver Portal Component

This is an excerpt of the updated information architecture as seen in the SAP NetWeaver Portal component by a user with authorization crossing multiple underlying components. As an example of streamlining, note that there is a single shared work inbox (no longer multiple inboxes) for AC, PC and RM. The user navigates the work centers (tabs) based upon the tasks they need to perform or the data they need to access, not the product they wish to use. This better supports the concept of GRC convergence and facilitates appropriate sharing of data and functions. We provide a brief UI tour in the next lesson.

The contents of the work centers vary based upon the user’s authorization. The screen example above has more navigation items than the average user’s screen.


SAP provides default menu configurations delivered with the software. Menu changes for the SAP NetWeaver Portal component or the SAP NetWeaver Business Client software are technical topics that are not covered in these materials.

Figure 66: GRC 10.0 Information Architecture in the SAP NetWeaver Business Client

This is a similar look at the information architecture, this time as seen in the SAP NetWeaver Business Client software.

Please demonstrate or review the key steps in the exercise.


Exercise 1: Connect to the System and View IMG Structure
Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
• Connect to the training environment
• Log on to the GRC 10.0 system ABAP client, NWBC and SAP GUI
• Identify high-level nodes for IMG Customizing

Business Example

You must connect to the training environment before you can log on to the GRC 10.0 system for this course. You will use the ABAP client and the NetWeaver Business Client (or SAP GUI) to perform various tasks.

From the ABAP client view, you will access the IMG, where customizing activities are performed, and view its high-level structure.

System Data
System: ZMC
Client: 800
User ID: Included in exercise step instructions
Password: Included in exercise step instructions
Set up instructions:

1. Set up is complete in master system.

Task 1: Connect to the Training Environment.1. Open a browser window and enter http://mywts.sap.com in the

address bar.

2. Choose EMEA, then choose Training under CORP.

3. Enter the logon and password provided by your instructor.

Task 2: Connect to the Remote Desktop1. Click Start → Run. Enter mstsc.exe in the Run dialog box, then click OK.

2. Enter the system name provided by your instructor, then click Connect.

3. Enter Train-XX as your user name, where XX is your Participant ID. Enterpassword initial.

Continued on next page

2011 © 2011 SAP AG. All rights reserved. 89

Page 100: Grc100 en col96_fv_inst_a4

Unit 2: Information Architecture, Security and Authorizations GRC100

4. Click OK in the Language Dialog box.

Task 3: Log On to the GRC 10.0 ABAP Client.1. Click Start → SAP Logon.

Note: If you do not see the Start button in the lower left corner, youmay need to maximize the Remote Desktop window.

2. Choose ZMC, then click Log On.

3. Enter User ID XX_Custom, where XX is your Participant ID. Enterpassword initial, then click the system OK icon or press Enter.

4. Note the user menu items displayed for your User ID.

Task 4: Access the IMG for Customizing Activities1. Enter Transaction SPRO in the transaction field, then click the system OK

icon.

2. Click SAP Reference IMG.

3. Expand the Governance, Risk, and Compliance node.

4. View the nodes listed here. This is where you perform customizing activitiesand maintain configuration settings for the GRC solution. Note thatthere are nodes for shared configuration settings as well as for solutioncomponent-specific configuration settings.

Task 5: Log on to the NetWeaver Business Client1. Enter NWBC (/nnwbc) in the transaction entry field, then click the system

OK icon.

2. On the Launch NetWeaver Business Client screen, choose /nwbc.

3. Click through the various work centers and note the work sets under each one.

Task 6: Log On via the SAP GUI1. Log out of the NWBC, then re-execute /nnwbc from the ABAP client.

2. On the Launch NetWeaver Business Client screen, copy the address of thepage, ending with the forward slash after nwbc. What you copy should besimilar to this: http://wdfbmt2299.wdf.sap.corp:51080/nwbc/

3. From the Remote Desktop Start menu, choose Start → Programs → SAPNWBC → Version 3.0 → NetWeaver Business Client.

4. Click the New icon for a new connection.

Continued on next page

90 © 2011 SAP AG. All rights reserved. 2011

Page 101: Grc100 en col96_fv_inst_a4

GRC100 Lesson: Information Architecture

5. Enter the following information:

Note: For the URL, paste the one you copied.

Data Data Value

Name ZMC

URL http:wdf-bmt2299.wdf.sap.corp:51080/nwbc/

Type ABAP

Client 800

Language EN

6. Click OK when finished.

7. You can now use this SAP GUI to logon to NWBC.

Note: You can still logon to NWBC by using the Steps 1 - 5 of thisexercise.

ResultYou should now be able to access and logon to the training environment,remote desktop, ABAP client, IMG, and SAP GUI.


Solution 1: Connect to the System and View IMG Structure

Task 1: Connect to the Training Environment.
1. Open a browser window and enter http://mywts.sap.com in the address bar.

2. Choose EMEA, then choose Training under CORP.

3. Enter the logon and password provided by your instructor.

Task 2: Connect to the Remote Desktop
1. Click Start → Run. Enter mstsc.exe in the Run dialog box, then click OK.

2. Enter the system name provided by your instructor, then click Connect.

3. Enter Train-XX as your user name, where XX is your Participant ID. Enter password initial.

4. Click OK in the Language Dialog box.

Task 3: Log On to the GRC 10.0 ABAP Client.
1. Click Start → SAP Logon.

Note: If you do not see the Start button in the lower left corner, you may need to maximize the Remote Desktop window.

2. Choose ZMC, then click Log On.

3. Enter User ID XX_Custom, where XX is your Participant ID. Enter password initial, then click the system OK icon or press Enter.

4. Note the user menu items displayed for your User ID.

Task 4: Access the IMG for Customizing Activities
1. Enter Transaction SPRO in the transaction field, then click the system OK icon.

2. Click SAP Reference IMG.

3. Expand the Governance, Risk, and Compliance node.

4. View the nodes listed here. This is where you perform customizing activities and maintain configuration settings for the GRC solution. Note that there are nodes for shared configuration settings as well as for solution component-specific configuration settings.

Task 5: Log on to the NetWeaver Business Client
1. Enter NWBC (/nnwbc) in the transaction entry field, then click the system OK icon.

2. On the Launch NetWeaver Business Client screen, choose /nwbc.

3. Click through the various work centers and note the work sets under each one.

Task 6: Log On via the SAP GUI
1. Log out of the NWBC, then re-execute /nnwbc from the ABAP client.

2. On the Launch NetWeaver Business Client screen, copy the address of the page, ending with the forward slash after nwbc. What you copy should be similar to this: http://wdfbmt2299.wdf.sap.corp:51080/nwbc/

3. From the Remote Desktop Start menu, choose Start → Programs → SAP NWBC → Version 3.0 → NetWeaver Business Client.

4. Click the New icon for a new connection.

5. Enter the following information:

Note: For the URL, paste the one you copied.

Data        Data Value
Name        ZMC
URL         http://wdfbmt2299.wdf.sap.corp:51080/nwbc/ (the address you copied)
Type        ABAP
Client      800
Language    EN

6. Click OK when finished.

7. You can now use this desktop NetWeaver Business Client connection to log on to NWBC.

Note: You can still log on to NWBC by using Steps 1 - 5 of this exercise.

Result
You should now be able to access and log on to the training environment, remote desktop, ABAP client, IMG, and SAP GUI.


Lesson Summary

You should now be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture


Lesson: Security and Authorizations
Lesson Duration: 15 Minutes

Lesson Overview
This lesson presents high-level authorization engine changes for GRC 10.0 and explains what types of authorizations are used for different components. It also identifies key roles and how they are used, as well as what controls the user interface from an authorization perspective.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface


Business Example
A company segregates its access risk management based upon a specific attribute of a user (User Group, Company, Connector ID) and wishes to limit the items that a reviewer can view. SAP BusinessObjects GRC 10.0 contains permission (authorization object) level security to help limit the data that a user can access, whether in view-only or maintenance mode. This also drives what the user can reach in terms of Work Centers (both in general and what can be accessed within a Work Center) and Reports.


Authorization Overview

Figure 67: Authorization Changes for GRC 10.0

Additional information and technical details can be found in each application's Security Guide.

Figure 68: GRC 10.0 Access and IMG Configuration

PFCG refers to the SAP NetWeaver transaction that deals with role maintenance and profile generation.

In general, this is similar in concept to what was done in prior versions, except that SAP BusinessObjects Access Control 10.0 is now on the SAP NetWeaver ABAP Server, and that the SAP NetWeaver Business Client software is now a supported alternative for front-end presentation.


Figure 69: Process Control or Risk Management Access

The entity-level authorizations are done in the Access tab in the role assignments or at the object level.

Ticket-based authorization covers any tasks that do not have a direct role assignment made to them. Examples of ticket-based authorizations are remediation tasks and issue tasks. For example, when the issue owner assigns an owner to a remediation task, that remediation task owner is authorized just for that task. Once the task is submitted and closed, the authorization is gone.

Figure 70: GRC Solutions and Access Control

SoD risk analysis can be performed on the GRC system only for PFCG role authorizations. It cannot be performed for entity-level authorizations. For example, you can specify that a tester cannot also be a control owner (PC) or a risk owner (RM), but this will not take entity authorizations into account. That is, if you wanted to allow the tester of Control XYZ in Organization ABC to own controls or risks in Organization DEF, that is not supported with current functionality.
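The following Python model is an added illustration of the limitation just described; it is not SAP code and does not call any GRC API. It contrasts the role-level check that Access Control can run (a conflict between two PFCG roles, whatever entities they are used for) with an entity-scoped check that the product does not offer. Two constructed users hold the same pair of PFCG roles, so the role-level analysis cannot tell them apart, even though only one of them tests and owns the same control in the same organization. All role, organization and control names (the Z_ PFCG roles, ABC/DEF, CONTROL_XYZ) are invented for the example.

```python
# Added illustration (not SAP code): the gap between PFCG-role-level SoD
# analysis, which Access Control performs, and entity-level analysis, which
# it does not. All role, organization and control names are invented.
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class EntityAssignment:
    """One entity-level role assignment made inside the PC/RM application."""
    role: str    # entity role, e.g. "TESTER" or "CONTROL_OWNER"
    org: str     # organization the assignment is scoped to
    entity: str  # control or risk within that organization


@dataclass
class User:
    name: str
    pfcg_roles: Set[str] = field(default_factory=set)
    entity_assignments: List[EntityAssignment] = field(default_factory=list)


# Hypothetical customer PFCG role names (Z_ namespace). An access risk is
# defined on co-assignment of roles (or their actions/permissions), nothing finer.
PFCG_RISKS = {
    ("Z_PC_TESTER", "Z_PC_CONTROL_OWNER"),
    ("Z_PC_TESTER", "Z_RM_RISK_OWNER"),
}

# The same conflicts expressed on the entity roles assigned in the application.
ENTITY_RISKS = {("TESTER", "CONTROL_OWNER"), ("TESTER", "RISK_OWNER")}


def pfcg_sod_violations(user: User) -> List[Tuple[str, str]]:
    """Role-level analysis: what AC can evaluate on the GRC system itself."""
    return sorted(pair for pair in PFCG_RISKS if set(pair) <= user.pfcg_roles)


def entity_sod_violations(user: User, same_org_only: bool = True):
    """Entity-level analysis. AC does not perform this; the function stands in
    for the compensating check a customer would script over an export of the
    role assignments (for example from GRC Role Assignments).
    With same_org_only=True, testing a control in ABC while owning one in DEF
    is tolerated; with False every tester/owner pair is reported."""
    hits = []
    for tester in user.entity_assignments:
        for owner in user.entity_assignments:
            if (tester.role, owner.role) not in ENTITY_RISKS:
                continue
            if same_org_only and tester.org != owner.org:
                continue
            hits.append((tester, owner))
    return hits


def example_users():
    """Constructed sample data: both users hold the same two PFCG roles, but
    only BOB tests and owns the same control in the same organization."""
    alice = User("ALICE", {"Z_PC_TESTER", "Z_PC_CONTROL_OWNER"}, [
        EntityAssignment("TESTER", "ABC", "CONTROL_XYZ"),
        EntityAssignment("CONTROL_OWNER", "DEF", "CONTROL_QRS"),
    ])
    bob = User("BOB", {"Z_PC_TESTER", "Z_PC_CONTROL_OWNER"}, [
        EntityAssignment("TESTER", "ABC", "CONTROL_XYZ"),
        EntityAssignment("CONTROL_OWNER", "ABC", "CONTROL_XYZ"),
    ])
    return {"ALICE": alice, "BOB": bob}


if __name__ == "__main__":
    for user in example_users().values():
        print(user.name,
              "PFCG-level:", pfcg_sod_violations(user),
              "entity-level (same org):", len(entity_sod_violations(user)))
```

The role-level result is identical for both users, which is exactly why a PFCG-only rule set either blocks the cross-organization arrangement the text mentions or, if the roles are split to avoid that, stops seeing the real same-organization conflict. Either way the entity-level review has to be done outside the SoD engine.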


Figure 71: Authorization Types by Component

This is a more visual representation of what was presented on the prior slides. As in PC and RM 3.0, PFCG model roles are assigned to business entities (such as organizations, controls, and local risks in RM) within the IMG, and assignment of users to the role for a particular entity is done in the application (such as a control owner for Control XYZ within Organization ABC). This enables business users with appropriate access to directly assign entity-level authorization. Again, as a reminder, PC ticket-based authorizations are not configured but instead are granted during transfer of workflow to a substitute or the next processor.

IMG → Governance, Risk, and Compliance → General Settings → Authorizations → Maintain Entity Role Assignment


Figure 72: Key Roles

The above are some key roles for GRC 10.0, most of which can be customized by the technical user. For details, please see each application's Security Guide.

Authorizations and the User Interface

Figure 73: What Can You See?


The above shows the My Home work center as displayed in the SAP NetWeaver Portal component. The look would be similar, but not identical, in the SAP NetWeaver Business Client (NWBC) software.

1. Work centers are defined in PCD roles for the Portal and in PFCG roles for NWBC. The work centers are fixed in each base role. SAP delivers these roles, but they can be modified by the customer.

2. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application. You may see this in the IMG configuration.

3. The service map is then generated dynamically based upon user authorization. That is, if the user does not have authorization to see given application folders or applications, they will be hidden from view (not grayed out).

IMG → Governance, Risk, and Compliance → General Settings → Maintain Customer Specific Menus → Configure LaunchPad for Menus

Consult the IMG and NetWeaver documentation for more information about SAP NetWeaver LaunchPad.

Figure 74: Reminder About How What you See is Determined

As a reminder, what the end user sees is determined by a combination of factors, as shown above.

• The product licensing determines access to components
• The UI framework configuration controls what fields are displayed to each underlying component
• Roles/authorizations determine more granular access, all the way down to individual business entities (such as Control XYZ in Organization ABC) in the case of Process Control and Risk Management.


Please demonstrate or review the key steps in the exercise.


Exercise 2: View Role Assignments
Exercise Duration: 20 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Locate and review role assignments for business subprocesses via GRC Role Assignment
• Locate and review role assignments for business subprocesses via Organizations

Business Example
To access specific Process Control or Risk Management data or transactions, you must ensure that entity-level authorizations are assigned within the application. This will permit actions on specific entities, such as organizations, processes, subprocesses, controls, and risks.

System Data
System: ZMC
Client: 800
User ID: XX_CUSTOM
Password: Reset in the first exercise by participants; was initial
Set up instructions:

1. System is already set up for this exercise.

Task 1: Review Role Assignments in the Access Management Work Center
Review role assignments for business subprocesses via GRC Role Assignment in the Access Management work center.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Execute Transaction NWBC (/nnwbc).

3. Choose /nwbc.

4. Choose Business Processes located under GRC Role Assignments in the Access Management work center.

5. Enter a time frame of Year 2011, then click Apply.

6. Choose the Subprocess role level.

7. Accept the default value of Yes for Show Cross-Regulation Roles.

8. Add a filter for Organizations. Choose 00-GRC General Accounting.

9. Choose Next to continue to the Assign Roles section.

10. Review the roles assigned to the subprocesses, which are listed under the Object header. On this screen, you will see role assignments for Access Control, Process Control, and Risk Management. A white space in the role column means that no role is assigned.

11. Roles have been assigned, so do not save your changes. Click Cancel to exit.

Task 2: Review Role Assignments in the Master Data Work Center
Review role assignments for business subprocesses via Organizations in the Master Data work center.

1. Navigate to the Master Data work center.

2. Choose Organizations under the Organizations work set.

3. Choose any organization from the list, then click Open. Note that the triangle next to the organization means that there are sub-organizations, and the dot next to the organization means that it is the lowest level. Use today's date.

4. Choose the Subprocess tab, then click Assign Subprocess.

5. Choose one or more subprocess(es) from the list, then click Next.

6. Without making any changes, click Next on both the Shared Services Used and Shared Services Offered steps.

7. Change the Allow Local Changes value to Yes, then click Next.

8. Without making any changes, click Finish on the Select Controls step.

9. Choose the first subprocess from the list, then click Open. You should see the Subprocess details.

10. Click the Roles tab. Choose a role from the list, then click Assign.

11. Select the XX_CUSTOM user from the list, where XX is your Participant ID, then click OK.

12. You should now see XX_CUSTOM listed under the Name column next to the subprocess you chose.

13. Normally you would Save your changes, but for the purposes of this exercise, choose Cancel. Do not Save your changes.


Solution 2: View Role Assignments

Task 1: Review Role Assignments in the Access Management Work Center
Review role assignments for business subprocesses via GRC Role Assignment in the Access Management work center.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Execute Transaction NWBC (/nnwbc).

3. Choose /nwbc.

4. Choose Business Processes located under GRC Role Assignments in the Access Management work center.

a) Choose Access Management → GRC Role Assignments → Business Processes

5. Enter a time frame of Year 2011, then click Apply.

6. Choose the Subprocess role level.

7. Accept the default value of Yes for Show Cross-Regulation Roles.

8. Add a filter for Organizations. Choose 00-GRC General Accounting.

a) Choose Add next to Organizations.

b) Choose the organization 00-GRC General Accounting, then click the Right arrow to move this organization to the Selected list.

c) Click OK.

9. Choose Next to continue to the Assign Roles section.

10. Review the roles assigned to the subprocesses, which are listed under the Object header. On this screen, you will see role assignments for Access Control, Process Control, and Risk Management. A white space in the role column means that no role is assigned.

11. Roles have been assigned, so do not save your changes. Click Cancel to exit.

Task 2: Review Role Assignments in the Master Data Work Center
Review role assignments for business subprocesses via Organizations in the Master Data work center.

1. Navigate to the Master Data work center.

2. Choose Organizations under the Organizations work set.

3. Choose any organization from the list, then click Open. Note that the triangle next to the organization means that there are sub-organizations, and the dot next to the organization means that it is the lowest level. Use today's date.

4. Choose the Subprocess tab, then click Assign Subprocess.

5. Choose one or more subprocess(es) from the list, then click Next.

6. Without making any changes, click Next on both the Shared Services Used and Shared Services Offered steps.

7. Change the Allow Local Changes value to Yes, then click Next.

8. Without making any changes, click Finish on the Select Controls step.

9. Choose the first subprocess from the list, then click Open. You should see the Subprocess details.

10. Click the Roles tab. Choose a role from the list, then click Assign.

11. Select the XX_CUSTOM user from the list, where XX is your Participant ID, then click OK.

12. You should now see XX_CUSTOM listed under the Name column next to the subprocess you chose.

13. Normally you would Save your changes, but for the purposes of this exercise, choose Cancel. Do not Save your changes.


Lesson Summary

You should now be able to:
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface


Unit Summary
You should now be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface



Test Your Knowledge

1. The ________ determines the presentation of user interface elements.
Fill in the blanks to complete the sentence.

2. A key feature of the GRC 10.0 information architecture is:
Choose the correct answer(s).
□ A Separate work inboxes for each solution component
□ B A single shared work inbox for all solution components
□ C A single shared work inbox for Process Control and Risk Management
□ D A single shared work inbox for Process Control and Access Control

3. Users navigate the work centers based upon the tasks they need to perform or the data they need to access, not the product they wish to use.
Determine whether this statement is true or false.
□ True
□ False

4. While authorization concepts are similar to prior releases, changes in GRC 10.0 solutions required enhancements to the ________ engine.
Fill in the blanks to complete the sentence.

5. To access GRC 10.0 solutions, you must have at least the following: 1. Portal authorization or NWBC authorization; 2. Applicable PFCG base roles; and 3. PFCG role(s) relative to specific components (AC, PC, RM).
Determine whether this statement is true or false.
□ True
□ False

6. If you use Access Control 10.0 with other GRC solution components, you can leverage this functionality to:
Choose the correct answer(s).
□ A Create GRC users
□ B Assign and manage PFCG roles used with GRC
□ C Perform SoD analysis for PFCG role authorizations
□ D Perform SoD analysis for entity-level authorization

7. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application.
Determine whether this statement is true or false.
□ True
□ False

8. Which of the following determine what users see in the GRC 10.0 user interface?
Choose the correct answer(s).
□ A Product Licensing
□ B User Interface Framework Configuration
□ C Roles and Authorizations
□ D Work Centers


Answers

1. The information architecture determines the presentation of user interface elements.

Answer: information architecture

The correct answer is information architecture.

2. A key feature of the GRC 10.0 information architecture is:

Answer: B

A key feature of the GRC 10.0 information architecture is a single shared work inbox for all solution components.

3. Users navigate the work centers based upon the tasks they need to perform or the data they need to access, not the product they wish to use.

Answer: True

The statement is true.

4. While authorization concepts are similar to prior releases, changes in GRC 10.0 solutions required enhancements to the authorization engine.

Answer: authorization

The answer is authorization.

5. To access GRC 10.0 solutions, you must have at least the following: 1. Portal authorization or NWBC authorization; 2. Applicable PFCG base roles; and 3. PFCG role(s) relative to specific components (AC, PC, RM).

Answer: True

The statement is true.

6. If you use Access Control 10.0 with other GRC solution components, you can leverage this functionality to:

Answer: A, B, C

SoD risk analysis cannot be performed for entity-level authorization.

7. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application.

Answer: True

The statement is true.

8. Which of the following determine what users see in the GRC 10.0 user interface?

Answer: A, B, C

Product licensing, the user interface framework configuration, and roles and authorizations determine what users see in the GRC 10.0 user interface.


Unit 3: The GRC 10.0 User Interface

The unit gives participants a chance to tour the user interface and learn about the purpose of each work center, each of which contains a grouping of related functionality.

Unit Overview
This unit presents an overview of work centers, including their purpose and use. Harmonized navigation concepts are discussed, as well as how authorizations affect what users can view and access. Hands-on activities include navigating the work centers and assigning a delegate.

Unit Objectives
After completing this unit, you will be able to:

• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management

Unit Contents
Lesson: Work Centers ... 116
Exercise 3: Navigate the Work Centers and Assign a Delegate ... 129
Lesson: Harmonized Navigation in the GRC 10.0 Portal ... 137
Exercise 4: Harmonized Navigation ... 141


Lesson: Work Centers
Lesson Duration: 45 Minutes

Lesson Overview
This lesson introduces work centers and their purpose.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal

In this lesson, introduce the GRC 10.0 work centers and discuss the purpose and functions of each one. It is recommended to go into the live system and display each work center as you point out its important aspects. Then you can teach from the text for each section.

Business Example
A user in SAP BusinessObjects GRC 10.0 is responsible for managing several different areas of the solution. Utilizing the Work Center concept, the user can navigate easily to the specific area that is desired and have similar actions available on the screen. This helps the user find the specific task more efficiently and also makes it easier to manage the security between different types of users.

Work Centers Overview
Work centers provide a central access point for GRC 10.0. They can be organized based on what the customer has been licensed to operate. Delivered work centers are shown below.


Figure 75: Work Centers in GRC 10.0

The default delivered system contains the work centers displayed above. However, your system administrator can customize the work centers to support your organization's preferred structures. Depending on the products that you have licensed, different components of the GRC solution are displayed (Access Control, Process Control, or Risk Management).

As explained earlier, the information architecture has been enhanced to leverage the same work centers and navigation across the GRC solution, rather than completely separating the components as was done in the prior product versions. Next, we'll look at some details about each work center.

My Home Work Center
The My Home work center allows you to:

• View, access, and perform workflow tasks assigned to you, including viewing completed reports that you scheduled.
• Perform document searches across all documents (including document content) for which you have authorization.
• Assign delegates to perform your tasks or activities.
• View and process your user data.

The service maps and applications under each work center are controlled by your access. If you are a delegate and choose to work as that person, you will inherit their authorization.


Figure 76: My Home Work Center in the Portal

My Home provides a central location to view and act on your assigned tasks and accessible objects: organizations, processes, subprocesses, and controls. Depending on the products you have licensed, the My Home work center contains these sections:

Work Inbox: The Work Inbox lists the tasks you need to process for GRC applications.

Ad Hoc Tasks: From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents and issues, depending on the applications to which you have access.

My Objects: In the My Objects section of the My Home work center, you can maintain the GRC objects to which you have access.

Document Search: Document Search enables you to search for documents across GRC solutions, including business entities and compliance initiatives. The search includes documents and hyperlinks, which you can add as attachments. This can only be used if you have activated TREX.

My Delegation: You can delegate the access rights and tasks of one user, the delegator, to another user, the delegate, for a specific time period or indefinitely. This relates to the PC and RM applications.

Delegator: From the My Home work center, click My Delegation. Assign one or more delegates for the desired period.

Delegate: From My Home, click Change Delegation. Choose to work on behalf of yourself or on behalf of another person.


Figure 77: My Delegation for Process Control and Risk Management

The above delegation does not apply to Access Control, which has its own delegation function. It applies to Process Control and Risk Management only.

Delegation does not remove access or forward tasks from the delegator. Instead, itallows the delegate to work with the same access and tasks as if he or she were thedelegator. Both the delegator and the delegate can access the system at the sametime, as long as they do not access the same objects or activities.
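The following Python model is an added illustration of the PC/RM delegation semantics described above; it is not SAP code and does not reflect the product's internal implementation. It makes two points concrete: delegation is time-boxed inheritance, not a transfer (the delegator's access is unchanged, and the delegate only gains it while explicitly working on the delegator's behalf inside the validity window), and a delegated session carries two identities, the person acting and the person on whose behalf they act, which is what an audit trail of a delegated action needs to record. The user names, authorization strings, and the assumption that a delegate working as the delegator acts with the delegator's authorizations only are all invented for the example.

```python
# Added illustration (not SAP code): PC/RM delegation as time-boxed
# inheritance of authorizations. Names and the return shape are invented.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    valid_from: date
    valid_to: Optional[date]  # None means "indefinitely"

    def active_on(self, day: date) -> bool:
        return self.valid_from <= day and (self.valid_to is None or day <= self.valid_to)


def effective_authorizations(
    authorizations: Dict[str, Set[str]],
    delegations: List[Delegation],
    user: str,
    day: date,
    work_as: Optional[str] = None,
) -> Tuple[str, str, Set[str]]:
    """Return (acting_user, on_behalf_of, authorizations) for one session.

    Both identities are returned because an audit record of a delegated
    action must show who acted and whose authorization was used.
    Assumption: while working as the delegator, the delegate uses the
    delegator's authorizations only ("as if he or she were the delegator").
    """
    if work_as is None or work_as == user:
        return user, user, set(authorizations.get(user, set()))
    if not any(d.delegator == work_as and d.delegate == user and d.active_on(day)
               for d in delegations):
        raise PermissionError(f"{user} has no active delegation from {work_as} on {day}")
    return user, work_as, set(authorizations.get(work_as, set()))


def sample_environment():
    """Constructed sample data: one control owner and one deputy delegated
    for June 2011 only."""
    authorizations = {
        "ANN_OWNER": {"PC_CONTROL_OWNER:ABC/CONTROL_XYZ"},
        "DAN_DEPUTY": {"PC_REPORT_VIEW"},
    }
    delegations = [Delegation("ANN_OWNER", "DAN_DEPUTY",
                              date(2011, 6, 1), date(2011, 6, 30))]
    return authorizations, delegations


def demo() -> dict:
    """The four cases a reviewer would check, returned for inspection."""
    auths, dels = sample_environment()
    in_window, after_window = date(2011, 6, 15), date(2011, 7, 1)
    result = {
        "delegate_as_self": effective_authorizations(auths, dels, "DAN_DEPUTY", in_window),
        "delegate_as_ann": effective_authorizations(auths, dels, "DAN_DEPUTY", in_window,
                                                    work_as="ANN_OWNER"),
        # The delegator keeps full access; nothing was forwarded or removed.
        "delegator_unchanged": effective_authorizations(auths, dels, "ANN_OWNER", in_window),
    }
    try:
        effective_authorizations(auths, dels, "DAN_DEPUTY", after_window, work_as="ANN_OWNER")
        result["expired_rejected"] = False
    except PermissionError:
        result["expired_rejected"] = True
    return result


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, "->", value)
```

The "expired_rejected" case is the one worth checking in a real system: an indefinite delegation (valid_to of None here) never expires on its own, so delegations should be reviewed alongside role assignments rather than treated as temporary by default.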

Master Data Work Center
Depending on the GRC products you have licensed, the Master Data work center contains the following sections:

• Organizations
• Regulations and Policies
• Objectives
• Activities and Processes
• Mitigating Controls
• Risks and Responses
• Accounts
• Consistency Checks
• Reports

The service map and applications under each work center are controlled by your access.


Figure 78: Master Data Work Center in the Portal

The Organizations section of the Master Data work center enables you to define and work with the organizations of your company.

Regulations and Policies gives you visibility into your compliance framework and access to end-to-end policy management.

Objectives define statements of desired results or purposes. Business objectives relate to strategies and risks, while control objectives are assigned to relevant subprocesses.

The Activities and Processes section is where you maintain your company's activities, business processes, subprocesses, and controls.

The Risks and Responses section of the Master Data work center enables you to maintain your organization's risk, opportunity, and response catalogs.

Use the Accounts section to create account groups that are relevant to your compliance initiatives.

Consistency checks are a set of reports to help ensure data validity. These are especially useful during initial implementation and after significant changes. Currently these are for the Risk Management product only.

The Reports section includes links to master data reports.

Rule Setup Work Center

Depending on the GRC products you have licensed, the Rule Setup work center provides links to the following areas:

Access Rule Maintenance
Critical Access Rules
Exception Access Rules
Generated Rules
Continuous Monitoring
Scheduling
Legacy Automated Monitoring
Reports

The service map and applications under each work center are controlled by your access.

Figure 79: Rule Setup Work Center in the Portal

The Access Rule Maintenance section includes the ability to maintain rule sets, access risks and functions.

The Critical Access Rules section allows you to identify individual roles and profiles that pose an access risk to your company. If your system uses profiles, you may have defined profiles that pose an access risk. Make sure that you designate these profiles as critical profiles.

The Exception Access Rules section allows you to eliminate false positives based on organizational-level restrictions. This functionality was created to aid exception-based reporting for organizational rules and supplemental rules.

The Generated Rules section shows generated rules and related details, including access risks and functions.

The Continuous Monitoring section (not displayed above due to space) gives you access to data sources, business rules, assignment of business rules and Key Risk Indicators (KRIs).


The Scheduling section enables you to maintain schedules for continuous control monitoring and track job progress in the areas of monitoring and automated testing.

The Legacy Automated Monitoring section allows you to continue to use automated rules created in Process Control 3.0.

The Reports section of this work center includes reports specifically related to continuous control monitoring setup and execution.

Setup Work Center for Access Control

The Setup work center is available in Access Control and provides links to the following areas:

Access Rule Maintenance
Exception Access Rules
Critical Access Rules
Generated Rules
Organizations
Mitigating Controls
Superuser Assignment
Superuser Maintenance
Access Owners

Figure 80: Setup Work Center in NWBC


The Access Rule Maintenance section allows you to manage access rule sets, functions, and the access risks used to identify access violations.

Under Exception Access Rules, you can manage rules that supplement access rules.

The Critical Access Rules section allows you to define additional rules that identify access to critical roles and profiles.

The Generated Rules section allows you to find and view generated access rules.

Under Organizations, you can maintain the company’s organization structure for compliance and risk management with related assignments.

The Mitigating Controls section allows you to manage controls to mitigate segregation of duty, critical action, and critical permission access violations.

Superuser Assignment is where you assign owners to firefighter IDs and assign firefighter IDs to users.

Superuser Maintenance is where you maintain firefighter, controller, and reason code assignments.

Under Access Owners, you manage owner privileges for access management capabilities.

Assessments Work Center

Depending on the GRC products you have licensed, the Assessments work center contains the following sections:

Surveys
Manual Test Plans
Risk Assessments
Incident Management
Scenario Management
Assessment Planning
Reports

Remember that the service map and applications under each work center are controlled by your access.


Figure 81: Assessments Work Center in the Portal

The Surveys section of the Assessments work center provides setup of survey components. Within GRC, surveys are used to obtain information on the existence and evaluation of risks (Risk Management) or the adequacy of controls (Process Control). Surveys are used to carry out assessments of objects such as risks, activities, controls and policies, for example.

The Manual Test Plans section allows you to create manual test plans, which consist of test steps performed to determine whether a control is operating effectively.

The Risk Assessments section enables you to create activities to be evaluated for risks and opportunities, such as projects or business processes.

The Incident Management section provides documentation of risks that occur, that is, incidents.

In Scenario Management, you can define and simulate scenarios for Risk Management.

In the Assessment Planning section you plan and release workflow tasks for the various evaluations and other assessments.

The Reports section of the Assessments work center provides a variety of reports related to assessment results.

Access Management Work Center

Depending on the GRC products you have licensed, the Access Management work center has the following sections:

GRC Role Assignments
Access Risk Analysis
Mitigated Access
Access Requests Administration
Role Management
Role Mining
Role Mass Maintenance
Superuser Assignment
Superuser Maintenance
Access Request Creation
Compliance Certification Reviews
Alerts
Scheduling

Figure 82: Access Management Work Center in the Portal

In the Access Risk Analysis section, you evaluate your systems for access risks across user, role, HR object and organization levels. An access risk is two or more actions or permissions that, when available to a single user or single role, profile, organizational level, or HR Object, create the possibility of error or irregularity.

Mitigated Access allows you to identify access risks, assess the level of those risks, and assign mitigating controls to users, roles, and profiles to mitigate the access rule violations.
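An added illustration, not SAP's code, of the Access Risk Analysis and Mitigated Access concepts above, together with the generated rules of the Rule Setup work center and the Rule Set Comparison used in Exercise 3: functions group actions, a risk names the functions that must not be held together, each risk expands into generated rules, and a valid mitigating control turns an open violation into mitigated access. All IDs, users, roles, actions and dates are constructed sample data.

```python
"""Added illustration (not SAP's code): functions, access risks, generated
rules, mitigating controls and rule set comparison.
Every ID, user, role, action and date below is constructed sample data."""
from dataclasses import dataclass
from datetime import date
from itertools import product
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Function:
    """A function groups the actions (transactions) that accomplish one task."""
    id: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class AccessRisk:
    """Functions that must not be held together. One function is a critical
    action risk; two or more form a segregation of duties (SoD) risk."""
    id: str
    functions: Tuple[Function, ...]
    level: str = "High"

    @property
    def kind(self) -> str:
        return "SoD" if len(self.functions) > 1 else "Critical Action"

    def generated_rules(self) -> List[Tuple[str, ...]]:
        """Expand the risk into concrete action combinations, one action per
        function: the rows a Generated Rules view would list."""
        return list(product(*(sorted(f.actions) for f in self.functions)))


@dataclass(frozen=True)
class MitigatingControl:
    id: str
    user: str
    risk_id: str
    valid_to: date


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    kind: str
    level: str
    matched_rules: Tuple[Tuple[str, ...], ...]


# --- constructed sample master data ---------------------------------------
F_VENDOR_MAINT = Function("F_VENDOR_MAINT", frozenset({"XK01", "XK02"}))
F_VENDOR_PAY = Function("F_VENDOR_PAY", frozenset({"F110", "F-53"}))
F_USER_ADMIN = Function("F_USER_ADMIN", frozenset({"SU01"}))

P001 = AccessRisk("P001", (F_VENDOR_MAINT, F_VENDOR_PAY), "High")
B001 = AccessRisk("B001", (F_USER_ADMIN,), "Critical")

RULE_SET_GLOBAL = {"P001": P001, "B001": B001}   # delivered rule set
RULE_SET_CUSTOM = {"P001": P001}                 # customer rule set

ROLE_ACTIONS = {
    "Z_AP_CLERK": {"F110", "F-53"},
    "Z_VENDOR_MASTER": {"XK01"},
    "Z_BASIS": {"SU01", "SU10"},
}
USER_ROLES = {
    "ALICE": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],  # SoD conflict
    "BOB": ["Z_BASIS"],                           # critical action
    "CAROL": ["Z_AP_CLERK"],                      # clean
}
CONTROLS = [MitigatingControl("MC_AP_01", "ALICE", "P001", date(2011, 12, 31))]
ANALYSIS_DATE = date(2011, 6, 30)


def user_actions(user: str) -> set:
    """Flatten a user's role assignments into the set of actions held."""
    actions = set()
    for role in USER_ROLES.get(user, []):
        actions |= ROLE_ACTIONS[role]
    return actions


def analyze_user(user: str, rule_set: Dict[str, AccessRisk]) -> List[Violation]:
    """A risk is violated when at least one generated rule is fully held."""
    held = user_actions(user)
    found = []
    for risk in rule_set.values():
        hits = tuple(r for r in risk.generated_rules() if set(r) <= held)
        if hits:
            found.append(Violation(user, risk.id, risk.kind, risk.level, hits))
    return found


def run_analysis(rule_set: Dict[str, AccessRisk], as_of: date) -> dict:
    """Split violations into open ones and those covered by a valid control."""
    report = {"open": [], "mitigated": []}
    for user in USER_ROLES:
        for v in analyze_user(user, rule_set):
            covered = any(c.user == v.user and c.risk_id == v.risk_id
                          and c.valid_to >= as_of for c in CONTROLS)
            report["mitigated" if covered else "open"].append(v)
    return report


def compare_rule_sets(a: dict, b: dict) -> dict:
    """Which risks belong to which rule set, as in the Rule Set Comparison."""
    return {"only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a)),
            "common": sorted(set(a) & set(b))}


if __name__ == "__main__":
    result = run_analysis(RULE_SET_GLOBAL, ANALYSIS_DATE)
    for v in result["open"]:
        print(f"OPEN      {v.user} {v.risk_id} ({v.kind}, {v.level}): {v.matched_rules}")
    for v in result["mitigated"]:
        print(f"MITIGATED {v.user} {v.risk_id}")
    print(compare_rule_sets(RULE_SET_GLOBAL, RULE_SET_CUSTOM))
```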


Access Request Administration manages access assignments, accounts, and review processes.

Role Management allows you to manage roles from multiple systems in a single unified repository.

Role Mining features allow you to target roles of interest, analyze them, and take action.

Role Mass Maintenance lets you import and change authorizations and attributes for multiple roles.

Superuser Assignment allows you to assign firefighter IDs to owners and assign firefighters and controllers to firefighter IDs.

In the Superuser Maintenance section, you can perform activities such as researching and maintaining firefighters and controllers, and assigning reason codes by system.

Access Request Creation provides creation of access assignments and accounts.

Compliance Certification Reviews supports review of users’ access, risk violations and role assignments.

Alerts are generated by the application for execution of critical or conflicting actions.

The Scheduling section of the Rule Setup work center enables you to maintain schedules for continuous control monitoring and automated testing, and to track related job progress.

Reports and Analytics Work Center

Depending on the GRC products you have licensed, the Reports and Analytics work center has the following sections:

Management
Compliance
Risks and Opportunities
Access Management
Incidents and Losses
Print Reports
BI Analytics


Figure 83: Reports and Analytics Work Center in the Portal

These are the delivered reports. When you execute reports you only see objects you are authorized to view.

Please demonstrate or review the key steps in the exercise.


Exercise 3: Navigate the Work Centers and Assign a Delegate

Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Identify work sets and key tasks in various work centers
• Assign a delegate

Business Example
Work centers contain work sets that include links to functions across the GRC solution. Your view and available choices depend on your user authorizations.

You are the Internal Control Manager working in Process Control and must assign another user to fill in for you while you are on vacation. You identify the Cross Regulation Process Owner as your delegate.

System Data
System: ZMC
Client: 800
User ID: XX_CUSTOM, XX_G_ICMAN, XX_G_PRCOWN
Password: initial, until changed by participant
Set up instructions:

1. System is already set up for this exercise.

Task 1: Explore the Access Control Setup Work Center
Explore the Setup work center, which is unique to Access Control.

1. Log on as XX_CUSTOM, where XX is your Participant ID.

2. Go to the Setup work center and explore the work sets. Click some of the links under each one and explore the various screens.

3. Choose Rule Set under the Access Rule Maintenance work set. Note the Rule Set IDs and descriptions.

4. Choose Rule Set Comparison, then enter two rule sets to compare.

5. Choose which components to compare, then click Run in Foreground.

6. On the Analysis Results screen, you can see which rule set each Access Risk belongs to in the Rule Set ID column.


7. Close the current window and the Rule Set Comparison window to return to the Setup work center.

Task 2: View the Organization Hierarchy
Access the Organization Hierarchy from two separate work centers.

1. Still in the Setup work center, choose Organizations under the Organizations work set.

2. Find the organization XX_GRC GLB INTL, where XX is your Participant ID. Expand the organization hierarchy nodes to view the levels of the hierarchy. Remember that this Setup work center is specific to Access Control.

3. Close the Organization Hierarchy window and navigate to the Master Data work center.

4. Choose Organizations under the Organizations work center.

5. Note that you are viewing the same Organization Hierarchy information from this Master Data work center as you saw in the Setup work center.

Task 3: Explore the Reports and Analytics Work Center
Navigate to the Reports and Analytics work center and view the work sets contained therein.

1. Go to the Reports and Analytics work center. Note the work sets in this work center and the links under each one.

2. Note that the report links you see in this work center are for Access Control, Risk Management, and Process Control, and that access is grouped in this one place for any of these components.

3. Explore the remaining work centers and choose some of the links under the various work sets to examine what can be done in each one.

Task 4: Assign a Delegate
Log in as the Internal Control Manager and assign a delegate to process tasks in your absence.

1. Exit the application and log in as the Internal Control Manager, XX_G_ICMAN, where XX is your Participant ID.

2. Review the various work centers to review the activities that are available to ICMAN.

3. Choose the My Home work center, then find the My Delegation work set.

4. Click My Delegation to open the Assign Own Delegate window.


5. Click Create.

6. Click the search icon in the User field to choose a user who will act as yourdelegate.

7. Choose XX_G_PRCOWN from the list, where XX is your Participant ID,then click OK.

8. Enter today’s date for the Start Date.

9. Enter any future date for the End Date.

10. Click Save. You should now see XX_G_PRCOWN listed on the Assign Own Delegate screen.

Task 5: Change Settings to Work as the Assigned Delegate
You are the delegate named by the Internal Control Manager and must now log on and change your settings to work on behalf of this person.

1. Exit the system, then log in as XX_G_PRCOWN, where XX is your Participant ID.

2. View the work centers and activities that are available to XX_G_PRCOWN.

3. Choose Change Delegation, located at the top right of the My Home work center next to your user welcome message.

4. Ensure that any other sessions are closed, and verify this by checking the All Sessions Closed check box.

5. Change the Work on Behalf of setting to XX_G_ICMAN, and then click Save.

6. You should now see a message displayed at the top of the My Home work center indicating that you are working on behalf of XX_G_ICMAN. Note that you now have access to all the activities and screens assigned to the ICMAN role.


Solution 3: Navigate the Work Centers and Assign a Delegate

Task 1: Explore the Access Control Setup Work Center
Explore the Setup work center, which is unique to Access Control.

1. Log on as XX_CUSTOM, where XX is your Participant ID.

2. Go to the Setup work center and explore the work sets. Click some of the links under each one and explore the various screens.

3. Choose Rule Set under the Access Rule Maintenance work set. Note the Rule Set IDs and descriptions.

4. Choose Rule Set Comparison, then enter two rule sets to compare.

5. Choose which components to compare, then click Run in Foreground.

6. On the Analysis Results screen, you can see which rule set each Access Risk belongs to in the Rule Set ID column.

7. Close the current window and the Rule Set Comparison window to return to the Setup work center.

Task 2: View the Organization Hierarchy
Access the Organization Hierarchy from two separate work centers.

1. Still in the Setup work center, choose Organizations under the Organizations work set.

a) Choose Setup → Organizations work set → Organizations

2. Find the organization XX_GRC GLB INTL, where XX is your Participant ID. Expand the organization hierarchy nodes to view the levels of the hierarchy. Remember that this Setup work center is specific to Access Control.

3. Close the Organization Hierarchy window and navigate to the Master Data work center.

4. Choose Organizations under the Organizations work center.

a) Choose Master Data work center → Organizations work set → Organizations

5. Note that you are viewing the same Organization Hierarchy information from this Master Data work center as you saw in the Setup work center.

Task 3: Explore the Reports and Analytics Work Center
Navigate to the Reports and Analytics work center and view the work sets contained therein.

1. Go to the Reports and Analytics work center. Note the work sets in this work center and the links under each one.

2. Note that the report links you see in this work center are for Access Control, Risk Management, and Process Control, and that access is grouped in this one place for any of these components.

3. Explore the remaining work centers and choose some of the links under the various work sets to examine what can be done in each one.

Task 4: Assign a Delegate
Log in as the Internal Control Manager and assign a delegate to process tasks in your absence.

1. Exit the application and log in as the Internal Control Manager, XX_G_ICMAN, where XX is your Participant ID.

a) Log off the NWBC or SAP GUI, whichever you are using.

b) Use the system Exit icon to log off the ZMC system.

c) At the SAP Logon window, choose ZMC and click Log On.

d) Enter XX_G_ICMAN as the user ID and initial as the password.

e) Click the system OK icon or press Enter.

2. Review the various work centers to review the activities that are available to ICMAN.

3. Choose the My Home work center, then find the My Delegation work set.

a) Choose My Home → My Delegation work set

4. Click My Delegation to open the Assign Own Delegate window.

5. Click Create.

6. Click the search icon in the User field to choose a user who will act as your delegate.

7. Choose XX_G_PRCOWN from the list, where XX is your Participant ID, then click OK.

8. Enter today’s date for the Start Date.

9. Enter any future date for the End Date.

10. Click Save. You should now see XX_G_PRCOWN listed on the Assign Own Delegate screen.

Task 5: Change Settings to Work as the Assigned Delegate
You are the delegate named by the Internal Control Manager and must now log on and change your settings to work on behalf of this person.

1. Exit the system, then log in as XX_G_PRCOWN, where XX is your Participant ID.

a) Log off the NWBC or SAP GUI, whichever you are using.

b) Use the system Exit icon to log off the ZMC system.

c) At the SAP Logon window, choose ZMC and click Log On.

d) Enter XX_G_PRCOWN as the user ID and initial as the password.

e) Click the system OK icon or press Enter.

2. View the work centers and activities that are available to XX_G_PRCOWN.

3. Choose Change Delegation, located at the top right of the My Home work center next to your user welcome message.

a) Choose My Home → Change Delegation

4. Ensure that any other sessions are closed, and verify this by checking the All Sessions Closed check box.

5. Change the Work on Behalf of setting to XX_G_ICMAN, and then click Save.

6. You should now see a message displayed at the top of the My Home work center indicating that you are working on behalf of XX_G_ICMAN. Note that you now have access to all the activities and screens assigned to the ICMAN role.


Lesson Summary

You should now be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal


GRC100 Lesson: Harmonized Navigation in the GRC 10.0 Portal

Lesson: Harmonized Navigation in the GRC 10.0 Portal

Lesson Duration: 20 Minutes

Lesson Overview
In this lesson you will see examples of how authorization affects what users see.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management

Share examples of different views seen by different users with the class. Remind the class that what users see is based upon their user authorization.

Business Example
In the Rule Setup work center, a Control Owner for Process Control would see things like Data Sources, Business Rules, and Business Rule Assignment for Continuous Monitoring, while a Risk Manager would be more interested in viewing KRI templates and KRI Implementation information in the Continuous Monitoring section.

In this example, an Access Control user won’t see the Continuous Monitoring section at all, but would see sections like Access Rule Maintenance and Critical Access Rules.


How Authorizations Affect What Users See

Examples of What Users See in Access Control, Process Control, and Risk Management

Figure 84: Rule Setup as Viewed by a Control Owner in Process Control

A Control Owner can see Process Control specific tasks, but not Access Control and Risk Management.

Note: The open space on the lower left is caused by use of SAP NetWeaver Floorplan Manager, which does not allow service map contents to flow seamlessly from one side to the other. Depending upon the user authorization and layout of application groups within the service map, these white spaces may appear, and it does not indicate a problem.


Figure 85: Rule Setup as Viewed by a Risk Manager in Risk Management

A Risk Manager can only see Risk Management Tasks and Reports.

Figure 86: Rule Setup as Viewed by an Access Control User

This Access Control user will only see those objects included in the assigned role.

Please demonstrate or review the key steps in the exercise.


Exercise 4: Harmonized Navigation

Exercise Duration: 20 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Examine various user views based on different authorizations
• Experience how harmonized navigation improves accessibility
• Personalize the Work Inbox

Business Example
Users who only need to see certain aspects of each application will see only those components when logging onto the system. Users with broader authorizations will have access to more work centers and work sets, with additional choices under each one.

Users can personalize the view of the Work Inbox to meet their business needs.

System Data
System: ZMC
Client: 800
User ID: AC_DISPLAYXX, XX_S_CTLTST, XX_RISKMAN, XX_CUSTOM
Password: [Specify the password to be used for this exercise. The standard format for the initial password is INIT.]
Set up instructions:

1. The system is already set up for this exercise.

Task 1: View Access Control-Specific Objects
Log on as an Access Control user with limited authorizations and view Access Control-specific work centers and work sets.

1. Log on to the ABAP client (ZMC) as ACDISPLAYXX, where XX is your Participant ID, using password initial.

2. Access the NWBC or SAP GUI.

3. Note the work centers across the top of the screen. Which work center is unique to Access Control?

4. Note the work sets and links displayed under each work center and that they are specific to Access Control functions.


Remember that there is shared master data. For example, the organizations you see here are the same ones you can see from the Process Control-specific and Risk Management-specific user interfaces.

Task 2: View Process Control-Specific Objects
Log on as a Process Control user with limited authorizations and view Process Control-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_S_CTLTST, where XX is your Participant ID. Use the password initial.

2. Launch the NWBC.

3. Note the work centers. Which ones were not seen in the Access Control-specific user interface?

4. Note the work sets and links displayed under each work center and that they are specific to Process Control functions.

5. Why is the Access Management work center empty?

Task 3: View Risk Management-Specific Objects
Log on as a Risk Management user with limited authorizations and view Risk Management-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_RISKMAN, where XX is your Participant ID. Use the password initial.

2. Launch the NWBC.

3. Note the work centers, work sets, and functions.

4. Navigate to the Assessments work center, then note that Risk Assessments is the work set. What type of assessments would be done in Process Control that are not listed here?

Task 4: Explore a Harmonized View
Log on as a user with broader authorizations to explore a harmonized view of work centers and work sets.

1. Exit the GRC 10.0 system, then log on as XX_CUSTOM, where XX is your Participant ID. Remember that you changed your password in an earlier exercise when you first logged onto the system.

2. Launch NWBC.

3. Explore the work centers, work sets, and functions. You can now see work centers across GRC, including Access Control, Process Control, Risk Management, and Global Trade Services.


4. Choose the Assessments work center, then click Planner under the Assessment Planning work set.

5. In the list of plans, you can see that some are for Risk Management assessments and some are for Process Control assessments.

6. Navigate to the My Home work center, then choose My Profile under the My Profile work set.

7. Note the role assignments for your user. The Request Access button allows you to request access for you or another user and to run a simulation so that you can see any access risks potentially resulting from the change.

Task 5: Personalize your Work Inbox
In this task, you will personalize your work inbox. You will create a query, a new query category, and personalize inbox settings.

1. You should already be logged on as XX_CUSTOM.

2. Choose the My Home work center, then click the Work Inbox link.

3. Click Personalize at the top right of the window.

4. Choose Add Category to add a category for your Active Queries. Enter a description for this category: XX Category, where XX is your Participant ID, then choose OK.

5. In the Personalization window, add a query to your Active Queries under your new category.

6. Click Apply to save changes.

7. Define a new query, using the Define New Query link at the top right of the screen.

8. Choose an Object Type.

9. Choose an existing query as a template.

10. Click Next.

11. Set Status equal to Ready.

12. Enter 01.01.2010 to 01.01.2011 for the Created On and Created To dates.

13. Click Next.

14. Enter XX Query for the Description, where XX is your Participant ID.

15. Activate Query should be checked.

16. Choose the category you created for your Work Inbox: XX Custom.


17. Click Finish.

18. Return to the Work Inbox, and then choose Personalize. You should see your new query, XX Query, listed under your new category.

19. Click Cancel to return to the Work Inbox.

20. Choose Settings, located above the elevator box.

21. Select some settings from the Hidden Columns list to add to the Displayed Columns list. Change the sequence if you’d like and choose the number of columns that will be fixed to the left of the display. Click OK when finished.

22. You should now see your chosen columns and indicated display order in the Work Inbox view.


Solution 4: Harmonized Navigation

Task 1: View Access Control-Specific Objects
Log on as an Access Control user with limited authorizations and view Access Control-specific work centers and work sets.

1. Log on to the ABAP client (ZMC) as ACDISPLAYXX, where XX is your Participant ID, using password initial.

a) Exit NWBC by logging off, then exit the ABAP client, using the system Exit icon. Use the SAP Logon window to log on to ZMC as a new user.

2. Access the NWBC or SAP GUI.

a) From the ABAP client, enter /nnwbc, then click the system OK icon or press Enter.

3. Note the work centers across the top of the screen. Which work center is unique to Access Control?

a) The Setup work center.

4. Note the work sets and links displayed under each work center and that they are specific to Access Control functions.

Remember that there is shared master data. For example, the organizations you see here are the same ones you can see from the Process Control-specific and Risk Management-specific user interfaces.

Task 2: View Process Control-Specific Objects
Log on as a Process Control user with limited authorizations and view Process Control-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_S_CTLTST, where XX is your Participant ID. Use the password initial.

2. Launch the NWBC.

a) /nnwbc

3. Note the work centers. Which ones were not seen in the Access Control-specific user interface?

a) Master Data, Rule Setup, Assessments


4. Note the work sets and links displayed under each work center and that they are specific to Process Control functions.

5. Why is the Access Management work center empty?

a) Access Management is an Access Control function and your current user authorizations only allow you to view Process Control-specific functions.

Task 3: View Risk Management-Specific Objects
Log on as a Risk Management user with limited authorizations and view Risk Management-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_RISKMAN, where XX is your Participant ID. Use the password initial.

2. Launch the NWBC.

a) /nnwbc

3. Note the work centers, work sets, and functions.

4. Navigate to the Assessments work center, then note that Risk Assessments is the work set. What type of assessments would be done in Process Control that are not listed here?

a) Control Risk Assessments

Task 4: Explore a Harmonized View
Log on as a user with broader authorizations to explore a harmonized view of work centers and work sets.

1. Exit the GRC 10.0 system, then log on as XX_CUSTOM, where XX is your Participant ID. Remember that you changed your password in an earlier exercise when you first logged onto the system.

2. Launch NWBC.

a) /nnwbc


3. Explore the work centers, work sets, and functions. You can now see workcenters across GRC, including Access Control, Process Control, RiskManagement, and Global Trade Services.

a)

4. Choose the Assessments work center, then click Planner under theAssessment Planning work set.

a) Choose Assessments → Assessment Planning → Planner

5. In the list of plans, you can see that some are for Risk Managementassessments and some are for Process Control assessments.

a)

6. Navigate to the My Home work center, then choose My Profile under theMy Profile work set.

a) Choose My Home → My Profile work set → My Profile

7. Note the role assignments for your user. The Request Access button allowsyou to request access for you or another user and to run a simulation so thatyou can see any access risks potentially resulting from the change.

a)

Task 5: Personalize your Work Inbox

In this task, you will personalize your work inbox. You will create a query and a new query category, and personalize inbox settings.

1. You should already be logged on as XX_CUSTOM.

a)

2. Choose the My Home work center, then click the Work Inbox link.

a) Choose My Home → Work Inbox

3. Click Personalize at the top right of the window.

a) Personalize is a link on the screen.

4. Choose Add Category to add a category for your Active Queries. Enter a description for this category: XX Category, where XX is your Participant ID, then choose OK.

a)

5. In the Personalization window, add a query to your Active Queries under your new category.

a)


Unit 3: The GRC 10.0 User Interface GRC100

6. Click Apply to save changes.

a)

7. Define a new query, using the Define New Query link at the top right of the screen.

a)

8. Choose an Object Type.

a)

9. Choose an existing query as a template.

a)

10. Click Next.

a)

11. Set Status equal to Ready.

a)

12. Enter 01.01.2010 to 01.01.2011 for the Created On and Created To dates.

a)

13. Click Next.

a)

14. Enter XX Query for the Description, where XX is your Participant ID.

a)

15. Activate Query should be checked.

a)

16. Choose the category you created for your Work Inbox: XX Custom.

a)

17. Click Finish.

a)

18. Return to the Work Inbox, and then choose Personalize. You should see your new query, XX Query, listed under your new category.

a)

19. Click Cancel to return to the Work Inbox.

a)


20. Choose Settings, located above the elevator box.

a)

21. Select some settings from the Hidden Columns list to add to the Displayed Columns list. Change the sequence if you’d like and choose the number of columns that will be fixed to the left of the display. Click OK when finished.

a)

22. You should now see your chosen columns and indicated display order in the Work Inbox view.

a)


Lesson Summary

You should now be able to:
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management


GRC100 Unit Summary

Unit Summary

You should now be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management


GRC100 Test Your Knowledge

Test Your Knowledge

1. Work centers:
Choose the correct answer(s).
□ A Provide a central access point for GRC 10.0
□ B Are independent of customer licensing
□ C Can be customized by a system administrator
□ D Do not contain shared tasks across solution components

2. The My Home work center is used as an entry point for any other work centers.
Determine whether this statement is true or false.
□ True
□ False

3. The My Home work center allows you to:
Choose the correct answer(s).
□ A View, access, and perform workflow tasks, whether assigned to you or not
□ B View completed reports scheduled by anyone
□ C Perform document searches across all documents, including document content
□ D Assign delegates to perform your tasks or activities

4. Assigning a delegate from the My Home work center does not apply to Access Control, which has its own delegation function.
Determine whether this statement is true or false.
□ True
□ False

5. Which of the following work centers is only used in Access Control?
Choose the correct answer(s).
□ A Rule Setup
□ B Master Data
□ C Assessments
□ D Setup


Test Your Knowledge GRC100

6. In the Rule Setup work center, a Control Owner for Process Control would be interested in seeing things like Data Sources, Business Rule Assignments for Continuous Monitoring, and KRI templates.
Determine whether this statement is true or false.
□ True
□ False

7. An Access Control user won’t see the Continuous Monitoring section of the Rule Setup work center, but would see sections like Access Rule Maintenance and Critical Access Rules.
Determine whether this statement is true or false.
□ True
□ False

8. Users will only see those objects included in the assigned role.
Determine whether this statement is true or false.
□ True
□ False


Answers

1. Work centers:

Answer: A, C

Work centers provide a central access point for GRC 10.0 and can be customized by a system administrator.

2. The My Home work center is used as an entry point for any other work centers.

Answer: False

The statement is false.

3. The My Home work center allows you to:

Answer: C, D

C and D are correct. The My Home work center also allows you to view, access, and perform workflow tasks that are assigned to you and view completed reports that were scheduled by you.

4. Assigning a delegate from the My Home work center does not apply to Access Control, which has its own delegation function.

Answer: True

The statement is true.

5. Which of the following work centers is only used in Access Control?

Answer: D

The Setup work center is unique to Access Control.

6. In the Rule Setup work center, a Control Owner for Process Control would be interested in seeing things like Data Sources, Business Rule Assignments for Continuous Monitoring, and KRI templates.

Answer: False

The statement is false. A Risk Manager would be more interested in seeing KRI templates.


7. An Access Control user won’t see the Continuous Monitoring section of the Rule Setup work center, but would see sections like Access Rule Maintenance and Critical Access Rules.

Answer: True

The statement is true.

8. Users will only see those objects included in the assigned role.

Answer: True

The statement is true.


Unit 4: Common Functions and Data

Now that participants know what GRC is about and have seen the work centers and work sets, this unit provides information about sharing master data and GRC functions that are common to AC, PC, and RM.

Unit Overview

This unit discusses sharing master data and common functions across GRC solutions, the User Interface Configuration Framework, local field changes, and setting field status for applications or regulations. Also presented are master data-related implementation considerations for organizations.

Unit Objectives

After completing this unit, you will be able to:

• Describe how common functions are shared across GRC solutions
• Explain which master data can be shared relative to common functions
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
• Discuss shared master data examples
• Discuss master data-related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options

Unit Contents

Lesson: Common Functions and Data Overview ... 158
Lesson: User Interface Configuration Framework ... 165
Lesson: Shared Master Data ... 174
Exercise 5: View Shared Master Data Examples ... 183


Unit 4: Common Functions and Data GRC100

Lesson: Common Functions and Data Overview

Lesson Duration: 20 Minutes

Lesson Overview

This lesson presents how GRC solutions share common functions and what master data can be shared across solutions relative to these functions.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how common functions are shared across GRC solutions
• Explain which master data can be shared relative to common functions

Business Example

Your organization wants to use the GRC 10.0 solution to manage risk and compliance across the enterprise. Management would like to reduce working in silos by sharing common data elements, while building good governance, risk and compliance practices into core business processes.

Specific business needs include:

• Sharing of organization, process and control structures for compliance, risk and access management.
• Supporting end-to-end processes that leverage these shared structures to better manage risk, lower compliance cost, and increase operational efficiencies.
• Promoting proactive management of risks through effective decision support, timely risk responses, and alignment of multiple stakeholder groups.


GRC100 Lesson: Common Functions and Data Overview

Sharing Common Functions Across GRC Solutions

Figure 87: Overview of Common Functions

Figure 88: Policy Management Overview

Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.

The end-to-end process begins with creating and approving policies, which often involves attaching or linking the policy documents. You indicate the scope of each policy by assigning it to organizations, processes or activities, and people. You also may associate controls or ERM risks with the policy. Thereafter, you distribute the policy to those affected by it and, if desired, you may require formal acceptance or acknowledgment. In addition, you may require that survey assessments or quizzes be completed to indicate understanding of the policy. Information on acceptance, assessments or quizzes can be reported to demonstrate the level of compliance. Because policies may be widely distributed throughout an organization, an SAP logon is not required to receive the policy or to acknowledge it.

Note that a policy may act as a response to a risk managed in the Risk Management component. So, for example, if you have one or more risks associated with safe handling of materials, you may create or use your safety and material handling policies to help mitigate that risk.

Figure 89: Ad Hoc Issues Overview

Ad hoc issues management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.

This feature is designed to enable identification, remediation and tracking of issues not associated with scheduled compliance evaluations. Examples of ad hoc issues include external audit findings, issues discovered by inspections, and problems reported by individuals outside formal compliance processes. If an issue is not fully complete, it is routed via workflow to an issue administrator, who reviews, completes and assigns the issue. Thereafter, the issue is similar to an evaluation-based issue reported in PC—that is, it may be remediated and then closed. You may associate issues with a variety of business entities such as organizations, risks, regulations, and controls. You may also assign a source of the issue; the sources available are configurable in the IMG.


Ad hoc issues can be associated with the following objects for the RM component: organizations, risks, opportunities, incidents, responses and key risk indicators. For compliance, they can be associated with the following in the PC component: organizations, regulations, processes, subprocesses, controls and indirect entity-level controls.

Figure 90: Content Lifecycle Management Overview

The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository. This external content could be company data imported for the first time into the GRC solution during implementation, or it could be content developed by third parties.

Once imported to CLM, you can review the content, decide what to deploy, and resolve any content conflicts (if the content has been previously deployed). Deploy the content you select, then manage it as needed in GRC (currently the RM and PC components). As needed, you may checkpoint and export the content managed in GRC and import it again to the CLM repository. This is done so that it can be edited on a mass basis or used to compare your current content with updated external content you receive.


Shared Master Data Overview

Figure 91: Key Master Data Pre-GRC 10.0

In prior versions, sharing of master data was limited by different technical platforms.

Figure 92: Shared Master Data in GRC 10.0

In the GRC 10.0 solutions shown above, technical platforms unite on SAP NetWeaver (ABAP), enabling increased harmonization of key master data. Organization, process and control structures can now be shared across components, which supports a more integrated approach to governance, risk and compliance. Note that control extensions are used to expand the control entity so it can be used for different purposes (for example, as a control that mitigates access violations).


Figure 93: Integrated GRC Example

This example shows an integrated approach to detecting and preventing fraud related to the procure-to-pay process. In short, the company has identified a significant risk of fraud. While several types of risk responses are possible, the company has a hybrid approach to both reduce the risk through an updated security policy and control the risk.

The controls include use of Access Control 10.0 to prevent most segregation of duties conflicts. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control. In addition, an automated control in Process Control monitors the status of access risks in Access Control to verify that access management is in place and operating effectively. As in prior versions, controls in Process Control can be assessed or tested to ensure appropriate design and effectiveness.

Policies—in this example, a security policy—are managed in the common Policy Management component. As mentioned previously, Policy Management includes the ability to gather acknowledgments or even quizzes from those affected by the policy to determine policy effectiveness.


Lesson Summary

You should now be able to:
• Describe how common functions are shared across GRC solutions
• Explain which master data can be shared relative to common functions


GRC100 Lesson: User Interface Configuration Framework

Lesson: User Interface Configuration Framework

Lesson Duration: 20 Minutes

Lesson Overview

This lesson presents how the User Interface Configuration Framework (UICF) enables you to maintain master data fields without programming.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations

This lesson is about how the User Interface Configuration Framework (UICF) enables users to configure how they would like to maintain master data across application components and regulations.

Business Example

SAP delivers default behavior for GRC solution master data fields, but your organization has determined that some field behavior should be changed to better map to your existing processes and data. It is important that this not involve custom programming, as company policy severely limits SAP customization to facilitate later upgrades.

Note: Your team has proposed these changes:

Field                 Components   Regulation-Specific?   Field Status
Control Significance  PC           Yes - Financial        Required
                                   Yes - FCPA             Hidden
                                   Yes - Operational      Optional
Control Nature        All          No                     Hidden
Control Purpose       All          No                     Required

Each of these changes can be performed without programming using the UI Configuration Framework described in this section.

For the Control Significance field, you determine that it should be required for various regulations related to financial compliance, that it is not relevant at all for the Foreign Corrupt Practices Act, and that it might be useful for operational compliance initiatives. You do this via the regulation-specific configuration by first designating the field as being specific to regulations, then by configuring the field status by regulation.

Your company does not consider the Control Nature field useful, so you want to disable it for all components. You determine that by default it is already hidden for AC, but that it is optional for both PC and RM. You configure the field status by application component to make the field status hidden also for PC and RM.

For the Control Purpose field (typically used to indicate whether a control is detective or preventive), you want to ensure that this field is required regardless of which component creates or maintains the control. You determine that by default this is required for PC, optional for RM, and hidden for AC. You configure the field status by application component to make the field status required for all components.

These changes involve configuration in the IMG and automatically update the user interface. Therefore, this should be done and tested carefully in a non-production system. It is best to severely limit changes after the system is in production.

User Interface Configuration Framework Overview

Figure 94: What the UICF Enables


As mentioned earlier, the User Interface Configuration Framework (UICF) enables you to configure how you would like to maintain master data across application components and regulations. For example, organizations can be optionally shared among PC, RM and AC, but some fields relevant to RM are not applicable to AC or PC. The UICF allows you to configure without programming which fields are relevant to each application.

Figure 95: Configuration Steps for User Interface Status at the Field Level

The steps above relate to SAP BusinessObjects Process Control 10.0 only, except as noted, because regulations and the assignment of subprocesses to organizations are done in PC but not in RM or AC.


Figure 96: IMG Path for Configuration of UICF

The User Interface Configuration Framework settings are all maintained under the Maintain Field-Based Configuration node in the IMG.

IMG → Governance, Risk, and Compliance → Shared Master Data Settings → Maintain Field-Based Configuration


Regulation-Specific Values

Figure 97: Regulation-Specific Configuration

Only those fields that exist in control table GRFNFLDRGSP (which also appear in the F4 help list) can be regulation-specific fields. Keep in mind that regulation-specific fields relate to Process Control only.

Example: You may determine that the In Scope field for organizations can vary by regulation. That is, an organization may be in scope for one compliance initiative or regulation and out of scope for others. To enable this, click New Entries, then use F4 help to select In Scope (OU_IN_SCOPE). Mark it as Regulation Specific. This will cause the organization screen to show the In Scope field as a regulation-specific value.

It would be nice to demonstrate the example in the system.

IMG → Governance, Risk, and Compliance → Shared Master Data Settings → Maintain Field-Based Configuration → Regulation-Specific Configuration


Local Field Changes

Figure 98: Allow Local Change Configuration

Only those fields that exist in control table GRFNFLDLCHG (which also appear in the F4 help list) can be set to allow local changes. Local Changes Allowed fields relate to PC only because these are dependent upon the method of assigning subprocesses to organizations. That is, if during assignment of a subprocess to an organization the subprocess is set to not allow local changes (similar to assigning with reference in prior versions of PC), the settings here do not apply to that subprocess for that organization nor to subordinate controls within that subprocess.

Example: You determine that the Automation field for controls cannot vary by organization. The default system behavior is to allow local changes to the 24 fields shown above. Therefore, to ensure that the Automation field cannot be changed locally, you must select it and ensure that the Local Changes Allowed checkbox is not selected.


Setting Field Status for Applications or Regulations

Figure 99: Field Status Configuration by Application Component

Users can only maintain the UI status for those fields that exist in control table GRFNFLD (which also appear in the F4 help list for Field ID). The default UI field status is Optional.

The predefined Field UI Status Configuration by Application is maintained in the table GRFNAPPFLD. It is recommended that you do not make changes directly to the GRFNAPPFLD table, but instead use this IMG activity.

IMG → Governance, Risk, and Compliance → Shared Master Data Settings → Maintain Field-Based Configuration → Field Status Configuration by Appl. Component


Figure 100: Field Status Configuration by Regulation

Users can only maintain the UI status for those fields that exist in control table GRFNFLDRGSP (which also appear in the F4 help list for Field ID), which is populated by performing the Regulation-Specific Configuration discussed earlier.

Once one or more regulation-specific fields have been maintained, they can be further configured here to set the field status by regulation, if desired. The default UI field status is Optional.

The predefined Field UI Status Configuration by Regulation is maintained in control table GRFNREGFLD. Currently the table GRFNREGFLD is empty, as SAP does not deliver pre-configured UI status for different regulations.

IMG → Governance, Risk, and Compliance → Shared Master Data Settings → Maintain Field-Based Configuration → Field Status Configuration by Regulation
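The following Python model is an added illustration for this lesson; it is not SAP code and not part of the course material. It models the precedence the lesson describes across the Business Example, the Local Field Changes section and the two field status sections: a field flagged as regulation-specific takes its status from the configuration by regulation (Process Control only), otherwise from the configuration by application component, otherwise the Optional default; and a field can only be changed locally if it is flagged as Local Changes Allowed and the subprocess was assigned to the organization with local changes allowed. The dictionaries are named after the control tables the lesson mentions (GRFNFLDRGSP, GRFNFLDLCHG, GRFNAPPFLD, GRFNREGFLD) but hold constructed sample rows; the field IDs CONTROL_SIGNIFICANCE, CONTROL_NATURE, CONTROL_PURPOSE and AUTOMATION and the regulation IDs are placeholders (only OU_IN_SCOPE appears in the text), and the exact precedence between regulation and component status is an assumption drawn from the lesson's wording.

```python
"""Model of GRC 10.0 field-based configuration rules (added example, not SAP code).

Table names mirror the control tables named in the lesson; contents are constructed.
Field IDs other than OU_IN_SCOPE are placeholders, not real SAP field IDs.
"""
from dataclasses import dataclass, field

OPTIONAL, REQUIRED, HIDDEN = "Optional", "Required", "Hidden"
COMPONENTS = ("PC", "RM", "AC")


@dataclass
class FieldBasedConfig:
    # GRFNFLDRGSP: field IDs flagged as Regulation Specific (PC only).
    grfnfldrgsp: set = field(default_factory=set)
    # GRFNFLDLCHG: field ID -> Local Changes Allowed flag. A field absent from
    # this table cannot be set to allow local changes at all.
    grfnfldlchg: dict = field(default_factory=dict)
    # GRFNAPPFLD: (field ID, component) -> UI status.
    grfnappfld: dict = field(default_factory=dict)
    # GRFNREGFLD: (field ID, regulation) -> UI status. Empty as delivered by SAP.
    grfnregfld: dict = field(default_factory=dict)

    def ui_status(self, field_id, component, regulation=None):
        """Effective UI status of a field for one component and, in PC, one regulation.
        Assumed precedence: regulation-specific status, then component status, then Optional."""
        if component == "PC" and regulation and field_id in self.grfnfldrgsp:
            status = self.grfnregfld.get((field_id, regulation))
            if status is not None:
                return status
        return self.grfnappfld.get((field_id, component), OPTIONAL)

    def can_change_locally(self, field_id, subprocess_allows_local_changes):
        """Local change rule: the field flag only applies when the subprocess was
        assigned to the organization with local changes allowed."""
        if not subprocess_allows_local_changes:
            return False
        return self.grfnfldlchg.get(field_id, False)

    def visible_fields(self, field_ids, component, regulation=None):
        """Fields a user of the given component would see on the screen."""
        return [f for f in field_ids
                if self.ui_status(f, component, regulation) != HIDDEN]


def business_example_config():
    """Apply the Business Example's proposed changes on top of the delivered
    defaults the lesson states. Defaults and field IDs are constructed from the text."""
    cfg = FieldBasedConfig()
    # Delivered defaults as described: Control Nature hidden for AC, optional for
    # PC and RM; Control Purpose required for PC, optional for RM, hidden for AC.
    cfg.grfnappfld.update({
        ("CONTROL_NATURE", "AC"): HIDDEN,
        ("CONTROL_NATURE", "PC"): OPTIONAL,
        ("CONTROL_NATURE", "RM"): OPTIONAL,
        ("CONTROL_PURPOSE", "PC"): REQUIRED,
        ("CONTROL_PURPOSE", "RM"): OPTIONAL,
        ("CONTROL_PURPOSE", "AC"): HIDDEN,
    })
    # Constructed subset of the fields that allow local changes by default.
    cfg.grfnfldlchg.update({"AUTOMATION": True, "CONTROL_PURPOSE": True})

    # Change 1: Control Significance becomes regulation-specific with a status
    # per regulation (Regulation-Specific Configuration, then Field Status
    # Configuration by Regulation).
    cfg.grfnfldrgsp.add("CONTROL_SIGNIFICANCE")
    cfg.grfnregfld.update({
        ("CONTROL_SIGNIFICANCE", "FINANCIAL"): REQUIRED,
        ("CONTROL_SIGNIFICANCE", "FCPA"): HIDDEN,
        ("CONTROL_SIGNIFICANCE", "OPERATIONAL"): OPTIONAL,
    })
    # Changes 2 and 3: Field Status Configuration by Application Component.
    for component in COMPONENTS:
        cfg.grfnappfld[("CONTROL_NATURE", component)] = HIDDEN
        cfg.grfnappfld[("CONTROL_PURPOSE", component)] = REQUIRED
    # Local Field Changes example: the Automation field may not vary by organization.
    cfg.grfnfldlchg["AUTOMATION"] = False
    return cfg


if __name__ == "__main__":
    cfg = business_example_config()
    fields = ["CONTROL_SIGNIFICANCE", "CONTROL_NATURE", "CONTROL_PURPOSE"]
    for component in COMPONENTS:
        for regulation in (None, "FINANCIAL", "FCPA"):
            row = {f: cfg.ui_status(f, component, regulation) for f in fields}
            print(component, regulation or "-", row)
    print("Automation locally changeable:",
          cfg.can_change_locally("AUTOMATION", subprocess_allows_local_changes=True))
```

Running the script prints the effective status of the three fields for every component and for the Financial and FCPA regulations, which is a quick way to confirm that a proposed configuration change produces the screens the business expects before it is transported; in a real system the same check is done by opening the control screen as a user of each component.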


Lesson Summary

You should now be able to:
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations


Lesson: Shared Master Data

Lesson Duration: 20 Minutes

Lesson Overview

This lesson presents how unified master data for organizations and controls is displayed in each GRC solution component, and implementation considerations related to shared master data.

Lesson Objectives

After completing this lesson, you will be able to:

• Discuss shared master data examples
• Discuss master data-related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options


Business Example

SAP BusinessObjects GRC 10.0 is an integrated solution with Risk Management, Process Control and Access Control being contained in a single SAP component. These solutions work together to produce a more harmonized and complete picture of the GRC environment. Several configuration items and attributes are shared between two or more of the components. These shared items can now be set up one time and consumed by any of the installed programs as needed, rather than maintaining the same information in multiple spots. This reduces the amount of configuration and/or maintenance involved as well as the need to synchronize master data (whether manually or by system) between the components, and therefore reduces both the time required and the possibility of the data being out of sync with the other solutions within the GRC solution.


GRC100 Lesson: Shared Master Data

Shared Master Data Examples

Figure 101: Master Data for Organizations Before GRC 10.0

Similar master data was created for each module, which could involve:

• Redundant maintenance
• Manual synchronization of data
• Increased risk of missing, inconsistent or incorrect master data

Manual synchronization of data is more difficult when different employees areresponsible for the data.

Example: A change in the organization structure might not have been communicated in a timely manner to the different silos.


Figure 102: GRC 10.0: Unified Master Data for Organizations

GRC 10.0 allows creation of shared master data for organizations.

As you learned in the UI Configuration Framework lesson, you can control which fields are used for which components by configuring the User Interface Configuration Framework in the IMG.

Figure 103: Master Data for Controls Before GRC 10.0

Control master data for prior Access Control and Process Control products was created separately in each product.


Control master data for the in-market AC and PC products was created separately in each product. That is, a mitigating control added in AC was not automatically created or maintained in PC, nor was a control created in PC directly available for use as a mitigating control in AC. Instead, the controls were separate, resulting in additional effort and potential inconsistency. In addition, AC was not able to directly leverage the continuous monitoring framework for these controls.

Figure 104: GRC 10.0: Unified Master Data for Controls

In GRC 10.0, the control data can be shared and only those fields relevant for the specific view are displayed. Continuous control monitoring and automated testing functionality in Process Control can be used for controls used to mitigate access risks in Access Control.


Master Data Related Implementation Considerations for Organizations

Figure 105: Implementation Considerations for Organizations

Each company may have different organizational needs for supporting existing processes and people. These are some examples. Given the importance of GRC convergence, you may wish to consider what your company does now and how it might like to evolve as you plan the organization structures to be used in your GRC implementation.


Examples of Different Views of the Same Master Data Entity for Different Users

Figure 106: Organization Hierarchy Views

The available views can be used by different components in different ways. A single view can be the default view, or an available view, for none, one, or multiple components. Furthermore, each component can have one default view and multiple available views. A view that is available to a component but is not the default view for the component is only used for hierarchical organization display and reporting purposes.


Figure 107: Sample Organization Hierarchies

The above examples show the following:

1. The first hierarchy shows what a typical Compliance user might see
2. The second hierarchy shows what a Risk Management user might see
3. The third example shows what an Access Control user might see
4. The fourth example shows the Standard Hierarchy, which is defined as an available view for Access Control

Discuss the above examples:

1. The first hierarchy shows what a typical compliance user might see. Note the period and year with a standard hierarchy which was defined as the default for the PC component. Based upon the prior slide, other organization hierarchy views are available for PC.

2. The second hierarchy shows what a risk management user might see. Note the single date option, which can default to today’s date based upon the advanced options. Again, the Risk Hierarchy view is shown, but other views are available.

3. The third example shows what an AC user might see. The DEV_AC_ORGANIZATION view was created as the default for the AC component. Note that no date is shown for AC views.

4. The fourth example shows a user with AC access, but this shows the Standard Hierarchy, which is defined as an available view for AC.


Ask the class how they can tell that the fourth view is Access Control. Answer: They can tell by the lack of date.

Figure 108: Advanced Date Options

Advanced Date Options are available for Process Control and Risk Managementand can be personalized by user. Access Control sees hierarchies as of the currentdate.


Compliance users often work in arrears, hence the need for availability of aPeriod with Year option. As an example, a company with a calendar year-endmight update their compliance activities until late January or even February thefollowing year, after which they perform sign-off certification. In some cases,they work in advance—for example, to restructure organizations or documentnew controls as of a future date.

Risk managers more often work as of today’s date, hence the need for Date andToday options.

Both types of users may, however, use other advanced date options. For example,if a compliance user is making significant organization changes as of a fixed date(say January 1 next year), he or she might use the Date with a Fixed Date optionand set the fixed date to January 1.
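To make the date options concrete, here is a constructed Python model of how a hierarchy is rendered "as of" one key date. It is an added illustration, not SAP code and not part of this handbook. It assumes that every hierarchy node carries a validity interval, that a period is a calendar month rendered as of its last day (the compliance user working in arrears), and that Access Control always uses the current date; the node names, dates and the ADD/retire scenario are made up. The model also shows the edge case the options imply: a child of a node that is no longer valid on the key date does not appear in the view.

```python
"""Constructed model of date-resolved organization hierarchy views.

Added illustration, not SAP code. Assumption: each node has an inclusive
validity interval, and a view is rendered as of a single key date derived
from the user's advanced date option (Period with Year, Date, Today); an
Access Control view has no option and always uses the current date.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class OrgNode:
    node_id: str
    parent_id: str | None   # None marks the hierarchy root
    valid_from: str         # ISO dates, inclusive on both ends (assumption)
    valid_to: str

    def is_active(self, as_of: date) -> bool:
        return (date.fromisoformat(self.valid_from) <= as_of
                <= date.fromisoformat(self.valid_to))


# Constructed sample data: LATAM is retired mid-2011, BRAZIL still hangs
# under it, and APAC is created as of a future date (January 1 next year).
SAMPLE_NODES = [
    OrgNode("ROOT", None, "2000-01-01", "9999-12-31"),
    OrgNode("EMEA", "ROOT", "2005-01-01", "9999-12-31"),
    OrgNode("FRANCE", "EMEA", "2005-01-01", "9999-12-31"),
    OrgNode("LATAM", "ROOT", "2005-01-01", "2011-06-30"),
    OrgNode("BRAZIL", "LATAM", "2005-01-01", "9999-12-31"),
    OrgNode("APAC", "ROOT", "2012-01-01", "9999-12-31"),
]


def as_of_date(option: str, *, today: str, year: int | None = None,
               period: int | None = None, fixed: str | None = None) -> date:
    """Map an advanced date option to the key date the view is rendered for.

    Assumption: a period is a calendar month and a Period with Year view is
    rendered as of the last day of that month.
    """
    if option == "PERIOD_YEAR":
        if year is None or period is None:
            raise ValueError("PERIOD_YEAR needs year and period")
        return date(year, period, calendar.monthrange(year, period)[1])
    if option == "FIXED_DATE":
        if fixed is None:
            raise ValueError("FIXED_DATE needs a fixed date")
        return date.fromisoformat(fixed)
    if option == "TODAY":
        return date.fromisoformat(today)
    raise ValueError(f"unknown date option {option!r}")


def resolve_view(nodes: list[OrgNode], as_of: date) -> dict[str, list[str]]:
    """Return node -> sorted children for the hierarchy valid on as_of.

    The walk starts at active roots and only follows edges whose parent is
    active, so a child of a retired node is never reached.
    """
    active = {n.node_id: n for n in nodes if n.is_active(as_of)}
    by_parent: dict[str | None, list[str]] = {}
    for n in active.values():
        by_parent.setdefault(n.parent_id, []).append(n.node_id)
    view: dict[str, list[str]] = {}
    stack = list(by_parent.get(None, []))
    while stack:
        node_id = stack.pop()
        kids = sorted(by_parent.get(node_id, []))
        view[node_id] = kids
        stack.extend(kids)
    return view


def access_control_view(nodes: list[OrgNode], *, today: str) -> dict[str, list[str]]:
    """Access Control has no date option: it always renders as of today."""
    return resolve_view(nodes, as_of_date("TODAY", today=today))


if __name__ == "__main__":
    today = "2011-11-15"  # constructed 'current date'
    print("PC, period 05/2011:",
          resolve_view(SAMPLE_NODES, as_of_date("PERIOD_YEAR", today=today, year=2011, period=5)))
    print("PC, fixed 2012-01-01:",
          resolve_view(SAMPLE_NODES, as_of_date("FIXED_DATE", today=today, fixed="2012-01-01")))
    print("AC, today:", access_control_view(SAMPLE_NODES, today=today))
```

Run as a script it prints the three views a compliance user (period 05/2011), a user restructuring as of a fixed future date (2012-01-01) and an Access Control user (today) would each see from the same master data; only the key date differs.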


Please demonstrate or review the key steps in the exercise.


Exercise 5: View Shared Master Data Examples
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• View shared components for organizations in the IMG
• Review locally managed controls setting in the IMG
• View roles shared between business role management and access request management

Business Example
One key benefit of harmonization is that objects, such as roles and organizations, are created or loaded once and then used by more than one component of the GRC solution. Another benefit is that you can configure shared settings once and they will apply throughout the solution, for example, the ability to allow controls to be managed locally.

System Data
System: ZMC
Client: 800
User ID: XX_CUSTOM
Password: The password has been reset by the participant, following initial logon for this class.
Set up instructions:

1. System setup has already been done for this exercise.

Task 1: View Shared Components for Organizations
In this task, you will access the IMG to view shared components for organizations.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO, then choose the system OK icon or press Enter.

3. Click SAP Reference IMG

4. Expand Governance, Risk, and Compliance

5. Expand Shared Master Data Settings

6. Choose Maintain Organization Views


7. Select Maintain Organization Views Configurations, then click Choose.

8. View the Application Components listed for the Organization Views. Do not make any changes to this information.

9. Close this popup window when finished, using the system Cancel icon.

Task 2: Allow Locally Managed Controls
In this task, you will review where to maintain the ability to allow locally managed controls.

1. From Display IMG, choose Shared Master Data Settings.

2. Click the Execute icon next to Maintain Ability to Add Locally-Defined Controls.

3. Note that the Customizing Item ADD_LOCAL_DEFINED_CN is set to Active.

Task 3: View Shared Roles
View roles shared between business role management and access request management.

1. Choose the Access Management work center.

2. Scroll down to the Role Management work set, and then choose Role Search.

3. Enter Z_GRC_PR* in the Role Name field, then click Search.

4. From the search results, choose Z_GRC_PR_APM_VENDOR_MASTER to view role details.

5. On the Define Role tab, click More Details.

6. Choose the Owners/Approvers tab. On this tab you can see that this role is used for both access request management and business role management.


Solution 5: View Shared Master Data Examples
Task 1: View Shared Components for Organizations
In this task, you will access the IMG to view shared components for organizations.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO, then choose the system OK icon or press Enter.

a) You should be in the ABAP client and not NWBC.

3. Click SAP Reference IMG

a) SAP Reference IMG is located at the top left of the screen, just under the transaction entry field.

4. Expand Governance, Risk, and Compliance

5. Expand Shared Master Data Settings

a) This is a sub-node under Governance, Risk, and Compliance.

6. Choose Maintain Organization Views

7. Select Maintain Organization Views Configurations, then click Choose.

8. View the Application Components listed for the Organization Views. Do not make any changes to this information.

9. Close this popup window when finished, using the system Cancel icon.

Task 2: Allow Locally Managed Controls
In this task, you will review where to maintain the ability to allow locally managed controls.

1. From Display IMG, choose Shared Master Data Settings.

2. Click the Execute icon next to Maintain Ability to Add Locally-Defined Controls.

3. Note that the Customizing Item ADD_LOCAL_DEFINED_CN is set to Active.

Task 3: View Shared Roles
View roles shared between business role management and access request management.

1. Choose the Access Management work center.

a) Launch NWBC to view work centers. Enter /nnwbc, then click the system OK icon or press Enter.

2. Scroll down to the Role Management work set, and then choose Role Search.

3. Enter Z_GRC_PR* in the Role Name field, then click Search.

4. From the search results, choose Z_GRC_PR_APM_VENDOR_MASTER to view role details.

5. On the Define Role tab, click More Details.

6. Choose the Owners/Approvers tab. On this tab you can see that this role is used for both access request management and business role management.


Lesson Summary

You should now be able to:
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options


Unit Summary
You should now be able to:
• Describe how common functions are shared across GRC solutions.
• Explain which master data can be shared relative to common functions.
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options


Test Your Knowledge

1. Ad hoc issues are issues not associated with compliance evaluations, yet are associated with a variety of business entities, such as organizations, risk, regulations, and controls.
Determine whether this statement is true or false.
□ True
□ False

2. Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.
Determine whether this statement is true or false.
□ True
□ False

3. Ad hoc issues management is a common function available to those companies licensing:
Choose the correct answer(s).
□ A Access Control
□ B Risk Management
□ C Process Control
□ D Access Control and Process Control
□ E Process Control and Risk Management
□ F Risk Management and Access Control

4. The ________ function allows external content to be packaged and imported to the ________ repository.
Fill in the blanks to complete the sentence.

5. Organization structures, process structures, and control structures can be shared across components in the GRC 10.0 solution.
Determine whether this statement is true or false.
□ True
□ False


6. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control.
Determine whether this statement is true or false.
□ True
□ False

7. An automated control in the ________ solution monitors the status of access risks in the ________ solution to verify that access management is in place and operating effectively.
Fill in the blanks to complete the sentence.

8. The User Interface Configuration Framework enables using a single user interface launch point for maintaining shared master data across:
Choose the correct answer(s).
□ A Applications only
□ B Regulations only
□ C Applications and regulations
□ D None of the above

9. The User Interface Configuration framework enables using common and centralized master data, while supporting entity attributes that can be specific to regulations.
Determine whether this statement is true or false.
□ True
□ False

10. The User Interface Configuration Framework requires programming in order to configure which fields are relevant to each solution component (AC, PC, RM).
Determine whether this statement is true or false.
□ True
□ False

11. Only those fields that exist in the control table GRFNFLDRGSP can be regulation-specific fields.
Determine whether this statement is true or false.
□ True
□ False


12. Regulation-specific fields relate to Access Control only.
Determine whether this statement is true or false.
□ True
□ False

13. Local Changes Allowed fields relate to Process Control only because these are dependent upon the method of assigning subprocesses to organizations.
Determine whether this statement is true or false.
□ True
□ False

14. Setting field status for applications or regulations is maintained in ________.
Fill in the blanks to complete the sentence.

15. Shared master data involves:
Choose the correct answer(s).
□ A Manual synchronization of data
□ B Decreased risk of inconsistent master data
□ C Redundant maintenance
□ D Required sharing of organizations

16. Prior to GRC 10.0, master data for Access Control and Process Control were created once and shared by both solution components.
Determine whether this statement is true or false.
□ True
□ False

17. In GRC 10.0 control data can be shared by Access Control and Process Control, and only those fields relevant for the specific view are displayed.
Determine whether this statement is true or false.
□ True
□ False


18. Master data-related implementation considerations for organizations include:
Choose the correct answer(s).
□ A To what extent will companies share harmonized structures
□ B To what extent does the company work in separate silos
□ C Who is responsible for maintaining organization hierarchies
□ D How does a company plan to evolve in the future

19. Organization hierarchy views are initially set up in the IMG.
Determine whether this statement is true or false.
□ True
□ False

20. Each solution component can have one default view and multiple available views, which are used only for hierarchical organization display and reporting purposes.
Determine whether this statement is true or false.
□ True
□ False


Answers

1. Ad hoc issues are issues not associated with compliance evaluations, yet are associated with a variety of business entities, such as organizations, risk, regulations, and controls.

Answer: True

The statement is true.

2. Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.

Answer: True

The statement is true.

3. Ad hoc issues management is a common function available to those companies licensing:

Answer: B, C, E

B, C, and E are correct. Ad hoc issues management is a common function available to those companies licensing Process Control, Risk Management, or both.

4. The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository.

Answer: Content Lifecycle Management (CLM), CLM

The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository.

5. Organization structures, process structures, and control structures can be shared across components in the GRC 10.0 solution.

Answer: True

The statement is true.


6. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control.

Answer: True

The statement is true.

7. An automated control in the Process Control solution monitors the status of access risks in the Access Control solution to verify that access management is in place and operating effectively.

Answer: Process Control, Access Control

An automated control in the Process Control solution monitors the status of access risks in the Access Control solution to verify that access management is in place and operating effectively.

8. The User Interface Configuration Framework enables using a single user interface launch point for maintaining shared master data across:

Answer: C

C is correct: Applications and regulations

9. The User Interface Configuration framework enables using common and centralized master data, while supporting entity attributes that can be specific to regulations.

Answer: True

The statement is true.

10. The User Interface Configuration Framework requires programming in order to configure which fields are relevant to each solution component (AC, PC, RM).

Answer: False

The UCIF allows you to configure without programming which fields are relevant to each solution component.

11. Only those fields that exist in the control table GRFNFLDRGSP can be regulation-specific fields.

Answer: True

The statement is true.


12. Regulation-specific fields relate to Access Control only.

Answer: False

Regulation-specific fields relate to Process Control only.

13. Local Changes Allowed fields relate to Process Control only because these are dependent upon the method of assigning subprocesses to organizations.

Answer: True

The statement is true.

14. Setting field status for applications or regulations is maintained in the IMG.

Answer: the IMG

Setting field status for applications or regulations is maintained in the IMG.

15. Shared master data involves:

Answer: B

Shared master data involves decreased risk of inconsistent master data. Sharing of organizations is optional, but not required.

16. Prior to GRC 10.0, master data for Access Control and Process Control were created once and shared by both solution components.

Answer: False

The statement is false. Prior to GRC 10.0, master data for Access Control and Process Control were created separately in each product.

17. In GRC 10.0 control data can be shared by Access Control and Process Control, and only those fields relevant for the specific view are displayed.

Answer: True

The statement is true.

18. Master data-related implementation considerations for organizations include:

Answer: A, B, C, D

All choices are correct.


19. Organization hierarchy views are initially set up in the IMG.

Answer: True

The statement is true.

20. Each solution component can have one default view and multiple available views, which are used only for hierarchical organization display and reporting purposes.

Answer: True

The statement is true.


Unit 5: Implementation and Configuration

This unit is intended to provide an overview of the functional implementation process. This process is covered in more detail during GRC300 and GRC330, which are focused on configuration and implementation of AC and PC, respectively. Also in this unit is information about members of project teams and implementation prerequisite tasks.

Unit Overview
This unit presents IMG organization for GRC 10.0 and how to navigate the IMG by solution and common settings. Basic and common customizing tasks are highlighted, as well as configuring application-specific IMG nodes. Functional implementation is introduced, including project teams, prerequisite tasks, and an overview of the implementation process.

Unit Objectives
After completing this unit, you will be able to:

• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process

Unit Contents
Lesson: Streamlined Configuration ... 198
Exercise 6: Review the IMG Structure ... 203
Lesson: Functional Implementation ... 210
Exercise 7: Review System Configuration ... 219


Lesson: Streamlined Configuration
Lesson Duration: 15 Minutes

Lesson Overview
This lesson describes the IMG (Implementation Guide) organization for GRC 10.0, including shared configuration and product-specific configuration.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation

In this lesson, we'll look at the IMG organization for GRC 10.0 and where common and product-specific customizing tasks are performed.

Business Example
In prior releases, configuration of Process Control and Risk Management were separate IMG activities with some overlap. Prior Access Control releases did not provide configuration using the IMG. To streamline configuration, the GRC 10.0 solutions' IMG identifies activities which are shared among multiple products.


IMG Organization for GRC 10.0

Figure 109: GRC Implementation Guide (IMG)

On the left is an example of collapsed activities in the IMG for Process Control and Risk Management 3.0. In this IMG structure, if you implemented both products, you would have to do some similar activities twice, that is, once for each product.

On the right side is an example of partially collapsed activities for GRC 10.0 solutions. Activities that relate to more than one product are configured in one place.

On the left side, you see collapsed activities in the Implementation Guide (IMG) for SAP BusinessObjects Process Control 3.0 and SAP BusinessObjects Risk Management 3.0. If you were to expand the configuration activities for each product, you would see some activities that were substantially the same for RM and PC, which meant that if you implemented both products, you would need to do some activities twice, that is, once for each product.

On the right side, you see partially collapsed IMG activities for GRC 10.0 solutions. Activities that relate to more than one GRC product are shared to eliminate duplicate configuration.

Because some functions are now shared with multiple applications in GRC, the new IMG structure provides a clear picture about common customizing activities and application-specific ones. For detailed usage and customizing steps, please refer to the IMG documentation and Installation Guide.


Figure 110: Customizing IMG Structure for GRC 10.0

Basic and Common Customizing Tasks
To access the IMG, first log into the ABAP client for GRC 10.0, then execute transaction SPRO. Click SAP Reference IMG to view the IMG nodes and customizing activities. From here, you can configure:

• General settings as needed for Access Control, Process Control, or Risk Management
• Shared master data settings
• Reporting
• Common component settings for those components in use


Figure 111: Basic and Common Customizing for Access Control, Process Control, and Risk Management

Prerequisites Before Beginning the Functional Implementation

1. Complete technical setup
2. Activate applicable BC sets based upon customer requirements
3. Obtain the authorization roles necessary for access to the IMG

Note: Only activate the timeframe-related BC sets if the customer is on a calendar year because January to December is delivered in the BC set.

Some IMG activities are only needed if you would like to change the delivered structure or behavior of the system. Look at the help icon to the left of each task for in-depth instructions in the IMG.

More information about the prerequisites is listed below. This information is also covered in the Functional Implementation lesson, so just providing an overview of the main points here should suffice.

1. Technical setup should be complete before you begin these steps.

2. Activate applicable Business Configuration (BC) sets based upon customer requirements. While in the IMG, click the Existing BC Sets to see the BC sets display in a column to the right of the tasks. Only activate the timeframe-related BC sets if the customer is on a calendar year, as January to December is delivered in the BC set.

3. You must have the necessary authorization roles that allow access to the IMG: SAP_GRAC_SETUP for AC, SAP_GRC_SPC_CUSTOMIZING for PC, and SAP_GRC_RM_CUSTOMIZING for RM configuration.

• SAP_GRAC_SETUP for AC
• SAP_GRC_SPC_CUSTOMIZING for PC
• SAP_GRC_RM_CUSTOMIZING for RM

Configuring Product-Specific IMG Nodes
After basic and common customizing, configure the product-specific IMG nodes for licensed products to be implemented. If some products are licensed but not yet to be implemented, there is no need to configure them.

Figure 112: Product-Specific Customizing for Access Control, Process Control, and Risk Management

IMG Customizing Documentation
Documentation for IMG customizing is contained within the IMG itself. IMG customizing is performed by users assigned the following roles:

• SAP_GRAC_SETUP for AC
• SAP_GRC_SPC_CUSTOMIZING for PC
• SAP_GRC_RM_CUSTOMIZING for RM

Please demonstrate or review key steps in the exercise.


Exercise 6: Review the IMG Structure
Exercise Duration: 20 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Locate IMG nodes for general and report settings
• Locate IMG nodes for common component settings
• Locate IMG nodes for Access Control, Process Control, and Risk Management

Business Example
Before you begin configuration, it is important to familiarize yourself with the sections of the IMG that pertain to general and shared settings across the GRC solution, as well as component-specific sections that pertain to each application component.

System Data
System: ZMC
Client: 800
User ID: XX_CUSTOM
Password: The password has been reset by each participant, following initial logon.
Set up instructions:

1. Setup has already been completed for this exercise.

Task 1: View General Settings
View general settings in the IMG.

1. Log on to the ABAP client (ZMC) as user XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO in the transaction field, then click the system OK icon or press Enter.

3. Click SAP Reference IMG.

4. Expand Governance, Risk, and Compliance.

5. Expand the General Settings node.

6. Explore the various settings and sub-nodes.

7. Click the Execute icon next to Maintain Entity Role Assignment.


8. What are the roles associated with the RISK Entity?

Task 2: View Report Settings
View common report settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Expand the Reporting node to explore the various settings and sub-nodes.

3. Click the Execute icon next to Maintain Report Configuration

4. Click the Checked icon when you receive the cross-client message.

5. Review the report configuration settings in this area.

6. What are the two report types displayed on the first screen?

Task 3: View Common Component Settings
View settings common to all GRC solution components in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Expand the Common Component Settings node.

3. Expand the nodes in this section and explore the various settings.

4. Click the Execute icon next to Maintain Policy Types and Distribution Methods.

5. What are the Policy Type Descriptions listed here?

Task 4: View Access Control Settings
View Access Control-specific settings in the IMG.

1. Locate and expand the Access Control node to explore the various settings and sub-nodes.

2. Click the Execute icon next to Maintain Access Risk Levels.

3. What risk levels are listed here?

Task 5: View Process Control Settings
View Process Control-specific settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Locate and expand the Process Control node to explore the various settings and sub-nodes.


3. Expand the Reporting sub-node. Note that you viewed general Reporting settings earlier and that this Reporting section is specific to Process Control.

4. Click the Execute icon next to Activate BAdI for Weighting of a Report Line During Aggregation.

5. What is the Return Weight for every line?

Task 6: View Risk Management Settings
View Risk Management-specific settings in the IMG.

1. Click the Cancel icon to exit the BAdI Weighting window.

2. Click the system Back icon to return to the Display IMG screen.

3. Locate and expand the Risk Management node to explore the various settings and sub-nodes.

4. Expand the Incident Loss Database node.

5. Click the Execute icon next to Maintain Risk and Opportunity Priority IDs.

6. What are the priority descriptions listed here?


Solution 6: Review the IMG Structure
Task 1: View General Settings
View general settings in the IMG.

1. Log on to the ABAP client (ZMC) as user XX_CUSTOM, where XX is your Participant ID.

a) Your password is the one you chose when you first logged onto the system with this user ID.

2. Enter SPRO in the transaction field, then click the system OK icon or press Enter.

a) Perform this task in the ABAP client, not in the NWBC.

3. Click SAP Reference IMG.

4. Expand Governance, Risk, and Compliance.

5. Expand the General Settings node.

6. Explore the various settings and sub-nodes.

7. Click the Execute icon next to Maintain Entity Role Assignment.

8. What are the roles associated with the RISK Entity?

a) SAP_GRC_RM_API_RISK_OWNER and SAP_GRC_RM_API_RISK_EXPERT

Task 2: View Report Settings
View common report settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Expand the Reporting node to explore the various settings and sub-nodes.

3. Click the Execute icon next to Maintain Report Configuration

4. Click the Checked icon when you receive the cross-client message.

5. Review the report configuration settings in this area.

6. What are the two report types displayed on the first screen?

a) End-User and System

Task 3: View Common Component Settings
View settings common to all GRC solution components in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Expand the Common Component Settings node.

3. Expand the nodes in this section and explore the various settings.

4. Click the Execute icon next to Maintain Policy Types and Distribution Methods.

5. What are the Policy Type Descriptions listed here?

a) Policy, Procedure, Work Instruction, Standard, SOP

Task 4: View Access Control Settings
View Access Control-specific settings in the IMG.

1. Locate and expand the Access Control node to explore the various settings and sub-nodes.

2. Click the Execute icon next to Maintain Access Risk Levels.

3. What risk levels are listed here?

a) Medium, High, Low, Critical

Task 5: View Process Control Settings
View Process Control-specific settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Locate and expand the Process Control node to explore the various settings and sub-nodes.

3. Expand the Reporting sub-node. Note that you viewed general Reporting settings earlier and that this Reporting section is specific to Process Control.

4. Click the Execute icon next to Activate BAdI for Weighting of a Report Line During Aggregation.

5. What is the Return Weight for every line?

a) The return weight = 1

Task 6: View Risk Management Settings
View Risk Management-specific settings in the IMG.

1. Click the Cancel icon to exit the BAdI Weighting window.

2. Click the system Back icon to return to the Display IMG screen.

3. Locate and expand the Risk Management node to explore the various settings and sub-nodes.

4. Expand the Incident Loss Database node.

5. Click the Execute icon next to Maintain Risk and Opportunity Priority IDs.

6. What are the priority descriptions listed here?

a) Least Important, Important, Very Important


Lesson Summary

You should now be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation


Lesson:176

Functional ImplementationLesson Duration: 30 Minutes

Lesson OverviewThis lesson presents an overview of the functional implementation process,including potential project team members and their roles, prerequisite tasks, andimplementation tasks performed during each phase of the project.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process

This lesson is meant to be an overview of the implementation process. Detailed information about this process and the tasks therein is included in the GRC300 class for AC and the GRC330 class for PC.

Business Example
A company is embarking on an SAP BusinessObjects GRC 10.0 implementation. During the Project Preparation and Blueprinting phase, the project manager will need to identify the necessary members of the project team, including those who may be the stakeholders, as well as understand the prerequisites that must be completed prior to engaging the functional team. During this time as well, the Project Manager will need to create a Project Timeline of tasks that will need to be completed depending upon the solution or solutions being implemented (or in some cases to be implemented in the future).

Project Teams
You will most likely work on a team to complete a functional implementation. Project teams vary, depending on which applications are in use.


Figure 113: GRC Project Teams

Solution or Application Consultants are experts in specific solution or application areas and focus on implementation. Tasks include analyzing business process requirements and then transferring those into the software, as well as performing configuration tasks. These consultants advise a customer about the generic functionality and the options for customizing in order to suit the specific customer requirements.

Technology Consultants perform tasks such as evaluating landscape choices, analyzing hardware and software requirements, and evaluating sizing requirements. These consultants install software, activate and set up required tools, and activate Business Configuration (BC) sets, in addition to other technical tasks. In general, they prepare the system to be ready for the functional implementation.

Security Consultants may perform similar tasks as a Solution or Application consultant, and have some overlapping areas with a Technology Consultant, for example, evaluating sizing requirements.

IT Administrators perform tasks such as setting up automated mail service, copying and modifying user roles, setting up users and assigning roles, performing functional and integration tests, and monitoring the go-live process. IT Administrators may also monitor ongoing system performance and provide support for workflow administration.

Project Managers in a software implementation are responsible for managing a project team and the successful "going live" of a solution within time and budget. Among other duties, they plan project phases, monitor the project progress, handle change requests, and lead communication with the client, as well as between the project and steering committee.

Business Users are a subset of users that typically reference non-transactional activities. They use the software to collect and analyze data that help them support making business decisions. These users are focused on creating new strategies and making decisions based on information from a variety of sources. Examples of business users include Internal and External Auditors, Risk Managers, and Compliance Managers.


Power Users are a subset of End Users who perform additional tasks beyond an End User’s profile in a specific application area, for example, assigning user profiles. They often serve as first support and fulfill a training role for other end users.

Executives are responsible for business transformation and SAP selection and deployment. They have a very broad responsibility, but require expert assistance in specific areas, for example, they may be in charge of IT landscape strategy and the implementation of business requirements. They may also monitor the degree of user acceptance and system optimization after implementation.

A Works Council typically reviews generic user tasks against tasks that the Works Council represents. Popular in Europe, a Works Council has the task of promoting the interests both of the enterprise and of its workforce and serves to reduce workplace conflict by improving and systematizing communication channels. They give representatives of workers in large multinational companies a direct line of communication to top management and make sure that workers in different countries are all told the same thing at the same time about transnational policies and plans.

Prerequisite Tasks

Figure 114: Prerequisite Tasks


Prerequisites before beginning the functional implementation include:

1. Technical setup should be complete before you begin these steps. Technical setup is typically performed by the Technology Consultant and IT Administrator. Example tasks include specifying system architecture, such as identifying front end and reporting components, defining transport mechanisms and the integration framework, validating different steps during installation, including validating proper ABAP installation.

2. Activate applicable Business Configuration (BC) sets based upon customer requirements. While in the IMG, click on Existing BC Sets to see the BC sets appear in a column to the right of the tasks. Only activate the timeframe-related BC sets if the customer is on a calendar year, as January to December is delivered in the BC set.

3. You must have the necessary authorization roles that allow access to the IMG:

• SAP_GRAC_SETUP for Access Control configuration
• SAP_GRC_SPC_CUSTOMIZING for Process Control configuration
• SAP_GRC_RM_CUSTOMIZING for Risk Management configuration

Technical setup means that the Technology Consultant has completed all steps indicated in the GRC 10.0 Installation Guide.

Some IMG activities are only needed if you would like to change the delivered structure or behavior of the system. Look at the help icon to the left of each task for in-depth instructions in the IMG. The tasks are presented in a logical flow, so usually you should try to do them in order to the extent possible given the components you are implementing.

Implementation Process

Figure 115: Implementation Process Overview


Once the implementation is complete, you will conduct daily, regular business. While doing this, you will enjoy the benefits of preventive governance, risk, and compliance management.

Figure 116: Design the Solution

Listed here are general tasks for the Design phase of implementation; they may differ depending on regions and business needs. For example, Security consultants typically ensure and discuss regional data security requirements and act as a NB Works Council liaison. When gathering parameters regarding processes, Security consultants may also define a responsibility matrix during this phase.


Figure 117: Install or Upgrade and Migrate

Note: During this implementation phase, it is important to ensure that the Pre-10.0 production system data is preserved for auditing purposes, including old log files.

Figure 118: Configure Access Control


Figure 119: Implement

Adding features that are not in the POC means integrating with optional features and third-party or other systems.

Figure 120: Optimize and Enhance


Please demonstrate or review key steps in the exercise.


Exercise 7: Review System Configuration
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Review configuration settings in the IMG
• Review existing BC sets in the IMG

Business Example
Before beginning the functional implementation, it is important to verify technical settings and activated BC sets.

System Data
System: ZMC
Client: 800
User ID: XX_CUSTOM
Password: Participant-defined password following initial logon.
Set up instructions:

1. No additional setup required.

Task 1: View General Configuration Settings and Activated BC Sets
View general configuration settings and the associated activated BC sets in the IMG.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO in the Transaction Entry field and click the system OK icon or press Enter.

3. Click SAP Reference IMG.

Caution: Do not make configuration changes. Review current settings only.

4. Click Existing BC Sets at the top of the screen.

5. Expand nodes to view configuration that is maintained in each section, as well as the activated BC sets. Begin with expanding Governance, Risk, and Compliance → General Settings.


View Maintain Customer Specific Menus, Key Attributes, Authorizations, Workflow, Shared Master Data Settings, and Reporting.

Task 2: View Component-Specific Settings and Activated BC Sets
View component-specific configuration settings and associated activated BC sets in the IMG.

1. Expand the Access Control node, then note the configuration settings and activated BC sets for this section.

2. Expand the Process Control node, then note the configuration settings and activated BC sets for this section.

3. Expand the Risk Management node, then note the configuration settings and activated BC sets for this section.


Solution 7: Review System Configuration
Task 1: View General Configuration Settings and Activated BC Sets
View general configuration settings and the associated activated BC sets in the IMG.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

a) You changed your password upon initial system logon.

2. Enter SPRO in the Transaction Entry field and click the system OK icon or press Enter.

a) You are working in the ABAP Client and not in the NWBC.

3. Click SAP Reference IMG.

Caution: Do not make configuration changes. Review current settings only.

4. Click Existing BC Sets at the top of the screen.

a) Existing BC Sets is located just under Display IMG.

5. Expand nodes to view configuration that is maintained in each section, as well as the activated BC sets. Begin with expanding Governance, Risk, and Compliance → General Settings.

View Maintain Customer Specific Menus, Key Attributes, Authorizations, Workflow, Shared Master Data Settings, and Reporting.

Task 2: View Component-Specific Settings and Activated BC Sets
View component-specific configuration settings and associated activated BC sets in the IMG.

1. Expand the Access Control node, then note the configuration settings and activated BC sets for this section.


2. Expand the Process Control node, then note the configuration settings and activated BC sets for this section.

3. Expand the Risk Management node, then note the configuration settings and activated BC sets for this section.


Lesson Summary

You should now be able to:
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process


Unit Summary
You should now be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process


Test Your Knowledge

1. To access the IMG, first log onto the ABAP client for GRC 10.0, then execute transaction SPRO.
Determine whether this statement is true or false.
□ True
□ False

2. From the IMG, you can configure:
Choose the correct answer(s).
□ A General settings for Access Control, Process Control, or Risk Management
□ B Shared master data settings
□ C Reporting
□ D Common component settings for those solution components in use.

3. Before beginning the functional implementation, you must activate BC sets, based upon customer requirements.
Determine whether this statement is true or false.
□ True
□ False

4. Documentation for IMG Customizing is contained within the IMG itself.
Determine whether this statement is true or false.
□ True
□ False

5. IMG customizing is performed by users assigned the following roles:
Choose the correct answer(s).
□ A SAP_GRAC_SETUP
□ B SAP_GRC_SAC_CUSTOMIZING
□ C SAP_GRC_RM_CUSTOMIZING
□ D SAP_GRC_SPC_CUSTOMIZING
□ E SAP_GRPC_SETUP
□ F SAP_GRC_PC_CUSTOMIZING


6. Business Users, such as Internal and External Auditors, are a subset of users that typically:
Choose the correct answer(s).
□ A Reference non-transactional activities
□ B Use the software to collect and analyze data to support business decisions
□ C Serve as first support for end users
□ D Fulfill a training role for other end users

7. Which of the following are not part of the project team?
Choose the correct answer(s).
□ A Executives
□ B Works Council
□ C All end users
□ D Power users

8. Technical setup should be complete before beginning the functional implementation.
Determine whether this statement is true or false.
□ True
□ False

9. A POC, prototype, or integration plan is typically developed during which phase?
Choose the correct answer(s).
□ A Implement
□ B Configure
□ C Optimize/Enhance
□ D Design

10. During the Install/Upgrade & Migrate phase, you do not have to preserve Pre-10.0 production system data or old log files.
Determine whether this statement is true or false.
□ True
□ False


Answers

1. To access the IMG, first log onto the ABAP client for GRC 10.0, then execute transaction SPRO.

Answer: True

The statement is true.

2. From the IMG, you can configure:

Answer: A, B, C, D

All choices are correct.

3. Before beginning the functional implementation, you must activate BC sets, based upon customer requirements.

Answer: True

The statement is true.

4. Documentation for IMG Customizing is contained within the IMG itself.

Answer: True

The statement is true.

5. IMG customizing is performed by users assigned the following roles:

Answer: A, C, D

The correct answers are A, C, and D: SAP_GRAC_SETUP for AC, SAP_GRC_RM_CUSTOMIZING for Risk Management, and SAP_GRC_SPC_CUSTOMIZING for Process Control.

6. Business Users, such as Internal and External Auditors, are a subset of usersthat typically:

Answer: A, B

A and B are correct: Business Users reference non-transactional activities and use the software to collect and analyze data to support business decisions.


7. Which of the following are not part of the project team?

Answer: C

All end users are not included in the project team.

8. Technical setup should be complete before beginning the functional implementation.

Answer: True

The statement is true.

9. A POC, prototype, or integration plan is typically developed during which phase?

Answer: D

The correct answer is the Design phase.

10. During the Install/Upgrade & Migrate phase, you do not have to preserve Pre-10.0 production system data or old log files.

Answer: False

The statement is false; during this phase, it is important to ensure that the Pre-10.0 production system data is preserved for auditing purposes, including old log files.


Unit 6: Reporting

This unit is intended to provide an overview of the harmonized reporting framework and to illustrate how users can create new reports without having to do any programming.

Unit Overview
This unit presents an overview of the harmonized reporting framework, as well as navigating and customizing reports, and Crystal report integration.

Unit Objectives
After completing this unit, you will be able to:

• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts

Unit Contents
Lesson: Harmonized Reporting Framework ... 230
Exercise 8: Run Reports and View Dashboards ... 239


Lesson: Harmonized Reporting Framework
Lesson Duration: 20 Minutes

Lesson Overview
This lesson presents an overview of the reporting framework in GRC 10.0 and how to configure reports without programming.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts

In this lesson, present the key capabilities of the harmonized reporting framework, provide some report navigation points about how reports are organized based on business relevance and target user function, show an example of how to create a new report without having to do any programming, and discuss the options for Crystal report solutions.

Business Example
A company wants to provide the reporting tools needed to supply information from a governance, risk and compliance perspective. SAP BusinessObjects GRC 10.0 allows the flexibility to deliver reports in different formats (OnScreen, Excel, Crystal Reports, Dashboards) and with specific attributes. The flexibility provided by the Reporting Framework makes it easy to create variants that can be saved and re-used at a later date or in continuing operations.


Harmonized Reporting Framework Overview

Figure 121: GRC 10.0 Harmonized Reporting Framework Key Capabilities

IMG Report Configuration

Figure 122: IMG Report Configuration

Access Control will use the reporting infrastructure to define the reports and attributes, but not the Reporting Datamart.


To configure report settings in the IMG, execute transaction SPRO → SAP Reference IMG → Governance, Risk, and Compliance → Reporting. Additional report settings for Process Control can be found at SPRO → SAP Reference IMG → Governance, Risk, and Compliance → Process Control → Reporting.

Report Navigation

Figure 123: Report Navigation - Work Center Example

Each work center contains reports relevant to its business function. For example, the master data work center displayed above shows reports directly related to master data structures from the point of view of a Process Control user. If you were to go to the Assessments work center, you would instead see reports relevant to assessments and other evaluations. The actual reports available in each work center will vary based upon user authorization.


Figure 124: Report Navigation: Reports and Analytics Work Center

The delivered Reports and Analytics work center is set up with an area for frequently used management, compliance and access management reports. However, this can also be adapted by the customer. If desired, the reports shown here can be configured to include reports also shown in the other work centers.

A discussion of what determines service map contents is included in the Security and Authorizations lesson.

Reporting Framework for Customizing Reports
To configure a new report without programming, you don’t need to create the report from scratch. First, copy an existing report, then make changes to it.


Figure 125: Create a New Report: Maintain View Cluster VC_GRFNREPCUST

This transaction may be added to the IMG to make it easier to configure reports. As shown above, this is done by maintaining the view cluster VC_GRFNREPCUST.

Figure 126: Create a New Report: Copy Source Report


Figure 127: Create a New Report: Maintain Columns and Filters

Maintaining Columns allows you to determine the order of columns in the report. There may be other options available depending upon the product to which the report relates. For example, for a Process Control report, you may be able to indicate the behavior of columns related to regulations.

Maintaining Filters allows you to determine selection screen filters and related behavior.

Figure 128: Setting Default Columns - Process Control and Risk Management Only

Default columns for a report can be defined in VC_GRFNREPCOLUMNSC. This is similar to the procedure shown on prior screens. However, the output determines what is shown on the personalization screens for Process Control and Risk Management, as shown above. The initial population of the fields selected is taken from the default columns in VC_GRFNREPCOLUMNSC, and you can then further personalize the columns by moving fields between the Selected and Available columns.

Crystal Integration
GRC 10.0 reports are delivered with three layout options, which provide significant flexibility without programming.

Figure 129: Layout Options for Delivered Reports

Figure 130: Crystal Integration Comparison of Options

There is no dominating or best practice reporting option here. Choose which report option(s) you will support based on business requirements. As you see above, the ALV grid and the output of the ALV grid to the generic Crystal template are the same, except for the ability to collapse and expand hierarchies.


Figure 131: Examples of Report Display Options

The above figure shows a hierarchical report displayed using the three options. Each option takes the same data and presents it with the benefits and constraints of its technology and format.

Please demonstrate or review key steps in the exercise.


Exercise 8: Run Reports and View Dashboards
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• View Risk Management dashboards
• View Compliance dashboards for Process Control
• View Access Management dashboards for Access Control
• Save a report variant

Business Example
You want to review information about your company’s risks, compliance status, and access risks. With the Harmonized Reporting Framework, you can view reports and dashboards for all of these areas from one work center, Reports and Analytics.

System Data
System: ZMC
Client: 800
User ID: XX-CUSTOM
Password: Password was changed by participant upon initial logon.
Set up instructions:

1. Setup has already been completed for this exercise.

Task 1: View Risk Management Dashboards
View Management dashboards for Risk Management.

1. Launch the NetWeaver Business Client or log into the SAP GUI.

2. Choose the Reports and Analytics work center.

3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.

4. Choose a currency, then click OK.

5. Explore the Risk Heatmap. Do you recall the configuration settings you viewed in the IMG for this display, for example, colors associated with risk levels? Those display settings are seen here.


6. Close the Heatmap when finished.

Task 2: View Compliance Dashboards for Process Control
View Compliance Dashboards for Process Control from the Reports and Analytics work center.

1. Choose the Overall Compliance Status dashboard under the Compliance work set.

2. Enter Year for the Period and 2010 for the Year, then click Refresh.

3. View the Compliance Metrics displayed. Click the links to view details, beginning with % of Ineffective Controls.

4. Choose different display and sort settings. Switch between Number and Percentage views.

Task 3: View Access Management Dashboards
View Access Management Dashboards for Access Control in the Reports and Analytics work center.

1. Under the Access Management work set, choose User Risk Violation.

2. Use the drop down arrows to view the analysis criteria options available.

3. Enter the following information on the Risk Analysis: User Level screen:

Field Data Value

System ZMGCLNT800

User GRCRA2

User Group (Leave Blank)

Custom Group (Leave Blank)

Risk Level High

Rule Set Global

User Type Dialog

Remaining Fields Accept default values

4. Save this variant as XX_Variant, where XX is your Participant ID.

5. Click Save.

6. Choose the Saved Variants drop down arrow. Your newly saved variant should be listed here.

7. Click Run in Foreground, then view analysis results.


Solution 8: Run Reports and View Dashboards
Task 1: View Risk Management Dashboards
View Management dashboards for Risk Management.

1. Launch the NetWeaver Business Client or log into the SAP GUI.

a) From the ABAP client, enter /nnwbc, then choose /nwbc in the NWBC launchpad window.

2. Choose the Reports and Analytics work center.

3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.

a) Choose Reports and Analytics → Management → Heatmap

4. Choose a currency, then click OK.

5. Explore the Risk Heatmap. Do you recall the configuration settings you viewed in the IMG for this display, for example, colors associated with risk levels? Those display settings are seen here.

6. Close the Heatmap when finished.

Task 2: View Compliance Dashboards for Process Control
View Compliance Dashboards for Process Control from the Reports and Analytics work center.

1. Choose the Overall Compliance Status dashboard under the Compliance work set.

a) Choose Reports and Analytics → Compliance work set → Overall Compliance Status

2. Enter Year for the Period and 2010 for the Year, then click Refresh.

a) Period: Year; Year: 2010


3. View the Compliance Metrics displayed. Click the links to view details, beginning with % of Ineffective Controls.

4. Choose different display and sort settings. Switch between Number and Percentage views.

Task 3: View Access Management Dashboards
View Access Management Dashboards for Access Control in the Reports and Analytics work center.

1. Under the Access Management work set, choose User Risk Violation.

a) Choose Reports and Analytics → Access Management → User Risk Violation

2. Use the drop down arrows to view the analysis criteria options available.

3. Enter the following information on the Risk Analysis: User Level screen:

Field Data Value

System ZMGCLNT800

User GRCRA2

User Group (Leave Blank)

Custom Group (Leave Blank)

Risk Level High

Rule Set Global

User Type Dialog

Remaining Fields Accept default values

4. Save this variant as XX_Variant, where XX is your Participant ID.

5. Click Save.


6. Choose the Saved Variants drop down arrow. Your newly saved variant should be listed here.

7. Click Run in Foreground, then view analysis results.


Lesson Summary

You should now be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts


Unit Summary
You should now be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts


Test Your Knowledge

1. Users can see all reports presented in the information architecture, regardless of their user authorization.
Determine whether this statement is true or false.
□ True
□ False

2. Which of the following reports might you find in the Master Data Work Center?
Choose the correct answer(s).
□ A Reports related to compliance structure
□ B Reports related to user authorization analysis
□ C Reports related to audit analysis
□ D Reports related to access rule detail

3. Which transaction is executed in order to maintain view cluster VC_GRFNREPCUST?

4. Reports can be displayed in Crystal while leveraging built-in ABAP List Viewer (ALV) functionality.
Determine whether this statement is true or false.
□ True
□ False


Answers

1. Users can see all reports presented in the information architecture, regardless of their user authorization.

Answer: False

Reports are presented in the information architecture based upon user authorization.

2. Which of the following reports might you find in the Master Data Work Center?

Answer: A, C

Reports related to compliance structure and audit analysis can be found in the Master Data work center. Reports related to user authorization analysis and access rules share a target user function and can be found in the Reports and Analytics work center under Access Management.

3. Which transaction is executed in order to maintain view cluster VC_GRFNREPCUST?

Answer: SM34

4. Reports can be displayed in Crystal while leveraging built-in ABAP List Viewer (ALV) functionality.

Answer: True

The statement is True.


Course Summary
You should now be able to:

• Introduce SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
• Identify key governance, risk, and compliance processes supported in the GRC 10.0 solution
• Describe key features and business benefits of the integrated solution
• Identify applications that integrate with the GRC 10.0 solution
• Describe the purpose and location of key user interface components
• Discuss harmonized navigation and how authorizations affect what users see
• Describe how common functions and relative master data are shared across GRC solutions
• Describe the IMG organization for GRC 10.0
• Describe a general implementation process and key steps
• Configure report presentation, structure, and content


Feedback
SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.
