SAP GRC -SAP Governance, Risk and Compliance solution enables organizations to manage regulations

and compliance and remove any risk in managing organizations' key operations.

Risk Classification
Risks should be classified as per the company policy. The following are the various risk classifications
that you can define as per risk priority and company policy −
 Critical-Critical classification is done for risks that contain company’s critical assets that are very
likely to be compromised by fraud or system disruptions.

 High-This includes physical or monetary loss or system-wide disruption that includes fraud, loss
of any asset or failure of a system.

 Medium-This includes multiple system disruption like overwriting master data in the system.

 Low-This includes risk where the productivity losses or system failures compromised by fraud or
system disruptions and loss is minimum.

SAP GRC — Report Type

You can generate different Risk Analysis reports as per the required analysis −
 Action Level − You can use it to perform SoD analysis at action level.

 Permission Level − This can be used to perform SoD analysis at action and permission levels.

 Critical Actions − This can be used to analyze the users who have access to one of the critical
functions.

 Critical Permissions − This can be used to analyze users having access to one critical function.

 Critical Roles/Profiles − This can be used to analyze the users who has access to critical roles or
profiles.

The SAP Segregation of Duties (SoD) Risk Analyzer module of the Access Control Suite enables you to
conduct real-time SAP governance, risk and compliance (GRC) analysis. It also enables you to define and
address separation of duties, determine sensitive authorizations, and prevent excessive user access

Risk:
Risk associate’s risks to functions, business processes, defines the priority of the risk, what type of risk,
and active vs non-active status.

Risk Description:
Risk Description defines the risk, language and risk description.

Business role:
Business roles can be used to determine the access necessary for the function or process the user is
involved with, helping organizations better manage changes to access.