Question Re: Mitigating Controls in Additional Q&A

Mitigating Controls

Former Member — Wed, 09 May 2012 15:42:07 GMT

Hi Experts

I have just tried to create a mitigating control via RAR > MITIGATION > MITIGATING CONTROLS > CREATE > BUSINESS UNIT but the business unit field is empty please can you tell me why and how I can fix this please.

Also the field "Management Approver" is empty.

Thanks

Re: Mitigating Controls

kevin_tucholke1 — Wed, 09 May 2012 15:47:33 GMT

Mark:

Have you set up your business units Under Business Units under the mitigation tab??

Thanks.

Kevin Tucholke

Re: Mitigating Controls

Former Member — Wed, 09 May 2012 16:06:15 GMT

Hi Kevin

Thank you for your prompt reply. From where do I get my Business Units info from?

Regards

Re: Mitigating Controls

kevin_tucholke1 — Wed, 09 May 2012 17:53:18 GMT

Mark:

You create these for your company. They do not have to match anything if you don't want it too.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 05:53:57 GMT

Hi Mark,

Here is how you can create Mitigating controls:

1. Create Administrators (RAR-->Mitigation-->Administrators), only these can be assigned as Approvers or monitors

2. Create Business Units(RAR-->BU-->Create), Can be given any name & description ( Say like HR, FI, MM). Also Assign Approvers & monitor, dropdown will list admins created in Step 1

3. Create Mitigating Controls (RAR-->MC-->Create). Here fill all the details, assign Risks that can be mitigated by this Mitigation Control, Approvers & Monitors.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 07:03:24 GMT

Hi Ajesh

Thank you very much once again. In the "administrators ID" what do you put in there?? anything????

Regards

Mark

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 08:09:34 GMT

Hi Mark,

Maintain USER ID of the administrator.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 08:37:03 GMT

Hi Ajesh

OK thanks for that. So as an example I could use WilsonJ??

I have added all the business units to the system. For demonstration purposes I have created the following

Approver

Risk Owner

Monitor & Risk Owner

Monitor & Approver

Is there anything else I need to do to create a mitigation demo??

Regards

Mark

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 09:13:00 GMT

Hi Mark,

Use the User ID, which users use to login to the GRC System. Once you create the mitigating control, you can assign it to the User or role and show the before and after difference in Risk Analysis.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 09:36:05 GMT

Hi Ajesh

No one logs onto GRC except me at the moment as it is a new implementation and I am trying to get it up and running.

For the demo we have chosen a role now I need to set mitigating control for this role. So I am trying to find out how to create a mitigation ID which has to be a unique alphanumeric identification for the mitigating control ID. It is a HR role so I choose HR as the business unit, choose an approver etc

The SMTP server has been set up, the question is I am not sure how I can test this to make sure it all works, I had thought about setting the system up so it will send me an email, so is this possible???

Can you tell me how to add Management Approvers as well please

Thanks

regards

Mark

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 10:20:31 GMT

Hi Mark,

Not possible to send a mail. You can run risk analysis on a role. If its a HR role, say you get risks H001XXXX. Now you mitigate role (Mitigation Tab-->Migtigated Role--> Search--> Add). Make you have created relevant Control ID with the associated risks H001*. You can choose control ID same as Risk i.e H001. Once you mitigate, you can now run risk analysis on Role. The risks related to H001* should not show up.

Similarly you can do for a user.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 10:35:25 GMT

Hi Ajesh

Thanks for that. So I have to create the mitigation control against the role before I can assign user i.e.

Management Approver to it, is this correct??

I cannot get the "Management Approver" field to populate can you tell me why??

Regards

Mark

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 10:47:49 GMT

Hi Mark,

The mitigation control can be assinged to a user or role. If assigned to a role its risk mitigated to all the user connected to the role. If assigned to a user its mitigated only to the user.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 10:54:08 GMT

Hi Ajesh

I cannot get the "Management Approver" field to populate can you tell me why??

Thanks

Mark

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 11:11:05 GMT

Hi Mark,

When creating Business Unit, You need to give approvers. These entries will come as dropdown list for Managment Approvers.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 11:59:41 GMT

Hi Ajesh

This field is empty. No one in the drop down list.

Thanks

Regards

Mark

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 12:15:44 GMT

Hi Mark,

Make sure you have created the Administrators. As part of the first step I had given.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 12:26:37 GMT

Hi Ajesh

OK I have everything working now but when I click on CREATE I get this error

Request Creation Error

What has gone wrong here??

Regards

Mark

PS once this problem is sorted out should the approvers and monitors get an email when the user tries to access this role????

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 13:36:54 GMT

Hi Mark,

Looks like you have configured workflows for mitigation creation and changes.

Goto RAR-->Config-->Workflow, Set all option to NO.

Else it will try to trigger a workflow.

Regards,

Ajesh.

Re: Mitigating Controls

Former Member — Thu, 10 May 2012 13:40:25 GMT

Neither approvers not monitors will get an email when try to access the role. That would be a whole different game to setup.

Regards,

Ajesh.