Question Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s) in Financial Management Q&A

GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Mon, 03 Jun 2019 18:40:32 GMT

Our current Production setup is like Role owner can approve the request even if the request has risks and it would next goto risk mitigation team to approve the request, this was working fine in development also, all of a sudden things changed, now role owner is unable to approve the request if the request has risks, I checked everything, all the msmp configurations are same as production.

I checked the path ID and the check box to approve despite risk,tried both (Checked and unchecked) it dint work

Checked the Role owner Routing enable and Rule ID GRAC_SOD.... violation is linked and the agents, I am still confused what is missing, any help would be apprecicated

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

RameshVithanala — Mon, 03 Jun 2019 19:41:22 GMT

Sudhakar,

Did you check DEBUG Monitor,SLG1 logs,Any configuration/parameter/MSMP/EUP changed in your development system and also share your GRC version and SP level.

Thanks

Ramesh

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Mon, 03 Jun 2019 19:55:48 GMT

GRCFND_A V110000 22 I dont see any error messages in SLG1, yes 1071,72 and 73 are YES and EUP i dont think its related with this

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

Sri_S1 — Mon, 03 Jun 2019 20:06:44 GMT

Sudhakar,

Please try by generating a new MSMP version and see if it works?

Thanks,

Sri.

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Tue, 04 Jun 2019 01:13:20 GMT

Thanks Sri, when I unchecked/checked the despite risk message, I generated the version, but no luck

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

madhusap — Tue, 04 Jun 2019 01:49:55 GMT

Hi Sudhakar,

Can you check following settings:

Configuration Setting 1

Stage Level setting “Approver Despite Risk” is set to “No” for your Role Owner stage

Configuration Setting 2

Parameter 1072 – Mitigation of critical risk required before approving the request is set as “NO”.

Configuration Setting 3

SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Mitigation Policy”.

Check if request mitigation policy entry exists or not. If it does not exist this could be the reason for your issue.

These 3 settings are related to configuration to enforce approvers to mitigate the risk before approving the request.

Let me know the outcome after verification.

Regards,

Madhu

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Tue, 04 Jun 2019 05:46:48 GMT

Hi Madhu, you are correct, I tested by only adding back the risk mitigation policy back

SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Mitigation Policy”. and Config 1 we already had unchecked and config two, I still kept it as YES. and role owner was able to approve the request without mitigating means its now back to operation how it was working before Thanks, but we want to achieve something else like risk mitigation should be done at risk mitigation stage and the request should pass or complete with getting mitigated, as part of that solution suggested by SAP we removed the request mitigation policy from SPRO, please suggest if you have any better suggestion to force mitigation at risk mitigation stage and not allow them to approve until the request is mitigated.

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

madhusap — Tue, 04 Jun 2019 08:52:28 GMT

Hi Sudhakar,

Can i understand your workflow process flow?

Following is my approach: (May not work with all clients but so far I am able to make clients agree for this approach)

I will usually design my workflows in a way that they will go to risk reviewers or compliance team for review before they get routed to Managers or Role Owners. I will make compliance team as the people who review the risk violations and provide their recommendations together with assignment of mitigating controls. If there are HIGH or CRITICAL risks which are not allowed for end users then the request should be REJECTED by compliance team.

Now Managers or Role Owners will approve the assignments access as well as proposed mitigating control assignments by compliance team as these MC assignments will not get assigned to user until the request is completed and for request completion Managers and Role Owners need to provide their approval.

This way first stage will be compliance team or Risk Reviewers who must take some action on risks and other approvers have the capability to approve/reject assignments.

Regards,

Madhu

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

RameshVithanala — Tue, 04 Jun 2019 12:25:08 GMT

Hi Sudhakar,

Can you share more details(screenshots would help) about the your paths(stage level settings)/agents/routing rules?

Thanks

Ramesh

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Tue, 04 Jun 2019 14:44:34 GMT

Hi Madhu, I agreeing with your approach but selling your idea to existing landscape will be a challenge, I will share the details of work flow shortly

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Tue, 04 Jun 2019 14:57:22 GMT

Please find the details, let me know if you need any additional screenshots, I can share1.jpg 2.jpg 3.jpg 4.jpg 5.jpg

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

RameshVithanala — Tue, 04 Jun 2019 16:14:58 GMT

Approve Despite Risk is not checked and also is change user path going to manager for approval?(as per the path I see only one stage)

Thanks

Ramesh

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

RameshVithanala — Tue, 04 Jun 2019 16:18:48 GMT

And also I noticied RT Config Change OK is not checked.

Thanks

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Wed, 05 Jun 2019 00:53:12 GMT

Hi Ramesh,

if Approve Despite Risk is checked, then role owner might be forced to approve the risk after mitigation right, our requirement is role owner should be allowed to approve the request even if it had risks and risk mitigation team should be not be allowed to approve without mitigation.

The change user is routing to Role owner not manager, yes we have one stage as role owner approval and detour path is to send the request to Risk mitigation team

What is RT config change? where do you see this? does it needs to be checked?

let me know if you need any additional details

Thanks

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

RameshVithanala — Wed, 05 Jun 2019 13:53:03 GMT

Hi Sudhakar,

If Approve Despite Risk is checked then role owner can approve the GRC request with out any mitigation control.

RT Config change is your task setting screenshot,what it do is the configuration applies to the existing GRC requests.

Thanks

Ramesh

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Wed, 05 Jun 2019 14:02:48 GMT

Hi Ramesh,Thank you I will try that now and update you how it went

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Wed, 05 Jun 2019 14:41:22 GMT

failed.jpg, done with the recommended settings and activated the msmp version, still failed.

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446 — Wed, 05 Jun 2019 17:49:36 GMT

I all, I guess I fixed the issue by doing some other changes in MSMP and AC(SPRO), I will shortly post the steps I have done, so that it would help others

Re: GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

arpita_deshpande — Sun, 22 Mar 2020 07:25:40 GMT

hi, can you please share the fixes you have made since I am also facing the same issue.

Thanks

Arpita