Access Request Management (ARM) ensures secure and controlled access to sensitive systems and data within organizations. To implement an effective risk management strategy, it is essential to identify and mitigate authorization risks. However, have you ever been required to mitigate only high and medium risks and ignore low ones? This blog discusses a solution to validate and enforce mitigation of high and medium risks in ARM and the importance of mitigating them.
If your requirement is to validate and enforce mitigation of other risk types, the decision table can be tweaked depending on your business requirements.
Why High & Medium SoD Risks Deserve Priority Attention
There are several critical factors that organizations must consider when mitigating high and medium segregation of duties (SoD) risks:
- Impact on Critical Business Processes: Often, high and medium SoD risks exist within critical business processes that directly affect an organization's operations, finances, and compliance. A failure to mitigate these risks can lead to severe consequences, such as financial loss, disruptions in operations, and non-compliance with regulatory requirements.
- Increased Likelihood of Fraud: High and medium SoD risks are more likely to be exploited by malicious individuals for fraudulent purposes, because they typically involve access to sensitive systems, data manipulation, and control over key financial functions. Leaving these risks unmitigated leaves the organization vulnerable to fraud and compromises its financial integrity.
- Compliance Requirements: Due to their impact on financial reporting, data privacy, and security, regulatory frameworks and industry standards often prioritize mitigating high and medium SoD risks. An organization's reputation can be damaged if it does not comply with these requirements. Legal consequences, fines, and penalties can result from non-compliance.
- Magnitude of Potential Losses: The potential losses associated with high and medium SoD risks are greater than those associated with low-level risks. Data breaches, unauthorized access, and financial misstatements resulting from these risks can cause significant financial damage, operational disruptions, and irreparable brand damage.
- Resource Optimization: Mitigating high and medium SoD risks allows organizations to allocate their limited resources more efficiently. A more efficient allocation of time, budget, and personnel can be achieved by prioritizing the risks that are most likely and have the highest impact.
While low-level SoD risks should not be ignored completely, mitigation efforts should be prioritized based on the likelihood and impact of risks, with high and medium risks being the primary focus to ensure effective risk management within the organization.
Before you start implementing the solution, note that the default mitigation policy in the BRFplus configuration (SPRO > Governance, Risk and Compliance > Access Control > Maintain AC Applications and BRFplus Function Mapping) can be enabled to enforce mitigation of all risks. Used together with the MSMP stage task setting “Approve Despite of Risks” left disabled (unchecked), this prevents the stage owner from approving a request that still carries unmitigated risks.
Removing either of these (disabling the policy or checking “Approve Despite of Risks”) allows the approver to approve any request without a mitigation.
How to achieve this
The purpose of creating this BRFplus rule is to determine which risks require mitigation and which do not. Ensure that the default BRF+ Mitigation Policy is maintained and associated with the MSMP Process ID in the SPRO settings, as shown in figure 1.0.
Figure 1.0 - BRF Function ID Screen
Copy the Default BRFplus Mitigation Policy Rule ID from the SPRO Settings and open the BRFplus Rule ID in Expert Mode using BRFplus transaction code. (You may need to search it from the existing objects).
Creating a Decision Table to define the Mitigation Policy Rules
Under the Function: MITIGATION_POLICY_FUNCTION, change the Mode to “Functional and Event Mode” and create the Decision Table in Top Expression, as shown in figure 1.1.
Figure 1.1 – Setting up Function Mode for MITIGATION_POLICY_FUNCTION
Once the Function Mode is changed, click on Top Expression, choose Create > Decision Table, and enter the details as shown below in figure 1.2:
Figure 1.2 – Decision Table definition screen
Click “Create And Navigate To Object”, then navigate to Table Settings in the Decision Table.
Select the Result Data Object as “Mitigate Risk” and define the Condition & Result Columns as shown below and click “OK”.
Figure 1.3 – Decision table definition
Set up the Decision Table by specifying the risk levels that you want to mitigate. In this blog, we are only considering High and Medium. Click Save and Activate the Decision Table.
Figure 1.4 – Decision table rule results definition
Make sure the Top Expression in the Function is mapped to the Decision Table and that the Result Data Object is “Mitigate Risk”, as shown in figure 1.5.
Figure 1.5 – Top Expression and Data Object mapping
Click Save and Activate.
NOTE: You may use the Simulate option to check the output by giving a request number as input. Refer to figures 1.6 and 1.7 for the input and output screens of the simulation.
Figure 1.6 – Simulation input screen
Figure 1.7 – Simulation output screen
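To make the decision-table logic concrete, here is a small Python model of the policy configured above, followed by a simulation in the spirit of figures 1.6 and 1.7. This is an added illustration, not SAP or BRF+ code; the risk IDs, request contents and function names are constructed for the example.

```python
"""Model of the BRF+ mitigation-policy decision table described in the post.

Constructed example, not SAP code: only the row layout (risk level ->
"Mitigate Risk") follows the post; request data and risk IDs are made up.
"""
from __future__ import annotations
from dataclasses import dataclass

# Decision table rows: (condition on risk level) -> "Mitigate Risk" result.
# Rows are evaluated top-down and the first match wins; a level with no
# matching row falls through to the default (Low is deliberately not listed).
DECISION_TABLE = [
    ({"HIGH"}, True),
    ({"MEDIUM"}, True),
]
DEFAULT_MITIGATE_RISK = False
# Critical risks are governed by parameter 1072 in the post and are not modelled.


def mitigation_required(risk_level: str) -> bool:
    """Evaluate the decision table for one risk level (the function's result)."""
    level = risk_level.strip().upper()
    for levels, mitigate in DECISION_TABLE:
        if level in levels:
            return mitigate
    return DEFAULT_MITIGATE_RISK


@dataclass
class RiskHit:
    risk_id: str      # hypothetical SoD risk ID reported by risk analysis
    level: str        # HIGH / MEDIUM / LOW
    mitigated: bool   # a mitigating control is assigned for this user/risk


def simulate(request_risks: list[RiskHit]) -> dict:
    """Mirror the BRF+ simulation: given the risks found on one request,
    report which ones still block approval under the policy."""
    blocking = [r.risk_id for r in request_risks
                if mitigation_required(r.level) and not r.mitigated]
    ignored = [r.risk_id for r in request_risks if not mitigation_required(r.level)]
    return {"approvable": not blocking, "blocking": blocking, "ignored": ignored}


# Constructed request: three SoD hits, one High risk still unmitigated.
SAMPLE_REQUEST = [
    RiskHit("P001", "High", mitigated=False),
    RiskHit("F002", "Medium", mitigated=True),
    RiskHit("B003", "Low", mitigated=False),
]

if __name__ == "__main__":
    print(simulate(SAMPLE_REQUEST))
```

Adding a row for another level (for example Low) to `DECISION_TABLE` is the equivalent of adding a row in figure 1.4, which is the tweak mentioned at the start of the post.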
Important: When the MSMP stage-level setting “Approve Despite Risk” is unchecked and parameter 1072 (Mitigation of critical risk required before approving the request) is set to “YES”, enforcement is driven by the mitigation policy rules configured in BRF+, which override these settings.
Conclusion:
It is essential for organizations to mitigate high and medium segregation of duties (SoD) risks to protect critical business processes, prevent fraud, comply with regulations, minimize potential losses, and optimize resources. By prioritizing mitigation of these risks, organizations can improve their risk management practices and ensure a secure and controlled access environment. This article discussed why high and medium SoD risks deserve focus, covering their impact on critical processes, the likelihood of fraud, compliance requirements, and the magnitude of potential losses. It also showed how to configure BRFplus rules and set up a decision table to enforce their mitigation. Enforcing appropriate mitigation for high and medium SoD risks strengthens an organization's security posture and protects sensitive systems and data.