Hi Arivind,
Can you try addressing this requirement using following approach?
- First set parameters 3041 and 3042 to YES which make risk analysis incumbent and cannot move forward if there are risk violations in the role.
Note: These parameters work only for risk analysis violations and not for impact analysis violations
- Role Changes resulting in HIGH risk violations should never be allowed and in that scenario inform the requestors that role authorization data need to be modified.
- Role Changes resulting in MEDIUM or LOW risk violations should be mitigated before you move to next phase in BRM.
Who initiates the control assignment request? (You need to sort this out with the client)
Approvers of control assignment request can be your risk owners.
So, any risk violations which are MEDIUM or LOW will be mitigated or the risk owners can suggest to revert back the changes.
So, everything gets sorted out at Risk Analysis phase and only when the risk violations are properly mitigated or remediated the role can move to next phase in BRM.
This way risk owners are involved in the BRM process.
Let me know if any queries.
Regards,
Madhu
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.