Over the years that we have implemented Access Risk Management rulesets, we have seen, and also created, rulesets of very different sizes, either built by ourselves or by others. Some have been huge, with hundreds of risks, and some have been very concise, holding only a few tens of risks.
The first question is what the ruleset is used for. In which processes does it operate as a control? If it is only used to provide visibility into who has central master data access, as opposed to proactively stopping the provisioning of critical SoD risks, we may want to follow fewer or more risks accordingly.
The scope of systems and processes involved also impacts the size of the ruleset. Logically, if you are following the risks across a multitude of processes and systems, you will end up with more risks than with a smaller scope.
The ruleset content can be defined with priorities if we want to fulfil different purposes with the same ruleset. This helps in managing the size of the ruleset. The ruleset can also hold different types of risks that you may want to use differently. Some risks exist to highlight critical IT access that you want to have only in IT roles, not in business end-user roles.
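As an added illustration (not GRC Nordic's or SAP's own code), the following sketch shows how a ruleset can carry both SoD risks and critical-access risks, how a priority decides whether a hit blocks provisioning or is only reported, and how an IT-only critical-access risk is tolerated inside an IT role. The risk IDs, function names and priorities are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample ruleset: IDs, function names and priorities are made up.
@dataclass(frozen=True)
class Risk:
    risk_id: str
    kind: str              # "SoD" (two conflicting functions) or "CRITICAL" (one function)
    functions: tuple       # function IDs that together constitute the risk
    priority: str          # "HIGH" blocks provisioning; "MEDIUM"/"LOW" are reported only
    it_only: bool = False  # critical IT access that is acceptable inside IT roles

RULESET = (
    Risk("R01", "SoD", ("CREATE_VENDOR", "POST_VENDOR_INVOICE"), "HIGH"),
    Risk("R02", "SoD", ("MAINTAIN_PRICING", "CREATE_SALES_ORDER"), "MEDIUM"),
    Risk("R03", "CRITICAL", ("DEBUG_REPLACE",), "HIGH", it_only=True),
    Risk("R04", "CRITICAL", ("CHANGE_MASTER_DATA",), "LOW"),
)

def find_violations(functions_held, ruleset=RULESET, is_it_role=False):
    """Detective use: return every risk whose functions are all present in the access."""
    held = set(functions_held)
    hits = []
    for risk in ruleset:
        if risk.kind == "CRITICAL" and risk.it_only and is_it_role:
            continue  # critical IT access is expected in IT roles, so not a finding there
        if all(f in held for f in risk.functions):
            hits.append(risk)
    return hits

def provisioning_decision(functions_held, ruleset=RULESET, is_it_role=False):
    """Preventive use: HIGH-priority hits stop the request, lower priorities go to a report."""
    hits = find_violations(functions_held, ruleset, is_it_role)
    blocking = [r.risk_id for r in hits if r.priority == "HIGH"]
    reported = [r.risk_id for r in hits if r.priority != "HIGH"]
    return {"blocked": bool(blocking), "blocking_risks": blocking, "reported_risks": reported}

if __name__ == "__main__":
    request = ["CREATE_VENDOR", "POST_VENDOR_INVOICE", "CHANGE_MASTER_DATA"]
    print(provisioning_decision(request))
```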
Good practice is to have a yearly process in which the CFO, or an equivalent role, signs off the ruleset. This helps to keep the focus on the right risk management activities.
In summary, it is important to know why and what your ruleset holds. The actual size as a number is not a key figure to follow. However, it can indicate things, and that is why we consultants may ask: how big is your ruleset? What do you think: what is the size of a good ruleset?
Share your thoughts with us! Post your comments on LinkedIn – GRC Nordic.
Contact Mikko Syrjänen firstname.lastname@example.org to get more information about SAP Access Risk Management services.