Hi
Needed your expert opinion.
I am implementing GRC for a customer with 10 R3 systems.
We have to implement one instance of GRC connected to 10 R3 systems.
Each of these R3 systems belongs to a business unit (10 different business units in all).
Each of these business units is as good as an independent company, having its own business and IT processes, roles and users. (No user would have access in more than one R3 system.)
Though many business processes and risks would be common amongst the business units, the risk owner would be different, and so would be the mitigation process etc.
In the above scenario I have the following choices:
Choice one - Use logical systems
This would have the least flexibility for the business units to manage their risks, actions and permissions.
Choice Two - Physical systems
Have a common risk ruleset and connect the 10 R3 systems as physical systems.
In this case the risks would be common, so the issues related to risk owner, mitigation etc. would remain. This would have limited flexibility. Also we may hit the 46000 rules limit.
Choice three
Have 10 rulesets (10 sets of risks/functions etc., one each for the business units).
Each business unit would have its individual risks and thereby greater control.
I am inclined towards the last choice. My concern is that multiple rulesets/risks will lead to a greater number of rules, thereby affecting performance.
There would be around 6000 users and around 30000 roles in all these 10 systems put together.
Can somebody share their experience/expertise on this?
Regards