
Mitigating Controls

Former Member
0 Kudos

Hi Experts

I have just tried to create a mitigating control via RAR > MITIGATION > MITIGATING CONTROLS > CREATE > BUSINESS UNIT, but the business unit field is empty. Please can you tell me why and how I can fix this?

Also the field "Management Approver" is empty.

Thanks

MW

Accepted Solutions (1)


Former Member
0 Kudos

Hi Kevin

Thank you for your prompt reply. Where do I get my Business Units info from?

Regards

MW

kevin_tucholke1
Contributor
0 Kudos

Mark:

You create these for your company. They do not have to match anything if you don't want them to.

KT

Former Member
0 Kudos

Hi Mark,

Here is how you can create mitigating controls:

1. Create Administrators (RAR-->Mitigation-->Administrators). Only these can be assigned as approvers or monitors.

2. Create Business Units (RAR-->BU-->Create). These can be given any name and description (say, HR, FI, MM). Also assign approvers and monitors; the dropdown will list the admins created in step 1.

3. Create Mitigating Controls (RAR-->MC-->Create). Here fill in all the details and assign the risks that can be mitigated by this mitigating control, plus approvers and monitors.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

Thank you very much once again. In the "administrators ID", what do you put in there? Anything?

Regards

Mark

Former Member
0 Kudos

Hi Mark,

Maintain USER ID of the administrator.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

OK, thanks for that. So as an example I could use WilsonJ?

I have added all the business units to the system. For demonstration purposes I have created the following:

Approver

Risk Owner

Monitor & Risk Owner

Monitor & Approver

Is there anything else I need to do to create a mitigation demo?

Regards

Mark

Former Member
0 Kudos

Hi Mark,

Use the User ID which users use to log in to the GRC system. Once you create the mitigating control, you can assign it to the user or role and show the before and after difference in Risk Analysis.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

No one logs onto GRC except me at the moment, as it is a new implementation and I am trying to get it up and running.

For the demo we have chosen a role; now I need to set a mitigating control for this role. So I am trying to find out how to create a mitigation ID, which has to be a unique alphanumeric identification for the mitigating control ID. It is a HR role, so I choose HR as the business unit, choose an approver, etc.

The SMTP server has been set up. The question is, I am not sure how I can test this to make sure it all works. I had thought about setting the system up so it will send me an email, so is this possible?

Can you tell me how to add Management Approvers as well, please?

Thanks

Regards

Mark

Former Member
0 Kudos

Hi Mark,

Not possible to send a mail. You can run risk analysis on a role. If it's an HR role, say you get risks H001XXXX. Now you mitigate the role (Mitigation Tab-->Mitigated Role-->Search-->Add). Make sure you have created the relevant Control ID with the associated risks H001*. You can choose a control ID the same as the risk, i.e. H001. Once you mitigate, you can now run risk analysis on the role. The risks related to H001* should not show up.

Similarly, you can do this for a user.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

Thanks for that. So I have to create the mitigation control against the role before I can assign a user, i.e. Management Approver, to it. Is this correct?

I cannot get the "Management Approver" field to populate. Can you tell me why?

Regards

Mark

Former Member
0 Kudos

Hi Mark,

The mitigation control can be assigned to a user or role. If assigned to a role, the risk is mitigated for all the users connected to the role. If assigned to a user, it is mitigated only for that user.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

I cannot get the "Management Approver" field to populate. Can you tell me why?

Thanks

Mark

Former Member
0 Kudos

Hi Mark,

When creating a Business Unit, you need to give approvers. These entries will come up as the dropdown list for Management Approvers.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

This field is empty. No one in the drop down list.

Thanks

Regards

Mark

Former Member
0 Kudos

Hi Mark,

Make sure you have created the Administrators, as part of the first step I had given.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

OK, I have everything working now, but when I click on CREATE I get this error:

Request Creation Error

What has gone wrong here?

Regards

Mark

PS: Once this problem is sorted out, should the approvers and monitors get an email when the user tries to access this role?

Former Member
0 Kudos

Hi Mark,

Looks like you have configured workflows for mitigation creation and changes.

Go to RAR-->Config-->Workflow and set all options to NO.

Else it will try to trigger a workflow.

Regards,

Ajesh.

Former Member
0 Kudos

Neither approvers nor monitors will get an email when a user tries to access the role. That would be a whole different game to set up.

Regards,

Ajesh.

Former Member
0 Kudos

Hi Ajesh

I thought the whole idea of mitigation was so that workflow would be triggered and an approver could say yes or no. So why do we not want approvers or monitors to get an email?

I have set the RAR-->Config-->Workflow > NO

Regards

Mark

PS: I found this on another blog:

RAR alert notification functionality doesn't use any of CUP workflows, instead based on Configuration of Risk owner / mitigating control approver email address, RAR sends notification email to them. Format of alert notification email is hardcoded in RAR.

Answers (2)


Former Member
0 Kudos

I found the discussion very informative.

Former Member
0 Kudos

Hi Syed

So glad you like it. Ajesh is a mine of information on GRC.

Regards

Mark

Former Member
0 Kudos

...and I second you on this one, Mark.

Thanks for sharing your thoughts Ajesh and thanks for questioning in the first place, Mark.

Regards,

Syed

kevin_tucholke1
Contributor
0 Kudos

Mark:

Have you set up your business units under Business Units under the Mitigation tab?

Thanks.

Kevin Tucholke