{"id":6176,"date":"2020-06-10T07:21:31","date_gmt":"2020-06-10T05:21:31","guid":{"rendered":"http:\/\/inprosec.com\/sod-risk-matrix-for-sap-grc\/"},"modified":"2025-07-07T11:21:06","modified_gmt":"2025-07-07T09:21:06","slug":"sod-risk-matrix-for-sap-grc","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/","title":{"rendered":"SoD Risk Matrix for SAP GRC"},"content":{"rendered":"<p><a href=\"https:\/\/www.linkedin.com\/in\/david-torres-izquierdo-20446926\/\">David<\/a>, our SAP Business Line Department Manager, explains the steps to be taken to define our own risk matrix for segregation of duties (SoD) in an SAP system and the strategy for designing compensating controls.<\/p>\n\n<p><span style=\"font-weight: 400;\">Segregation of Duties Risk is a common topic in all Companies. Let\u2019s try to divide and conquer. The meaning of Risk is \u201cthe probability of an unfortunate event occurring, multiplied by the potential impact or damage incurred by the event\u201d:\u00a0<\/span><\/p>\n<p style=\"text-align: center;\"><b>RISK = LIKELIHOOD x IMPACT\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">On the other hand, the definition of Segregation of Duty is: \u201c<\/span><i><span style=\"font-weight: 400;\">Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users.\u201d<\/span><\/i><span style=\"font-weight: 400;\"> Once the concept of Segregation of Duties Risk is clear, let\u2019s move forward with the SoD Matrix definition.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When a company needs to establish its SoD Risk Matrix inside SAP GRC, it must follow a key principle: \u201c<\/span><b>Start Small Work Big<\/b><span style=\"font-weight: 400;\">\u201d. But what does this mean?
<strong>The SAP Standard Risk Matrix has close to 200 SoD Risks<\/strong>. If the company is just starting in the Risk\u00a0<\/span><span style=\"font-weight: 400;\">Management Area and decides to activate the entire SAP Standard Risk Matrix without prior analysis, the volume of data and results will be so large that no one will be able to make any decision regarding Remediation\/Mitigation of SoD Risks.\u00a0<\/span><\/p>\n<h2><b>Phase I \u2013 Keep it Simple<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Establish a Risk Matrix that covers what Internal and External Audits are currently monitoring. Since those SoD Risks are already familiar inside the\u00a0<\/span><span style=\"font-weight: 400;\">Organization, they are a great starting point for the Risk Management Area. <strong>With SAP GRC you will be able to monitor those Risks much more frequently and therefore plan Remediation and Mitigation activities.\u00a0<\/strong><\/span><\/p>\n<h2><b>Phase II \u2013 Continuous Improvement<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">As described previously, it is a great decision to start with a SoD Risk Matrix that is familiar inside your Organization. However, it is important to comply with the Continuous Improvement concept; therefore, <strong>it is recommended to activate new SoD Risks on a periodic basis<\/strong>. The recommendation is to focus on two of the most important processes inside the Organization: Purchase to Pay and Order to Cash, which can be linked to Cash Outflows and Cash Inflows, respectively. Since those two processes have 67 and 29 SoD Risks, it is recommended to classify them based on Risk Levels.
As a criterion, you can treat as the most critical risks the ones that are related to Cash Flow activities.\u00a0<\/span><\/p>\n<h2><b>Phase III \u2013 Deep Dive<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Your organization reaches this phase once <strong>all the previous Risks are monitored and under control<\/strong>. The next step within the Risk Management Area is to review and monitor all the Standard SoD Risks and even create new ones if the Organization requires them. It is important to document all the Key Processes, establish the Process Owner for each of them and detail the Controls that are included in each of these Key Processes.\u00a0\u00a0<\/span><\/p>\n<h3><b>Strategy for Risk Management<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Since the Risk Matrix includes Risks from different business processes, it is recommended to schedule meetings for each of the Key Processes individually. As an example, this means holding separate meetings for:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Purchase to Pay\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Make to Deliver\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Record to Report\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Order to Cash\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Hire to Retire\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">In all these meetings, <strong>it is important to follow the same criteria:\u00a0<\/strong><\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Risk Levels<\/strong>: 3 or 5, but you cannot have one
process with 3 and another with 5.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Definition of Inherent Risk<\/strong>: It is common to establish the Risk Level assuming that some controls are in place inside the Organization. However, it is recommended to think about the Risk Level excluding the Controls that are currently in place.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Clear Definition of the Functions that are included inside the SoD Risk<\/strong>: In some cases, the description of the function is confusing; therefore, it is recommended to include clear examples of the SoD Risk.\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">As an example, if you are using the Standard Risk Matrix as a base, it is important to record all the changes made to it and the reason behind those changes. If you are going to disable a SoD Risk because the process within this Risk is not applicable inside your organization, it is recommended to record that comment, so <strong>when auditors ask why the risk was disabled, you can provide the specific reason behind that decision<\/strong>. The same applies to the Risk Levels: if you are going to downgrade the Risk Level of a SoD Risk, it is important to record the justification.\u00a0<\/span><\/p>\n<h3><b>Design of Mitigating Controls<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Once you have the first version of your SoD Risk Matrix, it is important to understand which controls are currently in place and therefore reduce the impact or probability of the SoD Risk. In general, people think about the Controls that can mitigate a Risk, Risk by Risk, but the recommendation is to focus on the Functions that generate the SoD Risks.
Extract all the Functions that are included inside your SoD Risk Matrix and think about the controls that are currently in place for each Function. Map each Control to each Function (one control can mitigate more than one Function). This strategy will give you much more visibility into Functions that have strong or weak controls, and even Functions that have no control. This last situation is more common than you might think, so it is nothing to worry about.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once you have mapped the Function and the Control(s) for each of them, you need to <strong>map the Controls to the SoD Risks inside your Risk Matrix<\/strong>. With this mapping you will be able to see which SoD Risks have Controls in place and which do not. Now you know where you need to put the effort regarding the Design or Definition of the Mitigating Controls. Each SoD Risk needs to have at least one Control assigned.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On the other hand, since you know how many times a Control is mapped to SoD Risks, you will be able to understand the impact if that control fails (losing the mitigation in several SoD Risks).\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It is recommended to document each Control using the following Categories:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Type I<\/strong>: Automated, Semi-Automated or Manual.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><strong>Type II<\/strong>: Preventive <span style=\"font-weight: 400;\">or
<\/span>Detective.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Frequency<\/strong>: Event Driven, Daily, Weekly, Bi-Weekly, Monthly, Quarterly, Bi-Annual, Annual.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Key or Non-Key Control.<\/strong> <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Strength<\/strong>: Strong, Medium or Weak.\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">As soon as you have this information for each Control, you will be able to understand the <strong>Residual Risk that will remain after the application of the Mitigating Control<\/strong>. After that, the best strategy is to focus on the SoD Risks whose Residual Risk Level is still High after the application of the Mitigating Controls (because there is no control or the strength of the Control is Weak).\u00a0\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>David, our SAP Business Line Department Manager, explains the steps to be taken to define our own risk matrix for segregation of duties (SoD) in an SAP system and the strategy for designing compensating controls. Segregation of Duties Risk is a common topic in all Companies. Let\u2019s try to divide and conquer.
The meaning of&#8230;<\/p>\n","protected":false},"author":6,"featured_media":4807,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[54,60],"tags":[151],"class_list":["post-6176","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-en","category-sap-grc-en","tag-sap-grc-en"],"acf":[],
"yoast_head_json":{"title":"SoD Risk Matrix for SAP GRC - Inprosec","description":"David, our SAP Business Line Department Manager, explains the steps to be taken to define our own risk matrix for segregation of duties (SoD) in an SAP system and the strategy for designing compensating controls.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/","og_locale":"en_US","og_type":"article","og_title":"SoD Risk Matrix for SAP GRC","og_description":"David, our SAP Business Line Department Manager, explains the steps to be taken to define our own risk matrix for segregation of duties (SoD) in an SAP system and the strategy for designing compensating controls.","og_url":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/","og_site_name":"Inprosec","article_published_time":"2020-06-10T05:21:31+00:00","article_modified_time":"2025-07-07T09:21:06+00:00","og_image":[{"width":1536,"height":768,"url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/10\/SOD.jpg","type":"image\/jpeg"}],"author":"Fernando Mosquera","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Fernando Mosquera","Est.
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#article","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/"},"author":{"name":"Fernando Mosquera","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"headline":"SoD Risk Matrix for SAP GRC","datePublished":"2020-06-10T05:21:31+00:00","dateModified":"2025-07-07T09:21:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/"},"wordCount":1149,"commentCount":0,"image":{"@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/10\/SOD.jpg","keywords":["SAP GRC"],"articleSection":["Cybersecurity","SAP GRC"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/","url":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/","name":"SoD Risk Matrix for SAP GRC - Inprosec","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#primaryimage"},"image":{"@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/10\/SOD.jpg","datePublished":"2020-06-10T05:21:31+00:00","dateModified":"2025-07-07T09:21:06+00:00","author":{"@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"description":"David, our SAP Business Line Department Manager, explains the steps to be taken to define our own risk matrix for segregation of duties (SoD) in an SAP system and the strategy for 
designing compensating controls.","breadcrumb":{"@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#primaryimage","url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/10\/SOD.jpg","contentUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2021\/10\/SOD.jpg","width":1536,"height":768},{"@type":"BreadcrumbList","@id":"https:\/\/www.inprosec.com\/en\/sod-risk-matrix-for-sap-grc\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inprosec.com\/en\/"},{"@type":"ListItem","position":2,"name":"SoD Risk Matrix for SAP GRC"}]},{"@type":"WebSite","@id":"https:\/\/www.inprosec.com\/en\/#website","url":"https:\/\/www.inprosec.com\/en\/","name":"Inprosec","description":"Information security is our priority.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inprosec.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2","name":"Fernando Mosquera","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","caption":"Fernando 
Mosquera"}}]}},"_links":{"self":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/6176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/comments?post=6176"}],"version-history":[{"count":3,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/6176\/revisions"}],"predecessor-version":[{"id":8253,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/6176\/revisions\/8253"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media\/4807"}],"wp:attachment":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media?parent=6176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/categories?post=6176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/tags?post=6176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}