About Risk Management

Owned by Phillip Hanegan
Last updated: Aug 23, 2024
5 min read

In today’s complex business landscape, effective risk management is essential to safeguard IT resources and ensure uninterrupted operations. EmpowerID’s risk management approach identifies and mitigates potential threats and ensures that access to systems remains compliant with regulatory requirements, industry standards, and organizational policies.

What is Compliant Access?

Compliant access refers to aligning access permissions with an employee’s role while ensuring adherence to regulatory standards, industry guidelines, and internal policies. This approach categorizes access as acceptable, risky, or non-compliant based on the alignment with these predefined criteria, thereby minimizing the risk of unauthorized or excessive access.

Challenges with Traditional Risk Management

Traditional risk management methods often struggle to keep up with the complexity of managing access across multiple cloud-based and on-premise systems. Overlapping access rights can lead to excessive permissions, increasing the risk of security breaches. To effectively manage these risks, companies must thoroughly understand the permissions model for every application, ensuring that access remains tightly controlled.

EmpowerID’s Approach to Bridging Gaps

Despite the technical prowess of many Identity and Access Management (IAM) solutions, they often fail to link system entitlements to business processes in a user-friendly manner. For example, in an SAP system, the entitlement to create a purchase order is represented by the TCode ME21N. While this may be clear to application specialists, it can confuse business users. EmpowerID addresses this gap by translating complex entitlements into easily understandable terms, thus enhancing both transparency and control.

 

 

Example of a native system entitlement

 

 

EmpowerID Risk Management Strategy

Tailoring Risk Management to Organizational Needs

EmpowerID recognizes that each organization has unique process definitions and policy needs. It tailors its risk management solutions to accommodate these characteristics, simplifying complex terminologies into plain language for business users while preserving the necessary technical details for IT professionals.

Integrating Business Models in Risk Management

Understanding that businesses operate through continuous processes to deliver products or services, EmpowerID breaks down these processes into smaller, manageable "business-defined activities." These activities are then mapped to specific rights and roles within the system, a practice known as "function mapping." This mapping clarifies roles and responsibilities and enhances visibility into potential risk areas.

Business Process

 

Function Mapping and Risk Management

EmpowerID distinguishes between global functions—actions performable in multiple applications—and local functions—actions specific to a location or application. These functions are linked to global and local risks, respectively. Global risks might include actions like "Create Purchase Order," which are standardized across the organization. In contrast, local risks pertain to actions within specific applications, such as creating a purchase order in a particular SAP environment.

 

Understanding and Managing Risks

Define Risk Policies

Organizations establish risk policies that define critical or sensitive functions within their IT infrastructure and identify toxic combinations or Segregation of Duties (SOD) violations. These risks range from users having access to high-risk functions unrelated to their daily tasks to the ability to perform end-to-end functions within an application. Risks consist of risk rules, which are functions added to the risk; a risk must have at least one function for the risk engine to evaluate it, while SOD risks require a minimum of two functions—a risk function and a risk-segregated function.

Global and Local Risks

Global risks represent actions that users can perform in one or more applications that an organization considers potentially risky. For example, a global risk named "Create Purchase Order" would map to a global function of the same name, enabling the risk engine to identify all users capable of performing this action. Local risks, on the other hand, are tied to specific applications or locations and are often added to global risks to provide more granular control.

Risk Rules

Risk rules are the functions added to a risk. A risk can have multiple functions as required, but it must have at least one for the risk engine to calculate the rule. SOD risks require a minimum of two—one risk function and one risk-segregated function.

 

Risk Violations and Controls

EmpowerID’s risk management controls are divided into two main categories: Preventative Controls and Detective Controls:

  • Preventative Controls operate in real-time during access requests, alerting users to potential policy breaches before they can proceed. This proactive approach helps prevent non-compliant actions from occurring.

  • Detective Controls work by reanalyzing all access and attribute changes on a scheduled basis, identifying any new risk violations that may have arisen since the last analysis. This ensures that all risks are continuously monitored and managed.

When a violation is detected during a user's shopping experience, EmpowerID immediately presents the violation within the shopping cart interface. Users are then prompted to decide whether to proceed with the request, acknowledging the potential risk, or to cancel the request to avoid the violation. This process allows users to make informed decisions while maintaining compliance with organizational policies.

Risk Owner Decisions

Violations detected through preventative or detective means are routed to risk owners, who decide whether risky access should be allowed or denied. Risk owners analyze how the access was obtained and decide on potential mitigation or correction actions. This proactive approach ensures that all access within the organization adheres to established risk policies and maintains the security integrity of the IT environment.

Conclusion

EmpowerID’s risk management approach combines detailed technical controls with simple, business-focused explanations. This ensures that enterprises can maintain strict access controls while increasing understanding and management of these controls across all organizational levels. As businesses evolve and new threats emerge, leveraging EmpowerID’s comprehensive risk management strategies will be crucial to protecting sensitive data and systems, ultimately promoting strong compliance and operational integrity.

 

Â