Hi Alessandro,
firstly, many thanks for all your contributions to the community.
i would like to know more on the process of changing the process to eliminate risks but wasn't sure where to start. i have the below queries based on your statement -
"During my last projects we could eliminate more than 90% of SOD conflicts by changing processes and the organization of an entity"
Can you please elaborate on the above around changing process as in role redesign or business process in general with an example if possible?
2. say i have 20 risks of which around 12 dont reflect in my violation reports as of now..do controls need to be defined for these 12 - to plan for future access changes and the likelihood of some of these showing and so have a control ready?
Also, if i define a control that mitigates a risk that is not currently reflecting for any of my users, how is that documented as the control may have to be redesigned in the future owing to several factors (especially with four eyes concept).
hope i am clear enough..