Remediation vs. Mitigation 2.0

The aim is not to suppress every conflict but to bring every identified risk under control, whether by remediating it or by mitigating it.

For each identified risk there are four possible ways to remediate or mitigate it:

  • Modify the user's authorizations/roles so that the conflicting access is removed.
  • Change the organization's job roles and responsibilities matrix so that the user no longer requires the access.
  • Remove the user's authorizations/roles and instead grant periodic access to the risky function through a firefighter ID that is appropriately monitored.
  • Create and apply an appropriate mitigating (compensating) control to the risk.

Remediation vs. Mitigation 1.0

Remediation: Actions taken to eliminate an identified risk. Typical SAP remediation activities include, but are not limited to:

  • Simple Security Roles Modifications
  • Functional Activity Groups Modifications
  • Updating SoD Risk
  • Creating New SoD Risks
  • Updates to Functions
  • Creation of New Functions
  • Updates to Actions
  • Restricting User Access

Mitigation: Actions taken to monitor risks which cannot be remediated. Mitigation is the less desirable option: the underlying risk remains in place, and the mitigating control carries ongoing costs for its maintenance, execution and traceability (evidence that it was actually performed).
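To make the difference between the four options and between remediation and mitigation concrete, the following is an added worked example, not code from the original page or from SAP. It models a tiny rule set in the shape of the SAP GRC Access Control data model (action -> function -> risk) and runs a risk analysis before and after each option. The functions, risk IDs, roles, control IDs and users are constructed for this example; the transaction codes are only illustrative and the rule set is not SAP's delivered one.

```python
from dataclasses import dataclass, field
from datetime import date

# Illustrative rule set modelled loosely on the SAP GRC Access Control data
# model. Functions, risk IDs, roles and users are constructed for this example.
FUNCTIONS = {
    "VENDOR_MASTER":  {"FK01", "FK02", "XK01"},   # maintain vendor master data
    "VENDOR_PAYMENT": {"F110", "F-53"},           # run / post vendor payments
    "GL_POSTING":     {"FB01", "FB50"},           # post general-ledger documents
}
RISKS = {
    "P001": ("VENDOR_MASTER", "VENDOR_PAYMENT"),  # create a vendor, then pay it
    "F001": ("VENDOR_PAYMENT", "GL_POSTING"),     # pay, then hide it in the GL
}

@dataclass
class MitigatingControl:
    control_id: str
    monitor: str      # owner who reviews the control's evidence
    valid_to: date    # a mitigation expires and must be re-approved

@dataclass
class User:
    name: str
    roles: set
    mitigations: dict = field(default_factory=dict)    # risk_id -> MitigatingControl
    firefighter_ids: set = field(default_factory=set)  # monitored emergency access

def functions_held(user, roles):
    """Functions a user can execute through any of their roles."""
    actions = set().union(*(roles[r] for r in user.roles))
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def analyze(user, roles, today):
    """Risk analysis: {risk_id: 'open' | 'mitigated'} for every violated risk.
    A mitigated risk is still a violation; an expired control reopens it."""
    funcs = functions_held(user, roles)
    found = {}
    for rid, (fa, fb) in RISKS.items():
        if fa in funcs and fb in funcs:
            ctrl = user.mitigations.get(rid)
            found[rid] = "mitigated" if ctrl and ctrl.valid_to >= today else "open"
    return found

def remediate_role(roles, role, actions_to_remove):
    """Option 1: modify the role itself; the conflict disappears for every holder."""
    roles[role] = roles[role] - set(actions_to_remove)

def remediate_user(user, role):
    """Option 2: the job-role matrix changed; the user no longer needs the role."""
    user.roles.discard(role)

def provision_firefighter(user, role, ff_id):
    """Option 3: remove standing access and grant monitored emergency access instead."""
    user.roles.discard(role)
    user.firefighter_ids.add(ff_id)

def mitigate(user, risk_id, control, roles, today):
    """Option 4: keep the access; attach a compensating control to an OPEN risk only."""
    if analyze(user, roles, today).get(risk_id) != "open":
        raise ValueError(f"{risk_id} is not an open risk for {user.name}")
    user.mitigations[risk_id] = control

def demo():
    """Walk the rule set through all four options; returns the analysis after each step."""
    today = date(2024, 6, 1)
    roles = {
        "Z_AP_CLERK":      {"FK01", "FK02", "F-53"},  # intra-role conflict: master + payment
        "Z_AP_PAYMENTS":   {"F110"},
        "Z_GL_ACCOUNTANT": {"FB01", "FB50"},
    }
    bob   = User("bob",   {"Z_AP_CLERK"})
    carol = User("carol", {"Z_AP_CLERK", "Z_AP_PAYMENTS"})
    alice = User("alice", {"Z_AP_PAYMENTS", "Z_GL_ACCOUNTANT"})
    steps = {}
    steps["bob_initial"] = analyze(bob, roles, today)                 # {'P001': 'open'}
    remediate_role(roles, "Z_AP_CLERK", {"F-53"})                     # option 1
    steps["bob_after_role_fix"] = analyze(bob, roles, today)          # {}
    steps["carol_initial"] = analyze(carol, roles, today)             # {'P001': 'open'} via F110
    remediate_user(carol, "Z_AP_PAYMENTS")                            # option 2
    steps["carol_after_role_removal"] = analyze(carol, roles, today)  # {}
    steps["alice_initial"] = analyze(alice, roles, today)             # {'F001': 'open'}
    ctrl = MitigatingControl("MC-F001-01", "AP manager", date(2024, 12, 31))
    mitigate(alice, "F001", ctrl, roles, today)                       # option 4
    steps["alice_mitigated"] = analyze(alice, roles, today)           # {'F001': 'mitigated'}
    later = date(2025, 1, 15)
    steps["alice_control_expired"] = analyze(alice, roles, later)     # {'F001': 'open'} again
    provision_firefighter(alice, "Z_GL_ACCOUNTANT", "FF_GL_01")       # option 3
    steps["alice_after_firefighter"] = analyze(alice, roles, later)   # {}
    return steps

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:28} {result}")
```

The point the walk-through makes is the one in the text: options 1 to 3 make the violation vanish from the analysis, while option 4 leaves it in the report as "mitigated" and, once the control's validity lapses, it is reported as open again. That reopening is the maintenance cost of mitigation that the text refers to.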