How do you configure a new risk in SAP GRC?


To configure a new risk in SAP GRC, you first log into the system and navigate to the Risk Management module, typically under Access Control → Risk Analysis → Maintain Risk. From there, you create a new risk entry by providing a unique Risk ID, a descriptive Risk Name, selecting a Risk Category (such as Compliance, Operational, or IT), defining the Risk Type (like Access or Process Risk), and assigning a Risk Severity Level. You then specify the transactions, business functions, or role combinations that, if assigned together, would trigger the risk—this is especially important for segregation-of-duties (SoD) risks. Next, you define the mitigating controls, indicating whether they are preventive or detective, along with the responsible owner and control frequency. After entering all relevant details, the risk is saved and activated, making it available for use in risk analysis and mitigation workflows. Finally, it’s recommended to test the newly created risk against sample users or roles to ensure it is correctly configured and triggers under the defined conditions.
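The final testing step can be sketched outside the system. The following is an added example, not SAP GRC code and not from the original answer: a Python model of an SoD risk that triggers only when a user holds at least one transaction from every conflicting function. The risk ID, control ID, user names and function-to-transaction mapping are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class SodRisk:
    risk_id: str
    name: str
    severity: str
    # Conflicting function name -> transaction codes that grant it.
    functions: dict[str, set[str]]
    # User ID -> mitigating control ID assigned to that user for this risk.
    mitigations: dict[str, str] = field(default_factory=dict)

def analyze(risk: SodRisk, user_id: str, tcodes: set[str]) -> dict:
    """Evaluate one user's transactions against one SoD risk."""
    matched = {fn: sorted(codes & tcodes) for fn, codes in risk.functions.items()}
    # The risk triggers only if every conflicting function is covered.
    if not all(matched.values()):
        return {"user": user_id, "risk": risk.risk_id, "status": "clean",
                "control": None, "matched": {}}
    control = risk.mitigations.get(user_id)
    status = "mitigated" if control else "violation"
    return {"user": user_id, "risk": risk.risk_id, "status": status,
            "control": control, "matched": matched}

# Constructed sample risk: vendor maintenance combined with vendor payments.
RISK = SodRisk(
    risk_id="ZP01",
    name="Maintain vendor master and process vendor payments",
    severity="High",
    functions={
        "Vendor Master Maintenance": {"FK01", "FK02"},
        "Process Vendor Payments": {"F110", "F-53"},
    },
    mitigations={"USER_C": "MC_ZP01_01"},
)

# Constructed test users: one positive, one negative, one mitigated case.
USERS = {
    "USER_A": {"FK01", "F110", "ME21N"},  # both functions: should trigger
    "USER_B": {"FK02", "ME21N"},          # one function only: must not trigger
    "USER_C": {"FK02", "F-53"},           # triggers, but a control is assigned
}

def run_test_cases() -> dict[str, str]:
    return {u: analyze(RISK, u, t)["status"] for u, t in USERS.items()}

if __name__ == "__main__":
    for user, status in run_test_cases().items():
        print(f"{user}: {status}")
```

Including a user who holds only one side of the conflict matters as much as the positive case: it confirms the risk definition does not over-trigger.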
