In this overview, all risks and opportunities from the different management systems are displayed. It is also possible to display only the risks and opportunities of the current management system. Furthermore, risks and opportunities can be set to private, so that they are only displayed in the management system in which they were created.

If you click on a risk or opportunity, you can edit or view it. Then it is possible to view which gaps, threats, measures, or controls are assigned to this risk or opportunity.

Caution:

• A risk/opportunity that is not "private" can be assessed separately for each management system that uses different classifications of damage and benefit. That is, assessments apply only to management systems that use the same classifications.

A risk can be a collection of negative gaps that form a concrete danger for the linked entities. An opportunity can be a collection of positive gaps that form a concrete potential for the linked entities.

Gaps occur in the course of a review. This is the case, for example, when review questions of review objects are answered "negatively" or below the target score. Subsequently, the gaps can be assigned to risks. Positive gaps are answers that are "positive", or corresponding to or above the target score.

The review objects containing the review questions can also be associated with entities (resources, data categories, processes, and/or organizational units). This association creates a specific risk or a specific opportunity for the affected entities, which is visible in the structural analysis.

Risks and opportunities can also be recorded freely.

Freely recorded risks/opportunities normally have no linked gaps, but such gaps can be assigned to them. Freely entered risks can, for example, be a list of risks that was already maintained before HITGuard was implemented, e.g. with Excel. Such lists can be imported using the data importer. The same goes for opportunities.

Risks and opportunities can then be evaluated by selecting a probability of occurrence and an extent of damage or a benefit. This results in the risk score according to which the risk or opportunity is displayed in the risk management dashboard, for example. This evaluation is done according to the classification of extend of damage and benefit. This means: if a risk/opportunity was evaluated in one management system with classification "Standard", it can be evaluated differently in another management system with classification "Privacy" (as long as it is not marked as "Private").

The assessment/review of risks and opportunities can be delegated to the registered advisor (see workflow button). They will then find the risks and opportunities under their tasks to assess/review.

Within the risk itself:

• the key data are displayed.
• all gaps assigned to the risk or opportunity are displayed.
• the measures/controls assigned to the gaps are listed.
• the measures/controls that are manually assigned to the risk or opportunityare listed.

Furthermore, every change in the assessment is logged. This documentation can be found in the menu item "Temporal development".

Important: These should be post-documented for risks created before HITGuard Release October 2020. More on this can be found under Temporal development.

Code:

• In the abbreviation, enter the abbreviated title of the risk/opportunity.

Status:

• Active: The risk/opportunity still exists.
• Closed: The risk/opportunity has been resolved.
• Accepted: You are aware of the risk/opportunity, but will not fix it at this time for various reasons.
• Changes here are logged (Temporal development).

Private:

• If you set the risk/opportunity to private, it will only be displayed in the current management system. Otherwise, it is visible in every management system and can be evaluated for every classification of impact and benefit.
• Measures, controls, threats, and gaps, however, are only visible in the respective management systems in which they were created, regardless of whether the risk or opportunity is marked as private.

Book button:

• 

  Here you can access templates for risks and opportunities stored in knowledge bases. The button is only available when you create a risk for the first time. When cyou click it, first choose the knowledge base you want to access. After that, you can search through the available risk templates. There are also “categories” that classify the risks by topic. Note that importing a risk does not create any risk categories in the risk policy.

Name and description:

• In the name, write what the risk/opportunity should be named.
• In the description, describe/explain the risk/opportunity.

Remarks:

• Here, it can be explained how it came to the assessment of the risk/opportunity.

Strategy:

• Coping strategies: these options describe how the risk will be dealt with.
  • Undefined (it has not yet been determined how to deal with it)
  • Avoidance (Waiver of the activity; in fact, the risk should then also be closed)
  • Reduction (Probability of occurrence is reduced by measures)
  • Transfer (Outsourcing of the hazard; e.g. by rolling over the hazard)
  • Acceptance
• Treatment strategies: these options describe how the potential will be dealt with.
  • Exploit
  • Ignore
  • Share
  • Enhance

Probability of occurrence:

• Here, you can enter how likely it is that the risk will affect the company or an opportunity presents itself to the company.
  For more information, see Probability of occurrence
• Changes here are logged (Temporal development).

Extent of damage/benefit:

• Here, you can enter how big is the potential damage or benefit that can be caused by the risk/opportunity.
• Only damage extents and benefits of the classification of the current management system are available.
• Changes here are logged (Temporal development).

Monetary impact:

• Here, you can record how big the possible monetary impact of the risk or opportunity is.

Categories of risks and opportunities:

• Here, you can record which categories you are assigning the risk/opportunity to.
  For more information, see Categories of risks and opportunities.

Responsibility and advisors:

• The person in charge is the primary contact for the risk/opportunity.
• The advisors are responsible for risk/opportunity handling. If a review of the risk/opportunity is requested, the advisors are responsible for the review.

Assigned protection goals and weightings:

• Here you can specify which protection goals your risk (or opportunity) affects. Through which protection goal will the damages that the risk represents likely manifest? For example, if the risk is “server outage”, it is reasonable to rate availability high, integrity low, and confidentiality barely at all. You can also display the protection goals in the overview of risks and opportunities and sort by them.

Norm mapping:

• If the risk/opportunity deals with one or more norm chapters they should be entered here.

Affected structural elements:

• All structural elements are listed here that are related to the risk/opportunity via gaps.
• By opening the drop-down menu, structural elements can be linked to the risk/opportunity. Furthermore, it can be seen here from which review object the automatically set links come.
• Example:

The risk "Temperature problems in server rooms", for example, is linked to the structural element "Server room" via a gap from checking the server rooms.

External ID:

• Through this ID, the risk/opportunity can be updated via an import. For this to work, the “Record ID” in the import file must match the “ID in third‑party system” of the risk/opportunity being updated. This field should only be adjusted manually if the risk/opportunity was already created manually and is intended to be updated through imports in the future.

Attachments:

• Here you can add documents or links as attachments to the risk.

This tab lists all gaps that are assigned to the risk/opportunity. This is normally the result of the gap handling of a review. However, you can also assign existing gaps to the risk/opportunity here.

Target score weighting:

• If enabled, the sorting of protection targets is based on the target score weighting. The greater the deviation from the target score and the greater the weighting of the protection target, the greater the target score weighting. More about the target score weighting can be found here.

Caution: Only gaps of the current management system are displayed. Just because the risk/opportunity in this management system has no gaps does not mean that none exist.

Display of gaps:

• Black: Gaps assigned to this risk/opportunity that have not been corrected.
• Green: Gaps assigned to this risk/opportunity that have been remediated or indicated as having at least the target score.
• Gray: These are historical gaps. These were identified in previous reviews and assigned to the risk. In the meantime, the review objects of these reviews have already been subject to a reassessment.
• Moved to Risk xx: The gap was originally assigned to the currently presented risk/opportunity. In a further step, the assignment changed to another risk/opportunity: Risk/opportunity xx.

Assign gaps Click on "Assign gaps" to open a screen for assigning gaps.

In diesem Reiter werden alle Bedrohungen gelistet, die dem Risiko/der Chance zugewiesen sind. Die Bedrohungen kommen entweder aus der Verknüpfung mit einer Abweichung, werden von den verfügbaren ausgewählt (Link Button) oder werden hier speziell für das Risiko/die Chance erstellt ("Plus" Button).

This tab lists all measures and controls that have been assigned to the risk/opportunity and therefore contribute to the treatment. Depending on their state they are displayed either in the top or the bottom table, more on this below. The measures and controls either come from the assignment of a gap, are selected from the available list (link button) or are created here specifically for the risk/opportunity (plus button). If a measure is created here, the responsible is preset with the responsible of the risk, but can be changed.

Find out more about creating measures here and more about creating controls here.

If measures and controls come from a gap, the assignment to the risk/opportunity can only be removed by removing the assignment to the respective gap. Assignments of measures or controls selected from the available list or created here can be removed with the button to the right of the measure or control.

Caution: Only measures and controls of the current management system are displayed. The risk/opportunity not having any measures or controls in this management system does not mean it doesn't have assigned measures or controls in a different management system.

Gross (inherent) is the evaluation that evaluates the initial risk. It depicts the original situation before any measures and controls for its treatment were put into effect. The gross risk/opportunity is marked with a badge in the temporal development page when it is first recorded. The information in the tab Measures and controls reflects this and cannot be changed manually.

The button to the right opens a risk matrix that vizualizes the risk/opportunity.

These measures and controls were introduced to treat the original gross risk/opportunity. Through them the risk/opportunity is turned from the gross (inherent) risk/opportunity into the current risk/opportunity. They are completed and/or canceled measures, as well as active control definitions with successful executions.

If a new measure or control is implemented and thus inserted into this table, it is recommended to revaluate the risk/opportunity. The risk/opportunity and the triggering measure or control are then marked with "Revaluation recommended". The revaluation shows whether the current risk/opportunity has changed with the impact of the implementation. In the case of measures, this is only triggered if the "Completed" date was set and doesn't fall on the same day of the last relevant revaluation (a relevant revaluation in this context is a change entry in the temporal development log where either extent of damage or benefit or probability of occurrence were changed).

If measures were implemented or controls executed that did have an impact on the risk/opportunity, but not enough of one to actually change the probability of occurrence or the extent of damage or benefit, the revaluation can also show that no sufficiently significant change was made. To do this, create a new entry in the temporal development with the "plus" button and set the same values that applied until then. The current risk/opportunity is therefore not changed. The justification can be used to document why a measure and/or control did not have more of an impact on the risk/opportunity.

Ability to control:

• This is the evaluation of the quality of the set of treatment measures and controls that has already been implemented.
• The abilities to control available for selection can be configured in the Risk policy.

Current risk/opportunity:

• Current is the evaluation of the risk/opportunity after all already implemented measures and executed controls for its treatment have been taken, and before the still planned measures and controls have been implemented.
• Again, a matrix to show the position of the current risk/opportunity is available through the button to the right.

These measures and controls are planned for the treatment of the current risk/opportunity and are meant to reduce it to the planned net (residual) risk or enhance it to the planned net opportunity. They are open, planned and/or suspended measures (not implemented), as well as suspended, deactivated and/or active control definitions without executions.

Net risk/opportunity:

• Net (residual) is the evaluation in the following scenario: 1) all implemented and planned, yet-to-be-implemented measures have been taken AND 2) all implemented and yet-to-be-implemented controls have been put into effect. As this is a prognosis for the future, three variations are to be recorded: best case, most likely case, worst case.
• The evaluation of the net risk/opportunity can be done either with the dropdown boxes or directly in the displayed matrices. A click into a square in a matrix sets the corresponding values for probability of occurrence and extent of damage or benefit.

The temporal development page is a change log that records every change to the risk (or opportunity). This includes changes made by experts as well as changes in the workflow (see below). If an expert user changes the probability of occurrence, the severity/senefit, or the status, the user must enter a justification for their changes in the change log. Only then will the change be saved. If a workflow user makes a change to the risk, they must also provide a justification, for the change log.

A log entry then appears in the temporal development page of the risk (or opportunity). The oldest entry in which the probability of occurrence and the severity/benefit are defined is marked here as “Gross Risk” or “Gross Opportunity” and is listed under the “Measures and Controls” tab for the respective risk or opportunity.

You can also manually create an entry for the temporal development. To do so, simply click the “Plus” button in the overview. You can also edit existing entries in this overview by double-clicking on the respective entry.

Note: Since risks can be shared with other management systems by unchecking the “Private” box, the management systems also share the temporal development page. If the risk is modified in one management system, the entry in the change log will also be visible in the other management systems. Changes created under a different classification of damage extent and benefits are also visible. However, entries can only be edited in the management system in which they were created.

At the very bottom of the edit risk page you will find three buttons. Here you can Save, Close, or send the risk into the workflow via “Request update”. With every step in the workflow, an entry for the temporal development page (see above) is created. These entries can be edited by expert users. The workflow is explained in detail below:

• Save: In case you adjusted Probability of occurrence, Severity/Benefit, or Strategy, HITGuard will require you to enter a justification for the change log, which is then stored under in the temporal development page.
• Request update: This button starts the workflow. HITGuard sends the risk to the users listed in the Advisor field and gives them the option to update it. In a pop up you can write a message to the Advisors to provide context. Additionally, HITGuard sends an automatic e mail to the Advisors.

Note: Advisors can also start the workflow on their own. Under My Tasks > Risks and Opportunities, they can report a risk (or opportunity) or update an existing risk (or opportunity) using two corresponding buttons.

When Advisors open the risk assigned to them, they are first greeted by the message that the expert entered when requesting the update. The expert is labeled as “Examiner”:

Advisors can view the risk and edit several data fields:

• Name, Description, & Remarks
• Strategy, probability of occurrence, & Severity/Benefit
• Monetary impact, Identified on date
• They may also link or unlink measures and controls for which they themselves are defined as the responsible user.

Finally, Advisors also have several buttons available:

• Messages & History: Opens the modal containing the expert’s message, which first appeared when the risk was opened.
• Show changes: Opens an overview of the changes the Advisor has made so far.
• Submit update: Ends the Advisor’s editing mode and sends the update back to the expert. The Advisor must provide a justification for the changes, which is then stored in the temporal development page. Additionally, a message to the reviewer can be added. This modal is shown in the screenshot below:

With each workflow step, users leave a message. The expert is marked as “Examiner”. An example of a message exchange between the requesting expert and the responding Advisor is shown in the screenshot on the right.

In this example, the expert has requested another revision of the risk after the Advisor returned it the first time.
The users listed as “Responsible” in the risk are not notified by e mail, but they can also edit data. They can do everything that Advisors can do. Additionally, they can edit the Advisor field, meaning they can replace or add Advisors.

As long as the risk is with the Advisor, it is set to read-only for all other users. However, they can view the changes made so far:

• Update pending: Here experts can view the changes made so far by the Advisor and decide to already accept or discard them.
• Notes: Here experts can see the message history, including their messages to the Advisor.

If the Advisor has already returned the risk, experts can review the changes before they are applied:

• Review update: Opens an overview of the changes made by the practitioner.

You can see this overview in the screenshot below:

• Decline update: Discards the Advisor’s updates. The risk remains as it was before the workflow started.
• Request changes: Sends the update back to the Advisor. When clicking this, you may add another message for the Advisor.
• Accept update: Applies all changes made by the Advisor and updates the risk.
• Cancel: Closes the modal without completing the workflow.

Regardless of whether you ultimately accept or reject the update, HITGuard will require an entry for the temporal development page. In any case, the Advisor’s justification is also recorded there. The entries under temporal development are editable for expert users.