The review objects containing the review questions can also be associated with entities (resources, data categories, processes and/or organizational units). This association creates a specific risk for the affected entities, which is visible in the structural analysis.

Risks can also be recorded freely.

Freely recorded risks normally have no linked gaps, but such gaps can be assigned to them. Freely entered risks can, for example, be a list of risks that was already maintained before HITGuard was implemented, e.g. with Excel. Such lists can be imported using the data importer.

Risks can then be evaluated by selecting a probability of occurrence and an extent of damage. This results in the risk score according to which the risk is displayed in the risk management dashboard, for example. This evaluation is done according to the extent of damage classification. This means: if a risk was evaluated in one management system with classification "Standard", it can be evaluated differently in another management system with classification "Privacy" (as long as it is not marked as "Private").

The assessment/review of risks can be delegated to the registered advisor (see workflow button). They will then find the risk under their tasks to assess/review.

Within the risk itself:

• the key data are displayed.
• all gaps assigned to the risk are displayed.
• the measures/controls assigned to the gaps are listed.
• the measures/controls that are manually assigned to the risk are listed.

Furthermore, every change in the risk assessment is logged. This documentation can be found in the menu item "Temporal development".

Cpde:

• In the abbreviation, enter the abbreviated title of the risk.

Status:

• Active: The risk still exists.
• Closed: The risk has been resolved.
• Accepted: They are aware of the risk, but will not fix it at this time for various reasons.
• Changes here are logged (Temporal development).

Private:

• If you set the risk to private, the risk will only be displayed in the current management system. Otherwise, it is visible in any management system and can be evaluated for any damage extent classification.
• However, measures, controls, and gaps are only visible in the respective management systems in which they were created, regardless of whether the risk was marked as private.

Workflow Button:

• Request review

This allows advisors to request a review/reassessment of the risk. Advisors will find requested reviews in their tasks in "My Tasks → Risk".

• Accept review

If the review is returned by the advisor, it can be accepted here. If the review is incorrect or insufficient, it can also be requested again.

Designation and description:

• In the designation, write what the risk should be named.
• In the description, describe/explain the risk.

Notes:

• Here, it can be explained how it came to the assessment of the risk.

Coping srategy:

• This option should describe how the risk will be dealt with.
  • Undefined (it has not yet been determined how to deal with it)
  • Avoidance (Waiver of the activity; in fact, the risk should then also be closed)
  • Reduction (Probability of occurrence is reduced by measures)
  • Transfer (Outsourcing of the hazard; e.g. by rolling over the hazard)
  • Acceptance

Probability of occurrence:

• Here, you can enter how likely it is that the risk will affect the company.
  For more information, see Probability of occurrence
• Changes here are logged (Temporal development).

Extent of damage:

• Here, you can enter how big is the potential damage that can be caused by the risk.
• Only damage extents of the classification of the current management system are available.
• Changes here are logged (Temporal development).

Risk categories:

• Here, you can record which categories you are assigning the risk to.
  For more information, see Risk categories.

Responsibility and Advisors:

• The person in charge is the primary contact for the risk.
• The advisors are responsible for risk handling. If a review of the risk is requested, the advisors are responsible for the review.

Assigned protection goals and weightings:

• Here, you can record which protection goals are affected to what extent when the risk occurs.
  Example:

Risk: Break-in in the server room.

Norm mapping:

• If the risk deals with one or more norm chapters they should be entered here.

Affected structural elements:

• All structural elements are listed here that are related to the risk via the gaps.
• By opening the drop-down menu, structural elements can be linked to the risk. Furthermore, it can be seen here from which review object the automatically set links come.
• Example:

The risk "Temperature problems in server rooms", for example, is linked to the structural element "Server room" via a gap when checking the server rooms.

ID in third-party systems:

By this ID the risk can be updated by an import of a risk. For this, the ID must match the ID of the risk of the import. This field should only be set manually if the risk actually originates from a third-party system, but the risk was already created manually before an import and is to be updated by imports in the future.

This tab lists all gaps that are assigned to the risk. This is normally the result of the gap handling of a review. However, you can also assign existing gaps to the risk here.

Caution: Only gaps of the current management system are displayed. Just because the risk in this management system has no gaps does not mean that none exist.

Display of gaps:

• Black: Gaps assigned to this risk that have not been corrected.
• Green: Gaps assigned to this risk that have been remediated or indicated as having at least the target score.
• Gray: These are historical gaps. These were identified in previous reviews and assigned to the risk. In the meantime, the review objects of these reviews have already been subject to a reassessment.
• Moved to Risk xx: The gap was originally assigned to the currently presented risk. In a further step, the assignment changed to another risk: Risk xx.

This tab lists all measures and controls that have been assigned to the risk and therefore contribute to the risk treatment. Depending on their state they are displayed either in the top or the bottom table, more on this below. The measures and controls either come from the assignment of a gap, are selected from the available list (link button) or are created here specifically for the risk (plus button).

Find out more about creating measures here and more about creating controls here.

If measures and controls come from a gap, the assignment to the risk can only be removed by removing the assignment to the respective gap. Assignments of measures or controls selected from the available list or created here can be removed with the button to the right of the measure or control.

Caution: Only measures and controls of the current management system are displayed. The risk not having any measures or controls in this management system does not mean it doesn't have assigned measures or controls in a different management system.

The gross (inherent) risk is the evaluation of the risk before any measures and controls for its treatment have been put into effect. The gross risk is marked with a badge in the tab Temporal development when it is first recorded. The information in the tab Measures and controls reflects that and cannot be changed manually.

The button to the right opens a risk matrix that shows a graphic visualization of the risk.

These measures and controls were introduced to treat the original gross risk. Through them the risk is turned from the gross (inherent) risk into the current risk. They are completed and/or canceled measures, as well as active control definitions with successful executions.

If a new measure or control is implemented and thus inserted into this table, it is recommended to revaluate the risk. The risk and the triggering measure or control are then marked with "Revaluation recommended". The revaluation shows whether the current risk has changed with the impact of the implementation. In the case of measures, this is only triggered if the "Completed" date was set and doesn't fall on the same day of the last relevant revaluation (a relevant revaluation in this context is a change entry in the temporal development log where either extent of damage or probability of occurrence were changed).

If measures were implemented or controls executed that did have an impact on the risk, but not enough of one to actually change the probability of occurrence or the extent of damage, the revaluation can also show that no sufficiently significant change was made. To do this, create a new entry in the temporal development with the "plus" button and set the same values that applied until then. The current risk is therefore not changed. The justification can be used to document why a measure and/or control did not have more of an impact on the risk.

Ability to Control:

• This is the evaluation of the quality of the set of risk treatment measures and controls that has already been implemented.
• The abilities to control available for selection can be configured in the Risk policy.

Current risk:

• The current risk is the evaluation of the risk after all already implemented measures and executed controls for its treatment have been taken, and before the still planned measures and controls have been implemented.
• Again, a risk matrix to show the position of the current risk is available through the button to the right.

These measures and controls are planned for the treatment of the current risk and are meant to reduce it to the planned net (residual) risk. They are open, planned and/or suspended measures (not implemented), as well as suspended, deactivated and/or active control definitions without executions.

Net risk:

• The net (residual) risk is the evaluation of the risk in the following scenario: 1) all implemented and planned, yet-to-be-implemented measures have been taken AND 2) all implemented and yet-to-be-implemented controls have been put into effect. As this is a prognosis for the future, three variations are to be recorded: best case, most likely case, worst case.
• The evaluation of the net risk can be done either with the dropdown boxes or directly in the displayed risk matrices. A click into a square in a matrix sets the corresponding values for probability of occurrence and extent of damage.

For each change in the probability of occurrence, extent of damage and/or status, the person making the change must make an entry to the change log with the reason and date for their change. Only when this is entered can the change be made. A log subsequently appears in the temporal development of the risk. Changes to the extent of damage assessment only appear in the management systems that use the same extent of damage classification.

The first entry defining both probability of occurrence and extent of damage is marked with "Gross risk" here and is shown as the gross risk in the tab measures and controls.