Reports for risk management

HITGuard offers the possibility of generating various risk management reports under "Risk management → Reports".

To create a report, first choose a type of report. Subsequently, choose which data to include in the report (e.g. risks or reviews). Most reports also have additional report options which allow further specification of the report's contents.

Knowledge bases can be made available in different languages due to stored translations for used knowledge bases. For example, to generate a report with the English texts, the language must be changed using the flag icon at the top right of the screen, next to the logout button. This will load all content for the reports in the desired language, provided that a translation in that language is available for the knowledge base.

Download options:
The reports are available for download as PDF or DOCX files. Click the pink button to generate and download a report. Then, choose whether the report should be downloaded as a PDF or DOCX.

Additionally, there is the option to generate and archive the reports including revision information. In doing this, the report can be viewed, generated anew, or downloaded again by an expert under "Administration → Report archive". More information about this can be found under "Administration → Report archive".

When generating reports with revision information in the archive, there is also the option to send the report by e-mail to various recipients right away. More information about this can be found in the report archive and under "Administration → Report archive".

Remembering report options:Some of the report options can be found for various reports. For these, the selected options are remembered within the management system and for the individual user, and then also applied for other reports with that same option. For example, if the option "Table of contents" is selected, then it will already be selected when accessing any other report pages that use this option.

Licenses:
If no valid license for HITGuard is available, this will be displayed in the footer of the report! To change this, an expert or administrator has to request/upload a license under "Administration → Licensing".

The following reports are offered in the risk management section of HITGuard:

In this report, details on risks and opportunities are presented. In addition, the risks and opportunities are positioned in a risk matrix according to their criticality. The measures and controls to be taken or already taken can be displayed for the individual risks and opportunities. Furthermore, the development of the risks and opportunities over time can be displayed.

Caution:Users with the Compliance Manager role will also see measures and controls from all other management systems.

Example risk management report: Risks without M/C details incl. temporal development

Generate risk/opportunity report

To generate a risk/opportunity report, you have to navigate to "Risk Management → Reports → Risks & opportunities → General". There you have several options to generate the report:

1. Risks and opportunities: You can generate a risk/opportunity report for one or more risks. However, you can only generate reports in management systems to which you are assigned.
2. Structural elements: You can list all the risks and opportunities assigned to the selected structural elements.
3. Responsible person(s) (compliance manager only): You can generate a risk/opportunity report in which all risks and opportunities are listed for which a specific team or a person is responsible.
   After that, just click on the pink download button to generate the report.

This report lists details about the development of a risk or opportunity. The focus of the report, therefore, lies on the aspect of the gross-net-risk/opportunity, which is managed with measures and controls. All to-be-implemented as well as already implemented measures and controls are listed for the individual risks or opportunities. The gross risk/opportunity as well as the possible net scenarios can be displayed separately. If desired, the development over time of the risk/opportunity can also be displayed.

Caution: The measures and controls from other management systems are only visible for users with the role "Compliance manager".

Example gross-net-risk report: Gross and net risk with matrices, no details for M/C

Create gross-net report

To generate a gross-net report, you have to navigate to "Risk Management → Reports → Risks & opportunities → Gross-net". There you can generate the report for a selected risk or opportunity with different characteristics. Reports can only be created for risks or opportunities in management systems one is authorized for. (The exception are compliance managers, who can generate reports for all risks and opportunities in all management systems.)

Click the pink download button to generate the report.

Reports on fields of action can be created here. In addition to the fields of action, detailed information on the risks, opportunities and effects of the fields of action is also printed. The report can be configured with a variety of reporting options so that risks, opportunities and impacts are presented according to your needs.

Create ESG report

To create an ESG report navigate to "Risk management → Reports → ESG". Then, choose the topic followed by the fields of action for which you want to generate a report, and configure it via the report options.

To generate the report click the pink download button.

In this report, the results of either one or multiple protection needs analyses are displayed. Choices can be made regarding the summary of the results as well as their details. Additionally, it's possible to add an appendix with explanations for the basis of the assessment in the protection needs analysis.

Generate protection needs report

To generate a protection needs analysis, you have to navigate to "Risk management → Reports → Protection needs". Then, choose which protection needs analysis to generate the report for and configure this via the report options.

To generate the report click on the pink download button.

In this report, the results of either one or multiple gap analyses are displayed. When choosing the reviews, take note that they are limited by the chosen analysis period. An array of report options allow you to configure the reports to be displayed the way you need them.

Example gap report: reviews without proposals ZR 5
Example gap report: responsible with proposals ZR 3
Example gap report: organizational unit all audit questions without proposals ZR 2

Generate gap analysis report

To generate a deviation report navigate to "Risk management → Reports → Gap analyses". There, you have several options to generate such a report depending on your role:

1. Reviews: This report contains all information about the selected reviews. The selection shows only reviews from the current management system in the selected analysis period (with the report options to the right).
2. Responsible(s) (Compliance manager only): This report contains all reviews the selected person(s) or team(s) is/are responsible for.
3. Organizational unit (Compliance manager only): This report contains all reviews that have been created for an organizational unit. The selection shows only organizational units for which reviews exist in the current management system and within the selected analysis period.

It is possible to create a report for several analysis periods. For this, change the analysis period among the report options to the right. Then, the reviews of the chosen analysis period are made available.
Caution: If you select a new analysis period, the reviews from the previous ones will no longer be displayed, but will remain selected.

After that, click on the respective pink download button to generate the gap report.

Here, you can generate reports to show the conformity with a standard or norm as well as the results of gap analyses.

These reports show a distinct average score for each requirement or norm chapter.

Weightings of review questions are not considered.

Review questions mapped to chapters of standards and norms are considered for the calculation of score values. These can be answered in reviews. Review questions from various reviews can populate this evaluation. Review questions can be mapped to all chapter levels.

Example: ISO 9001 chapter 6 Planning, which consists of 3 subchapters.

• Chapter 6 Planning (Score = 2.85)
  • Review question 1: Score = 2
  • Review question 2: Score = 2
  • Score for calculation: (2 + 2) / 2 = 2
• 6.1 Measures for the handling of risks and opportunities (Score = 4)
  • Review question 3: Score = 3
  • Review question 4: Score = 5
  • Score for 6.1: (3 + 5) / 2 = 4
• 6.2 Quality objectives and planning to their achievement (Score = 4)
  • Review question 5: Score = 4
  • Score for 6.2: (4) / 1 = 4
• 6.3 Planning of Changes (Score = 3)
  • Review question 6: Score = 3
  • Review question 7: Score = 3
  • Score for 6.3: (3 + 3) / 2 = 3

To get the score for chapter 6, first the averages of the subchapters must be calculated (4 + 4 + 3) / 3 = 3.7. Then the value is calculated with the averages of the review questions of the main chapter (3.7 + 2) / 2 = 2.85.

Die Auswertungen nach Überprüfungen erfolgen auf Basis enthaltenen geprüften Themen (Prüfobjekte). Der Gesamtscore einer Überprüfung ergibt sich aus dem Durchschnitt der Ergebnisse der einzelnen Prüfobjekte. Der Score der Prüfobjekte ergibt sich aus dem Durchschnitt der enthaltenen Prüffragen.

Beispiel: Überprüfung nach ISO 9001 zum Kapitel 5 Führung (Score = 3.66) und Kapitel 6 Planung (Score = 3.14)

• Chapter 5 Management (Score = 3.66)
  • Review question 1: Score = 3
  • Review question 2: Score = 5
  • Review question 3: Score = 3
  • Score = (3 + 5 +3) / 3 = 3.66
• Chapter 6 Planning (Score = 3.14)
  • Review question 1: Score = 2
  • Review question 2: Score = 2
  • Review question 3: Score = 3
  • Review question 4: Score = 5
  • Review question 5: Score = 4
  • Review question 6: Score = 3
  • Review question 7: Score = 3
  • Score = (2 + 2 + 3 + 5 + 4 + 3 + 3) / 7 = 3.14

Note: For chapter 6 the same review questions were used as for the evaluation by standards and norms.

The purpose of this report is to graphically illustrate the fulfillment of the prerequisites based on individual reviews. The fulfillment of the prerequisite points is presented visually in the form of spider diagrams, pie charts or tachometers.

Generate conformity report by reviews

Depending on your role there are different ways of generating this report.

1. Reviews: You can generate a conformity report for the selected reviews.
2. Responsible (Compliance manager only): You can generate a compliance report for one responsible person or team, where all reviews assigned to this responsible person or team are listed with their respective evaluation.
3. Organizational units (Compliance manager only): You can generate a compliance report for an organizational unit, where all reviews assigned in this organizational unit are listed with their respective evaluation.

Example conformity report: Reviews
Example conformity report: Responsible

The purpose of this report is to graphically illustrate the fulfillment of the prerequisites in each requirement area of the standard. The fulfillment of the prerequisite items will be visually represented in the form of spider diagrams, pie charts, or tachometers. After selecting a standard, a list of applicable knowledge bases and their various versions will appear. From this, choose all knowledge bases and versions thereof which are to be part of the report's data basis.

For display purposes, questions answered Yes, No, or Partially are converted to scores. "No" corresponds to score 1, "Partial" corresponds to score 3, and "Yes" corresponds to score 5.

Generate conformity report by standards and norms

First, the desired norm or standard must sbe selected for which a conformity report is to be generated. If the option "Include mapped standard chapters" is selected, the mapped standard/the mapped norm can be selected from a second list. Then, the knowledge bases to be considered in the report must be selected.

The selected knowledge bases form the basis for the evaluations in the report. Only knowledge bases that have a mapping to the selected standard and at least one review object (of a gap analysis) are displayed. If a review object exists in several versions, only the one with the highest version is considered. If a restriction is also made to an OrgUnit, the highest version of the review object that is linked to the OrgUnit is used. In addition, note that reviews may not be in the state "Draft" or the respective knowledge bases will also not be listed.

Reports about standards and norms can be generated here.

The chapter applicability for the reports is calculated as follows:

This report shows which chapters of the standard are "applicable" or "not applicable" in the management system. It also includes the justification for each chapter's applicability and the measures and controls associated with the chapters.

• Donut charts show the number and status of assigned measures & controls. The total number of chapters in the evaluation corresponds to the number of chapters at the lowest level. If a measure or control has been assigned to a chapter, it is also assigned to all its sub-chapters. Thus, if a super-chapter has assigned a measure or control, it behaves in the same way as if all sub-chapters had assigned that measure or control.
• In the donut diagrams, the scope of the standard is taken into account. If this has been restricted, chapters marked as not applicable are not taken into account. This can be canceled by activating the option Include not applicable chapters in the statistics.

The data basis can thereby be restricted to an earlier analysis period. In this case, only measures and controls that already existed in the selected analysis period are taken into account.

With the option "Include mapped standard chapters", the database can be extended to mapped standard chapters. This means that if standard S1 has a chapter C that is mapped to standard S2 chapter C (S1.C => S2.C) and a report is generated from standard S1, the report will also include actions and controls that are mapped to standard S2 chapter C. This behavior also applies to chapters mapped from S2.C.

Generate Statement of Applicability (SOA)

To generate an SOA, choose a standard/norm and configure the SOA via the report options. Click on the pink download button to generate the report.

This report provides a management overview of the measures and controls assigned to a standard/norm:

• Donut charts show the number and status of assigned measures & controls. The total number of chapters in the evaluation corresponds to the number of chapters at the lowest level. If a measure or control has been assigned to a chapter, it is also assigned to all its sub-chapters. Thus, if a super-chapter has assigned a measure or control, it behaves in the same way as if all sub-chapters had assigned that measure or control.
• A bar chart shows the number of measures & controls by main chapters. The number is the sum of the measures or controls assigned to the main chapter and each sub-chapter below it. A measure or control assigned several times is only counted once per main chapter.
• The report takes into account the scope of the standard. If the scope is limited, chapters marked as not applicable are not taken into account. This can be canceled by activating the option "Include not applicable chapters in the statistics".
  The data basis can thereby be restricted to an earlier analysis period. In this case, only measures and controls that already existed in the selected analysis period are taken into account.

Example report: Management Summary

Generate Management Summary

To generate a management summary, choose a standard/norm and configure the management summary via the report options. Click on the pink download button to generate the report.

Reports on RTO and RPO fulfilment can be generated here. You can find more information on RTO and RPO under "Risk management → Structural analysis".

This report shows whether or not the requirements derived from the various protection needs analyses (PNAs) for the resources can be met in terms of the maximum justifiable recovery time in each case.

The report can be generated without restriction to a resource. Then it is shown how well the requirements derived from all PNAs are met for all involved resources with regard to the maximum justifiable recovery time.

If the report is restricted to a resource (e.g., a specific hardware component), only resources that require this resource (e.g., specific applications and databases) to be able to work functionally are included in the evaluation. Only PNAs that define requirements for these resources are then considered. Generate RTO-Fulfillment report

To generate a RTO fulfillment report, click the pink download button.

This report shows whether the requirements derived from the various protection needs assessments (PNAs) for the resources in terms of maximum acceptable data loss can be met in each case or not.

The report can be generated without restriction to a resource. Then it is shown how well the requirements derived from all PNAs are met for all involved resources with regard to the maximum acceptable data loss.

If the report is restricted to one resource (e.g., a specific hardware component), only resources that require this resource (e.g., specific applications and databases) to be able to work functionally are included in the evaluation. Only PNAs that define requirements for these resources are then considered. Generate RPO-Fulfillment report

To generate an RPO fulfillment report, click the pink download button.