In this overview, all risks and opportunities from the different management systems are displayed. It is also possible to display only the risks and opportunities of the current management system. Furthermore, risks and opportunities can be set to private, so that they are only displayed in the management system in which they were created.

If you click on a risk or opportunity, you can edit or view it. Then it is possible to view which gaps, threats, measures, or controls are assigned to this risk or opportunity.

Caution:

• A risk/opportunity that is not "private" can be assessed separately for each management system that uses different classifications of damage and benefit. That is, assessments apply only to management systems that use the same classifications.

A risk can be a collection of negative gaps that form a concrete danger for the linked entities. An opportunity can be a collection of positive gaps that form a concrete potential for the linked entities.

Gaps occur in the course of a review. This is the case, for example, when review questions of review objects are answered "negatively" or below the target score. Subsequently, the gaps can be assigned to risks. Positive gaps are answers that are "positive", or corresponding to or above the target score.

The review objects containing the review questions can also be associated with entities (resources, data categories, processes, and/or organizational units). This association creates a specific risk or a specific opportunity for the affected entities, which is visible in the structural analysis.

Risks and opportunities can also be recorded freely.

Freely recorded risks/opportunities normally have no linked gaps, but such gaps can be assigned to them. Freely entered risks can, for example, be a list of risks that was already maintained before HITGuard was implemented, e.g. with Excel. Such lists can be imported using the data importer. The same goes for opportunities.

Risks and opportunities can then be evaluated by selecting a probability of occurrence and an extent of damage or a benefit. This results in the risk score according to which the risk or opportunity is displayed in the risk management dashboard, for example. This evaluation is done according to the classification of extend of damage and benefit. This means: if a risk/opportunity was evaluated in one management system with classification "Standard", it can be evaluated differently in another management system with classification "Privacy" (as long as it is not marked as "Private").

The assessment/review of risks and opportunities can be delegated to the registered advisor (see workflow button). They will then find the risks and opportunities under their tasks to assess/review.

Within the risk itself:

• the key data are displayed.
• all gaps assigned to the risk or opportunity are displayed.
• the measures/controls assigned to the gaps are listed.
• the measures/controls that are manually assigned to the risk or opportunityare listed.

Furthermore, every change in the assessment is logged. This documentation can be found in the menu item "Temporal development".

Important: These should be post-documented for risks created before HITGuard Release October 2020. More on this can be found under Temporal development.

Code:

• In the abbreviation, enter the abbreviated title of the risk/opportunity.

Status:

• Active: The risk/opportunity still exists.
• Closed: The risk/opportunity has been resolved.
• Accepted: You are aware of the risk/opportunity, but will not fix it at this time for various reasons.
• Changes here are logged (Temporal development).

Private:

• If you set the risk/opportunity to private, the risk/opportunity will only be displayed in the current management system. Otherwise, it is visible in any management system and can be evaluated for any classification of extent of damage and benefit.
• However, measures, controls, threats, and gaps are only visible in the respective management systems in which they were created, regardless of whether the risk/opportunity was marked as private.

Workflow button:

• Request review

This allows advisors to request a review/reassessment of the risk/opportunity. Advisors will find requested reviews in their tasks in "My Tasks → Risks & opportunities".

• Accept review

If the review is returned by the advisor, it can be accepted here. If the review is incorrect or insufficient, it can also be requested again.

Name and description:

• In the name, write what the risk/opportunity should be named.
• In the description, describe/explain the risk/opportunity.

Remarks:

• Here, it can be explained how it came to the assessment of the risk/opportunity.

Strategy:

• Coping strategies: these options describe how the risk will be dealt with.
  • Undefined (it has not yet been determined how to deal with it)
  • Avoidance (Waiver of the activity; in fact, the risk should then also be closed)
  • Reduction (Probability of occurrence is reduced by measures)
  • Transfer (Outsourcing of the hazard; e.g. by rolling over the hazard)
  • Acceptance
• Treatment strategies: these options describe how the potential will be dealt with.
  • Exploit
  • Ignore
  • Share
  • Enhance

Probability of occurrence:

• Here, you can enter how likely it is that the risk will affect the company or an opportunity presents itself to the company.
  For more information, see Probability of occurrence
• Changes here are logged (Temporal development).

Extent of damage/benefit:

• Here, you can enter how big is the potential damage or benefit that can be caused by the risk/opportunity.
• Only damage extents and benefits of the classification of the current management system are available.
• Changes here are logged (Temporal development).

Monetary impact:

• Here, you can record how big the possible monetary impact of the risk or opportunity is.

Categories of risks and opportunities:

• Here, you can record which categories you are assigning the risk/opportunity to.
  For more information, see Categories of risks and opportunities.

Responsibility and advisors:

• The person in charge is the primary contact for the risk/opportunity.
• The advisors are responsible for risk/opportunity handling. If a review of the risk/opportunity is requested, the advisors are responsible for the review.

Assigned protection targets and weightings:

• Here, you can record which protection goals are affected to what extent when the risk/opportunity occurs.
  Example:

Risk: Break-in in the server room.

Norm mapping:

• If the risk/opportunity deals with one or more norm chapters they should be entered here.

Affected structural elements:

• All structural elements are listed here that are related to the risk/opportunity via gaps.
• By opening the drop-down menu, structural elements can be linked to the risk/opportunity. Furthermore, it can be seen here from which review object the automatically set links come.
• Example:

The risk "Temperature problems in server rooms", for example, is linked to the structural element "Server room" via a gap from checking the server rooms.

ID in third-party systems:

By this ID the risk/opportunity can be updated by an import of a risk/opportunity. For this, the ID must match the ID of the risk/opportunity of the import. This field should only be set manually if the risk/opportunity actually originates from a third-party system, but the risk/opportunity was already created manually before an import and is to be updated by imports in the future.

This tab lists all gaps that are assigned to the risk/opportunity. This is normally the result of the gap handling of a review. However, you can also assign existing gaps to the risk/opportunity here.

Target score weighting:

• If enabled, the sorting of protection targets is based on the target score weighting. The greater the deviation from the target score and the greater the weighting of the protection target, the greater the target score weighting. More about the target score weighting can be found here.

Caution: Only gaps of the current management system are displayed. Just because the risk/opportunity in this management system has no gaps does not mean that none exist.

Display of gaps:

• Black: Gaps assigned to this risk/opportunity that have not been corrected.
• Green: Gaps assigned to this risk/opportunity that have been remediated or indicated as having at least the target score.
• Gray: These are historical gaps. These were identified in previous reviews and assigned to the risk. In the meantime, the review objects of these reviews have already been subject to a reassessment.
• Moved to Risk xx: The gap was originally assigned to the currently presented risk/opportunity. In a further step, the assignment changed to another risk/opportunity: Risk/opportunity xx.

Click on "Assign gaps" to open a screen for assigning gaps.

This tab lists all threats that are assigned to the risk/opportunity. The threats either come from the linking with a gap, are selected from the available ones ("link" button) or are created specifically for the risk/the opportunity right here ("plus" button).

Find out more about creating measures here and more about creating controls here.

If measures and controls come from a gap, the assignment to the risk/opportunity can only be removed by removing the assignment to the respective gap. Assignments of measures or controls selected from the available list or created here can be removed with the button to the right of the measure or control.

Caution: Only measures and controls of the current management system are displayed. The risk/opportunity not having any measures or controls in this management system does not mean it doesn't have assigned measures or controls in a different management system.

Gross (inherent) is the evaluation before any measures and controls for treatment have been put into effect. The gross risk/opportunity is marked with a badge in the tab Temporal development when it is first recorded. The information in the tab Measures and controls reflects that and cannot be changed manually.

The button to the right opens a matrix that shows a graphic visualization of the risk/opportunity.

These measures and controls were introduced to treat the original gross risk/opportunity. Through them the risk/opportunity is turned from the gross (inherent) risk/opportunity into the current risk/opportunity. They are completed and/or canceled measures, as well as active control definitions with successful executions.

If a new measure or control is implemented and thus inserted into this table, it is recommended to revaluate the risk/opportunity. The risk/opportunity and the triggering measure or control are then marked with "Revaluation recommended". The revaluation shows whether the current risk/opportunity has changed with the impact of the implementation. In the case of measures, this is only triggered if the "Completed" date was set and doesn't fall on the same day of the last relevant revaluation (a relevant revaluation in this context is a change entry in the temporal development log where either extent of damage or benefit or probability of occurrence were changed).

If measures were implemented or controls executed that did have an impact on the risk/opportunity, but not enough of one to actually change the probability of occurrence or the extent of damage or benefit, the revaluation can also show that no sufficiently significant change was made. To do this, create a new entry in the temporal development with the "plus" button and set the same values that applied until then. The current risk/opportunity is therefore not changed. The justification can be used to document why a measure and/or control did not have more of an impact on the risk/opportunity.

Ability to control:

• This is the evaluation of the quality of the set of treatment measures and controls that has already been implemented.
• The abilities to control available for selection can be configured in the Risk policy.

Current risk/opportunity:

• Current is the evaluation of the risk/opportunity after all already implemented measures and executed controls for its treatment have been taken, and before the still planned measures and controls have been implemented.
• Again, a matrix to show the position of the current risk/opportunity is available through the button to the right.

These measures and controls are planned for the treatment of the current risk/opportunity and are meant to reduce it to the planned net (residual) risk or enhance it to the planned net opportunity. They are open, planned and/or suspended measures (not implemented), as well as suspended, deactivated and/or active control definitions without executions.

Net risk/opportunity:

• Net (residual) is the evaluation in the following scenario: 1) all implemented and planned, yet-to-be-implemented measures have been taken AND 2) all implemented and yet-to-be-implemented controls have been put into effect. As this is a prognosis for the future, three variations are to be recorded: best case, most likely case, worst case.
• The evaluation of the net risk/opportunity can be done either with the dropdown boxes or directly in the displayed matrices. A click into a square in a matrix sets the corresponding values for probability of occurrence and extent of damage or benefit.

For each change in the probability of occurrence, extent of damage, benefit, and/or status, the person making the change must make an entry to the change log with the reason and date for their change. Only when this is entered can the change be made. A log subsequently appears in the temporal development of the risk/opportunity. Changes to the extent of damage or benefit assessment only appear in the management systems that use the same classification of extent of damage and benefit.

The first entry defining both probability of occurrence and extent of damage is marked with "Gross risk"/"Gross opportunity" here and is shown as the gross risk/opportunity in the tab measures and controls.

Important: Temporal developments can also be entered manually. To do this, click on the "Plus" button in the overview.

Entries in this overview can be edited by double-clicking the respective entry.