Organizational Reports

This section explains how to generate both generic and organizational risk reports, how to customize them to your needs, and how to schedule them to be generated and sent via e-mail.

 

Generic Reports

In the Manage Templates section, you can create generic report templates from scratch, using any of the following types of queries as data sources: those created in the Organization, Risk, and Workflow modules; those created in the Events and Dispatch solutions; and SQL queries, created in this same section (step 1 in the diagram below). Once registered, these blank templates can then be exported for editing in Report Designer, a report editor provided by Modulo (step 2). When editing a report template, you can insert custom logos, cover pages, sections, charts, and tables to assemble the report. For example, you can design your own report with a layout that includes the colors of your organization, a custom introduction for each section of the report, and tables that display mixed information from both the Workflow and Organization modules. Each template must then be imported back to the system and enabled for use (step 3), after which a report can be generated based on it (step 4). Throughout the process, filters can be set for the data sources and the report itself to limit its scope.

 

 

Note that you can only edit templates of which you are the author or to which you were assigned as editor. Similarly, you can only generate generic reports based on templates of which you are the author, editor, or a part of the audience.

If the author of a generic report template is deleted from the system, the report template will also be deleted if no audience members or editors are assigned. Otherwise, the template will not be deleted and the word "(deleted)" will be displayed next to the name of the author.

 

Organizational Risk Reports

Organizational risk reports have default templates provided by Modulo and allow managers to view consolidated risk results for the organization through charts, tables, and text. They are not restricted and can be generated by anyone with access to the Generate Reports page; however, their scope will be restricted to objects to which you have access. Keep in mind that templates for organizational risk reports are managed in the Risk module. For details, see Chapter 5: Risk -> Risk Reports -> How to Manage Risk Report Templates.

The results displayed in these reports are based on the non-implemented controls identified in the analysis phase of risk projects from closed questionnaires. These results can then be used to optimize decisions on investments and on which controls to prioritize for implementation. Unlike risk reports generated in the Risk module, here you will be able to view consolidated results for specific objects or the organization as a whole, and not only for specific projects. Thus, these reports will always display the most recent information on the organization, making them a fundamental part of a solid risk management process.

Filters can be set before generating an organizational risk report in order to limit its scope. In addition, the template for each type of risk report can be customized in the Risk module. Note that it is possible to disable all report templates, both custom and those provided by Modulo, in which case no reports will be available in this section. For details on managing risk report templates and editing them, see Chapter 5: Risk -> Risk Reports -> How to Manage Risk Report Templates.

Described below are the four types of organizational risk reports and the information they provide on the latest results of risk projects.

    Risk Analysis Report: Displays consolidated risk results from the latest closed questionnaires in the analysis phase of risk projects for all the assets in the scope of the report. It should be used to guide the decision-making process on which measures should be taken to reduce the risk levels in the organization (see figure below).

 

 

This report contains six sections, namely: Analysis Summary, Introduction, Limitations, Context, Consolidated Analysis, and Recommendations.

Using charts and tables, the Analysis Summary section presents the consolidated results of the analysis for all closed questionnaires from risk management projects. The information contained in this section includes: number of controls by status, PSR by status of the analyzed risks, risk distribution by risk level, risk levels of the non-implemented controls, and risks identified in the assets.

The Introduction explains what the risk indices are (PSR, Risk Index, Security Index, Control Index, and Gap Index) and how they are calculated.

The Limitations section explains the scope of the results contained in the report, which are essentially based on the knowledge bases used in the risk management projects.

The Context section presents the types of assets investigated and the scope of the risk analysis (perimeters, assets, and threat sources considered; knowledge bases used; and the team involved in the analysis). See the figures below for examples of tables found in this section.

 

 

 

Using tables, the Consolidated Analysis presents the consolidated risks for the main business components. Next, the risks for each of the components are presented. Lastly, risks are presented by threat source, threat, asset type, asset, and risk level by asset. The risks are thus presented from different perspectives, supporting the decision-making process for the organization's risk evaluation and treatment activities.

The Recommendations section presents the measures to be taken in order to continue the risk management process.

 

    Executive Analysis Report: Displays a summarized version of the results of risk analyses for the organization (see figure below).

 

 

This report contains three sections, namely: Introduction, Summary, and Next Steps.

The Introduction presents the contents of the report and explains what the PSR is, how it is calculated, and what the risk indices are (PSR, Risk Index, Security Index, Control Index, and Gap Index).

Using charts and tables, the Summary presents the consolidated results of the analysis for all the latest closed questionnaires from risk projects related to the assets in the scope of the report. The information contained in this section includes: number of controls by status, PSR by status of the analyzed risks, distribution of risks by levels, risks by threat and by business component, risks at strategic and operational levels, risks found in assets, and risk levels of the non-implemented controls (see figures below for examples of tables found in this section).

 

 

 

The Next Steps section presents the steps to be taken to continue the risk management process.

 

    Detailed Risk Report: Helps managers prioritize the recommendations to be applied, according to the risk level. This report should also be used as an instrument to implement controls in the assets analyzed (see figure below).

 

 

This report presents two tables to support the process for prioritizing risk treatments: List of Non-Implemented Controls and Detailed List of Non-Implemented Controls (see figure below for examples of tables found in this section).

The first contains information on the controls that should be implemented, their priority, and the asset component to which the non-implemented control refers. The table is ordered by grouping and, within the groupings, by the PSR of each control in descending order.

 

 

The second contains more detailed information on which controls should be implemented, the sum of the total risk for the asset components according to the non-implemented controls (PSR total), the number of asset components for which controls will be implemented, the justification for each control, and the recommendation on how to implement each control (see figure below).

 

 

In addition, any image in BMP, JPEG, PNG, or GIF format that was attached as evidence for the answer to a control (either by the analyst or by interviewees and reviewers) can be displayed. Files in other formats are also listed and can be accessed through their respective links. Note that the user must be authenticated in the system and connected to the internet to be able to access this content through the PDF version of a report. Also available for use in this report template are data sources providing information on the implemented controls, including evidence and comments provided by analysts and during interviews.

 

    Detailed Risk Report by Threat: Orients managers on how to prioritize the recommendations to be applied according to the risk level. This report should also be used as an instrument to manage threats that may affect the progress of the organization’s activities (see figure below).

 

 

This report presents two tables to support the process for prioritizing risk treatments: List of Non-Implemented Controls by Threat and Detailed List of Non-Implemented Controls by Threat (see figures below for examples of tables found in this section).

The first lists all controls analyzed in the latest closed questionnaires related to the assets in the scope of the report, grouped by threat and ordered by descending level of risk (PSR).

 

 

The second table, also grouped by threat, contains more detailed information on which controls should be implemented, namely: the sum of the total risk related to the asset component, according to the non-implemented controls (total PSR); the justification for each control; the recommendation on how to implement each control; and the number of asset components with implemented controls (see figure below).

 

 

In addition, any image in BMP, JPEG, PNG, or GIF format that was attached as evidence for the answer to a control (either by the analyst or by interviewees and reviewers) can be displayed. Files in other formats are also listed and can be accessed through their respective links. Note that the user must be authenticated in the system and connected to the internet to be able to access this content through the PDF version of a report. Also available for use in this report template are data sources providing information on the implemented controls, including evidence and comments provided by analysts and during interviews.

 

Note: Reports are best viewed in PDF format.

 

You can also schedule a report to be sent by specifying the recipients, the date on which it will begin to be sent, the frequency with which it will be sent, and the number of times it will be sent. For example, if you want to receive a weekly report on the risks in your organization, you can schedule a report that includes all the assets registered in the Organization module that were analyzed in risk projects. A daily time must be set in the Administration module for these reports to be sent. For details on how to set this time, see Chapter 17: Administration -> Scheduled Reports.