Results produced

Citicus ONE produces high-quality, business-oriented results for a range of audiences:

  • top management, who need a high-level view of the risk status of their organisation
  • risk managers in different specialist areas - such as information risk or information security managers, supply chain risk managers, physical security managers and internal auditors - who need a systematic and consistent method of evaluating risk in their areas of responsibility, and for identifying improvement priorities
  • ‘owners’ responsible for the risk of individual information resources, suppliers, outsourced services or physical sites who need to understand how to drive risk down to the level that is acceptable to top management

All reports can be presented in HTML format or as PDF documents. Risk and compliance management data can also be exported from Citicus ONE in an XML-based format that can be processed by external reporting tools.

Results for top management

Citicus ONE produces an excellent overview for top management that tells them what they need to know about the information risk status of their enterprise.

Some of the graphical reports or elements of them are illustrated below.

Risk dashboard report

A report showing an aggregated view of risk and its main drivers

This report pulls together the results of risk assessments conducted across the enterprise and gives management an aggregated view of risk. The risk dashboard can be configured to consolidate data from different areas of risk – such as information risk, supplier risk, site risk – or can be used to focus on a specific area of risk.

Risk dashboards can be produced at the enterprise level or at a business unit level giving managers an overview of risk in their areas of responsibility. The report is interactive, allowing users to drill down on the drivers of risk in specific areas.

 

Risk league tables

Risk league tables present a list of the organisation’s evaluated targets sorted according to their measured risk. They provide an excellent overview for top management and allow attention to be focused on the areas posing greatest risk.

A risk league table showing the risk ranking of an organization’s information resources is illustrated below. Similar league tables can be generated, for example to rank suppliers or supplied services in terms of the risks they pose to the organization.

Risk league tables provide an overview of the risk status of the organisation

Compliance reports

Senior management can obtain an overview of the status of compliance with their internal policies and standards and/or with external standards or regulatory requirements.

These consolidated compliance status reports can be broken down by business unit or enterprise structure (as illustrated below) or by individual areas of compliance (eg contingency planning, vendor management, physical security).

Chart showing the status of compliance across different business units

The organization’s progress towards full compliance can also be tracked through a compliance trend report such as illustrated below.

Chart showing the change in compliance status of the enterprise over time

Business impact of incidents

Incidents are a feature of day-to-day business life in most organisations. Most have a small impact on the enterprise concerned – though their cumulative effect degrades business performance and erodes profit. Others have a major impact.

By keeping track of their impact, in terms decision-makers can relate to, Citicus ONE helps you get across that risk is real and allows you to track the effectiveness of risk management activities.

The effect that incidents have on the enterprise is shown graphically by the business impact charts that Citicus ONE provides for decision-makers.

Chart showing the business impact of security incidents

Financial impact of incidents

The financial impact of incidents is also identified, to help you make the business case for improvements.

Table showing the cost of incidents

Results for risk managers

Risk managers such as information risk or information security managers, supply chain risk managers, physical security managers and internal auditors need to win the support of the business and make best use of the resources available.

Citicus ONE helps do so, firstly by establishing the business criticality of the organisation’s information resources, suppliers, sites and other targets of evaluation in an objective and consistent way. Using the simple, business-oriented criticality assessment forms provided by Citicus ONE, large numbers of targets of evaluation can be assessed with very little effort.

The results can be presented in a criticality league table and an example of this illustrating an inventory of an organization’s critical information resources is shown below.

Table providing an inventory of information assets ranked according to their criticality to the business

Effort can then be focused on evaluating the risk posed by the things that are most critical, using the risk scorecard provided by Citicus ONE. The risk scorecard can be supported by checklists to probe the status of controls, threats and other factors that drive risk up in more detail.

Following evaluation, risk / security managers at corporate and local level can use Citicus ONE to draw the results together to highlight control areas that are most in need of improvement across the enterprise, as shown below.

Chart showing the status of controls across the enterprise

They can also identify the types of incident that occur most often as a result of such control weaknesses, as illustrated below. The incident categories reported can be customized according to the different areas of risk of interest. Example charts showing incidents affecting information resources and suppliers are displayed below.

Chart showing the breakdown of incidents affecting information systems

Breakdown of incidents affecting information resources

Breakdown of incidents affecting supplier relationships

Risk ‘pinch points’ requiring improvement can also be identified systematically, using the graphical ‘dependency risk maps’ produced by Citicus ONE.

These factual insights will help you come up with well-informed, well-focused action programmes at local and corporate level, aimed at bringing information risk down to an acceptable level across your enterprise.

Results for business ‘owners’

Risk is heavily influenced by the behaviour of business ‘owners’ who have responsibility for individual information resources, supplier relationships, outsourced services, facilities and other assets and processes.

Citicus ONE helps ‘owners’ to understand risk and drive it down to an acceptable level by providing succinct, easily-understood results. These include:

  • a criticality status report showing the potential business impact of incidents in their area of responsibility
  • a risk status report and risk heat map showing the current status of the key factors that determine or indicate risk for their particular ’target of evaluation’ and changes in their risk profile since last evaluated
  • a dependency risk map, highlighting the risk status of dependent information systems, suppliers, services etc
  • a compliance status and compliance trend report showing how well their area of responsibility implements the organization’s internal and regulatory
  • a schedule of issues recording the findings of a risk or compliance assessment that need addressing by the ‘owner’
  • an action plan, recording the remedial actions needed to drive risk down, and their current status.

 

Some extracts of these reports are illustrated below.

A graphical representation of the business criticality of a particular information system

Extract from the criticality status report

A risk status report for a business owner highlighting the main drivers of risk in their area of responsibility

A risk status report

A report showing the extent compliance with the organization’s framework of controls

A compliance status report