Since I know SWORD is rebuilding standard reports for v2020, I wanted to make recommendations for one of their existing reports: the Risk Process Health report
I wanted to recommend that SWORD work to incorporate some/all of the following metrics that our enterprise group has found useful. Unfortunately, it's been quite difficult to build a report that can produce these metrics (we put them together manually) but was hoping that SWORD could make this possible in the future or create a standard report that does it for users of the tool.
Informational
* # Risks (impact IDs)
* # Plans
* # Actions
* % Risks using 'Review' functionality i.e. Last Review Note (not required but a best practice)
* % Risks with a Plan and 'Accept' Strategy selected
* % Risks with a Plan and 'Mitigate' Strategy selected
Missing Information
* % Risks with no Current Score ('required' but not a required field since it's not something users would know 'from day 1')
* % Risks with no Assessment Rationale ('required' but not a required field since it's not something users would know 'from day 1')
* % Risks with a Plan but no Strategy selected ('required' but not a required field since it's not something users would know 'from day 1')
* % Risks with no Preventive Controls ('required' but not a required field since it's not something users would populate 'from day 1')
* % Risks with no Recovery Controls('required' but not a required field since it's not something users would populate 'from day 1')
* % Risks with a Plan and 'Mitigate' Strategy selected but …
** No Target Score (if they're mitigating the risk, what level are they mitigating to?)
** No Action items (if they're mitigating, what actions are they taking to mitigate the risk further?)
* % Action items with no Action Owner ('required' but not a required field since it's not something users would know 'from day 1')
* % Action items with no Action Due Date ('required' but not a required field since it's not something users would know 'from day 1')
Data Integrity (incorrect data)
* # risks with Target Score > Current Score
* # Risks with no Plan
* % Risks with a Plan and 'Mitigate' Strategy selected but …
** Current Score = Target Score (fully mitigated, Strategy should probably be updated)
* # risks assessed with wrong scoring scheme
* # risks where that Record Type doesn't belong in its current folder
Original Active Risk ID: ARM-I-134