The IT GRC Process Pack provides two different mechanisms for reporting your IT GRC management program information. The first is a predefined and customized Microsoft Online Analytical Processing (OLAP) compliance data cube that connects to the data warehouse to retrieve data so that you can manipulate it in a tabular fashion by using Microsoft Excel®. More information can be found in the Using Advanced Analytics topic from Microsoft TechNet.

Several predefined IT GRC control and risk management reports are also provided to help you manage IT GRC controls and risks in your organization. One set of reports is specifically designed for control management, one set for program management, and another set for risk management.

These reports provide IT GRC status at a program level, control objective level, control activity level, and risk level. The reports also include hyperlinks to subordinate reports that provide information about the configuration information for individual programs, control objectives, control activities, and risks.

You can run IT GRC management reports in the Reporting pane in the System Center Service Manager console. The IT GRC management reports are generated by the SQL Reporting Services, which is installed on the System Center Service Manager Data Warehouse Server.

The parameters for running each report can be configured through the Parameter Control Header section of each report. For example, you can filter report results by a specific IT GRC program in the “Parameter Control Header” section of the Control Management Progress Report.

For more information about troubleshooting running reports, see the following sections in the System Center Service Manager Deployment Guide, which is installed as a part of the System Center Service Manager download:

Predefined IT GRC Program Management Reports

The following table lists the IT GRC program management reports that are included in the Process Pack for IT GRC and a brief description of each report. The IT GRC control management reports are located in the Reporting/Compliance Reports Library folder.

Report

Description

Program Health Dashboard Report

Added in Service Pack 1, this report provides comprehensive information about the health and status of one or more of your IT GRC programs. This report can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Status

  • Program – an optional field. If no program is specified, all programs in the system will be returned.

  • Owned By – an optional field that will limit the list of returned programs to ones owned by the specified user.

Program Incidents List Report

Added in Service Pack 1, this report lists all compliance incidents related to any control objective, control activity, or risk managed in your IT GRC program. This report can be filtered by:

  • Start date

  • End date

  • Time Zone

  • ID

  • Program – a single, specific IT GRC program

  • Support Group – Tier 1, 2, or 3 support

  • Resolution Category – how the incident was resolved

  • Classification Category – of the incident

  • Status – of the incident

  • Priority – of the incident

  • Urgency – of the incident

  • Source – of the incident

  • Assigned To – the person the incident is assigned to

  • Affected Configuration Item – limits the report to incidents affecting one or more configuration items

Program Detail Report

Added in Service Pack 1, this report provides comprehensive information about all attributes of a single IT GRC program and can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Program – a single, specific IT GRC program

Program Non-Compliance Report

Added in Service Pack 1, this report is similar to the Program Detail Report but only displays items that are negatively affecting the health of the program. This report can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Program – a single, specific IT GRC program

Program List Report

This report lists the existing IT GRC programs and can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Program – an optional field. If no program is specified, all programs in the system will be returned.

  • Owned By – an optional field that will limit the list of returned programs to ones owned by the specified user

  • Status

Program Readiness Review Status Report

This report lists the readiness status of an IT GRC program and can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Review Start Date

  • Review End Date

  • Review time zone

  • Review stage

  • Level

  • Priority

  • Program

  • Owned By

  • Assigned to

  • Authority document ID

  • Status

  • Category

  • Type – to optionally filter the report to only include the specified types of control objectives

Program Scope Report

This report lists the scope of an IT GRC program and can be filtered by:

  • Program

  • Start date

  • End date

  • Time Zone

Predefined IT GRC Control Management Reports

The following table lists the IT GRC control management reports that are included in the Process Pack for IT GRC and a brief description of each report. The IT GRC control management reports are located in the Reporting/Compliance Reports Library/Control Management folder.

Report

Description

Control Activity Score Report

Added in Service Pack 1, this is the primary report used to view the program’s control activities and their compliance scores. This report can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Program – a single, specific IT GRC program

  • Owned By – an optional field that will limit the list of returned control activities to ones owned by the specified user

  • Last Score – limits the returned control activities to ones with the specified last compliance score

  • Result Start Date

  • Result End Date

  • Time Zone

Control Activity Details Report

This report provides a comprehensive view of a single control activity and can be filtered by:

  • Control Activity

Control Activity List Report

This report lists control activities in the system and can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Program – an optional field. If no program is specified, all programs in the system will be returned.

  • Owned By – an optional field that will limit the list of returned control activities to ones owned by the specified user

  • Last Score – limits the returned control activities to ones with the specified last compliance score

  • Result Start Date

  • Result End Date

  • Time Zone

  • Authority Document

  • Status

  • Validation Type

  • Level

  • Priority

Control Objective Health Report

Added in Service Pack 1, this is the primary report used to view the health of your control objectives. This report can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Program – a single, specific IT GRC program

  • Owned By – an optional field that will limit the list of returned control activities to ones owned by the specified user

Control Management Change Report

This report displays the changes in control objectives between two points in time as specified in the Start Date and the End Date report parameters. This report allows you to click hyperlinks so that you can see additional details about control objects and control activities in the report.

Control Objective Details Report

This report provides a comprehensive view of a single control objective and can be filtered by:

  • Control Objective

Control Objective List Report

This report lists control objectives in the system and can be filtered by:

  • Program

  • Authority document category

  • Authority document title

  • Start date

  • End date

  • Owned by

  • Status

  • Assigned to

Control Objective Progress Report

This report lists the progress of control objectives between two points in time as specified in the Start Date and the End Date report parameters. This report allows you to click hyperlinks so that you can see further details about control objects and control activities in the report.

Managed Entity Result List Report

This report lists the configuration items that are included in the scope of your IT GRC program and that are used to calculate a score for their associated control activity. This report can be filtered by:

  • Program

  • Control activity

  • Result start date

  • Result end date

  • Time Zone

  • Result Value

Predefined IT GRC Risk Management Reports

The following table lists the IT GRC risk management reports that are included in the Process Pack for IT GRC and a brief description of each report. The IT GRC risk management reports are located in the Reporting/GRC Reports Library/Risk Management folder.

Report

Description

Program Risks Report

Added in Service Pack 1, this report lists all risks associated with the program or any control objective or control activity managed in your IT GRC program. This report can be filtered by:

  • Start date

  • End date

  • Time Zone

  • Program – a single, specific IT GRC program

  • Owned By – an optional field that will limit the list of returned control activities to ones owned by the specified user

  • Risk Response

  • Rank

  • Inherent Risk Greater Than

Inherent Risk Map

This report displays a scatter chart of the risks based on their likelihood to occur (on the x axis) and their impact if they occur (on the y axis). The report is divided into four quadrants, which represent the risk classification and help identify the top risks.

Residual Risk Map

This report displays a scatter chart of the risks based on the level of control over the risk (on the x axis) and their impact if they occur (on the y axis). The report is divided into four quadrants, which represent the risk classification and help identify the top risks.

Risk Details

This report lists the configuration details of a single risk and is linked from other reports.

Risk List by Rank Report

This report lists risks in the system grouped by Risk Rank and can be filtered by:

  • Program

  • Start date

  • End date

  • Time Zone

  • Owned by

  • Status

  • Assigned to

  • Due Date

  • Impact

  • Likelihood

  • Control Level

Risk List Report

This report lists risks in the system and can be filtered by:

  • Program

  • Start date

  • End date

  • Time Zone

  • Owner

  • Rank

  • Due Date

  • Status

  • Assigned to

  • Impact

  • Likelihood

  • Control Level