08.02 The Built-In Reports
Tour of the 30+ reports SimpleRisk ships, organized by domain — what each report answers, who reads it, and how to find the right one for the question you have.
Why this matters
SimpleRisk ships a substantial library of built-in reports — 30+ entries registered in simplerisk/includes/reports_catalog.php, each answering a specific GRC question against the program's data. Knowing the catalog is what lets you answer "is there already a report for that?" before building a custom one. Most of the questions a GRC program needs to answer day-to-day already have a seeded report; reaching for a custom solution before knowing the library produces overlap and maintenance overhead.
The other reason this matters: the reports are permission-filtered. Each report's permissions entry in the catalog defines who can see it; the Reports Hub at /reports/dashboards.php shows each user only the reports their role grants. This means audience-targeting works partly through role assignment — give a user only the risk-management permission and they see only the risk-management reports, even if compliance and governance reports exist in the catalog.
The third thing worth knowing: the reports cluster around the four GRC domains SimpleRisk's catalog tags use — Risk Management, Compliance, Governance, Asset. Some reports are cross-domain (Connectivity Visualizer requires permissions in any of the four; Risks and Assets requires both risk-management and asset). The cross-domain reports are usually the most analytically useful because they surface relationships the single-domain reports can't show.
Before you start
Have these in hand before working with the report library:
- The Reports Hub permission. Most reports require the domain-specific permission (Allow Access to "Risk Management" Menu for the risk-management reports, similarly for compliance, governance, asset). The hub at /reports/dashboards.php only shows reports the current user can access. (See Permission Reference.)
- A clear question to answer. "Show me a report" is too broad. "Show me all open High and Very High risks across the org sorted by team" maps to a specific report (the High Risk Report or All Open Risks by Team by Level depending on the cut). Picking the question first makes the report selection straightforward.
- A read on which domain the question lives in. Risk-trend questions land in Risk Management; control-test questions in Compliance; document-program questions in Governance; asset-by-risk questions in cross-domain reports. The Reports Hub category filter is the navigation aid for this.
Step-by-step
1. Open the Reports Hub
Sidebar: Reporting → Reports (or equivalent in your install) opens /reports/dashboards.php. The page renders as a tile-grid of dashboards and reports filterable by category (All, Favorites, Risk Management, Compliance, Governance). Each tile shows the report's name and a one-line description from the catalog.
The catalog is loaded server-side via simplerisk/includes/reports_catalog.php; the API endpoint GET /api/v2/reports/catalog exposes the same data programmatically (returns only reports the calling user has permission to view).
2. Pick the right report for your question
The catalog organizes by domain. Below is a working tour grouped by the most common questions each report answers. The list isn't exhaustive (33 reports plus 3 dashboards in total); it covers the ones programs reach for most often.
Risk Management reports
For "what's in the register and how is it changing":
- Risk Charts (/reports/dashboard.php) — pre-built charts covering risk levels, ages, and submission trends. Useful for a quick visual overview when the dashboard widgets aren't enough.
- Risk Trend (/reports/trend.php) — cumulative open and closed risk counts plotted over time. Answers "are we identifying faster than we're closing?"
- Risk Average Over Time (/reports/risk_average_baseline_metric.php) — average inherent and residual risk score over time, by category or team. Answers "is our average exposure trending up or down?"
- Risk Appetite Report (/reports/risk_appetite.php) — current open risks compared against your configured risk-appetite thresholds. Answers "are we within tolerance?" — see admin configuration to set the thresholds.
For "show me specific subsets":
- All Open Risks Assigned to Me by Risk Level (/reports/my_open.php) — risks where you're the owner, manager, or stakeholder, sorted by level. The personal view.
- All Open Risks Needing Review (/reports/review_needed.php) — risks past their next review date or never reviewed. The cleanup queue.
- All Open Risks by Team by Level (/reports/risks_open_by_team.php) — risks grouped by team, then by risk level. Useful for ownership reporting and for cross-team visibility.
- High Risk Report (/reports/high.php) — High and Very High risks across all teams. The exec-readout view.
For "show me activity over a date range":
- Submitted Risks by Date (/reports/submitted_by_date.php) — submission counts and trend over a date range. Answers "are submissions accelerating?"
- Mitigations by Date (/reports/mitigations_by_date.php) — mitigations recorded over time, by status and team. Answers "is the mitigation pipeline keeping up?"
- Management Reviews by Date (/reports/mgmt_reviews_by_date.php) — management review actions logged over a date range. The review-cadence view.
- Closed Risks by Date (/reports/closed_by_date.php) — risks closed within a date range, with closure-reason distribution.
For "specific analyses":
- Mean Time to Remediate (/reports/mean_time_to_remediate.php) — how long open risks take to mitigate or close, segmented by severity. The cycle-time metric.
- Likelihood and Impact (/reports/likelihood_impact.php) — heatmap of open risks plotted on the likelihood-impact grid.
- Risk Advice (/reports/riskadvice.php) — residual risk level distribution with prioritized mitigation recommendations based on effort-to-impact ratio.
- Graphical Risk Analysis (/reports/graphical_risk_analysis.php) — visualize risks across multiple dimensions with line and bar chart views.
- Dynamic Risk Report (/reports/dynamic_risk_report.php) — configurable, exportable report builder for ad-hoc risk queries. The only built-in report with a CSV download (Extra-gated, see Exporting Data and Evidence).
- Current Risk Comments (/reports/recent_commented.php) — recent comments on risks across the program, newest first.
- Risks and Issues (/reports/risks_and_issues.php) — cross-reference of open risks and the issues they relate to.
Compliance reports
- Audit Timeline (/reports/audit_timeline.php) — chronological view of audit activities, status changes, and findings.
- Audit Remediation Cycle Time (/reports/audit_remediation_cycle_time.php) — average time from audit finding to remediation, by framework. The compliance equivalent of Mean Time to Remediate.
- Dynamic Audit Report (/reports/dynamic_audit_report.php) — configurable audit-progress report with framework and control filters. The compliance equivalent of the Dynamic Risk Report.
Governance reports
- Control Gap Analysis (/reports/control_gap_analysis.php) — controls that are missing tests or owners, or are out of date. The "what's not being managed" view.
- Document Program Report (/reports/document_program_report.php) — status of the document program: counts, approvals, and pending reviews.
- Exception Report (/reports/exception_report.php) — open exceptions with expiration dates and approval state. The "what are we currently allowing" view.
- Document to Control Mapping (/reports/documents_to_controls.php) — mapping of governance documents to the controls they document.
Cross-domain reports
These reports require permissions in multiple domains (the catalog uses 'mode' => 'all' to require all listed permissions, or 'mode' => 'any' to require at least one):
- Connectivity Visualizer (/reports/connectivity_visualizer.php) — interactive graph of how risks, assets, controls, and frameworks connect. Requires any of: riskmanagement, asset, governance, compliance. The most analytically interesting cross-domain report — useful for "show me the impact radius of this asset" or "show me everything tied to this control."
- Risks and Assets (/reports/risks_and_assets.php) — cross-reference of open risks and the assets they affect. Requires both riskmanagement and asset.
- Risks and Controls (/reports/risks_and_controls.php) — cross-reference of risks and the controls mitigating them. Requires both riskmanagement and governance.
- Assets and Controls (/reports/assets_and_controls.php) — cross-reference of assets and the controls protecting them. Requires both asset and governance.
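As an added illustration (not SimpleRisk's own code), the snippet below reconstructs the filter rule the catalog's 'mode' field describes and adds a small helper that names the permissions a user is still missing for each hidden report, which is the quickest way to diagnose the "report doesn't exist" symptom covered under Common pitfalls. The entry layout, the permission key names, and the default mode are assumptions made for the example.

```php
<?php
// Added example, not SimpleRisk's own code. The entry layout, the permission
// key names and the default mode ('all') are assumptions made for illustration.
$catalog = [
    ['name' => 'High Risk Report', 'permissions' => ['riskmanagement'], 'mode' => 'all'],
    ['name' => 'Risks and Assets', 'permissions' => ['riskmanagement', 'asset'], 'mode' => 'all'],
    ['name' => 'Connectivity Visualizer',
     'permissions' => ['riskmanagement', 'asset', 'governance', 'compliance'],
     'mode' => 'any'],
];

// Permissions listed on the entry that the user does not hold.
function missing_permissions(array $entry, array $user_perms): array {
    return array_values(array_diff($entry['permissions'], $user_perms));
}

// 'any': at least one listed permission is enough; 'all' (assumed default): every one.
function report_visible(array $entry, array $user_perms): bool {
    $missing = missing_permissions($entry, $user_perms);
    if (($entry['mode'] ?? 'all') === 'any') {
        return count($missing) < count($entry['permissions']);
    }
    return count($missing) === 0;
}

// The hub's behaviour: reports the user cannot see are dropped without notice.
function visible_reports(array $catalog, array $user_perms): array {
    $names = [];
    foreach ($catalog as $entry) {
        if (report_visible($entry, $user_perms)) {
            $names[] = $entry['name'];
        }
    }
    return $names;
}

// For each hidden report, the permissions that would make it appear.
function explain_hidden(array $catalog, array $user_perms): array {
    $out = [];
    foreach ($catalog as $entry) {
        if (!report_visible($entry, $user_perms)) {
            $out[$entry['name']] = missing_permissions($entry, $user_perms);
        }
    }
    return $out;
}

// A user holding only the risk-management permission: two visible, one hidden.
print_r(visible_reports($catalog, ['riskmanagement']));
print_r(explain_hidden($catalog, ['riskmanagement']));
```

With only riskmanagement granted, High Risk Report and the any-mode Connectivity Visualizer are listed, while Risks and Assets is reported as hidden for lack of asset.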
3. Filter and read the report
Most reports support per-report filters (date ranges, team selectors, status filters, framework selectors). The filter UI varies by report — some use dropdowns at the top of the page, some use sidebar facets, some use URL query parameters. Apply the filter that narrows the data to the question you're actually answering.
Reading conventions:
- Tables — sortable by column. Click the column header to sort ascending; click again to descend.
- Charts — usually rendered via Chart.js. Hover for detailed values; some charts support click-through to filtered detail.
- Tree-grids — used for hierarchical data (frameworks/controls, document/sub-document). Expand or collapse nodes to navigate.
4. Use favorites for the reports you reach for often
The Reports Hub supports per-user favorites — clicking the star on a report tile adds it to your Favorites category. The favorites list is per-user (one user's favorites don't appear for another) and persists across sessions.
The API equivalents: GET /api/v2/reports/favorites (list), POST /api/v2/reports/favorites (add), DELETE /api/v2/reports/favorites (remove). The favorites are stored in the user_favorite_reports table.
Most working users converge on 5–10 reports they read regularly; favoriting them keeps the Reports Hub navigable.
5. For the questions the catalog doesn't answer
Some questions don't map cleanly to a built-in report. Three options:
- Use the Dynamic Risk Report or Dynamic Audit Report. Both are configurable report builders with column selection, filtering, and grouping. They're the right starting point for ad-hoc queries that don't have their own dedicated report.
- Query the v2 API directly. Most data the reports surface is also available through the v2 API (the risks endpoints, the assessments endpoints, the compliance endpoints). For programmatic or scripted reporting, the API is more flexible than the UI reports.
- Build a custom report. The Customization Extra supports building custom reports against the SimpleRisk database (with appropriate care around permissions and SQL safety). This is the path for genuinely novel reporting needs that recur often enough to justify the build effort.
Common pitfalls
A handful of patterns recur with the report library.
- Building custom reports before checking the catalog. The single biggest waste-of-effort pattern. A team identifies a reporting need, builds a custom solution, and discovers months later that a built-in report covered the same question. Spend the time to walk the catalog before reaching for custom; the seeded reports cover most of the common questions.
- Using the wrong report for the question. Risks and Issues and Risks and Controls sound similar; they answer different questions. The Dynamic Risk Report and the Risk Charts page sound similar; they're for different audiences (Dynamic for analysts, Charts for executives). Read the report's description before clicking.
- Reading reports without the as-of-date context. Most reports show "current state as of right now." A report opened in the morning and referenced in an afternoon meeting may already be stale (a risk was closed in the intervening hours, a new submission landed). For any report you'll reference later, screenshot it with the timestamp visible.
- Permission gaps that hide the right report. A user trying to find the right report sometimes can't see it because their role doesn't grant the relevant permission. The Reports Hub silently filters; the user assumes the report doesn't exist. If the question seems like it should have a report, check whether your role has permissions across the relevant domains.
- Treating the Connectivity Visualizer as decoration. The Connectivity Visualizer is one of the most analytically useful reports, especially for incident response (show me everything connected to this asset) and for compliance gap analysis (show me all the orphaned controls). Many programs never open it because the visual is intimidating; spend the time to learn it.
- Ignoring the cross-domain reports. Single-domain reports answer single-domain questions. The cross-domain reports (Risks and Assets, Risks and Controls, Assets and Controls) answer the questions about the relationships between domains, which is usually where the program's most useful insights live. Programs reading only single-domain reports are missing the relationship view.
- Treating the Risk Advice report as authoritative. Risk Advice surfaces "prioritized mitigation recommendations based on effort-to-impact ratio" — this is a heuristic, not a directive. The recommendations are useful starting points for mitigation prioritization conversations; they aren't substitutes for the conversation itself.
- No regular cadence for reading the reports. A program with 30+ available reports and no recurring schedule for reading any of them produces no operational benefit from the library. Pick five or six reports for a recurring program-review session (e.g., the Risk Management Dashboard plus Mean Time to Remediate plus Mitigations by Date plus Audit Remediation Cycle Time plus Control Gap Analysis); read them on a fixed cadence.