What is an RMF report?
An RMF report is a document that consolidates data from multiple sources (e.g., risk assessments, compliance audits, incident reports) to track and display key performance indicators (KPIs) (e.g., risk levels, compliance status, incident response times), enabling teams to monitor risk management and compliance performance and create presentations for stakeholders and executives.
RMF reports are typically created using flexible tools like Google Looker Studio, Power BI, Google Sheets, or platform-specific solutions to enable high customization and integration of multiple data sources.
What to include in an RMF report?
An actionable RMF report balances context and specificity based on the audience (executives, managers, and analysts) and their use cases.
Executive RMF reports
Executive reports for CISOs, CEOs, and stakeholders show the organization's risk management and compliance status. Reviewed weekly, monthly, or quarterly, they include:
- Risk assessment analysis: by category, using risk scoring and prioritization for large-scale assessments.
- Compliance status: tracking adherence to regulations and standards (e.g., NIST, ISO).
- Incident response analysis: response times, resolution rates, and impact assessments.
- Add text for additional context to translate metrics for non-technical audiences. Present in slide decks and simplified Looker Studio reports.
RMF manager reports
Manager reports have cross-functional views with drill-downs to see performance by department, region, team member, and compliance area. They help align teams, define tactics, and include:
- Cross-functional reporting: overall risk and compliance reporting across departments.
- Goal tracking: compare current performance vs objectives.
- Audits for prioritization and spotting issues
- Benchmarking for compliance and risk management practices.
- Policy, procedure, and control reviews
Operational RMF reports
Operational reports for analysts and risk managers have granular, customizable KPIs to solve technical issues. Monitored hourly, daily, or weekly, they cover:
- Risk monitoring: risk levels, mitigation status, control effectiveness.
- Compliance tracking: audit findings, corrective actions, compliance deadlines.
- Incident management: incident logs, response times, resolution status.
- Policy enforcement: policy violations, adherence rates, training completion.
Operational RMF reports are highly customized, built in flexible tools like Google Sheets or Looker Studio to enable data cleaning, blending, annotations, and integrating multiple sources.
How to build an RMF report?
To build an RMF report, connect your data sources, choose a template on Looker Studio or Sheets, build your queries by selecting metrics and dimensions, choose charts to visualize your data, customize the report, design and share via link, PDF or email.
Here’s the breakdown:
Connect data sources
Define and connect the data sources to bring to your report. Common sources are risk management systems, compliance databases, incident management tools, and audit reports.
To connect your data sources, go to portermetrics.com, choose the data sources to bring to your report.
You can follow these tutorials on connecting your data:
Choose a template
Choose from dozens of RMF report templates in Google Sheets or Looker Studio, designed for use cases like risk monitoring, compliance tracking, incident management, and policy enforcement.
Learn to copy Looker Studio templates.
While templates are the starting point. Make them specific for your organization. Map your specific metrics, especially custom risk scores, compliance data, incident logs, and all the fields and metrics that you define as "risks" and "compliance status".
Depending on your reporting tool—Google Sheets or Google Looker Studio, pick any of the dozens of templates created by our team and customers to solve your RMF reporting use cases, such as risk monitoring, compliance tracking, incident management, and policy enforcement.
Select metrics, dimensions, and charts
Once your report template is downloaded, you may 1)modify it or 2) create a blank page to build it from scratch. Whatever the case, setting up a query always follows these steps:
- Select the data source and the account connected to it
- Choose metrics (e.g. Risk score, compliance rate, incident count, etc.).
- Choose breakdowns to segment your data (e.g. by date, department, risk category, etc.)
You can follow these tutorials on adding data to your reports
Design
To make your RMF reports truly white-label you can add logos, colors, fonts, and styling to mirror your brand.
Follow these tutorials to design your RMF reports:
Share
Share your RMF reports via links, PDF, schedule emails, and control permissions.
KPIs to include in an RMF report?
RMF reports should include a mix of risk, compliance, incident, and policy metrics and KPIs to fully understand the performance of risk management and compliance efforts towards organizational goals. They include:
Risk management KPIs measure the risk landscape and mitigation efforts:
- Risk metrics: risk score, risk level, mitigation status
- Compliance metrics: compliance rate, audit findings, corrective actions
- Incident metrics: incident count, response time, resolution rate
Efficiency KPIs compare your risk management outputs to the cost, including:
- Risk: cost of mitigation
- Compliance: cost of compliance
- Incident: cost of incidents
Effectiveness KPIs compare the input with the output from one risk management stage to another
- Risk: risk reduction rate
- Compliance: compliance improvement rate
- Incident: incident resolution rate
Cost KPIs show the bottom-line impact of your risk management and compliance performance:
- Cost: risk management spend, compliance spend, incident management spend
- Efficiency: ROI, cost-benefit ratio
- Effectiveness: risk reduction per dollar spent
To analyze these RMF KPIs, segment them by:
- Department: IT, HR, Finance
- Time: Hourly, daily, weekly, monthly
- Risk category: operational, strategic, compliance
- Region: local, national, international
- Policy: security, privacy, operational
- Incident type: cybersecurity, operational, compliance
