Drata's Risk Assessment module helps you identify, evaluate, and manage potential threats to your organization. This article breaks down what each header in the Risk Register means, giving you a clear understanding of your risk landscape.
Risk Library Overview
First and foremost, Drata's Risk Library is a valuable resource, pre-loaded with over 200 risks based on industry standards like NIST SP 800-30, ISO 27005, and OCR SRA. While this library covers a wide range of common risks, you can always add custom risks to your Risk Register to address your organization's unique concerns.
You can add any of Drata's library risks to your register. Once a risk is added, you'll see a "Manage in Register" button linking directly to that risk. Keep in mind that standard Drata risks cannot be edited directly within the library; you must first add them to your register. If you ever need to refer back to Drata's original language for a standard risk, you can always find it in the library.
Here's a breakdown of the headers you'll find in the Risk Register:
Risk Register Headers
ID: This is the unique Drata Risk ID. For risks pulled directly from Drata's library, this ID is non-editable.
Name: This is the specific name of the risk.
Description: This section provides a detailed description of the risk and its potential implications.
Controls: This header displays the Drata Control Framework (DCF) controls mapped to the specific risk. You can link DCF controls to a risk, or unlink them from it, from here. The colors indicate the control's status:
Green: The control is available and ready.
Red: The control is not ready.
Gray: The control is Out of Scope.
Categories: Risks are organized by categories such as Asset Management, Access Control, and Assessments & Audits.
You can assign or remove categories for each risk.
To untag a category from a specific risk: Click the "X" icon next to it.
To delete a category entirely from your risk register: Click the recycle bin icon next to the category name in the dropdown.
Treatment: This header describes the strategy or plan for addressing the risk.
Inherent Impact: This represents the potential severity of the risk before any controls or mitigation efforts are applied.
Inherent Likelihood: This indicates the probability of the risk occurring before any controls or mitigation efforts are applied.
Inherent Score: This is the calculated risk score before any controls are in place, typically derived from the Inherent Impact and Inherent Likelihood.
Residual Impact: This represents the potential severity of the risk after controls and mitigation efforts have been applied.
Residual Likelihood: This indicates the probability of the risk occurring after controls and mitigation efforts have been applied.
Residual Score: This is the calculated risk score after controls are in place, typically derived from the Residual Impact and Residual Likelihood.
Type: This defines whether the risk is internal or external to your organization.
Status: This indicates the current status of the risk, whether it is active or closed.
Owner: This field designates the individual(s) responsible for managing and overseeing the risk. You can add multiple owners to a single risk.
Anticipated Completion Date: This is the projected date by which the risk treatment or mitigation efforts are expected to be completed.
Completed Date: This is the actual date when the risk treatment or mitigation efforts were finalized.
Reviewers: This lists the individuals involved in reviewing the risk and its associated information.
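The Inherent and Residual Score headers above say the scores are derived from Impact and Likelihood, and the Controls header ties a risk's mitigation claim to the readiness of its mapped controls. The following is an added example, not Drata code and not Drata's documented scoring formula: it models a few register rows, assumes a 1-5 scale with Score = Impact x Likelihood, and runs the consistency checks a reviewer would want before signing off on an export, such as a residual score that is higher than the inherent score, a residual reduction claimed with no ready (green) control mapped, an overdue treatment, or a closed risk with no Completed Date. All risk IDs, control IDs, names and dates are constructed sample values.

```python
"""Added example: sanity checks over constructed Risk Register rows.

Assumptions (not taken from the Drata article): scores are Impact x Likelihood
on a 1-5 scale, and a risk's Residual Score should not exceed its Inherent Score.
Control statuses mirror the article's colours: ready (green), not_ready (red),
out_of_scope (gray).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class RiskEntry:
    risk_id: str
    name: str
    controls: Dict[str, str] = field(default_factory=dict)  # control id -> status
    inherent_impact: int = 1
    inherent_likelihood: int = 1
    residual_impact: int = 1
    residual_likelihood: int = 1
    status: str = "active"  # "active" or "closed", as in the Status header
    anticipated_completion: Optional[date] = None
    completed: Optional[date] = None

    def inherent_score(self) -> int:
        # Assumed formula: severity before controls x probability before controls.
        return self.inherent_impact * self.inherent_likelihood

    def residual_score(self) -> int:
        # Assumed formula: severity after controls x probability after controls.
        return self.residual_impact * self.residual_likelihood

    def has_ready_control(self) -> bool:
        return any(s == "ready" for s in self.controls.values())


def check_entry(entry: RiskEntry, today: date) -> List[str]:
    """Return a list of finding codes for one register row (empty = consistent)."""
    findings: List[str] = []
    ratings = (entry.inherent_impact, entry.inherent_likelihood,
               entry.residual_impact, entry.residual_likelihood)
    if any(not 1 <= r <= 5 for r in ratings):
        findings.append("score_out_of_range")
    if entry.residual_score() > entry.inherent_score():
        # Controls are supposed to reduce risk, never raise it.
        findings.append("residual_exceeds_inherent")
    if entry.residual_score() < entry.inherent_score() and not entry.has_ready_control():
        # A reduction is claimed but no mapped control is actually ready.
        findings.append("reduction_without_ready_control")
    if (entry.status == "active" and entry.anticipated_completion
            and entry.completed is None and today > entry.anticipated_completion):
        findings.append("overdue_treatment")
    if entry.status == "closed" and entry.completed is None:
        findings.append("closed_without_completed_date")
    return findings


def audit_register(entries: List[RiskEntry], today: date) -> Dict[str, List[str]]:
    """Map each risk ID to its findings, so reviewers can triage by row."""
    return {e.risk_id: check_entry(e, today) for e in entries}


# Constructed sample rows; IDs and control IDs are placeholders, not real Drata values.
SAMPLE_REGISTER = [
    RiskEntry("R-EXAMPLE-1", "Excessive access to production data",
              {"DCF-EXAMPLE-1": "ready", "DCF-EXAMPLE-2": "not_ready"},
              5, 4, 3, 2, "active", date(2025, 3, 31), None),
    RiskEntry("R-EXAMPLE-2", "Unpatched workstation software",
              {"DCF-EXAMPLE-3": "out_of_scope"},
              4, 4, 2, 2, "active", date(2024, 12, 31), None),
    RiskEntry("R-EXAMPLE-3", "Lost or stolen laptop",
              {},
              3, 3, 4, 3, "closed", date(2024, 6, 30), None),
]
AS_OF = date(2025, 1, 15)  # constructed review date

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(f"{entry.risk_id}: inherent={entry.inherent_score()} "
              f"residual={entry.residual_score()} "
              f"findings={check_entry(entry, AS_OF) or 'none'}")
```

Running the block prints one line per row; the first sample row passes, the second is flagged for claiming a reduction with only an out-of-scope control and for a treatment past its Anticipated Completion Date, and the third is flagged for a residual score above its inherent score and for being closed without a Completed Date. Swap in your own export and scale if your organisation scores differently; the checks only depend on the ordering of the two scores and the control statuses.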