
Risk management in Drata: An overview

This article provides the foundational workflow for managing your risk program within Drata.

⚠️ Select your experience

The steps to manage your risks depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Overview

Risk Management in Drata helps you identify, evaluate, and manage risks that could affect your organization. Many compliance frameworks, including SOC 2 and ISO 27001, require organizations to perform risk assessments as part of an ongoing risk management program.

A risk assessment is the process of identifying and evaluating potential risks. While risk management is continuous, most organizations review and update risks on a regular cadence to reflect changes in technology, business operations, and the threat landscape.

Prerequisite

  • Applies to the following plans: Risk Management Standard or Risk Management Pro

    • Note: Some configuration options described below require Risk Management Pro.

  • Only controls from frameworks you’ve purchased are pre-mapped in the module.

Getting started

You can access Risk Management from the Risk section.

The layout may vary depending on your role and permissions, but core functionality remains the same.

Register Tab

The Register tab displays your organization’s active risks, assessment progress, and Residual risk posture.

Key metrics include:

  • Assessment Progress: The number of active risks with applied inherent scores.

  • Risk Posture: A visualization of your organization’s current risk exposure based on inherent or residual risk scores and internal or external risk types.

    • External risks apply to Risk Management Pro customers only.

Tracking risks

The Assessment Progress graph shows the percentage of risks that have been assessed and your Residual risk posture. A risk is considered assessed once it has an inherent score.

Risk Posture

You can view the Risk Posture graph directly on the Risk Management page or from Risk Insights.

The Risk Posture graph groups risks into severity categories based on score ranges. Each color block represents a severity level and displays the number of risks within that range. You can select a block to view associated risks in the table below the graph.

[Screenshot: the Risk Management page with a severity level selected in the Risk Posture graph and the Register tab open.]

This table displays the default colors, severity labels, and the threshold values.

Color          Severity        Threshold (no customization)
Green          Low risk        1–4
Yellow         Medium risk     5–9
Light orange   High risk       10–19
Orange         Critical risk   20–25

Pro feature
With Risk Management Pro, you can customize the thresholds, including the threshold names and their meanings in the Risk Settings.

Filters on the Register tab

  • Risk status: Filter by active, closed, or archived status.

    • Active risks: Risks that you are actively working to manage, treat, or mitigate.

    • Closed risks: Risks for which all work has been completed.

    • Archived risks: Historical risks that no longer pose a risk (for example, because they are not applicable or are obsolete) but that you may want to keep tracking for documentation purposes only.

  • Assessment: Filters for risks that do not yet have an inherent score.

  • Treatment: This filter is used to categorize risk by the treatment option selected.

  • Risks:

    • Needs attention: Risks mapped to controls that are not ready will display under the "Needs Attention" filter results. This applies to both DCF and custom controls.

    • Custom Risks: Risks you added to the register yourself, as opposed to risks you added from Drata's risk library.

    • Internal Risks: Risks not attached to or pertaining to a vendor in Drata.

    • External Risks: Risks attached to or pertaining to a vendor in Drata.

  • Risk Owners: Filter risks by ownership status, that is, whether or not an owner has been assigned.

  • Owners: You may filter based on the assigned owner.

  • Categories: You may filter threats based on the categories selected for the risk. These could be either pre-loaded by Drata if you copied the risk from Drata’s risk library, or added by you.

How scoring works

In Risk Management, risks are evaluated using impact and likelihood values, which are used to calculate risk scores.

[Screenshot: a zoomed-in view of the Risk table.]

Each scoring-related column is used as follows:

  • Inherent impact: How severe the consequences would be if a risk occurred before any treatment or controls are applied.

  • Inherent likelihood: How probable it is that a risk will occur before any treatment or controls are applied.

  • Inherent score: The overall severity of a risk before treatment, calculated as inherent impact × inherent likelihood.

  • Residual impact: How severe the consequences would be if a risk occurred after treatment or controls are applied.

  • Residual likelihood: How probable it is that a risk will occur after treatment or controls are applied.

  • Residual score: The remaining severity of a risk after mitigation, calculated as residual impact × residual likelihood.

By default, Risk Management uses a fixed 1–5 scoring scale for both Impact and Likelihood:

  • 1 represents the lowest level of impact or likelihood

  • 5 represents the highest level of impact or likelihood

These scoring values are preset to ensure consistency across risk evaluations.

Pro feature
Custom scoring options are available with Risk Management Pro; customizing the scoring scale requires an upgrade to that plan.
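The scoring rules above, the default severity thresholds, the Assessment Progress definition and the Needs attention filter, worked through as an added Python model of a small risk register (example code written for this article, not Drata's own code or API). The Risk class, the CTRL-* control IDs and the sample register are constructed placeholders.

```python
from dataclasses import dataclass, field
# Default severity bands from the article: (lowest score, highest score, label).
SEVERITY_BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 19, "High"), (20, 25, "Critical")]
@dataclass
class Risk:
    risk_id: str
    status: str = "active"           # active | closed | archived
    inherent: tuple = (None, None)   # (impact, likelihood) on the fixed 1-5 scale
    residual: tuple = (None, None)   # filled in once a treatment plan is in place
    controls: dict = field(default_factory=dict)  # control id -> ready | not_ready | out_of_scope

def score(pair):
    """Impact x likelihood; None while either value is still unset."""
    impact, likelihood = pair
    if impact is None or likelihood is None:
        return None
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be integers from 1 to 5")
    return impact * likelihood

def severity(value):
    """Default Risk Posture label for a 1-25 score."""
    return next(label for low, high, label in SEVERITY_BANDS if low <= value <= high)

def assessment_progress(risks):
    """Percent of active risks that have an inherent score (the article's definition)."""
    active = [r for r in risks if r.status == "active"]
    assessed = sum(score(r.inherent) is not None for r in active)
    return round(100 * assessed / len(active), 1) if active else 0.0

def risk_posture(risks, residual=False):
    """Count active, scored risks per severity band, as the Risk Posture graph does."""
    counts = {label: 0 for _, _, label in SEVERITY_BANDS}
    for r in (r for r in risks if r.status == "active"):
        s = score(r.residual if residual else r.inherent)
        if s is not None:
            counts[severity(s)] += 1
    return counts

def needs_attention(risks):
    """Active risks mapped to at least one control that is not ready (the Needs attention filter)."""
    return [r.risk_id for r in risks if r.status == "active" and "not_ready" in r.controls.values()]

# Constructed sample register; IDs and control names are placeholders, not Drata data.
REGISTER = [
    Risk("R-1", inherent=(4, 3), residual=(2, 2), controls={"CTRL-A": "ready"}),
    Risk("R-2", inherent=(5, 5), controls={"CTRL-B": "not_ready"}),
    Risk("R-3", controls={"CTRL-C": "out_of_scope"}),
    Risk("R-4", status="archived", inherent=(1, 1)),
]
```

With this register, two of the three active risks are assessed (66.7%), the inherent posture shows one High and one Critical risk, and R-2 surfaces under Needs attention because its mapped control is not ready.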

Bulk actions and reports

You can manage risks in bulk by selecting multiple risks in the table and choosing an available action.

[Screenshot: a user selecting multiple risks in the Register table.]

Bulk actions include:

  • Assigning risk owners or categories

  • Updating risk statuses

  • Deleting multiple risks

Select Download to view additional export options, including risk reports, treatment plans, and CSV exports. You can also create custom risks to reflect scenarios unique to your organization.

  • Risk Assessment Report: Requires company-specific details to be added for audit readiness (marked as <info>). Once completed, upload it to your Evidence Library in Drata.

  • CSV Downloads:

    • Risk Treatment: Contains all risk treatment metadata, allowing you to track and manage treatment plans.

    • All Risks CSV: Exports a complete list of all data for all risks in your register.

    • Filtered View CSV: Exports only the risks shown in your currently applied filtered view.

To learn more, view: How to Manage Custom Risks


Instructions for the Classic Experience

Risk Management is a continuous process of identifying, assessing, managing, and monitoring risks that could impact the security, reputation, and financial health of a company. In an ever-connected world where cyberattacks are evolving and increasing in frequency and severity, a proactive and integrated risk management program is critical to the security posture of any organization.

BEFORE DIVING IN

  • Availability: Included in the Risk Management Pro package.

  • Only Drata controls specific to the frameworks you've purchased are pre-mapped to the module.

OVERVIEW

You can access the Risk Management module on the left navigation menu.

The appearance of the following screenshot may differ based on your roles and permissions. However, the Risk Management module will still be located in the left navigation menu.

Register tab

At the top of the page, you'll find an overview of your risk register posture, which includes two key metrics:

  • Assessment Progress: Displays the total number of active risks that have an inherent score assigned.

  • Risk posture for active risks: Allows you to filter risks based on:

    • Risk type: Internal, external, or all risks.

    • Risk score: Inherent or residual score.

These active risks collectively define your risk posture, helping you assess and prioritize mitigation efforts.

Filter

To filter risks, select the Filter button and choose your desired criteria.

To display the filter menu, select the first option next to the filter heading:

To hide the filter menu, select the second option next to the filter heading:

Filters on the Register tab

  • Risk status: Filter by active, closed, or archived status.

    • Active risks: Risks that you are actively working to manage, treat, or mitigate.

    • Closed risks: Risks for which all work has been completed.

    • Archived risks: Historical risks that no longer pose a risk (for example, because they are not applicable or are obsolete) but that you may want to keep tracking for documentation purposes only.

  • Assessment: Each threat is marked as "not scored" until it is assessed (likelihood and impact are assigned).

  • Treatment: This filter is used to categorize threats by treatment options.

  • Risks:

    • Needs attention: Risks mapped to controls that are not ready will display under the "Needs Attention" filter results. This applies to both DCF and custom controls.

    • Custom Risks: Risks you added to the register yourself, as opposed to risks you added from Drata's risk library.

    • Internal Risks: Risks not attached to or pertaining to a vendor in Drata.

    • External Risks: Risks attached to or pertaining to a vendor in Drata.

  • Risk Owners: Filter risks by ownership status, that is, whether or not an owner has been assigned.

  • Owners: You may filter based on the assigned owner.

  • Categories: You may filter threats based on tags. These could be either pre-loaded by Drata or added by you.

Downloads

Select the Download button to select which report you'd like to download.

Download Report:

  • Risk Assessment Report: Requires company-specific details to be added for audit readiness (marked as <info>). Once completed, upload it to your Evidence Library in Drata.

Download CSV:

  • Risk Treatment: Contains all risk treatment metadata, allowing you to track and manage treatment plans.

  • All Risks CSV: Exports a complete list of all risks in your register.

  • Filtered View CSV: Exports only the risks shown in your filtered view.

Actions

In order to see available actions, you must select risks from within your register using the checkboxes on each row. Select which risks you would like to perform a bulk action on, and then select the "Actions" menu.

To access available actions:

  1. Select risks in your register using the checkboxes in each row or select all the risks.

  2. Select the "Actions" menu to apply the desired action.

Risk Sections

Each threat-based risk item includes key details such as Risk ID, description, category, control mapping, assessment score, and more—displayed in the risk register table.

Pre-assigned categories

Risks from Drata's library come with a default category, which can be modified as needed.

Ownership visibility

Hover over the owner’s icon to view the list of assigned owners for a risk.

Control mapping:

  • Risks from Drata’s library are pre-mapped to your in-scope DCF controls.

  • Mapped controls appear in the controls column and are color-coded:

    • Green – Control is ready.

    • Red – Control is not ready.

    • Gray – Control is marked out of scope.

  • By default, three controls are visible per risk in the table, but you can expand the row to see all mapped controls.

Analyzing and Assessing a risk

Each risk must be analyzed for threat impact and likelihood, and scored, before it counts as an assessed risk. Select a score for impact and a score for likelihood; the total score is impact multiplied by likelihood.

Note: We support custom scoring. To customize your scoring, go to Custom Risk Scoring & Legend. It is critical to ensure that the scoring on your report mirrors the scoring in your Risk Assessment Policy.

To score from the risk row, click on the dropdown and select a score. You may have to scroll the table to the left.

RISK DRAWER

When scoring from the risk row, a default value of “Needs Treatment” will be applied to the risk until you select an actual treatment response/method.

Note: You may also assess a risk by opening the drawer and scrolling down to the "Assessment" section of the drawer.

Clicking on a row will open the risk drawer. From here you can edit all of the risk's data. It contains the following fields, all of which are editable and optional unless noted:

  • Risk ID (non-editable for risks from Drata's library)

  • Title (required)

  • Description (required)

  • Categories. You can assign or remove categories from the system here. To untag a category from a specific risk, click the X icon. To remove a category from your risk register entirely, click the recycle bin icon next to the category name in the dropdown.

  • Owner: You may add as many owners as you want to a specific risk.

  • File Upload.

    • Note: Up to 10 files can be uploaded for a risk.

  • Under Assessment section:

    • Impact: This is the threat impact (can be also set from the table directly).

    • Likelihood: This is the likelihood of a threat occurring (can be also set from the table directly).

    • Total Score: This represents the risk calculated as Impact x Likelihood (not directly editable).

  • Treatment Plan: By default, a risk is marked as "Untreated". Depending on the chosen Treatment response, you may get the following fields:

    • Mitigate or Transfer.

      • Treatment Details

      • Anticipated Completion Date

      • Completed Date

      • Reviewer

      • Residual Impact

      • Residual Likelihood

      • Residual Total Score

    • Accept or Avoid:

      • Treatment Details

      • Completed Date

      • Reviewer

  • Mapped Controls. You can unlink or link DCF controls to risks from here. Each will have a different color:

    • Green: Available and ready

    • Red: Not ready

    • Gray: Out of Scope

  • Internal Notes. You can add, edit or delete multiple notes for a risk.

Drata's Risk Library

Drata's Risk Library is pre-loaded with over 200 risks based on NIST SP 800-30, ISO 27005, OCR SRA, and other industry standards, which you can use to build your Risk Register.

Each of Drata's risks in the library can be added to your register. Once added, you'll see a link to the risk in your register on the "Manage in Register" button.

Drata's standard risks cannot be edited within the context of the library. Once you add them to your register, they can be edited. If you ever need to refer back to Drata's standard language for risks, you can find them in the library.
