
Assess and Manage Individual Risks

⚠️ Select your experience

The steps to manage your risks depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Overview

Each risk in Drata is assessed based on its impact and likelihood. These values are used to calculate a risk score, which contributes to the Residual risk posture within the Risk Register. The risk score is calculated by multiplying impact by likelihood.

By default, risks are marked as Untreated until a treatment option is selected.

You can assess risks directly from the Risk Register or from an individual risk's details page. This article explains how to view and manage risk information from an individual risk.

Access an individual risk's details page

From Risk Management, select a risk to open its details page.

Assessment section

The Assessment section is used to evaluate the severity of a risk and determine how it will be addressed.

  • Inherent Impact: The potential severity of the risk before any controls or mitigation efforts are applied.

  • Inherent Likelihood: The probability of the risk occurring before controls or mitigation efforts are applied.

  • Inherent Score: The calculated risk score based on Impact × Likelihood. This field is not editable.

Current Treatment section

The Treatment Plan indicates how the risk is addressed. Risks default to Untreated until a treatment option is selected.

Depending on the selected treatment, additional fields may appear.

Mitigate or Transfer

  • Treatment Details: Describes how the risk is mitigated or transferred.

  • Anticipated Completion Date: The expected date the treatment will be completed.

  • Completed Date: The date the treatment was completed.

  • Reviewer: The individual responsible for reviewing the treatment.

  • Residual Impact: The potential severity of the risk after controls are applied.

  • Residual Likelihood: The probability of the risk occurring after controls are applied.

  • Residual Score: The calculated risk score after controls are applied.

Accept or Avoid

  • Treatment Details: Describes why the risk is accepted or avoided.

  • Completed Date: The date the treatment decision was finalized.

  • Reviewer: The individual responsible for reviewing the treatment.

Source and status section

  • Risk Source: Indicates whether the risk is internal or external to your organization.

  • Status: Indicates whether the risk is active, closed, or archived.

Detail section

  • Title (required): The name of the risk.

  • Description (required): A detailed explanation of the risk and its potential impact.

  • Categories: Used to group and organize risks. Categories are managed in Risk Settings. Creating or deleting categories is available with Risk Management Pro.

  • Supporting Documents: Upload up to 10 files per risk. File uploads are available with Risk Management Pro.

Owner section

  • Owner: One or more individuals responsible for managing and overseeing the risk.

Mapped Controls

Go to the Mitigating controls tab to view your mapped controls. Mapped Controls allow you to associate Drata Control Framework (DCF) or custom controls with a risk. Only controls from the primary workspace can be linked. Each mapped control is shown with a readiness indicator:

  • Green: Available and ready

  • Red: Not ready

(Screenshot: the Mitigating controls tab)

Internal Notes

You can add, edit, or delete notes related to the risk from the risk's internal notes panel. From the same panel, you can also create and view tickets and tasks related to the risk.

(Screenshot: the sidebar where you can leave internal notes and create tickets and tasks)

Key Notes

  • Risks are marked as Untreated until a treatment option is selected.

  • You can assess risks either from the Risk Register or from an individual risk's details page.

  • Some features, such as category management and file uploads, require Risk Management Pro.


Instructions for the Classic Experience ⬇️

Residual Risk represents the remaining risk after mitigation or transfer. The inherent risk is the untreated risk, calculated as Likelihood × Impact (e.g., 5 × 5). The difference between the inherent risk score and the residual risk score helps assess the effectiveness of risk mitigation efforts—a larger gap suggests stronger risk reduction.

On the Risk Management page within the Register tab, the table displays both the inherent score and the residual score for easy comparison.

Add residual risk score

The residual risk only applies to risks for which you've applied one of the following treatment types: 'Mitigated' or 'Transferred'.

  1. Select a risk.

  2. Enter the Impact and Likelihood under the Assessment section.

  3. Select Mitigated or Transferred for the treatment to add the residual risk score.

  4. Save; the Risk Register will update with the changes.
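The scoring model described in the Assessment and Treatment sections above and in this Classic Experience section, as an added example that is not Drata's own code: inherent score is Impact × Likelihood, risks default to Untreated, residual fields only exist for Mitigate/Transfer, and the inherent-minus-residual gap shows how much a treatment reduced the risk. The 1..5 scale and the sample entries are assumptions, not values from the article.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Treatment(Enum):
    UNTREATED = "Untreated"  # default until a treatment option is selected
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"
    ACCEPT = "Accept"
    AVOID = "Avoid"

# Assumption: impact and likelihood are integers on a 1..5 scale (the "5 x 5" example).
SCALE = range(1, 6)

def score(impact: int, likelihood: int) -> int:
    """Risk score = Impact x Likelihood, as the article defines it."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be integers from 1 to 5")
    return impact * likelihood

@dataclass
class Risk:
    title: str
    inherent_impact: int
    inherent_likelihood: int
    treatment: Treatment = Treatment.UNTREATED
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None
    @property
    def inherent_score(self) -> int:
        return score(self.inherent_impact, self.inherent_likelihood)
    @property
    def residual_score(self) -> Optional[int]:
        """Residual fields only apply to Mitigate/Transfer; other treatments have none."""
        if self.treatment not in (Treatment.MITIGATE, Treatment.TRANSFER):
            return None
        if self.residual_impact is None or self.residual_likelihood is None:
            raise ValueError("Mitigate/Transfer treatments need residual impact and likelihood")
        return score(self.residual_impact, self.residual_likelihood)
    @property
    def reduction(self) -> Optional[int]:
        # Inherent minus residual: a larger gap suggests stronger risk reduction.
        r = self.residual_score
        return None if r is None else self.inherent_score - r

# Constructed sample register (not real Drata data): treated, accepted and untreated risks.
SAMPLE = [Risk("Lost laptop", 5, 4, Treatment.MITIGATE, 5, 1),
          Risk("Vendor outage", 3, 3, Treatment.TRANSFER, 2, 3),
          Risk("Minor UI defect", 1, 2, Treatment.ACCEPT), Risk("Unassessed", 4, 4)]
```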
