Assess and Manage Individual Risks (New Experience)

Updated this week

💡 Still using the classic Drata experience? Refer to Residual Risk for the original UI.

Overview

Each risk in Drata is assessed based on its impact and likelihood. These values are used to calculate a risk score, which contributes to the overall risk posture within the Risk Register. The risk score is calculated by multiplying impact by likelihood.

By default, risks are marked as Untreated until a treatment option is selected.

You can assess risks directly from the Risk Register or from an individual risk’s details page. This article explains how to view and manage risk information from an individual risk.

Access an individual risk’s details page

From Risk Management, select a risk to open its details page.

Assessment section

The Assessment section is used to evaluate the severity of a risk and determine how it will be addressed.

  • Inherent Impact: The potential severity of the risk before any controls or mitigation efforts are applied.

  • Inherent Likelihood: The probability of the risk occurring before controls or mitigation efforts are applied.

  • Inherent Score: The calculated risk score based on Impact × Likelihood. This field is not editable.

Current Treatment section

The Treatment Plan indicates how the risk is addressed. Risks default to Untreated until a treatment option is selected.

Depending on the selected treatment, additional fields may appear.

Mitigate or Transfer

  • Treatment Details: Describes how the risk is mitigated or transferred.

  • Anticipated Completion Date: The expected date the treatment will be completed.

  • Completed Date: The date the treatment was completed.

  • Reviewer: The individual responsible for reviewing the treatment.

  • Residual Impact: The potential severity of the risk after controls are applied.

  • Residual Likelihood: The probability of the risk occurring after controls are applied.

  • Residual Score: The calculated risk score after controls are applied.

Accept or Avoid

  • Treatment Details: Describes why the risk is accepted or avoided.

  • Completed Date: The date the treatment decision was finalized.

  • Reviewer: The individual responsible for reviewing the treatment.
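As an added illustration (not Drata's code, and not a description of its internal roll-up), here is a small Python model of a risk record with the fields described above: inherent and residual scores are Impact × Likelihood as the page states, residual ratings are required for Mitigate and Transfer and rejected for the other treatments, and a register summary flags risks still left Untreated. The 1..5 rating scale, the rule that a risk without residual ratings carries its inherent score, and the `register_posture` summary are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    UNTREATED = "Untreated"  # default until a treatment option is selected
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"
    ACCEPT = "Accept"
    AVOID = "Avoid"


# Assumption: impact and likelihood are rated 1..5 (the page gives no scale).
SCALE = range(1, 6)


def risk_score(impact: int, likelihood: int) -> int:
    """Risk score as the page defines it: Impact x Likelihood."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError(f"ratings must be within {SCALE.start}..{SCALE.stop - 1}")
    return impact * likelihood


@dataclass
class Risk:
    title: str
    inherent_impact: int
    inherent_likelihood: int
    treatment: Treatment = Treatment.UNTREATED
    residual_impact: Optional[int] = None      # Mitigate/Transfer only
    residual_likelihood: Optional[int] = None  # Mitigate/Transfer only

    @property
    def inherent_score(self) -> int:
        return risk_score(self.inherent_impact, self.inherent_likelihood)

    @property
    def residual_score(self) -> int:
        residual = (self.residual_impact, self.residual_likelihood)
        if self.treatment in (Treatment.MITIGATE, Treatment.TRANSFER):
            if None in residual:  # the residual fields appear and must be filled
                raise ValueError(f"{self.title}: residual ratings required")
            return risk_score(*residual)
        if any(v is not None for v in residual):  # fields do not exist here
            raise ValueError(f"{self.title}: no residual fields for {self.treatment.value}")
        return self.inherent_score  # assumption: no controls applied, score unchanged


def register_posture(risks: list) -> dict:
    """Assumed roll-up: inherent vs residual totals plus risks awaiting a decision."""
    return {"inherent_total": sum(r.inherent_score for r in risks),
            "residual_total": sum(r.residual_score for r in risks),
            "untreated": [r.title for r in risks if r.treatment is Treatment.UNTREATED]}


SAMPLE_REGISTER = [  # constructed sample data, not a real register
    Risk("Unpatched public web server", 5, 4, Treatment.MITIGATE, 5, 1),
    Risk("Vendor outage", 3, 3, Treatment.TRANSFER, 2, 3),
    Risk("Legacy report tool retired", 2, 2, Treatment.AVOID),
    Risk("Lost laptop", 4, 3),  # still Untreated: no decision recorded yet
]
```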

Source and status section

  • Risk Source: Indicates whether the risk is internal or external to your organization.

  • Status: Indicates whether the risk is active, closed, or archived.

Detail section

  • Title (required): The name of the risk.

  • Description (required): A detailed explanation of the risk and its potential impact.

  • Categories: Used to group and organize risks. Categories are managed in Risk Settings. Creating or deleting categories is available with Risk Management Pro.

  • Supporting Documents: Upload up to 10 files per risk. File uploads are available with Risk Management Pro.

Owner section

  • Owner: One or more individuals responsible for managing and overseeing the risk.

Mapped Controls

Go to the Mitigating controls tab to view your mapped controls. Mapped Controls allow you to associate Drata Control Framework (DCF) or custom controls with a risk. Only controls from the primary workspace can be linked.

  • Green: Available and ready

  • Red: Not ready

(Screenshot: the Mitigating controls tab)

Internal Notes

You can add, edit, or delete notes related to the risk from the risk’s internal notes panel. From the same panel, you can also create and view tickets and tasks related to the risk.

(Screenshot: the sidebar where you can leave internal notes and create tickets and tasks)

Key Notes

  • Risks are marked as Untreated until a treatment option is selected.

  • You can assess risks either from the Risk Register or from an individual risk’s details page.

  • Some features, such as category management and file uploads, require Risk Management Pro.