⚠️ Select your experience
The steps to set up your risk register depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Managing organizational risk can feel daunting, but Drata makes it simple. With our Risk Management Standard offering, you can jumpstart your risk register in minutes by answering just seven key questions.
A risk register is the central hub for identifying, assessing, and tracking risks within your organization. It provides visibility into the severity of each risk and outlines the actions needed to mitigate them. By automating this process, Drata helps you establish a strong foundation for ongoing risk management.
Note: The risk register setup survey is only available in Risk Management Standard. It is not included in Risk Management Pro.
Getting started
If your risk register is empty, you have two options:
Learn about risk management principles through the in-app survey.
Populate your risk register automatically by answering the guided questions.
Keep in mind:
Once you complete the survey, the populated risks remain in your register for continuous tracking.
If you believe you answered incorrectly, you can restart the survey—but only after deleting all existing risks. It's not recommended to regularly delete all risks in your register in order to restart the survey.
You can always add or copy additional risks later from the Risk Library.
How to launch the survey
Navigate to the Risk Management page > Register tab. If your register is empty, select Help me build my register or Teach me about Risk Management.
Answer each question about the systems, environments, and practices relevant to your business.
At the end of the survey, you'll be able to decide whether to automatically populate your register with the recommended risks.
Survey questions
The survey asks about seven key areas that commonly introduce organizational risk:
Artificial Intelligence – Do you use your own AI systems, third-party AI systems, or both?
Physical Site – Does your organization own or operate physical office space, including leased locations?
Cloud Environment – Do you rely on platforms such as AWS, Azure, or GCP?
Regulatory Requirements – Are you required to follow standards like GDPR, ISO 27001, or HIPAA?
Software Development – Do you develop software in-house?
Unsecured Devices – Are company-issued devices used in non-secure settings (e.g., coffee shops)?
Device Delivery – Does your organization ship devices physically?
Building and customizing your register
Based on your responses, Drata automatically generates a tailored set of risks in your register. From there, you can:
Add more risks by exploring the pre-populated options in the Risk Library, or add your own custom risks that are unique to your organization.
Remove or close risks if they no longer apply to your business.
This flexibility ensures your risk register always reflects the unique needs of your organization while keeping risk management efficient and actionable.
✅ Pro Tip: Regularly review and update your register to ensure it evolves alongside your business and compliance landscape.
Instructions for the Classic Experience ⬇️
When setting up your Risk Assessment, you can answer seven simple questions to automatically populate your risk register, eliminating the need to manually add each risk into the register. A risk register is used to identify, assess, and manage risks associated with an organization. It serves as a log or database that tracks all identified risks, their severity, and the action steps to mitigate them. This automation enhances efficiency and streamlines risk management.
It is crucial to answer the survey questions accurately to ensure all potential risks are covered. This accuracy helps in building a robust risk management framework that enhances your organization's compliance and operational resilience.
Get your Risk Assessment started
When you access Risk Assessment with no risks in your risk register, you can answer seven questions to populate the register automatically instead of adding risks manually.
By the end of the survey, you can either retake the survey, automatically build your risk register, or exit the onboarding process.
If you exit the survey and need to retake it, you must delete all risks from your register. However, users with the Risk Management Pro subscription tier cannot re-trigger the survey even after deleting all risks. Archiving a risk is different from deleting a risk and will not allow you to retake the survey. To delete risks, select all risks, then go to Actions > Delete.
Start the survey
Note: This is only for those who have Risk Assessment. Those who have Risk Management won't have access to this survey option.
To start the survey to automatically populate your risk register, follow these instructions. At the end of the survey, you will have the option to automatically populate your risk register or not.
Please Note: At this time, the risk assessment survey questions can only be completed once. Users with the Risk Management Pro subscription tier cannot access the survey, and downgrading to Risk Management Standard to complete the survey and then re-upgrading to Pro is not officially supported and is generally not recommended.
Risk Assessment survey questions
Artificial Intelligence: Confirm if your organization uses its own AI systems or utilizes third-party AI systems. If your company uses both its own AI system and a third-party AI system, be sure to confirm both options.
Physical Site: Confirm if your organization owns or operates a physical site, including leased or operated office spaces.
Cloud Environment: Confirm if your organization uses cloud environments such as AWS, Azure, or GCP.
Regulatory Requirements: Confirm if your organization needs to adhere to guidelines like GDPR, ISO 27001, or HIPAA.
Software Development: Confirm if your organization develops software in-house, which involves certain risks.
Unsecured Devices: Confirm if your organization uses company-issued devices in non-secure settings like coffee shops.
Device Delivery: Confirm if your organization physically ships devices.
Build your risk register
After you complete the survey, if you chose to build your risk register, it is automatically populated with the applicable risks based on your responses.
You can customize the Risk Register by adding or removing risks as needed. To add a risk, go to the Risk Library, view the available pre-populated risks, and add the ones you want to manage to the Risk Register. To remove a risk, remove it from the Risk Register.
Other resources
Learn more about Risk Assessment at Risk Assessment overview.


