💡 Still using the classic Drata experience? Refer to Streamlined Risk Assessment Set Up for the original UI.
Managing organizational risk can feel daunting, but Drata makes it simple. With our Risk Management Standard offering, you can jumpstart your risk register in minutes by answering just seven key questions.
A risk register is the central hub for identifying, assessing, and tracking risks within your organization. It provides visibility into the severity of each risk and outlines the actions needed to mitigate them. By automating this process, Drata helps you establish a strong foundation for ongoing risk management.
Note: The risk register setup survey is only available in Risk Management Standard. It is not included in Risk Management Pro.
Getting started
If your risk register is empty, you have two options:
Learn about risk management principles through the in-app survey.
Populate your risk register automatically by answering the guided questions.
Keep in mind:
Once you complete the survey, the populated risks remain in your register for continuous tracking.
If you believe you answered incorrectly, you can restart the survey, but only after deleting every existing risk in the register. Regularly deleting all risks in your register just to restart the survey is not recommended.
You can always add or copy additional risks later from the Risk Library.
How to launch the survey
Navigate to the Risk Management page > Register tab. If your register is empty, select Help me build my register or Teach me about Risk Management.
Answer each question about the systems, environments, and practices relevant to your business.
At the end of the survey, you’ll be able to decide whether to automatically populate your register with the recommended risks.
Survey questions
The survey asks about seven key areas that commonly introduce organizational risk:
Artificial Intelligence – Do you use your own AI systems, third-party AI systems, or both?
Physical Site – Does your organization own or operate physical office space, including leased locations?
Cloud Environment – Do you rely on platforms such as AWS, Azure, or GCP?
Regulatory Requirements – Are you required to comply with regulations or standards such as GDPR, ISO 27001, or HIPAA?
Software Development – Do you develop software in-house?
Unsecured Devices – Are company-issued devices used in unsecured settings (e.g., coffee shops or other public locations)?
Device Delivery – Does your organization ship devices physically?
Building and customizing your register
Based on your responses, Drata automatically generates a tailored set of risks in your register. From there, you can:
Add more risks by exploring the pre-populated options in the Risk Library, or add your own custom risks that are unique to your organization.
Remove or close risks if they no longer apply to your business.
This flexibility ensures your risk register always reflects the unique needs of your organization while keeping risk management efficient and actionable.
✅ Pro Tip: Regularly review and update your register to ensure it evolves alongside your business and compliance landscape.