⚠️ Select your experience
The steps to manage Custom Formulas for Risks depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Overview
There are multiple ways to measure and evaluate risk. Drata provides a flexible and configurable approach to risk measurement, allowing you to tailor calculations to match your organization's workflows.
You can use custom formulas to calculate values such as risk appetite, risk modifiers, or financial impact. Drata also supports Advanced Formulas, which allow you to use one custom formula inside another.
Prerequisites
Plan availability: Drata Enterprise
Permissions: Admin, Information Security Lead, or Workspace Manager
Risk Managers must also be assigned one of the roles listed above
Field limitations: Only numeric and currency-based fields can be used
Formula limits: Up to 50 custom formulas per account
The following field types can be used in the expression builder within Risk Management:
Number
Currency
Dropdown (number)
Common Use Cases
The following examples demonstrate how custom formulas can be used to support common risk assessment workflows. These examples are illustrative and can be adapted to meet your organization's needs.
Financial Impact
Use a custom formula to estimate the potential financial impact of a risk event.
Create a custom field representing Risk Probability, or use Drata's Inherent Likelihood field.
Create a custom field representing Financial Loss using a Currency field.
Create a custom formula using these fields.
Note: Divide the risk probability value by 100 if it is entered as a percentage.
The calculated result appears in the Risk drawer and updates dynamically as values change.
Risk Appetite
You can calculate an individual financial risk appetite for each risk using a custom formula. While risk appetite is often aggregated across risks, this approach allows for per-risk evaluation using the same method as the financial impact example.
Operational Risk Tolerance
To calculate operational risk tolerance (for example, related to business continuity or temporary system outages):
Create numeric or currency-based fields representing operational impact.
Use a custom formula to calculate tolerance based on downtime, cost, or likelihood.
Create a Custom Formula
Navigate to the Settings > Configuration > Fields and formulas page.
Select the Formulas tab.
Select Create formula.
In the Details step, enter a name for the formula, then select Next.
Choose the section of the Risk drawer (Details, Assessment, or Treatment) in which the formula should appear.
Build the expression using operators, custom fields, and risk fields.
The expression builder provides real-time validation and allows:
Up to 35 terms per expression
Manual entry of numeric values and operators
Note: Only valid expressions can be saved.
Once saved, the formula result displays in the Risk drawer and updates in real time as inputs change.
More complex formulas
An Advanced Formula is a custom formula that uses an existing custom formula as one of its terms. Important considerations:
A custom formula that is used within another formula cannot be deleted until it is removed from every formula that depends on it.
Formula chaining is not supported: a formula that already references another formula (that is, an Advanced Formula) cannot itself be used inside a third formula.
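The following Python script is an added example, not Drata's own code or API. It models the rules described above for the expression builder and for Advanced Formulas (only Number, Currency, and Dropdown (number) fields; at most 35 terms per expression; at most 50 formulas per account; no formula chaining; no deletion of a field or formula that another formula still uses) and evaluates the Financial Impact use case, in which a probability entered as a percentage is divided by 100. The field names risk_probability, financial_loss, and control_modifier and the sample risk values are assumed for illustration. Expressions are parsed with Python's ast module and only arithmetic nodes are accepted, so a user-supplied formula is never passed to eval.

```python
import ast
import operator

# Limits stated on the page.
ALLOWED_FIELD_TYPES = {"number", "currency", "dropdown(number)"}
MAX_TERMS = 35       # terms per expression
MAX_FORMULAS = 50    # custom formulas per account

# Only these arithmetic operators are accepted; anything else in the AST is rejected.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_IGNORED = (ast.operator, ast.unaryop, ast.expr_context)  # structural nodes with no value


class FormulaError(ValueError):
    """An expression or registry change violates one of the rules."""


class FormulaRegistry:
    """Assumed model of one account's custom fields and formulas (not Drata's API)."""

    def __init__(self):
        self.fields = {}    # field name -> field type
        self.formulas = {}  # formula name -> {"tree", "fields", "formulas"}

    def add_field(self, name, field_type):
        if field_type not in ALLOWED_FIELD_TYPES:
            raise FormulaError(f"field {name!r}: type {field_type!r} cannot be used in formulas")
        self.fields[name] = field_type

    def add_formula(self, name, expression):
        if len(self.formulas) >= MAX_FORMULAS:
            raise FormulaError(f"account already has {MAX_FORMULAS} formulas")
        try:
            tree = ast.parse(expression, mode="eval").body
        except SyntaxError as exc:
            raise FormulaError(f"invalid expression: {exc.msg}") from None
        fields, formulas, terms = set(), set(), 0
        for node in ast.walk(tree):
            if isinstance(node, _IGNORED):
                continue
            if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
                continue
            if isinstance(node, ast.UnaryOp) and type(node.op) in _UNOPS:
                continue
            if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
                terms += 1
            elif isinstance(node, ast.Name) and node.id in self.fields:
                terms += 1
                fields.add(node.id)
            elif isinstance(node, ast.Name) and node.id in self.formulas:
                # Using a formula that itself uses a formula would be chaining.
                if self.formulas[node.id]["formulas"]:
                    raise FormulaError(f"{node.id!r} is already an advanced formula; "
                                       "formula chaining is not supported")
                terms += 1
                formulas.add(node.id)
            else:
                raise FormulaError(f"unsupported term or syntax: {ast.dump(node)}")
        if terms > MAX_TERMS:
            raise FormulaError(f"expression has {terms} terms; the limit is {MAX_TERMS}")
        self.formulas[name] = {"tree": tree, "fields": fields, "formulas": formulas}

    def evaluate(self, name, risk):
        """Compute a formula for one risk; `risk` maps field names to numeric values."""
        def walk(node):
            if isinstance(node, ast.Constant):
                return node.value
            if isinstance(node, ast.Name):
                return self.evaluate(node.id, risk) if node.id in self.formulas else risk[node.id]
            if isinstance(node, ast.UnaryOp):
                return _UNOPS[type(node.op)](walk(node.operand))
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        return walk(self.formulas[name]["tree"])

    def delete_formula(self, name):
        dependents = [f for f, spec in self.formulas.items() if name in spec["formulas"]]
        if dependents:
            raise FormulaError(f"{name!r} is used by {dependents}; remove it from them first")
        del self.formulas[name]

    def delete_field(self, name):
        users = [f for f, spec in self.formulas.items() if name in spec["fields"]]
        if users:
            raise FormulaError(f"field {name!r} is used by {users} and cannot be deleted")
        del self.fields[name]


def rejects(action, *args):
    """True if the registry operation is refused with a FormulaError."""
    try:
        action(*args)
    except FormulaError:
        return True
    return False


def financial_impact_demo():
    """Financial Impact use case from the page, plus an advanced formula built on it."""
    reg = FormulaRegistry()
    reg.add_field("risk_probability", "number")   # entered as a percentage, e.g. 20 for 20%
    reg.add_field("financial_loss", "currency")
    reg.add_field("control_modifier", "number")   # assumed extra field for the advanced formula
    reg.add_formula("financial_impact", "risk_probability / 100 * financial_loss")
    reg.add_formula("residual_impact", "financial_impact * control_modifier")
    risk = {"risk_probability": 20, "financial_loss": 250_000, "control_modifier": 0.5}  # constructed
    return reg, reg.evaluate("financial_impact", risk), reg.evaluate("residual_impact", risk)


if __name__ == "__main__":
    registry, impact, residual = financial_impact_demo()
    print(impact, residual, rejects(registry.add_formula, "exposure", "residual_impact * 2"))
```

The whitelist approach matters beyond this toy: an expression builder that accepts arbitrary identifiers or function calls becomes a code-execution surface, so the validator rejects every AST node it does not explicitly understand rather than blocking a list of known-bad ones.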
View a Custom Formula in a Risk
To view a custom formula and its calculated result:
Select a risk to open its details drawer.
Locate the section (Details, Assessment, Treatment) where the formula was placed during setup.
The result updates in real time. You can also:
View the formula beneath the field name
Hover over individual terms to see the values used in the calculation
Instructions for the Classic Experience ⬇️
Risk Management Custom Risk Scoring & Legend
Many customers use methodologies other than the standard 5x5 Impact vs. Likelihood risk scoring. For those who do, this feature allows you to configure your risk scores and thresholds to better align with how your organization assesses, scores, and treats risks.
Note: Risk Management and Risk Assessments are distinct features.
Prerequisite
Ensure you have an Admin or Risk Manager role in Drata. Only Admins and Risk Managers have the ability to configure and modify scoring methodology.
Update scoring
⚠️ Important Notes
If you've modified your risk scoring, you may need to complete some sections manually such as the heatmap and definitions.
Changing the impact or likelihood to values lower than your current scores will clear existing scores and require a reassessment of risks.
For example, if you used a 5x5 method scoring but changed it to 3x3, your scores will be reset.
It may take a few minutes for your risk register to update with the new scoring methodology.
The 'Risk register settings' drawer opens and displays the Scoring and Thresholds tabs.
On the Scoring tab, you can:
Update the default scoring system. The default scoring is set to 5 x 5 (Impact x Likelihood).
Select any combination of values between 3 and 10 for impact and for likelihood (for example, 3 x 5).
The number of levels automatically readjusts based on your impact and likelihood selections.
Define what each numeric impact and likelihood level means. For example, Impact level 1 could mean there is no impact, and Impact level 2 a slight impact.
On the Thresholds tab, you will be presented with the default of 4 thresholds: Low, Medium, High, and Critical.
The threshold values will automatically readjust based on your impact and likelihood selections.
Select the Plus (+) button on the threshold chart to add up to five (5) thresholds.
Remove a threshold by selecting the trash icon next to its name and description, ensuring at least two (2) thresholds remain.
Adjust the threshold range by clicking and dragging the selector.
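As an added example (not Drata's own code), the following Python script models the Classic scoring settings described above: an impact x likelihood scale of 3 to 10 levels per axis, a score equal to impact multiplied by likelihood, between 2 and 5 named thresholds whose ranges readjust when the scale changes, and the reset of existing scores when the scale is reduced. How Drata recomputes threshold ranges is not stated on this page; here each threshold keeps the same fraction of the maximum score, which is an assumption. The risk IDs and scores are constructed sample data.

```python
import math

MIN_LEVELS, MAX_LEVELS = 3, 10            # allowed sizes for each scale axis
MIN_THRESHOLDS, MAX_THRESHOLDS = 2, 5     # allowed number of thresholds
DEFAULT_THRESHOLDS = ["Low", "Medium", "High", "Critical"]


class RiskScoring:
    """Assumed model of the Classic Experience scoring settings (not Drata's own code)."""

    def __init__(self, impact_levels=5, likelihood_levels=5):
        self.impact_levels = self.likelihood_levels = None
        self.scores = {}   # risk id -> (impact, likelihood), or None once cleared
        # Each threshold is (name, fraction of the maximum score it extends to), so the
        # ranges readjust automatically when the scale changes (assumed behaviour).
        n = len(DEFAULT_THRESHOLDS)
        self.thresholds = [(name, (i + 1) / n) for i, name in enumerate(DEFAULT_THRESHOLDS)]
        self.set_scale(impact_levels, likelihood_levels)

    @property
    def max_score(self):
        return self.impact_levels * self.likelihood_levels

    def set_scale(self, impact_levels, likelihood_levels):
        for value in (impact_levels, likelihood_levels):
            if not MIN_LEVELS <= value <= MAX_LEVELS:
                raise ValueError(f"each axis must have {MIN_LEVELS} to {MAX_LEVELS} levels")
        # Shrinking either axis clears existing scores so the risks are reassessed
        # (the page's example: a 5x5 register changed to 3x3 has its scores reset).
        if self.impact_levels is not None and (impact_levels < self.impact_levels
                                               or likelihood_levels < self.likelihood_levels):
            self.scores = {risk_id: None for risk_id in self.scores}
        self.impact_levels, self.likelihood_levels = impact_levels, likelihood_levels

    def assess(self, risk_id, impact, likelihood):
        if not (1 <= impact <= self.impact_levels and 1 <= likelihood <= self.likelihood_levels):
            raise ValueError("impact or likelihood is outside the configured scale")
        self.scores[risk_id] = (impact, likelihood)

    def score(self, risk_id):
        pair = self.scores[risk_id]
        return None if pair is None else pair[0] * pair[1]

    def bands(self):
        """Threshold ranges for the current scale as (name, low, high), inclusive."""
        out, low, last = [], 1, len(self.thresholds) - 1
        for i, (name, fraction) in enumerate(self.thresholds):
            high = self.max_score if i == last else math.ceil(fraction * self.max_score)
            out.append((name, low, high))
            low = high + 1
        return out

    def rating(self, risk_id):
        value = self.score(risk_id)
        if value is None:
            return "Unassessed"
        return next(name for name, low, high in self.bands() if low <= value <= high)

    def add_threshold(self, name, fraction):
        if len(self.thresholds) >= MAX_THRESHOLDS:
            raise ValueError(f"at most {MAX_THRESHOLDS} thresholds are allowed")
        self.thresholds = sorted(self.thresholds + [(name, fraction)], key=lambda t: t[1])

    def remove_threshold(self, name):
        if len(self.thresholds) <= MIN_THRESHOLDS:
            raise ValueError(f"at least {MIN_THRESHOLDS} thresholds must remain")
        self.thresholds = [t for t in self.thresholds if t[0] != name]


def refused(action, *args):
    """True if the settings change is rejected with a ValueError."""
    try:
        action(*args)
    except ValueError:
        return True
    return False


def rescale_demo():
    """Score two constructed risks on 5x5, shrink to 3x3, and show the reset."""
    scoring = RiskScoring()
    scoring.assess("RISK-1", 4, 5)   # constructed sample: score 20
    scoring.assess("RISK-2", 2, 3)   # constructed sample: score 6
    before = {rid: scoring.rating(rid) for rid in scoring.scores}
    scoring.set_scale(3, 3)
    after = {rid: scoring.rating(rid) for rid in scoring.scores}
    return scoring, before, after


if __name__ == "__main__":
    scoring, before, after = rescale_demo()
    print(before, after, scoring.bands())
```

With the default 5 x 5 scale the four bands come out as 1 to 7, 8 to 13, 14 to 19 and 20 to 25; after shrinking to 3 x 3 they become 1 to 3, 4 to 5, 6 to 7 and 8 to 9 and both sample risks read as Unassessed until they are scored again, which is the reset the important notes above describe.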
Insights tab
The visualizations on the insights tab will expand/contract based on the scoring configuration.
Selecting a visualization takes you to the risk register, filtered to the risks that match that criterion.
Custom Formulas for Risks
There can be multiple methods to measure risk. Therefore, we offer a flexible and configurable approach to risk measurement and management. Whether you are calculating your risk appetite, adding a risk modifier, or measuring financial risk, Drata allows you to configure inputs to match your specific workflow.
You can also use a custom formula within another formula, which creates an Advanced formula. To learn more, see the section on creating an Advanced formula below.
Prerequisite
You must have the Advanced or Essential bundle.
You must have an Admin, Information Security Lead, or Workspace Manager role.
Even if you are a Risk Manager, you must be assigned one of the previously mentioned roles.
Only currency and numerical fields can be used.
You can create a maximum of 50 custom formulas within each account.
The following field types within Risk Assessment or Risk Management can be used in the expression builder:
Number
Currency
Dropdown (number)
Common use cases
The following examples use Custom Formulas for risks to solve common business needs. They are only a few illustrations of how custom formulas can support your organization's own workflows for assessing and evaluating a risk.
Financial Impact
Financial Impact: Measure the potential financial impact for each risk event.
Create a custom field representing the probability of the risk event occurring (Risk Probability), or use Drata's own Inherent Likelihood field.
Create another custom field that equates to the Financial Loss for the Risk, utilizing a Currency field type.
Finally, create a Custom Formula with the following expression:
Note: The Risk Probability field is divided by 100 so that a value entered as a percentage (for example, 20 for 20%) is applied as a fraction in the formula.
You can then view the formula and its result in the Risk drawer.
Create Custom Formulas
Navigate to the Company Settings page.
There, you will find a card displaying Custom Fields and Formulas, where the previously mentioned roles can configure the custom fields and formulas to evaluate risks.
Ensure you are on the Custom formula tab. Then, select Create custom formula.
Follow the 3-part wizard to create a custom formula, starting with the Details section. First, enter the name of your custom formula. After you are done, select Next.
Then, select the placement of the formula within a specific section of the Risk Drawer.
In the final step, you can build your expression using operators, custom fields, and risk fields.
The expression builder provides real-time feedback on whether your expression is valid.
The builder allows a maximum of 35 terms.
You can manually input numerical values and operators within the expression.
Note: Only valid expressions can be saved.
The result of your custom formula displays inside the Risk drawer and updates in real-time as you modify applicable inputs and fields used in the formula.
Creating an Advanced formula
You can use an existing custom formula inside another formula to make building formulas easier. A formula that does this is called an Advanced Formula. Keep the following in mind:
A formula that is used in another formula can't be deleted until it is removed from every formula that depends on it. This ensures the dependent formulas keep working correctly.
You can't chain formulas. If a formula already uses another formula (making it an Advanced Formula), it can't be used inside a third formula.
To create an Advanced Formula, select an existing custom formula as a term when building the expression.
View the Custom Formula and calculation within a Risk
To view the custom formula and its result, select the Risk to open the drawer and locate the field where you configured the Placement step during the initial creation.
The result updates in real-time, allowing you to adjust inputs and view the output instantly. Additionally, you can see the formula beneath the field name (and description if available), as well as the values used when hovering over the individual terms.
Modifications to a Custom Field
Note: Modifications to a custom field used in a formula are limited.
When a custom field is actively used in a custom formula, only its name and description can be updated: the field cannot be deleted, and its Risk placement cannot be changed. A banner above the custom field indicates which custom formula uses that field.