💡 Still using the classic Drata experience? Refer to Risk Management Custom Risk Scoring & Legend for the original UI.
Overview
There are multiple ways to measure and evaluate risk. Drata provides a flexible and configurable approach to risk measurement, allowing you to tailor calculations to match your organization’s workflows.
You can use custom formulas to calculate values such as risk appetite, risk modifiers, or financial impact. Drata also supports Advanced Formulas, which allow you to use one custom formula inside another.
Prerequisites
Plan availability: Drata Enterprise
Permissions: Admin, Information Security Lead, or Workspace Manager
Risk Managers must also be assigned one of the roles listed above
Field limitations: Only numeric and currency-based fields can be used
Formula limits: Up to 50 custom formulas per account
The following field types can be used in the expression builder within Risk Management:
Number
Currency
Dropdown (number)
Common Use Cases
The following examples demonstrate how custom formulas can be used to support common risk assessment workflows. These examples are illustrative and can be adapted to meet your organization’s needs.
Financial Impact
Use a custom formula to estimate the potential financial impact of a risk event.
Create a custom field representing Risk Probability, or use Drata’s Inherent Likelihood field.
Create a custom field representing Financial Loss using a Currency field.
Create a custom formula using these fields.
Note: Divide the risk probability value by 100 if it is entered as a percentage.
The calculated result appears in the Risk drawer and updates dynamically as values change.
Risk Appetite
You can calculate an individual financial risk appetite for each risk using a custom formula. While risk appetite is often aggregated across risks, this approach allows for per-risk evaluation using the same method as the financial impact example.
Operational Risk Tolerance
To calculate operational risk tolerance (for example, related to business continuity or temporary system outages):
Create numeric or currency-based fields representing operational impact.
Use a custom formula to calculate tolerance based on downtime, cost, or likelihood.
Create a Custom Formula
Navigate to the Settings > Configuration > Fields and formulas page.
Select the Formulas tab.
Select Create formula.
In the Details step, enter a name for the formula, then select Next.
Choose the section (Details, Assessment, or Treatment) in which the formula should appear.
Build the expression using operators, custom fields, and risk fields.
The expression builder provides real-time validation and allows:
Up to 35 terms per expression
Manual entry of numeric values and operators
Note: Only valid expressions can be saved.
Once saved, the formula result displays in the Risk drawer and updates in real time as inputs change.
More complex formulas
Advanced Formulas let you use an existing custom formula inside another formula. Important considerations:
If a custom formula is used within another formula, it cannot be deleted until it is removed from all dependent formulas.
Formula chaining is not supported.
If a formula already references another formula, it cannot itself be used inside a third formula.
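The financial impact procedure above and the rules for advanced formulas in this section, as an added example that is not Drata's code: a small Python model of the expression builder that enforces the limits this page states (numeric, currency and dropdown-number fields only, 35 terms per expression, 50 formulas per account, a single level of formula nesting, and no deletion of a formula while another formula uses it) and then evaluates a financial impact and an outage-cost tolerance for one constructed risk. The token-list expression syntax, the sample field names and values, the percent_fields flag, and counting operand tokens as terms are assumptions about how the builder behaves, not documented Drata behaviour.

```python
import operator

# Limits and field rules stated on the page; the rest of this model is an assumption
MAX_FORMULAS = 50   # custom formulas per account
MAX_TERMS = 35      # terms per expression (counted here as operand tokens)
NUMERIC_KINDS = {"number", "currency", "dropdown_number"}
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}


class FormulaError(ValueError):
    """A formula breaks one of the rules above, so the builder would refuse to save it."""


def _is_number(tok):
    return tok.replace(".", "", 1).isdigit()   # unsigned literal such as "100" or "1.1"


class RiskFormulas:
    """One account's fields and formulas; an expression is a token list like ["a", "*", "b"]."""

    def __init__(self, fields, percent_fields=()):
        self.fields = dict(fields)                 # field name -> kind
        self.percent = set(percent_fields)         # hypothetical: fields entered as percentages
        self.formulas = {}                         # formula name -> token list

    def add_formula(self, name, tokens):
        if len(self.formulas) >= MAX_FORMULAS:
            raise FormulaError(f"account limit of {MAX_FORMULAS} formulas reached")
        terms = [t for t in tokens if t not in OPS]
        if len(terms) > MAX_TERMS:
            raise FormulaError(f"{len(terms)} terms exceeds the limit of {MAX_TERMS}")
        for t in terms:
            if _is_number(t):
                continue                           # manually entered numeric value
            if t in self.fields:
                if self.fields[t] not in NUMERIC_KINDS:
                    raise FormulaError(f"field {t!r} is not numeric or currency-based")
            elif t in self.formulas:
                # One level of nesting only: the referenced formula must use fields alone
                if any(x in self.formulas for x in self.formulas[t]):
                    raise FormulaError(f"{t!r} already references a formula; chaining is not supported")
            else:
                raise FormulaError(f"unknown term {t!r}")
        self.formulas[name] = list(tokens)

    def delete_formula(self, name):
        dependents = [n for n, toks in self.formulas.items() if name in toks]
        if dependents:
            raise FormulaError(f"{name!r} is used by {dependents}; remove it there first")
        del self.formulas[name]

    def _value(self, tok, values):
        if _is_number(tok):
            return float(tok)
        if tok in self.formulas:
            return self.evaluate(tok, values)      # nested formula, validated on save
        raw = float(values[tok])
        return raw / 100 if tok in self.percent else raw   # percentage -> probability

    def evaluate(self, name, values):
        """Apply * and / before + and -, left to right; parentheses are not modelled."""
        items = [t if t in OPS else self._value(t, values) for t in self.formulas[name]]
        flat = [items[0]]                          # first pass folds * and /
        for i in range(1, len(items), 2):
            op, rhs = items[i], items[i + 1]
            if op in ("*", "/"):
                flat[-1] = OPS[op](flat[-1], rhs)
            else:
                flat += [op, rhs]
        result = flat[0]                           # second pass applies + and -
        for i in range(1, len(flat), 2):
            result = OPS[flat[i]](result, flat[i + 1])
        return result


# Constructed sample risk: a percentage likelihood, a currency loss and an outage scenario
SAMPLE_FIELDS = {"inherent_likelihood": "number", "financial_loss": "currency",
                 "downtime_hours": "number", "hourly_outage_cost": "currency",
                 "owner_notes": "text"}
SAMPLE_VALUES = {"inherent_likelihood": 25, "financial_loss": 200000,
                 "downtime_hours": 8, "hourly_outage_cost": 1500}


def demo():
    """Return the calculated values plus whether each rule violation was refused."""
    m = RiskFormulas(SAMPLE_FIELDS, percent_fields={"inherent_likelihood"})
    m.add_formula("financial_impact", ["inherent_likelihood", "*", "financial_loss"])
    m.add_formula("outage_cost", ["downtime_hours", "*", "hourly_outage_cost"])
    m.add_formula("total_exposure", ["financial_impact", "+", "outage_cost"])  # advanced formula
    results = {n: m.evaluate(n, SAMPLE_VALUES) for n in m.formulas}
    attempts = {  # each of these must be refused under the page's rules
        "chaining_rejected": lambda: m.add_formula("buffered", ["total_exposure", "*", "1.1"]),
        "text_field_rejected": lambda: m.add_formula("bad", ["owner_notes", "+", "1"]),
        "delete_rejected": lambda: m.delete_formula("financial_impact"),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = False
        except FormulaError:
            results[label] = True
    return results
```

Calling demo() yields 50000.0 for financial_impact (25% of 200,000), 12000.0 for outage_cost and 62000.0 for total_exposure, and reports that the chained formula, the text field and the deletion were all refused. Limiting nesting to one level keeps the dependency check to a single scan of the referenced formula's tokens; it also rules out reference cycles, which a deeper chain would have to detect explicitly before evaluation could be trusted.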
View a Custom Formula in a Risk
To view a custom formula and its calculated result:
Select a risk to open its details.
Locate the section (Details, Assessment, Treatment) where the formula was placed during setup.
The result updates in real time. You can also:
View the formula beneath the field name
Hover over individual terms to see the values used in the calculation