⚠️ Select your experience
The steps to manage vendor risks depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
The Vendor risks page centralizes risks associated with your vendors so you can assess, track, and treat third-party risk in one place.
Vendor risk management is commonly reviewed during audits (such as SOC 2). Drata helps you document identified vendor risks, evaluate impact and likelihood, and track remediation or acceptance decisions over time.
How vendor risk management works in Drata
Vendor risks represent security, compliance, or operational concerns identified during vendor reviews or ongoing monitoring. Examples include:
Vendor does not meet internal password or MFA requirements
Vendor does not complete penetration testing
Vendor does not have a SOC 2 report
Vendor lacks required security controls or device management
Each vendor risk is evaluated using impact, likelihood, and treatment status. Risks can be reviewed individually or across all vendors.
Prerequisites
Vendor risks are available to customers with TPRM Pro
Vendors must exist in Current vendors before risks can be associated with them
Access vendor risks
To view vendor risks, select Vendors → Vendor risks.
From this page, you can:
View all vendor risks across your organization
Filter risks by status, impact, likelihood, risk score, owner, or vendor
Search for risks by name
Download risk data for reporting or audit review
This page provides a consolidated view of your vendor risk posture.
Add a vendor risk
You can add a risk from a vendor profile or directly from the Vendor risks page.
Step 1: Add a risk from a vendor profile
Open Vendors → Current vendors.
Select a vendor.
Open the Risks tab.
Select Add risk.
Step 2: Complete risk details
When adding or editing a vendor risk, provide details to help your team understand the source of the risk, assess severity, and track remediation.
Start by selecting whether the risk is internal (originating within your organization) or external (introduced by a third party such as a vendor or subcontractor).
The vendor will already be selected.
Choose the appropriate risk status to reflect its current stage.
Next, enter the core risk information, including a title, description, the date the risk was identified, and any relevant fields such as category, owner, or supporting documentation.
You can optionally complete an inherent risk assessment by selecting impact (the potential severity if the risk occurs) and likelihood (the probability of occurrence). Drata automatically calculates the Residual risk based on these values.
View vendor risk status
From Vendors → Vendor risks, you can:
Track active, closed, and archived risks
Monitor overdue or untreated risks
Review or update inherent vs residual risk levels
Assess overall vendor risk exposure
This view helps prioritize remediation and supports audit evidence.
Instructions for the Classic Experience ⬇️
The Vendor Risk tab and Risk Overview dashboard allow you to add and track all the risks associated with your vendors in a single place.
HERE'S WHY
Today, it is more important than ever to track all of your organization's ongoing risks in a single centralized place and avoid the challenges of tracking different risks in different tools.
Once you've identified risks from your security review, Drata enables you to easily monitor, track, and treat those risks. Below is an example list of vendor risks that our customers have tracked in Drata:
Vendor has a password policy that does not meet our internal policy requirements for passwords
Vendor does not meet our requirements for security controls
Vendor does not complete Pen Tests
Vendor does not have MDM
Vendor does not have MFA
Vendor does not have SOC 2
BEFORE DIVING IN
This feature is only available to our TPRM Pro customers.
HERE'S HOW
In your Vendor Directory, click on a Vendor.
Once you've entered the Vendor Profile, click on the "Risks" tab.
To add a risk, click "Add A Risk" and a drawer will open.
Enter information about the risk into the drawer. It contains the following fields, all of which are editable and optional unless noted:
Risk ID (non-editable): This will be pre-filled.
Risk Identified Date: This is the date you've identified the risk.
Title (required): Title of your risk. Example risks are listed in the "Here's Why" section above.
Description (required): Description of your risk.
Categories: You can assign or remove categories from here. To untag a category from a specific risk, click the X icon. To completely remove a category from your risk register, click the recycle bin icon next to the category name in the dropdown.
Risk Owner: You may add as many owners as you want to a specific risk
Supporting Documents: Up to 10 files can be uploaded for a risk.
Once you scroll further, you'll find more information, including assessment, treatment and internal notes.
Impact: This is the threat impact (can be also set from the Risk Overview or Risk tab table directly).
Likelihood: This is the likelihood of a threat occurring (can be also set from the table directly).
Total Score: This represents the risk calculated by Impact x Likelihood.
Note: For those with Risk Management, the assessment will be the same scale as the custom risk scoring in your Risk Management.
Treatment Plan: By default, a risk is marked as "Needs Treatment". Depending on the chosen treatment response, the following fields appear:
Mitigate or Transfer:
Treatment Details
Anticipated Completion Date
Completed Date
Reviewer
Residual Impact
Residual Likelihood
Residual Total Score
Accepted or Avoid:
Treatment Details
Completed Date
Reviewer
Internal Notes: You can add, edit or delete multiple notes for a risk.
Once you've clicked "Save" and added your risk, if you have Risk Management, you will be informed that your risk has also been added to the Risk Management section. See the Vendor Risks and Risk Management section below for details.
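The drawer fields above define a small scoring model: Total Score is Impact x Likelihood, residual values exist only for Mitigate or Transfer treatments, and a risk is overdue when its anticipated completion date passes without a completed date. The following Python is an added example that is not part of the Drata product or this article; it models a register with those fields so you can reproduce the score, find the "overdue or untreated" risks the Vendor risks view surfaces, and run a sanity check Drata does not document (residual should never exceed inherent). The 1 to 5 scale, the risk IDs, the vendor names and the sample rows are all assumptions constructed for the example; Drata uses whatever scale is configured in your Risk Management module.

```python
"""Vendor risk register model built from the drawer fields described above.

Added example, not Drata code. Scale, IDs and sample rows are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumption: ordinal 1..5 scales for impact and likelihood.
MIN_SCORE, MAX_SCORE = 1, 5
# Treatment responses named on the page; "Needs Treatment" is the default.
RESIDUAL_TREATMENTS = {"Mitigate", "Transfer"}        # carry residual fields
TERMINAL_TREATMENTS = {"Accepted", "Avoid"}           # no residual fields
VALID_TREATMENTS = {"Needs Treatment"} | RESIDUAL_TREATMENTS | TERMINAL_TREATMENTS
AS_OF = date(2025, 6, 1)  # assumed "today" for the sample report


def _check_scale(name: str, value: int) -> None:
    if not (MIN_SCORE <= value <= MAX_SCORE):
        raise ValueError(f"{name} must be in {MIN_SCORE}..{MAX_SCORE}, got {value}")


@dataclass
class VendorRisk:
    risk_id: str               # pre-filled by Drata, e.g. "VR-01" (assumed format)
    vendor: str
    title: str
    impact: int
    likelihood: int
    treatment: str = "Needs Treatment"
    anticipated_completion: Optional[date] = None
    completed: Optional[date] = None
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def __post_init__(self) -> None:
        _check_scale("impact", self.impact)
        _check_scale("likelihood", self.likelihood)
        if self.treatment not in VALID_TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment}")
        has_residual = self.residual_impact is not None or self.residual_likelihood is not None
        if has_residual and self.treatment not in RESIDUAL_TREATMENTS:
            raise ValueError("residual fields only apply to Mitigate/Transfer")
        if self.residual_impact is not None:
            _check_scale("residual_impact", self.residual_impact)
        if self.residual_likelihood is not None:
            _check_scale("residual_likelihood", self.residual_likelihood)

    @property
    def total_score(self) -> int:
        """Inherent score: Impact x Likelihood, as stated on the page."""
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> int:
        """Residual Impact x Residual Likelihood once a Mitigate/Transfer plan
        records them; otherwise the inherent score (assumption: nothing has
        reduced the risk yet, or it was accepted as-is)."""
        if self.residual_impact is not None and self.residual_likelihood is not None:
            return self.residual_impact * self.residual_likelihood
        return self.total_score

    def is_untreated(self) -> bool:
        return self.treatment == "Needs Treatment"

    def is_overdue(self, today: date) -> bool:
        """Mitigate/Transfer plan whose anticipated date passed with no completed date."""
        return (
            self.treatment in RESIDUAL_TREATMENTS
            and self.completed is None
            and self.anticipated_completion is not None
            and self.anticipated_completion < today
        )


def needs_attention(risks: List[VendorRisk], today: date) -> List[VendorRisk]:
    """Overdue or untreated risks, highest inherent score first."""
    flagged = [r for r in risks if r.is_untreated() or r.is_overdue(today)]
    return sorted(flagged, key=lambda r: (-r.total_score, r.risk_id))


def residual_exceeds_inherent(risks: List[VendorRisk]) -> List[str]:
    """Sanity check: a treatment plan should not leave residual above inherent."""
    return [r.risk_id for r in risks if r.residual_score > r.total_score]


# Constructed sample register; vendors and dates are made up for the example.
SAMPLE = [
    VendorRisk("VR-01", "Acme Hosting", "Vendor does not have SOC 2", 4, 3,
               treatment="Mitigate", anticipated_completion=date(2025, 3, 1),
               residual_impact=2, residual_likelihood=2),
    VendorRisk("VR-02", "Acme Hosting", "Vendor does not have MFA", 5, 4),
    VendorRisk("VR-03", "Beta Payroll", "Vendor does not complete Pen Tests", 3, 3,
               treatment="Accepted", completed=date(2025, 1, 15)),
    VendorRisk("VR-04", "Beta Payroll", "Vendor does not have MDM", 3, 2,
               treatment="Transfer", anticipated_completion=date(2025, 2, 1),
               residual_impact=3, residual_likelihood=3),
]


def report(today: date = AS_OF) -> dict:
    """Summary a reviewer would pull before an audit walkthrough."""
    return {
        "attention": [r.risk_id for r in needs_attention(SAMPLE, today)],
        "scores": {r.risk_id: (r.total_score, r.residual_score) for r in SAMPLE},
        "residual_above_inherent": residual_exceeds_inherent(SAMPLE),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

VR-02 tops the attention list because it is still "Needs Treatment" with the highest inherent score; VR-01 and VR-04 are flagged as overdue Mitigate/Transfer plans. VR-04 also fails the sanity check because its recorded residual (3 x 3) is higher than its inherent score (3 x 2), which usually means the residual fields were filled in without an assessment; that is worth catching before an auditor does.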
Vendor Risks Overview Dashboard
After you've added your risks, you can navigate to the Directory page and click "Vendor risks overview".
On the dashboard page, you will see an overview of all the risks associated with your vendors and a summary of your vendor risk posture.
Vendor Risks and Risk Management
For those of you with Risk Management, Vendor Risk and Risk Management will be connected.
As shown above, once you've clicked "Save" and added your risk to a Vendor, if you have Risk Management, you will be informed that your Risk has also been added to the Risk Management section.
If you click "View VR-01 in Risk Management" in the modal, or "Risk management related to [Vendor]" in the tab (both shown below), you will be taken to the Risk Management module and see a list of all your risks related to this vendor.
From the Risk Management page, you can also add a vendor risk by clicking Add Risk and selecting "External Risk".
The drawer details are the same as when adding a risk through the vendor profile, with one additional Vendor field where you must choose the vendor the External Risk is associated with. The field shows a drop-down of all your vendors (as seen below).
On the Vendor Risk Overview page, you can also click "View more insights".
This takes you to the Risk Management Insights page filtered to "External Risks".