Drata

💡 Still using the classic Drata experience? Refer to <a href="https://help.drata.com/en/articles/8706077-vendor-risks-risk-overview">Vendor Risks &amp; Risk Overview</a> for the original UI.

The Vendor risks page centralizes risks associated with your vendors so you can assess, track, and treat third-party risk in one place.

Vendor risk management is commonly reviewed during audits (such as SOC 2). Drata helps you document identified vendor risks, evaluate impact and likelihood, and track remediation or acceptance decisions over time.

___________________________________________________________

How vendor risk management works in Drata

Vendor risks represent security, compliance, or operational concerns identified during vendor reviews or ongoing monitoring. Examples include:

Vendor does not meet internal password or MFA requirements

Vendor does not complete penetration testing

Vendor lacks required security controls or device management

- Vendor does not meet internal password or MFA requirements
- Vendor does not complete penetration testing
- Vendor does not have a SOC 2 report
- Vendor lacks required security controls or device management

Each vendor risk is evaluated using impact, likelihood, and treatment status. Risks can be reviewed individually or across all vendors.

Vendor risks are available to customers with TPRM Pro

Vendors must exist in Current vendors before risks can be associated

- Vendor risks are available to customers with TPRM Pro
- Vendors must exist in Current vendors before risks can be associated

To view vendor risks, select Vendors → Vendor risks.

View all vendor risks across your organization

Filter risks by status, impact, likelihood, risk score, owner, or vendor

Download risk data for reporting or audit review

- View all vendor risks across your organization
- Filter risks by status, impact, likelihood, risk score, owner, or vendor
- Search for risks by name
- Download risk data for reporting or audit review

This page provides a consolidated view of your vendor risk posture.

You can add a risk from a vendor profile or directly from the Vendor risks page.

1. Open Vendors → Current vendors.
2. Select a vendor.
3. Open the Risks tab.
4. Select Add risk.

When adding or editing a vendor risk, provide details to help your team understand the source of the risk, assess severity, and track remediation.

Start by selecting whether the risk is internal (originating within your organization) or external (introduced by a third party such as a vendor or subcontractor).

Choose the appropriate risk status to reflect its current stage.

1. Start by selecting whether the risk is internal (originating within your organization) or external (introduced by a third party such as a vendor or subcontractor). 
2. The vendor will already be selected.
3. Choose the appropriate risk status to reflect its current stage.

Next, enter the core risk information, including a title, description, the date the risk was identified, and any relevant fields such as category, owner, or supporting documentation.

You can optionally complete an inherent risk assessment by selecting impact (the potential severity if the risk occurs) and likelihood (the probability of occurrence). Drata automatically calculates the overall risk score based on these values.

From Vendors → Vendor risks, you can:

Review or update inherent vs residual risk levels

- Track active, closed, and archived risks
- Monitor overdue or untreated risks
- Review or update inherent vs residual risk levels
- Assess overall vendor risk exposure

This view helps prioritize remediation and supports audit evidence.

Vendor risks (New Experience)

Home

Contact Sales

Support

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Vendor risks (New Experience)

How vendor risk management works in Drata

Prerequisites

Access vendor risks

Add a vendor risk

Step 1: Add a risk from a vendor profile

Step 2: Complete risk details

View vendor risk status