
Vendor Automated Impact Assessment

⚠️ Select your experience

The steps to complete your Vendor Automated Impact Assessment depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Automated Impact Assessment helps you determine the potential impact a vendor poses to your organization based on how they interact with your data, operations, and environments. Drata uses this assessment to recommend an Inherent risk and guide appropriate security review actions.

Availability

⚠️ Plan requirement: Automated Impact Assessment is available only to customers on the TPRM Pro plan.


Why impact assessment matters

Impact assessment helps you:

  • Consistently evaluate vendor risk during onboarding

  • Prioritize security reviews based on vendor criticality

  • Support audit requirements for vendor risk classification

  • Drive downstream workflows such as review scope and risk creation


When impact assessment occurs

Impact assessment is completed when you:

  • Add a prospective vendor, or

  • Add a new vendor and choose to assess impact

If the assessment is not completed, the vendor's Inherent risk is marked as Unscored.


Complete an impact assessment

To complete an impact assessment during vendor creation:

  1. Go to Vendors.

  2. Select Prospective vendors or Current vendors.

  3. Select Add vendor.

  4. In the Impact assessment section, select the best-fit options for:

    • Data accessed or processed

    • Operational impact

    • Access to environments

Drata evaluates your selections and displays a recommended Inherent risk.

Impact assessment section showing recommended Inherent risk

Recommended vs modified Inherent risk

  • The recommended Inherent risk is calculated automatically based on your inputs.

  • You can override this recommendation if needed.

  • If overridden, the field updates to Modified Inherent risk.

  • You can revert to Drata's recommendation at any time.


Operational impact scale

Level      Impact  Description
None       1       No or negligible operational, financial, or reputational impact
Low        2       Limited process disruption, minimal financial or reputational impact
Normal     3       Some reduction in effectiveness, moderate financial or reputational impact
Important  4       Significant disruption to primary processes, measurable financial loss
Critical   5       Loss of mission-critical operations, severe financial and reputational damage


Inherent risk definitions

Inherent risk  Description
Insignificant  Minimal loss or damage, no regulatory reporting
Minor          Minor financial loss, limited reputational impact
Moderate       Noticeable process disruption and financial loss
Major          Significant financial loss, regulatory reporting required
Critical       Severe financial loss, regulatory action, major reputational damage
Unscored       Impact assessment not completed


Instructions for the Classic Experience ⬇️

Drata's Automated Impact Analysis helps you determine the impact that your vendor poses to your organization based on their data accessed or processed, their operational impact, and their access to your environments.

Based on the Impact that a vendor poses to your organization, you can decide the necessary security review actions to conduct.

BEFORE DIVING IN

This feature is only available to customers with TPRM Pro.

Set up impact assessment

On your Vendors page, select the "My vendors" tab, then the "Add vendor" button, and then the "Add a single vendor" button.

Vendors page showing Add vendor button

On the Add Vendor drawer, go to the Impact assessment section. Select the best-fit options for "Data accessed or processed", "Operational impact", and "Access to environment" for this vendor.

The following table displays the industry definitions for the Operational Impact scale.

Field option (Impact) and description:

None (Impact: 1)

  • No/negligible effect on processes

  • No/negligible financial loss

  • No/negligible relational harms

Low (Impact: 2)

  • Limited reduction in the effectiveness of processes

  • Minimal financial loss

  • Minimal relational harms

Normal (Impact: 3)

  • Some reduction in the effectiveness of processes

  • Some financial loss

  • Some relational harms

Important (Impact: 4)

  • Loss of ability to perform high-importance processes, but not mission-essential and core business operations

  • Significant reduction in the effectiveness of primary processes, currently or in the future

  • Measurable financial loss

  • Significant relational impacts

Critical (Impact: 5)

  • Loss of ability to perform mission and core business operations

  • Severe degradation in capability, to an extent and duration that the business is not able to perform primary functions, currently or in the future

  • Severe financial loss

  • Severe relational harms

After you complete the selections, Drata displays its recommended impact level.

Recommended impact level shown after completing selections

This impact level can be changed. If you change the impact level, the field name updates to "Modified Impact level". You can always revert to Drata's recommendation as well.

Modified Impact level field shown after overriding recommendation

The following table displays the industry definitions for the Impact Level scale.

The "Unscored" impact level means you did not complete the impact assessment.

Field option (Impact) and description:

Insignificant (Impact: 1)

  • Minimal loss/damage

  • Local media attention quickly remedied

  • Not reportable to regulator

  • Isolated staff dissatisfaction

Minor (Impact: 2)

  • Minor financial loss

  • Local reputational damage

  • Reportable incident to regulator, no follow-up

  • General staff morale problems and increase in turnover

Moderate (Impact: 3)

  • Some reduction in the effectiveness of processes

  • Some financial loss

  • Some relational harms

Major (Impact: 4)

  • Significant financial loss

  • National long-term negative media coverage; significant loss of market share

  • Report to regulator requiring major project for corrective action

  • Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

Critical (Impact: 5)

  • Massive financial loss

  • International long-term negative media coverage; game-changing loss of market share

  • Significant prosecution and fines, litigation including class action

  • Multiple senior leaders leave

Update impact assessment

You can always adjust the assessment or change the impact level for existing vendors. Go to the vendor's profile and edit the Impact assessment section.

Vendor profile showing Impact assessment section for editing