Risk Management is all about the continuous process to identify, assess and manage, and monitor risks that could impact the security, reputation and financial health of a company. In an ever connected world where cyber attacks are evolving and increasing in frequency and severity, the need for a proactive and integrated risk management program is critical to the security posture of any organization. While Drata's Standard Risk Assessment Questionnaire covers standard compliance related requirements, with this module we provide a full-fledged risk management solution.

The Risk Management module is available as an add-on capability. Please contact your CSM or Support if you're interested in learning more and adding Risk Management to your account.

Only Drata controls specific to the frameworks you've purchased are pre-mapped to the module.

You can access the Risk Management module on the left navigation menu.

Total Risks: You can view the total number of risks in your risk register at the top left.

Risks Assessed. Shows your progress towards assessing all your risks.

On the left side, you may access various filters and sorts to apply to the risk table

Here is a list of filters available for Drata Risk Management:

Assessment: Each threat is marked as "not scored" until it is assessed (likelihood and impact is assigned).

Treatment plan: This filter is used to categorize threats by treatment options.

Needs attention: Drata threat library comes with pre-mapped controls to assist with monitoring. If any of the controls is not ready, the associated threats will show up under "needs Attention" section to help with monitoring.

Categories: You may filter threats based on custom tags.

Risk Owners: You may filter risks based on ownership status— whether or not an owner has been assigned.

Owners: You may filter based on the assigned owner.

The Risk Library is pre-loaded with 178 risks based on NIST SP 800-30, ISO 27005, OCR SRA, and other industry standards, from which you can build your Risk Register.

Risk Library: Risks that you decide are not applicable to your organization can be moved to the “Risk Library” from the risk drawer or Actions Menu. Those risks will be listed under the “Risk Library” section.

Note: Risks in the Risk Library will not be counted towards the “Total Risks” and the number of risks left for assessment in the counts at the top of the page or in the Insights tab.

Search: You can search for a score by the ID, Title or Description

Assessment Report: You can download your risk assessment report from the “Download” button.

Note: You will need to fill in company-specific info on the downloaded report in order for it to be audit-ready. Those sections are marked as <info>.

Note: Once you have filled out the info, you should add the report file to your “Evidence Library” page in Drata.

Risk Treatment Plan: You may also download a CSV of your risk treatment plan containing all of your risk metadata.

Action: You may apply bulk actions to multiple risks by selecting risk(s) and clicking on one of the available actions.

Add Risk: If risks applicable to your company are not in Drata’s risk library, you could add custom risks by clicking on the “Add Risk” button at any time.

Each threat-based risk item contains associated data such as risk id, description, category, control mapping, assessment score, etc. Hovering over the “i” icon will display the risk code, title, and full description

Each pre-loaded risk comes with a pre-assigned category (which can be changed)

Hovering over the owners icon will display the list of owners for that risk once you have assigned an owner

Each risk comes pre-mapped to your in-scope DCF controls in Drata. Mapped controls are displayed on the risk row underneath the risk title. Controls that are “ready” will be green. Drata controls that are not ready will be displayed in red. Mapped controls that you have marked as out of scope will be grayed out.

Analyzing and Assessing a risk: Each risk needs to be analyzed through the threat impact and likelihood, and scored to be considered an assessed risk. You can select a score for your impact and your likelihood. The total score will be the impact multiplied by likelihood.

Note: We support custom scoring. To customize your scoring, go to Custom Risk Scoring & Legend. It is critical to ensure that the scoring on your report mirror the same scoring on your Risk Assessment Policy

To score from the risk row, click on the dropdown and select a score.

Once you have input the scores for both impact and likelihood, the “check” button next to the drop-downs will be enabled. Clicking on this will calculate your risk score and confirm your assessment of that risk.

Note: The orange line next to the risk will disappear as soon as you have completed the assessment.

When scoring from the risk row, a default value of “Needs Treatment” will be applied to the risk until you select an actual treatment response/method.

Note: You may also assess a risk by opening the drawer and scrolling down to the “Assessment” section of the drawer

Clicking on a row will open the risk drawer. From here you can edit all of the risk's data. It contains the following fields, all of which are editable and optional unless noted:

Risk ID (non-editable)

Title (required)

Description (required)

Categories. You can assign or remove categories from the system from here. To untag a category from a specific risk, you can click on the X icon. In order to completely remove a category from your risk register, you may click on the recycle bin icon next to the category name in the dropdown.

Owner: You may add as many owners as you want to a specific risk

File Upload.

Note: Up to 10 files can be uploaded for a risk.

Impact: This is the threat impact (can be also set from the table directly).

Likelihood: This is the likelihood of a threat occurring (can be also set from the table directly).

Total Score: This represents the risk calculated by Impact x Likelihood (not directly editable)

Treatment Plan: By default, a risk is marked as "Needs Treatment" . Depending on a chosen Treatment response, you may get the following fields:

Mitigate or Transfer:

Accepted or Avoid:

Mapped Controls. You can unlink or link DCF controls to risks from here. Each will have a different color:

Internal Notes. You can add, edit or delete multiple notes for a risk.