Risk Management is all about the continuous process to identify, assess and manage, and monitor risks that could impact the security, reputation and financial health of a company. In an ever connected world where cyber attacks are evolving and increasing in frequency and severity, the need for a proactive and integrated risk management program is critical to the security posture of any organization. While Drata's Standard Risk Assessment Questionnaire covers standard compliance related requirements, with this module we provide a full-fledged risk management solution.

The Risk Management module is available as an add-on capability. Please contact your CSM or Support if you're interested in learning more and adding Risk Management to your account.

Only Drata controls specific to the frameworks you've purchased are pre-mapped to the module.

You can access the Risk Management module on the left navigation menu.

The appearance of the following screenshot may differ based on your roles and permissions. However, the Risk Management module will still be located in the left navigation menu.

On the top, you'll see your the overall posture of your risk register. You can switch between seeing your inherent vs. your residual score. The risks that make up your risk posture are active risks. You'll also see your assessment progress, which is measured by the total active risks that contain an inherent score. Add an inherent score by choosing the impact and likelihood.

On the left side, you may access various filters and sorts to apply to the risk table

Drata's Risk Library is pre-loaded with over 200 risks based on NIST SP 800-30, ISO 27005, OCR SRA, and other industry standards, from which you can use to build your Risk Register.

One copy of each of Drata's risks in the library can be added to your register at a time. Once added, you'll see a link to the risk in your register on the "Manage in Register" button.

Drata's standard risks cannot be edited within the context of the library. Once you add them to your register, they can be edited however it makes sense for your organization. If you ever need to refer back to Drata's standard language for risks, you can find them in the library.

Select the Download button to select which report you'd like to download.

Risk Assessment Report tips:

You may also download a Risk Treatment Plan CSV file of your risk treatment plan containing all of your risk treatment metadata.

As for the "All Risks" and "Filtered View" downloads, you may download a CSV of all the risks within your register, or all risks within the filtered view of your register.

In order to see available actions, you must first select risks from within your register using the checkboxes on each row. Select which risks you would like to perform a bulk action on, and then select the "Actions" menu.

Each threat-based risk item contains associated data such as risk id, description, category, control mapping, assessment score, etc. Hovering over the information icon () will display the risk code, title, and full description

Each risk from Drata's library comes with a pre-assigned category (which can be changed)

Hovering over the owners icon will display the list of owners for that risk once you have assigned an owner

Each risk from Drata's library comes pre-mapped to your in-scope DCF controls in Drata. Mapped controls are displayed on the risk row underneath the risk title. Controls that are “ready” will be green. Drata controls that are not ready will be displayed in red. Mapped controls that you have marked as out of scope will be grayed out. By default, you can see 3 controls on each risk from the table, but you can always expand the row to see them all.

Each risk needs to be analyzed through the threat impact and likelihood, and scored to be considered an assessed risk. You can select a score for your impact and your likelihood. The total score will be the impact multiplied by likelihood.

Note: We support custom scoring. To customize your scoring, go to Custom Risk Scoring & Legend. It is critical to ensure that the scoring on your report mirror the same scoring on your Risk Assessment Policy

To score from the risk row, click on the dropdown and select a score.

Once you have input the scores for both impact and likelihood, the “check” button next to the drop-downs will be enabled. Clicking on this will calculate your risk score and confirm your assessment of that risk.

When scoring from the risk row, a default value of “Needs Treatment” will be applied to the risk until you select an actual treatment response/method.

Note: You may also assess a risk by opening the drawer and scrolling down to the “Assessment” section of the drawer

Clicking on a row will open the risk drawer. From here you can edit all of the risk's data. It contains the following fields, all of which are editable and optional unless noted:

Risk ID (non-editable for risks from Drata's library)

Title (required)

Description (required)

Categories. You can assign or remove categories from the system from here. To untag a category from a specific risk, you can click on the X icon. In order to completely remove a category from your risk register, you may click on the recycle bin icon next to the category name in the dropdown.

Owner: You may add as many owners as you want to a specific risk

File Upload.

Note: Up to 10 files can be uploaded for a risk.

Impact: This is the threat impact (can be also set from the table directly).

Likelihood: This is the likelihood of a threat occurring (can be also set from the table directly).

Total Score: This represents the risk calculated by Impact x Likelihood (not directly editable)

Treatment Plan: By default, a risk is marked as "Untreated". Depending on a chosen Treatment response, you may get the following fields:

Mitigate or Transfer:

Accepted or Avoid:

Mapped Controls. You can unlink or link DCF controls to risks from here. Each will have a different color:

Internal Notes. You can add, edit or delete multiple notes for a risk.