HERE'S WHY
Risk Management is a continuous process of identifying, assessing, managing, and monitoring risks that could impact the security, reputation, and financial health of a company. In an ever connected world where cyber attacks are evolving and increasing in frequency and severity, the need for a proactive and integrated risk management program is critical to the security posture of any organization.
BEFORE DIVING IN
Note: Risk Management is part of the Advanced package and is separate from Risk Assessment. Learn more at https://drata.com/plans.
Please contact your CSM or Support if you're interested in learning more and adding Risk Management to your account.
Only Drata controls specific to the frameworks you've purchased are pre-mapped to the module.
OVERVIEW
You can access the Risk Management module on the left navigation menu.
The appearance of the following screenshot may differ based on your roles and permissions. However, the Risk Management module will still be located in the left navigation menu.
Register tab
At the top of the page, you'll find an overview of your risk register posture, which includes two key metrics:
Assessment Progress: Displays the total number of active risks that have an inherent score assigned.
Risk posture for active risks: Allows you to filter risks based on:
Risk type: Internal, external, or all risks.
Risk score: Inherent or residual score.
These active risks collectively define your risk posture, helping you assess and prioritize mitigation efforts.
Filter
To filter risks, select the Filter button and choose your desired criteria.
To display the filter menu, select the first option next to the filter heading:
To hide the filter menu, select the second option next to the filter heading:
Filters on the Register tab
Risk status: This filter allows you to filter in either the active, closed, or archived status
Active risks: Risks that you are actively working to manage, treat, or mitigate the risk.
Closed risks: Risks that you have completed all the work for and are more or less "done".
Archived risks: Risks that are a historical risk. These risks you may want to continue to track for only documentation purposes because they do not pose a risk (due to non-applicable or obsolete).
Assessment: Each threat is marked as "not scored" until it is assessed (likelihood and impact is assigned).
Treatment: This filter is used to categorize threats by treatment options.
Risks:
Needs attention: Risks mapped to controls that are not ready will display under the "Needs Attention" filter results. This applies to both DCF and custom controls.
Custom Risks: These are risks you added to the register yourself as opposed to ones you added from Drata's risk library
Internal Risks: These are risks not attached to or pertaining to a vendor in Drata
External Risks: These are risks attached to or pertaining to a vendor in Drata
Risk Owners: You may filter risks based on ownership status— whether or not an owner has been assigned.
Owners: You may filter based on the assigned owner.
Categories: You may filter threats based on tags. These could be either pre-loaded by Drata or added by you.
Downloads
Select the Download button to select which report you'd like to download.
Download Report:
Risk Assessment Report: Requires company-specific details to be added for audit readiness (marked as <info>). Once completed, upload it to your Evidence Library in Drata.
Download CSV:
Risk Treatment: Contains all risk treatment metadata, allowing you to track and manage treatment plans.
All Risks CSV: Exports a complete list of all risks in your register.
Filtered View CSV: Exports only the risks shown in your filtered view.
Actions
In order to see available actions, you must select risks from within your register using the checkboxes on each row. Select which risks you would like to perform a bulk action on, and then select the "Actions" menu.
To access available actions:
Select risks in your register using the checkboxes in each row or select all the risks.
Select the "Actions" menu to apply the desired action.
Risk Sections
Each threat-based risk item includes key details such as Risk ID, description, category, control mapping, assessment score, and more—displayed in the risk register table.
Pre-assigned categories
Risks from Drata's library come with a default category, which can be modified as needed.
Ownership visibility
Hover over the owner’s icon to view the list of assigned owners for a risk.
Control mapping:
Risks from Drata’s library are pre-mapped to your in-scope DCF controls.
Mapped controls appear in the controls column and are color-coded:
Green – Control is ready.
Red – Control is not ready.
Gray – Control is marked out of scope.
By default, three controls are visible per risk in the table, but you can expand the row to see all mapped controls.
Analyzing and Assessing a risk
Each risk needs to be analyzed through the threat impact and likelihood, and scored to be considered an assessed risk. You can select a score for your impact and your likelihood. The total score will be the impact multiplied by likelihood.
Note: We support custom scoring. To customize your scoring, go to Custom Risk Scoring & Legend. It is critical to ensure that the scoring on your report mirror the same scoring on your Risk Assessment Policy
To score from the risk row, click on the dropdown and select a score. You may have to scroll the table to the left.
RISK DRAWER
When scoring from the risk row, a default value of “Needs Treatment” will be applied to the risk until you select an actual treatment response/method.
Note: You may also assess a risk by opening the drawer and scrolling down to the “Assessment” section of the drawer
Clicking on a row will open the risk drawer. From here you can edit all of the risk's data. It contains the following fields, all of which are editable and optional unless noted:
Risk ID (non-editable for risks from Drata's library)
Title (required)
Description (required)
Categories. You can assign or remove categories from the system from here. To untag a category from a specific risk, you can click on the X icon. In order to completely remove a category from your risk register, you may click on the recycle bin icon next to the category name in the dropdown.
Owner: You may add as many owners as you want to a specific ris
File Upload.
Note: Up to 10 files can be uploaded for a risk.
Under Assessment section:
Impact: This is the threat impact (can be also set from the table directly).
Likelihood: This is the likelihood of a threat occurring (can be also set from the table directly).
Total Score: This represents the risk calculated by Impact x Likelihood (not directly editable)
Treatment Plan: By default, a risk is marked as "Untreated". Depending on a chosen Treatment response, you may get the following fields:
Mitigate or Transfer.
Treatment Details
Anticipated Completion Date
Completed Date
Reviewer
Residual Impact
Residual Likelihood
Residual Total Score
Accepted or Avoid:
Treatment Details
Completed Date
Reviewer
Mapped Controls. You can unlink or link DCF controls to risks from here. Each will have a different color:
Green: Available and ready
Red: Not ready
Gray: Out of Scope
Internal Notes. You can add, edit or delete multiple notes for a risk.
Drata's Risk Library
Drata's Risk Library is pre-loaded with over 200 risks based on NIST SP 800-30, ISO 27005, OCR SRA, and other industry standards, from which you can use to build your Risk Register.
Each of Drata's risks in the library can be added to your register. Once added, you'll see a link to the risk in your register on the "Manage in Register" button.
Drata's standard risks cannot be edited within the context of the library. Once you add them to your register, they can be edited. If you ever need to refer back to Drata's standard language for risks, you can find them in the library.