Skip to main content
All CollectionsRisksRisk Management
Risk Management overview
Risk Management overview

This article covers Drata Risk Management functionalities.

Updated over a week ago

HERE'S WHY

Risk Management is all about the continuous process to identify, assess and manage, and monitor risks that could impact the security, reputation and financial health of a company. In an ever connected world where cyber attacks are evolving and increasing in frequency and severity, the need for a proactive and integrated risk management program is critical to the security posture of any organization. While Drata's Standard Risk Assessment Questionnaire covers standard compliance related requirements, with this module we provide a full-fledged risk management solution.

BEFORE DIVING IN

The Risk Management module is available as an add-on capability. Please contact your CSM or Support if you're interested in learning more and adding Risk Management to your account.

Only Drata controls specific to the frameworks you've purchased are pre-mapped to the module.

OVERVIEW

You can access the Risk Management module on the left navigation menu.


The appearance of the following screenshot may differ based on your roles and permissions. However, the Risk Management module will still be located in the left navigation menu.

Risk Register

On the top, you'll see your the overall posture of your risk register. You can switch between seeing your inherent vs. your residual score. The risks that make up your risk posture are active risks. You'll also see your assessment progress, which is measured by the total active risks that contain an inherent score. Add an inherent score by choosing the impact and likelihood.

On the left side, you may access various filters and sorts to apply to the risk table

  • Risk Status: This filter allows you to filter in either the active or the archived status

  • Assessment: Each threat is marked as "not scored" until it is assessed (likelihood and impact is assigned).

  • Treatment: This filter is used to categorize threats by treatment options.

  • Risks:

    • Needs attention: The risks from Drata's risk library comes with pre-mapped controls to assist with monitoring. If any of the controls is not ready, the associated threats will show up under "needs Attention" section to help with monitoring.

    • Custom Risks: These are risks you added to the register yourself as opposed to ones you added from Drata's risk library

    • Internal Risks: These are risks not attached to or pertaining to a vendor in Drata

    • External Risks: These are risks attached to or pertaining to a vendor in Drata

  • Tickets: Filter by risks that have tickets attached to them that are either in progress or done.

  • Risk Owners: You may filter risks based on ownership status— whether or not an owner has been assigned.

  • Owners: You may filter based on the assigned owner.

  • Categories: You may filter threats based on tags. These could be either pre-loaded by Drata or added by you.

Drata's Risk Library

Drata's Risk Library is pre-loaded with over 200 risks based on NIST SP 800-30, ISO 27005, OCR SRA, and other industry standards, from which you can use to build your Risk Register.

One copy of each of Drata's risks in the library can be added to your register at a time. Once added, you'll see a link to the risk in your register on the "Manage in Register" button.

Drata's standard risks cannot be edited within the context of the library. Once you add them to your register, they can be edited however it makes sense for your organization. If you ever need to refer back to Drata's standard language for risks, you can find them in the library.

Downloads

Select the Download button to select which report you'd like to download.

Risk Assessment Report tips:

  • You will need to fill in company-specific info on the downloaded report in order for it to be audit-ready. Those sections are marked as <info>.

  • Once you have filled out the info, you should add the report file to your “Evidence Library” page in Drata.

You may also download a Risk Treatment Plan CSV file of your risk treatment plan containing all of your risk treatment metadata.

As for the "All Risks" and "Filtered View" downloads, you may download a CSV of all the risks within your register, or all risks within the filtered view of your register.

Actions

In order to see available actions, you must first select risks from within your register using the checkboxes on each row. Select which risks you would like to perform a bulk action on, and then select the "Actions" menu.

Risk Sections

Each threat-based risk item contains associated data such as risk id, description, category, control mapping, assessment score, etc. Hovering over the information icon () will display the risk code, title, and full description

Each risk from Drata's library comes with a pre-assigned category (which can be changed)

Hovering over the owners icon will display the list of owners for that risk once you have assigned an owner

Each risk from Drata's library comes pre-mapped to your in-scope DCF controls in Drata. Mapped controls are displayed on the risk row underneath the risk title. Controls that are “ready” will be green. Drata controls that are not ready will be displayed in red. Mapped controls that you have marked as out of scope will be grayed out. By default, you can see 3 controls on each risk from the table, but you can always expand the row to see them all.

Analyzing and Assessing a risk

Each risk needs to be analyzed through the threat impact and likelihood, and scored to be considered an assessed risk. You can select a score for your impact and your likelihood. The total score will be the impact multiplied by likelihood.

Note: We support custom scoring. To customize your scoring, go to Custom Risk Scoring & Legend. It is critical to ensure that the scoring on your report mirror the same scoring on your Risk Assessment Policy

To score from the risk row, click on the dropdown and select a score.

Once you have input the scores for both impact and likelihood, the “check” button next to the drop-downs will be enabled. Clicking on this will calculate your risk score and confirm your assessment of that risk.

When scoring from the risk row, a default value of “Needs Treatment” will be applied to the risk until you select an actual treatment response/method.

Note: You may also assess a risk by opening the drawer and scrolling down to the “Assessment” section of the drawer

RISK DRAWER

Clicking on a row will open the risk drawer. From here you can edit all of the risk's data. It contains the following fields, all of which are editable and optional unless noted:

Risk ID (non-editable for risks from Drata's library)

Title (required)

Description (required)

Categories. You can assign or remove categories from the system from here. To untag a category from a specific risk, you can click on the X icon. In order to completely remove a category from your risk register, you may click on the recycle bin icon next to the category name in the dropdown.

Owner: You may add as many owners as you want to a specific risk

File Upload.

Note: Up to 10 files can be uploaded for a risk.

Impact: This is the threat impact (can be also set from the table directly).

Likelihood: This is the likelihood of a threat occurring (can be also set from the table directly).

Total Score: This represents the risk calculated by Impact x Likelihood (not directly editable)

Treatment Plan: By default, a risk is marked as "Untreated". Depending on a chosen Treatment response, you may get the following fields:

Mitigate or Transfer:

  • Treatment Details

  • Anticipated Completion Date

  • Completed Date

  • Reviewer

  • Residual Impact

  • Residual Likelihood

  • Residual Total Score

Accepted or Avoid:

  • Treatment Details

  • Completed Date

  • Reviewer

Mapped Controls. You can unlink or link DCF controls to risks from here. Each will have a different color:

  • Green: Available and ready

  • Red: Not ready

  • Gray: Out of Scope

Internal Notes. You can add, edit or delete multiple notes for a risk.

Did this answer your question?