Vendor Risks & Risk Overview
Written by Ashley Hyman
Updated over a week ago

The Vendor Risk tab and Risk Overview dashboard allow you to add and track all the risks associated with your vendors in a single place.

HERE'S WHY

Today, it is more important than ever to track all of your organization’s ongoing risks in a single centralized place and avoid the challenges of tracking different risks in different tools.

Once you’ve identified risks from your security review, Drata enables you to easily monitor, track and treat those risks. Below is an example list of vendor risks that our customers have tracked in Drata:

  • Vendor has a password policy that does not meet our internal policy requirements for passwords

  • Vendor does not meet our requirements for security controls

  • Vendor does not complete Pen Tests

  • Vendor does not have MDM

  • Vendor does not have MFA

  • Vendor does not have SOC 2

BEFORE DIVING IN

This feature is only available to our TPRM Pro customers.

HERE'S HOW

  • In your Vendor Directory, click on a Vendor.

  • Once you’ve entered the Vendor Profile, click on the “Risks” tab.

  • To add a risk, click “Add A Risk” and a drawer will open.

  • Enter information about the risk into the drawer. It contains the following fields, all of which are editable and optional unless noted:

Risk ID (non-editable): This will be pre-filled.

Risk Identified Date: This is the date you’ve identified the risk.

Title (required): Title of your risk. Example risk titles are listed in the “Here’s Why” section above.

Description (required): Description of your risk.

Categories: You can assign or remove categories from the system here. To untag a category from a specific risk, click the X icon. To completely remove a category from your risk register, click the recycle bin icon next to the category name in the dropdown.

Risk Owner: You may add as many owners as you want to a specific risk.

Supporting Documents: Up to 10 files can be uploaded for a risk.

  • Once you scroll further, you’ll find more information, including assessment, treatment and internal notes.

Impact: This is the threat impact (it can also be set directly from the Risk Overview or the Risk tab table).

Likelihood: This is the likelihood of a threat occurring (it can also be set directly from the table).

Total Score: This represents the risk score, calculated as Impact x Likelihood.

Note: For those with Risk Management, the assessment will be the same scale as the custom risk scoring in your Risk Management.

Treatment Plan: By default, a risk is marked as "Needs Treatment". Depending on the chosen Treatment response, you will see the following fields:

Mitigate or Transfer:

  • Treatment Details

  • Anticipated Completion Date

  • Completed Date

  • Reviewer

  • Residual Impact

  • Residual Likelihood

  • Residual Total Score

Accepted or Avoid:

  • Treatment Details

  • Completed Date

  • Reviewer

Internal Notes: You can add, edit or delete multiple notes for a risk.

  • Once you’ve clicked “Save” and added your risk, if you have Risk Management, you will be informed that your Risk has also been added to the Risk Management section. More details are in the Vendor Risks and Risk Management section below.

  • On the profile page, you can view the list of Risks associated with your vendor.

Vendor Risks Overview Dashboard

  • After you’ve added your Risks, navigate to the Directory page and click “Vendor risks overview”.

  • On the dashboard page, you will see an overview of all the Risks associated with your vendors and an overview of your vendor Risk posture.
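The field descriptions, scoring rule and dashboard above translate naturally into a small data model. The following is an added example written for this article, not Drata's own code or API: it enforces the documented constraints (Title and Description required, at most 10 Supporting Documents, Total Score = Impact x Likelihood, residual fields only for Mitigate or Transfer) and rolls the register up into the kind of summary a risk overview dashboard shows. The 1-5 scoring scale, the vendor names and the risk values are constructed assumptions; the page does not state the scale.

```python
"""Toy vendor-risk register. Added example, not Drata code.
Assumption: Impact and Likelihood use a 1-5 scale (the article does not state the scale)."""
from dataclasses import dataclass, field
from typing import Optional

NEEDS_TREATMENT = "Needs Treatment"          # default state per the article
RESIDUAL_TREATMENTS = {"Mitigate", "Transfer"}  # only these carry residual fields
ALL_TREATMENTS = RESIDUAL_TREATMENTS | {"Accept", "Avoid", NEEDS_TREATMENT}
SCALE = range(1, 6)                          # assumed 1-5 scale


@dataclass
class VendorRisk:
    risk_id: str                 # pre-filled, non-editable in the UI
    vendor: str
    title: str                   # required
    description: str             # required
    impact: int
    likelihood: int
    treatment: str = NEEDS_TREATMENT
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None
    categories: list = field(default_factory=list)
    owners: list = field(default_factory=list)      # any number of owners
    documents: list = field(default_factory=list)   # at most 10 files

    def __post_init__(self):
        if not self.title or not self.description:
            raise ValueError("Title and Description are required")
        if len(self.documents) > 10:
            raise ValueError("at most 10 supporting documents per risk")
        if self.treatment not in ALL_TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError("Impact and Likelihood must be on the 1-5 scale (assumed)")
        has_residual = self.residual_impact is not None or self.residual_likelihood is not None
        # Accept / Avoid / Needs Treatment have no residual fields in the drawer
        if has_residual and self.treatment not in RESIDUAL_TREATMENTS:
            raise ValueError("residual fields only apply to Mitigate or Transfer")

    @property
    def total_score(self) -> int:
        """Total Score = Impact x Likelihood, as described in the article."""
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> Optional[int]:
        """Residual Total Score, present only once a Mitigate/Transfer plan is filled in."""
        if self.treatment not in RESIDUAL_TREATMENTS:
            return None
        if self.residual_impact is None or self.residual_likelihood is None:
            return None
        return self.residual_impact * self.residual_likelihood


def overview(risks: list) -> dict:
    """Dashboard-style roll-up of a vendor risk register."""
    by_vendor: dict = {}
    for r in risks:
        by_vendor[r.vendor] = by_vendor.get(r.vendor, 0) + 1
    highest = max(risks, key=lambda r: r.total_score) if risks else None
    # inherent score minus residual score, summed over risks with a residual assessment
    reduction = sum(r.total_score - r.residual_score
                    for r in risks if r.residual_score is not None)
    return {
        "risks": len(risks),
        "needs_treatment": sum(r.treatment == NEEDS_TREATMENT for r in risks),
        "highest": (highest.risk_id, highest.total_score) if highest else None,
        "by_vendor": by_vendor,
        "residual_reduction": reduction,
    }


def sample_register() -> list:
    """Constructed sample data using example titles from the article."""
    return [
        VendorRisk("VR-01", "Acme (constructed)", "Vendor does not have MFA",
                   "Admin console lacks MFA (constructed)", impact=5, likelihood=4,
                   treatment="Mitigate", residual_impact=2, residual_likelihood=2,
                   categories=["Access Control"], owners=["security@example.com"]),
        VendorRisk("VR-02", "Acme (constructed)", "Vendor does not have SOC 2",
                   "No SOC 2 report available (constructed)", impact=3, likelihood=3,
                   treatment="Accept"),
        VendorRisk("VR-03", "Globex (constructed)", "Vendor does not complete Pen Tests",
                   "No annual pen test evidence (constructed)", impact=4, likelihood=2),
    ]


if __name__ == "__main__":
    for r in sample_register():
        print(r.risk_id, r.total_score, r.residual_score)
    print(overview(sample_register()))
```

Running the module prints each risk's Total Score and Residual Total Score followed by the roll-up; the validation in `__post_init__` is where the drawer's field rules live, so a misuse such as attaching a residual assessment to an Accepted risk is rejected at construction time rather than silently ignored.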

Vendor Risks and Risk Management

For those of you with Risk Management, Vendor Risks and Risk Management are connected.

  • As shown above, once you’ve clicked “Save” and added your risk to a Vendor, if you have Risk Management, you will be informed that your Risk has also been added to the Risk Management section.

  • Click “View VR-01 in Risk Management” in the modal, or click “Risk management related to [Vendor]” in the tab (both shown below).

  • You will be taken to the Risk Management module, which lists all your Risks related to this vendor.

  • From the Risk Management page, you can also add a Vendor Risk by clicking “Add Risk” and selecting “External Risk”.

  • The drawer details are the same as when adding a risk through the Vendor profile, with one additional Vendor field where you must choose the vendor the External Risk is associated with. The field shows a drop-down of all your vendors (as seen below).

  • On the Vendor Risk Overview page, you can also click “View more insights”.

  • This takes you to the Risk Management Insights page, filtered to “External Risks”.
