Risk Assessment overview
Written by Jane Baik
Updated over a week ago

Many compliance frameworks, such as SOC 2 and ISO 27001, require you to identify and evaluate potential risks and uncertainties that could affect your organization. This process is called “risk assessment”. While risk assessment is an ongoing process, most organizations follow a yearly cadence to make sure risks are reviewed and updated to reflect changing environments, technologies, and business strategies.

Drata’s Risk Assessment helps you streamline the process for evaluating and managing your risks.

Getting started with Risk Assessment

You’ll have access to several resources the first time you open Risk Assessment in Drata. These resources are designed to help you become familiar with risk assessment (if you’re unfamiliar with it) and give you a starting point for populating your risk register.

Tracking risks

At the top of the page, you can view graphs that showcase how many risks are assessed and how vulnerable or prepared you are against security threats.

Risks assessed are the risks that have a score. A scored risk means that you have analyzed the impact of the risk and it has an inherent risk score or a residual risk score.

You can view how many risks are assessed and how many are not assessed. You can also go to the table and select the desired filters under Assessment to view the risks that have scores and those that do not.

Inherent risk score and Residual risk score

Each assessed risk has either an inherent risk score or residual risk score.

  • Inherent risk score: a measurement of how severe a risk is before it is mitigated or otherwise treated.

  • Residual risk score: a measurement of how severe a risk remains after it has been mitigated. Mapping a control to a risk is a part of creating the Treatment plan.

Each score is calculated based on the likelihood and impact.

Risk posture

Identify your overall preparedness against cyber attacks and other security threats by viewing the graph displayed under Risk posture.

The graph displays the risks that have scores and groups them into buckets depending on their score. Underneath each colored block is the total number of risks in that bucket.

You can select a block on the graph, and the table underneath then displays the risks whose scores fall in that block's score range. For example, if you select the green block of color, then the table below displays risks that have a score between 1 and 4.

Table of Risk Posture graph scoring


Severity of Risk

Score Range


Low Risk



Medium Risk


Light Orange

High Risk



Critical Risk


Download reports, risk treatments, or risks

Select Download to download the following reports and CSV files.

Manage your risks

Select the Actions button to assign risk owners or risk categories, move risks to the risk library or delete custom risks in bulk. You can assign multiple risk owners or risk categories.

Select the desired risks and then select the desired action.

You can also create custom risks. To learn more about custom risks, go to Manage custom risks.
