Many compliance frameworks, such as SOC 2, ISO 27001, require you to identify and evaluate potential risks and uncertainties that could affect your organization. This process is called “risk assessment”.While risk assessment is an ongoing process, most organizations follow a yearly cadence to make sure risks are reviewed and updated to reflect changing environments, technologies, and business strategies.
Drata’s Risk Assessment helps you streamline the process for evaluating and managing your risks.
Getting started with Risk Assessment
You’ll have access to several resources the first time you open Risk Assessment in Drata. These resources are designed to help you become familiar with risk assessment (if you’re unfamiliar with it) and give you a starting point for populating your risk register.
To learn more about how to automatically populate your Risk Register, go to Streamlined Risk Assessment set up.
To learn more about Risk Assessment and the processes, go to Getting started with Risk Assessment.
Tracking risks
At the top of the page, you can view graphs that showcase how many risks are assessed and how vulnerable or prepared you are against security threats.
Risks assessed are the risks that have a score. A scored risk means that you have analyzed the impact of the risk and it has an inherent risk score or a residual risk score.
You can view how many risks are assessed and how many are not assessed. You can also go to the table and select the desired filters under Assessment to view the risks that have scores and do not.
Inherent risk score and Residual risk score
Each assessed risk has either an inherent risk score or residual risk score.
Inherent risk score: is a measurement of how severe a risk is before it is mitigated or otherwise treated
Residual risk scores: is a measurement of how severe a risk remains after it has been mitigated. Mapping a control to a risk is a part of creating the Treatment plan.
To learn more, go to the Residual Risk help article.
Each score is calculated based on the likelihood and impact.
Risk posture
Identify your overall preparedness against cyber attacks and other security threats by viewing the graph displayed under Risk posture.
The graph displays the risks that have scores and groups them into buckets depending on the it’s score. Underneath each colored block is the total number of risks.
You can select the blocks on the graph and the table displayed underneath displays the risks that have the score range. For example, if you select the green block of color, then the table below displays risks that have a score between 1 and 4.
Table of Risk Posture graph scoring
Color | Severity of Risk | Score Range |
| Low Risk | 1-4 |
| Medium Risk | 5-9 |
| High Risk | 10-16 |
| Critical Risk | 17-20 |
Green
Yellow
Light Orange
OrangeDownload reports, risk treatments, or risks
Select Download to download the following reports and CSV files.
Manage your risks
Select the Actions button to assign risk owners or risk categories, move risks to the risk library or delete custom risks in bulk. You can assign multiple risk owners or risk categories.
Select the desired risks and then select the desired action.
You can also create custom risks. To learn more about custom risks, go to Manage custom risks.