There can be multiple methods to measure risk. Therefore, we offer a flexible and configurable approach to risk measurement and management. Whether you are calculating your risk appetite, adding a risk modifier, or measuring financial risk, Drata allows you to configure inputs to match your specific workflow.
You can also utilize a custom formula within another formula, which creates an Advance formula. To learn more, go to the Creating advance formula section.
Prerequisite
You must have the Advanced or Foundation package.
You must have an Admin, Information Security Lead, or Workspace Manager role.
Even if you are a Risk Manager, you must be assigned one of the previously mentioned roles.
Only currency and numerical fields can be used.
You can create a maximum of 50 custom formulas within each account.
The following field types within Risk Assessment or Risk Management can be used in the expression builder:
Number
Currency
Dropdown (number)
Common use cases
The following examples utilize Custom Formulas for risks to solve business needs. This is meant to give you just a few examples of how custom formulas may be used to serve your organization’s specific workflows when assessing and evaluating a Risk.
Financial Impact
Financial Impact: Measure the potential financial impact for each risk event.
Create a custom field that equates to the Likelihood field or use Drata’s own Inherent Likelihood field in regard to the probability of the Risk event occurring.
Create another custom field that equates to the Financial Loss for the Risk, utilizing a Currency field type.
Finally, create a Custom Formula with the following expression:
Note: The Risk Probability field is divided by 100 in case you want to measure the percentage as an input of the formula.
You can view your formula in the Risk Drawer:
Risk Appetite use case
Here is another use case, in which you can also apply Custom Formulas similar to the previous example.
Risk Appetite: While this can be an aggregated number of all your Risks, you can calculate the individual (financial) Risk Appetite by using the following formula:
Operational Risk Tolerance
Operational Risk Tolerance: Let’s say you want to calculate the potential Operational Risk Tolerance related to a Risk surrounding Business Continuity, in the event of your system(s) going down temporarily.
You can use the following formula:
Create Custom Formulas
Navigate to the Company Settings page. There, you will find a card displaying Custom Fields and Formulas, where the previously mentioned roles can configure the custom fields and formulas to evaluate risks.
On the Custom Fields and Formulas page, ensure you are on the Custom formula tab. Then, select Create custom formula.
Follow the 3-part wizard to create a custom formula, starting with the Details section. First, enter the name of your custom formula. After you are done, select Next.
Then, select the placement of the formula within a specific section of the Risk Drawer.
The default location is Risks, as Custom Formulas are only available within Risk Management and Risk Assessment.
Risk Management is only available in the Advanced package.
In the final step, you can either build your expression using operators, custom fields, and risk fields or create an Advance formula.
The expression builder provides real-time feedback on whether your expression is valid.
The builder allows a maximum of 35 terms.
You can manually input numerical values and operators within the expression.
Note: Only valid expressions can be saved.
The result of your custom formula displays inside the Risk drawer and updates in real-time as you modify applicable inputs and fields used in the formula.
Creating advance formula
Now, you can utilize one of your custom formulas within a new formula to make it even easier to create formulas. Here are some things to consider when creating custom formulas:
A formula that is referenced or utilized within another formula cannot be deleted.
This is so that we can ensure all formulas you are using are working as expected.
You cannot reference or utilize a formula that is already referencing another formula.
A formula that is utilizing another formula is considered to be an advance formula. These advance formulas cannot be used in another formula.
To make an Advance formula, add a formula (that is not an advance formula) within the Formula section when creating a custom formula. The following image showcases a user selecting a formula within their expression. Now, all they need to do is complete that expression and save.
Troubleshooting tips:
If you selected an advance formula, you will not be able to save and must correct the issue. For example, the following image showcases a user attempting to utilize an advance formula when creating a new formula:
If you selected a formula with a different currency, you will not be able to save that formula. Ensure that both formulas have the same currency locale. The following image showcases when a formula with a different currency locale is being utilized:
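The reference rules from this section, together with the 35-term and 50-formula limits stated earlier, modeled as an added Python example that is not Drata's code. The `Registry` and `Formula` classes, the `formula:` token prefix, the string representation of the currency locale, and counting every token as a term are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_TERMS = 35     # page: the builder allows a maximum of 35 terms
MAX_FORMULAS = 50  # page: at most 50 custom formulas per account
REF = "formula:"   # assumed token prefix marking a reference to another formula

class FormulaError(ValueError):
    """Raised where the page says a formula cannot be saved or deleted."""

@dataclass
class Formula:
    name: str
    terms: list            # tokens: numbers, operators, "field:..." or "formula:..."
    currency: str = "USD"  # currency locale (assumed representation)

    def refs(self):
        return [t[len(REF):] for t in self.terms if isinstance(t, str) and t.startswith(REF)]

class Registry:
    def __init__(self):
        self.formulas = {}

    def create(self, f):
        if len(self.formulas) >= MAX_FORMULAS:
            raise FormulaError("account already has 50 custom formulas")
        if len(f.terms) > MAX_TERMS:  # assumption: every token counts as a term
            raise FormulaError("expression exceeds 35 terms")
        for ref in f.refs():
            target = self.formulas.get(ref)
            if target is None or target.refs():  # only non-advance formulas may be referenced
                raise FormulaError(f"{ref} is missing or is itself an advance formula")
            if target.currency != f.currency:
                raise FormulaError(f"{ref} has a different currency locale")
        self.formulas[f.name] = f

    def delete(self, name):
        users = [f.name for f in self.formulas.values() if name in f.refs()]
        if users:  # a referenced formula cannot be deleted
            raise FormulaError(f"{name} is referenced by {', '.join(users)}")
        del self.formulas[name]

def attempt(action, *args):
    """Return 'ok' or the rejection message for one create/delete call."""
    try:
        action(*args)
        return "ok"
    except FormulaError as exc:
        return str(exc)
```

Because references are limited to one level, a dependency chain can never be longer than two formulas, so the delete check only has to look at direct users of a formula.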
View the Custom Formula and calculation within a Risk
To view the custom formula and its result, select the Risk to open the drawer and locate the field where you configured the Placement step during the initial creation.
The result updates in real-time, allowing you to adjust inputs and view the output instantly. Additionally, you can see the formula beneath the field name (and description if available), as well as the values used when hovering over the individual terms.
Modifications to a Custom Field
Note: Modifications to a custom field used in a formula are limited.
When a field is used in a formula, it cannot be deleted, and the Risk placement cannot be updated.
Any custom field actively used within a custom formula is limited to updates of its name and description and cannot be deleted. A banner displays above the custom field indicating which custom formula uses that field.