
Risk Management

Written by Shannon DeLange
Updated yesterday

Vanta’s Risk Management page helps you identify and manage risks across your organization so you can take action where it matters most. This is especially helpful for security and compliance leads who need to track, review, and approve risk assessments as part of audits or internal processes. With customizable risk scenarios, multi-step approval workflows, and snapshot sharing, you can confidently manage your risk posture.

View the Risk Management Overview

The Risk Management overview allows you to view the current and residual scores for your risk scenarios.

  • Navigate to the Overview tab to view your current and residual scores for risk scenarios.

  • Use this overview to quickly assess the level of risk across your organization.

Use the Guided Tour

  • On the Risk Register tab, select View guided tours

  • Then select Show me how to walk through setup steps


Risk Registers

A risk register holds the current risks associated with your organization, and risks can be categorized based on the needs of your program.

Use Quick Actions

  • In the Quick Actions section, you can:

    • View all risks you own

    • View all scenarios you have access to

    • Create a snapshot

    • Generate an assessment report

Understand the Default Risk Register

  • A Default register is created automatically

  • All existing risks are moved into this default register

  • You can also rename the default register to better fit your organization’s needs

  • If you are working with the core risk management product, you will have access to one risk register.

Manage Access

  • Admins, Editors, and custom roles with risk module access can see all registers

  • To restrict access:

    • Assign users the Collaborator role or a custom role without risk access

    • Add those users to the specific register(s) they should see as a Viewer or Manager

Leveraging Multiple Risk Registers

Multiple risk registers are a feature available on our tiered pricing plans.

Create a New Register

  • From the left-hand navigation panel, select Risks. From here you can view risk scenarios by category, and add additional risk registers.

  • To create a new register, select Add register.

  • Provide a name and description.

  • Select Create

Edit a Register

  • Select the three-dot menu on the left-hand side of the register, and select Edit register details.

Risk Scenarios

A risk scenario is a detailed description of a potential event or situation that could negatively impact an organization’s operations, assets, or reputation. It outlines how a specific threat might exploit a vulnerability to cause harm, often including the source of risk, the event itself, and its possible consequences. Risk scenarios help organizations visualize and understand what could go wrong so they can prioritize and plan mitigation strategies. In compliance and security frameworks, these scenarios are used to assess likelihood and impact, guiding the development of effective controls. Essentially, they turn abstract risks into concrete, actionable examples for better decision-making.

Add a Custom Risk Scenario

  • You can also create custom risk scenarios from the risk register page by selecting + Scenario.

  • Complete the pop-up modal with:

    • Name: Name of the risk scenario

    • Description: Describe the actual or potential risk to your company's people, facilities, technology, and data

    • Register: The register the risk should belong to

    • Risk ID (optional)

Import Risk Scenarios

  • Choose the +Add scenario button

  • Select Via Import

  • Upload the file using the risk scenario template

  • The template includes the following fields (Risk Scenario is the only required field):

    • Risk Scenario (required): Describes an actual or potential risk to your organization's people, processes, technology, data, and facilities.

    • Risk ID: The unique ID of the risk, used to reference and update existing risks. We will auto-generate one if you don't specify it.

    • Inherent Likelihood: A score that represents how likely an intentional or accidental incident will occur based on this risk. The whole number must be in the range of 1 to 5; you can adjust your range in the risk management settings.

    • Inherent Impact: A score that represents how much the exploitation of this risk would harm your organization's ability to continue to operate. The whole number must be in the range of 1 to 5; you can adjust your range in the risk management settings.

    • Residual Likelihood: A score that represents how likely an intentional or accidental incident will occur based on this risk. The whole number must be in the range of 1 to 5; you can adjust your range in the risk management settings.

    • Residual Impact: A score that represents how much the exploitation of this risk would harm your organization's ability to continue to operate. The whole number must be in the range of 1 to 5; you can adjust your range in the risk management settings.

    • Note: Additional context about the risk scenario and why it has specific impact and likelihood scores.

    • Risk Treatment: Indicates how your leadership team wants to address an identified risk. Please note: not all risks need to be addressed immediately (or at all). The value must be one of the supported options.

    • Categories: A comma-separated list of categories this risk scenario belongs to. You can reference the current category options in your Risk Management settings and/or enter new values.

    • Owner: The person responsible for tracking and mitigating this risk scenario. This should be the email address of a valid Vanta user.

    • Risk Type (CIA): Classifies risks using the Confidentiality, Integrity, and Availability (CIA) triad.

    • Additional notes: A place to enter additional notes about this risk scenario. The value must be text.

    • Extra column: Place more info in this column. The value must be text.

    • Cost: Estimate the cost of a risk scenario. The value must be an integer.

    • Impact: Estimate the cost of a risk scenario. The value must be an integer.

    • Equipment Needed: What equipment is required to mitigate this risk. The value must be text.

    • Controls: The controls this risk is associated with. Provide a comma-separated list of control IDs.

  • Select Import
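Import errors are easiest to catch before the upload. The script below is an added example (not Vanta's code or template) that checks an import file against the field rules listed above: Risk Scenario present, score fields whole numbers within the configured range, Owner an email address, integer custom columns, and no duplicate Risk IDs within one file. It assumes the file is CSV with column headers matching the field names above, that the supported Risk Treatment options are the four strategies named later in this article (Accept, Transfer, Mitigate, Avoid), and that a risk score is likelihood multiplied by impact; none of those three points is stated on the page. The sample rows are constructed.

```python
"""Pre-import validator for a risk scenario import file (added example, not Vanta's code).

Assumptions not stated on the page: CSV input whose headers match the template
field names; Risk Treatment limited to Accept/Transfer/Mitigate/Avoid; and a
score computed as likelihood x impact.
"""
import csv
import io
import re

SCORE_FIELDS = ("Inherent Likelihood", "Inherent Impact",
                "Residual Likelihood", "Residual Impact")
TREATMENTS = {"accept", "transfer", "mitigate", "avoid"}   # assumed option set
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")        # coarse email shape check


def validate_row(row, line_no, score_min=1, score_max=5):
    """Return a list of problems for one row; an empty list means the row is valid.

    score_min/score_max mirror the adjustable range in Risk Management settings.
    """
    problems = []
    if not (row.get("Risk Scenario") or "").strip():
        problems.append(f"line {line_no}: Risk Scenario is required")

    for field in SCORE_FIELDS:
        raw = (row.get(field) or "").strip()
        if not raw:
            continue  # score fields are optional in the template; blank is allowed
        if not raw.isdigit() or not score_min <= int(raw) <= score_max:
            problems.append(f"line {line_no}: {field} must be a whole number "
                            f"from {score_min} to {score_max}, got {raw!r}")

    treatment = (row.get("Risk Treatment") or "").strip().lower()
    if treatment and treatment not in TREATMENTS:
        problems.append(f"line {line_no}: Risk Treatment {treatment!r} is not a supported option")

    owner = (row.get("Owner") or "").strip()
    if owner and not EMAIL_RE.match(owner):
        problems.append(f"line {line_no}: Owner must be an email address, got {owner!r}")

    for field in ("Cost", "Impact"):  # integer custom columns from the template
        raw = (row.get(field) or "").strip()
        if raw and not raw.lstrip("-").isdigit():
            problems.append(f"line {line_no}: {field} must be an integer, got {raw!r}")

    return problems


def split_list(value):
    """Split a comma-separated cell (Categories, Controls) into clean items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def validate_csv(text, score_min=1, score_max=5):
    """Validate every row and reject Risk IDs that repeat within the same file."""
    reader = csv.DictReader(io.StringIO(text))
    problems, seen_ids = [], {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header row
        problems.extend(validate_row(row, line_no, score_min, score_max))
        rid = (row.get("Risk ID") or "").strip()
        if rid:
            if rid in seen_ids:
                problems.append(f"line {line_no}: Risk ID {rid!r} duplicates line {seen_ids[rid]}")
            seen_ids[rid] = line_no
    return problems


def risk_score(likelihood, impact):
    """Assumed scoring convention (likelihood x impact); the page does not give a formula."""
    return int(likelihood) * int(impact)


# Constructed sample file: line 2 is valid, line 3 has four defects, line 4 reuses an ID.
SAMPLE_CSV = """Risk Scenario,Risk ID,Inherent Likelihood,Inherent Impact,Residual Likelihood,Residual Impact,Risk Treatment,Categories,Owner,Controls
Laptop with customer data lost or stolen,R-001,4,4,2,3,Mitigate,"Endpoint, Data",owner@example.com,"CTRL-1, CTRL-2"
,R-002,6,3,,,Ignore,Vendors,not-an-email,
Phishing leads to credential theft,R-001,3,5,2,4,Accept,Identity,owner@example.com,
"""

if __name__ == "__main__":
    for problem in validate_csv(SAMPLE_CSV):
        print(problem)
```

Run it against your own export before selecting Import; every reported line number refers to the CSV line, so the header counts as line 1. If you have changed the score range in settings, pass the new bounds as score_min and score_max.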

Adding Scenarios from the Risk Library

  • Go to the Risk Library tab or click + Add Scenario

  • Select prebuilt risk scenarios and add them to your register


Move Scenarios Between Registers

Multiple risk registers are a feature available on our tiered pricing plans.

  • Open the register containing the scenario

  • Select the scenario you want to move

  • Choose the destination register

Reviewing Risk Scenarios

Assign Risk Owners and Approvers

After creating a risk scenario, it enters a review and approval workflow. To update or change the approver for a risk scenario, open the risk and click to make an edit, which moves the risk to a "Needs Review" status. Users can then resubmit the risk for approval by selecting new approvers in the workflow. If an approval request is pending, approvers can be updated by canceling the existing approval and restarting the approval workflow.

  • You can assign an owner to track the risk

  • All customers can submit a risk for approval when ready

  • Core plan: The approver can be the owner, a risk admin, or a risk editor

  • Growth+ plan: Assign multiple approvers across up to 5 approval steps, with up to 3 approvers per step. Approvers can also be changed during the workflow process by canceling the existing approval from the approval screen's three-dot menu and restarting the approval process with new details.

Please note: Risks must be approved before you can add controls or tasks. Vendors can still be linked while the risk is pending approval. Risks can also be self-approved if the owner is added as the approver in the "Add approver(s)" search box when resubmitting the risk for approval.

Understanding Risk Statuses

Overview of Approval Permissions

Managing access and permissions in the Risk Register ensures roles align with organizational needs. Admins, Editors, and users with Custom roles (that include view/edit permissions) can access and edit risks. The Direct access field allows non-Admins or Collaborators to gain access to specific risks.

Each risk moves through a series of statuses based on its progress:

  • Draft

    • Risk has not been started or is partially filled out

  • Needs Review

    • Risk is ready for submission but hasn’t been submitted yet

    • Risk was edited after approval or had approval canceled

    • An approver requested changes

  • Pending Approval

    • Risk was submitted and is waiting for one or more approvers

  • Approved

    • All approvers have signed off

Once a risk is approved, any edits to the assessment will move it back to Needs Review.
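The status rules above amount to a small state machine, and modelling it makes the transitions easy to check. The class below is an added example, not Vanta's code: it encodes the four statuses, submission from Needs Review, multi-step approval using the Growth+ limits (5 steps, 3 approvers per step), a requested change or cancelled approval returning the risk to Needs Review, edits to an approved risk doing the same, and controls only being attachable once approved (vendors at any time). One assumption not on the page: approval steps complete in order, so a step-2 approver cannot sign before step 1 is done. The risk name and email addresses are constructed.

```python
"""Model of the risk status and approval workflow (added example, not Vanta's code).

Assumption not stated on the page: approval steps are completed sequentially.
"""
from enum import Enum

MAX_STEPS = 5                 # Growth+ limit stated in the article
MAX_APPROVERS_PER_STEP = 3    # Growth+ limit stated in the article


class Status(Enum):
    DRAFT = "Draft"
    NEEDS_REVIEW = "Needs Review"
    PENDING_APPROVAL = "Pending Approval"
    APPROVED = "Approved"


class WorkflowError(Exception):
    """Raised when an action is not allowed in the risk's current status."""


class Risk:
    def __init__(self, name, owner):
        self.name, self.owner = name, owner
        self.status = Status.DRAFT
        self.steps = []       # ordered list of approver sets
        self.signed = []      # per step, the approvers who have signed off
        self.controls, self.vendors = [], []

    def complete_assessment(self):
        """Filling out the assessment takes a Draft to Needs Review."""
        if self.status is Status.DRAFT:
            self.status = Status.NEEDS_REVIEW

    def submit(self, steps):
        """Submit for approval; `steps` is a list of sets of approver emails."""
        if self.status is not Status.NEEDS_REVIEW:
            raise WorkflowError(f"cannot submit a risk that is {self.status.value}")
        if not 1 <= len(steps) <= MAX_STEPS:
            raise WorkflowError(f"between 1 and {MAX_STEPS} approval steps are allowed")
        if any(not 1 <= len(s) <= MAX_APPROVERS_PER_STEP for s in steps):
            raise WorkflowError(f"each step needs 1 to {MAX_APPROVERS_PER_STEP} approvers")
        self.steps = [set(s) for s in steps]
        self.signed = [set() for _ in steps]
        self.status = Status.PENDING_APPROVAL

    def current_step(self):
        """Index of the first step still missing sign-offs, or None when all are done."""
        for i, step in enumerate(self.steps):
            if self.signed[i] != step:
                return i
        return None

    def approve(self, approver):
        if self.status is not Status.PENDING_APPROVAL:
            raise WorkflowError("no approval is pending")
        i = self.current_step()
        if approver not in self.steps[i]:
            raise WorkflowError(f"{approver} is not an approver on step {i + 1}")
        self.signed[i].add(approver)
        if self.current_step() is None:   # every step fully signed off
            self.status = Status.APPROVED

    def request_changes(self, approver):
        """An approver asking for changes sends the risk back to Needs Review."""
        if self.status is not Status.PENDING_APPROVAL or not any(approver in s for s in self.steps):
            raise WorkflowError("only an approver on a pending risk can request changes")
        self.status = Status.NEEDS_REVIEW

    def cancel_approval(self):
        """Cancel a pending request so approvers can be changed and the risk resubmitted."""
        if self.status is not Status.PENDING_APPROVAL:
            raise WorkflowError("no approval is pending")
        self.status = Status.NEEDS_REVIEW

    def edit(self):
        """Editing an approved risk moves it back to Needs Review; cancel first if pending."""
        if self.status is Status.PENDING_APPROVAL:
            raise WorkflowError("cancel the pending approval before editing")
        if self.status is Status.APPROVED:
            self.status = Status.NEEDS_REVIEW

    def add_control(self, control_id):
        if self.status is not Status.APPROVED:
            raise WorkflowError("controls can only be added to an approved risk")
        self.controls.append(control_id)

    def link_vendor(self, vendor):
        self.vendors.append(vendor)   # allowed regardless of status


def attempt(action, *args):
    """Run an action and return the WorkflowError message, or None on success."""
    try:
        action(*args)
    except WorkflowError as exc:
        return str(exc)
    return None


def walkthrough():
    """Scripted run of one constructed risk through the workflow; returns the status trail."""
    risk = Risk("Laptop with customer data lost", "owner@example.com")
    trail = [risk.status.value]
    risk.complete_assessment(); trail.append(risk.status.value)
    risk.submit([{"owner@example.com"}, {"ciso@example.com", "legal@example.com"}])
    trail.append(risk.status.value)
    risk.approve("owner@example.com")            # self-approval: owner listed as step-1 approver
    risk.approve("ciso@example.com"); risk.approve("legal@example.com")
    trail.append(risk.status.value)
    risk.add_control("CTRL-1")                   # only possible now that it is Approved
    risk.edit(); trail.append(risk.status.value)  # any edit after approval reopens review
    return trail
```

The walkthrough returns the trail Draft, Needs Review, Pending Approval, Approved, Needs Review, which is exactly the path a risk takes when it is approved and then edited. The attempt helper is there so the rejected actions (adding a control before approval, signing out of step order) can be checked without an exception stopping the script.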

Review and Mitigate a Risk

  • Click into the risk you would like to review and complete the required information in the side modal.


  • Choose a mitigation strategy:

    • Accept: Decide to live with the risk and take no further actions

    • Transfer: Move risk outside your organization's responsibilities, e.g., get cyber liability insurance

    • Mitigate: Identify controls to put in place or tasks to be done that will reduce the risk score.

    • Avoid: Fix the risk and underlying vulnerabilities to remove them entirely from your environment.

  • Create a task that details your actions to mitigate the risk by selecting Create Task. Add a due date and assign the task to the appropriate person.

  • Include any controls related to the risk scenario. Vanta can suggest controls if you toggle Recommended only on.

Estimate Residual Score

  • Residual risk is what remains after implementing controls. Enter updated Likelihood and Impact scores; a rough estimate is fine.


Archive or Restart a Risk

Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario at any time in the future, and the tasks will be restored.

  • Select the three-dot menu next to the risk

  • Select Archive to archive the risk


Use Filters to Find Risks

Use filters to narrow down and review specific risks.

  • The default filters in the risk register are:

    • Owner: Owner of the risk scenario

    • Categories: Risk category

    • Status: Status of a risk assessment

  • Additional filters are available and can be added to your risk register by selecting + Add Filter.

  • From here, you can select:

    • Treatment: The remediation strategy for a risk

    • Residual risk: The risk score after security controls and processes have been implemented

    • CIA Categories: Confidentiality, Integrity, and Availability

    • Source: Custom risk scenario or from the Vanta risk library

    • Status: Assessment status

    • Identified: The date the risk scenario was identified in your organization

    • Vendor: Vendors linked to the scenario

    • Impact: Who the risk scenario would impact if it came to fruition

Risk Settings

Creating Custom Risk Categories

Risk Customization is a feature available on our tiered pricing plans.

  • Under Settings, scroll to Custom Categories

  • Select Add to create a custom category

  • Enter the category name and select Add Category

  • The new custom category will be available to leverage for risk scenarios by editing the risk scenario and using the category dropdown

Preferences

  • Risk preferences let you choose what happens when adding risk scenarios from the Vanta library:

    • Always add recommended controls

    • Ask me every time if I want to add recommended controls

    • Never add recommended controls

Custom Fields

  • From the Settings page, you can add custom fields to provide additional levels of awareness and information for each risk scenario.

  • Custom fields will be consistently available for every risk scenario.

  • To add a new field, select Add

    • Enter a name

    • Enter a description

    • Select the data type

      • Currency

      • Date

      • Number

      • Multi-select

      • Text

Creating a Risk Snapshot

A snapshot captures your risk assessment at a specific point in time.

Create Snapshots per Register

  • On the Snapshots page or from a given register, you can create a snapshot for that register.

Create Assessment Reports per Register

  • In a register, click the … menu and then Generate report

View and Manage Snapshots

  • Go to the Snapshots page

  • Click a snapshot to view, download, or delete


Generate a Risk Assessment Report

Create a risk assessment report on the Vanta platform to showcase the security posture of your company to team members outside of the Vanta platform. To share your risk assessment:

  • From the Risk scenario tab, select Generate report

  • Click Export to download a PDF copy
