Vanta’s Risk Management page helps you identify and manage risks across your organization so you can take action where it matters most. This is especially helpful for security and compliance leads who need to track, review, and approve risk assessments as part of audits or internal processes. With customizable risk scenarios, multi-step approval workflows, and snapshot sharing, you can confidently manage your risk posture.
View the Risk Management Overview
The Risk Management overview allows you to view the current and residual scores for your risk scenarios.
Navigate to the Risk Management tab to view your current and residual scores for risk scenarios
Use this overview to quickly assess the level of risk across your organization
Use the Guided Tour
On the Risk Register tab, select View guided tours
Then select Show me how to walk through setup steps
Review and Create Risk Scenarios
From the Risk Register, you can review existing risks or add new ones to document potential threats to your business.
Add a Risk Scenario
You can also create custom risk scenarios from the risk register page by selecting + Scenario.
Creating a Manual Risk Scenario
Complete the pop-up modal with the following fields:
Description: Describe the actual or potential risk to your company's people, facilities, technology, and data
Category: The category of risk
Likelihood: How likely an intentional or accidental incident is to occur based on this risk.
Impact: How much the exploitation of this risk would harm your organization's ability to continue to operate.
Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if no existing actions apply here.
Select Create Risk scenario
Please note: Marking a scenario as sensitive limits visibility to admins only.
Import Risk Scenarios
Choose the +Add scenario button
Select Via Import
Upload the file using the risk scenario template
The template fields are (Risk Scenario is required):
Field | Description
--- | ---
Risk Scenario (required) | This describes an actual or potential risk to your organization's people, processes, technology, data, and facilities.
Risk ID | The unique ID of the risk, used to reference and update existing risks. We will auto-generate one if you don't specify it.
Inherent Likelihood | A score that represents how likely an intentional or accidental incident is to occur based on this risk. The whole number must be in the range of 1 to 5; you can adjust the range in the Risk Management settings.
Inherent Impact | A score that represents how much the exploitation of this risk would harm your organization's ability to continue to operate. The whole number must be in the range of 1 to 5; you can adjust the range in the Risk Management settings.
Residual Likelihood | A score that represents how likely an intentional or accidental incident is to occur based on this risk after controls are in place. The whole number must be in the range of 1 to 5; you can adjust the range in the Risk Management settings.
Residual Impact | A score that represents how much the exploitation of this risk would harm your organization's ability to continue to operate after controls are in place. The whole number must be in the range of 1 to 5; you can adjust the range in the Risk Management settings.
Note | Additional context about the risk scenario and why it has its specific impact and likelihood scores.
Risk Treatment | Indicate how your leadership team wants to address an identified risk. Please note: not all risks need to be addressed immediately (or at all). The value must be one of the supported options.
Categories | A comma-separated list of categories this risk scenario belongs to. You can reference the current category options in your Risk Management settings and/or enter new values.
Owner | The person responsible for tracking and mitigating this risk scenario. This must be the email address of a valid Vanta user.
Risk Type (CIA) | Classifies the risk using the Confidentiality, Integrity, and Availability (CIA) triad.
Additional notes | A place to enter additional notes about this risk scenario. The value must be "text".
Extra column | Place more info in this column. The value must be "text".
Cost | Estimate the cost of a risk scenario. The value must be "integer".
Impact | Estimate the cost of a risk scenario. The value must be "integer".
Equipment Needed | What equipment is required to mitigate this risk. The value must be "text".
Controls | The controls this risk is associated with, as a comma-separated list of control IDs.
Select Import
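Checking a template file against the constraints in the table above before uploading it saves a failed import. The script below is an added illustration, not Vanta's own code or template: the treatment option names are assumed to match the four strategies listed later on this page (Accept, Transfer, Mitigate, Avoid), the owner check is syntax only (whether the email belongs to a Vanta user can only be verified by Vanta), and the sample rows are constructed.

```python
import csv
import io
import re
import uuid

# Assumed treatment options (the page lists these four mitigation strategies).
TREATMENTS = {"Accept", "Transfer", "Mitigate", "Avoid"}
SCORE_FIELDS = ("Inherent Likelihood", "Inherent Impact",
                "Residual Likelihood", "Residual Impact")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_row(row, score_min=1, score_max=5):
    """Return (cleaned_row, errors) for one template row.

    score_min/score_max mirror the adjustable range in Risk Management settings.
    """
    errors, clean = [], dict(row)
    if not (row.get("Risk Scenario") or "").strip():
        errors.append("Risk Scenario is required")
    # Blank Risk ID: generate one, as the template description says Vanta does.
    clean["Risk ID"] = (row.get("Risk ID") or "").strip() or "RISK-" + uuid.uuid4().hex[:8]
    for name in SCORE_FIELDS:
        raw = (row.get(name) or "").strip()
        if not raw.lstrip("-").isdigit() or not score_min <= int(raw) <= score_max:
            errors.append(f"{name} must be a whole number from {score_min} to {score_max}")
        else:
            clean[name] = int(raw)
    if (row.get("Risk Treatment") or "").strip() not in TREATMENTS:
        errors.append("Risk Treatment must be one of " + ", ".join(sorted(TREATMENTS)))
    if not EMAIL_RE.match((row.get("Owner") or "").strip()):  # syntax check only
        errors.append("Owner must be the email address of a Vanta user")
    for name in ("Categories", "Controls"):  # comma-separated lists
        clean[name] = [v.strip() for v in (row.get(name) or "").split(",") if v.strip()]
    return clean, errors


def validate_csv(text, **limits):
    """Validate every row of a template CSV; returns [(line_no, clean, errors), ...]."""
    reader = csv.DictReader(io.StringIO(text))
    return [(n, *validate_row(r, **limits)) for n, r in enumerate(reader, start=2)]


# Constructed sample (not real Vanta data): one valid row, one with five defects.
SAMPLE = """Risk Scenario,Risk ID,Inherent Likelihood,Inherent Impact,Residual Likelihood,Residual Impact,Risk Treatment,Categories,Owner,Controls
Laptop theft exposes customer data,,4,5,2,3,Mitigate,"Physical,Data",owner@example.com,"CTL-1,CTL-2"
,R-7,6,3,x,2,Ignore,Ops,not-an-email,
"""

if __name__ == "__main__":
    for line_no, clean, errs in validate_csv(SAMPLE):
        print(line_no, clean["Risk ID"], errs or "ok")
```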
Adding Scenarios from the Risk Library
Go to the Risk Library tab or click + Add Scenario
Select prebuilt risk scenarios and add them to your register
Reviewing Risk Scenarios
Assign Risk Owners and Approvers
After creating a risk scenario, it enters a review and approval workflow.
You can assign an owner to track the risk
All customers can submit a risk for approval when ready
Core plan: The approver can be the owner, a risk admin, or a risk editor
(Beta) Growth+ plan: Assign multiple approvers across up to 5 approval steps, with up to 3 approvers per step
Please note: Risks must be approved before you can add controls or tasks. Vendors can still be linked while the risk is pending approval.
(Beta) Understand Risk Statuses
Each risk moves through a series of statuses based on its progress:
Draft
Risk has not been started or is partially filled out
Needs Review
Risk is ready for submission but hasn’t been submitted yet
Risk was edited after approval or had approval canceled
An approver requested changes
Pending Approval
Risk was submitted and is waiting for one or more approvers
Approved
All approvers have signed off
Once a risk is approved, any edits will move it back to Needs Review.
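The status rules above, plus the Growth+ limits (up to 5 approval steps, up to 3 approvers per step) and the rule that controls and tasks can only be added once a risk is approved, can be written down as a small state machine. This is an added model, not Vanta's implementation; it assumes approval steps complete in order, that every approver in a step must sign, and that editing a risk while it is pending cancels that submission.

```python
from dataclasses import dataclass, field

# Status names as listed on the page; transitions follow the page's descriptions.
DRAFT, NEEDS_REVIEW, PENDING, APPROVED = "Draft", "Needs Review", "Pending Approval", "Approved"
MAX_STEPS, MAX_PER_STEP = 5, 3  # Growth+ limits stated on the page


@dataclass
class Risk:
    fields: dict      # required fields; any blank value keeps the risk in Draft
    steps: list       # ordered approval steps, each a set of approver emails
    status: str = DRAFT
    signoffs: list = field(default_factory=list)  # one set per step: who signed

    def __post_init__(self):
        if not 1 <= len(self.steps) <= MAX_STEPS or any(len(s) > MAX_PER_STEP for s in self.steps):
            raise ValueError(f"up to {MAX_STEPS} steps with up to {MAX_PER_STEP} approvers each")
        self._recheck_draft()

    def _recheck_draft(self):
        self.status = NEEDS_REVIEW if all(self.fields.values()) else DRAFT

    def submit(self):
        if self.status != NEEDS_REVIEW:
            raise ValueError("only a risk in Needs Review can be submitted")
        self.signoffs = [set() for _ in self.steps]
        self.status = PENDING

    def approve(self, approver):
        """Record one sign-off (assumption: steps complete in order, all approvers must sign)."""
        if self.status != PENDING:
            raise ValueError("risk is not pending approval")
        step = next(i for i, s in enumerate(self.signoffs) if s != self.steps[i])
        if approver not in self.steps[step]:
            raise ValueError(f"{approver} is not an approver for step {step + 1}")
        self.signoffs[step].add(approver)
        if self.signoffs == self.steps:  # every step fully signed
            self.status = APPROVED
        return self.status

    def request_changes(self):
        """An approver requests changes or the submission is cancelled: back to Needs Review."""
        if self.status != PENDING:
            raise ValueError("nothing is pending approval")
        self.status = NEEDS_REVIEW

    def edit(self, **changes):
        """Edits after approval return the risk to Needs Review; Draft is re-evaluated."""
        self.fields.update(changes)  # assumption: editing while pending cancels the submission
        self._recheck_draft()

    def can_add_controls_or_tasks(self):
        return self.status == APPROVED  # vendors may be linked regardless of status
```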
Review and Mitigate a Risk
Click into the risk you would like to review and complete the required information in the side modal.
Choose a mitigation strategy:
Accept: Decide to live with the risk and take no further actions
Transfer: Move risk outside your organization's responsibilities, e.g., get cyber liability insurance
Mitigate: Identify controls to put in place or tasks to be done that will reduce the risk score.
Avoid: Fix the risk and underlying vulnerabilities to remove them entirely from your environment.
Create a task that details your actions to mitigate the risk by selecting Create Task. Add a due date and assign the task to the appropriate person
Include any controls related to the risk scenario. Vanta can suggest controls if you toggle Recommended only on.
Estimate Residual Score
Residual risk is what remains after implementing controls. Enter updated Likelihood and Impact scores; a rough estimate is fine.
Archive or Restart a Risk
Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario at any time in the future, and the tasks will be restored.
Select the three-dot menu next to the risk
Selecting Archive will archive the risk
Selecting Mark as sensitive will ensure only admins can see and edit the risk
Use Filters to Find Risks
Use filters to narrow down and review specific risks.
The default filters in the risk register are:
Owner: Owner of the risk scenario
Categories: Risk category
Status: Status of a risk assessment
Additional filters are available and can be added to your risk register by selecting + Add Filter.
From here, you can select:
Treatment: The remediation strategy for a risk
Residual risk: The risk score after security controls and processes have been implemented
CIA Categories: Confidentiality, Integrity, and Availability
Source: Custom risk scenario or from the Vanta risk library
Status: Assessment status
Identified: The date the risk scenario was identified in your organization
Vendor: Vendors linked to the scenario
Impact: Who the risk scenario would impact if it were to come to fruition
Creating Custom Risk Categories
Under Settings, scroll to Custom Categories
Select Add to create a custom category
Enter the category name and select Add Category
The new custom category will be available for risk scenarios: edit the risk scenario and choose it from the category dropdown.
Creating a Risk Snapshot
A snapshot captures your risk assessment at a specific point in time.
From the Risk Register, select Share, then Create Snapshot
Choose to include All Risks or Approved Only
Select whether auditors can view the snapshot
Snapshot settings can be updated anytime.
View and Manage Snapshots
Go to the Snapshots page
Click a snapshot to view, download, or delete
Generate a Risk Assessment Report
Create a risk assessment report on the Vanta platform to showcase the security posture of your company to team members outside of the Vanta platform. To share your risk assessment:
From the Risk Register, select Share, then Generate Risk Assessment Report
Click Export to download a PDF copy