How to conduct your risk assessments and log risks in Drata
OVERVIEW
Drata has two forms of risk assessments:
- Risk Assessment Questionnaire: The basic risk assessment functionality includes six (6) questionnaires based on the Cloud Security Alliance risk assessment guidance, to generate a risk report and prompt risk treatment actions for higher rated risks. This module does not include a risk register functionality. A key aspect of any risk management program is the logging and monitoring of risks. You should consider maintaining a register, including the outcome of your Drata Risk Assessment Questionnaire, in your central logging tool, a spreadsheet or other appropriate medium.
- Risk Assessment Module: An add-on module that centralises the identification, assessment, linkage to the controls, the risk treatment actions, and continuous monitoring in Drata. This is more commonly used by larger organisations.
RISK ASSESSMENT QUESTIONNAIRE
Accessed from the Risk Assessment section of Drata, there are six questionnaires to be completed, followed by a risk report to populate treatment actions before finalising.
STEP 1: Complete each questionnaire in Drata. Different questionnaires may be completed by different personnel based on their responsibilities, and each should generally be completed by the senior manager who is accountable for that function.
Each question will ask how you manage certain processes and activities. The answer to these questions will either:
a. Identify that the process or activity is managed effectively, and prompt you to input how this is documented/evidenced.
b. Identify a risk, in which case it will prompt you to input the potential consequences, and then the likelihood and severity ratings of those consequences.
STEP 2: Upon completion of the six (6) assessments, the Drata team will generate your risk report. You might need to contact your CS Manager if you don't receive it within a couple of business days. The Risk Assessment Results section will highlight the identified risks for your risk register. The Risk Treatment Plan section (example below) should then be completed for each identified risk to form a treatment plan and to assign an owner and a target remediation date.
It's recommended that these plans are realistic and achievable when considering the scale of work involved. In some cases, this might include multiple phases of implementation or uplift in your systems and processes.
STEP 3: The risk assessment and risk report can then be finalised by uploading into the Drata Reports & Docs section with the report type as "Risk Assessment" to link to the respective controls in Drata.
RISK MANAGEMENT MODULE
Accessed from the Risk Management section of Drata (if the module has been enabled), there are more than 150 predefined risks to assess. These are linked to the controls in Drata, which automatically maps the risk mitigations and supports continuous monitoring of the risks.
STEP 1: Determine a risk tolerance level. The risk tolerance is the level of risk that can be accepted, recognising that taking risk is imperative in pursuit of the company objectives. For simplicity, this risk tolerance is best defined as a specific risk score aligned to the Drata risk module scoring. This level determines which risks can be accepted as is, and which require further risk mitigation actions. A score level of 4-6 is generally recommended as the tolerance level. For example, with a risk tolerance of 5, a risk with an impact of 2 and a likelihood of 3 has a score of 6 (impact multiplied by likelihood), which requires further treatment. This risk tolerance level can be set universally, or specifically for each functional area. For example, you might have a higher risk tolerance when it comes to financial risks than when it comes to the safety or security of your team, systems and data.
STEP 2: Assign risk owners, then complete the assessment and treatment option for each risk. This is done by clicking into each risk, typing the name(s) of the risk owner(s), selecting an Impact and Likelihood score to produce a risk assessment rating, and then selecting a Treatment option from the drop-down menu. Against the risk tolerance from Step 1, decide whether the risk can be accepted, whether there is an action devised to mitigate, transfer, or avoid the risk, or whether further risk treatment that hasn't been devised yet is required.
If there is a risk treatment action to mitigate, transfer, or avoid the risk, you will be prompted to populate the details and the residual risk rating, which may bring it within the tolerance level like the example below.
STEP 3: Risk treatment actions should be devised for risks that are flagged as needing further risk treatment based on the last step. You can create a ticket to log risk treatment actions that need to be devised and completed accordingly.
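The scoring and tolerance rules from the three steps above can be expressed as a small risk register, shown here as an added example; this is illustrative code, not Drata's own implementation or API. It assumes that impact and likelihood are integer ratings on a 1-5 scale (the page only states that the score in the example is impact multiplied by likelihood), uses the four treatment outcomes named in Step 2, and embeds a constructed sample register with assumed tolerance values (a universal tolerance of 5 and a higher per-area tolerance for finance).

```python
"""Illustrative risk register applying the Risk Management Module logic.

Not Drata's code. Assumes a 1-5 rating scale for impact and likelihood,
score = impact x likelihood, and a tolerance that may be universal or
set per functional area.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Treatment actions from Step 2 that prompt a residual risk rating.
ACTIONS = {"mitigate", "transfer", "avoid"}
SCALE = range(1, 6)  # assumed 1-5 rating scale (not stated on the page)


@dataclass
class Risk:
    name: str
    area: str                                  # functional area, for per-area tolerance
    owner: str                                 # risk owner assigned in Step 2
    impact: int
    likelihood: int
    treatment: Optional[str] = None            # "accept", one of ACTIONS, or None (not yet devised)
    residual_impact: Optional[int] = None      # ratings after the treatment action is applied
    residual_likelihood: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.impact, self.likelihood):
            if value not in SCALE:
                raise ValueError(f"{self.name}: ratings must be {SCALE.start}-{SCALE.stop - 1}")

    @property
    def score(self) -> int:
        # Inherent risk score as in the Step 1 example: impact x likelihood.
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> Optional[int]:
        if self.residual_impact is None or self.residual_likelihood is None:
            return None
        return self.residual_impact * self.residual_likelihood


def tolerance_for(risk: Risk, tolerances: Dict[str, int]) -> int:
    """Step 1: tolerance is universal unless an area-specific level is set."""
    return tolerances.get(risk.area, tolerances["default"])


def needs_treatment(risk: Risk, tolerances: Dict[str, int]) -> bool:
    """A score above the tolerance cannot simply be accepted as is."""
    return risk.score > tolerance_for(risk, tolerances)


def status(risk: Risk, tolerances: Dict[str, int]) -> str:
    """Classify a risk the way Steps 2 and 3 describe."""
    tol = tolerance_for(risk, tolerances)
    if not needs_treatment(risk, tolerances):
        return "within tolerance - may be accepted"
    if risk.treatment in ACTIONS:
        residual = risk.residual_score
        if residual is None:
            return f"{risk.treatment}: residual rating missing"
        if residual <= tol:
            return f"{risk.treatment}: residual {residual} within tolerance {tol}"
        return f"{risk.treatment}: residual {residual} still above tolerance {tol}"
    # No action devised yet: Step 3 says to raise a ticket for it.
    return "further treatment required - raise ticket"


def review(register: List[Risk], tolerances: Dict[str, int]) -> List[dict]:
    """One row per risk, suitable for export to a spreadsheet register."""
    return [
        {"risk": r.name, "owner": r.owner, "score": r.score,
         "tolerance": tolerance_for(r, tolerances), "status": status(r, tolerances)}
        for r in register
    ]


# Constructed sample data (illustrative values, not from the page).
TOLERANCES = {"default": 5, "finance": 8}
REGISTER = [
    Risk("Laptops without disk encryption", "security", "CISO", impact=2, likelihood=3,
         treatment="mitigate", residual_impact=1, residual_likelihood=2),
    Risk("Backup restores untested", "engineering", "Head of Eng", impact=3, likelihood=3),
    Risk("Supplier invoice fraud", "finance", "CFO", impact=2, likelihood=3, treatment="accept"),
]

if __name__ == "__main__":
    for row in review(REGISTER, TOLERANCES):
        print(row)
```

The first sample risk reproduces the page's own example (impact 2, likelihood 3, score 6 against a tolerance of 5) and shows how a recorded mitigation with a residual rating brings it back within tolerance; the second has no treatment devised yet and is flagged for a ticket; the third sits within the higher finance tolerance and can be accepted.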
The risk assessments are considered complete for compliance purposes once all risks have been considered and addressed through the three steps above. By nature, there should always be ongoing risk treatment actions as part of the continual improvement of your internal controls. Not every risk needs to be within tolerance to finalise the risk assessment; the assessment is best repeated quarterly to revise and update the risk ratings and treatment actions.