
Risk Management in Vanta

How to Complete an Annual Risk Assessment

Quick checklist:

  • Scope your risks in Vanta (start with 10–20)

  • Assess inherent and residual risk ratings

  • Define treatment plans and log actions for high residual risks

  • Assign owners for accountability

  • Review your risk action tracker for feasibility

  • Share your risk assessment with auditors (enable access in Vanta)

Overview

Risk management is a key part of compliance, and Vanta makes it simple to scope and assess your most important risk areas.

💡 Tip: Start small. Including too many risks can dilute your focus. We recommend beginning with 10–20 risks and expanding over time.

Step 1: Scope Your Risks

Begin in the Vanta Risk Library, where you can:

  • Add predefined risks to your register with a click.
  • Add custom “scenarios” individually or upload in bulk.

💡 Tip: Using Vanta’s predefined risks saves time because they’re already mapped to your Vanta control framework.

For SOC 2 coverage, we recommend including at least one risk in these areas:

  • Asset management
  • Access control / communications security
  • Business continuity & disaster recovery
  • Fraud
  • Software development & acquisition
  • Third-party risk

💡 Tip: Smaller, early-stage companies can define risks at a higher level for simplicity. Larger organizations may want more granular detail.

Refer to Sensiba's example risk register for a simplified set of risks defined at a high level. It gives broad coverage and lets smaller, earlier-stage companies manage risk more holistically, with centralised responsibility.

Step 2: Assess Risk Ratings

For each risk in your register:

  • Rate inherent likelihood and impact.
  • Define a treatment plan.
  • Rate residual likelihood and impact after controls.
  • Map mitigating controls and log any future actions.

💡 Tip: If residual risk is 6 or higher, log an action for improvement. Assign an owner for accountability and ongoing management.

Remember: The goal is continuous risk reduction. Most treatment plans will aim to mitigate risks. Acknowledging material residual risks does not compromise compliance.

Step 3: Track Actions & Monitor

Review your risk action tracker to confirm tasks are realistic and timeframes achievable.

  • For Type 1 audits, your risk register and action plans demonstrate effective design.
  • For Type 2 audits, auditors look for evidence of ongoing improvements and monitoring.

💡 Tip: Auditors want to see a system that identifies, assesses, treats, and monitors risks continuously. Which ratings and actions are appropriate is for management to determine.

Step 4: Sharing Your Risk Assessment with Auditors

Once your risk register or manual risk assessment is ready, please enable auditor access in Vanta so we can review your documentation.

How to share: https://help.vanta.com/en/articles/11345504-creating-a-risk-snapshot

Need Help?

We’re here for you! If you have questions or something feels unclear, reach out anytime at csplatform@sensiba.com

To discuss the above, book a meeting with a Customer Success team member using this link.

Ready to kick off your audit? Book a meeting here.