How to complete risk assessments and manage your risks in Vanta
OVERVIEW
Risk management is a critical area of compliance. Vanta makes it easy to scope and assess the important risk areas.
💡Tip: Including too many risks can dilute your focus and undermine the goals of risk management. We recommend starting with 10-20 risks and building on that over time.
STEP 1: SCOPING YOUR RISKS
Start in the Vanta risk library where you can click to add predefined risks to your register. You can also add "scenarios" individually or in bulk upload into the risk register directly.
💡Tip: Using Vanta's predefined risks saves time with mapping to the controls in your Vanta control framework.
To cover the SOC 2 criteria; you should select or define at least one risk for the following areas:
- Asset management
- Access control / communications security
- Business continuity and disaster recovery
- Fraud
- Software development and acquisition
- Third-party risk
💡Tip: Define risks at a higher level for a smaller, early stage company, or at a more granular level for a larger, later stage company.
Refer to AssuranceLab's example risk register for a simplified set of risks defined at a high level for broad coverage, empowering smaller and earlier stage companies to manage risk more holistically with centralised responsibility.
STEP 2: ASSESS THE RISK RATINGS
Click into each of the risks in the risk register and complete the assessment of inherent risk likelihood and impact, the treatment plan, and the residual risk likelihood and impact. Review or map the controls that mitigate the risk, and consider if the risk warrants any further actions that can be logged against the risk for future improvements. It is typically expected to log an action for risks with a residual risk rating greater than or equal to "6". You will then assign an owner to the risk for accountability of the risk rating and any ongoing management of the risk.
💡Tip: The goal of risk management is to support the ongoing reduction of risk. Most treatment plans will be to "mitigate" the risks and may include future actions. It does not compromise your compliance to acknowledge material residual risks.
STEP 3: ASSESS THE RISK RATINGS
Review your risk action tracker to ensure the tasks planned for ongoing risk management efforts are feasible and effectively planned for with realistic timeframes. The risk register and these action plans will demonstrate effective design of your risk management activities for a Type 1 audit. The ongoing actions will be reviewed for Type 2 audits to demonstrate continuous improvement and effective management of your risks.
💡Tip: Auditors are looking to see that you have an effective system to identify, assess, treat and monitor the risks on an ongoing basis to meet the SOC 2 criteria. The ratings and actions devised are up to management to determine what is appropriate.