Risk Snapshots and Reports

✅ Feature availability: While the Risks page is included on all plans, Advanced Risk Management features (including risk reports) are only available as an upgrade or add-on. Refer to Vanta Plans and Pricing for details.

Risk Management provides multiple ways to capture, analyze, and share your risk posture. Use snapshots to preserve a point-in-time view of your risk register, generate risk assessment reports to share structured summaries, and use risk reports to monitor trends and communicate insights over time.

⚙️ User permissions: Admins and Editors can view and manage risk snapshots, risk assessment reports, and risk reports. Collaborators can only view or generate risk assessment reports for specific registers they can access as a Viewer or Manager. Learn more: User Permissions by Product Area


Getting started

Vanta provides four primary ways to view and share risk data from your risk assessments. Each is shaped by how you've configured your risk scoring rubric and is designed for a different use case:

| Report | What it’s for | What it provides |
|---|---|---|
| Risk overview | Monitoring current risk posture | Real-time view of your risk distribution across risk scenarios |
| Risk snapshots | Audit evidence and point-in-time records | A fixed snapshot of approved risk scenarios at a specific moment in time, preserving historical state for audits |
| Risk assessment reports | Formal reporting and exports | A structured, exportable report (PDF) summarizing risk scenarios, scores, and key details for a given register |
| Risk reports | Ongoing analysis and stakeholder communication | Customizable charts and dashboards to track trends, compare data, and communicate insights over time |

ℹ️ Note: Archived risk scenarios are excluded from snapshots, assessment reports, and reports.


Risk overview

The Overview page shows how risk scenarios are distributed based on their inherent or residual risk score, which is calculated using your risk scoring rubric.

| Chart | Description |
|---|---|
| Current risk | Distribution of risk scenarios based on current risk from your risk assessments. Uses residual risk if treatment is complete, or inherent risk if treatment is incomplete. |
| Residual risk | Distribution of risk scenarios based on residual risk, regardless of risk assessment status. |

On some plans, the Overview page includes additional charts for deeper analysis—these charts are powered by the default risk report.


Risk snapshots

A snapshot captures your risk scenarios at a specific moment so you can track changes over time and share a fixed view with auditors. Once created, snapshots are locked—changes to your risks or scoring rubric only apply to new snapshots, not existing ones.

Creating snapshots

The snapshot captures the selected scenarios and their current data.

To create a snapshot:

  1. From the Risks page, click the ••• menu and select View snapshots.

  2. Click Create a snapshot.

    • If your plan includes multiple risk registers, choose whether to include risk scenarios from a single register, all registers, or enterprise risks.

    • If your plan includes one risk register, you won’t see these options.

  3. Choose which scenarios to include:

    • Only include approved risk scenarios, meaning completed risk assessments.

    • Include all risk scenarios, including risk assessments in progress.

  4. Select whether an auditor can view this snapshot.

    • You can edit this selection after the snapshot is created.

Viewing and managing snapshots

Snapshots are stored in an archive and remain available as historical records.

To view snapshots:

  1. Go to the Risks page.

  2. Click the ••• menu.

  3. Select View snapshots.

From the Snapshots page, you can:

  • View all snapshots by capture date, register, and visibility

  • Open a snapshot to view, download, or delete the snapshot

  • Manage which snapshots are shared with auditors

Sharing snapshots with auditors

Snapshots can be shared with auditors to provide a fixed, read-only view of your risk posture.

  • When sharing is on: The snapshot is visible in the auditor’s audit portal, as long as it falls within the audit’s observation window.

  • When sharing is off: The snapshot is only visible to Admins and Editors in your workspace.

ℹ️ Note: Auditors only see snapshots that are shared and created within the audit’s observation window. Snapshots outside that window won’t appear unless the window is updated.

Example snapshot


Risk assessment reports

A risk assessment report is an exportable PDF of your risk scenarios, used to share your current risk posture with auditors and stakeholders. The report includes a breakdown of current and residual risk, a snapshot of your risk scenarios, and your risk scoring rubric.

Creating risk assessment reports

To create a risk assessment report:

  1. From the Risks page, open a risk register.

  2. Depending on your plan, generate a report from one of two places:

    • From the Share menu, click Generate assessment report.

    • From the ••• menu, click Generate report.

  3. Click the Export button to download the report as a PDF.

ℹ️ Note: If all your registers use the default risk scoring rubric, you can generate a report across all registers from the Risks page. If any register uses a register-specific rubric, you'll need to generate a report one register at a time.

Sharing risk assessment reports

After generating a report, export it as a PDF to share. Reports capture your data at a specific moment and don’t refresh. They’re not stored in your account, so you’ll need to generate and export a new report each time—there’s no saved history like snapshots.

Example risk assessment report


Risk reports

Risk reports are customizable dashboards found on the Reports page. They include charts like risk trends, risk distributions, treatment status, control status, and category breakdowns, and can be filtered and rearranged to fit your needs. If available on your plan, the default Risk report also powers the charts shown on the Overview page.

ℹ️ Note: If you've set up register-specific rubrics, some charts may require you to select a single register using the Register filter. Registers can be combined in a single view when two conditions are met: their likelihood and impact scales use the same number of points, and their risk levels use the same thresholds and labels.

Editing the default report

You can edit the default Risk report to control which charts display on the Overview page, as well as apply default filters.

To edit the default report:

  1. From your account navigation, go to the Reports page.

  2. Open the Risk report.

  3. From the ••• menu, click Edit.

  4. Use the filters at the top of the report to choose the default filters that display. People viewing the report can still change these filters, but if they refresh the page, the filters go back to default.

  5. Use the toggle at the top of each chart to control visibility. If you turn off a chart here, it can’t be viewed by people viewing the report.

  6. Click the Save & apply changes button.

Creating risk reports

You can duplicate the default Risk report to create your own.

To create a report:

  1. From your account navigation, go to the Reports page.

  2. Open the Risk report.

  3. Click the Duplicate & Customize button.

  4. Customize the report:

    • Edit the name and description

    • Add and delete charts

    • Drag and drop charts

    • Change the chart size

  5. When you’re done, click the Save & apply changes button.

Sharing risk reports

Click the Share button within a report to take the following actions:

  • Manage access: Control which users can view the live version of the report.

  • Manage report schedules: Email specific users a link to the report on a recurring basis.

  • Copy link: Share the link with users.

⚠️ Note: Users need to be assigned an Admin, View-only Admin, or Editor role before you can enter their name or email to share reports with them.

Example risk report