
Adding and Managing Risks

✅ Feature availability: While Core Risk Management is included on all plans, Advanced Risk Management features are only available as an upgrade or add-on. Refer to Vanta Plans and Pricing for details. Enterprise risks are currently in Preview—you can request access via your Customer Success Manager.

Risk Management in Vanta is part of your broader security and compliance program. The Risks page is where you define, organize, and manage your risk scenarios in one place—set up your risk registers, customize how risks are structured with fields and categories, add risk scenarios, and manage them as your program evolves. For more advanced use cases, enterprise risks let you group related scenarios and connect them to broader organizational impact.

By maintaining a structured and up-to-date risk inventory, you create a single source of truth that supports consistent assessments, mitigation efforts, and ongoing visibility into your risk posture.

⚙️ User permissions: Admins and Editors can create and manage all risk registers and risk scenarios. Collaborators can be added to specific risk registers as Viewers or Managers for all risks in that register, or they can be assigned as owners on specific risk scenarios. Refer to Understanding User Roles and Permissions in Vanta for details.


Getting started

Start by setting up your risk register and risk settings, then add and manage risk scenarios within it. If needed, you can later group related scenarios under enterprise risks for a more strategic view.

Risk management is built around three core objects, each listed here with its description and feature availability:

  • Risk register: A folder that organizes your risk scenarios. You can use registers to group risks by team, product, or business unit and control who has access. Feature availability: all plans include one default register; multiple registers are included with Advanced Risk Management.

  • Risk scenario: A specific potential risk to your organization. This is the core unit of work—you’ll assess, track, and manage risk at the scenario level. Feature availability: available on all plans.

  • Enterprise risk: A higher-level risk that groups related scenarios across registers, helping you connect team-level risks to broader organizational impact. Feature availability: available with Advanced Risk Management.


Setting up risk registers

A risk register is a folder that contains your risk scenarios. You can use registers to group risks by team, product, or business unit and control who can view or edit them.

Depending on your plan, you may have a single default register or be able to create multiple registers to organize your risks. The steps below describe what you see when you have access to multiple risk registers.

💡 Tip: If you plan to import risks in bulk, set up your registers first so you can map each risk to the correct register during import.

Adding risk registers

If your account has access to create multiple risk registers, a register is created automatically with the name Default. New risks are added to this register unless you create additional registers. You can rename the default register at any time.

Create additional risk registers to organize risk scenarios based on how your program is structured—for example, by team, product, location, or risk domain.

To add a risk register:

  1. On the Risks page, click the Add button.

  2. Select Add register.

  3. Enter a Name and Description for the register.

  4. Click Add.

  5. Manage access to control who can view or edit the risks in each register.

Editing risk registers

  • To edit a register’s name or description, click the ••• menu and select Edit register details.

  • To delete a register, click the ••• menu and select Delete register.

⚠️ Note: Deleting a register permanently deletes all risk scenarios within it. Move risk scenarios you want to keep to another register before deleting.

Managing register access

If your account has access to create multiple risk registers, you can control who can access each set of risks. Use register access to ensure the right people can view or manage risks while keeping sensitive information restricted.

To grant access to a risk register:

  1. On the Risks page, click the ••• menu next to the risk register.

  2. Select Manage access.

  3. Add a user and assign their access level:

    • Viewer: Can view risks in the register.

    • Manager: Can view, add, and edit risks in the register.

⚠️ Note: Users need to be granted the proper user permissions before they can be added to a register.


Customizing risk fields

Customize the fields your team will use to define and evaluate risk scenarios. This includes adding categories and metadata to capture the right context, and aligning your scoring framework with how your organization assesses risk.

Setting this up early ensures your risk data is consistent, meaningful, and ready to support assessments and reporting.

Adding custom fields

Custom fields let you capture additional details for your risk scenarios beyond the default fields. Once added, these fields appear when editing a risk scenario so your team can consistently track the information that matters most.

You can apply custom fields to all registers or limit them to specific registers. When you add a risk register, it inherits all custom risk fields by default. Enterprise risks include all custom fields by default since they map across registers.

To add custom fields:

  1. In your account header, click the Settings icon.

  2. In the page menu, scroll to the Features section and select Risk.

  3. Scroll to Custom fields and click Add.

  4. Enter a Field label and Description.

  5. Select a Data type: Currency, Date, Number, Multi-select, Text, or User. You can’t change the data type after creating the field.

  6. Choose the risk registers the field applies to.

To edit custom fields per risk register:

  • Use the dropdown menu to select a risk register.

  • Click the ••• menu next to a field to update which registers it applies to.

  • Drag and drop fields to reorder them.

Adding custom categories

Custom categories let you label and group risk scenarios based on your organization’s needs. Once added, categories are available as a selectable field when editing a risk scenario, making it easier to classify and filter risks.

To add custom categories:

  1. In your account header, click the Settings icon.

  2. In the page menu, scroll to the Features section and select Risk.

  3. Scroll to the Custom categories section.

  4. Click Add and enter a category name.

  5. Click Add category.

Editing your scoring framework

Depending on your plan, you can customize your risk scoring framework to reflect how your organization evaluates risk.


Adding risk scenarios

A risk scenario is a specific potential risk to your organization and the core unit you’ll assess, track, and manage. Once your registers and fields are set up, it's time to start building your risk inventory by adding risk scenarios.

You can add scenarios manually, use Vanta’s risk library, or import them in bulk from a spreadsheet. You can also add risks via the Vanta API or the Vanta MCP.

Adding manually

To manually add a risk:

  1. From the Risks page, open a risk register.

  2. Click the Add button.

  3. Enter a Description for the risk scenario.

  4. If you’re using multiple risk registers, select the register to add the risk to.

  5. If you use your own ID convention, add a Risk ID. Otherwise, leave it blank and we’ll generate one for you.

  6. Click Add.

Adding from risk library

Vanta’s risk library includes common risk scenarios you can use to quickly build your risk inventory. You can choose whether to automatically add recommended controls to each risk so they map to your frameworks.

To edit your risk preferences:

  1. In your account header, click the Settings icon.

  2. In the page menu, scroll to the Features section and select Risk.

  3. Go to the Preferences section.

  4. Choose between:

    • Always add recommended controls

    • Ask me every time if I want to add recommended controls

    • Never add recommended controls

To add risks from the risk library:

  1. Go to the Risk library page.

  2. Browse the available risk scenarios.

  3. Click Add to register on a risk you want to use.

  4. If you’re using multiple risk registers, select the register to add the risk to.

ℹ️ Note: To add the same risk to multiple registers, you’ll need to add the risk twice—once to each register.

Importing a spreadsheet

Import risk scenarios in bulk using a spreadsheet. Before importing, make sure any custom fields you want to include are already set up in your risk settings.

To import risks from a spreadsheet:

  1. From the Risks page, open a risk register.

  2. Click the Add button and select Import.

  3. Review the instructions on the import page, download the CSV template, and prepare your file.

  4. Upload a CSV file with your risk details. The only required column is Risk Scenario.

  5. Map your spreadsheet columns to the corresponding fields in Vanta, then click Next.

  6. Review your import, especially rows with issues, then click Import.

💡 Tip: You can export risks, make updates in a spreadsheet, and upload a file to bulk update existing risks using Risk ID. Before re-uploading, make sure the spreadsheet matches Vanta’s import template.
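A pre-import check, as an added example that is not Vanta's own code: it validates a constructed CSV against the rules stated above (Risk Scenario is the only required column, Risk ID identifies existing risks for bulk updates, and custom fields must exist in your risk settings before import) so that rows with issues are caught before the review step. The configured field names other than Risk Scenario and Risk ID are assumptions standing in for your own default and custom fields.

```python
import csv
import io

# "Risk Scenario" and "Risk ID" are the column names this page names.
# The other entries are hypothetical stand-ins for fields configured under
# Settings > Risk; replace them with the fields in your own import template.
REQUIRED_COLUMNS = {"Risk Scenario"}
CONFIGURED_FIELDS = {"Risk Scenario", "Risk ID", "Category", "Owner Email"}


def validate_risk_csv(text, configured_fields=CONFIGURED_FIELDS, bulk_update=False):
    """Return a list of (row_number, message) issues.

    Row 0 marks header problems; data rows are numbered as in the file
    (the header is line 1, so the first data row is 2).
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    issues = []
    # Required columns must be present before any row can be imported.
    for col in sorted(REQUIRED_COLUMNS - set(headers)):
        issues.append((0, f"required column missing: {col}"))
    # A column that is not a configured field cannot be mapped during import;
    # add it as a custom field first, then re-run the check.
    for col in sorted(set(headers) - configured_fields):
        issues.append((0, f"column '{col}' is not a configured field; add it under Settings > Risk > Custom fields first"))
    seen_ids = {}
    for n, row in enumerate(reader, start=2):
        if not (row.get("Risk Scenario") or "").strip():
            issues.append((n, "Risk Scenario is empty"))
        rid = (row.get("Risk ID") or "").strip()
        if bulk_update and not rid:
            issues.append((n, "Risk ID required to update an existing risk"))
        # Bulk updates match rows by Risk ID, so duplicates would collide.
        if rid:
            if rid in seen_ids:
                issues.append((n, f"duplicate Risk ID {rid} (also on row {seen_ids[rid]})"))
            else:
                seen_ids[rid] = n
    return issues


# Constructed sample: one unknown column, one empty scenario, one duplicate ID.
SAMPLE_CSV = """Risk Scenario,Risk ID,Category,Severity
Unpatched production servers,R-001,Infrastructure,High
,R-002,Infrastructure,Medium
Former employees retain access,R-001,Identity,High
"""

if __name__ == "__main__":
    for row_no, message in validate_risk_csv(SAMPLE_CSV):
        print(f"row {row_no}: {message}")
```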

Creating via API

You can use the Vanta API to create risk scenarios.

Creating via MCP

You can use the Vanta MCP to create risk scenarios.


Managing risk scenarios

Once your risk scenarios are added, use the Risks page to keep them organized and up to date as your program evolves. Many actions, like viewing archived risks, exporting data, and generating assessment reports or snapshots, are available from the menu options on this page and within individual risk registers.

Viewing and filtering risks

  • Use the tools above the table to search, filter, and sort your risk scenarios based on available fields.

  • Customize your table view using the controls icon to choose which columns to display and adjust how data is shown.

💡 Tip: You can generate snapshots or reports at any time to better understand and share your current risk posture.

Updating risk details

Keep risk scenarios up to date by maintaining their details and completing assessments as needed:

  • Update fields, categories, and other metadata as your risk context changes.

  • Map risks to related objects across Vanta to build a more complete picture of your risk program.

  • Conduct risk assessments to evaluate and update risk status.

Organizing risks

Keep your risk register organized by moving, archiving, and cleaning up risk scenarios over time:

  • Select risks from the table to move them between registers or to archive them.

  • Export risks to a spreadsheet and import them to update risks in bulk.

  • View archived risks to restore them or permanently delete them.

⚠️ Note: Deleting a risk scenario permanently deletes all risk details, assessment history, and associated tasks.


Using enterprise risks

Enterprise risks are higher-level risk scenarios used to group related risks. They work the same way as risk scenarios, but live in a separate risk register and represent broader, cross-team visibility.

Use enterprise risks when you want to organize related risks or report on risk at a higher level across your organization:

  • Enterprise risks act as a parent to group related risk scenarios.

  • An enterprise risk links to multiple risk scenarios.

  • An individual risk scenario can be linked to one enterprise risk.

  • Enterprise risks use the same fields, assessments, and workflows as risk scenarios.

  • Only Admins and Editors can view, manage, own, or approve enterprise risks.