✅ Feature availability: While the Risks page is included on all plans, Advanced Risk Management features are only available as an upgrade or add-on. Refer to Vanta Plans and Pricing for details.
Risk assessments are a core part of Risk Management in Vanta, helping you understand your exposure and decide how to handle each risk. Each assessment follows a simple workflow: a risk scenario is assigned, evaluated by an owner, and approved. Once all steps are complete, the assessment is marked done.
Owners document impact, likelihood, and treatment plans, while approvers review and confirm the outcome. As conditions change or new information becomes available, you can update and reapprove assessments to reflect the current state of risk. Each assessment can also link to your controls, connecting risk management to your audit evidence.
⚙️ User permissions: Collaborators, Editors, and Admins can be assigned as owners for risk scenarios. Admins and Editors can edit, manage, and approve all risk scenarios. Collaborators can edit and approve the risk scenarios they own or have access to as a Manager of a risk register. Refer to Understanding User Roles and Permissions in Vanta for details.
Getting started
Before conducting assessments, make sure you’ve added risk scenarios and configured your risk settings.
Risk assessments are designed to be collaborative and move through a shared workflow:
Assign risk owners: Admins or Editors assign risk scenarios to the right owners.
Complete risk assessments: Owners score each scenario, document treatment plans, and track any actions needed to reduce residual risk.
Approve risk assessments: Owners submit assessments for approval, or approve them directly if they're also the assigned approver.
💡 Tip: Use the Comments tab to ask your teammates questions as you review and approve risks. You can @mention the risk scenario owner and approver, as well as any Admins or Editors.
Assigning owners to risk scenarios
Assign each risk scenario to the person responsible for completing the assessment and tracking any follow-up work. You can assign an owner directly from the risk register or within the risk scenario.
Understanding risk status
Each risk scenario has a status that reflects where it is in the assessment and approval workflow:
| Status | Description |
| --- | --- |
| Draft | Default state when a risk scenario is created. The assessment has not been completed or submitted. |
| Needs review | The assessment is complete but hasn't been submitted, or it was returned because an approver requested changes, or it was edited after approval. |
| Pending approval | The assessment has been submitted and is waiting for approval. The assessment is read-only while in this state. |
| Approved | All required approvers have signed off on the assessment. |
⚠️ Note: Define risk tasks before submitting risks for approval. If a risk is Pending approval, you can’t add new tasks. If a risk is Approved, adding a task moves it to Needs review.
Completing risk assessments
As a risk owner, review each risk scenario assigned to you, complete the assessment, and submit it for approval.
For each risk scenario, you should:
Confirm risk details: Review and update the description of the risk, and fill out any categories or custom fields.
Map risks: Link the risk to related controls, assets, and other objects across Vanta to add context before you assess it.
Assess inherent risk: Score likelihood and impact based on your risk scoring framework.
Document treatment plan: Choose a treatment type and track tasks needed to reduce residual risk.
Assess residual risk: Re-score likelihood and impact assuming your treatment plan is in place.
Submit for approval: Select an approver and send the assessment for review and sign-off.
Mapping risks
Within a risk scenario, you can link related objects across Vanta to build a more complete picture of your risk program:
| What you can map | Description |
| --- | --- |
| Assets | From the risk details section, link supported integrations and view their underlying impacted assets on the risk. |
| Controls | From the risk assessment section, link related controls in your treatment plan to show how your existing controls help reduce the risk. |
| Enterprise risks | From the risk details section, link an enterprise risk to connect this scenario to broader organizational risk tracking. |
| Issues | From the Issues page, link a risk scenario to an issue to connect a specific finding or remediation item to the broader risk it relates to. |
| Tasks | From the risk assessment section, create or link risk tasks to track the work needed to reduce the risk. |
| Vendors | From a vendor security assessment, link findings to a risk scenario to connect third-party risk findings to the risks they relate to. |
Choosing a treatment plan
Choose how you want to handle each risk by selecting a treatment type:
| Treatment type | Description |
| --- | --- |
| Mitigate | Reduce the risk by implementing controls or completing tasks. |
| Accept | Acknowledge the risk and take no further action. |
| Transfer | Shift the risk to a third party, such as through insurance or outsourcing. |
| Avoid | Eliminate the risk by stopping the activity causing it. |
💡 Tip: To track risk treatment, manage tasks directly in Vanta or connect a task tracker integration to work in the tools your team already uses.
Adding approval steps
Depending on your plan, you can assign one or more approvers to review and sign off on a risk assessment.
For multi-step approvals, you can add up to 5 approval steps with up to 3 approvers per step. All approvers in a step must approve before the next step begins, so a single approver requesting changes returns the assessment to the owner.
To set up multi-step approvals:
Click Submit for approval.
Add approver(s) to Approval step 1.
Click Add new approval step to add more steps and assign approvers to each.
Submit the workflow.
Once submitted, the risk moves to Pending approval until all required approvers sign off. Approvers are notified by email, and in multi-step workflows, Step 1 approvers are notified first.
⚠️ Note: If you need to change approvers after submitting the workflow, cancel the current approval request and restart the workflow with the updated approvers.
Approving risk assessments
Once an assessment is submitted, it becomes read-only and moves to Pending approval. You'll receive an email notification when a risk is assigned to you for approval.
You can access assessments pending your review from the My work page or by filtering the risk register by approver.
To approve a risk assessment:
Open the risk scenario.
Review the assessment details, including the risk scores, treatment plan, and any linked controls or tasks.
Add comments if needed.
Click Submit approval decision, then choose:
Approve: Confirm the assessment is complete. The approval is saved to the assessment's approval history.
Request changes: Send it back to the owner for updates and resubmission.
A risk is only marked Approved once all required approvers sign off. In multi-step workflows, approvers in a step are notified when the previous step is completed, so you'll receive a notification when it's your turn.
⚠️ Note: If the assessment is edited after approval, it moves back to Needs review and must go through approval again.