✅ Feature availability: While the Risks page is included on all plans, Advanced Risk Management features are only available as an upgrade or add-on. Refer to Vanta Plans and Pricing for details.
Risk scoring is a core part of Risk Management in Vanta, helping you evaluate, prioritize, and report on risk consistently across your organization. Your risk scoring framework standardizes how risks are assessed and categorized. It defines how risk scores and risk levels are determined and powers the insights shown in reports and snapshots.
⚙️ User permissions: Admins and Editors can view and edit the risk scoring framework in risk settings. Refer to Understanding User Roles and Permissions in Vanta for details.
Understanding risk scoring
Risk scoring has three parts: ratings, scores, and levels. You assign likelihood and impact ratings to evaluate a risk. These ratings are multiplied to calculate a risk score, which is then mapped to a risk level used to prioritize and report on risk, including in reports and snapshots.
During a risk assessment, you score each risk twice: once before selecting a treatment approach and again after. The first set of ratings determines the inherent risk score, and the second determines the residual risk score. For both, likelihood and impact ratings are used to calculate a score and determine a risk level.
| Metric | What it represents | How it’s used |
| --- | --- | --- |
| Likelihood rating | How likely a risk is to occur | You assign a rating for both inherent risk (before treatment) and residual risk (after treatment). |
| Impact rating | The severity of the risk if it occurs | You assign a rating for both inherent risk (before treatment) and residual risk (after treatment). |
| Inherent risk score | Likelihood × impact before treatment | Vanta calculates a score from your inputs and maps it to an inherent risk level. |
| Residual risk score | Likelihood × impact after treatment | Vanta calculates a score from your inputs and maps it to a residual risk level. |
| Risk level | The classification of a risk based on its risk score | Vanta maps each inherent and residual risk score to a risk level, which is used to prioritize and report on risk. |
💡 Tip: We recommend configuring your scoring framework before adding or importing risks so that risk scores and risk levels reflect your methodology from the start.
Editing your scoring framework
Depending on your plan, you may be able to customize your risk scoring framework. If editing isn’t available, your account is using Vanta’s default framework, which is designed by our GRC experts to support common risk assessment methodologies.
To edit your scoring framework:
In your account header, click the Settings icon.
In the page menu, scroll to the Features section and select Risk.
Go to the following sections: Likelihood scoring scale, Impact scoring scale, and Risk levels.
⚠️ Note: Changes apply immediately. Live risks update to the new framework, reports reflect changes going forward, and existing snapshots remain unchanged. Updating scoring scales may also reset previously approved risks for review.
Scoring scales
Likelihood and impact ratings define how risks are evaluated during assessments. By default, Vanta uses a 5-point scale, but you can customize both the structure and meaning of each rating to match your organization’s approach.
For both the Likelihood scoring scale and Impact scoring scale, you can:
Adjust the number of ratings in the scale (for example, 1–5 or 1–10)
Rename the dimension
Update the dimension description
Define labels for each rating
Define descriptions for each rating
These settings determine the options available when assigning likelihood ratings and impact ratings during a risk assessment.
Risk levels
Risk levels define how risk scores are grouped and interpreted. By default, risk levels are grouped into Low, Medium, and High, but you can customize both the number of levels and how risk scores map to each level.
You can edit how risk scores are grouped into levels:
Set the number of levels: Choose how many risk levels to use (for example, 3 for Low, Medium, High or up to 5 total levels)
Define score ranges: Use the slider to set the range for each level; each level is defined by a lower bound, and upper bounds are calculated automatically
Customize each level: Set the label, color, and description for each risk level to reflect how your organization interprets risk
These settings determine how both inherent risk scores and residual risk scores are categorized and displayed in reports and snapshots. When browsing the risk register, the risk levels and their colors give a clear visual cue that helps you understand each risk at a glance. Risk levels are also incorporated into a risk distribution heat map that summarizes the entire risk register in a single visual.
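The scoring model described above (likelihood × impact gives a score, and the score falls into whichever level's lower bound it reaches, with upper bounds derived from the next level) can be illustrated with a small Python model. This is an added example, not Vanta's own code; the 5-point scale labels, the level lower bounds (1, 6, 15) and the colors are constructed values chosen for the demonstration, and the class and function names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scale:
    """A likelihood or impact scoring scale: rating n (1-based) has label labels[n-1]."""
    name: str
    labels: tuple

    @property
    def size(self) -> int:
        return len(self.labels)

    def validate(self, rating: int) -> int:
        # Ratings outside the configured scale are rejected rather than silently clamped.
        if not 1 <= rating <= self.size:
            raise ValueError(f"{self.name} rating must be 1..{self.size}, got {rating}")
        return rating


@dataclass(frozen=True)
class RiskLevel:
    """A risk level is defined only by its lower bound; upper bounds are derived."""
    label: str
    lower_bound: int
    color: str = ""


class ScoringFramework:
    """Hypothetical model of a scoring framework: two scales plus 1..5 risk levels."""

    def __init__(self, likelihood: Scale, impact: Scale, levels: list):
        if not 1 <= len(levels) <= 5:
            raise ValueError("a framework uses between 1 and 5 risk levels")
        self.likelihood = likelihood
        self.impact = impact
        self.levels = sorted(levels, key=lambda lvl: lvl.lower_bound)
        if len({lvl.lower_bound for lvl in self.levels}) != len(self.levels):
            raise ValueError("two risk levels share the same lower bound")
        if self.levels[0].lower_bound != 1:
            raise ValueError("the lowest level must start at score 1 (1 x 1)")
        if self.levels[-1].lower_bound > self.max_score:
            raise ValueError("a level starts above the maximum possible score")

    @property
    def max_score(self) -> int:
        return self.likelihood.size * self.impact.size

    def level_ranges(self) -> list:
        """(label, lower, upper) per level; upper = next lower - 1, last = max score."""
        ranges = []
        for i, lvl in enumerate(self.levels):
            is_last = i + 1 == len(self.levels)
            upper = self.max_score if is_last else self.levels[i + 1].lower_bound - 1
            ranges.append((lvl.label, lvl.lower_bound, upper))
        return ranges

    def score(self, likelihood_rating: int, impact_rating: int) -> int:
        return self.likelihood.validate(likelihood_rating) * self.impact.validate(impact_rating)

    def level_for(self, score: int) -> RiskLevel:
        # The highest level whose lower bound the score reaches.
        chosen = self.levels[0]
        for lvl in self.levels:
            if score >= lvl.lower_bound:
                chosen = lvl
        return chosen

    def assess(self, inherent: tuple, residual: tuple) -> dict:
        """Score a risk twice: before treatment (inherent) and after (residual)."""
        inh = self.score(*inherent)
        res = self.score(*residual)
        return {
            "inherent_score": inh,
            "inherent_level": self.level_for(inh).label,
            "residual_score": res,
            "residual_level": self.level_for(res).label,
        }


# Constructed sample framework: 5-point scales and three levels defined by lower bounds.
LIKELIHOOD = Scale("Likelihood", ("Rare", "Unlikely", "Possible", "Likely", "Almost certain"))
IMPACT = Scale("Impact", ("Negligible", "Minor", "Moderate", "Major", "Severe"))
LEVELS = [
    RiskLevel("Low", 1, "green"),
    RiskLevel("Medium", 6, "amber"),
    RiskLevel("High", 15, "red"),
]
FRAMEWORK = ScoringFramework(LIKELIHOOD, IMPACT, LEVELS)

if __name__ == "__main__":
    print(FRAMEWORK.level_ranges())
    # A risk rated Likely (4) x Severe (5) before treatment, Unlikely (2) x Moderate (3) after.
    print(FRAMEWORK.assess(inherent=(4, 5), residual=(2, 3)))
```

Two details worth noting: the level ranges are recomputed from the lower bounds alone, which is why changing one bound shifts the neighbouring level's upper bound, and the validation in `Scale.validate` is what makes a scale change (say, from 1–5 to 1–10) reject stale ratings instead of quietly mis-scoring them.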