✅ Feature availability: While the Risks page is included on all plans, Advanced Risk Management features (including custom risk rubrics and using multiple risk registers) are only available as an upgrade or add-on. Refer to Vanta Plans and Pricing for details.
Risk scoring is a core part of Risk Management in Vanta, helping you evaluate, prioritize, and report on risk consistently across your organization. Your risk scoring rubric standardizes how risks are assessed and categorized. It defines how risk scores and risk levels are determined and powers the insights shown in reports and snapshots.
⚙️ User permissions: Admins and Editors can view and edit the risk scoring rubric in risk settings. Learn more: User Permissions by Product Area
Understanding risk scoring
A risk scoring rubric has three parts: ratings, scores, and levels. You assign likelihood and impact ratings to evaluate a risk during a risk assessment. These ratings are multiplied to calculate a risk score, which is then mapped to a risk level used to prioritize and report on risk, including in reports and snapshots.
| Metric | What it represents | How it's used |
| --- | --- | --- |
| Likelihood rating | How likely a risk is to occur | You assign a rating for both inherent risk (before treatment) and residual risk (after treatment). |
| Impact rating | The severity of the risk if it occurs | You assign a rating for both inherent risk (before treatment) and residual risk (after treatment). |
| Inherent risk score | Likelihood × impact before treatment | Vanta calculates a score from your inputs and maps it to an inherent risk level. |
| Residual risk score | Likelihood × impact after treatment | Vanta calculates a score from your inputs and maps it to a residual risk level. |
| Risk level | The classification of a risk based on its risk score | Vanta maps each inherent and residual risk score to a risk level, which is used to prioritize and report on risk. |
💡 Tip: During a risk assessment, you score each risk twice using the same rubric: once before selecting a treatment approach to determine the inherent risk score, and once after to determine the residual risk score. We recommend configuring your risk scoring rubric before adding or importing risks so that risk scores and risk levels reflect your methodology from the start.
Editing risk scoring rubrics
Depending on your plan, you may be able to customize your risk scoring rubric. You can customize the rating scales, labels, descriptions, and risk levels, but not the underlying scoring formula. Otherwise, your account will use Vanta's default rubric, which is designed by our GRC experts to support common risk assessment methodologies.
⚠️ Note: If you edit rating scales, scores will be recalculated for impacted risks and owners may need to reapprove them.
Default rubric
Your default rubric is the baseline scoring framework used across your risk registers.
To edit the default rubric:
1. Go to Settings.
2. From the page menu, select Risk and go to the Scoring tab.
3. Under Default rubric, click Edit.
4. Edit the Risk level groups and Dimensions as needed.
5. Click Save to review the confirmation dialog and select which registers to apply your changes to.
6. Click Update rubric.
ℹ️ Note: Any registers you exclude from the update automatically use their own register-specific rubric going forward.
Rubrics by register
If you're using multiple risk registers, each register can use the default rubric or its own register-specific rubric.
To edit a register-specific rubric:
1. Go to Settings.
2. From the page menu, select Risk and go to the Scoring tab.
3. Under Rubrics by register, you can see whether a register is using the default rubric or a register-specific rubric.
4. Find the register you want to update and click to open its settings:
   - Click Edit to customize the Risk level groups and Dimensions as needed.
   - Click ••• to revert to the default rubric.
A few things to keep in mind when using register-specific rubrics:
- If your registers use different rating scales or risk level configurations, you'll need to filter by register in your risk reports. Charts can't combine registers that use different scoring configurations into a single view.
- CSV import and export across all registers are disabled when using register-specific rubrics; you'll need to import or export one register at a time.
- Register-specific rubrics are managed one register at a time. If you want to update multiple registers at once, edit the default rubric and choose which registers should receive the update.
Risk level groups
Risk levels define how risk scores are grouped and interpreted. By default, risk levels are grouped into three levels, and you can customize both the number of levels and how risk scores map to each level.
- Set the number of levels: Choose how many risk levels to use (between 2 and 5).
- Define score ranges: Use the slider to set the score range that maps to each level.
- Customize each level: Edit the label and description for each risk level to reflect how your organization interprets risk.
These settings determine how both inherent risk scores and residual risk scores are categorized and displayed in reports and snapshots.
Dimensions (likelihood and impact scales)
Likelihood and impact ratings define how risks are evaluated during assessments. By default, Vanta uses a 5-point rating scale, but you can customize both the structure and meaning of each rating to match your organization’s approach.
- Adjust the number of ratings in the scale (between 2 and 10)
- Rename the dimension
- Update the dimension description
- Define labels for each rating
- Define descriptions for each rating
These settings determine the options available when assigning likelihood ratings and impact ratings during a risk assessment.
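The following is an added illustration, not Vanta's code, of how the pieces described in Understanding risk scoring, Risk level groups and Dimensions fit together: ratings are validated against the dimension's scale, multiplied into a score, and the score is mapped to a level by ordered score ranges. The labels and the score boundaries in the sample rubric are assumptions for illustration, as are the limits of 2 to 10 ratings and 2 to 5 levels taken from this page.

```python
from dataclasses import dataclass

# Constructed rubric shaped like the default this page describes (5-point scales,
# three levels); labels and score boundaries are assumptions, not Vanta's values.
@dataclass(frozen=True)
class Dimension:
    name: str
    labels: tuple  # one label per rating; ratings run from 1 to len(labels)

    def __post_init__(self):
        if not 2 <= len(self.labels) <= 10:
            raise ValueError(f"{self.name}: a scale needs 2 to 10 ratings")

@dataclass(frozen=True)
class Rubric:
    likelihood: Dimension
    impact: Dimension
    levels: tuple        # level labels ordered low to high (2 to 5 entries)
    upper_bounds: tuple  # inclusive max score of every level except the last

    def __post_init__(self):
        if not 2 <= len(self.levels) <= 5:
            raise ValueError("a rubric needs 2 to 5 risk levels")
        if len(self.upper_bounds) != len(self.levels) - 1:
            raise ValueError("one upper bound is needed per level except the last")

    def score(self, likelihood: int, impact: int) -> int:
        # likelihood x impact: the formula itself cannot be customized
        for dim, rating in ((self.likelihood, likelihood), (self.impact, impact)):
            if not 1 <= rating <= len(dim.labels):
                raise ValueError(f"{dim.name} rating {rating} is off the scale")
        return likelihood * impact

    def level(self, score: int) -> str:
        # walk the ranges low to high; anything above the last bound is the top level
        for label, bound in zip(self.levels, self.upper_bounds):
            if score <= bound:
                return label
        return self.levels[-1]

    def assess(self, inherent: tuple, residual: tuple) -> dict:
        # the same rubric scores a risk twice: before and after treatment
        result = {}
        for stage, (lik, imp) in (("inherent", inherent), ("residual", residual)):
            s = self.score(lik, imp)
            result[stage] = {"score": s, "level": self.level(s)}
        return result

DEFAULT = Rubric(
    Dimension("Likelihood", ("Rare", "Unlikely", "Possible", "Likely", "Almost certain")),
    Dimension("Impact", ("Negligible", "Minor", "Moderate", "Major", "Severe")),
    levels=("Low", "Medium", "High"), upper_bounds=(5, 12))  # 1-5, 6-12, 13-25
```

Building a second Rubric with a shorter scale and re-running assess on the same risks is the recalculation the note above warns about: ratings that fit the old scale can fall off the new one, which is why owners may need to reapprove.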