Risks

Risks are potential events that could impact the security, reputation, and financial health of a company.

Find Risks by search terms and filters

List all Risks

🔒 Requires Risk Management: List Risks permission.

💎 Requires your account have the Risk Management Pro feature. Contact your CSM for help upgrading.

Securitybearer
Request
path Parameters
riskRegisterId
required
number

In the near future risks will be scoped under risk registers, for now always use a value of 1

Example: 1
query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results

size
number [ 1 .. 50 ]
Default: 20

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
expand[]
Array of strings (RiskExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "categories" "controls" "customFields" "documents" "notes" "owners" "reviewers" "tasks" "tickets"
currentVersionTitle
string

Filter Risks by title. Performs a case-insensitive partial match on the Risk title field.

Example: currentVersionTitle=Activity Log Evaluation - Unauthorized System Access
applicable
boolean

Filter Risks by their applicability to the organization. When true, returns only Risks that are applicable/relevant to your organization. When false, returns only Risks marked as not applicable. When omitted, returns all Risks regardless of applicability status.

status
string (RiskStatusTypeEnum)

Filter Risks by status

Enum: "ACTIVE" "ARCHIVED" "CLOSED"
treatmentPlan
string (RiskTreatmentPlanEnum)

Filter Risks by their treatment strategy. Treatment plans define how the organization addresses each Risk: ACCEPT (acknowledge and monitor), AVOID (eliminate the Risk source), MITIGATE (reduce impact/likelihood), TRANSFER (shift to third party via insurance/contracts), or UNTREATED (no action taken yet).

Enum: "UNTREATED" "ACCEPT" "TRANSFER" "AVOID" "MITIGATE"
minScore
number or null [ 1 .. 25 ]

Filter Risks by minimum calculated Risk score (impact × likelihood). Score range depends on organization settings (1-25 with thresholds 1-4=low, 5-9=medium, 10-16=high, 17-25=critical)

Example: minScore=5
maxScore
number or null [ 1 .. 25 ]

Filter Risks by maximum calculated Risk score (impact × likelihood). Score range depends on organization settings (1-25 with thresholds 1-4=low, 5-9=medium, 10-16=high, 17-25=critical)

Example: maxScore=16
vendorId
number or null

Filter Risks by vendor/third-party provider. Specify the unique vendor identifier to return only Risks associated with that specific vendor, such as Risks related to vendor security assessments, data processing agreements, or third-party service dependencies.

Example: vendorId=1
Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/risk-registers/{riskRegisterId}/risks
Request samples 
Response samples 
application/json
{
  • "data": [
    • {
      • "id": 1,
      • "riskId": "AC-04",
      • "title": "Password Management - Password Cracking",
      • "description": "An attacker attempts to gain access to organizational information by guessing of passwords.",
      • "treatmentPlan": "UNTREATED",
      • "treatmentDetails": "Implementing multi-factor authentication and password complexity requirements to reduce likelihood of successful password attacks.",
      • "anticipatedCompletionDate": "2025-07-01T16:45:55.246Z",
      • "completionDate": "2025-07-01T16:45:55.246Z",
      • "score": 25,
      • "residualScore": 9,
      • "status": "ACTIVE",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z",
      • "controls": [
        • {
          • "id": 1,
          • "code": "AC-1",
          • "name": "Access Control",
          • "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n                 predetermined criteria. Incidents are escalated per policy.",
          • "isReady": true,
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "categories": [
        • {
          • "id": 1,
          • "name": "Access Control",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "owners": [
        • {
          • "id": 1,
          • "email": "[email protected]",
          • "firstName": "Sally",
          • "lastName": "Smith",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "reviewers": [
        • {
          • "id": 1,
          • "email": "[email protected]",
          • "firstName": "Sally",
          • "lastName": "Smith",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "documents": [
        • {
          • "id": 1,
          • "name": "Risk Assessment Report Q4 2023.pdf",
          • "downloadUrl": "https://example.com/document.pdf",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "notes": [
        • {
          • "id": 1,
          • "comment": "This Risk has been reviewed and approved by the security team. Implementation timeline updated.",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "tickets": [
        • {
          • "id": 1,
          • "externalTicketId": "ENG-11245",
          • "isDone": false,
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "tasks": [
        • {
          • "id": 1,
          • "title": "Review quarterly security policies",
          • "description": "Conduct a comprehensive review of all security policies to ensure compliance with current regulations.",
          • "dueDate": "2020-07-06",
          • "completedAt": "2025-07-01T16:45:55.246Z",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "customFields": [
        • {
          • "customFieldId": 1,
          • "name": "Stakeholders",
          • "value": "Security & IT"
          }
        ]
      }
    ],
  • "pagination": {
    • "cursor": "string"
    }
}
Create Risk
Create a new custom Risk in the Risk register.


🔒 Requires Risk Management: Create Risk permission.


💎 Requires your account have the Risk Management Pro feature. Contact your CSM for help upgrading.


Securitybearer 
Request 
path Parameters
riskRegisterId
required
number
In the near future risks will be scoped under risk registers, for now always use a value of 1


 
 Example:  1
Request Body schema: application/json
required
title
required
string  <= 191 characters 
Descriptive title that clearly identifies the nature and scope of the Risk


 
description
required
string  <= 768 characters 
Comprehensive description of the Risk scenario, potential threats, business impact, and affected systems or processes


 
identifiedAt
string or null <date> 
Date when the Risk was first identified (accepts date-only or full ISO8601 format)


 
impact
number  [ 1 .. 5 ] 
Impact score representing the potential severity of consequences if the Risk materializes (1-5 scale, where 5 is most severe)


 
likelihood
number  [ 1 .. 5 ] 
Likelihood score representing the probability of the Risk occurring (1-5 scale, where 5 is most likely)


 
treatmentPlan
string
 Default:  0
Strategy for addressing the Risk: ACCEPT (acknowledge and monitor), AVOID (eliminate source), MITIGATE (reduce impact/likelihood), TRANSFER (shift to third party), UNTREATED (no action taken)


 Enum: "UNTREATED" "ACCEPT" "TRANSFER" "AVOID" "MITIGATE"  
treatmentDetails
string  <= 30000 characters 
Detailed explanation of the specific actions, controls, or measures being implemented to address the Risk. Cannot be provided when treatmentPlan is UNTREATED


 
anticipatedCompletionDate
string <date-time> 
Target date for completing Risk treatment activities (accepts date-only or full ISO8601 format). Cannot be provided when treatmentPlan is UNTREATED


 
completionDate
string <date> 
Actual date when Risk treatment was completed (accepts date-only or full ISO8601 format). Cannot be provided when treatmentPlan is UNTREATED


 
residualImpact
number  [ 1 .. 5 ] 
Residual impact score after treatment implementation (1-5 scale). Cannot be provided when treatmentPlan is UNTREATED


 
residualLikelihood
number  [ 1 .. 5 ] 
Residual likelihood score after treatment implementation (1-5 scale). Cannot be provided when treatmentPlan is UNTREATED


 
status
string
 Default:  "ACTIVE"
Current status of the Risk in the Risk management lifecycle


 Enum: "ACTIVE" "ARCHIVED" "CLOSED"  
Array of objects (CategoryRequestPublicV2Dto)   unique 
Risk categories for classification and reporting purposes


 
Array of objects (RiskOwnerRequestPublicV2Dto)   unique 
Users responsible for managing and monitoring this Risk


 
Array of objects (ReviewerRequestPublicV2Dto)   unique 
Users responsible for reviewing and approving Risk treatment plans. Cannot be provided when treatmentPlan is UNTREATED


 
Array of objects (RiskControlRequestPublicV2Dto)   unique 
Security controls implemented to mitigate this Risk


 
Responses 
201
Created


400
Malformed data and/or validation errors


401
Invalid Authorization


402
You must upgrade your plan to use this feature


403
You are not allowed to perform this action


409
There is a conflict in the business rules with this request


412
You must accept the Drata terms and conditions to use the API


422
Unprocessable Entity


500
Internal server error


post/risk-registers/{riskRegisterId}/risks
Request samples 
application/json
{
  • "title": "Password Management - Weak Password Policies",
  • "description": "Weak password policies may allow unauthorized access to organizational systems and data through password-based attacks such as brute force, dictionary attacks, or credential stuffing.",
  • "identifiedAt": "2020-07-06",
  • "impact": 4,
  • "likelihood": 3,
  • "treatmentPlan": "MITIGATE",
  • "treatmentDetails": "Implement multi-factor authentication and enforce strong password complexity requirements across all systems.",
  • "anticipatedCompletionDate": "2020-07-06",
  • "completionDate": "2020-07-06",
  • "residualImpact": 2,
  • "residualLikelihood": 2,
  • "status": "ACTIVE",
  • "categories": [
    • {
      • "id": 1
      }
    ],
  • "owners": [
    • {
      • "id": 1
      }
    ],
  • "reviewers": [
    • {
      • "id": 1
      }
    ],
  • "controls": [
    • {
      • "id": 1
      }
    ]
}
Response samples 
application/json
{
  • "id": 1,
  • "riskId": "AC-04",
  • "title": "Password Management - Password Cracking",
  • "description": "An attacker attempts to gain access to organizational information by guessing of passwords.",
  • "treatmentPlan": "UNTREATED",
  • "treatmentDetails": "Implementing multi-factor authentication and password complexity requirements to reduce likelihood of successful password attacks.",
  • "anticipatedCompletionDate": "2025-07-01T16:45:55.246Z",
  • "completionDate": "2025-07-01T16:45:55.246Z",
  • "score": 25,
  • "residualScore": 9,
  • "status": "ACTIVE",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "updatedAt": "2025-07-01T16:45:55.246Z",
  • "controls": [
    • {
      • "id": 1,
      • "code": "AC-1",
      • "name": "Access Control",
      • "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n                 predetermined criteria. Incidents are escalated per policy.",
      • "isReady": true,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "categories": [
    • {
      • "id": 1,
      • "name": "Access Control",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "owners": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "reviewers": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "documents": [
    • {
      • "id": 1,
      • "name": "Risk Assessment Report Q4 2023.pdf",
      • "downloadUrl": "https://example.com/document.pdf",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "notes": [
    • {
      • "id": 1,
      • "comment": "This Risk has been reviewed and approved by the security team. Implementation timeline updated.",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "tickets": [
    • {
      • "id": 1,
      • "externalTicketId": "ENG-11245",
      • "isDone": false,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "tasks": [
    • {
      • "id": 1,
      • "title": "Review quarterly security policies",
      • "description": "Conduct a comprehensive review of all security policies to ensure compliance with current regulations.",
      • "dueDate": "2020-07-06",
      • "completedAt": "2025-07-01T16:45:55.246Z",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "customFields": [
    • {
      • "customFieldId": 1,
      • "name": "Stakeholders",
      • "value": "Security & IT"
      }
    ]
}
Get a specific Risk by ID.
Get Risk


🔒 Requires Risk Management: Get Risk permission.


💎 Requires your account have the Risk Management Pro feature. Contact your CSM for help upgrading.


Securitybearer 
Request 
path Parameters
riskRegisterId
required
number
In the near future risks will be scoped under risk registers, for now always use a value of 1


 
 Example:  1
required
number or string
An integer Risk ID or string Risk ID prefixed with riskId:


 
query Parameters
expand[]
Array of strings (RiskExpandEnum) 
List of subcollections and sub-objects to expand


Items Enum: "categories" "controls" "customFields" "documents" "notes" "owners" "reviewers" "tasks" "tickets"  
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


402
You must upgrade your plan to use this feature


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


get/risk-registers/{riskRegisterId}/risks/{riskId}
Request samples 
Response samples 
application/json
{
  • "id": 1,
  • "riskId": "AC-04",
  • "title": "Password Management - Password Cracking",
  • "description": "An attacker attempts to gain access to organizational information by guessing of passwords.",
  • "treatmentPlan": "UNTREATED",
  • "treatmentDetails": "Implementing multi-factor authentication and password complexity requirements to reduce likelihood of successful password attacks.",
  • "anticipatedCompletionDate": "2025-07-01T16:45:55.246Z",
  • "completionDate": "2025-07-01T16:45:55.246Z",
  • "score": 25,
  • "residualScore": 9,
  • "status": "ACTIVE",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "updatedAt": "2025-07-01T16:45:55.246Z",
  • "controls": [
    • {
      • "id": 1,
      • "code": "AC-1",
      • "name": "Access Control",
      • "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n                 predetermined criteria. Incidents are escalated per policy.",
      • "isReady": true,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "categories": [
    • {
      • "id": 1,
      • "name": "Access Control",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "owners": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "reviewers": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "documents": [
    • {
      • "id": 1,
      • "name": "Risk Assessment Report Q4 2023.pdf",
      • "downloadUrl": "https://example.com/document.pdf",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "notes": [
    • {
      • "id": 1,
      • "comment": "This Risk has been reviewed and approved by the security team. Implementation timeline updated.",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "tickets": [
    • {
      • "id": 1,
      • "externalTicketId": "ENG-11245",
      • "isDone": false,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "tasks": [
    • {
      • "id": 1,
      • "title": "Review quarterly security policies",
      • "description": "Conduct a comprehensive review of all security policies to ensure compliance with current regulations.",
      • "dueDate": "2020-07-06",
      • "completedAt": "2025-07-01T16:45:55.246Z",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "customFields": [
    • {
      • "customFieldId": 1,
      • "name": "Stakeholders",
      • "value": "Security & IT"
      }
    ]
}
Update Risk
Update an existing Risk.


🔒 Requires Risk Management: Update Risk permission.


💎 Requires your account have the Risk Management Pro feature. Contact your CSM for help upgrading.


Securitybearer 
Request 
path Parameters
riskRegisterId
required
number
In the near future risks will be scoped under risk registers, for now always use a value of 1


 
 Example:  1
required
number or string
An integer Risk ID or string Risk ID prefixed with riskId:


 
Request Body schema: application/json
required
title
string  <= 191 characters 
Descriptive title that clearly identifies the nature and scope of the Risk


 
description
string  <= 768 characters 
Comprehensive description of the Risk scenario, potential threats, business impact, and affected systems or processes


 
identifiedAt
string or null <date> 
Date when the Risk was first identified


 
impact
number  [ 1 .. 5 ] 
Impact score representing the potential severity of consequences if the Risk materializes (1-5 scale, where 5 is most severe)


 
likelihood
number  [ 1 .. 10 ] 
Likelihood score representing the probability of the Risk occurring (1-5 scale, where 5 is most likely)


 
treatmentPlan
string
Strategy for addressing the Risk: ACCEPT (acknowledge and monitor), AVOID (eliminate source), MITIGATE (reduce impact/likelihood), TRANSFER (shift to third party), UNTREATED (no action taken)


 Enum: "UNTREATED" "ACCEPT" "TRANSFER" "AVOID" "MITIGATE"  
treatmentDetails
string  <= 30000 characters 
Detailed explanation of the specific actions, controls, or measures being implemented to address the Risk. Cannot be provided when treatmentPlan is UNTREATED


 
anticipatedCompletionDate
string <date> 
Target date for completing Risk treatment activities. Cannot be provided when treatmentPlan is UNTREATED


 
completionDate
string <date> 
Actual date when Risk treatment was completed. Cannot be provided when treatmentPlan is UNTREATED


 
residualImpact
number  [ 1 .. 5 ] 
Residual impact score after treatment implementation (1-5 scale). Cannot be provided when treatmentPlan is UNTREATED


 
residualLikelihood
number  [ 1 .. 5 ] 
Residual likelihood score after treatment implementation (1-5 scale). Cannot be provided when treatmentPlan is UNTREATED


 
status
string
Current status of the Risk in the Risk management lifecycle


 Enum: "ACTIVE" "ARCHIVED" "CLOSED"  
Array of objects (CategoryRequestPublicV2Dto)   unique 
Risk categories for classification and reporting purposes


 
Array of objects (RiskOwnerRequestPublicV2Dto)   unique 
Users responsible for managing and monitoring this Risk


 
Array of objects (ReviewerRequestPublicV2Dto)   unique 
Users responsible for reviewing and approving Risk treatment plans. Cannot be provided when treatmentPlan is UNTREATED


 
Array of objects (RiskControlRequestPublicV2Dto)   unique 
Security controls implemented to mitigate this Risk


 
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


402
You must upgrade your plan to use this feature


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


422
Unprocessable Entity


500
Internal server error


put/risk-registers/{riskRegisterId}/risks/{riskId}
Request samples 
application/json
{
  • "title": "Password Management - Weak Password Policies",
  • "description": "Weak password policies may allow unauthorized access to organizational systems and data through password-based attacks such as brute force, dictionary attacks, or credential stuffing.",
  • "identifiedAt": "2020-07-06",
  • "impact": 4,
  • "likelihood": 3,
  • "treatmentPlan": "MITIGATE",
  • "treatmentDetails": "Implement multi-factor authentication and enforce strong password complexity requirements across all systems.",
  • "anticipatedCompletionDate": "2020-07-06",
  • "completionDate": "2024-12-01",
  • "residualImpact": 2,
  • "residualLikelihood": 2,
  • "status": "ACTIVE",
  • "categories": [
    • {
      • "id": 1
      }
    ],
  • "owners": [
    • {
      • "id": 1
      }
    ],
  • "reviewers": [
    • {
      • "id": 1
      }
    ],
  • "controls": [
    • {
      • "id": 1
      }
    ]
}
Response samples 
application/json
{
  • "id": 1,
  • "riskId": "AC-04",
  • "title": "Password Management - Password Cracking",
  • "description": "An attacker attempts to gain access to organizational information by guessing of passwords.",
  • "treatmentPlan": "UNTREATED",
  • "treatmentDetails": "Implementing multi-factor authentication and password complexity requirements to reduce likelihood of successful password attacks.",
  • "anticipatedCompletionDate": "2025-07-01T16:45:55.246Z",
  • "completionDate": "2025-07-01T16:45:55.246Z",
  • "score": 25,
  • "residualScore": 9,
  • "status": "ACTIVE",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "updatedAt": "2025-07-01T16:45:55.246Z",
  • "controls": [
    • {
      • "id": 1,
      • "code": "AC-1",
      • "name": "Access Control",
      • "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n                 predetermined criteria. Incidents are escalated per policy.",
      • "isReady": true,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "categories": [
    • {
      • "id": 1,
      • "name": "Access Control",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "owners": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "reviewers": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "documents": [
    • {
      • "id": 1,
      • "name": "Risk Assessment Report Q4 2023.pdf",
      • "downloadUrl": "https://example.com/document.pdf",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "notes": [
    • {
      • "id": 1,
      • "comment": "This Risk has been reviewed and approved by the security team. Implementation timeline updated.",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "tickets": [
    • {
      • "id": 1,
      • "externalTicketId": "ENG-11245",
      • "isDone": false,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "tasks": [
    • {
      • "id": 1,
      • "title": "Review quarterly security policies",
      • "description": "Conduct a comprehensive review of all security policies to ensure compliance with current regulations.",
      • "dueDate": "2020-07-06",
      • "completedAt": "2025-07-01T16:45:55.246Z",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "customFields": [
    • {
      • "customFieldId": 1,
      • "name": "Stakeholders",
      • "value": "Security & IT"
      }
    ]
}