> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get risk scenario by ID

> Get a risk scenario by ID (can be the Risk ID or the object ID).



## OpenAPI

````yaml /reference/manage-vanta.json get /risk-scenarios/{riskScenarioId}
openapi: 3.0.0
info:
  title: Manage Vanta
  version: 1.0.0
  description: >-
    The REST API lets customers query and mutate Vanta's data. Use this API to
    automate bulk actions, query data for custom workflows and dashboards, and
    bolster your security operations


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /risk-scenarios/{riskScenarioId}:
    get:
      tags:
        - Risk Scenarios
      summary: Get risk scenario by ID
      description: Get a risk scenario by ID (can be the Risk ID or the object ID).
      operationId: GetRiskScenario
      parameters:
        - in: path
          name: riskScenarioId
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RiskScenario'
              examples:
                Example 1:
                  value:
                    riskId: assets-not-identified-and-protected
                    description: >-
                      Assets are not identified and protected according to
                      company requirements.
                    detailedDescription: null
                    isSensitive: false
                    likelihood: 4
                    impact: 4
                    residualLikelihood: 2
                    residualImpact: 1
                    categories:
                      - Access control
                    ciaCategories:
                      - Confidentiality
                    treatment: Avoid
                    owner: null
                    note: null
                    riskRegister: Default
                    customFields: []
                    isArchived: false
                    reviewStatus: DRAFT
                    requiredApprovers: []
                    type: Risk Scenario
                    identificationDate: '2024-03-07T18:46:05.944Z'
      security:
        - bearerAuth: []
components:
  schemas:
    RiskScenario:
      properties:
        riskId:
          type: string
          description: >-
            The unique ID of the risk specified by the user. Used to reference
            and update existing risks.
        description:
          type: string
          description: >-
            This describes an actual or potential risk to your organization's
            people, processes, technology, data, and facilities.

            Document actual issues or likely scenarios based on your specific
            environment or a potential vulnerability.


            Naming note: in the UI, `description` is labelled "Title" and

            `detailedDescription` is labelled "Description". The field names

            are preserved for backwards compatibility with the public REST API

            and existing data.
        detailedDescription:
          type: string
          nullable: true
          description: >-
            Optional long-form description providing extended context for the
            risk scenario.

            Maximum 10000 characters.


            Naming note: in the UI, `description` is labelled "Title" and

            `detailedDescription` is labelled "Description". The field names

            are preserved for backwards compatibility with the public REST API

            and existing data.
        isSensitive:
          type: boolean
          nullable: true
          description: >-
            If set to true this risk can only be seen by its owner or users with
            Admin, RiskSensitiveManage or RiskSensitiveView permissions.
          deprecated: true
        likelihood:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the probability of an incident occurring due to this risk
            or vulnerability, expressed as a numerical score.

            Defaults to a range of 1-5, where higher values indicate greater
            likelihood. The range can be customized in the Risk Management
            settings.

            A value of `null` indicates that no score has been assigned.
        impact:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the potential severity of harm to your organization’s
            operations if this risk is exploited, expressed as a numerical
            score.

            Defaults to a range of 1-5, where higher values indicate greater
            impact. The range can be customized in the Risk Management settings.

            A value of `null` indicates that no score has been assigned.
        residualLikelihood:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the adjusted probability of this risk being exploited or
            affecting operations after implementing risk treatments, such as
            controls or mitigations.

            Expressed as a numerical score, defaulting to a range of 1-5. The
            range can be customized in the Risk Management settings.

            A value of `null` indicates that no score has been assigned.
        residualImpact:
          type: integer
          format: int32
          nullable: true
          description: >-
            Represents the adjusted severity of harm to your organization’s
            operations if this risk is exploited after implementing risk
            treatments, such as controls or mitigations.

            Expressed as a numerical score, defaulting to a range of 1-5. The
            range can be customized in the Risk Management settings.

            A value of `null` indicates that no score has been assigned.
        categories:
          items:
            type: string
          type: array
          description: The list of categories this risk scenario belongs to.
        ciaCategories:
          items:
            $ref: '#/components/schemas/CIA'
          type: array
          description: >-
            A list of the following for the type of risk documented:

            - Confidentiality: Risk to data stores, customer/sensitive
            information, etc.

            - Integrity: Risk to accuracy or integrity of system settings and/or
            data

            - Availability: Risk to normal service operations and critical
            system functionality
        treatment:
          allOf:
            - $ref: '#/components/schemas/Treatment'
          nullable: true
          description: >-
            Indicate how your leadership team wants to address an identified
            risk. Please note: not all risks need to be addressed immediately
            (or at all). Your Risk Treatment decision will depend on multiple
            factors, such as your organization's risk tolerance and the value of
            the asset that the risk is associated with. The options are:

            - Mitigate: Identify controls to put in place or tasks to be done
            that will reduce the risk score.

            - Transfer: Move risk outside of your organization's set of
            responsibilities e.g. get cyber liability insurance.

            - Avoid: Stop doing the activity which is causing the risk to your
            organization and its assets.

            - Accept: Decide to live with the risk and take no further actions.
            - Accept: decide to live with the risk; this may be because it is
            highly unlikely, has a low financial or operational impact, or the
            cost and effort to treat the risk far exceeds the value of the asset
        owner:
          type: string
          nullable: true
          description: >-
            The email of the person responsible for tracking and mitigating this
            risk scenario.
        note:
          type: string
          nullable: true
          description: >-
            Additional context about the risk scenario and why it has specific
            impact and likelihood scores.
        riskRegister:
          type: string
          nullable: true
          description: Name of the risk register associated with this scenario.
        customFields:
          items:
            $ref: '#/components/schemas/CustomAttribute'
          type: array
          description: >-
            The list of custom fields.

            You can reference existing custom fields in the Risk Management
            settings and/or create new ones.

            The format is:

            - {label: "field-name", value: "string-representation"} for text,
            date, number and currency fields

            - {label: "field-name", value: ["option1", "option2"]} for picklist
            fields
        isArchived:
          type: boolean
          description: Whether this scenario is archived.
        reviewStatus:
          $ref: '#/components/schemas/ReviewStatus'
          description: The current review status of this risk scenario
        requiredApprovers:
          items:
            type: string
          type: array
          description: The list of required approvers for this risk scenario.
        type:
          $ref: '#/components/schemas/RiskScenarioType'
          description: |-
            The type of risk scenario.
            - "Risk Scenario": Standard risk scenario
            - "Enterprise Risk": Enterprise-level risk
        identificationDate:
          type: string
          format: date-time
          description: >-
            The date this risk was identified. Matches the "Identified Date"
            field in the Vanta UI. Set by the customer when a risk is created;
            defaults to the scenario's creation time when not explicitly
            provided.
      required:
        - riskId
        - description
        - isSensitive
        - likelihood
        - impact
        - residualLikelihood
        - residualImpact
        - categories
        - ciaCategories
        - treatment
        - owner
        - note
        - riskRegister
        - customFields
        - isArchived
        - reviewStatus
        - requiredApprovers
        - type
        - identificationDate
      type: object
      additionalProperties: false
    CIA:
      type: string
      enum:
        - Confidentiality
        - Integrity
        - Availability
    Treatment:
      type: string
      enum:
        - Mitigate
        - Transfer
        - Avoid
        - Accept
    CustomAttribute:
      properties:
        label:
          type: string
        value:
          anyOf:
            - type: string
            - items:
                type: string
              type: array
      required:
        - label
        - value
      type: object
      additionalProperties: false
    ReviewStatus:
      type: string
      enum:
        - APPROVED
        - DRAFT
        - NOT_REVIEWED
        - AWAITING_SUBMISSION
        - PENDING_APPROVAL
        - REQUESTED_CHANGES
    RiskScenarioType:
      type: string
      enum:
        - Risk Scenario
        - Enterprise Risk
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````