RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Risk-led integrated GRC platform: one register for enterprise, IT, vendor, and audit risk, with KRI auto-escalation and 40+ frameworks underneath.
Summary
RiskWatch is a risk-led integrated GRC platform built around a Global Risk Register that consolidates enterprise, IT, vendor, and operational risk into one view, with business-unit-to-enterprise rollup for the board. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, a risk treatment workflow with owner assignment and tasks tracked to closure, and threat and vulnerability libraries that feed risk scores, plus heat maps and executive dashboards aligned to COSO ERM 2017 and ISO 31000:2018. Risk-to-Compliance bi-directional mapping is the unifier that puts risk and compliance in one platform: audit findings flow back into risk scores and the register feeds control-assessment scope and the audit universe. Underneath sit pre-mapped control libraries for 40+ regulatory frameworks including SOX 404, COSO 2013, COSO ERM 2017, ISO 31000:2018, NIST CSF 2.0, NIST 800-53 r5, NIST 800-171 r3, ISO 27001:2022, HIPAA, PCI DSS v4, SOC 2 TSC 2017, GDPR, CMMC 2.0, and CCPA, with a cross-mapping engine that auto-detects shared controls across frameworks. Customers include state governments in all 50 US states, healthcare networks, financial-services holding companies, and federal agencies; the product has been in the field since 1993. RiskWatch is sold quote-only.
Strengths
- Global Risk Register consolidates enterprise, IT, vendor, and operational risk into one register with business-unit-to-enterprise rollup for the board
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so exposure surfaces between annual review cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations; mitigation is tracked to closure, not just logged
- Threat and vulnerability libraries plus heat maps and executive risk dashboards aligned to COSO ERM 2017 and ISO 31000:2018
- Risk-to-Compliance bi-directional mapping puts risk and compliance in one platform: audit findings flow back into risk scores and the register feeds control-assessment scope and the audit universe
- 40+ pre-built framework libraries with cross-mapping between common controls (ISO 27001 / SOC 2 / NIST 800-53 / SOX 404 overlap is auto-detected, not manually built)
- Physical security, vendor risk, policy management, and compliance management are first-party modules in the same tenant
- Survey-based assessment engine works for non-technical control owners; no SQL or workflow-builder skills required
- Single-tenant deployment with customer-owned data residency and a 33-year operating history with federal customers (US Department of Defense, VA, DOJ, NSA per public press)
Weaknesses
- Not a Tier-1 enterprise IRM at MetricStream or IBM OpenPages depth; Fortune 500 global banks running 5+ programmes with $750K+ budgets may want the bigger module library
- Quote-only pricing across all tiers because deployment topology varies materially
Mid-market and regulated-industry risk and compliance teams running 3+ GRC programmes who want one global register for enterprise, IT, vendor, and operational risk, with KRI-driven escalation, treatment workflows, and board-ready heat maps, plus internal audit, TPRM, and compliance mapping across 40+ frameworks in one tenant, risk and compliance unified rather than split across two tools.
Fortune 500 global banks running 5+ programmes with $750K+ annual budgets and on-premises deployment requirements; MetricStream, IBM OpenPages, or Archer fit that brief better.
Key features
- Global Risk Register with business-unit-to-enterprise rollup across enterprise, IT, vendor, and operational risk
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries, heat maps, and executive / board risk dashboards
- Risk-to-Compliance bi-directional mapping (audit findings update risk scores; register feeds the audit universe)
- Audit-universe-to-control linkage with annual risk-assessment workflow aligned to COSO ERM 2017 and ISO 31000:2018
- Pre-built control libraries for 40+ frameworks (SOX 404, COSO 2013, COSO ERM 2017, ISO 31000:2018, NIST CSF 2.0, NIST 800-53 r5, NIST 800-171 r3, ISO 27001:2022, HIPAA, PCI DSS v4, SOC 2 TSC 2017, GDPR, CMMC 2.0, CCPA, FFIEC, NERC CIP)
- Cross-mapping engine that auto-detects shared controls across frameworks
- Evidence vault with versioning and audit-ready export
- Vendor risk management with BAA and SOC 2 tracking; policy management with approval and attestation workflows
- Physical security assessment module (ASIS-aligned) inside the same tenant; single-tenant deployment for data-residency requirements
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
100 to 25,000 employees · US · Canada · EU · UK · AU