RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Community and regional-bank risk platform: one global register from threat to treatment, with KRI auto-escalation and examiner-mapped frameworks underneath.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls up operational, IT, vendor, and physical risk into one view, with business-unit-to-enterprise aggregation for the board. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, an RCSA and scenario-analysis workflow suited to community-bank operational risk teams, a treatment workflow with owner assignment and tasks, and native threat and vulnerability libraries that feed risk scores. Its differentiator is Risk-to-Compliance bi-directional mapping: examination and audit findings flow back into risk scores and the register feeds control-assessment scope, so bank risk and compliance are not two disconnected tools. Pre-mapped control libraries for 40+ frameworks (FFIEC IT Examination Handbook booklets, GLBA Safeguards Rule, BSA / AML control objectives, SOX 404, NIST 800-53 r5, SOC 2 TSC 2017, ISO 27001:2022, PCI DSS v4, CMMC 2.0) sit underneath, cross-mapped so the same evidence file satisfies multiple bank audits. Bank customers include state-chartered community banks, regional bank holding companies, and several state banking departments. Single-tenant deployment supports OCC, FRB, FDIC, and state examiner evidence requests without exporting data out of the customer tenant.
Strengths
- Global Risk Register consolidates operational, IT, vendor, and physical risk into one register with business-unit-to-enterprise rollup for the board and community-bank RCSA and scenario-analysis workflow
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so breaches surface between annual exam cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations; mitigation is tracked to closure, not just logged
- Native threat and vulnerability libraries plus heat maps and executive risk dashboards for board-ready reporting
- Risk-to-Compliance bi-directional mapping: examination and audit findings flow back into risk scores and the register feeds control-assessment scope across FFIEC IT Exam Handbook booklets, GLBA Safeguards Rule, BSA / AML control objectives, SOX, NIST 800-53, SOC 2, and PCI DSS, so the same evidence file satisfies multiple bank audits
- 33-year operating history including state banking departments and federal customers; the customer reference base survives an OCC examiner conversation
- Single-tenant deployment with customer-owned data residency for OCC, FRB, FDIC, and state examination evidence requests
- Vendor risk management, policy management, and physical security assessment run in one tenant, useful for Interagency Third-Party Guidance vendor diligence and bank branch and ATM site controls
Weaknesses
- No native CECL / ALLL impairment engine or IRRBB modeling; the platform covers the operational and IT side of bank ERM, not the quantitative-capital side
- Pricing is quote-only; like most platforms in this category RiskWatch does not publish a public list price, so buyers must book a scoping call to get a number
Community and regional banks, state-chartered banks, and bank holding companies under $25B in assets that want one global register for operational, IT, vendor, and physical risk, with KRI-driven escalation, RCSA and scenario-analysis workflow, treatment tracking, and board-ready heat maps, plus cross-mapped FFIEC, GLBA, BSA / AML, SOX, NIST 800-53, and SOC 2 compliance underneath.
Tier 1 global banks that need native quantitative Basel III/IV market-risk, FRTB, CECL, CCAR, or DFAST capital-stress engines; Wolters Kluwer OneSumX or IBM OpenPages fit that brief better.
Key features
- Global Risk Register with business-unit-to-enterprise rollup across operational, IT, vendor, and physical risk
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- RCSA and scenario-analysis workflow for community-bank operational risk teams
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries plus heat maps, risk dashboards, and executive / board risk reporting
- Risk-to-Compliance bi-directional mapping (examination and audit findings update risk scores)
- Cross-mapped control libraries for 40+ frameworks (FFIEC IT Examination Handbook booklets, GLBA Safeguards Rule, BSA / AML control objectives, SOX 404, NIST 800-53 r5, SOC 2, ISO 27001:2022, PCI DSS v4, CCPA, CMMC 2.0)
- Evidence vault with versioning and OCC / FRB / FDIC / state examiner-ready export
- Vendor risk management with Interagency Third-Party Risk Management Guidance (June 2023) diligence workflow
- Policy management with approval and attestation for SOX 302 sign-off and board-policy lifecycle
- Physical security assessment module for bank branch and ATM site controls
- Single-tenant deployment for customer-owned data residency
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
100 to 25,000 employees · US · Canada · EU · UK · AU