RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Higher-ed and K-12 risk platform: one register from threat to treatment, with KRI auto-escalation and NACUBO ERM built in.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls up institutional, IT, vendor, and physical risk into one view, with department-and-campus-to-enterprise aggregation for the board of trustees. It runs a risk assessment engine with a KRI (Key Risk Indicator) library that auto-escalates a risk when it breaches its threshold, a treatment workflow with owner assignment and tasks tracked to closure, and native threat and vulnerability libraries that feed risk scores into heat maps and executive dashboards. Its differentiator is Risk-to-Compliance bi-directional mapping: audit findings flow back into risk scores and the register feeds control-assessment scope, so risk and regulatory compliance run together rather than as two disconnected tools. The register aligns to the NACUBO and AGB Enterprise Risk Management Framework for Higher Education with the 2024 update, and pre-built control libraries for 40+ frameworks sit underneath, including FERPA (20 USC 1232g / 34 CFR Part 99), Title IX (34 CFR Part 106 2024 Final Rule), Clery Act (20 USC 1092(f) / 34 CFR 668.46 with VAWA Section 304), NIST SP 800-171 r3 for Controlled Unclassified Information on federally-funded research, NIST CSF 2.0 for K-12 districts, GLBA Safeguards Rule for Title IV institutions, HIPAA for university health centres, and PCI DSS v4.0.1 for campus payment operations, cross-mapped so one control answer can satisfy several regulators at once. Customers include state agencies, multi-campus university systems, K-12 district consortia, and community college systems, and the survey-based assessment engine lets non-technical control owners respond directly. Single-tenant deployment keeps student-record data in the institution's control under FERPA.
Strengths
- Global Risk Register consolidates institutional, IT, vendor, and physical risk into one register with department-and-campus-to-enterprise rollup for the board of trustees, aligned to the NACUBO and AGB ERM Framework
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so exposure surfaces between assessment cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure; native threat and vulnerability libraries feed heat maps and executive risk dashboards
- Risk-to-Compliance bi-directional mapping ties audit findings back into risk scores and feeds the register into control-assessment scope, so risk and regulatory compliance run together
- FERPA (20 USC 1232g / 34 CFR Part 99), Title IX (34 CFR Part 106 2024 Final Rule), Clery Act (20 USC 1092(f) / 34 CFR 668.46 with VAWA Section 304), NIST SP 800-171 r3, NIST CSF 2.0 for K-12, GLBA Safeguards, HIPAA, and PCI DSS v4.0.1 pre-mapped and cross-mapped so one evidence item satisfies Department of Education, OCR, state attorney general, and accreditor audits
- Single-tenant deployment with customer-owned data residency, which matters for FERPA student-record data, Title IX adjudication records, Clery Act incident logs, and CUI under NIST 800-171 for federally-funded research grants
- Vendor risk management module supports the third-party SaaS-vendor diligence workflow under FERPA 34 CFR 99.31(a)(1)(i)(B) school-official exception, the California SOPIPA, Illinois SOPPA, and New York Education Law 2-d requirements that 40+ states now layer on top of FERPA
- Physical security assessment module supports Clery Act-aligned campus security plans, K-12 site security under CISA School Safety guidance, and Behavioural Intervention Team (BIT) facility-risk inputs
- Survey-based assessment engine works for non-technical control owners; Title IX Coordinators, Clery Compliance Officers, FERPA Compliance Officers, and K-12 superintendents can complete control attestations without IT translation
- 33-year operating history with state government customers across all 50 states, and quote-only pricing with a published support tier ladder in a category where nine of ten vendors gate pricing entirely
Weaknesses
- Not a purpose-built URMIA risk-pool RMIS at the depth that Origami Risk or Riskonnect ship; insurance, claims management, and TCOR aggregation across pool members run through the assessment and evidence layer rather than a dedicated RMIS claims database
- Not a purpose-built Title IX case-management point tool at the depth Maxient, Symplicity Advocate, or Guardian Conduct ship; Title IX adjudication records live in the evidence vault rather than a dedicated Title-IX case-management UI with grievance-process workflow and live-hearing module
- RiskWatch is quote-only across all tiers because campus topology, multi-campus rollout, and federal research portfolio vary materially
- No native NCAA Compliance Office workflow at the depth ARMS (Athletics Risk Management Software) or LSDBi tools ship; NCAA institutional integrity records run through the evidence vault rather than a dedicated NCAA compliance UI
K-12 districts, public and private colleges, universities, state university systems, community colleges, and research-intensive R1 institutions that want one global risk register rolled up to the board of trustees under the NACUBO ERM Framework, with KRI-driven escalation, treatment workflows, and board-ready heat maps, plus FERPA, Title IX, Clery, and NIST 800-171 compliance mapped in and single-tenant student-record data residency.
Single-campus institutions whose only need is a URMIA risk-pool RMIS workflow; Origami Risk fits that brief better. Or single-campus institutions whose only need is a Title IX case-management tool with grievance-process workflow; Maxient fits that brief better as a point tool.
Key features
- Global Risk Register with department-and-campus-to-enterprise rollup for the board of trustees, aligned to the NACUBO and AGB ERM Framework (2024 update)
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries that feed risk scores, heat maps, and executive dashboards
- Risk-to-Compliance bi-directional mapping (audit findings update risk scores), cross-mapped across FERPA, GLBA, and NIST 800-171
- FERPA 20 USC 1232g and 34 CFR Part 99 pre-mapped (record-of-disclosure log + school-official exception workflow + annual notification template)
- Title IX 34 CFR Part 106 2024 Final Rule pre-mapped (Coordinator records + grievance-process workflow + supportive-measures log + 2020-rule fallback for 26-state injunction)
- Clery Act 20 USC 1092(f) and 34 CFR 668.46 pre-mapped (Annual Security Report + Daily Crime Log + Timely Warnings + VAWA Section 304 dating-violence + stalking categories + geography classification + 65-day reporting cycle)
- NIST SP 800-171 r3 for Controlled Unclassified Information (DFARS 252.204-7012 + research grants under NIH + NSF + DOD)
- NIST CSF 2.0 for K-12 districts (K12 SIX baseline + CISA School Safety alignment)
- GLBA Safeguards Rule for Title IV institutions (FTC Final Rule 2023 amendments)
- HIPAA for university health centres operating as covered entities
- PCI DSS v4.0.1 for campus payment operations (tuition + housing + dining + bookstore + ticketing)
- Single-tenant deployment for student-record data residency under FERPA
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Shibboleth / InCommon, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
100 to 50,000 employees · US · Canada · EU · UK · AU