RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Insurance enterprise risk platform: one global register from threat to treatment, with KRIs, ORSA support, and NAIC / NYDFS / MAR overlays underneath.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that consolidates operational, IT, vendor, and physical risk into one view, with business-unit-to-enterprise aggregation for the board and the ORSA process. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, a treatment workflow with owner assignment and tasks, and native threat and vulnerability libraries that feed risk scores; heat maps and executive dashboards turn the register into board- and DOI-ready reporting. Its differentiator is Risk-to-Compliance bi-directional mapping: audit and examination findings flow back into risk scores and the register feeds control-assessment scope, so a carrier's ORSA material-risk view, MAR §404 ICFR, and cyber controls draw on one evidence base instead of duplicate workpapers. Pre-mapped control libraries for 40+ frameworks (NAIC Insurance Data Security Model Law with state-by-state overlays, adopted in 25+ US states, NYDFS Part 500, MAR §404 ICFR, ORSA, HIPAA for health insurers, RESPA for title carriers, GLBA Safeguards, PCI DSS v4, NIST 800-53, SOC 2) sit underneath, cross-mapped so one control answer satisfies multiple examinations. Insurance customers include US state-chartered carriers, regional P&C insurers, health-insurance subsidiaries, title companies, and broker-distribution institutions; the product has been in the field since 1993. The single-tenant deploy-as-tenant architecture means carriers retain full control of their data and can answer DOI data-locality questions without a vendor escalation.
Strengths
- Global Risk Register consolidates operational, IT, vendor, and physical risk into one view with business-unit-to-enterprise rollup for the board and the ORSA process
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so exposure surfaces between annual ORSA cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure, plus native threat and vulnerability libraries, heat maps, and DOI- and board-ready dashboards
- Risk-to-Compliance bi-directional mapping: ORSA material risks, MAR §404 ICFR, and cyber controls share one evidence vault so internal audit captures once and ORSA refreshes annually without duplicate workpapers
- NAIC Insurance Data Security Model Law overlay with state-specific variants for each adopting jurisdiction; new state adoption surfaces as a coverage gap, not a separate programme build
- 40+ frameworks cross-mapped underneath (NAIC Model Law, NYDFS Part 500, MAR §404, ORSA, HIPAA for health insurers, RESPA for title carriers, GLBA Safeguards, PCI DSS, NIST 800-53, SOC 2), with DOI examiner export packs as first-class output, not a custom report build
- 33-year operating history with examiner-recognised assessment artefacts; single-tenant deployment with customer-owned data residency for state-chartered carriers under DOI data-locality rules and health insurers under the HIPAA Security Rule
- Vendor risk management with BAA and SOC 2 tracking aligned to NYDFS Part 500 §500.11 and NAIC Model Law third-party-service-provider obligations
Weaknesses
- No native quantitative capital-adequacy or Solvency II SCR / MCR calculation engine; carriers running internal-model Solvency II or pre-positioning for IAIS ICS Pillar 1 should pair RiskWatch with Moody's RiskIntegrity or Wolters Kluwer OneSumX
- No native actuarial modelling or stochastic ALM; carriers running internal capital models keep that engine separate
- No native claims administration or RMIS workflow at Origami / Riskonnect depth; carriers needing claims-and-policy on the same platform should pair RiskWatch with an RMIS
- Public pricing is quote-only across all tiers, so buyers need a scoping call before seeing a number; this listicle marks the category transparency problem with an opaque badge for RiskWatch
Mid-market and regional multi-state insurance carriers, health-insurance subsidiaries, title carriers, broker-distribution institutions, and reinsurance brokers that want one global register for operational, IT, vendor, and physical risk, with KRI-driven escalation, treatment tracking, ORSA support, and board- and DOI-ready heat maps, plus NAIC Model Law, MAR, and state DOI compliance mapped underneath on one tenant.
Tier-1 global insurers and reinsurers running internal-model Solvency II Pillar 1 capital or pre-positioning for IAIS ICS standard-formula Pillar 1; pair RiskWatch with Moody's RiskIntegrity or OneSumX for the quantitative capital engine.
Key features
- Global Risk Register with business-unit-to-enterprise rollup across operational, IT, vendor, and physical risk, feeding the ORSA process
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries plus heat maps, risk dashboards, and board- and DOI-ready reporting
- Risk-to-Compliance bi-directional mapping (audit and examination findings update risk scores)
- Cross-mapped control libraries for 40+ frameworks (NAIC Insurance Data Security Model Law with 25+ adopting-state variants, NYDFS Part 500, MAR §404 ICFR, ORSA, HIPAA, RESPA, GLBA Safeguards, PCI DSS v4, ISO 27001:2022, NIST 800-53 r5, NIST 800-171 r3, GDPR)
- DOI-examiner-export packs (PDF + Excel) ready for state insurance department reviews
- Evidence vault with versioning and audit-ready export for MAR §404 ICFR attestation
- Vendor risk management with BAA + SOC 2 tracking aligned to NAIC Model Law third-party-service-provider obligations
- Policy management with approval and attestation workflows for ORSA governance documents
- Single-tenant deployment with customer-owned data residency for state-DOI data-locality requirements
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
100 to 25,000 employees · US · Canada · EU · UK · AU