RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Enterprise risk platform for law firms: one global register and a partner-level risk roll-up to the Executive Committee, with ISO 27001, SOC 2, NIST CSF, and OCG response mapped underneath.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls up the firm's enterprise, IT, vendor, and information-security risk into one view, with business-unit-to-enterprise aggregation so the General Counsel of the firm can present a partner-level risk register to the Executive Committee. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, a treatment workflow with owner assignment and tasks, and native threat and vulnerability libraries that feed risk scores. Its differentiator is Risk-to-Compliance bi-directional mapping: OCG cyber-audit findings flow back into risk scores and the register feeds control-assessment scope, so a firm's ISO 27001 or SOC 2 evidence is both an audit artefact and a live risk input. Pre-built control libraries for ISO 27001:2022, SOC 2 TSC 2017, NIST CSF 2.0, NIST 800-53 r5, NIST 800-171 r3, HIPAA (healthcare clients), PCI DSS v4 (class-action settlement payment data), GDPR (EU clients), and state breach notification overlays (40+ frameworks total) sit underneath, cross-mapped so one control answer assembles once and re-uses across Fortune 500 clients on the firm roster. Single-tenant deployment with customer-owned data residency satisfies ABA Model Rule 1.6 client confidentiality and the data-locality questions that Fortune 500 OCG security audits routinely raise. In the field since 1993 with US state, federal, healthcare, and financial-services customers; the brand carries weight on RFP shortlists when a firm General Counsel justifies the choice to the Executive Committee.
Strengths
- Global Risk Register consolidates the firm's enterprise, IT, vendor, and information-security risk into one register with business-unit-to-enterprise rollup, so the General Counsel of the firm can present a partner-level risk register to the Executive Committee
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so exposure surfaces between annual audit cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure, plus native threat and vulnerability libraries, heat maps, and board-ready dashboards for the Executive Committee and Audit Committee
- Risk-to-Compliance bi-directional mapping: OCG cyber-audit and ISO 27001 / SOC 2 findings flow back into risk scores and the register feeds control-assessment scope (competitors usually split this across two products)
- Pre-built control libraries for ISO 27001:2022, SOC 2 TSC 2017, NIST CSF 2.0, NIST 800-53 r5, NIST 800-171 r3, HIPAA, PCI DSS v4, GDPR, CCPA, and state breach notification overlays (40+ frameworks), cross-mapped so OCG cyber-audit evidence assembles once and re-uses across Fortune 500 clients on the firm roster
- OCG response library workflow lets the firm CISO maintain a per-client OCG question-bank with re-usable evidence rather than rebuilding the answer for every Shared Assessments SIG + CAIQ + custom client questionnaire
- Single-tenant deployment with customer-owned data residency answers ABA Model Rule 1.6 confidentiality and the client data-locality questions that Fortune 500 OCG security audits routinely raise
- ABA Formal Opinion 483 breach-notification readiness workflow with state-breach-law overlays for the firm's resident states (CA + NY + IL + MA + TX + FL + WA + others) assembled in an incident-response playbook
- Vendor and third-party risk management for the firm's outside service-providers (DMS hosting, e-discovery vendors, document review providers, expert witnesses) with SOC 2, ISO 27001, and BAA tracking
- 33-year operating history; client procurement teams recognise the brand when a firm General Counsel justifies the choice to the Executive Committee or the Audit Committee, and the survey-based assessment engine works for non-technical control owners (Practice Group Risk Partners, Office Managing Partners) without a workflow-builder learning curve
Weaknesses
- Not a conflicts-of-interest engine at Intapp Open or Aderant Conflicts depth; ABA Model Rule 1.7 and 1.10 conflicts workflow, party-name searching, and imputation rules are managed via assessment and policy workflow, not a legal-data-model conflicts search across millions of party records. Pair with Intapp or Aderant if conflicts at thousands-of-new-matters-per-year scale is the load-bearing brief.
- Not a new-business-intake (NBI) platform at Intapp Intake or Mitratech depth; engagement-letter workflow, AML and KYC questionnaires, and matter-opening checklists managed via assessment workflow rather than a legal-NBI-specific data model.
- Not a document-management-system ethical-wall enforcement engine at iManage Security Policy Manager or NetDocuments depth; ethical walls assumed to live in the firm's DMS (iManage or NetDocuments) with RiskWatch covering the firm-wide policy and audit layer rather than the document layer.
- RiskWatch is sold quote-only because deployment topology varies materially across multi-office international firms with EU + UK + APAC data-residency obligations, so there is no public list price to compare line-by-line.
Am Law 200, full-service mid-market, regional, and international top-tier firms (300-5,000 lawyers and staff) that want one Global Risk Register with a partner-level risk roll-up to the Executive Committee, KRI-driven escalation, and treatment workflows, plus vendor and third-party risk for the firm's outside service-providers, ISO 27001 + SOC 2 + NIST CSF + state breach + OCG response mapped in, an ABA Formal Opinion 483 breach-notification workflow, and first-class evidence-export packs for Fortune 500 client cyber audits.
Firms where the dominant requirement is conflicts of interest at thousands of new matters per year (Intapp or Aderant fit that brief better) or where ethical-wall enforcement must live at the DMS document layer (iManage or NetDocuments fit that brief better). Also wrong for SaaS-shaped legal-tech startups under 50 staff chasing a single SOC 2; Hyperproof or Sprinto fit that brief better.
Key features
- Global Risk Register with business-unit-to-enterprise rollup and a partner-level risk register for the Executive Committee
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries, heat maps, and executive / Audit-Committee risk reporting
- Risk-to-Compliance bi-directional mapping (OCG cyber-audit and ISO 27001 / SOC 2 findings update risk scores)
- Pre-built control libraries for ISO 27001:2022, SOC 2 TSC 2017, NIST CSF 2.0, NIST 800-53 r5, NIST 800-171 r3, HIPAA, PCI DSS v4, GDPR, CCPA, and state breach notification (40+ frameworks), cross-mapped
- OCG response library with per-client question-bank and reusable evidence
- ABA Formal Opinion 483 breach-notification workflow with state-breach-law overlays
- Vendor and third-party risk management for firm outside service-providers (DMS hosting, e-discovery, document review)
- Policy management with attestation workflow, plus a survey-based assessment engine for non-technical control owners (Practice Group Risk Partners, Office Managing Partners)
- Single-tenant deployment for EU + UK + APAC data-residency and client confidentiality under ABA Model Rule 1.6
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, iManage Work (via API), NetDocuments (via API), Slack, Jira, Custom REST API.
Target size
100 to 10,000 employees · US · Canada · UK · EU · AU