RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Medical device enterprise risk platform: one global register with ISO 14971 risk management and KRI auto-escalation, and ISO 13485, FDA QMSR, EU MDR, IEC 62366, and IEC 62304 mapped underneath.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls up enterprise, IT, vendor / supplier, and physical (manufacturing-site) risk into one view, with business-unit-to-enterprise aggregation for the board. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, a treatment workflow with owner assignment and tasks, and native threat and vulnerability libraries that feed risk scores; the evidence vault supports the ISO 14971:2019 risk management file directly. Its differentiator is Risk-to-Compliance bi-directional mapping: FDA, EU notified-body, and ISO 13485 audit findings flow back into risk scores and the register feeds control-assessment scope, so an ISO 14971 hazard analysis is both an audit artefact and a live risk input. Pre-built control libraries for ISO 14971:2019 application of risk management, ISO 13485:2016 quality management for medical devices, FDA Quality Management System Regulation (QMSR) under 21 CFR Part 820 effective February 2 2026, EU Medical Device Regulation 2017/745 (MDR) and In Vitro Diagnostic Regulation 2017/746 (IVDR), IEC 62366-1:2015 usability engineering, IEC 62304 medical device software lifecycle, and the FDA Cybersecurity in Medical Devices premarket guidance finalised October 2023 sit underneath (40+ frameworks total), cross-mapped so shared QMSR and ISO 13485 controls (now harmonised by reference) satisfy multiple audits from one answer. In the field since 1993 with state agencies, multi-hospital health systems, payers, medical device companies, and contract manufacturers; single-tenant deployment keeps design history file (DHF) and device master record (DMR) data in the customer's control.
Strengths
- Global Risk Register consolidates enterprise, IT, vendor / supplier, and physical (manufacturing-site) risk into one register with business-unit-to-enterprise rollup for the board
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so exposure surfaces between FDA inspection and EU notified-body cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure, plus native threat and vulnerability libraries, heat maps, and board-ready executive dashboards
- Risk-to-Compliance bi-directional mapping: FDA, EU notified-body, and ISO 13485 audit findings flow back into risk scores and the register feeds control-assessment scope (competitors usually split this across two products)
- ISO 14971:2019, ISO 13485:2016, FDA QMSR / 21 CFR Part 820, EU MDR 2017/745, IVDR 2017/746, IEC 62366-1, IEC 62304, and FDA cybersecurity premarket guidance pre-mapped (40+ frameworks total) so one evidence item satisfies FDA, EU notified-body, and ISO 13485 audits
- Single-tenant deployment with customer-owned data residency, which matters for DHF and DMR retention required under 21 CFR 820.181 and for EU MDR Article 10(8) technical documentation retention
- Vendor risk management module supports supplier qualification and supplier audit required under 21 CFR 820.50 and ISO 13485 section 7.4 purchasing controls, including critical-supplier risk classification
- Physical security assessment module supports IEC 81001-5-1 and FDA cybersecurity guidance physical-security controls for connected device manufacturing sites
- 33-year operating history with federal customers (US Department of Defense, VA, DOJ per public press); survey-based assessment engine lets design engineers, regulatory affairs, and quality engineers complete ISO 14971 hazard-analysis surveys without IT translation
Weaknesses
- Not a purpose-built device eQMS at the depth that Greenlight Guru, MasterControl, Veeva Vault QualityOne, ETQ Reliance, Sparta TrackWise Digital, Qualio, or Pilgrim SmartSolve ship; RiskWatch runs the risk and assessment layer rather than a closed-loop Design Controls, CAPA, and change-control workflow tied to the DHF and DMR
- Pricing is quote-only with no public list price, because device-deployment topology and FDA inspection-readiness profile vary materially across buyers
- No native ISO 14971:2019 risk-matrix engine at the depth that Greenlight Guru ships; risk-matrix and risk-control documentation runs through the survey and evidence layer rather than a dedicated hazard-trace UI
Class II and Class III medical device manufacturers, IVD makers, and contract manufacturers that want one Global Risk Register with ISO 14971 risk management, KRI-driven escalation, and treatment workflows, plus supplier qualification and 3+ compliance frameworks (FDA QMSR + ISO 13485 + EU MDR + ISO 14971) mapped in and single-tenant DHF data residency.
Single-product venture-stage device startups whose only need is a closed-loop Design Controls and DHF workflow; Greenlight Guru and Qualio fit that brief better as primary device-native eQMS tools.
Key features
- Global Risk Register with business-unit-to-enterprise rollup (enterprise, IT, vendor / supplier, and manufacturing-site risk)
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries that feed risk scores
- Heat maps, risk dashboards, and executive / board risk reporting
- Risk-to-Compliance bi-directional mapping (FDA, EU notified-body, and ISO 13485 findings update risk scores)
- ISO 14971:2019 risk management process aligned (hazard identification, risk analysis, risk evaluation, risk control, residual risk, benefit-risk)
- ISO 13485:2016 medical-device QMS controls (now incorporated by reference into FDA QMSR) and FDA QMSR / 21 CFR Part 820 aligned (effective February 2 2026)
- EU MDR 2017/745 + IVDR 2017/746 technical documentation library, IEC 62366-1 usability engineering, IEC 62304 software lifecycle, and FDA October 2023 premarket cybersecurity content (40+ frameworks), cross-mapped
- Supplier qualification + supplier audit tracking aligned to 21 CFR 820.50 and ISO 13485 section 7.4
- Evidence vault with versioning and audit-ready export (FDA + EU notified-body inspection pack)
- Single-tenant deployment for DHF and DMR data residency
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
50 to 50,000 employees · US · Canada · EU · UK · AU