RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Enterprise risk platform for nonprofits: one global register from threat to treatment, with KRI auto-escalation across governance, grant, safeguarding, and donor-data risk.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls governance, grant-compliance, financial, safeguarding, cyber, and donor-data risk up to a business-unit-to-enterprise view for the Board of Directors Audit Committee. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, a risk treatment workflow with owner assignment and tasks tracked to closure, and native threat and vulnerability libraries that feed risk scores. Its differentiator is Risk-to-Compliance bi-directional mapping: audit findings flow back into risk scores and the register feeds control-assessment scope, so nonprofit risk and regulatory compliance are not two disconnected tools. Pre-built, cross-mapped control libraries for 40+ frameworks sit underneath, including IRS Form 990 governance disclosures, OMB Uniform Guidance 2 CFR Part 200 (2024 revision effective October 1 2024), Single Audit under 2 CFR 200 Subpart F (new $1M federal-expenditure threshold), UPMIFA endowment-policy attestation, FASB ASC 958 net-asset classification, multi-state Charity Commission registration with Unified Registration Statement reuse, SafeSport and NCFY safeguarding overlays, PCI DSS v4.0.1 for donor credit-card data, CCPA / CPRA, and HIPAA for nonprofit health-services arms. Single-tenant deployment with customer-owned data residency answers state Attorney General data-residency expectations on donor records and the Form 990 Part VI Question 17 data-breach disclosure obligation. The platform has been in the field since 1993 with state and federal customers, and the brand carries weight on RFP shortlists when a nonprofit CFO justifies the choice to the Board of Directors Audit Committee.
Strengths
- Global Risk Register consolidates governance, grant-compliance, financial, safeguarding, cyber, and donor-data risk into one register with business-unit-to-enterprise rollup for the Board of Directors Audit Committee
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so breaches surface between annual cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure; program directors, finance staff, and volunteer coordinators self-serve without a workflow-builder learning curve
- Risk-to-Compliance bi-directional mapping with a cross-mapping engine that auto-detects shared controls across IRS Form 990, OMB Uniform Guidance, Single Audit, and UPMIFA, so the audit-evidence pack assembles once and re-uses across the Audit Committee, the state Attorney General registration filing, and the grant-funder diligence questionnaire
- Native threat and vulnerability libraries plus heat maps and executive risk dashboards for board-ready reporting
- 40+ pre-built framework libraries sit underneath the risk layer, including IRS Form 990 governance disclosures (Part VI Question 17 data-breach + Schedule O + Schedule R), OMB Uniform Guidance 2 CFR 200 (Subpart D + E + F), Single Audit under the new $1M threshold effective October 1 2024, UPMIFA endowment management, FASB ASC 958 net-asset classification, and 41-state Charity Commission registration with Unified Registration Statement reuse
- Safeguarding incident workflow aligned to the SafeSport Code, NCFY youth-program standards, Praesidium Standards, and state mandated-reporter laws with case-file evidence retention that survives a state Attorney General investigation
- Vendor and third-party risk management for the nonprofit's outside service-providers (fiscal sponsor, donor-CRM vendor, payment processor, professional fundraiser, grants-management SaaS, mass-notification provider) with SOC 2 and BAA tracking for HIPAA-adjacent health arms, plus PCI DSS v4.0.1 SAQ and CCPA / CPRA donor-record DSAR workflow for credit-card and California donor data
- Single-tenant deployment with customer-owned data residency answers state Attorney General data-residency expectations on donor records and the Form 990 Part VI Question 17 data-breach disclosure obligation; 33-year operating history recognised by state Charity Commission and grant-funder procurement teams
Weaknesses
- Not a nonprofit-accounting or fund-accounting platform at Sage Intacct or Blackbaud Financial Edge NXT depth; UPMIFA endowment policy and FASB ASC 958 net-asset classifications managed via assessment workflow, not a fund-accounting GL. Pair with Sage Intacct, Blackbaud Financial Edge NXT, NetSuite for Nonprofits, or QuickBooks Nonprofit for the actual books of account.
- Not a donor-CRM at Salesforce Nonprofit Cloud, Blackbaud Raiser's Edge, or Bloomerang depth; donor records and gift-receipting workflow assumed to live in the nonprofit's CRM. RiskWatch covers the donor-data-privacy risk layer (PCI DSS + CCPA + GDPR) rather than the donor-relationship workflow.
- Not a grants-management platform at Submittable, Foundant, Fluxx, or GivingData depth; grant-application workflow, reviewer scoring, and grant-disbursement tracking live in dedicated grants-management tools. RiskWatch covers the OMB Uniform Guidance subrecipient monitoring + Single Audit working-paper layer above the grants-management tool.
- Not a risk-pool RMIS at Origami Risk depth for nonprofits operating a 501(c)(3) captive insurance arrangement or a national-affiliate insurance pool; pair with Origami Risk or Riskonnect for claims, broker-of-record, and policy-administration depth.
- RiskWatch is sold quote-only with no public list price, because deployment topology varies materially across small-charity (under 50 staff, $5M budget), mid-market nonprofit (200-2,000 staff, $50M-$200M budget), and national-foundation (5,000+ staff, $1B+ assets) tiers.
501(c)(3) public charities, community foundations, federally-funded nonprofits expending $1M+ in federal awards, faith-based and youth-serving charities, and university and hospital foundations (50-5,000 staff) that want one global register for governance, grant-compliance, safeguarding, and donor-data risk, with KRI-driven escalation, treatment workflows, and board-ready heat maps for the Audit Committee, plus 40+ framework compliance mapping (Form 990, OMB Uniform Guidance, Single Audit, UPMIFA, multi-state Charity Commission registration) and vendor risk management for fiscal sponsors, donor-CRM vendors, payment processors, and grants-management SaaS built in.
Nonprofits where the dominant requirement is fund-accounting at Sage Intacct or Blackbaud Financial Edge NXT depth (pair with those tools), or donor relationship management at Salesforce Nonprofit Cloud or Blackbaud Raiser's Edge depth (pair with those CRMs), or a 501(c)(3) captive insurance RMIS at Origami Risk depth (use Origami Risk for the claims engine and RiskWatch for the firm-wide policy and audit layer above it).
Key features
- Global Risk Register with business-unit-to-enterprise rollup for the Board of Directors Audit Committee
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure
- Threat and vulnerability libraries that feed risk scores
- Heat maps, risk dashboards, and executive / board risk reporting
- Risk-to-Compliance bi-directional mapping with a cross-mapping engine across Form 990 + Uniform Guidance + Single Audit + UPMIFA + state Charity Commission
- Pre-built control libraries for 40+ frameworks including IRS Form 990 governance, OMB Uniform Guidance 2 CFR 200, Single Audit, UPMIFA, FASB ASC 958, multi-state Charity Commission registration with URS reuse, SafeSport / NCFY safeguarding, PCI DSS v4.0.1, CCPA / CPRA, GDPR, and HIPAA
- Form 990 Part VI Question 17 data-breach disclosure workflow with state-breach-law overlays
- Single Audit working-paper builder under the new $1M threshold, UPMIFA endowment-policy attestation, and multi-state Charity Commission registration evidence pack with URS reuse across 41 states
- SafeSport / NCFY / Praesidium safeguarding incident workflow with mandated-reporter tracking; vendor and third-party risk management for fiscal sponsors, donor-CRM vendors, payment processors, grants-management SaaS, and mass-notification providers
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Salesforce Nonprofit Cloud (via API), Blackbaud Raiser's Edge NXT (via API), Sage Intacct (via API), Slack, Custom REST API.
Target size
25 to 10,000 employees · US · Canada · UK · EU · AU