RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Enterprise risk platform for oil & gas operators: one global register from threat to treatment, with KRI auto-escalation.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls process-safety, asset-integrity, cyber/OT, and physical risk up to a business-unit-to-enterprise view for the board. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, a risk treatment workflow with owner assignment and tasks tracked to closure, and native threat and vulnerability libraries that feed risk scores. Its differentiator is Risk-to-Compliance bi-directional mapping: audit findings flow back into risk scores and the register feeds control-assessment scope, so operational risk and regulatory compliance are not two disconnected tools. Pre-built control libraries for 40+ frameworks sit underneath, including OSHA Process Safety Management 29 CFR 1910.119, EPA Risk Management Program 40 CFR Part 68 (March 11 2024 Final Rule under the SCCAP initiative), PHMSA 49 CFR Part 192 (gas transmission and distribution) and Part 195 (hazardous liquid), API 510 / 570 / 653 inspection codes, ASME B31.4 / B31.8 pipeline design codes, IOGP Life-Saving Rules content, EPA Subpart OOOOb / OOOOc methane disclosure, TSA SD-2021-02 Series F, NIST 800-82 r3 alignment for OT / ICS, NIST 800-171, CMMC 2.0, ISO 27001:2022, and IEC 62443-aligned controls, plus physical security against ASIS and API SS 780. Oil & gas customers include upstream independents, midstream operators, and refining and petrochemical groups; the product has been in the field since 1993 with federal customers (DoD, VA, DOJ, NSA per public press). RiskWatch is sold quote-only, and single-tenant deployment keeps SCADA-adjacent and process-safety-information data in the operator's control.
Strengths
- Global Risk Register consolidates process-safety, asset-integrity, cyber/OT, and physical risk into one register with business-unit-to-enterprise rollup for the board
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so breaches surface between annual cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure and assignable to operators, mechanical-integrity inspectors, OIMs (offshore installation managers), and control-room supervisors without a workflow-builder learning curve
- Risk-to-Compliance bi-directional mapping: audit findings flow back into risk scores and the register feeds control-assessment scope (competitors usually split this across two products); the cross-mapping engine auto-detects shared controls (OSHA PSM Element 4 Operating Procedures to API 570 piping-inspection schedules; EPA RMP Subpart D Hazard Assessment to PSM Element 3 PHA; IEC 62443 SR 7.1 to NIST 800-82 r3 SI-4)
- Native threat and vulnerability libraries plus heat maps and executive risk dashboards for board-ready reporting
- Process-safety, integrity, cyber, and physical risk run in one tenant, with a physical security module aligned to ASIS and API SS 780 for refinery and pipeline-terminal security risk assessments and TSA SD-2021-02 cybersecurity programmes
- Vendor risk management with contractor and pre-startup safety review tracking is a first-party module, useful for OSHA PSM Element 6 Contractors and IOGP Life-Saving Rules contractor-workforce attestation
- 40+ pre-built framework libraries sit underneath the risk layer, covering OSHA PSM 29 CFR 1910.119, EPA RMP 40 CFR Part 68 (March 2024 Final Rule), PHMSA 49 CFR Part 192 and Part 195, API 510 / 570 / 653, ASME B31.4 / B31.8, IOGP Life-Saving Rules, EPA OOOOb / OOOOc methane, TSA SD-2021-02 Series F, NIST 800-82 r3 alignment, ISO 27001:2022, and IEC 62443-aligned controls
- 33-year operating history with federal and regulated-industry customers; PHMSA-audit and OSHA-PSM-audit export packs are first-class output, and single-tenant deployment with customer-owned data residency suits SCADA-adjacent control-room data, proprietary reservoir data, and EU-domiciled midstream operators
Weaknesses
- No native real-time SCADA / DCS historian ingest at the depth of AVEVA PI, Honeywell PHD, or Yokogawa Exaquantum; RiskWatch ingests asset-inventory and incident data via REST API but does not run real-time time-series storage itself, so process-safety-data archive still requires a paired historian
- No native PHA / HAZOP / LOPA / MOC purpose-built module at Sphera or Enablon depth; we deliver process-safety risk via assessment scoring and the control library, but supermajor-scale process-safety teams running full LOPA quantification typically want Sphera as the process-safety layer alongside RiskWatch as the GRC layer
- Pricing is quote-only with no public list price, so buyers must request a quote to size a deal
Mid-market and regional oil & gas operators (200-5,000 employees: upstream independents, midstream operators, regional refining and petrochemical groups) that want one global register for process-safety, asset-integrity, cyber/OT, and physical risk, with KRI-driven escalation, treatment workflows, and board-ready heat maps, plus 40+ framework compliance mapping (OSHA PSM, EPA RMP, PHMSA, API 510/570/653, IOGP, IEC 62443) and a PHMSA-audit and OSHA-PSM-audit response pack built in.
Supermajor-scale process-safety teams whose primary requirement is purpose-built PHA / HAZOP / LOPA / MOC quantification at refinery scale; pair RiskWatch with Sphera for that brief, and pick Enablon or Sphera if your buying committee insists on one vendor across process-safety quantification plus EHS plus GRC.
Key features
- Global Risk Register with business-unit-to-enterprise rollup
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations for operators, mechanical-integrity inspectors, OIMs, and control-room supervisors
- Threat and vulnerability libraries that feed risk scores
- Heat maps, risk dashboards, and executive / board risk reporting
- Risk-to-Compliance bi-directional mapping with a cross-mapping engine across OSHA PSM, API inspection codes, IOGP, NIST, ISO, and IEC 62443
- Pre-built control libraries for 40+ frameworks including OSHA PSM 29 CFR 1910.119 (14 elements), EPA RMP 40 CFR Part 68 (March 2024 Final Rule), PHMSA 49 CFR Part 192 and Part 195, API 510 / 570 / 653, ASME B31.4 / B31.8, IOGP Life-Saving Rules, EPA Subpart OOOOb / OOOOc, TSA SD-2021-02 Series F, NIST 800-82 r3 alignment, ISO 27001:2022, and IEC 62443-aligned
- Physical security assessment module aligned to ASIS and API SS 780 for refinery and pipeline-terminal SRAs
- Vendor risk management with contractor pre-qualification and PSSR attestation for OSHA PSM Element 6 and IOGP; policy management with approval and attestation workflows
- Evidence vault with versioning and PHMSA-audit-ready and OSHA-PSM-audit-ready export; single-tenant deployment for SCADA-adjacent and proprietary-reservoir data-residency requirements
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API for asset inventory and SCADA tag ingest.
Target size
100 to 25,000 employees · US · Canada · EU · UK · AU