RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Supply-chain risk register from threat to treatment, with KRI auto-escalation; ISO 28000, C-TPAT, TAPA, UFLPA, and CSRD underneath.
Summary
RiskWatch is a risk management platform built around a Global Risk Register that consolidates supplier, third-party, concentration, and cyber-supply-chain risk into one view, with business-unit-to-enterprise rollup for the board. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a supplier-concentration or single-source-dependency risk breaches its threshold, a treatment workflow with owner assignment and tasks tracked to closure, and threat and vulnerability libraries that feed risk scores, plus heat maps and executive dashboards for board-ready reporting. Risk-to-Compliance bi-directional mapping ties supplier-audit findings back into risk scores and lets the register feed control-assessment scope. Underneath sit pre-mapped control libraries for 40+ regulatory frameworks including ISO 28000 / 28001 supply-chain security management, C-TPAT Minimum Security Criteria (importer, carrier, broker, marine port authority roles), TAPA FSR and TSR cargo standards, AEO mutual-recognition, UFLPA-aligned forced-labor due-diligence controls, CSRD ESRS S1 to S4-aligned value-chain-workers controls, NIST 800-161 r1 cyber supply chain risk management, OFAC sanctions screening control families, ISO 27001:2022, NIST 800-53 r5, NIST 800-171 r3, CMMC 2.0, and ASIS Facility Physical Security Control Standards, cross-mapped so customs-broker, procurement, and supplier-risk teams draw from one evidence vault. Supply-chain customers include 3PLs, contract manufacturers, freight forwarders, regional shippers, and federal supply-chain primes. The product has been in the field since 1993, and single-tenant deployment is available for ITAR / EAR-controlled defence supply chains and EU customs-broker data residency.
Strengths
- Global Risk Register consolidates supplier, third-party, concentration, and cyber-supply-chain risk into one register with business-unit-to-enterprise rollup for the board
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a supplier-concentration or single-source-dependency risk crosses its threshold, so exposure surfaces between annual review cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations; supplier mitigation is tracked to closure, not just logged
- Native threat and vulnerability libraries plus heat maps and executive risk dashboards for board-ready supply-chain risk reporting
- Risk-to-Compliance bi-directional mapping: supplier-audit findings flow back into risk scores and the register feeds control-assessment scope
- Pre-built control libraries for ISO 28000 / 28001, C-TPAT MSC, TAPA FSR / TSR, AEO, UFLPA-aligned forced-labor controls, CSRD ESRS S1 to S4-aligned value-chain controls, NIST 800-161 r1 cyber supply chain, and OFAC sanctions screening, cross-mapped so procurement, customs, and ESG teams reuse evidence rather than rebuild it
- Vendor / supplier risk management with BAA + SOC 2 + cyber-supply-chain tracking for tier-1 supplier audits across multi-3PL networks
- Physical security assessment module (ASIS-aligned) for warehouses, distribution centres, cross-docks, and marine terminals with crime-data overlay; pairs naturally with supplier-site assessments
- Single-tenant deployment with customer-owned data residency and a 33-year operating history, useful when a Tier-1 retailer, DoD prime, or EU customs authority requests an ISO 28000 or C-TPAT evidence pack
Weaknesses
- No native multi-tier supplier-graph at Everstream Analytics or Resilinc depth; manual supplier-audit workflow rather than a 450,000-supplier mapped network with sub-tier-N visibility
- No native predictive disruption sensing at the Everstream EventWatchAI level; relies on customer-fed risk inputs rather than AI-driven SKU and lane-level disruption forecasting
- No native supplier sustainability rating network at the EcoVadis 130,000-rated-company scale; CSRD readiness lives in the assessment engine rather than a procurement-side network effect
- No native motor-truck-cargo or auto-liability claims module at Riskonnect or Origami Risk depth; pair with a dedicated RMIS if MTC claims volume is the load-bearing brief
- RiskWatch is sold quote-only; published list prices are not on the site, so you negotiate pricing per deployment across multi-region supply chains
Mid-market and regulated-industry supply-chain risk teams (500 to 5,000 employees, 100 to 2,000 active suppliers) that want one global register for supplier, third-party, concentration, and cyber-supply-chain risk, with KRI-driven escalation, treatment workflows, and board-ready heat maps, plus ISO 28000, C-TPAT, TAPA, UFLPA, CSRD, and sanctions mapping built in and supplier-audit response packs in the same evidence vault.
Tier-1 OEMs whose dominant requirement is sub-tier-N supplier-graph visibility across 100,000+ suppliers; Everstream Analytics or Resilinc fit that brief better. Also wrong for procurement organisations whose dominant requirement is supplier sustainability scorecards across 50,000+ trading partners; EcoVadis fits that brief better.
Key features
- Global Risk Register with business-unit-to-enterprise rollup across supplier, third-party, concentration, and cyber-supply-chain risk
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation for supplier-concentration and single-source-dependency risk
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries, heat maps, and executive / board risk dashboards
- Risk-to-Compliance bi-directional mapping (supplier-audit findings update risk scores)
- Pre-built control libraries for ISO 28000 / 28001, C-TPAT MSC, TAPA FSR / TSR, AEO, UFLPA-aligned, CSRD ESRS S1 to S4-aligned, NIST 800-161 r1, OFAC sanctions, ISO 27001:2022, NIST 800-53, NIST 800-171, CMMC 2.0
- Cross-mapping engine that auto-detects shared controls across supply-chain-security and ESG frameworks
- Survey-based supplier risk assessment engine for non-technical procurement and customs staff
- Evidence vault with versioning and customer-audit-ready export packs (Tier-1 retailer, DoD prime, EU customs)
- Vendor and supplier risk management with BAA, SOC 2, cyber-supply-chain, and SBOM tracking
- Physical security assessment module (ASIS-aligned) for warehouses, DCs, cross-docks, marine terminals; single-tenant deployment for ITAR / EAR and EU customs-broker data residency
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
200 to 25,000 employees · US · Canada · EU · UK · AU