RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Mid-market utility risk register from threat to treatment, with KRI auto-escalation; NERC CIP, AWIA, and TSA underneath.
Summary
RiskWatch is a risk management platform built around a Global Risk Register that consolidates OT-adjacent cyber, physical, operational, and compliance risk across an electric, water, or gas utility into one view, with business-unit-to-enterprise rollup for the board. It runs a risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk breaches its threshold, a risk treatment workflow with owner assignment and tasks tracked to closure, and threat and vulnerability libraries that feed risk scores, plus heat maps and executive dashboards for board-ready reporting. Risk-to-Compliance bi-directional mapping ties FERC-audit and control findings back into risk scores and lets the register feed control-assessment scope. Underneath sit pre-mapped control libraries for 40+ regulatory frameworks including NERC CIP-002 through CIP-015 INSM, EPA AWIA Risk + Resilience Assessment, TSA SD-2021-02 pipeline cybersecurity, EPA Risk Management Program (40 CFR Part 68), NIST 800-53 r5, NIST 800-82 r3 alignment for OT/ICS, NIST 800-171, CMMC 2.0, ISO 27001:2022, IEC 62443-aligned controls, SOC 2, PCI DSS v4, HIPAA, and physical security against ASIS and CIP-014 R4/R5, cross-mapped so the same evidence satisfies multiple audits. Utility customers include investor-owned utilities, electric cooperatives, and water authorities. The product has been in the field since 1993 with federal customers (DoD, VA, DOJ, NSA per public press), and single-tenant deployment keeps OT and BES-cyber-system data in the customer's control.
Strengths
- Global Risk Register consolidates OT-adjacent cyber, physical, operational, and compliance risk into one register with business-unit-to-enterprise rollup for the board
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so exposure surfaces between annual review cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations; mitigation is tracked to closure, not just logged
- Native threat and vulnerability libraries plus heat maps and executive risk dashboards for board-ready utility risk reporting
- Risk-to-Compliance bi-directional mapping: FERC-audit and control findings flow back into risk scores and the register feeds control-assessment scope
- 40+ pre-built framework libraries covering NERC CIP-002 through CIP-015 INSM, EPA AWIA RRA, TSA SD-2021-02, EPA Risk Management Program 40 CFR Part 68, NIST 800-53 r5, NIST 800-82 r3 alignment, NIST 800-171, CMMC 2.0, ISO 27001:2022, and IEC 62443-aligned controls, cross-mapped (NERC CIP-007 to NIST 800-53 SI-4, CIP-005 to NIST 800-82 SC-7) so the same evidence satisfies multiple audits
- Physical security assessment software is in the same tenant as cyber and compliance risk, useful for CIP-014 R4/R5 critical-substation programmes and EPA RMP facility access controls
- Vendor risk management with BAA and SOC 2 tracking is a first-party module, useful for CIP-013-2 supply-chain and TSA Series F third-party requirements
- Single-tenant deployment with customer-owned data residency and a 33-year operating history with federal and state customers; FERC-audit and PUC-audit export packs are first-class output, an advantage for ITAR-controlled defence-utility customers, CEII data, and EU-data-locality water utilities
Weaknesses
- No native OT-detection integrations at the depth of Dragos, Nozomi, or Claroty; RiskWatch ingests asset-inventory and incident data via REST API but does not run east-west INSM monitoring itself, so CIP-015 INSM still requires a paired OT-detection platform
- Public pricing is quote-only; buyers cannot self-serve a list price and must request a quote scoped to their team size and framework count
Mid-market and regional utility risk teams (200-5,000 employees: municipal utilities, electric cooperatives, water authorities, regional IOUs) that want one global register for OT-adjacent cyber, physical, operational, and compliance risk, with KRI-driven escalation, treatment workflows, and board-ready heat maps, plus NERC CIP, AWIA, TSA, IEC 62443, and ISO 27001 mapping built in across 3+ frameworks and a FERC-audit response pack in the same evidence vault.
Pure OT-detection buyers who need east-west INSM monitoring on the bulk electric system as the load-bearing requirement; pair RiskWatch with Dragos, Nozomi, or Claroty for that brief, and pick Archer or ServiceNow IRM if your buying committee insists on one vendor across detection plus GRC.
Key features
- Global Risk Register with business-unit-to-enterprise rollup across OT-adjacent cyber, physical, operational, and compliance risk
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries, heat maps, and executive / board risk dashboards
- Risk-to-Compliance bi-directional mapping (FERC-audit findings update risk scores)
- Pre-built control libraries for NERC CIP-002 through CIP-015 INSM, EPA AWIA RRA, TSA SD-2021-02, EPA RMP 40 CFR Part 68, NIST 800-53 r5, NIST 800-82 r3 alignment, NIST 800-171, CMMC 2.0, ISO 27001:2022, IEC 62443-aligned, FERC Order 706, FERC Order 907
- Cross-mapping engine auto-detects shared controls across NERC CIP, NIST, ISO, and IEC 62443
- Physical security assessment module aligned to ASIS and CIP-014 R4/R5 for critical-substation programmes
- Evidence vault with versioning and FERC-audit-ready export
- Vendor risk management with CIP-013-2 supply-chain attestation and TSA Series F third-party
- Single-tenant deployment for CEII and data-residency requirements
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API for OT asset inventory ingest.
Target size
100 to 25,000 employees · US · Canada · EU · UK · AU