Enterprise Risk Management Platform

Know your risks.
Build your security.

RiskRiver unifies risk management, compliance, data protection and BCM in one intelligent platform: Swiss-hosted, GDPR-compliant, fully integrated.

Open app
SSO & role-based access
Audit log & traceability
Cross-module graph
Share portal & questionnaires
Dashboard
3 critical · 9 total
Critical: 3 critical risks
High: 2 high risks
Open: 14 open measures
Fulfilment rate: 68%
Top Risks
ID     Risk                               Score   %
R-001  Data loss through cyber attack     25      30%
R-002  Failure of critical IT systems     20      55%
R-003  Ransomware infection               20      40%
R-005  Supplier failure (single source)   16      38%
R-004  GDPR compliance violation          15      70%
Open Measures
ID     Measure                        Due             Status
M-012  MFA for all admin accounts     ⚠ 12.03.2026    Overdue
M-018  Revise backup concept          28.04.2026      Active
M-023  Phishing awareness training    15.05.2026      Open
M-027  Network segmentation           30.05.2026      Active
Gross vs. Residual (chart): Gross 9 total · Critical / High / Medium / Low · Residual 9 total
Action required: 4 entries require your attention
Crisis P-004 · Online shop outage · since 2d
Measure M-012 · MFA for admin accounts · since 35d
Risk R-003 · Ransomware incident: review overdue · since 8d
Supplier S-007 · Cloud provider: assessment due · since 14d
Risk Management & Heatmap
Supplier Management
Data Protection & DPIA
BCM & Business Continuity
ISMS & Frameworks
Numbers that convince

One platform.
Complete overview.

8+ integrated compliance frameworks
360° risk & threat analysis
100% Swiss hosted
User roles & permissions
Risk management

Risk register & interactive risk heatmap

Unmanaged risks cost money, reputation and, in a crisis, the ability to operate. Risks you don't know about can't be prioritised and can't be addressed effectively. Structured risk management creates transparency, makes decisions traceable and is the foundation of any serious compliance effort.

Configurable risk matrix (default 5×5)
Gross & residual assessment
Measures with due dates & progress
Links to assets, threats & suppliers
Risk sharing for team editing
Comments, favourites & activity log
Owners, categories & status models
Change history & CSV export
Risk heatmap (chart): 3 critical · 9 total · Gross / Residual · Impact axis · All risks
Connections & analysis

Interactive dependency view

In spreadsheets, connections stay invisible. Yet the biggest risks appear exactly where dependencies converge: a failing supplier that blocks a critical process, a missing measure that leaves several risks open at once. The dependency view makes these connections visible at a glance and helps you focus on what really matters.

All objects and their relationships on one canvas
Risks, measures, assets, threats & suppliers
One-click filter per object type
Search & focus on individual nodes
Zoom, pan & fullscreen view
Click a node to open details
Dependency view: 14 nodes · 18 edges
Risks (3) · Measures (3) · Assets (4) · Threats (2) · Suppliers (2)
Risks: R-001 Data loss through cyber attack · R-002 Failure of critical IT systems
Measures: M-012 MFA for admin accounts (30%) · M-018 Backup concept (55%) · M-023 Phishing training (65%)
Assets: A-003 Customer database · A-008 Laptop fleet · A-001 Production server · A-012 Cloud storage
Threats: T-004 Phishing campaign (High) · T-007 Ransomware (Critical)
Suppliers: S-007 Cloud-Provider AG · S-011 Rechenzentrum Zürich
Crisis and continuity planning

BCM recovery topology

When critical processes fail, it usually isn't IT that takes the first hit — it's revenue, customers and regulators. Yet continuity plans often sit in static documents no one can find when they're needed. Business Continuity Management makes sure you know your critical processes, set realistic recovery times and, when it matters, everyone knows what to do.

Processes with RTO, RPO, MTPD & MBCO
BIA collection by the process owner
Recovery topology: process → resources → assets
Fallback strategies per resource
Incidents with timeline & actions taken
Public status page for stakeholders & customers
BCM cockpit with status, tests & criticality
BCM · Recovery topology (live)
Recovery topology · Process → Resources / Technology → Assets
Legend: Process · Resource · Supplier · Technology · Asset · Fallback
Process: SOC Operations P-014 · 24/7 monitoring
Resources (3): SOC analysts L1-L3 · Team · 12 FTE · CISO Office; Incident Response Plan · Runbook · v3.2 · 12.02.2026; Managed Detection AG · MSSP · SLA 15 min
Technology (4): Splunk Enterprise · SIEM · 2.4 TB/day; CrowdStrike Falcon · EDR · 2'400 endpoints; SOAR platform · playbook engine; Entra ID + PAM · identity & access
Assets (3): Log hot index · Asset · 90 days · 180 TB; MISP / IOC feeds · Asset · threat intel; DR-SOC Zürich-West · Fallback · hot standby
RTO 2h (target met) · RPO 15 min (max. data loss) · MTPD 4h (max. tolerable) · MBCO 80% (min. service level)
Active incident: SIEM ingest degraded · INC-2041 · since 00:47h · assigned to L2
Get in touch

Ready for a better overview?

Request a demo or start directly in the app. Our team supports you through onboarding.

Open app
All modules

Everything you need. On one platform.

Risk management, data protection, business continuity, information security, supplier management and technical security checks on a shared data foundation. No silos, no exports, no duplicate data entry.

7 modules
40+ functions
4 frameworks
1 data model, all connected
How it all fits together

A data model that mirrors reality.

A risk is attached to a protected asset. The asset belongs to a process. The process relies on services provided by a supplier. The supplier is governed by a data processing agreement. The agreement references a policy, the policy fulfils a control, and the control is addressed by a concrete measure that, in turn, reduces the risk.

RiskRiver maps this chain as one connected graph, not as seven separate tables. Change a node and you immediately see what depends on it. Audit trails, dependency analyses and gap checks run across every module.

Data model · one graph (live) · 8 node types: Asset, Process, Threat, Risk, Supplier, Measure, Policy, Control
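As an added illustration of the chain described above (not RiskRiver's own code or data model): a toy version of the object graph with a transitive "what depends on this node" query and a gap check for risks that no measure reduces. All identifiers and edges are constructed for the example.

```python
"""Added example: a miniature connected object graph in the style described
above (risk -> asset -> process -> supplier -> agreement -> policy -> control
-> measure -> risk). Constructed data; not the product's own model."""
from collections import defaultdict, deque

# Constructed sample edges: (source, relation, target).
EDGES = [
    ("R-001", "attached_to", "A-003"),   # risk attached to a protected asset
    ("A-003", "belongs_to", "P-004"),    # asset belongs to a process
    ("P-004", "relies_on", "S-007"),     # process relies on a supplier
    ("S-007", "governed_by", "DPA-2"),   # supplier governed by an agreement
    ("DPA-2", "references", "POL-5"),    # agreement references a policy
    ("POL-5", "fulfils", "C-8.1"),       # policy fulfils a control
    ("C-8.1", "addressed_by", "M-012"),  # control addressed by a measure
    ("M-012", "reduces", "R-001"),       # measure reduces the risk (closes the loop)
    ("R-002", "attached_to", "A-001"),   # a second risk with no reducing measure
    ("A-001", "belongs_to", "P-004"),
]

# Relations along which a change to the target must be reviewed at the source
# (the source depends on the target). "reduces" is treatment, not dependency.
DEPENDENCY_RELATIONS = {
    "attached_to", "belongs_to", "relies_on", "governed_by",
    "references", "fulfils", "addressed_by",
}


def reverse_index(edges):
    """Map target -> [(source, relation)] so dependencies can be walked upstream."""
    idx = defaultdict(list)
    for src, rel, dst in edges:
        idx[dst].append((src, rel))
    return idx


def dependents(node, edges=EDGES):
    """Every object that transitively depends on `node`: what has to be
    re-examined when `node` changes (e.g. a supplier drops out)."""
    idx = reverse_index(edges)
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for src, rel in idx.get(cur, []):
            if rel in DEPENDENCY_RELATIONS and src != node and src not in seen:
                seen.add(src)
                queue.append(src)
    return sorted(seen)


def uncovered_risks(edges=EDGES):
    """Gap check: risk nodes (R-*) that no measure reduces."""
    risks = {n for s, _, t in edges for n in (s, t) if n.startswith("R-")}
    reduced = {t for _, rel, t in edges if rel == "reduces"}
    return sorted(risks - reduced)


if __name__ == "__main__":
    print("Affected if supplier S-007 fails:", dependents("S-007"))
    print("Risks without a reducing measure:", uncovered_risks())
```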
Core module
Risk Management
A central register for every material enterprise risk: strategic, operational, financial and legal risks alongside information security and supply chain risks. Each risk is assigned an owner, assessed in gross and residual terms and backed by concrete measures with due dates. Executive management can see at any time which risks are prioritised and how they are being treated.
Includes
Central risk register
Gross and residual assessment
Configurable risk matrix
Measures with due dates
Protected assets
Threat catalogue
Team collaboration
Change history
Gross / Residual Share token Audit log
Suppliers and third parties
Supplier Management
A central registry of all suppliers and service providers, with master data, contacts, certificates, contracts and risk classification. Questionnaires are sent by link and completed by the supplier through a public portal. The answers feed directly into the risk assessment. Critical dependencies and data processing agreements are documented transparently and linked to the affected business processes.
Includes
Supplier registry
Supplier dossier
Questionnaire editor
External portal
Criticality rating
Document requests
Secure upload link
Linked to processes
ISO 27001 SOC 2 TISAX
Data protection and privacy
Data Protection Management
A complete cockpit for the Data Protection Officer: records of processing activities with legal bases, data processing agreements with sub-processor chains, data protection impact assessments including necessity and proportionality reviews. The cockpit also covers reporting of data breaches, public portals for subject access and erasure requests, and versioned data protection policies. Compliance status is available at the click of a button.
Includes
DPO cockpit
Records of processing
DPA management
Impact assessment (DPIA)
Data protection policies
Breach reporting portal
Subject access (SAR)
Erasure (RTBF)
GDPR revDPA nDPA
Crisis and continuity planning
Business Continuity (BCM)
Business processes, resources and critical dependencies in one continuous topology. For every process, recovery time objectives, acceptable data loss and minimum business continuity objectives are recorded. An integrated business impact analysis shows what must come back online first in a crisis. In an actual event, the cockpit guides you through alerting, crisis communication and a public situation board for customers, regulators and partners.
Includes
BCM cockpit
Business processes
Impact analysis
Recovery topology
Disruption events
Crisis management
Critical resources
Public situation board
RTO · RPO RTA · MBCO Public situation board
Compliance and frameworks
ISMS and frameworks
All of your management system documentation in one place, with versioning, owners and PDF export. The leading frameworks ISO 27001, NIST CSF 2.0, SOC 2 and HIPAA are pre-installed. Each control is tracked with status, implementation level, owner and linked measures. The result is an audit-ready record for internal audits, external certifications and questions from the board.
Includes
ISMS documentation
Policies
Versioning
PDF export
ISO 27001
NIST CSF 2.0
SOC 2
HIPAA
ISO 27001 NIST SOC 2 HIPAA
Technical security check
Live Recon and security checks
An automated technical security assessment of your Microsoft 365 environment instead of mere self-attestation. Two established scan engines test your environment against Microsoft Security Benchmarks and the CIS Foundations Benchmark. Results are presented as prioritised findings with severity, history and manual overrides for deviations you have consciously accepted. The result is an objective fact base for audits and reporting.
Includes
MISA BPA scan
CIS M365 v6.0.1
E3 and E5 profiles
Scan history
Findings register
Manual overrides
Live worker
Azure connection
MISA BPA CIS Benchmark Microsoft Graph
Platform
Platform and reporting
Behind every module sits a shared platform that gives executives and managers a clear view at all times. Reports for the board, audits or regulators are produced at the click of a button, without piecing data together from different tools. In their personal cockpit, each employee sees exactly the items they are responsible for. Sign-in works through your existing corporate identity, permissions are granular by role, and every action is documented in an audit-proof manner.
Includes
Dashboard widgets
Report generator
PDF export
Users and roles
Entra ID single sign-on
Two-factor auth
REST API
Personal cockpit
Entra ID SSO REST API Audit log
All modules · one login · one database

Seven modules that don't just sit next to each other.

A risk references a process. The process depends on a supplier. The supplier is governed by a data processing agreement. The agreement covers a control. The control belongs to a policy. Make a change in one place and the effect is visible everywhere. That is the difference compared with seven separate tools.

Pricing and contact

Tailored. Personal.

Individual offers based on size and requirements. Reply within 24 hours.

Our credo

One price. All modules.

Whether you have 10 or 5,000 employees, you always get all 7 modules and every function. The price scales with company size, not by restricting individual features. No hidden modules, no functions reserved for higher tiers, no surcharges for connectors or API access.

No artificial tiers
Risk Management: included
Supplier Management: included
Data Protection Management: included
Business Continuity (BCM): included
ISMS and frameworks: included
Live Recon (MISA / CIS): included
Dashboard, reports, API: included
The difference

With us, everything is included. With others, you pay per module.

RiskRiver
All included
All 7 modules unlocked from day 1
All frameworks (ISO, NIST, SOC 2, HIPAA)
REST API and Live Recon included
Unlimited users and roles
Swiss hosting included
Pricing scaled to company size
Typical GRC vendors
Modular and tiered
Core risk free, BCM and ISMS only as add-on
Each framework licensed separately
API and integrations only in the top tier
Per-user pricing with seat limits
EU hosting often only in the top tier
Upgrade required for new modules
Our promise

SME or enterprise: everyone gets the same.

Same feature set
All 7 modules, all frameworks and all integrations are available to every customer from day one. No locked features, no tier limits, no upsell prompts inside the application.
Same user experience
A 20-person company works in the same interface as an enterprise with 5,000 employees. Same updates, same release cycles, same performance, no stripped-down "Light" versions.
Same security
Swiss hosting, tenant-separated data storage, audit log, single sign-on and encryption apply equally to every customer, regardless of company size or contract value.
Free demo
Personal walkthrough with a specialist
Swiss Hosted
Data stays in Switzerland
Partner network
Specialists for your rollout
Standard support
Reply within one business day
The process

What happens after your request?

1
Within 24 hours
First contact
We get in touch by email and arrange a time for a personal walkthrough.
2
The following week
Walkthrough and consultation
30 to 45 minutes of personal walkthrough, tailored to your industry and requirements.
3
After that
Offer and partner matching
You receive a transparent offer from us and, if needed, the right onboarding partner from our network.
Get in touch

We look forward to
your enquiry.

Tell us briefly what this is about — we'll get back to you within 24 hours. No automated replies, no lead scoring, no time-pressure sales calls.

Directly by email
Contact form
Fields marked with * are required.
Frequently asked questions

Before you ask.

Are all modules really included for every customer?
Yes. Every customer gets access to every module: risk management, supplier management, data protection, business continuity, ISMS and frameworks, Live Recon and the platform features (dashboard, reports, API). You decide which modules you actively use, but no one is artificially excluded.
How exactly is the price calculated?
We calculate individually based on company size. Reach out. After a short conversation, you will receive a transparent offer with no setup fees and no hidden cost items. You pay a fair price appropriate to your size and get the complete platform in return.
Where is the data stored?
In Switzerland, in an ISO-certified data centre. RiskRiver is a pure SaaS solution: we operate the platform, you use it through your browser. Each customer organisation has its own tenant, with data handling that is GDPR- and revDPA-compliant.
Is there a minimum contract term?
The standard contract term is 12 months. For multi-year contracts, we offer attractive conditions. We discuss the exact contract terms, including cancellation periods and exit options, transparently in a personal conversation.
Can we test RiskRiver before purchasing?
Yes. We offer a free personal walkthrough in which we go through the platform with you based on your specific use cases. Upon request, we then set up a test tenant with your own data so you can try the platform internally.
How does migration from our existing tool work?
For common data types (risks, measures, assets, suppliers, controls), RiskRiver supports import from Excel and CSV. The actual migration and functional rollout runs through our partner network: certified consulting firms that support you with data preparation, model mapping and rollout, with their own conditions agreed directly with you.
Who handles rollout and training?
RiskRiver works with a network of specialised consulting partners. They take care of implementation, user training and functional support for building your GRC programme. We connect you with the right partner for your industry and size. The engagement and offer then happen directly between you and the partner.
Is there a limit on users or API access?
Users are unlimited within your contract. You can invite as many colleagues as you like, with different roles and permissions. The open REST API with token authentication is also included at no extra cost.
Resources

Insights and practical examples.

The platform's central views at a glance. This is how the modules work in practice.

Modules in action

See what matters.

Six real views from the application showing how RiskRiver works in everyday use. No staged visuals, just excerpts from the live product.

Live Recon
CIS M365 Foundations Benchmark
An objective security assessment of your Microsoft 365 environment.
Microsoft 365 Admin Center · admin.microsoft.com · Section 1 · Administration
3 Pass · 1 Fail · 1 Warning
ID     Method      Check                                                                              Result
1.1.2  Graph       Ensure two emergency access accounts have been defined                             Pass
1.1.3  Graph       Ensure that between two and four global admins are designated                      Pass
1.3.1  PowerShell  Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'  Pass
1.3.3  PowerShell  Ensure 'External sharing' of calendars is not available                            Fail
1.3.6  Manual      Ensure the customer lockbox feature is enabled                                     Warning
Instead of self-attestation, you get an objective picture: your Microsoft 365 environment is checked automatically against the CIS benchmark, an internationally recognised standard for configuration security. Weaknesses are displayed with priority, remediation guidance and a direct link into risk management. You can see at a glance where your environment meets the recognised standards and where action is required.
Supplier Management
Supplier dossier
A central dossier for every supplier, with risk classification.
SUP-0014 · High · Active · ✓ ISO 27001 · ✓ SOC 2
Nexavault AG
Cloud · Switzerland
Cloud security provider for infrastructure monitoring, SIEM integration and incident response retainer.
Contact: Sandra Wirth · +41 43 500 77 88
Risk level: High (58%) · Open incidents: 0 (all clear) · Assessment: Good (72%) · Classification: Elevated (52%)
Every supplier and service provider is kept in one place, with master data, contacts, certificates, contracts and a risk classification. Questionnaires are sent by link and completed by the supplier through a public portal, with answers flowing automatically into the risk assessment. Executive management and procurement know at any time which suppliers represent an elevated risk and where follow-up is required.
Risk Management
Risk Register
All risks at a glance, prioritised and traceable.
R-001 · Critical · In treatment · Cyber · 2
Ransomware attack on critical systems
Ransomware encryption of central production systems. Potential losses of customer, financial and personnel data; multi-day operational disruption possible.
Gross risk 20/25 · Residual risk 12/25 · Fulfilment rate 60% · 3 M
Strategic, operational, financial and legal risks are brought together with information security and supply chain risks in a single register. Each entry shows the gross risk, the active measures and the remaining residual risk, with a clearly assigned owner and deadline. Risks can be shared selectively with external parties without them needing their own account. Executive management always sees which risks are prioritised and how far their treatment has progressed.
Platform
Roles and Permissions
Each person sees and edits exactly what they are responsible for.
User                              Permissions                2FA
AM  Anna Müller · CISO            ✎ Risks ✎ ME 👁 HM          SSO
TK  Thomas Keller · IT Manager    👁 Risks ✎ Assets ✎ ISO    2FA
SB  Sandra Berger · DPO           ✎ Rep                      Contact
On the platform, users and their permissions are assigned granularly per module, so sensitive information is only accessible to those who really need it. Sign-in works through your existing corporate identity, complemented by two-factor authentication. External contacts can be kept on file without active access to the application. Access remains traceable and controllable, without IT having to step in for every change.
Data Protection
Record of Processing Activities
A complete, current register, ready for inspection at any time.
VVT-018 · Active · 🌍 Third country
Employees · payroll & HR administration
Processing of payroll data, social security numbers and bank details for payroll and HR administration, including reporting to authorities.
⚖ Contract (Art. 6(1)(b)) · 🗓 10 yrs · 👤 Sandra Berger
Data protection authorities expect a complete, up-to-date register. RiskRiver maintains it automatically and in a structured way, including legal basis, retention periods, third-country transfers and owners. In case of an audit you have everything ready at once, instead of searching through spreadsheets for days.
Crisis and continuity planning
Crisis Management · Public Status Page
In an emergency, every person involved knows immediately what to do.
BCM-P-004 · Crisis active · Critical
Datacenter outage North
Infrastructure · Lukas Mäder
RTO 4h · RPO 1h · MTPD 72h · Deadline 21.05.26
Team check-in: LM Lukas Mäder checked in
Trigger
Power outage after lightning strike, UPS systems overloaded. Primary datacenter unreachable, backup connections unstable. Automatic failover did not trigger.
Critical suppliers
Swisscom Datacenter AG · Hosting · ↳ Failover: DC Zurich South · 📞 044 200 11 22
NetGuard Solutions · Network · MPLS backup active · 📞 031 550 88 00
Process details: Code BCM-P-004 · RTO 4h · RPO 1h · MTPD 72h · Owner Lukas Mäder
1. Immediate actions (2 / 3)
Alert IT emergency team and declare incident · Lukas Mäder · 08:44
Activate BCP and initiate failover to DC South · Anna Berger · 08:51
Publish public situation board and inform stakeholders
2. Alarm chain
1 Lukas Mäder · CISO · 079 111 22 33
2 Sandra Berger · CEO · 079 222 33 44
3 Markus Huber · IT Manager · 079 333 44 55
3. Recovery steps
0–30 min: Verify failover to DC South, set DNS TTL to 60s
30–120 min: Start backup restore from last snapshot (RPO 1h)
2–4h: Full system check, sign-off by IT manager and CISO
RiskRiver BCM · Confidential, authorised personnel only
In a crisis, a public situation board is provided that is reachable without sign-in, even when your own systems are unavailable. The alert chain, immediate actions and recovery steps are prepared as interactive lists. Team members register on the board, document the steps they have completed and see the status of every other task. Executive management keeps an overview in a critical situation, instead of relying on phone chains and improvisation.