Risk, Compliance & Investigations

When risk becomes a board issue, you need people who have been in the room.

Swiftwater’s risk and compliance practice, led by Mirat Dave, helps enterprise legal, risk, and compliance functions operate at the speed and standard the business demands: from enterprise risk strategy and third-party governance to corporate investigation management. Our practitioners have led these functions from inside $40 billion global organizations, not from the outside.

Mirat Dave, Risk & Compliance Lead

GMAP Framework  ·  Enterprise Risk  ·  Third-Party Risk  ·  Board & C-Suite Advisory  ·  Regulatory Compliance  ·  Corporate Investigations  ·  Americas  ·  EMEA  ·  APAC

The Challenge

Risk and compliance failures are no longer contained events.

Enterprise risk has become a board-level conversation. Regulatory scrutiny is intensifying across every jurisdiction. Third-party vendor populations are growing faster than the governance programs meant to oversee them. Cybersecurity breaches now carry direct financial consequences measured in millions before the incident report is written.

Most enterprise legal, risk, and compliance teams know where the exposure is. The gap is between knowing the risk and having the operational and strategic capability to manage it at enterprise scale, without building a function the business routes around because it operates as an enforcement office rather than a strategic partner.

Where enterprise risk and compliance programs typically break down

01

Risk assessment treated as an annual exercise, not a continuous, live view of exposure tied to the business outcomes that matter to the board

02

Third-party vendor risk managed by contract only: no risk tiering, no ongoing monitoring, and no structured due diligence across a vendor population that spans cyber, data privacy, regulatory, and reputational exposure

03

Cybersecurity risk owned by IT, not legal or compliance, leaving a governance gap when a breach triggers regulatory notification obligations, contractual consequences, and reputational damage simultaneously

04

Corporate investigations managed on email threads and shared drives: no consistent workflow, no audit trail, and documentation gaps that create liability when regulators or outside counsel start asking questions

05

Compliance programs designed for the regulator, not the business, creating a culture of enforcement that business units route around rather than engage with

06

Board and C-suite risk reporting that confirms what leadership already knows, not the forward-looking, business-impact framing that earns the risk function a seat at the strategy table

Services Offered

Each engagement begins where your exposure is greatest.

Many clients start with one service area and expand as the relationship deepens. Each capability below is available as a standalone engagement or as part of a broader risk and compliance program.

01

Enterprise Risk Strategy & Assessment

GMAP-based enterprise risk identification and assessment across Growth, Margin, Assets, and Purpose. Built to give boards and C-suite executives the forward-looking risk insight that drives decisions, not the backward-looking audit summary they already know. Includes Board and C-suite risk workshops that business leaders ask to attend.

02

Third-Party Risk Management

Structured TPRM programs for organizations managing large vendor populations with widely varying risk profiles: cybersecurity exposure, data privacy obligations, regulatory compliance, contract performance, and reputational risk. Risk tiering, due diligence workflows, ongoing monitoring, and regulatory documentation maintained at enterprise scale.

03

Cybersecurity Risk Governance

The legal, regulatory, and contractual layer of cyber risk, not the technical implementation. Vendor cybersecurity assessments, breach response governance frameworks, regulatory notification protocols, and the documentation that protects the organization when an incident triggers legal and regulatory scrutiny simultaneously.

04

Regulatory Compliance Program Design

Compliance programs designed to enable the business, not just satisfy the regulator. Simplified, standardized global processes that reduce the compliance burden on business units while strengthening the function's defensibility and standing with regulators across jurisdictions.

05

Corporate Investigation Management

Structured, technology-enabled corporate investigation workflows, delivered on the Onit platform. Misconduct, fraud, conflict of interest, insider threat, and regulatory inquiry investigations managed with consistent documentation, clear chain of custody, and outcomes that hold up to external scrutiny. Where digital forensics is required, Swiftwater works in partnership with Digitas Consulting.

06

Privacy Review & Data Governance

Ongoing privacy review and data governance support across GDPR, CCPA, HIPAA, and cross-jurisdictional frameworks: vendor data sharing reviews, breach response protocols, and the compliance documentation required across multiple regulatory environments simultaneously.

07

AI & Technology for Risk and Compliance

Digital and AI-powered solutions to scale risk and compliance operations: automated risk reporting, AI-driven compliance monitoring, workflow automation for investigation management, and the analytics layer that turns compliance data into operational insight the business can act on.

08

Cost Reduction for Legal, Risk & Compliance Spend

AI-powered analysis of external legal, investigation, and compliance provider costs, targeting 8–21% reduction in third-party spend through smart procurement, invoice analysis, and fee benchmarking across outside counsel and specialist providers.

The Swiftwater Difference

We manage risk as a business function, not a compliance obligation.

Most risk and compliance engagements deliver a framework and leave. The function is then expected to implement recommendations with the same constraints (capacity, capability, and culture) that created the gap in the first place. The frameworks are often sound. The execution gap is where enterprise risk programs fail.

Mirat Dave built and ran risk and compliance functions from inside a $40 billion regulated organization operating in 150+ countries. He developed the GMAP framework, a risk management methodology that reframes risk around the four dimensions boards actually care about: Growth, Margin, Assets, and Purpose.

$40B

Scale of the regulated organization, operating across 150+ countries, inside which Mirat Dave ran risk and compliance functions

8–21%

Reduction in external R&C spend through AI-powered cost analysis and fee benchmarking

EY / BDO

Mirat's background: Managing Director at EY Global and BDO before founding his own firm and joining Swiftwater

How the GMAP Framework Works

Risk management built around what boards actually care about.

Most enterprise risk programs identify the top ten risks, present them to the board, and receive a response along the lines of “this aligns with our understanding.” Leadership already knew. The function spent months confirming it. GMAP reframes the conversation.

G

Growth

Risks to revenue growth, market share, new products, and competitive positioning, the risks that show up in the CEO's earnings call narrative.

M

Margin

Risks to EBITDA, earnings per share, operating cost, and reserves, the numbers the CFO defends in every board pack and analyst briefing.

A

Assets

Risks to physical, financial, intellectual property, and reputational assets, the things the organization has built that can be lost faster than they were created.

P

Purpose

Risks to ethical conduct, regulatory compliance, ESG obligations, and stakeholder trust, the dimension that determines whether the organization retains its license to operate.

By mapping risk to these four dimensions (the ones that show up in earnings calls, board packs, and CFO conversations), the risk function moves from reporting on risk to contributing to the management of business performance. Boards ask to be involved. Business units treat the function as a resource, not a regulator.

The Practice Team

People who have managed risk, not just written about it.


Mirat Dave

Risk & Compliance Lead

Mirat's career spans Big 4 and global advisory at the most senior level. At EY he served as Managing Director of EY Global covering Accounts, Learning, and Enterprise Risk Management, US Risk Management Services Leader for Pharmaceutical and Life Sciences, and Northeast Enterprise Risk Management Services Leader. He went on to serve as Managing Director at BDO before founding iFUELmd and joining Swiftwater. His experience spans governance, enterprise risk management, digital strategy, and regulatory compliance across pharmaceutical, technology, entertainment, and manufacturing sectors. He developed the GMAP framework and advises boards and C-suite executives on managing risks to Growth, Margin, Assets, and Purpose.

Enterprise Risk • GMAP Framework • Board Advisory • EY • BDO • Pharmaceutical • Technology • EMEA • APAC


Hassan El Asraoui

CEO & Co-Founder

Hassan brings over three decades of experience at the intersection of legal, risk, and information governance. He ran the Information Management and Governance practice at Kroll, one of the most recognized names in corporate investigations and risk advisory globally. Prior to Kroll he held senior roles at Huron Consulting, PwC, and AT&T. Within Swiftwater's risk practice, his focus is third-party risk management and cybersecurity risk governance, areas where he has designed and implemented enterprise-scale programs for clients across technology, manufacturing, and financial services.

Kroll • Huron • PwC • AT&T • Third-Party Risk • Cybersecurity Risk Governance • Information Governance • Americas • EMEA

Corporate Investigation Management

A structured investigation platform built on Onit, delivered by Swiftwater.

Corporate investigations are one of the highest-risk operational workstreams a legal or compliance team runs, and one of the least structured. Most organizations manage them across email threads, shared drives, and ad hoc outside counsel assignments. The result is documentation that cannot withstand regulatory scrutiny, costs that are difficult to control, and outcomes that vary based on who happens to be running the matter.

Swiftwater and Onit have expanded their partnership specifically to address this. The corporate investigation management solution brings the full investigation lifecycle onto the Onit platform: intake and triage, investigation workflow, evidence and document management, outside counsel and cost management, and standardized reporting for GC, CCO, board, and regulatory audiences.

Where digital forensics capability is required, Swiftwater works in active partnership with Digitas Consulting, staffed by former law enforcement and intelligence professionals specializing in digital forensics, cybersecurity investigations, and insider threat mitigation.

Book a Discovery Call with Mirat →

Next Step

What would your organization look like if risk was managed as a strategic advantage, not a reactive obligation?

A 30-minute discovery call with Mirat Dave gives you a clear view of where your current risk and compliance program has gaps, and what it would take to close them at enterprise scale. No minimum scope. No commitment to a full program.

No commitment. No pitch deck. Just a direct conversation with a practitioner.