Risk Intelligence Platform for Outcomes & Impact

Risk intelligence reads the records you already collect - grantee reports, investee updates, case notes - and surfaces the outcome risk before it fails.

Updated
May 23, 2026
Use Case
Risk intelligence · Four kinds of work, four risks

Risk intelligence for the failure you cannot afford.

Sopact is the risk-intelligence layer that reads every applicant, grantee, and investee record the moment it lands. It surfaces the outcome risk — the write-down, the audit finding, the indefensible claim — while there is still a quarter left to act on it. It is built for the funds, foundations, and programs who are paid to not lose.

Day 1: Every record read the day it arrives
Week 1: The first outcome risks surfaced
1 record: Every document, per stakeholder
Two ways to see a risk

Risk management waits for the meeting. Risk intelligence reads on arrival.

Risk management is not wrong — it is a discipline built around a calendar. Risk intelligence keeps the same goal and changes the clock: it reads every record the day it lands. Here is the same risk, on both timelines.

Risk management: A periodic cycle · about 12 months end to end
Quarter 1 · Identify: A workshop lists what could go wrong this year.
Quarter 2 · Assess: Each risk is scored for likelihood and impact.
Quarter 3 · Mitigate: Owners are assigned and the register is updated.
Quarter 4 · Review: The committee meets and revisits the register.
After the fact · Post-mortem: The failure that happened is explained, too late to change it.
Exposure window — up to four quarters with the risk live and the register out of date

Risk management is a calendar. The register is only ever as current as the last meeting — and the risk that matters is the one that moved since.

Risk intelligence: A continuous loop · runs on every record
On arrival · Read: Every record is read the day it lands, in any language.
Same day · Score: Read against the outcomes and risks you defined.
Week 1 · Flag: What is slipping surfaces while there is still time to act.
Every record · Re-read: The next record updates the picture. The loop never stops.
Covered from day one — every record read on arrival, the risk view never stale

Risk intelligence is a loop. It runs the moment a record arrives — so the risk surfaces the week it appears, not the quarter the committee reconvenes.

The gap between the two timelines

It is the same risk on both tracks. Risk management names it at the post-mortem; risk intelligence names it on arrival. The months between those two dates are the months you had to act — and closing that gap is the whole job.

The short answer

What is risk intelligence?

Risk intelligence is the practice of reading the records an organization already collects — applications, grantee reports, investee updates, surveys, case notes — to surface an outcome risk before it becomes a failure. The weak version waits for the quarterly export and learns from the post-mortem. The strong version reads every record on arrival, ties it to one persistent record per stakeholder, and flags what is slipping while there is still time to act.

Enterprise risk intelligence watches threats, fraud, and supply chains. This page is about risk intelligence for outcomes — the failure a fund, a foundation, or a program cannot afford to miss.

Where the risk lives

Four kinds of work. Four risks. One reader.

A foundation watches grantees drift. An impact fund watches a portfolio company fail. A nonprofit watches an at-risk participant wait for support. An applications team watches reviewers disagree. Different records, different failures — and one layer that reads every one of them.

Risk 01 · Foundations
Grant drift, caught a year late

LOIs, budgets, narrative reports, attachments — filed each quarter, read at renewal. By the time an audit flags the drift, the grant is spent and the finding is already public.

Risk 02 · Impact funds
The write-down the post-mortem saw coming

Forty portfolio companies filing quarterly KPI reports and compliance attestations. When one misses payroll, the signals were in the documents all along — just never read together.

Risk 03 · Nonprofits
The intake note that flagged a slip

Intake forms in one system, case notes in another, severity flags in a document. The early sign a participant is falling behind sits in a note one worker wrote and no one else read.

Risk 04 · Applications
The score no two reviewers share

Hundreds of essays, a handful of reviewers, weeks until the board meets. When two readers disagree, the decision is hard to defend — and the equity claim harder still.

Where the risk hides

None of these failures is a surprise in hindsight. Each one was written down — in a report, a note, an attestation, an essay — and read too late to matter. Risk intelligence is reading it in time.

Which risk intelligence

The term means two things. This is the second.

Search “risk intelligence” and most of what returns is built for corporate security — threats, fraud, supply chains. That is a real and separate category. Sopact is the other one: risk intelligence for outcomes, for the organizations measuring whether something worked.

| The question | Enterprise risk intelligence | Risk intelligence for outcomes |
| --- | --- | --- |
| What it watches | Threats, fraud, sanctions, supply-chain exposure | Whether a grant, a portfolio company, or a participant is on track to the outcome |
| Who it serves | Security, compliance, and procurement teams | Foundations, impact funds, grantmakers, and direct-service programs |
| The record it reads | News feeds, watchlists, transaction logs | Applications, grantee reports, investee updates, case notes, surveys |
| The failure it prevents | A breach, a fraud loss, a sanctioned counterparty | A write-down, an audit finding, a missed participant, an indefensible claim |
| A name in the category | Recorded Future, RANE, Dataminr and similar | Sopact |

Recorded Future, RANE, and Dataminr are category names in enterprise security risk; they are not competitors to Sopact and serve a different buyer. Product names are trademarks of their respective owners.

Who this page is for

This page is for foundations, impact funds, grantmakers, and programs measuring outcomes. If you came here for security, threat, or supply-chain risk intelligence, that is a different category — and a different vendor. Everything below is about the risk that an outcome does not hold.

The big picture

Risk intelligence is the job the CRM never did.

For two decades, the system an organization ran to manage its stakeholders was a CRM or a grants database. It did one job well: it recorded. A contact, a grant, an application, a status, a date. That was the right design for an era when the question a board asked was “how many” — how many grants made, how many applicants reviewed, how many people served.

But a CRM gives you contacts, not comprehension. Most of them collect documents — the grantee report, the investee update, the open-ended survey answer, the case note — and then never read them. A survey gives you responses, not a relationship; each round is a fresh export with no link to the one before it. The evidence that an outcome was drifting was almost always there. It was filed, not read.

Meanwhile the analysis itself got easier. Modern tools turn clean, contextual data into a recommendation in minutes. So the value moved. It is no longer in the survey screen or the CRM list — it is in the layer that reads every document on arrival and holds the context underneath. The CRM era recorded what happened. Risk intelligence reads it in time to change what happens next.

What this does not mean

This is not an argument that CRMs and grants databases are bad — they are good at the records job they were built for, and risk intelligence does not replace them. It reads what they already collect. You point it at the data you already have — there is no migration to survive.

What Sopact does

It reads the record on arrival — and routes the next move.

Sopact is a risk-intelligence layer that reads what an organization already collects. It does not replace the CRM or the grants database that holds the records. It reads the material those systems store and never interpret — the grantee reports, the investee updates, the case notes, the open-ended answers, the application essays — against the outcomes and risks the organization defined, the moment each one arrives.

Three things happen on every record, in order. None of them waits for the quarterly export.

1. Read on arrival

Every report, note, survey answer, and attachment is read the day it lands — in any language it was written in, tied to one Persistent Contact ID. Nothing is filed unread.

2. Score against your framework

Each record is scored on the outcomes and risks you defined — the drift, the slip, the chance the result does not hold — with the source sentence kept behind every score. The story sits beside the number.

3. Route the action

A standing risk view shows what is slipping, across the whole portfolio or caseload. The team acts on the grantee, the company, or the participant while there is still a quarter left — not a report left to write.

Why reading on arrival is the difference

A record read at the post-mortem is evidence of a failure. The same record read on arrival is a chance to prevent it. The only variable is when it gets read.

AI in risk intelligence

What AI changes — and the question that separates the real ones.

AI is now on the label of almost every tool that touches risk. Two paragraphs on what it genuinely changes, then the test.

What AI genuinely changes is the cost of reading documents — grantee reports, case notes, open-ended answers, application essays — against a defined set of outcomes and risks. Work that took a consultant weeks of manual coding now runs in minutes, and re-runs every time a new record arrives. That is the single change that makes a continuous risk view possible at all.

What AI does not change is where the reading has to sit. There is a real difference between asking a general AI to summarize an export and a layer reading each record against your framework on arrival. Run the same portfolio through a chat window twice and the scores drift — a four one day, a three point eight the next — because nothing holds the definitions still.

An open AI window, on the export

You paste the spreadsheet into a chat window and ask where the risk is. It answers — once. There is no fixed definition of what “at risk” means, no link between this quarter and the last, and no source sentence behind the score. Ask again next month and the answer has moved.

Answer drifts · No locked framework · No stakeholder link · Re-done by hand each cycle

Sopact, reading on arrival

The outcomes and risks are defined once and held. Every record is read against that same definition, tied to the same Persistent Contact ID, with the source sentence kept behind every score. Ask the same question in March and in June and the method is identical — what changed is the portfolio, not the ruler.

Locked answer · Framework defined once · One record per stakeholder · Cited to the source

The one question to ask

Ask any AI risk tool: run the same portfolio twice, a month apart — does the score hold, and can you see the sentence behind it? A locked answer is a risk you can defend. A drifting one is a guess with a confidence interval.

Who it is for

Built for the teams who are paid to not lose.

Foundations, impact funds, applications teams, direct-service nonprofits — different records, different failures, the same job: see the risk while there is still time to act on it.

Foundations
Grantmaking & portfolio oversight

Grant portfolios tracked across years of reports, budgets, and narratives — where drift hides quietly between one renewal and the next.

Time

300+ program officer hours returned to portfolio work each year.

Money

Audit findings caught before they become public.

Risk

Drift caught one quarter early — not one year late.

Impact funds
LP and GP portfolio risk

Portfolio companies filing quarterly KPIs and compliance attestations — where the write-down is visible long before it lands.

Time

IC pre-meeting prep cut from days to about an hour.

Money

The cost of one missed write-down dwarfs the cost of catching it early.

Risk

Nine months of warning — not nine days.

Applications
Scholarships, fellowships, awards

Hundreds of essays, a handful of reviewers, a board date — where decision variance turns into a claim no one can defend.

Time

About 70% less reviewer time per applicant.

Yield

Higher yield from a tighter, defensible cohort.

Risk

Equity claims defensible — every score traceable to its source.

Nonprofits
Direct service & case management

Intake forms, case notes, and severity flags scattered across tools — where an at-risk participant waits unseen.

Time

Intake to support in the same week, not the next quarter.

Reach

Less time lost to intake friction — more clients served per worker.

Risk

Safety flags surfaced same-day — not at the next case review.

Same loop, different labels

A foundation, an impact fund, an applications office, and a direct-service nonprofit run the same loop: a record arrives, a risk is in it, someone has to read it in time. They differ on the funder’s template and the name on the file — not on where the risk hides, and not on what it costs to miss it.

Anchored in the standards

Risk is a measured dimension — not just a security word.

Risk intelligence for outcomes is not a metaphor borrowed from corporate security. In impact measurement, risk is a defined dimension of the work — the chance the outcome does not occur as expected. The frameworks that define it are well established.

Five Dimensions of Impact
Risk is the fifth dimension

The Impact Management framework defines five dimensions of impact — What, Who, How Much, Contribution, and Risk. Impact risk is the likelihood that impact differs from what was expected, across nine recognised types.

IRIS+
Risk as a core consideration

IRIS+, the GIIN’s system for measuring and managing impact, treats impact risk as part of the evidence an investor or funder is expected to assess — not an afterthought to the metrics.

Theory of Change
Risk is the assumption that fails

Every theory of change rests on assumptions about what will hold. Risk intelligence is the discipline of watching whether those assumptions are holding — in the records, as they arrive.

Authority, not a compliance badge

Sopact cites these frameworks to share their vocabulary, not to claim certification against them. Compliance is a conversation for your auditor. Shared language is one we can have on this page.

The platform

What a risk intelligence platform has to actually do.

A risk intelligence platform is not a dashboard with a risk tab. It is the set of jobs that turn the records you already collect into a risk you can see and defend. Sopact runs six, in one place.

Job 01
Collect

Primary collection through Sopact Sense, or a clean read of what your existing systems already gather. One record per stakeholder from the first form.

Job 02
Read

Every document read on arrival, in any language — the grantee report, the case note, the investee update, the essay. Nothing is filed unread.

Job 03
Score

Each record scored against the outcomes and risks you defined, with the source sentence kept behind every score.

Job 04
Connect

Structured fields and narrative evidence on the same record — the number and the story, tied to one Persistent Contact ID.

Job 05
Compare

The same framework applied every cycle, so a change is the stakeholder moving — not the method drifting underneath it.

Job 06
Report

A standing risk view and a board-ready report, generated from the live record — every figure traceable to its source.

See the platform read your own records.

Bring four quarters of grantee reports, investee updates, or case notes. We will run them through Sopact and show you the risk read on arrival.

How to choose

Start from the record that goes unread.

Most risk intelligence searches start with the wrong question. “Which platform should we buy” returns a shortlist of dashboards and databases that all demo well. The useful question is narrower: walk one grant, one company, or one participant from the first record to the last, and find the seam where the risk goes unseen.

If the same stakeholder scatters across reports with no reliable link, the gap is persistent identity. If grantee reports and case notes pile up unread, the gap is qualitative reading — software that reads text, not one that stores it. If the risk is always noticed at the post-mortem, the gap is that nothing reads the records on arrival; only people do, one file at a time. And if the board report takes weeks to assemble, the gap is a report that does not build from the record.

That diagnosis decides whether you need a better database or a different layer over the whole process. An organization that skips it buys a faster version of the CRM it already had — and the report that held the risk is still sitting unread, in exactly the same place.

The test

Take one grantee report or case note from two quarters ago that, in hindsight, showed the risk starting. Ask of any tool you are evaluating: would this have surfaced that record in time? If the answer is “only if someone went looking,” it stores records — it does not read risk.

Two engines, one layer

Risk intelligence runs on two engines — people and organizations.

A risk lives on one of two sides. Either a person is slipping, or an organization is. Sopact reads both — on one layer, with the same persistent record.

One layer over both

Stakeholder Intelligence and Partner Intelligence are not two separate products. They are the two engines under one risk-intelligence layer — the same persistent record, the same reading on arrival, the same locked answer. A risk is a risk, whether it wears a name or a logo.

FAQ

Risk intelligence, answered

What is risk intelligence?

Risk intelligence is the practice of reading the records an organization already collects — applications, grantee reports, investee updates, surveys, case notes — to surface an outcome risk before it becomes a failure. The weak version waits for the quarterly export and the post-mortem. The strong version reads every record on arrival, ties it to one persistent record per stakeholder, and flags what is slipping while there is still time to act.

What is a risk intelligence platform?

A risk intelligence platform is the software that does that reading in one place. It collects or connects to the records, reads each one on arrival against a defined framework of outcomes and risks, scores it with the source sentence kept, and surfaces a standing view of what is at risk. Sopact runs six jobs — collect, read, score, connect, compare, report — so the risk is visible without a separate analyst assembling it each cycle.

How is risk intelligence different from risk management?

Risk management is a discipline built around a calendar: identify, assess, mitigate, and review on a quarterly or annual cycle. It is sound, but the register is only ever as current as the last meeting. Risk intelligence keeps the same goal and changes the clock — it reads every record the day it arrives, so a risk surfaces the week it appears rather than at the next committee. One is periodic. The other is continuous.

How is risk intelligence for outcomes different from enterprise risk intelligence?

Enterprise risk intelligence is built for corporate security: it watches threats, fraud, sanctions, and supply-chain exposure for security and compliance teams. Risk intelligence for outcomes watches whether a grant, a portfolio company, or a participant is on track to its intended result. The records are different, the buyers are different, and the failure prevented is different — a write-down or an audit finding, not a breach. This page is about the second.

What is risk intelligence for foundations and grantmakers?

For a foundation, risk intelligence reads the LOIs, budgets, and narrative reports a grant portfolio produces across years, and flags the grantee drifting off plan between renewals. The failure it prevents is an audit finding caught only after it becomes public, and a program officer’s year lost to assembling reports by hand. It surfaces the drift one quarter early, while a renewal conversation can still change the outcome.

What is risk intelligence for impact funds?

For an impact fund, risk intelligence reads the quarterly KPI reports, compliance attestations, and updates a portfolio produces, and flags the company sliding toward a write-down. The signals are usually in the documents long before the company misses payroll — they were just never read together. Reading every update on arrival turns a nine-day warning into a nine-month one, and cuts investment-committee prep from days to about an hour.

What is risk intelligence for nonprofits?

For a direct-service nonprofit, risk intelligence reads the intake forms, case notes, and check-ins a program collects, and flags the participant whose outcome is slipping. The early sign is almost always in a note one worker wrote and no one else read. Reading every note on arrival surfaces a safety flag the same day, not at the next case review — and lets a program act while there is still a term left to change the year.

How does AI change risk intelligence?

AI changes the cost of the most expensive step: reading documents — reports, notes, open-ended answers — against a defined set of outcomes and risks. Work that took a consultant weeks now runs in minutes and re-runs on every new record. The distinction that matters is when the AI runs. AI on the final export only speeds up the report. AI on arrival reads each record as it lands and flags the risk in week one.

Does risk intelligence replace our CRM or grants management system?

No. A risk intelligence layer reads what those systems collect; it does not replace them. The CRM and the grants database keep the records, the scheduling, and the compliance trail they were built for. Risk intelligence is the layer on top that reads every record they store but never interpret, and turns it into a risk you can see. You point it at the data you already have — there is no migration.

How does risk intelligence relate to the Five Dimensions of Impact and IRIS+?

Risk is one of the five dimensions of impact in the widely used Impact Management framework, alongside What, Who, How Much, and Contribution. Impact risk is the likelihood that impact differs from expectation. IRIS+, the GIIN’s system, treats it as core evidence an investor or funder assesses. Risk intelligence is the practice of measuring that dimension continuously — reading the records as they arrive, rather than estimating it once a year.

Can risk intelligence read qualitative evidence, not just numbers?

Yes — and that is the point. The early sign of a risk usually sits in qualitative evidence: a narrative report, an open-ended answer, a case note, an interview. Numbers and attendance are simple to count; drift shows up first in language. Sopact reads the qualitative evidence against the same framework as the quantitative metrics and puts the story beside the number on one record. The risk a board asks about is usually the qualitative one.

How is risk intelligence different from a survey tool?

A survey tool collects responses and ends its job when the response is submitted. It does not link rounds, read the open text, or tell you which stakeholder is at risk. Risk intelligence treats the survey as one input among several — reports, notes, attestations, intake forms — and reads all of them against the outcomes you defined. The survey asks the question. Risk intelligence keeps the answer current and flags when it turns.

How do we choose a risk intelligence platform?

Start from where your current process breaks, not from a feature list. Walk one grant, company, or participant from the first record to the last and find the seam where the risk goes unseen. If stakeholders scatter across reports, the gap is persistent identity. If reports pile up unread, the gap is qualitative reading. If the risk is always found at the post-mortem, the gap is that nothing reads on arrival. The diagnosis decides what you actually need.

Product and company names referenced on this page are trademarks of their respective owners. Information is based on publicly available documentation as of May 2026 and may have changed since. To suggest a correction, email unmesh@sopact.com.

See it on your own records

Bring your last four quarters. See the risk you already hold.

Bring one portfolio’s real material — a batch of grantee reports, investee updates, or case notes, in whatever languages they arrived. We will run it through Sopact and show you the risk read on arrival, the story beside the number on each record, and a standing view of what is slipping — every signal traceable to the document it came from. A parallel pilot you can run alongside the systems you have today.

30 minutes · your real records · no migration commitment