Gartner Positions SAS in the Leaders Quadrant of the Magic Quadrant for Operational Risk Management Software for Financial Services
Magic Quadrant for Operational Risk Management Software for Financial Services
6 June 2008
Douglas McKibben, David Furlonger
Gartner Industry Research Note G00157289
The use of ORM software by financial services firms requires capabilities beyond generic audit, control and compliance applications. In addition to
qualitative self-assessment capabilities, leading institutions are seeking solutions that support quantitative, performance-based models.
What You Need to Know

Operational risk is an all-inclusive term that covers front-office (for example, customer and supplier-facing) processes, as well as back-office activities. Exposure to operational risk is inherent in all business processes and IT operations. Operational risk relates to the uncertainty of daily tactical business activities and risk events resulting from inadequate or failed internal processes, people or systems, or from external events. The Basel II Capital Accord (Basel II) created by the Bank of International Settlements requires banks to align their capital adequacy assessments with underlying risk exposures to determine the adequacy of their capital reserves.

Basel II is more risk-sensitive and risk-specific than Basel I. It specifically includes operational risk in risk capital calculations and deliberately links the provision of capital to risk measurement and management activities for all aspects of business.

Basel II and other industry regulatory initiatives, including Markets in Financial Instruments Directive (MiFID) and Solvency II, as well as cross-industry initiatives such as Sarbanes-Oxley, have also given greater visibility to concerns about operational risk as it applies to compliance. While legal and regulatory compliance are primary subsets of operational risk, operational risk is not just concerned with meeting regulatory objectives.

Operational risk management (ORM) is driven by business challenges such as the real-time business environment, concerns about business continuity and organizational reputation, customer expectations, and protection of intellectual property. ORM also includes such areas as the management of fraud and anti-money-laundering (AML), which are frequently treated as separate and parallel initiatives.

ORM, in general, has traditionally focused on system failure, not process. Merely continuing the traditional method of internal and regulatory audits ignores the forward-looking requirements of managing operational risk and the broader implications of operational risk beyond what can be observed or experienced directly by an institution. This requires extending the focus of ORM beyond the rudimentary compliance and reporting regime of the typical governance, risk and compliance (GRC) initiative.

While an appropriate emphasis on the competitive value of effective governance is necessary, decisions on how to run a business should not be linked exclusively to regulatory action. Rather than focusing only on preventing or reporting losses and risk events, the objective of ORM is performance improvement to deliver maximum return to the organization.

This includes a holistic approach to risk management across the enterprise that addresses operational risk and its interdependencies and correlations with market and credit risks to capitalize on the positive potential of properly managed risk. This duality can challenge IT departments, which tend to incorrectly view risk management as just the reduction or elimination of IT risk. The challenge for IT groups is to determine which risk software and technical processes offer the capability to detect and capitalize on risk events significant to corporate performance, and can measure and report on — and potentially reduce — risk through automation and standardization.

Risk management is also a component of corporate performance management (CPM), which encompasses the methodologies, metrics, processes and systems used to monitor and manage the business performance of a company. Risk events must be modeled against CPM priorities to determine risk management priorities and establish metrics and context for management decision making, regulatory reporting and the effect of risk on CPM. In line with the holistic requirements of enterprise risk management, managers of these areas, and not internal auditors, should have primary risk assessment and frontline risk accountability for managing the risks created in their areas. This includes integrating risk assessment into business planning activities. The IT organization should enable the provision of consistent risk management processes — using intranet or Web-based applications — to enable access to this risk information, permit the sharing of risk information across business lines, and facilitate the aggregation of data for centralized decision making regarding risk acceptance, mitigation or transfer.

Magic Quadrant

Figure 1. Magic Quadrant for Operational Risk Management Software for Financial Services
Source: Gartner (June 2008)

Note 1
SunGard Disclaimer

SunGard is a portfolio company of Silver Lake Partners, a private investment firm that also owns a substantial, publicly disclosed interest in Gartner, and has two seats on Gartner's 11-member board of directors. Gartner research is produced independently by the company's analysts, without the influence, review or approval of our investors, shareholders or directors. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on our Web site, www.gartner.com/it/about/omb_guide.jsp.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions

Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Market Overview

The market for ORM software is immature; however, it continues to evolve rapidly. Various vendors contend that they provide software for managing operational risk; however, most address only elements of an institution's portfolio of operational risk exposures.

Most frequently, ORM applications are considered synonymous with GRC suites that predominantly focus on qualitative self-assessment, audit and control processes, and regulatory reporting. Specialized applications for managing IT functions such as security, business continuity and privacy, which are elements of operational risk, are sometimes also given the broader designation of "operational risk" solutions. Other vendors have labeled any number of workflow, dashboarding and data management tools as operational risk solutions. Among financial institutions, functional specifications and risk management approaches are also evolving. Differences remain between more-quantitative approaches, where the calculation is deemed critical based on historical datasets (which may not always be deep or robust enough to be reliable), and more-qualitative or process-based approaches. There is evidence that these approaches (qualitative/quantitative measurement) are converging at Tier 1 financial institutions; however, this trend is occurring unevenly. Even at the largest financial institutions, efforts to create a holistic view of operational risk exposures across the entire enterprise are not fully formed, although many of these institutions are compelled to follow an Advanced Measurement Approach to operational risk as prescribed by their boards of directors in reference to Basel II. A qualitative, self-assessment approach to operational risk management is prevalent at most national and regional Tier 2 and Tier 3 organizations as well as smaller financial institutions that typically lack robust enough governance structures or sufficiently mature risk management methodologies. Most have been permitted by regulators to use the Basel II Basic Indicator or Standardized Approaches for operational risk. Absent the direction of regulators, such institutions have been slow to recognize the value of extending ORM efforts beyond qualitative self-assessment and regulatory compliance to a performance-based approach.
Expansion/Consolidation
Those vendors coming from a compliance/GRC background will find it difficult to extend their solutions to meet
the requirements of Advanced Measurement because they lack the sophisticated knowledge required to
address complex capital calculation within the context of the financial services industry. Several vendors have
based their product offerings on the current market demand and do not have the functionality to support a
move by customers to an Advanced Measurement Approach and quantitative, performance-based activity.
Financial institutions that purchase qualitative self-assessment solutions run the risk of having to replace them
with quantitative functionality if they desire to leverage ORM for improved performance, or if they are forced
by regulators to move to an Advanced Measurement Approach. Over time, large national and regional
institutions in various countries that are currently permitted by national regulators to use the Basic Indicator or
Standardized Approach for managing operational risk under Basel II will be pushed to the Advanced
Measurement Approach. This will require many to replace existing qualitative self-assessment-only applications
with those that provide broader quantitative tools and capital calculation engines. Such actions will cause
further consolidation of the vendor market and drive other vendors to expand functional capabilities to survive.
Business Challenges
The issues of data quality and integrity, the difficulties of reconciling capital requirements across diverse
multiproduct and multinational firms, and validation of those same requirements across comparable
institutions continue to be major challenges. This includes the lack of consistently defined and recorded
information for operational risk events within institutions and across the industry, which inhibits modeling most
operational risk activities and loss events. Various models are being tried, including actuarial loss-based
approaches, even though some insurance companies do not necessarily have sufficient experience in relation
to operational risk or sufficient historical data on which to base valid risk assumptions — this is particularly the
case when looking at those same firms' internal practices.
The lack of definition and consensus regarding risk/data models and methodologies, as well as the difficulty of
devising a precise economic expression of operational risk, is a challenge for the vendors of technology and for
chief risk officers and CIOs, along with bank supervisors. Model design is critical to the overall risk and IT
architectural strategy in terms of workflow, data collection, quality control, normalization and mapping, speed
of that information flow, and attendant analysis, as well as the treatment of risks. Vendors and financial
services providers (FSPs) will require sufficiently flexible architectures that can maintain alignment with
evolving industry consensus. FSPs will also need to be aware that, during this rapid evolution in vendor
solutions and while there remains patchy coalescence regarding a model definition, there will be greater model
variability in terms of assumptions about the data elements and the completeness of the data. This means that
institutions must rely heavily on an internal risk management core competence, which while growing is
certainly not holistically present across most institutions, or external consulting support. Rather than view this
as an additional cost of operations, efforts should be made to link those support requirements to the overall
goal of more-efficient capital allocation and, therefore, profitable growth. This will require significant input from
senior management, as well as having a well-developed change management capability to ensure the smooth
assimilation of changing business processes and employee behaviors.
In addition, philosophical differences continue within and among FSPs regarding overall approaches to risk
management methodologies. This is compounded by geographical differences, for example "home hosting"
issues or the standoff between compliance and principle-based methodology. While there may be an innate,
operational desire on the part of CIOs to try to normalize their institutions' approaches to risk across their
enterprises, most Gartner clients continue to operate credit/market risk functions separately from operational
risk functions, and lack an enterprise approach to risk management. This is made worse when competing
business units within the same firm choose different risk management vendors for the same task. For
example, various vendors claim the same global Tier 1 institution as a Basel II or ORM customer, but this
usually is the result of different divisions of a global institution (for example, retail bank or investment bank)
choosing a vendor thought to meet the specific requirements of a particular business segment. It also remains
the case that some vendors inflate their claims to numbers of installed clients by counting multiple divisions
within the same institution as a separate client. We have yet to find a vendor, regardless of its claims, that is
being used as the sole risk management vendor. In addition, we have yet to find an example of a vendor that
is being used to cover every aspect of enterprise risk, in isolation of other solutions.
Technology Challenges
The lack of an organizationwide view and risk management program plan, as well as the treatment of
operational risk as a series of disjointed tasks or projects as opposed to a holistic strategy, has resulted in an
inconsistent and often incompatible approach to data management, risk engine calculations and
dashboarding/reporting. From a management perspective, this means context concerning the nature of the
risk event or loss is often lost or hidden. Effective enterprise data governance, including metadata
management, reconciliation of calculations from various models (as opposed to mere aggregation), and the
movement to real-time workflow management and alerting necessary for enterprise-level management and
control are not possible with an ad hoc approach. However, many vendors with limited offerings will support
and even encourage compartmentalized or piecemeal tactics to gain a foothold in an institution with a promise
of building out the solutions over time, even though they have not previously demonstrated such capabilities
with others. While risk management should be a centralized enterprise strategy, there is and will be the need
for specialized risk management functionality within various business units. It is acceptable to maintain such
functionality and extend it, but only in the context of a broader enterprise strategy and solution architecture.
Additionally, functional extension should be evaluated in the context of a risk management methodology
blueprint or framework to avoid redundancy, and facilitate integration and data sharing across the enterprise.
Conclusions
There are no shortcuts, and pursuing multiple project initiatives without working out interdependencies and
conflicts will complicate and delay implementation, as well as escalate costs and potential losses. While some
FSPs have found vendors capable of addressing flexible and integrated architectures required to address Basel
II and talk about service orientation, organizations must not be lured into vendor offerings that lack
fundamental, pre-existing capabilities, and that have not achieved a level of market acceptance and scale in
live installations. Moreover, risk management services have not received sufficient treatment to be widely
developed or deployed. Also, financial institutions must avoid building, under vendor influence, a heavily
customized solution that cannot be readily assimilated into the buyer's broader IT architecture. While smaller
vendors will happily use financial institution suggestions to enhance and extend code to improve their product
viability, financial institutions must still pay close attention to the long-term viability of many of the vendors
offering ORM solutions. Functional breadth alone will not necessarily guarantee long-term market presence.
Moreover, many of the larger, seemingly viable vendors that perhaps lack sufficient stand-alone functional
capabilities and seek to entrench themselves in an institution as the "vendor of choice" may encourage custom
code generation as a tactic to inhibit any future vendor replacement due to the mission criticality of this type
of application.
Market Definition/Description
The ORM market is an emerging one within financial services with potentially more than 39 vendors purporting
to have software solutions. The first products appeared on the market to address extensions of compliance
initiatives from industry regulations and relied largely on qualitative measures of self-assessment. Basel II has
put increased emphasis on the quantification of operational risk as part of an economic capital framework.
However, many institutions have yet to forge the link between operational risk and corporate performance.
This includes those that are permitted to employ the standard or basic indicator approaches for Basel
operational risk capital calculations. In the U.S., the control and compliance focus of Sarbanes-Oxley and the
absence of Basel II adoption contribute to a more qualitative approach. Some vendor solutions have been
extended beyond qualitative self-assessment tools to incorporate functionality that quantifies operational risk
as a financial measurement. To meet the business performance needs as well as regulatory requirements for
determining risk capital charges, ORM tools can now be expected to include:
- Risk model stress testing
- External loss database integration
- Multiformat data management
- Capital calculation engines
- Risk policy and controls management
- Business process rule engines with modeling and mapping tools
- Auditing and certification
- Enterprisewide and departmental or line-of-business evaluations
Inclusion and Exclusion Criteria
Offerings included in this Magic Quadrant must be stand-alone software products intended solely for the
control of operational risks. (Products that provide some level of ORM as part of a greater generic compliance
suite were not considered for analysis, although such products and representative vendors may be mentioned
within this research.)
Inclusion Criteria
To be included in this Magic Quadrant evaluation, vendors must:
- Have offerings that are delivered via a traditional software license or alternatively through a software as a service (SaaS) or an application service provider (ASP) business model.
- Have at least 15 paying, unique financial institutions as customers using their products for ORM purposes and be able to demonstrate at least one year of live implementations.
- Be able to demonstrate that financial institution customers make up at least 51% of their overall client base, or can demonstrate that they have generated at least $2.5 million in software license revenue from ORM software applications sold to the financial services industry during the past four rolling quarters.
Products must be able to demonstrate:
- Enterprise reach (as opposed to just departmental or line-of-business capabilities)
- Risk management, escalation and alerting functionality for early warnings and loss events
- Broad spectrum reporting (including, for example, loss events) for senior managers, boards of directors and auditors, as well as bank examiners
- Capability for business process identification, mapping and evaluation
- Risk policy definition and controls, including organizational framework
- Audit and certification
- Assessment and integration of qualitative and quantitative metrics and management controls
- Capital calculation functionality, including statistical and scenario analysis, stress testing, and simulation
- Risk and performance data/indicator monitoring, assessment, and integration
- Data management functionality that incorporates or allows for the integration of a risk data repository, risk metadata library, performance data repository, risk rule engine, tools to extract, transform and load (ETL) data and multitype loss data collection, storage, and retrieval functions
Exclusion Criteria
Vendors and products that do not sufficiently meet the specifics of the inclusion criteria, and those that are
focused on multiple industries that do not have a majority of clients/implementations represented in financial
services, were not considered for this Magic Quadrant.
Vendors with products that are delivered via a "services-based" or "consulting-led" offering were not
included, although we recognize IT and business services are an important element of risk management
solutions.
Magic Quadrant Vendors
From an initial pool of 39 vendors, 15 were selected for the Magic Quadrant based on analyst selection criteria,
client feedback, general industry visibility, responses to our operational risk software criteria survey and
relevant fit to the market. The survey requested information about company size, distribution channels,
financials, unit sales and product features/functionality, alliances, and technical architecture.
We advised all vendors that they would be ranked by comparing their products against our criteria and with
those of other vendors. Here are the vendors and products included in our initial financial services ORM
software Magic Quadrant:
- Algorithmics — Algo OpVar 6
- BWise — v.3.3
- Chase Cooper — ACCelerate Suite v.3
- Ci3 — Sword v.8.0
- eFront — GRC Suite v.3.5
- FRSGlobal — FinancialAnalytics Suite v.2.12
- List S.p.A. — OpRisk Evolution v.3.4
- Mega International — GRC Suite v.3.0
- OpenPages — ORM v.5.1
- Optial — Operational Risk Platform v.6.0
- Methodware — Enterprise Risk Assessor v.6.2
- Riskmanagement Concepts Systems (RCS) — OpRisk Suite v.4.1
- Oracle Financial Services — Reveleus Operational Risk v.4.3
- RimaOne — Survey One v.2.0
- SAS Institute — SAS ORM suite, OpRisk Global Data, OpRisk Monitor v.3.4 and OpRisk VaR v.3.2
This Magic Quadrant focuses on those technology vendors that offer ORM software applications for financial
institutions. It does not include vendors with only dashboard or reporting applications or tools. Nor does it
include consulting companies or professional service providers that do not offer a discrete ORM software
application or toolset, although those services may be part of the application provider's overall offerings.
Vendors were excluded from the Magic Quadrant because they did not meet the stated inclusion criterion or
because their lack of active participation in the review process precluded the acquisition of suitable data to
properly assess their offerings. These vendors were considered but omitted: AcrysConsult, Asparity Decision
Solutions (formerly Portiva), Business Objects, Centerprise Services, Cognos, Consul Risk Management, Cura
Group, Fernbach-Software, Fermat, Financial Objects, FinArch, Garrulus, Hexaware Technologies, HSBC
Operational Risk, IBM, IRIS, Kalypto Risk Technologies, Paisley, Protiviti, Quadrant, Reuters, SAP,
StrategicThought and SunGard.
In evaluating this vendor set, FSPs should be aware that not all the vendors deliver capabilities for operational
risk across all qualitative and quantitative functionalities. For example, several vendors provide suitable
qualitative capabilities and support structures to support Basic or Standard Basel II approaches for operational
risk, but lack the calculation engine necessary to support an Advanced Approach.
Added
None. This is the initial Magic Quadrant for Financial Services ORM Software.
Dropped
None.
Evaluation Criteria
Ability to Execute
This axis evaluates ORM software application vendors on the quality and efficiency of the processes, systems,
methods or procedures that enable their performance to be competitive, efficient and effective, and to
positively affect revenue, retention and reputation. Ultimately, these software application providers are judged
on their ability and success in capitalizing on their vision. Our evaluation of a vendor's ability to execute is
based on these criteria:
- Product — The breadth and availability of the vendor's products that compete in and serve the ORM market
- Overall Viability — Product quality and consistency, as well as the vendor's financial strength, including the likelihood of the continued investment in ORM software for the financial services industry and advancing the state of the art within the provider's portfolio of products
- Sales Execution/Pricing — Capabilities of presales structures and management activities, including pricing and negotiation, as well as overall effectiveness of sales channels
- Market Responsiveness and Track Record — Ability and responsiveness to meet changing market dynamics
- Market Execution — Market share in the global enterprise market
- Customer Experience — Ability to provide technical and relationship support and services that drive customer satisfaction
- Operations — Effectiveness in meeting organizational goals and commitments
Table 1. Ability to Execute Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Product/Service | High |
| Overall Viability (Business Unit, Financial, Strategy, Organization) | Standard |
| Sales Execution/Pricing | Standard |
| Market Responsiveness and Track Record | Standard |
| Marketing Execution | Low |
| Customer Experience | Standard |
| Operations | High |

Source: Gartner (June 2008)
Completeness of Vision
This axis evaluates ORM application vendors on their ability to convincingly articulate logical statements about
current and future market direction, innovation, customer needs and competitive forces, and how well they
map to the Gartner position. Ultimately, these application providers are rated on their understanding of how
market forces can be exploited to create opportunity for the provider. Our evaluation of a vendor's
completeness of vision is based on these criteria:
- Market Understanding — Competitive position, market knowledge and mechanisms for customer feedback
- Marketing Strategy — Ability to provide various professional services
- Sales Strategy — Ability to work with customers through its sales force and sales tools
- Offering (Product) Strategy — Strength of R&D, capability in product design and its ability to offer image stability
- Business Model — Soundness and logic of the underlying business proposition
- Vertical/Industry Strategy — Ability to provide a vertical-specific product and service
- Innovation — Ability to have investment resources, expertise or capital for consolidation, defensive or pre-emptive purposes
- Geographic Strategy — Ability to provide products and services globally
Table 2. Completeness of Vision Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Market Understanding | Standard |
| Marketing Strategy | Standard |
| Sales Strategy | Low |
| Offering (Product) Strategy | High |
| Business Model | Low |
| Vertical/Industry Strategy | High |
| Innovation | Low |
| Geographic Strategy | High |

Source: Gartner (June 2008)
Leaders
This quadrant tends to be occupied by vendors with software applications that are addressing qualitative as
well as quantitative aspects of risk management of ORM. These vendors have achieved a high level of market
acceptance and enable a consistent view of operational risk across the organization as compared to separately
designed and implemented risk calculation engines or audit, control and compliance reporting tools. Such
vendors approach operational risk more comprehensively and holistically across the enterprise and link
operational risk to CPM. They have robust organizational structures and professional services resources.
Challengers
Challengers typically have demonstrated offerings that meet the qualitative as well as quantitative
requirements for managing operational risk and have software that is readily integrable with other
applications. They have implemented sales and marketing strategies for expanding market penetration and
improving the customer experience through enhanced support and professional services capabilities using their
own resources or in partnership with others.
Visionaries
Although visionaries may not necessarily have a comprehensive product offering, they take a strategic
approach to service delivery and are moving toward a technology platform that encompasses qualitative as
well as quantitative capabilities using their own software applications or through partnerships with others.
Innovative product and market approaches or enhanced business models for service delivery that extend the
vendor's market penetration or geographical reach may also characterize those in the Visionaries quadrant.
Niche Players
Niche players deliver software offerings to support ORM, but lack the vision or ability to execute across the
range of evaluation criteria. These tend to be smaller companies with limited geographical reach or financial
resources that depend to varying degrees on partnership relationships for implementation or sales.
Vendor Strengths and Cautions
Algorithmics
Strengths
Acquired by the Fitch Group in 2005, Algorithmics has a strong corporate base and ORM knowledge.
Algo OpVar 6 is a multimodule ORM offering across self-assessment, key risk indicators (KRIs), capital
modeling scenario analysis and loss data collection.
Modules operate on a single integrated data architecture with a calculation engine, data management
specific to operational risk, reporting and dashboard functions, and two external operational-loss
databases.
Algo OpVar6 SE is designed specifically for Tier 2 and Tier 3 institutions seeking to reduce software cost
and resource requirements.
Nineteen offices worldwide with strong professional services capability with global reach.
Strong client base.
Cautions
Flexibility constraints generally require customization of workflow, data fields, and reporting to
accommodate internal risk controls requirements and regulatory compliance. This does not apply to
clients that select the Standard Edition solution.
Qualitative self-assessment and action planning results can be used in the scenario analysis module;
however, there is no direct technological link to the capital calculation engine.
No prepopulated libraries of business rules or regulations, and no specific capability to update based on
regulatory changes.
Limited out-of-the-box capabilities for mapping risk and control elements to specific regulatory
compliance and reporting requirements.
BWise
Strengths
BWise v.3.3 has solid capability in qualitative self-assessment, internal control, KRIs, process modeling,
and optimization for operational risk and regulatory compliance.
It provides a configurable loss incident database with many prestructured elements as well as templates
for Basel II, MiFID and other generic frameworks such as COSO and CobiT.
BWise has an OEM relationship with and sources dashboard functions from Business Objects.
Cautions
It has offices globally; however, 80% of its installed base is in Europe, the Middle East and Africa
(EMEA).
BWise is a horizontal industry solution not specific to financial services and with no specific industry
regulatory features, although the company has a dedicated financial services sales force.
Beyond loss and scenario analysis using value-at-risk (VaR) calculations and a Monte Carlo simulation,
the software uses qualitative self-assessment for risk management, governance and compliance. BWise
supports the standard or basic Basel II approaches to operational risk; however, the absence of an
engine to calculate and allocate risk capital leaves it unable to meet the requirements of an advanced
approach.
There's no external operational loss database; import capabilities are provided to other external sources.
Its approach to CPM is qualitatively based.
KRI templates are provided, but not predefined.
Chase Cooper
Strengths
Chase Cooper aCCelerate Suite v3 provides functions across risk control self-assessment, KRIs and loss
event, as well as a multilevel hierarchy framework to support various risk management structures.
Control failure, self-assessment, and a calculation engine are linked to determine and allocate regulatory
and economic capital. The ultimate objective is for aCCelerate to be an institution's risk and compliance
hub.
It has the ability to scale from large to midtier institutions and includes professional services for
procedures and methodology as well as prestructured modeling tools that don't require users to have
mathematical expertise.
Its modeling handles quantitative as well as qualitative process-based scenarios.
It has flexible process and organizational mapping. It partners with Business Objects for its dashboard.
It delivers standard as well as Crystal reports.
It has its own external loss database.
Cautions
It is privately held, although it is self-sustaining through operations.
About two-thirds of the installed base is in Europe with the balance in the Middle East and South
America. Its geographic reach is limited by distribution partners that are not particularly deep or broad
in their operational risk capabilities or subject matter expertise.
Rules and regulations are not provided in a prepopulated framework.
Orientation is balanced between software sales and consulting services.
Ci3
Strengths
Ci3 Sword v8 provides risk control self-assessment, loss event capture, KRIs and an issues/actions
component for problem tracking and resolution. The framework is preconfigured for Basel II and can be
employed from a standard to an advanced approach. Capital calculations are delivered through custom-
made consulting-derived solutions or sourced from SunGard's BancWare toolkit (see Note 1).
A nonexclusive reseller arrangement with SunGard has given it a global (except Africa) presence and
mitigates the need for additional capital for sales and marketing. Ci3 also leverages the SunGard
relationship for professional services support, and SunGard private-labels Sword as SunGard BancWare
Operational Risk.
Cautions
Ci3 is a relatively small company that is 100% privately owned. It is self-funding (including R&D) from
operations, which determines the extent of growth opportunities.
The solution presents a challenge in the flexibility of workflow and for customers to configure, present
and report data to their specific requirements. Version 8 may create more reporting flexibility.
Its capital calculators are sourced from third-party providers.
Ci3 IT support capabilities are limited.
eFront
Strengths
eFront is funded through venture capital and a public offering. eFront GRC Suite 3.5 is designed
specifically for the financial services market with data structures that are specific to Basel II and
Solvency II.
The product includes five modules with common shared components and a data model that can be
purchased separately: ORM, Internal Control, Audit, Business Continuity Planning and Legal
Management. They cover risk data collection, process mapping, self-assessment, KRIs, action plans, a
BPM graphical interface, and VaR and capital calculation capabilities. It has its own dashboard
technology with standard as well as custom templates.
eFront offers a license or hosted (ASP) model based on native, full Web architecture.
eFront focuses exclusively on financial services.
Cautions
eFront is a small company that entered the market in 2003 with an installed base heavily weighted to
Europe, and the French market in particular, with some clients in Africa. Its ability to serve a more
global market is still in question.
Its batch-oriented uploads of data — statistical models — require users to customize data and develop
their own scripts.
There is no external loss database.
Its ORM focus is limited to Basel II and Solvency II.
The company had an initial public offering in 2006, but organic growth has been limited by internal cash
flow resources. It is studying acquisition opportunities to support penetration of the North American and
Asian markets.
FRSGlobal
Strengths
FRS Risk Resolve is a qualitative ORM product that supports traditional risk control self-assessment,
audit, role-based workflow, and loss-event and near-miss collection and management. It has the
flexibility to support multiple customer-determined configuration structures out of the box, including loss
data structures specific to Basel II requirements.
It has strong regulatory reporting capabilities specific to a variety of national regulations, as well as Pillar
II of Basel II. It also delivers its reporting functions in partnership with Algorithmics, Reveleus and SAP.
Cautions
It has been owned by the Carlyle Group and Kennet Partners investment firms since its 2006 spinoff
from S1.
Its installed base is almost exclusively in North America, and there was some shrinkage in its sales
activity/installed base after the Providus acquisition. The product relaunched in 3Q07.
It depends on OEM relationships, such as with Business Objects, for ETL tools, dashboard capabilities
and scenario analysis.
It is basically a pure-play risk qualitative self-assessment tool that supports the Basic or Standard Basel
II approaches and other frameworks such as COSO and ISO 5229.
It currently lacks a quantitative analytics engine, Monte Carlo simulation or a capital calculation engine.
Its loss data capture is not specific to Basel II.
Customer support is primarily through its Web site and by phone. There is some use of account
managers and extended support agreements.
List S.p.A.
Strengths
A privately held Italian company, List's OpRisk Evolution v.3.4 includes six modules that use a common
platform and data structure that can support standard/basic to advanced measurement approaches to
ORM. All software elements are included and enabled at purchase, and individual components are then
switched on as needed/when licensed.
It includes risk framework, mapping, risk/control self-assessment, loss data collection and KRI
capabilities.
It has a calculation engine for risk capital as well as scenario analysis, quantitative analytics and
Bayesian integration.
It provides the platform for the Italian Operational Risk Data Consortium (DIPO) sponsored by Italian
banking institutions and Bank of Italy.
There are offices in the U.S., Asia and Europe, and the company has an OEM arrangement with Fermat
for sales of this product.
It provides support in all regions on a 24/7 basis.
Cautions
It is a relatively small company that began to expand internationally in 2005.
Its installed base is still heavily based in Italy, and the brand is still evolving.
It does not provide risk methodologies.
It depends on relationships with system integrators for professional services.
Mega International
Strengths
Mega International, a closely held 1991 spinoff from Capgemini, is based in Paris and launched the Mega
GRC Suite 3.0 in 2007. The underlying ORM software was purchased from List S.p.A. in 2006, and
additional software from Control Metrics for internal audit and control was purchased and integrated in
2007. There is no corporate connection with List S.p.A., which is a separate and independent company.
It supports standard/basic to advanced measurement approaches to ORM.
All software elements are included and enabled when purchased, and individual components are then
switched on as needed when licensed.
It includes a risk framework with a Basel II events library (as well as Sarbanes-Oxley and other libraries
planned in the product road map), mapping, risk/control self-assessment, loss data collection and KRI
capabilities.
It has a calculation engine for risk capital as well as scenario analysis, quantitative analytics and
Bayesian integration.
It has strong professional services and consulting support.
A SaaS licensing model is planned for 2009.
Cautions
Mega's sales and business model is a mix of software sales and professional services delivery.
Its installed base is heavily weighted to Europe but has subsidiaries in various countries and is
reorienting its global partner arrangements from an audit and consulting services focus.
Its main market perception is still that of a compliance/qualitative self-assessment product.
With a staff size of 250 people, Mega is relatively large compared to its competitors but still transitioning
from a business process analysis focus to ORM.
Methodware
Strengths
With 15 years of market history, Methodware has a large installed client base for its Enterprise Risk
Assessor v.6.2 product, with more than half of its clients being banks, especially in Tier 2 and Tier 3.
Its strength is its audit, compliance and internal risk self-assessment methodology, and it also captures
KRI and loss data information.
It has global penetration through a large network of distributors with good domain knowledge.
Its risk-based compliance frameworks are available for Basel II clauses and provisions (which can be
prepopulated for an additional fee), MiFID TCF and Solvency II.
It offers a 90-day money-back warranty.
It has an enterprise sales approach.
It has a strong client base for compliance/audit functionality.
Cautions
Methodware is a small, privately held company that was purchased in 2007 by Jade Software, a custom
designer of information systems. Methodware continues to operate independently. Integration of the two
companies is a work in progress.
Its Basel II capabilities are limited to the support of the standard and basic approaches, and it would be
a stretch to use Methodware for an advanced measurement approach to operational risk. It does not
have a calculation engine or simulation tools, but through a partnership with Palisades Software (@Risk
Monte Carlo product), a U.S. company, these elements can be integrated. Scenario analysis is not
available through Palisades or Methodware.
It has dashboarding, but currently no facility for third-party reporting tools.
Its consulting services are provided through a partner network.
OpenPages
Strengths
Established in 1996, OpenPages ORM v.5.1 has an installed base about evenly split between North
America and EMEA.
It provides process and risk-mapping specific to banks with out-of-the-box Basel II definitional
hierarchies.
It supports workflow automation, including event tracing, risk control self-assessment, loss data
collection database and KRI.
It correlates risk events with risk control self-assessment, scenario analysis and KRIs.
It has metadata-driven configurability with dashboard and heat mapping.
Cautions
Its customers are primarily Tier 1 or other institutions with the desire to self-configure an operational
risk framework, database, organizational structure and workflow. However, preconfigured out-of-the-box
versions are available.
It does not include Monte Carlo, VaR or capital calculation engine elements necessary to execute a Basel
II Advanced Measurement Approach.
It provides data input for CPM without statistical analysis. Key performance indicators (KPIs) and KRIs
are customer-defined.
Its external loss data is provided by a link to ORX or other third-party sources.
Optial
Strengths
Optial Operational Risk Platform v6.0 is a suite of modular components for qualitative self-assessment,
workflow, process mapping, loss data collection and KRIs, including a standard list of KRI values. It
includes links to controls, risks, audit findings and losses, and it employs a business rule engine.
Optial has a particular focus on data quality and modeling.
Its Smart-Start version is preconfigured for smaller institutions and is configurable and scalable for large
institutions across thousands of users/profit centers.
Cautions
Basel II event types for business lines are preloaded; however, users require configuration to address
specific regulatory needs.
Based in the U.K., it is a small, privately held firm. While self-funding, its current resources are an
inhibitor to expanding its global footprint. Current sales are limited to Europe, and its partner program is
still evolving.
Its solution does not address quantitative aspects of operational risk and lacks modeling and capital
calculation capabilities.
There is no external operational loss database.
It has consulting partnerships with niche providers.
Oracle Financial Services
Strengths
Oracle now owns 83% of i-flex (Reveleus), which increases Reveleus's viability, resources and global
reach.
Version 4.3 is targeted at Tier 1 banks.
It provides a full-range operational risk framework across assessment, process mapping, workflow
management, KRIs and loss event capture, including data management and ETL tools for quantitative
operational risk and compliance management.
It supports the Advanced approach for Basel II with capital calculation engine, scenario and sensitivity
analysis.
It has an extensive library of bank processes and documents that can be attached electronically to the
self-assessment process.
Through integration of its Mantas product, Reveleus can also provide surveillance and behavior detection
related to AML, know-your-customer, fraud and trading compliance.
It has strong professional services capabilities.
It offers an insurance policy library, insurance claims management and linkages with risks.
It uses the Oracle engine for information flows based on Business Process Execution Language (BPEL)
standards.
Cautions
It classifies all regulatory clauses and procedures; however, it does not provide templates — these are
sold via consulting.
The sophistication and cost of this solution may limit its attractiveness to smaller Tier 2 and Tier 3
institutions, particularly if they are not taking a qualitative approach to operational risk.
Its integration with and ability to leverage Oracle sales and professional services staff are still evolving
and unclear.
Riskmanagement Concepts Systems
Strengths
OpRisk Suite v4.1 by Riskmanagement Concepts Systems (RCS), a privately held Swiss company, is a
modular application targeted at the midsize banking market. It supports operational risk and Basel II
requirements from the standard/basic through the advanced approaches.
Its platform uses a single-data model for loss data collection, risk self-assessment, mapping losses and
controls, as well as workflow and KRI management. Performance metrics may be incorporated and
linked to the calculation engine for statistical and scenario analysis and capital calculations.
Dashboarding and reporting capabilities are included.
Cautions
Its customers are highly concentrated in Europe, and it has yet to attain broader market recognition
through its partnerships with IRIS, COMIT and other distributors.
Its generic risk framework is not delivered with preconfigured settings; however, it can be configured to
support various structures and regulatory requirements.
Its small, thinly staffed organization depends heavily on partners for sales, distribution, professional
services and customer support.
RimaOne
Strengths
It is suitable for Basel II, BaFin (Bundesbank and German Financial Supervisory Authority) and other
regulatory requirements.
It provides process, workflow, framework, internal control and KRI tools from RimaOne, and a capital
calculation engine through a 2003 merger with Quetzal.
Cautions
A privately held company, RimaOne is a generic, user-configured, build-to-order toolkit that is not
particularly unique to financial services or ORM.
Its primary focus is governance, with delivery of standard risk indicators, controls and several modules
to support loss data capture. It does not develop methodologies for customers, has no road map for
doing so, and provides no regulation-specific content.
Reporting is customer-driven and, beyond some standard regulatory reports, is created through Crystal
or other third-party reporting tools.
The company lacks a global sales and distribution strategy, selling directly to the U.S. and through a
regional partner in Europe. RimaOne and Quetzal remain separate legal entities and segment sales by
country. Existing customers are primarily in Germany and France.
SAS Institute
Strengths
SAS Institute (SAS) is a privately held U.S. company with a substantial quantitative and qualitative ORM
application suite as well as its own external loss database that is well represented in institutions globally.
SAS approaches operational risk and compliance collectively, and delivers a modular solution for risk
assessment, loss data, KRI collection and management, as well as workflow control and action planning
with its SAS ORM suite, OpRisk Global Data, OpRisk Monitor v3.4 and OpRisk VaR v3.2.
Documents can be electronically attached to support these processes. Data cleaning and transformation
capabilities to ensure data quality are included as part of the SAS ORM solution.
Quantitative requirements are supported with a capital calculation engine, as well as scenario and
sensitivity analysis with a view to improving corporate performance and facilitating advanced compliance
reporting.
Although it has a substantial professional services staff, the company focuses on delivering an integrated