Magic Quadrant for Operational Risk Management
Software for Financial Services
6 June 2008

Douglas McKibben, David Furlon...

Gartner Positions SAS in the Leaders Quadrant of the Magic Quadrant for Operational Risk Management Software for Financial Services


  1. 1. Magic Quadrant for Operational Risk Management Software for Financial Services
6 June 2008
Douglas McKibben, David Furlonger
Gartner Industry Research Note G00157289

The use of ORM software by financial services firms requires capabilities beyond generic audit, control and compliance applications. In addition to qualitative self-assessment capabilities, leading institutions are seeking solutions that support quantitative, performance-based models.

What You Need to Know

Operational risk is an all-inclusive term that covers front-office (for example, customer and supplier-facing) processes, as well as back-office activities. Exposure to operational risk is inherent in all business processes and IT operations. Operational risk relates to the uncertainty of daily tactical business activities and risk events resulting from inadequate or failed internal processes, people or systems, or from external events. The Basel II Capital Accord (Basel II) created by the Bank of International Settlements requires banks to align their capital adequacy assessments with underlying risk exposures to determine the adequacy of their capital reserves. Basel II is more risk-sensitive and risk-specific than Basel I. It specifically includes operational risk in risk capital calculations and deliberately links the provision of capital to risk measurement and management activities for all aspects of business.

Basel II and other industry regulatory initiatives, including Markets in Financial Instruments Directive (MiFID) and Solvency II, as well as cross-industry initiatives such as Sarbanes-Oxley, have also given greater visibility to concerns about operational risk as it applies to compliance. While legal and regulatory compliance are primary subsets of operational risk, operational risk is not just concerned with meeting regulatory objectives. Operational risk management (ORM) is driven by business challenges such as the real-time business environment, concerns about business continuity and organizational reputation, customer expectations, and protection of intellectual property. ORM also includes such areas as the management of fraud and anti-money-laundering (AML), which are frequently treated as separate and parallel initiatives.

ORM, in general, has traditionally focused on system failure, not process. Merely continuing the traditional method of internal and regulatory audits ignores the forward-looking requirements of managing operational risk and the broader implications of operational risk beyond what can be observed or experienced directly by an institution. This requires extending the focus of ORM beyond the rudimentary compliance and reporting regime of the typical governance, risk and compliance (GRC) initiative.

While an appropriate emphasis on the competitive value of effective governance is necessary, decisions on how to run a business should not be linked exclusively to regulatory action. Rather than focusing only on preventing or reporting losses and risk events, the objective of ORM is performance improvement to deliver maximum return to the organization.

This includes a holistic approach to risk management across the enterprise that addresses operational risk and its interdependencies and correlations with market and credit risks to capitalize on the positive potential of properly managed risk. This duality can challenge IT departments, which tend to incorrectly view risk management as just the reduction or elimination of IT risk. The challenge for IT groups is to determine which risk software and technical processes offer the capability to detect and capitalize on risk events significant to corporate performance, and can measure and report on — and potentially reduce — risk through automation and standardization.

Risk management is also a component of corporate performance management (CPM), which encompasses the methodologies, metrics, processes and systems used to monitor and manage the business performance of a company. Risk events must be modeled against CPM priorities to determine risk management priorities and establish metrics and context for management decision making, regulatory reporting and the effect of risk on CPM. In line with the holistic requirements of enterprise risk management, managers of these areas, and not internal auditors, should have primary risk assessment and frontline risk accountability for managing the risks created in their areas. This includes integrating risk assessment into business planning activities. The IT organization should enable the provision of consistent risk management processes — using intranet or Web-based applications — to enable access to this risk information, permit the sharing of risk information across business lines, and facilitate the aggregation of data for centralized decision making regarding risk acceptance, mitigation or transfer.

Note 1
SunGard Disclaimer

SunGard is a portfolio company of Silver Lake Partners, a private investment firm that also owns a substantial, publicly disclosed interest in Gartner, and has two seats on Gartner's 11-member board of directors. Gartner research is produced independently by the company's analysts, without the influence, review or approval of our investors, shareholders or directors. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on our Web site.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Magic Quadrant

Figure 1. Magic Quadrant for Operational Risk Management Software for Financial Services
  2. 2. Source: Gartner (June 2008)

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Market Overview

The market for ORM software is immature; however, it continues to evolve rapidly. Various vendors contend that they provide software for managing operational risk; however, most address only elements of an institution's portfolio of operational risk exposures.

Most frequently, ORM applications are considered synonymous with GRC suites that predominantly focus on qualitative self-assessment, audit and control processes, and regulatory reporting. Specialized applications for managing IT functions such as security, business continuity and privacy, which are elements of operational risk, are sometimes also given the broader designation of "operational risk" solutions. Other vendors have labeled any number of workflow, dashboarding and data management tools as operational risk solutions.

Among financial institutions, functional specifications and risk management approaches are also evolving. Differences remain between more-quantitative approaches, where the calculation is deemed critical based on historical datasets (which may not always be deep or robust enough to be reliable), and more-qualitative or process-based approaches. There is evidence that these approaches (qualitative/quantitative measurement) are converging at Tier 1 financial institutions; however, this trend is occurring unevenly. Even at the largest financial institutions, efforts to create a holistic view of operational risk exposures across the entire enterprise are not fully formed, although many of these institutions are compelled to follow an Advanced Measurement Approach to operational risk as prescribed by their boards of directors in reference to Basel II. A qualitative, self-assessment approach to operational risk management is prevalent at most national and regional Tier 2 and Tier 3 organizations as well as smaller financial institutions that typically lack robust enough governance structures or sufficiently mature risk management methodologies. Most have been permitted by regulators to use the Basel II Basic Indicator or Standardized Approaches for operational risk. Absent the direction of regulators, such institutions have been slow to recognize the value of extending ORM efforts beyond qualitative self-assessment and regulatory compliance to a performance-based approach.

Expansion/Consolidation

Those vendors coming from a compliance/GRC background will find it difficult to extend their solutions to meet the requirements of Advanced Measurement because they lack the sophisticated knowledge required to address complex capital calculation within the context of the financial services industry. Several vendors have based their product offerings on the current market demand and do not have the functionality to support a move by customers to an Advanced Measurement Approach and quantitative, performance-based activity. Financial institutions that purchase qualitative self-assessment solutions run the risk of having to replace them with quantitative functionality if they desire to leverage ORM for improved performance, or if they are forced by regulators to move to an Advanced Measurement Approach. Over time, large national and regional institutions in various countries that are currently permitted by national regulators to use the Basic Indicator or Standardized Approach for managing operational risk under Basel II will be pushed to the Advanced Measurement Approach. This will require many to replace existing qualitative self-assessment-only applications with those that provide broader quantitative tools and capital calculation engines. Such actions will cause further consolidation of the vendor market and drive other vendors to expand functional capabilities to survive.

Business Challenges

The issues of data quality and integrity, the difficulties of reconciling capital requirements across diverse multiproduct and multinational firms, and validation of those same requirements across comparable institutions continue to be major challenges. This includes the lack of consistently defined and recorded information for operational risk events within institutions and across the industry, which inhibits modeling most operational risk activities and loss events. Various models are being tried, including actuarial loss-based approaches, even though some insurance companies do not necessarily have sufficient experience in relation to operational risk or sufficient historical data on which to base valid risk assumptions — this is particularly the
  3. 3. case when looking at those same firms' internal practices.

The lack of definition and consensus regarding risk/data models and methodologies, as well as the difficulty of devising a precise economic expression of operational risk, is a challenge for the vendors of technology and for chief risk officers and CIOs, along with bank supervisors. Model design is critical to the overall risk and IT architectural strategy in terms of workflow, data collection, quality control, normalization and mapping, speed of that information flow, and attendant analysis, as well as the treatment of risks. Vendors and financial services providers (FSPs) will require sufficiently flexible architectures that can maintain alignment with evolving industry consensus. FSPs will also need to be aware that, during this rapid evolution in vendor solutions and while there remains patchy coalescence regarding a model definition, there will be greater model variability in terms of assumptions about the data elements and the completeness of the data. This means that institutions must rely heavily on an internal risk management core competence, which while growing is certainly not holistically present across most institutions, or external consulting support. Rather than view this as an additional cost of operations, efforts should be made to link those support requirements to the overall goal of more-efficient capital allocation and, therefore, profitable growth. This will require significant input from senior management, as well as having a well-developed change management capability to ensure the smooth assimilation of changing business processes and employee behaviors.

In addition, philosophical differences continue within and among FSPs regarding overall approaches to risk management methodologies. This is compounded by geographical differences, for example "home hosting" issues or the standoff between compliance and principle-based methodology. While there may be an innate, operational desire on the part of CIOs to try to normalize their institutions' approaches to risk across their enterprises, most Gartner clients continue to operate credit/market risk functions separately from operational risk functions, and lack an enterprise approach to risk management. This is made worse when competing business units within the same firm choose different risk management vendors for the same task. For example, various vendors claim the same global Tier 1 institution as a Basel II or ORM customer, but this usually is the result of different divisions of a global institution (for example, retail bank or investment bank) choosing a vendor thought to meet the specific requirements of a particular business segment. It also remains the case that some vendors inflate their claims to numbers of installed clients by counting multiple divisions within the same institution as a separate client. We have yet to find a vendor, regardless of its claims, that is being used as the sole risk management vendor. In addition, we have yet to find an example of a vendor that is being used to cover every aspect of enterprise risk, in isolation of other solutions.

Technology Challenges

The lack of an organizationwide view and risk management program plan, as well as the treatment of operational risk as a series of disjointed tasks or projects as opposed to a holistic strategy, has resulted in an inconsistent and often incompatible approach to data management risk engine calculations and dashboarding/reporting. From a management perspective, this means context concerning the nature of the risk event or loss is often lost or hidden. Effective enterprise data governance, including metadata management, reconciliation of calculations from various models (as opposed to mere aggregation), and the movement to real-time workflow management and alerting necessary for enterprise-level management and control are not possible with an ad hoc approach. However, many vendors with limited offerings will support and even encourage compartmentalized or piecemeal tactics to gain a foothold in an institution with a promise of building out the solutions over time, even though they have not previously demonstrated such capabilities with others. While risk management should be a centralized enterprise strategy, there is and will be the need for specialized risk management functionality within various business units. It is acceptable to maintain such functionality and extend it, but only in the context of a broader enterprise strategy and solution architecture. Additionally, functional extension should be evaluated in the context of a risk management methodology blueprint or framework to avoid redundancy, and facilitate integration and data sharing across the enterprise.

Conclusions

There are no shortcuts, and pursuing multiple project initiatives without working out interdependencies and conflicts will complicate and delay implementation, as well as escalate costs and potential losses. While some FSPs have found vendors capable of addressing flexible and integrated architectures required to address Basel II and talk about service orientation, organizations must not be lured into vendor offerings that lack fundamental, pre-existing capabilities, and that have not achieved a level of market acceptance and scale in live installations. Moreover, risk management services have not received sufficient treatment to be widely developed or deployed. Also, financial institutions must avoid building, under vendor influence, a heavily customized solution that cannot be readily assimilated into the buyer's broader IT architecture. While smaller vendors will happily use financial institution suggestions to enhance and extend code to improve their product viability, financial institutions must still pay close attention to the long-term viability of many of the vendors offering ORM solutions. Functional breadth alone will not necessarily guarantee long-term market presence. Moreover, many of the larger, seemingly viable vendors that perhaps lack sufficient stand-alone functional capabilities and seek to entrench themselves in an institution as the "vendor of choice" may encourage custom code generation as a tactic to inhibit any future vendor replacement due to the mission criticality of this type of application.

Market Definition/Description

The ORM market is an emerging one within financial services with potentially more than 39 vendors purporting to have software solutions. The first products appeared on the market to address extensions of compliance initiatives from industry regulations and relied largely on qualitative measures of self-assessment. Basel II has put increased emphasis on the quantification of operational risk as part of an economic capital framework. However, many institutions have yet to forge the link between operational risk and corporate performance. This includes those that are permitted to employ the standard or basic indicator approaches for Basel operational risk capital calculations. In the U.S., the control and compliance focus of Sarbanes-Oxley and the absence of Basel II adoption contribute to a more qualitative approach. Some vendor solutions have been extended beyond qualitative self-assessment tools to incorporate functionality that quantifies operational risk as a financial measurement. To meet the business performance needs as well as regulatory requirements for determining risk capital charges, ORM tools can now be expected to include:
  4. 4.
  • Risk model stress testing
  • External loss database integration
  • Multiformat data management
  • Capital calculation engines
  • Risk policy and controls management
  • Business process rule engines with modeling and mapping tools
  • Auditing and certification
  • Enterprisewide and departmental or line-of-business evaluations

Inclusion and Exclusion Criteria

Offerings included in this Magic Quadrant must be stand-alone software products intended solely for the control of operational risks. (Products that provide some level of ORM as part of a greater generic compliance suite were not considered for analysis, although such products and representative vendors may be mentioned within this research.)

Inclusion Criteria

To be included in this Magic Quadrant evaluation, vendors must:
  • Have offerings that are delivered via a traditional software license or alternatively through a software as a service (SaaS) or an application service provider (ASP) business model.
  • Have at least 15 paying, unique financial institutions as customers using their products for ORM purposes and be able to demonstrate at least one year of live implementations.
  • Be able to demonstrate that financial institution customers make up at least 51% of their overall client base, or can demonstrate that they have generated at least $2.5 million in software license revenue from ORM software applications sold to the financial services industry during the past four rolling quarters.

Products must be able to demonstrate:
  • Enterprise reach (as opposed to just departmental or line-of-business capabilities)
  • Risk management, escalation and alerting functionality for early warnings and loss events
  • Broad spectrum reporting (including, for example, loss events) for senior managers, boards of directors and auditors, as well as bank examiners
  • Capability for business process identification, mapping and evaluation
  • Risk policy definition and controls, including organizational framework
  • Audit and certification
  • Assessment and integration of qualitative and quantitative metrics and management controls
  • Capital calculation functionality, including statistical and scenario analysis, stress testing, and simulation
  • Risk and performance data/indicator monitoring, assessment, and integration
  • Data management functionality that incorporates or allows for the integration of a risk data repository, risk metadata library, performance data repository, risk rule engine, tools to extract, transform and load (ETL) data and multitype loss data collection, storage, and retrieval functions

Exclusion Criteria

Vendors and products that do not sufficiently meet the specifics of the inclusion criteria, and those that are focused on multiple industries that do not have a majority of clients/implementations represented in financial services, were not considered for this Magic Quadrant. Vendors with products that are delivered via a "services-based" or "consulting-lead" offering were not included, although we recognize IT and business services are an important element of risk management solutions.

Magic Quadrant Vendors

From an initial pool of 39 vendors, 15 were selected for the Magic Quadrant based on analyst selection criteria, client feedback, general industry visibility, responses to our operational risk software criteria survey and relevant fit to the market. The survey requested information about company size, distribution channels, financials, unit sales and product features/functionality, alliances, and technical architecture. We advised all vendors that they would be ranked by comparing their products against our criteria and with those of other vendors.

Here are the vendors and products included in our initial financial services ORM software Magic Quadrant:
  • Algorithmics — Algo OpVar 6
  • BWise — v.3.3
  • Chase Cooper — ACCelerate Suite v.3
  • Ci3 — Sword v.8.0
  • eFront — GRC Suite v.3.5
  • FRSGlobal — FinancialAnalytics Suite v.2.12
  • List S.p.A. — OpRisk Evolution v.3.4
  • Mega International — GRC Suite v.3.0
  • OpenPages — ORM v.5.1
  • Optial — Operational Risk Platform v.6.0
  5. 5.
  • Methodware — Enterprise Risk Assessor v.6.2
  • Riskmanagement Concepts Systems (RCS) — OpRisk Suite v.4.1
  • Oracle Financial Services — Reveleus Operational Risk v.4.3
  • RimaOne — Survey One v.2.0
  • SAS Institute — SAS ORM suite, OpRisk Global Data, OpRisk Monitor v.3.4 and OpRisk VaR v.3.2

This Magic Quadrant focuses on those technology vendors that offer ORM software applications for financial institutions. It does not include vendors with only dashboard or reporting applications or tools. Nor does it include consulting companies or professional service providers that do not offer a discrete ORM software application or toolset, although those services may be part of the application provider's overall offerings.

Vendors were excluded from the Magic Quadrant because they did not meet the stated inclusion criterion or because their lack of active participation in the review process precluded the acquisition of suitable data to properly assess their offerings. These vendors were considered but omitted: AcrysConsult, Asparity Decision Solutions (formerly Portiva), Business Objects, Centerprise Services, Cognos, Consul Risk Management, Cura Group, Fernbach-Software, Fermat, Financial Objects, FinArch, Garrulus, Hexaware Technologies, HSBC Operational Risk, IBM, IRIS, Kalypto Risk Technologies, Paisley, Protiviti, Quadrant, Reuters, SAP, StrategicThought and SunGard.

In evaluating this vendor set, FSPs should be aware that not all the vendors deliver capabilities for operational risk across all qualitative and quantitative functionalities. For example, several vendors provide suitable qualitative capabilities and support structures to support Basic or Standard Basel II approaches for operational risk, but lack the calculation engine necessary to support an Advanced Approach.

Added

None. This is the initial Magic Quadrant for Financial Services ORM Software.

Dropped

None.

Evaluation Criteria

Ability to Execute

This axis evaluates ORM software application vendors on the quality and efficiency of the processes, systems, methods or procedures that enable their performance to be competitive, efficient and effective, and to positively affect revenue, retention and reputation. Ultimately, these software application providers are judged on their ability and success in capitalizing on their vision.

Our evaluation of a vendor's ability to execute is based on these criteria:
  • Product — The breadth and availability of the vendor's products that compete in and serve the ORM market
  • Overall Viability — Product quality and consistency, as well as the vendor's financial strength, including the likelihood of the continued investment in ORM software for the financial services industry and advancing the state of the art within the provider's portfolio of products
  • Sales Execution/Pricing — Capabilities of presales structures and management activities, including pricing and negotiation, as well as overall effectiveness of sales channels
  • Market Responsiveness and Track Record — Ability and responsiveness to meet changing market dynamics
  • Market Execution — Market share in the global enterprise market
  • Customer Experience — Ability to provide technical and relationship support and services that drive customer satisfaction
  • Operations — Effectiveness in meeting organizational goals and commitments

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                     Weighting
Product/Service                                                         High
Overall Viability (Business Unit, Financial, Strategy, Organization)    Standard
Sales Execution/Pricing                                                 Standard
Market Responsiveness and Track Record                                  Standard
Marketing Execution                                                     Low
Customer Experience                                                     Standard
Operations                                                              High

Source: Gartner (June 2008)

Completeness of Vision

This axis evaluates ORM application vendors on their ability to convincingly articulate logical statements about
  6. 6. current and future market direction, innovation, customer needs and competitive forces, and how well they map to the Gartner position. Ultimately, these application providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider. Our evaluation of a vendor's completeness of vision is based on these criteria: Market Understanding — Competitive position, market knowledge and mechanisms for customer feedback Marketing Strategy — Ability to provide various professional services Sales Strategy — Ability to work with customers through its sales force and sales tools Offering (Product) Strategy — Strength of R&D, capability in product design and its ability to offer image stability Business Model — Soundness and logic of the underlying business proposition Vertical/Industry Strategy — Ability to provide a vertical-specific product and service Innovation — Ability to have investment resources, expertise or capital for consolidation, defensive or pre-emptive purposes Geographic Strategy — Ability to provide products and services globally Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Weighting Market Understanding Standard Marketing Strategy Standard Sales Strategy Low Offering (Product) Strategy High Business Model Low Vertical/Industry Strategy High Innovation Low Geographic Strategy High Source: Gartner (June 2008) Return to Top Leaders This quadrant tends to be occupied by vendors with software applications that are addressing qualitative as well as quantitative aspects of risk management of ORM. These vendors have achieved a high level of market acceptance and enable a consistent view of operational risk across the organization as compared to separately designed and implemented risk calculation engines or audit, control and compliance reporting tools. Such vendors approach operational risk more comprehensively and holistically across the enterprise and link operational risk to CPM. 
They have robust organizational structures and professional services resources.

Challengers

Challengers typically have demonstrated offerings that meet the qualitative as well as quantitative requirements for managing operational risk and have software that is readily integrable with other applications. They have implemented sales and marketing strategies for expanding market penetration and improving the customer experience through enhanced support and professional services capabilities using their own resources or in partnership with others.

Visionaries

Although visionaries may not necessarily have a comprehensive product offering, they take a strategic approach to service delivery and are moving toward a technology platform that encompasses qualitative as well as quantitative capabilities using their own software applications or through partnerships with others. Innovative product and market approaches or enhanced business models for service delivery that extend the vendor's market penetration or geographical reach may also characterize those in the Visionaries quadrant.

Niche Players

Niche players deliver software offerings to support ORM, but lack the vision or ability to execute across the range of evaluation criteria. These tend to be smaller companies with limited geographical reach or financial resources that depend to varying degrees on partnership relationships for implementation or sales.

Vendor Strengths and Cautions

Algorithmics

Strengths

Acquired by the Fitch Group in 2005, Algorithmics has a strong corporate base and ORM knowledge. Algo OpVar 6 is a multimodule ORM offering across self-assessment, key risk indicators (KRIs), capital modeling scenario analysis and loss data collection. Modules operate on a single integrated data architecture with a calculation engine, data management specific to operational risk, reporting and dashboard functions, and two external operational-loss databases. Algo OpVar6 SE is designed specifically for Tier 2 and Tier 3 institutions seeking to reduce software cost and resource requirements. Nineteen offices worldwide with strong professional services capability with global reach. Strong client base.

Cautions

Flexibility constraints generally require customization of workflow, data fields, and reporting to accommodate internal risk controls requirements and regulatory compliance. This does not apply to clients that select the Standard Edition solution. Qualitative self-assessment and action planning results can be used in the scenario analysis module; however, there is no direct technological link to the capital calculation engine. No prepopulated libraries of business rules or regulations, and no specific capability to update based on regulatory changes. Limited out-of-the-box capabilities for mapping risk and control elements to specific regulatory compliance and reporting requirements.

BWise

Strengths

BWise v.3.3 has solid capability in qualitative self-assessment, internal control, KRIs, process modeling, and optimization for operational risk and regulatory compliance. It provides a configurable loss incident database with many prestructured elements as well as templates for Basel II, MiFID and other generic frameworks such as COSO and CobiT. BWise has an OEM relationship with and sources dashboard functions from Business Objects.

Cautions

It has offices globally; however, 80% of its installed base is in Europe, the Middle East and Africa (EMEA). BWise is a horizontal industry solution not specific to financial services and with no specific industry regulatory features, although the company has a dedicated financial services sales force. Beyond loss and scenario analysis using value-at-risk (VaR) calculations and a Monte Carlo simulation, the software uses qualitative self-assessment for risk management, governance and compliance. BWise supports the standard or basic Basel II approaches to operational risk; however, the absence of an engine to calculate and allocate risk capital leaves it unable to meet the requirements of an advanced approach. There's no external operational loss database; import capabilities are provided to other external sources. Its approach to CPM is qualitatively based. KRI templates are provided, but not predefined.

Chase Cooper

Strengths

Chase Cooper aCCelerate Suite v3 provides functions across risk control self-assessment, KRIs and loss event, as well as a multilevel hierarchy framework to support various risk management structures. Control failure, self-assessment, and a calculation engine are linked to determine and allocate regulatory and economic capital. The ultimate objective is for aCCelerate to be an institution's risk and compliance hub. It has the ability to scale from large to midtier institutions and includes professional services for procedures and methodology as well as prestructured modeling tools that don't require users to have mathematical expertise. Its modeling handles quantitative as well as qualitative process-based scenarios. It has flexible process and organizational mapping. It partners with Business Objects for its dashboard. It delivers standard as well as Crystal reports. It has its own external loss database.

Cautions

It is privately held, although it is self-sustaining through operations.
About two-thirds of the installed base is in Europe with the balance in the Middle East and South America. Its geographic reach is limited by distribution partners that are not particularly deep or broad in their operational risk capabilities or subject matter expertise. Rules and regulations are not provided in a prepopulated framework. Orientation is balanced between software sales and consulting services.

Ci3

Strengths

Ci3 Sword v8 provides risk control self-assessment, loss event capture, KRIs and an issues/actions component for problem tracking and resolution. The framework is preconfigured for Basel II and can be employed from a standard to an advanced approach. Capital calculations are delivered through custom-made consulting-derived solutions or sourced from SunGard's BancWare toolkit (see Note 1). A nonexclusive reseller arrangement with SunGard has given it a global (except Africa) presence and mitigates the need for additional capital for sales and marketing. Ci3 also leverages the SunGard relationship for professional services support, and SunGard private-labels Sword as SunGard BancWare Operational Risk.

Cautions

Ci3 is a relatively small company that is 100% privately owned. It is self-funding (including R&D) from operations, which determines the extent of growth opportunities. The solution presents a challenge in the flexibility of workflow and for customers to configure, present and report data to their specific requirements. Version 8 may create more reporting flexibility. Its capital calculators are sourced from third-party providers. Ci3 IT support capabilities are limited.

eFront

Strengths

eFront is funded through venture capital and a public offering. eFront GRC Suite 3.5 is designed specifically for the financial services market with data structures that are specific to Basel II and Solvency II. The product includes five modules with common shared components and a data model that can be purchased separately: ORM, Internal Control, Audit, Business Continuity Planning and Legal Management. They cover risk data collection, process mapping, self-assessment, KRIs, action plans, a BPM graphical interface, and VaR and capital calculation capabilities. It has its own dashboard technology with standard as well as custom templates.
eFront offers a license or hosted (ASP) model based on native, full Web architecture. eFront focuses exclusively on financial services.

Cautions

eFront is a small company that entered the market in 2003 with an installed base heavily weighted to Europe, and the French market in particular, with some clients in Africa. Its ability to serve a more global market is still in question. Its batch-oriented uploads of data — statistical models — require users to customize data and develop their own scripts. There is no external loss database. Its ORM focus is limited to Basel II and Solvency II. The company had an initial public offering in 2006, but organic growth has been limited by internal cash flow resources. It is studying acquisition opportunities to support penetration of the North American and Asian markets.

FRSGlobal

Strengths

FRS Risk Resolve is a qualitative ORM product that supports traditional risk control self-assessment, audit, role-based workflow, and loss-event and near-miss collection and management. It has the flexibility to support multiple customer-determined configuration structures out of the box, including loss data structures specific to Basel II requirements. It has strong regulatory reporting capabilities specific to a variety of national regulations, as well as Pillar II of Basel II. It also delivers its reporting functions in partnership with Algorithmics, Reveleus and SAP.

Cautions

It has been owned by the Carlyle Group and Kennet Partners investment firms since its 2006 spinoff from S1. Its installed base is almost exclusively in North America, and there was some shrinkage in its sales activity/installed base after the Providus acquisition. The product relaunched in 3Q07. It depends on OEM relationships, such as with Business Objects, for ETL tools, dashboard capabilities and scenario analysis.
It is basically a pure-play risk qualitative self-assessment tool that supports the Basic or Standard Basel II approaches and other frameworks such as COSO and ISO 5229. It currently lacks a quantitative analytics engine, Monte Carlo simulation or a capital calculation engine.
Its loss data capture is not specific to Basel II. Customer support is primarily through its Web site and by phone. There is some use of account managers and extended support agreements.

List S.p.A.

Strengths

A privately held Italian company, List's OpRisk Evolution v.3.4 includes six modules that use a common platform and data structure that can support standard/basic to advanced measurement approaches to ORM. All software elements are included and enabled at purchase, and individual components are then switched on as needed/when licensed. It includes risk framework, mapping, risk/control self-assessment, loss data collection and KRI capabilities. It has a calculation engine for risk capital as well as scenario analysis, quantitative analytics and Bayesian integration. It provides the platform for the Italian Operational Risk Data Consortium (DIPO) sponsored by Italian banking institutions and Bank of Italy. There are offices in the U.S., Asia and Europe, and the company has an OEM arrangement with Fermat for sales of this product. It provides support in all regions on a 24/7 basis.

Cautions

It is a relatively small company that began to expand internationally in 2005. Its installed base is still heavily based in Italy, and the brand is still evolving. It does not provide risk methodologies. It depends on relationships with system integrators for professional services.

Mega International

Strengths

Mega International, a closely held 1991 spinoff from Capgemini, is based in Paris and launched the Mega GRC Suite 3.0 in 2007. The underlying ORM software was purchased from List S.p.A. in 2006, and additional software from Control Metrics for internal audit and control was purchased and integrated in 2007. There is no corporate connection with List S.p.A., which is a separate and independent company. It supports standard/basic to advanced measurement approaches to ORM.
All software elements are included and enabled when purchased, and individual components are then switched on as needed when licensed. It includes a risk framework with a Basel II events library (as well as Sarbanes-Oxley and other libraries planned in the product road map), mapping, risk/control self-assessment, loss data collection and KRI capabilities. It has a calculation engine for risk capital as well as scenario analysis, quantitative analytics and Bayesian integration. It has strong professional services and consulting support. A SaaS licensing model is planned for 2009.

Cautions

Mega's sales and business model is a mix of software sales and professional services delivery. Its installed base is heavily weighted to Europe but has subsidiaries in various countries and is reorienting its global partner arrangements from an audit and consulting services focus. Its main market perception is still that of a compliance/qualitative self-assessment product. With a staff size of 250 people, Mega is relatively large compared to its competitors but still transitioning from a business process analysis focus to ORM.

Methodware

Strengths

With 15 years of market history, Methodware has a large installed client base for its Enterprise Risk Assessor v.6.2 product, with more than half its clients banks, especially in Tier 2 and Tier 3. Its strength is its audit, compliance and internal risk self-assessment methodology, and it also captures KRI and loss data information. It has global penetration through a large network of distributors with good domain knowledge. Its risk-based compliance frameworks are available for Basel II clauses and provisions (which can be prepopulated for an additional fee), MiFID TCF and Solvency II. It offers a 90-day money-back warranty. It has an enterprise sales approach. It has a strong client base for compliance/audit functionality.

Cautions

Methodware is a small, privately held company that was purchased in 2007 by Jade Software, a custom designer of information systems. Methodware continues to operate independently. Integration of the two companies is a work in progress. Its Basel II capabilities are limited to the support of the standard and basic approaches, and it would be a stretch to use Methodware for an advanced measurement approach to operational risk. It does not have a calculation engine or simulation tools, but through a partnership with Palisades Software (@Risk Monte Carlo product), a U.S. company, these elements can be integrated. Scenario analysis is not available through Palisades or Methodware. It has dashboarding, but currently no facility for third-party reporting tools. Its consulting services are provided through a partner network.

OpenPages

Strengths

Established in 1996, OpenPages ORM v.5.1 has an installed base about evenly split among North America and EMEA. It provides process and risk-mapping specific to banks with out-of-the-box Basel II definitional hierarchies. It supports workflow automation, including event tracing, risk control self-assessment, loss data collection database and KRI. It correlates risk events with risk control self-assessment, scenario analysis and KRIs. It has metadata-driven configurability with dashboard and heat mapping.

Cautions

Its customers are primarily Tier 1 or other institutions with the desire to self-configure an operational risk framework, database, organizational structure and workflow. However, preconfigured out-of-the-box versions are available. It does not include Monte Carlo, VaR or capital calculation engine elements necessary to execute a Basel II Advanced Measurement Approach. It provides data input for CPM without statistical analysis. Key performance indicators (KPIs) and KRIs are customer-defined. Its external loss data is provided by a link to ORX or other third-party sources.

Optial

Strengths

Optial Operational Risk Platform v6.0 is a suite of modular components for qualitative self-assessment, workflow, process mapping, loss data collection and KRIs, including a standard list of KRI values. It includes links, controls, risks, audit findings and losses, and it employs a business rule engine. Optial has a particular focus on data quality and modeling. Its Smart-Start version is preconfigured for smaller institutions and is configurable and scalable for large institutions across thousands of users/profit centers.

Cautions

Basel II event types for business lines are preloaded; however, users require configuration to address specific regulatory needs. Based in the U.K., it is a small, privately held firm. While self-funding, its current resources are an inhibitor to expanding its global footprint. Current sales are limited to Europe, and its partner program is still evolving. Its solution does not address quantitative aspects of operational risk and lacks modeling and capital calculation capabilities. There is no external operational loss database. It has consulting partnerships with niche providers.

Oracle Financial Services

Strengths

Oracle now owns 83% of i-flex (Reveleus), which increases Reveleus's viability, resources and global reach. Version 4.3 is targeted at Tier 1 banks. It provides a full-range operational risk framework across assessment, process mapping, workflow management, KRIs and loss event capture, including data management and ETL tools for quantitative operational risk and compliance management. It supports the Advanced approach for Basel II with capital calculation engine, scenario and sensitivity analysis. It has an extensive library of bank processes and documents that can be attached electronically to the self-assessment process.
Through integration of its Mantas product, Reveleus can also provide surveillance and behavior detection related to AML, know-your-customer, fraud and trading compliance.
It has strong professional services capabilities. It offers an insurance policy library, insurance claims management and linkages with risks. It uses the Oracle engine for information flows based on Business Process Execution Language (BPEL) standards.

Cautions

It classifies all regulatory clauses and procedures; however, it does not provide templates — these are sold via consulting. The sophistication and cost of this solution may limit its attractiveness to smaller Tier 2 and Tier 3 institutions, particularly if they are not taking a qualitative approach to operational risk. Its integration with and ability to leverage Oracle sales and professional services staff are still evolving and unclear.

Riskmanagement Concepts Systems

Strengths

OpRisk Suite v4.1 by Riskmanagement Concepts Systems (RCS), a privately held Swiss company, is a modular application targeted at the midsize banking market. It supports operational risk and Basel II requirements from the standard/basic through the advanced approaches. Its platform uses a single-data model for loss data collection, risk self-assessment, mapping losses and controls, as well as workflow and KRI management. Performance metrics may be incorporated and linked to the calculation engine for statistical and scenario analysis and capital calculations. Dashboarding and reporting capabilities are included.

Cautions

Its customers are highly concentrated in Europe, and it has yet to attain broader market recognition through its partnerships with IRIS, COMIT and other distributors. Its generic risk framework is not delivered with preconfigured settings; however, it can be configured to support various structures and regulatory requirements. Its small, thinly staffed organization depends heavily on partners for sales, distribution, professional services and customer support.

RimaOne

Strengths

It is suitable for Basel II, BaFin (Bundesbank and German Financial Supervisory Authority) and other regulatory requirements. It provides process, workflow, framework, internal control and KRI tools from RimaOne, and a capital calculation engine through a 2003 merger with Quetzal.

Cautions

A privately held company, RimaOne is a generic, user-configured, build-to-order toolkit that is not particularly unique to financial services or ORM. Its primary focus is governance, with delivery of standard risk indicators, controls and several modules to support loss data capture. It does not develop methodologies for customers, has no road map for doing so, and provides no regulation-specific content. Reporting is customer-driven and, beyond some standard regulatory reports, is created through Crystal or other third-party reporting tools. The company lacks a global sales and distribution strategy, selling directly to the U.S. and through a regional partner in Europe. RimaOne and Quetzal remain separate legal entities and segment sales by country. Existing customers are primarily in Germany and France.

SAS Institute

Strengths

SAS Institute (SAS) is a privately held U.S. company with a substantial quantitative and qualitative ORM application suite as well as its own external loss database that is well represented in institutions globally. SAS approaches operational risk and compliance collectively, and delivers a modular solution for risk assessment, loss data, KRI collection and management, as well as workflow control and action planning with its SAS ORM suite, OpRisk Global Data, OpRisk Monitor v3.4 and OpRisk VaR v3.2. Documents can be electronically attached to support these processes. Data cleaning and transformation capabilities to ensure data quality are included as part of the SAS ORM solution.
Quantitative requirements are supported with a capital calculation engine, as well as scenario and sensitivity analysis with a view to improving corporate performance and facilitating advanced compliance reporting. Although it has a substantial professional services staff, the company focuses on delivering an integrated solution that minimizes the need for professional services. Its strategy focuses on selling an enterprise-level solution. It has a substantial loss database with accompanying scenarios. It has architectural integration with other risk/compliance components. It has strong geographic presence, although Europe and Asia penetration dominates. It includes strong dashboarding and reporting.

Cautions

SAS sells to small institutions; however, it focuses primarily on large-end institutions. Institutions with basic operational risk and compliance requirements, and a limited budget, may find the SAS offering exceeding their requirements and resources. The comparatively high cost of the SAS offering should be viewed in the context of the total cost of ownership, and the breadth of the functional and data management capabilities that it provides. It does not supply a library of controls; it uses a generic framework.

The Magic Quadrant is copyrighted 6 June 2008 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.