Magic Quadrant for Operational Risk Management Software for Financial Services
 
28 August 2009

Douglas McKibben, David Furlonger

Gartner Industry Research Note G00170009
 

The use of ORM software by financial services firms still requires capabilities beyond generic audit, control and compliance applications. In addition to qualitative self-assessment capabilities, leading institutions are seeking solutions that support quantitative, performance-based models.





What You Need to Know



This 2009 version of the Magic Quadrant for Operational Risk Management Software for Financial Services (see Figure 1) focuses on those technology vendors that offer operational risk management (ORM) software applications for financial institutions. It does not include vendors with only dashboard or reporting applications or tools. Nor does it include consulting companies or professional service providers that do not offer a discrete ORM software application or toolset, although those services may be part of the application provider's overall offerings.

There are three primary reasons that financial institutions buy ORM software:

  • To handle the complexity of risks across functions and roles
  • To acquire a risk management framework or methodology
  • To quantify in terms of capital adequacy the extent of incurred operational risk for regulatory purposes

In evaluating this vendor set, financial services providers (FSPs) should be aware that not all the vendors deliver capabilities for operational risk across all qualitative and quantitative functionalities. For example, several vendors provide suitable qualitative capabilities and support structures to support Basic or Standard Basel II approaches for operational risk, but lack the calculation engines necessary to support an Advanced Approach. Others may provide ORM calculation capabilities but lack an organizational risk framework, and risk policy and control capabilities.

This year's Magic Quadrant research has again highlighted that many FSPs continue to view ORM as a back-office or compliance issue, only related to managing controls and encompassing IT risks that are the purview of internal auditors. However, operational risk extends beyond mere IT activities and pure policy compliance. It also includes managing the business consequences of inappropriate risk taking, deficient management practices, and strategic risk and capital management. It is part of all business activities and is a direct contributor to many situations that result in credit and market risk losses, as well as enterprise operational performance.

Key things that FSPs need to know are:

  • The vendor market continues to be fragmented between those vendors offering a purely qualitative self-assessment approach to ORM, those with a more blended approach with some quantitative calculation capability, and those mainly quantitative-oriented vendors that are building out qualitative capabilities.
  • Vendors are starting to recognize the importance of the synergy between the ORM and governance, risk and compliance (GRC) market segments, and are beginning to merge or enhance functionality to include aspects of both markets.
  • Vendor capabilities outside Europe and North America, from a direct service and support perspective, are patchy.
  • The market for ORM applications is smaller than much marketing material would have you believe in terms of viable offerings able to robustly support a significant aspect of a bank's enterprise risk management (ERM) strategy.
  • Several ORM vendors lack sufficient clients and/or market presence, and significant market consolidation is likely through 2010.
  • Vendors will need to rethink pricing models and offering scope if they are to substantially capture Tier 3 and Tier 4 bank business.





Magic Quadrant



Figure 1. Magic Quadrant for Operational Risk Management Software for Financial Services


Source: Gartner (August 2009)
 



Market Overview

The Convergence of GRC and Operational Risk

The 2008 "Magic Quadrant for Operational Risk Management Software for Financial Services" highlighted two broad categories of systems:

  1. Those based largely on compliance-oriented process control
  2. Those based on mathematical formulas that calculate the risk attributes of historical data streams

The outputs from compliance-oriented applications are qualitative in nature and concentrate on control effectiveness and have a relatively low technical dependency. From the other perspective, the calculator-oriented solutions rely heavily on the efficacy and quantity of available historical data, regardless of process or, perhaps, business context.

However, our 2009 analysis reveals that there are signs of a changing approach (albeit embryonic) to ORM in the financial industry. Some of this is driven by vendor application and market understanding maturity, and some of it by institutions themselves as they face potential regulator censure. Of particular importance is the convergence of the more-IT and audit-related concepts of GRC, and managing broader business operations risk within FSPs. This convergence is seen in the changing nature of ORM tools supplied by vendors and how they are being deployed by end users. Evidence of this has been gleaned from customer reference checks, client inquiry and secondary research.

Regulatory pressures and risk management immaturity have compelled institutions to initially formalize risk management structures around compliance. Based on client inquiries, interviews with vendor references and secondary research, Gartner finds that in 2009 more-evolved institutions are now developing more-integrated strategies that leverage and extend compliance-based capabilities to also include risk event capture and process management. As a starting point, some institutions are now moving away from viewing GRC only as a bottom-up exercise to document and audit an adherence to individual internal and external mandates. Instead, they are shifting their risk management philosophies to include a broader context for managing control objectives with the highest risk exposures. Such combined capabilities are becoming increasingly available from ORM software vendor offerings targeted at the banking industry.

The Intersection of Qualitative and Quantitative ORM

In our 2009 research, we have found a greater incidence of firms using qualitative self-assessment approaches to operational risk, including Tier 2 and Tier 3 banks. Permitted to employ the Basic Indicator or Standardized approaches for operational risk under Basel II, smaller firms have emphasized the implementation of compliance and control technologies. This is often described to us as the "doing just enough" approach, and is largely the result of the perception of risk management as an increasing cost burden on firms, as opposed to a potential performance illuminator. Gartner views this as both a dangerous approach and a missed opportunity. For the 2009 Magic Quadrant, it is apparent that firms taking a purely qualitative approach do not see enterprise data management as a point of emphasis in selecting software.

Also for 2009, as it was in 2008, there is little evidence to indicate broader adoption of quantitative tools to manage operational risk exposures in the near term. Issues of data quality and integrity are a particular challenge to validating operational risk measures across compatible institutions and for capital allocation or risk-based performance measurement. Competing initiatives to capture and analyze external loss data do not necessarily help, and can contribute to additional challenges in vendor/software selection.

Functional Expansion and Vendor Consolidation

In 2008, large, global ORM software vendors, and particularly those that held leading positions in the quantitative areas of ORM (for example, calculations and analytics-related economic and regulatory capital), captured the competitive high ground within the global Tier 1 bank market. These vendors typically have maintained long-lived relationships with large banks across a variety of areas (including credit and market risk management, fraud, and so on), and were first to market with sophisticated risk data management structures and analytics for operational risk.

The 2008 decisions for ORM software purchased by Tier 1 institutions were primarily focused on the data and analytics related to economic and risk capital calculations, scenario analysis, and stress testing. For 2009, in some of these institutions, risk data is still collected in multiple data marts sourced — from different business areas — using different applications, data formats and methodologies. However, the 2009 research reveals such institutions, in an effort to create a "single version of the truth," are also consolidating and extending operational risk processes and structures to create a single, consistent flow of data (ranging from their information management infrastructures to performance management applications) to better manage service execution and decision making. This has increased the demand among these institutions for an institutionwide ORM framework that is easily configurable to accommodate current and future organizational structures, and ties together risk self-assessment, audit, and controls with risk indicator and incident information, as well as associated calculations and compliance.

Our 2009 research highlights that, while some vendors that evolved from a quantitative legacy also have developed greater qualitative ORM capabilities, most of these vendors have had limited success with leveraging their incumbent status to extend their qualitative offerings more broadly and deeply into existing relationships. They are facing increased competition from vendors that focus on GRC and qualitative aspects of ORM to create a common ORM framework for the institution. In 2009, clients have expressed the general perception that these "qualitative" vendors offer more-flexible and configurable ORM applications, and that previous leaders are not as adept at promoting, packaging and cross-selling their qualitative capabilities.

In 2009, the convergence among end users of traditional GRC with an enterprise approach to ORM has also led to broader adoption of ORM software by smaller banks seeking a framework and methodology to deal with the complexity of managing risk activities. This market segment is typically dominated by niche ORM software providers with various combinations of qualitative and quantitative capabilities and frequently with only a regional or national footprint. Their appeal centers on software packaging that is structured and priced to the immediate needs of their target markets. In 2009, most of the large, global purveyors of ORM software applications are now also attempting to pursue this smaller bank segment, particularly in light of the imminent saturation of the Tier 1 market; however, their approaches to packaging and pricing their offerings for smaller institutions have resulted in a perception of inflexibility on the part of the vendors and that their applications offer more than is required at a price that is higher than buyers wish to pay. Being a regional provider actually can, therefore, provide a competitive advantage to these smaller vendors when dealing with national and regional banks of any size.

In our 2009 research, it remains true that vendors coming from an industry-neutral compliance/GRC background will find it difficult to extend their solutions to meet the quantitative requirements of the financial services market, because they lack the sophisticated knowledge required to address complex capital calculations within the context of the industry. They also do not have the functionality to support a move by customers to measure operational risk as part of performance-based decision making. Consequently, Gartner anticipates continued market consolidation during the next two years.

Gartner believes that end-user clients should view risk management technology with the same degree of mission criticality and substance as other significant enterprise platforms, core banking, ERP, payments, and so on. Therefore, Gartner believes:

  • End users need to evaluate their purchasing decisions based on the viability, commitment (to risk management and financial services) and deep product capability as it relates to a bank's ERM strategy.
  • Making risk management technology choices based on an amalgamation of point solutions to address individual functional requirements is less than desirable over the long term.
  • Banks that minimize the number of point solutions and decrease process duplication and process integration complexity across the enterprise will improve ORM effectiveness.

Financial institutions that lack applications or functionality to perform quantitative risk measurements may well be required by their domestic regulators to develop or acquire the same by year-end 2010. This means that clients should review the cost and efficacy of maintaining existing qualitative self-assessment-only applications with those that also provide broader quantitative tools and capital calculation engines. Reuse of business logic and data components is evolving as a means to reduce redundancy and integration costs, although none of the vendors in the 2009 Magic Quadrant offers a componentized solution that can inhibit integration efficiency and flexibility. Regardless of whether one or more vendors are included as part of a bank's risk management architecture, it is clear that every firm will need to invest in interface management, integration and configuration to build more-robust risk management platforms.

As mentioned, vendor consolidation is likely to continue through 2010. Those vendors with limited geographical presence lack the organic capabilities to expand and will need to merge, especially if legislative consensus is achieved at the global level. Mergers are also anticipated through 2010 across the various risk/compliance domains, particularly to fill functional gaps. Many vendors will also need to improve their relationships with professional services firms to cope with increasing customer demands for configurability.

Our 2009 research also highlights that Asia and Latin America are two regions where ORM software adoption and vendor market penetration are currently very limited. Banks in those regions will likely need to seek solutions from North America and Europe since operational risk in Asia lags practices there. FSPs in Asia and Latin America also will need to recognize that many vendors will have significant difficulty supporting these regions, which will increase total cost of ownership.

Data Management, Risk Methodology and Vendor Claims

The lack of definition and consensus regarding risk/data models and methodologies, as well as the difficulty of devising a precise economic expression of operational risk, is a challenge for all concerned — the technology vendors, chief risk officers and CIOs, and bank supervisors. Model design is critical to the overall risk and IT architectural strategy in terms of workflow, data collection, quality control, normalization and mapping, speed of that information flow, and attendant analysis, as well as the treatment of risks. Vendors and FSPs will require sufficiently flexible architectures that can maintain alignment with evolving industry consensus.

Our 2009 research highlights patchy coalescence regarding a model definition and an evolving vendor landscape. Consequently, there is greater model variability in terms of assumptions about the data elements and the completeness of the data. This means that institutions must rely heavily on an internal risk management core competence, which, while growing, is certainly not holistically present across most institutions or external consulting support, which may not be immediately present in terms of depth of domain expertise in every country. End users that lack access to this support should plan to factor in as much as 100% of the license fee to fund vendor-supplied professional services and business consulting. However, the cost for professional services will be significantly higher if "Big Four" companies or even some second tier professionals are required to provide more in-depth consulting.

Our 2009 research also reveals a continuation of philosophical differences within and among FSPs regarding overall approaches to risk management methodologies. While there may be an innate, operational desire on the part of corporate risk officers (CROs) to normalize their approaches to risk support across their enterprises, most Gartner clients continue to operate credit/market risk functions separately from operational risk functions, and continue to buy technology to support point-specific requirements. This is made worse when competing business units within the same firm choose different risk management vendors for the same task. For example, Gartner still finds various vendors claiming the same global Tier 1 or Tier 2 institution as a Basel II or ORM customer, but this usually is the result of different divisions of a global institution (for example, retail bank or investment bank) choosing a vendor thought to meet the specific requirements of a particular business segment in a specific location. Vendors also continue to inflate their claims of installed clients by counting multiple divisions within the same institution as separate clients. We have yet to find a vendor, regardless of its claims, that is being used as the sole risk management vendor by an enterprise. In addition, we have yet to find an example of a vendor that is being used to cover every aspect of enterprise risk, in isolation of other solutions.

Conclusions

  • Financial institutions should not be distracted by regulatory complexity or volatility. They will benefit from a holistic approach to risk and performance management that is founded in the concept that good governance is a competitive differentiator.
  • Of immediate importance is the need to mature data capabilities to improve the completeness, timeliness and quality of information for risk and performance management decisions.
  • Risk management strategies should have an ultimate goal of improving corporate performance.
  • Technology decisions should be made against an architectural blueprint that supports that goal, including realistic stress-testing capabilities and scenario-analysis frameworks.
  • There are no shortcuts. Pursuing multiple risk management initiatives, without working out interdependencies and conflicts, will complicate and delay implementation, as well as escalate costs and potential losses.
  • While some FSPs have found vendors capable of addressing flexible and integrated architectures required to address Basel II and that also talk about service orientation, organizations must not be lured into vendor offerings:
    • That lack fundamental, pre-existing capabilities for structuring and managing data flows and risk processes
    • That have not achieved a level of market acceptance and scale in live installations
    • Whose risk management services have not received sufficient treatment to be widely developed or deployed
  • Financial institutions must avoid building (independently or under vendor influence) a heavily customized solution that cannot be readily assimilated into their broader IT architectures. It is clear that configurability will be required in most institutions. However, clients must balance the needs of configuration with the total cost of ownership for their risk platforms and the downstream and upstream impacts such configuration may have on interdependent systems such as accounting and reporting.
  • While less-established vendors will happily use financial institution suggestions to enhance and extend code to improve their products' viability, financial institutions must still pay close attention to the long-term viability of many of the vendors offering ORM solutions. Functional breadth alone will not necessarily guarantee long-term market presence. Moreover, many of the larger, seemingly viable, vendors can lack sufficient stand-alone functional capabilities. These vendors continue to seek to entrench themselves in an institution as the "vendor of choice," but they often also encourage custom code generation as a tactic to inhibit any future vendor replacement due to the mission criticality of this type of application.
  • Clients should immediately focus on these core activities with respect to anticipated regulatory change:
    • Set aside resources to monitor closely the announcements and proposals that are made by relevant national regulators; be prepared to contribute to discussion documents.
    • Review existing data management strategies to ensure consistent, timely, granular data for enterprise risk decisioning, and ensure that architectural paradigms include capabilities to link to multiple external loss databases.
    • Review current policies for data sharing at an industry level in terms of encryption, data format, intellectual property management, privacy, etc., to ensure the security and usability of the risk information aligns with relevant corporate strategy and compliance directives.



Market Definition/Description

Nearly 40 vendors purported to have ORM software solutions during 2009. The first products appeared on the market then to address extensions of compliance initiatives from industry regulations, largely relying on qualitative measures of self-assessment. The expectation is that competition among vendors for ORM will continue to increase as the GRC and ORM markets and their application sets continue to converge. Basel II has put increased emphasis on the quantification of operational risk as part of an economic capital framework. However, most institutions have yet to forge the link between operational risk and corporate performance, and lack a structured approach to the data and process management necessary to advance to that level in the near future. This includes those FSPs that are permitted to employ the standard or basic indicator approaches for Basel operational risk capital calculations. In the U.S., the control and compliance focus of Sarbanes-Oxley, and the absence of mandatory Basel II adoption, have contributed to a more qualitative approach. Some vendor solutions have been extended beyond qualitative self-assessment tools to incorporate functionality that quantifies operational risk as a financial measurement. To meet the business performance needs, as well as regulatory requirements for determining risk capital charges, ORM tools can now be expected to include:

  • Risk model stress testing and scenario analysis
  • External loss database integration
  • Multiformat data management, including risk data integration, a risk rule engine, and tools to extract, transform and load (ETL) data
  • Capital calculation engines
  • Risk policy and controls management
  • Business process rule engines with modeling and mapping tools
  • Auditing and certification
  • Enterprisewide and departmental or line-of-business evaluations



Inclusion and Exclusion Criteria

Offerings included in the 2009 edition of the ORM Magic Quadrant must be stand-alone software products intended solely for the control of operational risks. (Products that provide some level of ORM as part of a greater generic compliance suite were not considered for analysis, although such products and representative vendors may be mentioned within this research.)

The following inclusion and exclusion criteria were initially sent to vendors identified as possible candidates for the 2009 ORM Magic Quadrant. Some of the vendors included in this Magic Quadrant demonstrated sufficient capabilities to warrant inclusion, even though some specific elements of their offerings or organizations did not meet the letter of the inclusion criteria. In many cases, this was due to organizational size and track records.

Inclusion Criteria

We told vendors that offerings included in this Magic Quadrant must be stand-alone software products intended solely for the management of operational risks. (Products that provide less than 50% of the functionality required by the inclusion criteria would not be considered for analysis, although such products and representative vendors may be mentioned within the Magic Quadrant research.) Included products would be:

  • Offerings that are delivered via a traditional software license and/or application service provider (ASP) or software as a service (SaaS) business models.
  • From vendors that have at least 15 paying, individually identifiable FSPs as customers using their products for ORM purposes. They must be able to demonstrate at least two years of live implementations. (Note: FSPs with global offices will be considered as one client, regardless of the number of implementations within that institution.)
  • From vendors that demonstrate FSP customers make up at least 51% of their overall client base.
  • From vendors that can demonstrate at least five new client purchases in 2008.
  • From vendors that can demonstrate at least $10 million attributed to ORM software license revenue.
  • The products should demonstrate:
    • Enterprise reach (as opposed to only departmental or line-of-business capabilities)
    • Complete capital calculation functionality including statistical and scenario analysis, stress testing and simulation
    • Risk and performance data/indicator monitoring, assessment and integration
    • Risk management, escalation and alerting functionality for early warnings and loss events
    • Broad spectrum reporting (including, for example, loss events) for senior managers, boards of directors and auditors, as well as bank examiners
    • Assessment and integration of qualitative and quantitative metrics, as well as management controls
    • Business process identification, mapping and evaluation
    • Risk policy definition and controls, including organizational framework
    • Audit and certification
    • Data management functionality that incorporates or allows for the integration of a risk data repository, risk metadata library, performance data repository, risk rule engine, ETL, and multitype loss data collection, storage and retrieval

Exclusion Criteria

Vendors and products that do not sufficiently meet the specifics of the inclusion criteria, and those focused on multiple industries without a majority of clients/implementations represented in financial services will not be included in this Magic Quadrant.

Vendors with products that are delivered via a "services-based" or "consulting-led" offering will not be included, although we recognize IT and business services are an important element of risk management solutions. We encourage software vendors to notate their competencies in these areas where requested in the survey.

Products that support one or more of the described functional categories, but are not being used to satisfy ORM requirements or in line with the requirements defined by the Basel II framework, will not qualify for this Magic Quadrant.

Magic Quadrant Vendors

From an initial pool of close to 40 vendors, 18 were selected for the 2009 ORM Magic Quadrant based on analyst selection criteria, client feedback, general industry visibility, responses to our operational risk software criteria survey and relevant fit to the market. The survey requested information about company size, distribution channels, financials, unit sales, product features/functionality, alliances and technical architecture. All vendors included in the Magic Quadrant also conducted a demonstration of their offerings as part of the evaluation process.

We advised all vendors that they would be ranked by comparing their products against our criteria and with those of other vendors. Here are the vendors and products included in the 2009 financial services ORM software Magic Quadrant:

  • Algorithmics — Algo OpVar v.6.3
  • Avanon (formerly Riskmanagement Concepts Systems) — OpRisk Suite v.4.2
  • BWise — v.4.0
  • CCH Sword (formerly Ci3) — Sword v.8
  • Centerprise Services — GRC Suite v.4.3
  • Chase Cooper — ACCelerate Suite v.3
  • eFront — GRC Suite v.3.8
  • Financial Architects (FinArch) — Financial Studio
  • interexa — Operational Risk Center v3.1
  • List S.p.A. — OpRisk Evolution v.4.1
  • Mega International — GRC Suite v.3.1
  • Methodware — Enterprise Risk Assessor v.7.0
  • OpenPages — ORM v.5.5
  • Optial — Operational Risk Platform v.7.0
  • Oracle Financial Services — Reveleus Operational Risk v.4.5
  • Quadrant Risk Management — B2 v.3, SAB2 v.3.2
  • RimaOne — Survey One v.4.3
  • SAS Institute — SAS ORM suite v.4.1, OpRisk Global Data, OpRisk Monitor v.4.1 and OpRisk VaR v.4.1

Gartner has included a descriptive classification for the purposes of this Magic Quadrant based on a vendor's full-time equivalents (FTEs):

  • Very Small equates to fewer than 10
  • Small equates to fewer than 40
  • Medium equates to fewer than 200
  • Large equates to greater than 200



Added

Centerprise Services, FinArch, interexa and Quadrant Risk Management.




Dropped

FRSGlobal. The company no longer sells its own ORM software application and partners with Avanon (formerly Riskmanagement Concepts Systems) for those applications.




Evaluation Criteria

Ability to Execute

This axis evaluates ORM software application vendors on the quality and efficiency of the processes, systems, methods or procedures that enable their performance to be competitive, efficient and effective, and to positively affect revenue, retention and reputation. Ultimately, these software application providers are judged on their ability and success in capitalizing on their vision. Our evaluation of a vendor's ability to execute (see Table 1) is based on these criteria:

  • Product — The breadth and availability of the vendor's products that compete in and serve the ORM market
  • Overall Viability — Product quality and consistency, as well as the vendor's financial strength, including the likelihood of the continued investment in ORM software for the financial services industry and advancing the state of the art within the provider's portfolio of products
  • Sales Execution/Pricing — Capabilities of presales structures and management activities, including pricing and negotiation, as well as overall effectiveness of sales channels
  • Market Responsiveness and Track Record — Ability and responsiveness to meet changing market dynamics
  • Market Execution — Market share in the global enterprise market
  • Customer Experience — Ability to provide technical and relationship support and services that drive customer satisfaction
  • Operations — Effectiveness in meeting organizational goals and commitments

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                   Weighting
Product/Service                                                       High
Overall Viability (Business Unit, Financial, Strategy, Organization)  High
Sales Execution/Pricing                                               Standard
Market Responsiveness and Track Record                                Standard
Marketing Execution                                                   Low
Customer Experience                                                   High
Operations                                                            Standard

Source: Gartner (August 2009)

 



Completeness of Vision

This axis evaluates ORM application vendors on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs and competitive forces, and how well they map to the Gartner position. Ultimately, these application providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider. Our evaluation of a vendor's completeness of vision (see Table 2) is based on these criteria:

  • Market Understanding — Competitive position, market knowledge and mechanisms for customer feedback
  • Marketing Strategy — Ability to provide various professional services
  • Sales Strategy — Ability to work with customers through its sales force and sales tools
  • Offering (Product) Strategy — Strength of R&D, capability in product design and its ability to offer image stability
  • Business Model — Soundness and logic of the underlying business proposition
  • Vertical/Industry Strategy — Ability to provide a vertical-specific product and service
  • Innovation — Ability to have investment resources, expertise or capital for consolidation, defensive or pre-emptive purposes
  • Geographic Strategy — Ability to provide products and services globally

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria | Weighting
Market Understanding | Standard
Marketing Strategy | Standard
Sales Strategy | Standard
Offering (Product) Strategy | High
Business Model | Low
Vertical/Industry Strategy | High
Innovation | Low
Geographic Strategy | Standard

Source: Gartner (August 2009)

 



Leaders

This quadrant tends to be occupied by vendors with software applications that address the qualitative as well as quantitative aspects of ORM. These vendors have achieved a high level of market acceptance and enable a consistent view of operational risk across the organization, as compared to separately designed and implemented risk calculation engines or audit, control and compliance reporting tools. Such vendors approach operational risk more comprehensively and holistically across the enterprise and link operational risk to corporate performance management (CPM). They have robust organizational structures and professional services resources.




Challengers

Challengers typically have demonstrated offerings that meet the qualitative as well as quantitative requirements for managing operational risk and have software that can be readily integrated with other applications. They have implemented sales and marketing strategies for expanding market penetration and improving the customer experience through enhanced support and professional services capabilities using their own resources or in partnership with others.




Visionaries

Although visionaries may not necessarily have a comprehensive product offering, they take a strategic approach to service delivery and are moving toward a technology platform that encompasses qualitative as well as quantitative capabilities using their own software applications or through partnerships with others. Innovative product and market approaches, or enhanced business models for service delivery that extend the vendor's market penetration or geographical reach may also characterize those in the Visionaries quadrant.




Niche Players

Niche players deliver software offerings to support ORM, but lack the vision or ability to execute across the range of evaluation criteria. These tend to be smaller companies with limited geographical reach or financial resources that depend to varying degrees on partnership relationships for implementation or sales.




Vendor Strengths and Cautions

Algorithmics

Acquired by the Fitch Group in 2005, Algorithmics has strong ORM knowledge.

Algo OpVar 6 is a multimodule ORM offering with broad functionality, including self-assessment, KRI analysis, capital modeling scenario analysis and loss data collection.

Algo OpVar Standard Edition is designed for institutions seeking a predefined methodology for ORM, and for Tier 3 and Tier 4 institutions, which constitute 49% of its client base.

Geographic penetration is 73% Americas, with 20% in Europe and the balance in Asia.




Strengths
  • Modules that operate on a single integrated data architecture with data management specific to operational risk, reporting and dashboard functions
  • All aspects of Algo OpVar are security-aware in terms of access
  • Two external operational-loss databases, including Algo First, that have 8,200 case studies of loss events
  • Twenty-two offices worldwide with professional services capability if delivered from those offices
  • Large, long-standing client base
  • Clean graphical user interface (GUI) — easy/intuitive executive dashboard and navigation
  • Strategic focus on providing framework to develop and enhance ORM best practice, as opposed to management of specific regulations
  • Multilingual text and presentation layers
  • SaaS offering is possible via third-party hosting (e.g., Mexico) or through an Algorithmics-hosted facility in Canada



Cautions
  • Architectural rigidity generally requires customization of workflow, data fields and reporting to accommodate client-specific internal risk control requirements and regulatory compliance (this does not apply to clients that select the Standard Edition solution)
  • Qualitative self-assessment and action planning results can be used in the scenario analysis module; there is no direct technological link to the capital calculation engine
  • Apart from reference data for Basel II requirements, there are no prepopulated libraries of business rules or regulations; no specific capability to update libraries based on regulatory changes
  • Limited out-of-the-box capabilities for mapping risk and control elements to specific regulatory compliance and reporting requirements
  • Strategic focus is on providing a framework to develop and enhance ORM best practice, as opposed to management of specific regulations
  • Hard to read/interpret the operational or capital modeling tool, which runs as a separate module (albeit from the same administrator)
  • Vendor support in geographic regions where Algorithmics lacks a direct presence can be challenging



Avanon

Formerly RiskConceptsSystems (RCS), it was rebranded as Avanon earlier this year.

Its target market is Tier 2, Tier 3 and Tier 4 FSPs; more than 70% of its clients are in Western Europe. Its capabilities include loss data collection, risk self-assessment, mapping for losses and controls, as well as workflow and key risk indicator (KRI) management. Performance metrics may be incorporated and linked to the calculation engine for statistical and scenario analysis, and capital calculations.




Strengths
  • A sales strategy with a continued focus on GRC
  • Single data model and source code used by all clients
  • Can manage insurance processes and risks (for example, claims events and management)
  • Focus on software development, not professional services
  • A strategy to grow industry focus (for example, into the energy industry)
  • Hosted solution for selected Swiss clients
  • Supplies FRS Global with ORM platform
  • Executive dashboarding and reporting preconfigured based on client requirements



Cautions
  • Small, Swiss/German-focused vendor
  • System not preconfigured with specific rules or regulations except for Austria, Germany, Switzerland (regulations and controls); if Avanon has the data, the new client gets it for free — focus is on providing a framework for uploading any information
  • Growth beyond Switzerland predicated on partnership capabilities — no direct sales force growth planned
  • Professional services capability limited — focus is on software sales



BWise

BWise, a privately held company, was founded in 1994. It has five offices globally; however, two-thirds of its ORM business is in Europe.

BWise has concentrated on Tier 3 FSPs, with 75% of its current installed base in the Tier 3 and Tier 4 segments of banks by size.

It can offer a hosted solution, but currently has no FSPs using this capability.




Strengths
  • BWise v.4.0 has solid capability in qualitative self-assessment, internal control, KRIs, process modeling, and optimization for operational risk and regulatory compliance
  • Provides a configurable loss incident database with many prestructured elements as well as templates for Basel II, Markets in Financial Instruments Directive (MiFID) and other generic frameworks such as Committee of Sponsoring Organizations (COSO) and Control Objectives for Information and Related Technology (CobiT)
  • Has an OEM relationship with and sources dashboard functionality from Business Objects, which is embedded in the offering and transparent to users
  • Enhanced functionality for reporting, including drag-and-drop usability
  • Integration of internal audit functionality, including planning, scheduling and execution of audits as part of a broader GRC platform
  • Integration of process management and improved process workflow
  • Improved usability
  • Controls can be mapped to multiple compliance objectives (such as Sarbanes-Oxley or ISO attestation)
  • Contains populated library for generic controls (for example, ISO 27002)
  • Recent augmentation of U.S. professional services employee base
  • Functionality to identify and manage risks on a project and process basis
  • Document management capability allowing users to attach supporting documents and linkages to controls
  • Supports up to nine languages based on a single instance of content
  • SAS 70 certified



Cautions
  • A horizontal industry solution not specific to financial services and with no specific industry regulatory features (the company has a dedicated financial services sales force)
  • Beyond loss and scenario analysis using value-at-risk (VaR) calculations and a Monte Carlo simulation, the software uses qualitative self-assessment for risk management, governance and compliance
  • Supports the standard or basic Basel II approaches to operational risk; the absence of an engine to calculate and allocate risk capital leaves it unable to meet the requirements of an advanced approach
  • Risk templates are baseline for smaller institutions, although not predefined; also would require enhancement for large institutions
  • No external operational loss database; import capabilities are provided to other external sources
  • Approach to CPM is qualitatively based
  • Service and support capabilities outside of Europe have been predominantly supported from Europe
  • User configurability has to be aligned with customer risk methodology; while configurable, customers will have the product configured to their methodologies
  • No integration of operational risk with credit and market risk (the broader implications of credit incidents resulting from process failure are not captured or identified as a credit loss)



CCH Sword

CCH Sword v.8 provides risk control self-assessment, loss event capture, KRIs, scenario analysis and an issues/actions component for problem tracking and resolution.




Strengths
  • Acquisition of Sword (formerly Ci3 Sword) by CCH, a Wolters Kluwer company, in September 2008 improves financial viability and enables greater market visibility and global reach
  • Framework can be delivered preconfigured for Basel II and can be employed from a standard to an advanced approach
  • Nonexclusive reseller arrangement with SunGard (see Note 1) mitigates the need for additional capital for sales and marketing (Sword also sells through resellers in Australia, Israel and Central America; it leverages the SunGard relationship for professional services support; SunGard private-labels Sword as SunGard BancWare Operational Risk)
  • Multilanguage capability for text and compliance terms
  • Clean, user-friendly interface; good navigational capability for executive dashboard
  • Preconfigured audit/compliance capabilities loaded from Wolters Kluwer products (for example, Teammate shipped with the Sword offering)
  • Predefined templates capture data from loss events
  • New offering, Sword Essential, targeted at midtier financial institutions with preconfigured libraries covering all controls and risk events, including embedded U.S. federal regulations
  • Partnership with Operational Risk Insurance Consortia to provide ORM platform via ASP offering
  • Well-penetrated across multiple segments of the industry by institutional size
  • Integrated the Microsoft Reporting Tool from Microsoft Reporting Services to enhance reporting and executive dashboarding — road map is to use it to enhance the "MySword" capability
  • Provides technology platform for Operational Risk Insurance Consortium (ORIC)



Cautions
  • Capital calculations delivered through custom-made, consulting-derived solutions or sourced from SunGard's BancWare toolkit
  • CCH IT services and support capabilities are limited until better integrated with Wolters Kluwer
  • Sword provides data integration for multiple Wolters Kluwer compliance applications; clients have to purchase and maintain the Wolters Kluwer compliance point solutions separately
  • Limited embedded general ledger integration, directly supports only SAP with XML structures
  • Nonexclusive nature of reseller agreements may inhibit growth
  • Enhanced direct sales capability with Wolters Kluwer mitigated by continuation of Wolters Kluwer point solutions



Centerprise Services

Founded in 1998, Centerprise has solid capability in qualitative self-assessment, internal control, KRIs, process modeling, loss event capture and optimization for operational risk and regulatory compliance.




Strengths
  • Strong domain expertise
  • Document management capability allows users to attach supporting information (including integration with IBM Content Manager as a standard interface, but separate license)
  • Multiple controls can be assessed to individual risks
  • Strong usability and navigational capability
  • Standard taxonomies (for example, Basel or Operational Riskdata eXchange Association [ORX]) are prepopulated out of the box; clients can add to prepopulated regulatory content
  • Partnership with IBM to provide technology and implementation (not marketing) support for engagements sourced by Centerprise or IBM



Cautions
  • Small, North America-based company with limited market penetration
  • No marketing and sales group; leads generated through partners and referrals
  • No support for scenario analysis or stress testing
  • No capital calculation or quantitative analysis capabilities
  • No configurable dashboard for reporting
  • Mothballed ASP/SaaS offering
  • Focus is Tier 1 banks, but limited professional services and support staff



Chase Cooper

The Chase Cooper aCCelerate Suite was launched in 2005, and v.3 provides functions across risk control self-assessment, KRIs and loss event, as well as a multilevel hierarchy framework to support various risk management structures.

The product is positioned to be an institution's risk and compliance hub. Seventy-five percent of its business is from Europe, with the balance in the Middle East and South America.




Strengths
  • Control failure, self-assessment and a calculation engine linked to determine and allocate regulatory and economic capital
  • Ability to scale from large to midtier institutions
  • 33% of deals include business consulting embedded in agreements for risk procedures and methodology as well as prestructured modeling tools that don't require users to have mathematical expertise
  • Modeling handles quantitative as well as qualitative process-based scenarios
  • Flexible process and organizational mapping; partners with Business Objects for dashboard and delivers standard and Crystal reports
  • Has its own external loss database
  • Product strategy relies heavily on user configurability
  • Preconfigured library of controls; customers can attach specific regulatory requirements
  • Partnership with Headstrong for code development and support
  • SaaS offering available; ASP model hosted via a third party in development



Cautions
  • Small, privately held company; it is self-sustaining through operations
  • Geographic reach limited by distribution partners that are not particularly deep or broad in their operational risk capabilities or subject matter expertise
  • Product strategy relies heavily on user configurability, including customer knowledge of specific regulations and business consulting for process modeling and data integration
  • Sales approach relies heavily on provision of professional services for rapid implementation; operational risk is not integrated with credit and market risk (the broader implications of credit incidents resulting from process failure are not captured or identified as a credit loss)
  • Use of Business Objects technology for the dashboard (clients require a separate Business Objects license if they wish to use that application to develop custom reports beyond those provided by Chase Cooper)



eFront

eFront is a small company that entered the market in 2003, with an installed base heavily weighted to Europe, and the French market in particular, with some clients in Africa. eFront is funded through venture capital and a public offering. eFront GRC Suite 3.8 is designed specifically for the financial services market with data structures that are specific to Basel II and Solvency II.




Strengths
  • Five modules with common, shared components and a data model that can be purchased separately (ORM, Internal Control, Audit, Business Continuity Planning and Legal Management) covering risk data collection, process mapping, self-assessment, KRIs, action plans, a business process management (BPM) graphical interface, and VaR and capital calculation capabilities
  • Risk mapping categorizes business entities in user-defined hierarchical structure
  • In-house-developed executive dashboard technology with standard and custom templates
  • Offers a license or hosted (ASP) model based on native, full Web architecture



Cautions
  • Ability to serve a more global market still in question; sales offices opened in Dubai, London and New York
  • Initial public offering in 2006, but broader market expansion remains limited
  • Batch-oriented uploads of data — statistical models — require users to customize data and develop their own scripts
  • No external loss database



Financial Architects (FinArch)

Founded in 1997, its focus is on financial resource planning, with a robust linkage between risk management and performance management. (Note: FinArch did not respond to requests for supplemental information or to review the draft contents of this document. Gartner's analysis is based, therefore, on other credible and accepted public sources.)




Strengths
  • Direct sales, with offices and sales in North America, Europe and Asia
  • Professional services capability
  • Business process mapping, operational risk loss recording, audit and certification, reporting, KRI and scenario analysis, external loss data, capital calculation
  • Data management includes risk metadata library, performance data repository, risk rule engine, ETL, multitype, loss data collection and audit trail and history
  • Microsoft SQL server-based, particularly suitable for Tier 2 and Tier 3 banks
  • Integrated regulatory reporting
  • Some executive dashboarding capability



Cautions
  • Small, privately held company
  • ORM capabilities mainly focused on data collection and calculation capabilities, and performance reporting
  • Sells a suite for management of credit, market and operational risk; ORM application available separately but not actively marketed
  • No qualitative risk self-assessment or configurable organizational framework and workflow management capability
  • Does not include risk policy and controls or control self-assessment capabilities
  • Professional services comparatively limited and focused on internal resources



interexa

Founded in 1998, interexa is a closely held stock company. Mainly focused on Germany, Austria and Switzerland, its offering includes risk event and loss data, risk and control self-assessment, KRI, action plans, reporting, and simulations.




Strengths
  • Exposure risk self-assessment, risk indicators, simulations and reporting
  • RSA can combine controls with scenario analysis
  • Connects to external loss database consortium in Germany (Dakor); technology based on interexa platform
  • Partnership with Misys for international sales and support
  • Library of indicative examples for controls, KRIs and action plans created from customer experiences
  • Component-based architecture
  • Users can customize ORC through configuration, using parameters or programming changes by interexa
  • Ability to link operational risk exposures/events to credit and market risk exposures/events
  • Quantitative functions: Monte Carlo, stress testing, economic/regulatory capital calculations, simulation/stress testing; provides "fat tail" analysis, distribution analysis (goodness of fit)
  • ASP offering hosted by a third party



Cautions
  • Size and resources currently are impediments to expanding sales and servicing customers in broader geographies
  • Limited executive dashboard capabilities; broader capabilities including more graphics, drag-and-drop being developed
  • Standard reports only, enhanced via Crystal report writer for creating additional reports



List S.p.A.

Founded in 1985, List's OpRisk Evolution v.4.1 includes six modules that use a common platform and data structure that can support standard/basic to advanced measurement approaches to ORM. Its customer base is predominantly Tier 3 FSPs.




Strengths
  • All software elements included and enabled at purchase; individual components are switched on as needed/when licensed
  • Risk framework included, as well as mapping, risk/control self-assessment, loss data collection and KRI capabilities
  • Calculation engine for risk capital as well as scenario analysis, quantitative analytics and Bayesian integration
  • Platform for the Italian Operational Risk Data Consortium (DIPO) sponsored by Italian banking institutions and Bank of Italy
  • Offices in New York, Kuala Lumpur and Europe; OEM arrangement with Moody's Analytics for sales
  • 24/7 support in all regions
  • Multilingual with single code instance and translation
  • Document management capability to attach supporting information
  • User-configurable executive dashboard with strong graphics capability
  • ASP offering hosted from Pisa



Cautions
  • Small, privately held Italian company
  • Installed base is still heavily based in Italy; brand still evolving
  • No provision of risk methodologies
  • No content library for regulations (for example, Basel II)
  • Dependent on relationships with system integrators for professional services
  • No link to business-line metrics



Mega International

Mega International, a closely held 1991 spinoff from Capgemini, is a midsize vendor based in Paris that launched Mega GRC in 2007. During the past few years, Mega International has gradually increased its portfolio of ORM functionality, including capital calculations, internal audit and control software.

Eighty percent of its sales are European-based, 10% in the U.S. and the balance in the Middle East, with the main concentration in Tier 2 and Tier 3 banks.




Strengths
  • Supports standard/basic to advanced measurement approaches to ORM
  • All software elements included and enabled when purchased; individual components are switched on as needed when licensed
  • Includes risk framework with Basel II events (as well as Sarbanes-Oxley; other regulatory templates are planned in the product road map), mapping, risk/control self-assessment, loss data collection and KRI capabilities
  • Calculation engine for risk capital as well as quantitative analytics
  • Robust professional services and consulting support — reorienting its global partner arrangements from an audit and consulting services focus
  • Easy navigation and improved executive dashboard and alerts
  • Document management and information attachment capability via Web services
  • Ability to perform risk control cost analysis
  • Enhanced sales capability in the U.S.
  • Integrated ORM with business process analysis solutions
  • Integration of DIPO and ORX external databases



Cautions
  • No prepopulated content libraries
  • No SaaS or ASP offering
  • No linkage between operational, credit and market risk-related events
  • No partnership arrangements with major system integrators or large financial services vendors



Methodware

Methodware, founded in 1993, is a midsize privately held company that was purchased in 2007 by Jade Software, a custom designer of information systems. Methodware continues to operate independently.

With 15 years of market history, Methodware has a large installed client base for its Enterprise Risk Assessor v.7.0 product, with more than 75% of its client banks in Tier 3 and Tier 4 banking segments by size.




Strengths
  • Audit, compliance and internal risk self-assessment methodology strengths; changes to interdependent risks are captured and illuminated via workflow notification, including changes in assessment levels and tolerances
  • Captures KRI and loss data information; capability to conduct cost-benefit control analysis
  • Global penetration through large network of distributors with good domain knowledge
  • Risk-based compliance frameworks available for Basel II clauses and provisions (can be prepopulated for an additional fee), MiFID TCF and Solvency II
  • 90-day, money-back warranty
  • Enterprise sales approach
  • Good usability/navigational capability
  • Strong client base for compliance/audit functionality
  • ASP offering; currently only in use for a targeted group of clients, long-term ASP strategy is work in progress
  • Wipro is a sales and implementation partner in Europe
  • Partnership with Quadrant to bundle Quadrant's market and credit risk solutions as a single offering for Quadrant
  • Integration of Investigator (a case management/fraud investigation system migrated from Jade to the Methodware brand) within the overall ERA framework



Cautions
  • Basel II capabilities limited to support of standard and basic approaches
  • No calculation engine or simulation tools, but through a partnership with Palisade Software (@Risk Monte Carlo product), a U.S. company, these elements can be integrated; scenario analysis not available through Palisade or Methodware
  • No facility for secure access to third-party reporting tools; product offers standard reports and user-configurable report-writing capability — expected in 2010
  • No browser-based configurable executive dashboard — expected in 2010
  • Limited internal professional services capability; consulting services provided through a partner network
  • Combination of Metavante and Fidelity leaves future of Metavante and Methodware relationship in question; Gartner perceives no immediate changes
  • Partnership with Quadrant does not include use of Quadrant credit and market risk calculation engines and quantitative capabilities



OpenPages

Established in 1996, OpenPages ORM v.5.5 has an installed base about evenly split between North America and Europe, the Middle East and Africa (EMEA), with some penetration in Asia.

It supports workflow automation, integrated reporting, including event tracking, risk control self-assessment, a loss data collection database and KRI. Target market is heavily focused on Tier 1 institutions.




Strengths
  • Process and risk-mapping specific to banks with out-of-the-box Basel II definitional hierarchies
  • Correlates risk events with risk control self-assessment, scenario analysis and KRIs, including credit boundary events
  • Metadata-driven configurability with executive dashboard and heat mapping
  • Framework with content provided by Unified Compliance Framework, which supplies the content of the individual (400) regulations
  • Some preconfigured generic control libraries using Deloitte's Risk Catalogue
  • Provides core data platform for ORX industry consortia and offers clients a framework for mapping to ORX
  • SaaS option offered using IBM hosting



Cautions
  • Customers and sales focused on institutions having desire to self-configure an operational risk framework, database, organizational structure and workflow
  • No Monte Carlo, VaR or capital calculation engine elements necessary to execute a Basel II Advanced Measurement Approach
  • Data input for CPM, but no statistical analysis
  • Generic KPI and KRI framework
  • User interface is not intuitive for understanding process linkages — lacks crispness
  • Process and workflows largely opaque to executive dashboard/user



Optial

Optial was founded in 2000 and is based in the U.K. Its Operational Risk Platform v7.0 is a suite of modular components for qualitative self-assessment, workflow, process mapping, loss data collection and KRIs, including a standard list of KRI values. It includes links, controls, risks, audit findings and losses, and employs a business rule engine. Existing customer base is primarily in Europe.




Strengths
  • Focus on data quality and modeling
  • SaaS offering hosted by third party
  • Component-based architecture
  • Smart-Start version is preconfigured for smaller institutions and is configurable and scalable for large institutions across thousands of users/profit centers
  • Document management capability for information attachments and linkages to other file servers and sources
  • Loss calculation capability but no capital calculations
  • Offices in London, Atlanta and Sydney



Cautions
  • Basel II event types for business lines are preloaded; users require configuration to address specific regulatory needs
  • Small, privately held firm, limited client base (while self-funding, its current resources are an inhibitor to expanding global footprint)
  • Distribution partner program still evolving
  • No quantitative aspects of operational risk; lacks modeling and capital calculation capabilities
  • No external operational loss database
  • Consulting partnerships, but only with niche providers
  • Dashboard based on Microsoft technology that stores data for online access and reporting; extended reporting and analytics are an overnight batch process
  • No stress testing or scenario analysis



Oracle Financial Services

Oracle Financial Services' ORM offering is based on Oracle Reveleus product version 4.5, and the capabilities are particularly aligned to the requirements of Tier 1 banks.




Strengths
  • Full-range operational risk framework across assessment, process mapping, workflow management, KRIs and loss event capture, including data management and ETL tools for quantitative operational risk and compliance management
  • Supports Advanced approach for Basel II with capital calculation engine, scenario and sensitivity analysis
  • Extensive library of bank processes and documents that can be attached electronically to the self-assessment process
  • Through integration of its Mantas product, Reveleus can also provide surveillance and behavior detection related to anti-money-laundering, know-your-customer, fraud and trading compliance
  • Strong professional services capabilities
  • Insurance policy library, insurance claims management and linkages with risks; framework has no prepopulated content
  • Uses Oracle engine for information flows based on Business Process Execution Language (BPEL) standards
  • Strong, holistic vision for risk management
  • External losses captured from ORX, GOLD



Cautions
  • Classifies all regulatory clauses and procedures; templates now sold separately (Oracle is considering bundling them with future software releases)
  • Sophistication, cost and pricing policy may limit attractiveness of solution to smaller Tier 2 and Tier 3 institutions, particularly if they are not taking a qualitative approach to operational risk, and it may inhibit growth into mid- and lower-tier markets
  • Ability of Oracle to cohesively leverage and integrate its sales and professional services staffs is still unclear, based on our analysis
  • GUI and risk framework, workflow, for qualitative risk self-assessment are on a common stack; integration work required across some modules (anti-money-laundering, behavioral detection and fraud)
  • Risk content framework not prepopulated or configured with specific regulations; population via professional services team or using a third party possible
  • Clients cannot build questions into version 4.5 to create RSA questionnaires
  • Not very intuitive dashboard/GUI



Quadrant Risk Management

Founded in 1991, Quadrant Risk Management offers two integrated services: domain consultancy and risk data provisioning platforms, including B2 for advanced and SAB2 for standard Basel II approaches. It provides data-provisioning platforms for quantitative aspects of ORM, but its business focus is on integrated risk information across all risk classes. Eighty-five percent of its customers are in the Middle East and Africa, with the balance in Europe.




Strengths
  • Risk factor modeling and capital adequacy calculations for operational risk (also credit and market), regulatory quantitative, qualitative and ad hoc reporting
  • Predefined, extensible data model with group or business unit consolidation and individual reporting
  • Integrated risk management platform to correlate risk across the enterprise
  • Includes Basel II Pillar II calculations and results, including capital calculations with risk-adjusted rate of capital (RAROC)
  • Data provisioning for analytical modeling/predictive modeling, including stress testing and scenario analysis
  • Partnerships with HP and Sybase for data warehouse and platform integration with Quadrant informational/analytical models; integrates with other data platforms



Cautions
  • Data provisioning for quantitative aspects of ORM, but business focus is primarily consulting to integrate risk information across all risk classes
  • No organizational framework, business process identification, mapping and evaluation, and risk control self-assessment
  • Partnership with Methodware for qualitative self-assessment
  • No loss data collection or process management
  • No embedded alerting or workflow capabilities — received via partnership with MicroStrategy
  • Informatica provides ETL tools and data quality management
  • Software implementation provided by third parties



RimaOne

RimaOne is a small, privately owned company with customers based in Europe (mainly U.K., France and Germany) and the U.S. Its focus is on automating GRC.




Strengths
  • Small company with accounting compliance background
  • Suitable for Basel II, BaFin (Bundesbank and German Financial Supervisory Authority), common reporting (COREP) and other regulatory requirements
  • Process, workflow, framework, internal control and KRI tools from RimaOne; capital calculation engine through a 2005 merger with Quetzal
  • Maintains prebuilt libraries of regulations (such as instructor-led training [ITL], CobiT, anti-money-laundering, Sarbanes-Oxley, Basel II); control linkage is provided through third-party relationships
  • Strategy/vision is to fully automate back office for GRC
  • Technology strategy is based on data integration across multiple business lines
  • ASP and SaaS offering hosted by a third party
  • Document management capability allows for information to be attached to risk assessments



Cautions
  • A generic, user-configured, build-to-order toolkit not particularly unique to financial services or ORM
  • Primary focus is governance, with delivery of standard risk indicators, controls and several modules to support loss data capture; methodologies and regulation-specific content provided through third-party relationships
  • Reporting customer-driven and, beyond some standard regulatory reports, created through Crystal or other third-party reporting tools
  • Navigation of dashboard and reporting cumbersome, requiring multiple clickthroughs
  • Global sales and distribution strategy strongly driven by third-party relationships



SAS Institute

SAS Institute (SAS) is a privately held U.S. company with a substantial quantitative and qualitative ORM application suite, as well as its own external loss database that is well represented in institutions globally.

SAS approaches operational risk and compliance collectively, and delivers a modular solution for risk assessment, loss data, KRI collection and management, as well as workflow control and action planning with its SAS ORM suite v.4.1, OpRisk Global Data, OpRisk Monitor v.4.1 and OpRisk VaR v.4.1.

Client installations are mainly in Tier 2 and Tier 3 institutions, but SAS also maintains a good number of Tier 1 clients.




Strengths
  • Documents can be electronically attached to support processes; data cleaning and transformation capabilities to ensure data quality are included as part of SAS ORM solution
  • Quantitative requirements supported with a capital calculation engine; scenario and sensitivity analysis with a view to improving corporate performance and facilitating advanced compliance reporting
  • Focus on delivering integrated solution that minimizes the need for professional services (SAS has a substantial professional services staff); strategy focuses on selling enterprise-level solution
  • Substantial loss database with accompanying scenarios; clients can integrate with other third-party external loss databases
  • Architectural and workflow integration with other risk/compliance components
  • Strong geographic presence; Europe and Asia penetration dominates
  • Good executive dashboarding and reporting
  • Reinforced offering strategy based on SAS v.9 BI platform
  • Highly configurable dashboard
  • SAS focusing on usability for loss data collection (Create, Investigate, Approve) — Create was recently added; new form-based assessment approach for risk and control assessment; also more customization for screens related to various data items such as incident, issues, action plans
  • New functionality adds collaboration capability for incidents — offline chat to add comments about incidents (time stamped) to aid investigations
  • Document management functionality enhanced with additional e-mail integration capabilities and internal blogs; other information and links can be appended to risk assessments



Cautions
  • Sells to small institutions; however, it focuses primarily on large-end institutions; institutions with basic operational risk and compliance requirements, and limited budgets, may find offering exceeds their requirements and resources
  • Sold based on a subscription model with annual renewals; cost determined by FSP asset size and breadth of project
  • SAS ORM Suite comes bundled with SAS BI Suite; if SAS not used by client for business intelligence, the client needs to plug into third-party tool via data integration layer (buying Op Risk tool comes with bundled BI stack included — the BI tool is used only in the context of operational risk — restricted by license and pricing)
  • No out-of-the-box for Tier 3 and Tier 4 institutions following a standardized approach to Basel II
  • No library of controls; only uses a generic framework
  • Integration of the three components of the ORM Suite still work in progress
  • No SaaS or ASP offering

The Magic Quadrant is copyrighted 28 August 2009 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.






Note 1
SunGard Disclaimer




SunGard is a portfolio company of Silver Lake Partners, a private investment firm that also owns a substantial, publicly disclosed interest in Gartner, and has two seats on Gartner's 11-member board of directors. Gartner research is produced independently by the company's analysts, without the influence, review or approval of our investors, shareholders or directors. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on our website, www.gartner.com/it/about/omb_guide.jsp .





Vendors Added or Dropped




We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.





Evaluation Criteria Definitions





Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.


Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.