A holistic approach to enterprise risk management (ERM) requires software products that can maximize a firm's ability to capture, measure and manage risk exposures consistently across the organization. This research provides a guide to credit, market and operational risk management (CRM, MRM and ORM, respectively) vendor software that includes risk-specific functionality, as well as capabilities that support enterprise-level, cross-discipline management of risk and performance.

• The universe of risk management vendors has become segmented between a few large global providers and a cluster of specialized vendors with limited regional presence. Consolidation and acquisitions among vendors have increased to create scale, growth and market reach, but add risk and uncertainty about vendor viability for buyers.

• Few vendors directly offer applications across all risk types, but most provide software for either credit and market risk or for ORM. Using separate technology and data structures among risk types presents integration challenges for buyers seeking transparent, low-latency, cross-enterprise process performance and risk management.

• Vendors typically link calculation engines and risk self-assessment to allocate regulatory and economic capital for a particular risk type, but few have linked market and credit risk with ORM calculations and processes. This disconnect presents integration and reconciliation hurdles for customers seeking to achieve broader process and performance management value from risk management software.

• Deploy risk applications consistently across the entire institution (for all businesses and geographies). Siloed approaches inhibit interactive management and quick response to risk threats. Use configuration, not customization, to meet current and longer-term functional requirements.

• Plan technical architectures and data structures that are process-based rather than application-based to enable a single, coordinated mechanism to evaluate and respond to risk threats and opportunities. It is not possible to buy all the components for ERM in a single vendor suite. Technology, process and data integration can be minimized but not avoided.

• Meet immediate risk management needs in the context of an overall enterprise plan. Beyond tactical functionality, assess how vendors can improve the management of risk interdependencies and integrate risk with performance management

This document was revised on 1 June 2011. For more information, see the Corrections page on gartner.com.

Irrespective of current or future regulatory requirements, all financial institutions should embrace methodology that standardizes and integrates risk calculations, data management and reporting across all an institution's activities (business and technology). While there is an increasing trend in that direction, most Gartner clients still operate credit/market risk functions separately from operational risk and have yet to make the connection between risk and enterprise performance management. This holistic approach is necessary to reveal the overall nature of risk exposure, including correlation, dependencies and offsets, and to centralize the processes and decisions related to absorbing, limiting or transferring risk. It is also necessary to create a link between risk and performance management in order to identify risk priorities and to enable the information flows to support management and decision making related to those priorities. Beyond regulatory compliance, the financial and management benefits of such a consistent and interconnected approach to managing credit, market and or operational risks across all enterprise activities will continue to deliver competitive differentiation in the near term. 

A holistic approach to ERM requires software products that can maximize a firm's ability to capture, measure and report on specific risks in the organization. Gartner believes that end-user clients should view risk management technology with the same degree of mission-criticality and substance as other significant enterprise platforms, core banking, ERP, payments and so on. Therefore, Gartner believes:

• End users need to evaluate their purchasing decisions based on the viability, commitment (to risk management and financial services) and deep product capability as they relate to a bank's ERM strategy.

• Instead of an amalgamation of point solutions that address individual functional requirements, institutions should build out functional risk requirements against an enterprise-level technology plan.

• Banks that minimize the number of point solutions in favor of risk management suites will decrease process duplication, and process integration complexity across the enterprise will improve overall risk management effectiveness.

This research provides a guide to risk management software that can be used to support a financial institution's vendor identification and selection process, including the:

• Relative size, primary target market and geographical presence of vendors

• Risk types for which vendors directly provide software

• Credit, market and operational (quantitative and/or qualitative) software functionality by vendor

In July 2010, Gartner conducted a global survey of CRM, MRM and ORM software vendors that are selling to financial institutions. Vendors that offer only reporting and/or dashboard functionality; narrowly focused risk analytics or portfolio tools; and generic governance, risk and compliance applications, as well as consulting companies or professional service firms that do not offer a discrete risk management software application, were not included in the survey. Gartner identified more than 40 vendors of enterprise-level and treasury and trading risk management software for financial services. The following vendors either did not respond to the survey or did not provide the information requested: Brady Risk Management, Calypso Technology, Centerprise Services, eFront, Financial Architects (FinArch), Kalyptorisk, Quadrant Risk Management, RimaOne, RiskMetrics Groups, Temenos, Thomson Reuters, Viz Risk Management and Wall Street Systems.

Table 1 provides information from the 30 vendors that responded to the survey. Only four vendors (Algorithmics, Oracle Financial Services Software, SAS and SunGard) directly offer applications across credit, market, and both qualitative and quantitative ORM that do not involve components provided by partners. The specific content (or its absence) identified throughout this research reflects information provided to Gartner by the vendor and has not been independently verified. The capabilities noted for each type of risk reflect only those provided directly though vendor-owned software and do not include functionality offered through partnerships.

Figure 1 visually describes the relative size of vendors in terms of revenue (y-axis) and clients (x-axis) based on vendor-provided information and/or Gartner estimates. The size of the circles, which are segmented based on the risk type(s) addressed by the vendor, reflects the primary tier institution to which the vendor targets its offering or in which the vendor has the most customers. (See Note 1 for tier definitions.) The target tier is presented only as an indicator and does not mean that a particular vendor sells only to that tier. A number of vendors sell to all tiers or are seeking to expand their business with other banks, both large and small.

While smaller vendors will happily use client suggestions to enhance and extend code to improve their product viability, financial institutions must still pay close attention to the long-term viability of many of the vendors. Functional breadth alone will not necessarily guarantee long-term market presence. A number of firms in this market, particularly in the area of operational risk vendors, have been acquired (such as OpenPages by IBM, FRSGlobal by Wolters Kluwer and Sophis by Misys) to provide expanded functionality and/or to extend a firm's market. Additional market consolidation is afoot.

In terms of clients, Gartner has found that various vendors may, for example, claim the same global Tier 1 institution as a risk management customer. This usually is the result of different divisions of a global institution (for example, retail bank or investment bank) choosing a vendor thought to meet the specific requirements of a particular business segment. Potential buyers should also exercise due diligence in assessing vendor claims of numbers of installed clients. Some vendors inflate those numbers by counting multiple divisions within the same institution as a separate client.

Figure 2 provides a heat map of the where vendors report to have clients across six geographical regions. A white box indicates no current customers in that region, the lightest colors indicate fewer than 25 clients, and the darkest colors indicate more than 75. Different colors are for each geography.

This information is provided only as an indicator of the current environment, because it is not meant to suggest that a vendor cannot or will not support a particular geography. However, potential buyers should ascertain the level of direct vendor involvement in a region and to what extent partners are involved in sales, implementation and ongoing support.

Buyers should exercise particular caution when considering a vendor in a region where implementation is delegated to a third party, and the vendor is not a physical participant in that process. In those cases, it must be determined with whom the buyer would have the relationship for implementation, the competency of the firm providing the service, the level of input and control by vendor, and to what extent the vendor is responsible for the results.

Credit and market risk calculation engines are used to quantify and analyze risk exposures, as well as the likelihood and effect of potential default. To be effective, they should include at least the following components: capital computation; capital adequacy reporting; probability of default (PD), loss given default (LGD) and exposure at default (EAD) calculations; economic, regulatory capital and risk-adjusted return on capital (RAROC) calculations; and collateral management, stress testing, scenario analysis, value at risk and Monte Carlo simulations.

Credit and market risk calculation engines are necessary to more effectively relate capital reserves to actual levels of exposure, to quantify capital to absorb unexpected losses, and to quantitatively understand the interdependency of credit and market risk with operational risk exposures. Tables 2 through 7, separately, list specific credit and market risk management calculation functionality, respectively, by vendor.

In each table, an "X" indicates that the capability is provided directly by the vendor, and a "P" indicates that the functionality is delivered through a vendor partnership. Potential buyers should be aware that functionality provided directly by the vendor may involve multiple products from that vendor that do not necessarily employ the same technology platform or data structure. In that case, as with partnership arrangements, there may be separate licensing, additional cost and/or integration requirements.

Financial institutions that lack applications to perform quantitative risk measurements and to integrate qualitative and quantitative ORM activities should consider the increasing market, stakeholder and regulatory pressure, as well as the internal benefits of implementing these systems.

Liquidity risk is an operational risk with significant credit and market risk implications, is critical to institutional survival, and requires increasingly interactive management and measurement of liquidity process performance.

This means that potential customers of risk management software vendors should evaluate the cost and efficacy of maintaining separate quantitative or qualitative self-assessment-only ORM applications against those that combine qualitative functionality with quantitative tools and capital calculation engines for ORM. Reuse of business logic and data components is evolving as a means to reduce redundancy and integration costs. However, a fully formed componentized solution that can increase enterprise integration efficiency and flexibility has yet to emerge in the risk management software market.

Tables 8 through 10 provide a list of functionality offered by vendors for qualitative and/or quantitative ORM. Some vendors offer combined qualitative and quantitative ORM application. Others offer one or the other. Tables 8 through 10 do not include vendors for which all their ORM functionality is provided through partners or third parties.

An "X" indicates that the capability is provided directly by the vendor, and a "P" indicates that the functionality is delivered through a vendor partnership. An indication of "P" in the qualitative functionality or quantitative functionality box indicates that a vendor provides none of that functionality directly and uses a partner that may provide some or all that quantitative or qualitative ORM functionality.

Potential buyers should be aware that functionality provided directly by the vendor may involve multiple products from that vendor that do not necessarily employ the same technology platform or data structure. In that case, as with partnership arrangements, there may be separate licensing, additional cost and/or integration requirements.