MarketScope for Global Enterprise Risk Management Consulting Services

6 September 2012 ID:G00229248
Analyst(s): Jacqueline Heng, John A. Wheeler

This MarketScope assesses the enterprise risk management consulting capabilities of six global consulting firms. Readers should use this MarketScope to identify and evaluate the right consultants to support the development of their ERM program and selection of associated technologies.

What You Need to Know

The enterprise risk management (ERM) consulting market is quickly evolving. As the market matures, consulting providers are continuing to augment their traditional focus on risk management strategy and program design with additional emphasis on technology. This includes the implementation of enterprise governance, risk and compliance (EGRC) platforms, as well as more advanced modeling and risk analytics services. To more appropriately reflect the scope of the consulting providers' service offerings, Gartner has renamed the "MarketScope for Global Enterprise Governance, Risk Management and Compliance Consulting Services" to the "MarketScope for Global Enterprise Risk Management Consulting Services."

Increasingly, Gartner is seeing technology wrapped around the consulting provider's risk management frameworks and methodologies, either through strategic alliances with leading technology vendors or through proprietary software. The consulting providers within this MarketScope are advancing the use of technology to help their clients improve their risk management approaches to adapt to the global complexities associated with the tumultuous economic and political environment. Gartner has observed through vendor and client reference interviews that EGRC platform implementation and regulatory compliance advisory services recently have become a larger focus for many of the consultants.

End users see the need for frameworks and methodologies, which represent a key factor in a client's decision in both engaging and selecting a risk management consulting provider. A consulting provider's methodology is indicative of its strategic approach to the marketplace. It may be primarily strategic and top-down-driven, or more tactical and bottom-up-driven, or a hybrid of the two. In fact, integrated governance, risk and compliance (GRC) — the underlying architecture that connects the top-down and bottom-up perspectives — is critical to an ERM program. As defined in "Gartner-Forbes 2012 Board of Directors Survey: How the Board Views Governance, Risk Management and Compliance Issues," "integrated GRC is an architectural, or strategic, approach to the technologies, processes and organizational support required to connect the various risk silos in the enterprise to provide better insights into the impact of risk and compliance on strategic objectives." Consulting providers that have flexible methodologies that allow for the integration of business processes across a client's enterprise will maintain a significant competitive advantage.

This year, Gartner has seen a marked improvement in providers' ability to use both methodology and technology to deliver a more holistic view of risk. The consulting providers are also investing in the advancement of risk management thought leadership and education to promote the integration of risk management disciplines across the enterprise.

MarketScope

Gartner defines ERM consulting services as the bundle of expert-driven consulting services that help enterprises mitigate the impact of uncertainty in achieving business outcomes. Management consulting providers of all shapes and sizes can offer a variety of specialized risk management services. This MarketScope evaluates how well global consulting providers deliver services to integrate business activities across an enterprise to increase both the efficiency and effectiveness of a client's ERM program.

Gartner asked client references for their top three most important factors when selecting a consulting provider for an ERM initiative. The factors are as follows:

  • Provider's ability to fulfill business needs — Shown in such factors as client references' prior relationships and demonstration of understanding of business needs
  • Provider's ability to show vision, thought leadership and methodology — Integrating risk management concepts into an entire organization and strong risk management frameworks
  • Provider's ability to demonstrate consulting capabilities — Including consulting firm's business process and industry expertise as well as its project management skills

Client references told Gartner that the top three factors with which they were most satisfied in their consultants are:

  • Alternative contracting terms, such as value-based arrangements
  • Vision, thought leadership and methodology, specifically in the area of leading innovation capabilities
  • Quality of team proposed, including consultant experience and tenure

Readers of this MarketScope should assess the evaluation of each consulting provider to match their project needs and cultural fit. Each provider has its strengths and cautions, and consulting providers should not be selected based solely on their overall rating.

Market/Market Segment Description

An integrated ERM program is a strategic and holistic treatment of all strategic, operational, financial reporting, and legal and compliance risks, including the IT and information management components of those risks.

These activities fall under the aegis of ERM consulting services:

  • Strategy — Development and implementation of a risk management strategy and framework, to include performance improvement through effective governance as supported by risk management and compliance programs
  • Assessment — Consultation on the identification, evaluation and prioritization of risks and program needs
  • Response — Consultation on the identification and implementation of mechanisms to mitigate risks and address identified program needs
  • Communication and reporting — Advice on the best or most appropriate means to communicate an enterprise's response to stakeholders
  • Monitoring — The identification and implementation of processes that methodically track governance objectives, compliance with policies and decisions that are set through the governance process, risks to those objectives, and the effectiveness of risk mitigation and controls
  • Technology — The design and implementation of an EGRC architecture and supporting software

While organizations can purchase specialized ERM consulting services for a single focus area (such as operational risk or IT risk), there is emerging demand for developing holistic, integrated approaches to risk management in support of business performance. In addition, organizations may seek to reduce compliance costs by pursuing a risk-based, multiregulatory approach to compliance that incorporates myriad government regulations, industry-specific rules and standards into a single cross-enterprise compliance program.

Inclusion and Exclusion Criteria

This research will evaluate consulting service providers on only their project-based ERM consulting services. Related projects will be broad-based and encompass predominantly integrated risk management approaches rather than individual risk categories, such as IT risk management. Gartner makes this distinction clear in order to evaluate consultants on the full scope of their ERM abilities, even though some projects may include individual risk elements. Assessed consultants will have the following:

  • Evidence of strategies and methodologies that have been applied in client engagements, including the integration of risk management and compliance objectives
  • At least 15 referenceable ERM consulting service deals
  • Defined as at least $200 million in annual revenue from risk management consulting
  • At least 15 customers able to be referenced for ERM consulting activities
  • A commitment to the global ERM consulting marketplace, as expressed through the following:
    • Ability to service clients globally, specifically with market share and clients within three major regions (for example, North America, Western Europe, Latin America, Japan or Asia/Pacific)
    • Have a physical risk management consulting practice present on-site in more than three major regions (for example, North America, Western Europe, Latin America, Japan and Asia/Pacific)

Consultants were excluded if they did not meet the functional and revenue criteria or did not have adequate referenceability.

This MarketScope will include all vendors in a given sector. Assessed consultants evaluated in this MarketScope research are those that act as advisors and may also provide implementation services that encompass most or all levels of a solution, as outlined above. In addition, consultants will be evaluated in more detail using a combination of quantitative and qualitative criteria. Note that vendors cannot elect to be excluded from a MarketScope, assuming they meet the inclusion criteria.

Rating for Overall Market/Market Segment

Overall Market Rating: Positive

The market for ERM consulting services is driven by board- and senior-executive-level concerns about business uncertainty, including business risks and regulatory compliance. Risks have yet to be fully understood at the middle and lower management level, which provides opportunities for consulting firms to help their clients bridge this gap. The consulting firms evaluated all have significant capabilities to deliver ERM services, and most of them have a mature understanding of risk and the relationship of risk to business objectives.

Evaluation Criteria

Table 1. Evaluation Criteria

| Evaluation Criteria | Comment | Weighting |
| --- | --- | --- |
| Market Understanding | Ability of the consultant to understand buyers' needs and translate these needs into risk management services and deliverables, including the ability to provide a sustainable solution for the client. Consultants demonstrate the highest degree of vision, demonstrate an ability to listen and understand the buyers' wants and needs, and can shape or enhance those wants with their added vision. | High |
| Offering (Product) Strategy | A consultant's approach to service delivery that emphasizes differentiation, thought leadership, methodology and business understanding as they map to current and future requirements. This includes having a dedicated risk management practice or demonstrating a proven service offering with a risk management focus. | Standard |
| Vertical/Industry Strategy | The consultant's strategy to develop, direct and deploy resources, skills and offerings to provide the depth of experience and knowledge within individual market segments, including vertical industry solutions. | Low |
| Geographic Strategy | The consultant's strategy to develop, direct and deploy on-site resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for those geographies and markets. This includes an ongoing training of risk management consulting resources, on-site and off-site. | High |
| Sales Strategy | The consultant's capabilities in all presales activities, including the ability to define the appropriate scope and nature of the effort required to satisfy the client's needs. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel, including partners. | Standard |
| Customer Experience | Relationships, expertise and services/programs that enable clients to be successful in adopting risk management methods and practices. Specifically, this includes the ways clients receive change management and associated IT implementation support to ensure that risk management methods and practices are fully embedded within their business. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, partners, service-level agreements, qualitative working experience with the client, seamless internal business units collaboration with the client, and so forth. | High |
| Market Responsiveness and Track Record | Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customers' needs evolve, and market dynamics change. This criterion also considers the consultant's history of responsiveness. This will include a demonstrated commitment to advancing risk management improvements through research activities, thought leadership programs, industrywide forums, regular methodology and framework updates, professional training services/events, and so forth. | High |

Source: Gartner

Figure 1. MarketScope for Global Enterprise Risk Management Consulting Services

Source: Gartner (September 2012)

Vendor Product/Service Analysis

Accenture

Accenture has had a dedicated focus on risk management since the 1990s and formalized that by establishing its global risk management consulting practice in February 2010. This has grown rapidly in both revenue and head count since then. Broadly, Accenture's practice has a vertical focus on the financial services, resources, health and public sectors, consumer products, and consumer and high-tech industries. Gartner estimates Accenture has 2,600 to 2,800 full-time equivalents (FTEs) globally in risk-management-related consulting. In 2010, Accenture acquired RiskControl, a risk management consulting and software firm in Brazil. Accenture leverages its Accenture Technology Labs to support the practice. Accenture's customer support programs include its monthly Regulatory Insights, which updates and advises clients on the impacts of the ever-changing global regulatory landscape. Accenture also publishes regular thought leadership, including research-based initiatives, such as the Global Risk Management Study and the Accenture Risk Management Analytics Study.

Approach

Accenture's methodology and service offering center on two distinct sets of capabilities: management consulting and system integration. Management consulting services focus on delivering a set of risk management capabilities, developing GRC strategy/business requirements and assisting with EGRC vendor selection. Accenture provides these services within a formal Risk Management Capability Framework. System integration services focus on merging EGRC system functionality with business process to provide a sustainable risk management program.

Strengths

  • Sales strategy — Accenture's clients are very satisfied with Accenture's ability to define project scope according to clients' needs, and the message of "understanding our current state" was repeated by Accenture's client references. A higher percentage of Accenture clients also mentioned having a cost-plus contract arrangement with Accenture.
  • Offering strategy — Accenture's dual focus on management consulting and system integration with a robust set of methodologies and frameworks is a clear strength. It is noted for the ability to integrate risk management concepts into operations through the implementation of EGRC-related technologies. Project management capabilities are also viewed as a primary strength, with a deliverable-focused approach to Accenture's engagements. In addition, clients are most satisfied with Accenture's leading innovation capabilities in areas such as risk analytics and data transformation.

Cautions

  • Market understanding — Accenture works primarily with Fortune 100-500 companies, and it employs a highly leveraged resource model that promotes the use of a comparatively large number of generalists led by a few specialists. This is a strength for Accenture when it is engaged in large, system integration projects that are easily segmented into standard project tasks. However, most ERM consulting engagements require a deeper understanding of risk across an enterprise that is not well-suited to generalist consultants. As Accenture continues to mature its risk management capabilities, it will have the opportunity to adjust its model toward more dedicated risk management consultants.
  • Market responsiveness and track record — Clients were least satisfied with Accenture's thought leadership and overall risk management vision. Many still view Accenture's primary focus as pointed more toward IT risks than toward the broader set of enterprise risks. Despite Accenture's efforts to increase awareness of its capabilities and insight through initiatives such as its Global Risk Management and Risk Analytics survey, in the words of one Accenture client reference, "they are seen serving the CIO and CISO rather than the CEO and the CRO." Again, this area may improve over time as Accenture's risk management engagement portfolio expands and as demand for risk analytics grows in industries beyond financial services.

Rating: Promising

Deloitte

Deloitte has long-established service line offerings for ERM, with Gartner estimating between 20,000 and 23,000 FTEs supporting the delivery of risk management projects. Deloitte is making focused risk management investments in the following verticals: financial services, consumer business, energy and resources, life sciences, and the public sector. Deloitte's customer support offerings include formal risk academy programs within its client-focused education center, Deloitte University.

Approach

Deloitte's approach centers on building what it calls a "Risk Intelligent Enterprise." It includes four primary areas:

  • Risk Intelligence Thought Leadership — The core focus of Deloitte's thought leadership is the Risk Intelligence White Paper series. It is composed of 25 white papers and a book, "Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise."
  • Risk Intelligence Program Methodology (RIPM) — RIPM applies nine fundamental principles for building a Risk Intelligent Enterprise to transform an organization's risk management capabilities. Within RIPM, Deloitte provides specific risk-related content through 65 modules, with more than 210 accelerator documents that include templates, samples and guides.
  • Risk Intelligence Maps — The maps serve as templates to help clients determine their overall risk exposure, identify risk interactions, eliminate risk silos and plan risk mitigation strategies.
  • Risk Intelligence Diagnostic and Maturity Model — The model provides a method for determining a client's current and desired level of risk intelligence as well as opportunities for improving risk capabilities.

Strengths

  • Sales strategy — Deloitte client references mentioned having cost-plus arrangement contracts with Deloitte. Deloitte's client references are most satisfied with Deloitte regarding its tenure of consultants and its outcome-based value commitments and willingness to gain share.
  • Market responsiveness and track record — Deloitte's thought leadership is viewed as a major strength by its clients. With the longest-running continuous risk management service line offerings, Deloitte has consistently provided thought leadership on topics ranging from Sarbanes-Oxley compliance, privacy and industry-specific regulations to the emerging focus on integrating risk management with business performance. Clients also value the tenure and risk-management-related experience offered by Deloitte's consultants.
  • Offering strategy — Deloitte is noted by its clients for its robust methodologies, strong ERM frameworks and its EGRC platform competence. By focusing on risk intelligence, Deloitte differentiates its service offerings by linking risk management activities with business decision-making capabilities. Clients also rated Deloitte very highly on its deep level of industry expertise. This is demonstrated through Deloitte's recent investments in creating a new Center for Risk Modeling and Simulation, as well as the launch of the U.S. and EMEA Centers for Regulatory Strategies supporting clients in highly regulated industries, such as financial services, energy and resources, and life sciences and healthcare.

Caution

  • Customer experience — While Deloitte possesses robust methodologies, some clients noted a lack of strong project management skills or the ability to integrate risk management concepts into the business structure. Gartner observes that in situations like these, consultants sometimes will rely too heavily on their methodology at the expense of the unique business requirements of the client.

Rating: Strong Positive

Ernst & Young

Ernst & Young has maintained a risk management practice since 1995. This practice covers risk management, compliance and regulations, risk-embedded performance improvement, internal audit, and internal controls. It has established centers of excellence to develop research and innovation focused on risk and performance models. The company has also made acquisitions, including those of EnteGreat, Hacktics and True Partners Consulting. Gartner estimates Ernst & Young has between 15,000 and 17,000 FTEs globally supporting its risk management projects. Ernst & Young's client support programs include surveys on "Turning Risk into Results" and the 10th Global Information Security Survey. In addition, Ernst & Young's Internal Audit Survey launched significant investments in controls transformation, internal audit, information security and technology enablement.

Approach

Ernst & Young's approach focuses on the transformation of risk and control functions. This focus is employed in an integrated "risk transformation" methodology that includes the following elements:

  • GRC Technology Delivery — Analysis of client-risk-and-compliance-related business processes and enabling technologies to develop business insights for specific risk events or situations (for example, business and IT process and controls monitoring and testing; access controls and segregation of duties; data analytics; and data quality, structure, mapping and integration)
  • Applied GRC Enablement — GRC technology development to generate business insights around a specific process or initiative to manage risk, improve control or enhance process performance (for example, GRC platform implementation, business intelligence dashboards, audit process enablement, risk system convergence and custom risk solutions)
  • Enterprise GRC Technology Transformation — Creation of enterprisewide GRC technology strategy and infrastructure (for example, GRC technology road map and strategy; risk and controls convergence initiatives; client current-state GRC technology assessment; GRC architecture and proof of concept; GRC platform evaluation and selection; and information management program development and initiatives)

Strengths

  • Market understanding — Ernst & Young rated highly in client surveys across a number of categories, including risk management consulting vision, leading innovation capabilities, objectivity and independence. This is most likely attributable to Ernst & Young's unique risk transformation approach that integrates business and IT risk management as well as its strategic alliances with key technology vendors, such as SAP.
  • Market responsiveness and track record — Clients rate Ernst & Young highly for its strong references, tenure of consultants and its overall cultural fit with the client's organization. In addition, Ernst & Young staffs its risk management project engagements with consultants who possess a strong and deep business process consulting background.
  • Customer experience — Ernst & Young's ability to influence senior management with respect to the changes required for successful risk transformation is a clear strength. In addition, prior positive experiences have equated to consistent re-engagement by clients.

Caution

  • Sales strategy — Some of Ernst & Young's client references revealed the least satisfaction with the company's partnerships and alliances, as well as the overall "value for money" of contracted services. To Ernst & Young's credit, the firm is working to form stronger alliances, as evidenced by the recent addition of an Ernst & Young representative on SAP's Global Managing Board.

Rating: Strong Positive

KPMG

KPMG launched its risk management consulting practice in 1995. This practice covers GRC strategy, ERM, financial risk management, forensics, internal audit and regulatory compliance, IT risk and compliance, and information protection and business resilience. It has established a dedicated global "Innovation Council" that examines trends in the marketplace with an 18- to 36-month horizon. This group then provides the insight into KPMG's global service development group. Gartner estimates that KPMG has between 15,000 and 18,000 FTEs supporting its risk management projects globally.

Approach

KPMG takes an integrated approach to unify governance, risk, compliance and assurance functions using what it refers to as the KPMG ERM/GRC Holistic Model. The stated objective is to achieve a consistent and holistic vision across the organization that, according to KPMG, accomplishes the following:

  • Protects and enhances business value by fostering a risk-aware culture, supporting informed decision making, and addressing multiple compliance and assurance layers
  • Enhances operational efficiency by rationalizing risk management, controls, and assurance structures and processes, and intelligent use of IT and data management structures
  • Provides a proactive and dynamic approach by enabling the organization to quickly, consistently and efficiently respond to challenges provided by evolving risk profiles and rapidly changing regulatory requirements
  • Supports a link to strategy by enabling a company to meet compliance objectives while improving performance by using an integrated framework in support of its strategic objectives

KPMG has developed more than 50 unique risk and performance methodologies to support the ERM/GRC Holistic Model — such as governance; organization and infrastructure; technology; culture and behavior; risk profile; GRC operational model; and enterprise assurance.

Strengths

  • Geographic strategy — Client surveys indicate KPMG has a strong geographic capability and global scale. This is most likely because it is well-represented with dedicated risk management consulting practices across the globe. Risk management solutions are developed centrally from its Global Services Center (GSC) in the United States and are deployed globally on a consistent basis. The GSC manages all service investments, and develops and launches proprietary new methods and toolsets through a rigorous innovation prioritization and development process.
  • Market responsiveness and track record — KPMG is also noted for its strong network of contacts in the ERM discipline and its ability to implement EGRC technology platforms and related processes. It has enhanced its strategic alliances with technology vendors, and its consulting resources possess knowledge of a variety of EGRC technologies and have strong project management skills.

Caution

  • Offering strategy — Client references rated KPMG relatively low for lacking robust methodologies. As many ERM/GRC engagements are transformational in nature, KPMG used a customized road map approach to deliver its services. KPMG's ERM/GRC Holistic Model is a high-level framework that provides each client with a range of service options that are complemented by one or more of KPMG's 50-plus operational methodologies. While some clients indicated that this customized approach meets their unique business requirements, others indicated a lack of continuity in approach. KPMG continues to refine its delivery model to create better transparency for its customers of the underlying methodologies supporting the customized road map.
  • Customer experience — KPMG uses a lean approach to staffing large transformational projects, which results in the necessary transformational specialist being on-site and coordinating other subject matter expertise when needed. This approach can sometimes result in project delays due to the logistics surrounding necessary reviews with off-site subject matter resources, or can sometimes result in clients perceiving they don't have enough deep interaction time with risk experts.

Rating: Positive

Protiviti

Protiviti was founded in 2002 by former Arthur Andersen business and internal audit consultants. The company built its consulting practice on its core internal audit services and risk consulting competencies. In addition, Protiviti emerged as a leading provider of services associated with compliance requirements mandated by the Sarbanes-Oxley Act (SOX) of 2002. This led to a preponderance of its engagements and services involving EGRC-related activity. Protiviti's consulting services cover the following areas: risk management and compliance, IT consulting, business operations improvement, finance and accounting excellence, litigation, restructuring and investigative services, and internal audit and financial controls. The company also markets a proprietary EGRC software solution called "Governance Portal." Protiviti focuses on the manufacturing, financial services, retail and services industries, and Gartner estimates between 2,400 and 2,600 FTEs supporting risk management projects. Protiviti continues to invest in customer support programs and solutions such as its Performance/Risk Integration Management Model (PRIM2), KnowledgeLeader online, Governance Portal EGRC platform, Early Mover Circle of Excellence, Chief Risk Officer (CRO) Series and Risk Index.

Approach

Protiviti's risk management consulting approach follows an assess, design and build life cycle for all engagements. Supporting this life cycle is the Protiviti Solutions Methodology. The methodology serves as a common delivery mechanism for all Protiviti consultants to ensure a consistent work product for the client. Both business and technical requirements definition activities are included in the methodology to support an integrated risk management solution. In addition, the Solutions Methodology requires all Protiviti engagement teams to plan, envision, deliver and validate value on client projects. Protiviti describes the Solutions Methodology as a best-of-breed methodology, which emphasizes problem solving, benchmarking and change management.

Protiviti also provides several frameworks and tools to support its methodology. These include a detailed Protiviti Risk Model, which provides a detailed taxonomy and definitions for enterprise risks; a Capability Maturity Model, allowing a client to measure its risk management program maturity; and a Protiviti Risk Index, which provides a composite view of a company's risk profile.

Strengths

  • Market responsiveness and track record — Protiviti's thought leadership in risk management is demonstrated through its ongoing investments in research activities, thought leadership programs, industrywide forums, regular methodology and framework updates, and professional training services/events. In addition, Protiviti markets two software products that augment its consulting services. One is its Governance Portal, a full-scope EGRC technology platform that clients can acquire to support their risk management program. The second is a subscription-based, online knowledgebase of internal audit and risk management best practices called KnowledgeLeader.
  • Sales strategy — Protiviti is often viewed as an alternative to the traditional "Big Four" consulting providers and uses that market perception as a strength. In addition, it is aggressive in its pricing strategies and offers highly competitive rates.
  • Customer experience — Protiviti clients note a strong cultural fit as well as very positive prior-engagement experiences. A majority of Protiviti clients expressed high levels of satisfaction with Protiviti's ability to define project scope and deliver expected results.

Cautions
  • Market understanding — Protiviti is in a unique position as the only consulting provider in the MarketScope that markets its own proprietary EGRC technology platform. This creates both an opportunity and an obstacle with its clients. Some clients perceive a lack of objectivity and independence when seeking advice from Protiviti on the selection of EGRC platforms. This perception may not be warranted because Protiviti goes to great lengths to avoid this perceived conflict of interest. As a result, Protiviti most likely is missing opportunities to provide clients with a full risk management solution in its attempt to combat a negative perception.
  • Offering strategy — Protiviti lags other consulting providers in its ability to implement a wide range of EGRC technology. While Protiviti maintains that it remains agnostic regarding its clients' choice of EGRC technology providers, it also emphasizes that its GRC technology platform is a key differentiator, allowing it "to deliver content-rich solutions to our clients through a single provider of risk management services and technology." Gartner observes that this offering strategy can inhibit Protiviti's ability to establish key strategic alliances — apart from SAP and Oracle — with other EGRC technology providers and, as a result, limits its opportunity to implement a wide range of EGRC technology.

Rating: Positive

PwC

PwC's risk management service line offering dates back to 1992, when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) selected PwC as the author and project manager of its original COSO Internal Control - Integrated Framework. PwC was instrumental in the development of COSO's Internal Control - Integrated Framework, which has become the most commonly used framework for determining the effectiveness of internal controls, including SOX compliance. In 2004, COSO sought to create a risk management framework designed to build on and complement the Internal Control - Integrated Framework. COSO again selected PwC to serve as the project manager and author of its Enterprise Risk Management - Integrated Framework. COSO has again engaged PwC to serve as the author and project manager for the update of the original COSO Internal Control - Integrated Framework. The firm has a performance and risk management practice that includes the following: ERM, capital management, financial analytics and valuation, credit risk, market risk, supply chain risk, and operational risk. PwC has an estimated 1,500 to 1,800 FTEs globally who are involved in risk management consulting.

To link its risk management practices to other related service areas, PwC is actively investing in the creation of a center of excellence that it calls the "Strategy and Risk Institute (SRI)." The SRI has a dedicated focus on risk-management-related initiatives, such as the development of the Risk and Opportunity Assessment Dashboard (ROAD), a global business intelligence database designed to provide risk-related information to its consultants.

Approach

PwC describes its approach to ERM consulting as delivering change across three main areas — business platform, business management and business strategy — while driving change via its change management and program delivery capabilities. This approach is supported by its global delivery model and methodology. This model and methodology are designed to deliver services related to a client's risk management program, as it relates to the business strategy and structure, the operating model and business management, as well as the supporting business platform. Within the methodology are 16 building blocks that represent the primary components of an integrated risk management program.

Strengths
  • Market understanding — PwC has a solid understanding of the market, as demonstrated by its current leadership in the first revision of COSO's Internal Control - Integrated Framework. PwC has produced an exposure draft of the revised framework with final publication expected in early 2013. Through efforts like these, PwC is a significant contributor to the future direction and growth of risk management as a widely accepted management discipline.
  • Offering strategy — PwC is recognized as a leader in providing strong frameworks and robust methodologies. Its global delivery model and methodology, coupled with the new SRI and the ROAD, demonstrate PwC's understanding of the evolving global risk environment and its impact on companies' performance capabilities.

Caution
  • Sales strategy — PwC tends to rely heavily on its senior-level consultants in key client engagements. Based on increasing demand for risk management consulting services, the firm has needed to integrate less-experienced consultants to define project scope and deliver services across a wide range of client engagements. Client survey results indicated staffing challenges and knowledge gaps in initial proposals, as well as an overreliance on certain key consultants.

Rating: Strong Positive

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Gartner MarketScope Defined

Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.

The table below defines the various ratings.

MarketScope Rating Framework

Strong Positive
Is viewed as a provider of strategic products, services or solutions:

  • Customers: Continue with planned investments.
  • Potential customers: Consider this vendor a strong choice for strategic investments.

Positive
Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:

  • Customers: Continue planned investments.
  • Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.

Promising
Shows potential in specific areas; however, execution is inconsistent:

  • Customers: Consider the short- and long-term impact of possible changes in status.
  • Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.

Caution
Faces challenges in one or more areas.

  • Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
  • Potential customers: Account for the vendor's challenges as part of due diligence.

Strong Negative
Has difficulty responding to problems in multiple areas.

  • Customers: Execute risk mitigation plans and contingency options.
  • Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.