MarketScope for Global Risk Management Consulting Services

20 August 2013 ID:G00246276
Analyst(s): Jacqueline Heng, John A. Wheeler


This MarketScope assesses the risk management consulting capabilities of seven global consulting firms. Buyers should use it to identify and evaluate the right consultants to help develop their risk management and compliance programs and to select associated implementation services and technologies.

What You Need to Know

In the consulting marketplace, the leading firms are rapidly repositioning and evolving their delivery models, in response to their clients' increased sophistication and the complexities of a global economy. There is also a clear awareness among providers that genuine differentiation counts in the competitive landscape for risk management (RM) consulting. The repositioning and evolution of consulting delivery models are reflected in the inconsistent customer experience ratings given to the providers in this year's MarketScope. In previous years, client reference data demonstrated clear patterns and/or themes related to customer satisfaction across the whole practice of consulting. This year, however, the commentary mostly reflected individual project engagement teams. We regard this as an inflection point for the market — often referred to as the Trough of Disillusionment in our Hype Cycle reports. Heightened client expectations, together with evolving consulting skill sets in areas such as risk analytics, mean that the market is poised to move into the Slope of Enlightenment as consulting providers sharpen their focus. Leading providers in this MarketScope are investing and managing their resources through global centers of excellence (COEs), and they are using risk labs effectively to provide the necessary expertise that clients now demand.

Note: Unlike in the previous year's MarketScope, the full-time equivalent (FTE) numbers in this report estimate the number of consultants who are fully dedicated to RM consulting services for the consulting firm and exclude part-timers, contract staff and other FTEs who do some work on an RM consulting project, such as assurance, internal audit and financial management consultants. Hence, comparisons on FTEs should not be made against the past year's numbers because Gartner is now looking at FTEs from a dedicated RM consulting perspective; thus, the number of FTEs has not declined. Gartner needs to be consistent across all consulting service reports (that is, the numbers we estimate are consistent with the consulting revenue that we estimate in our published Market Share database [for more information, see "Competitive Landscape: Competing in the Digitally Shaped Future of Consulting"]).

Gartner has changed the name of this MarketScope to give a more focused description of the dynamics in the RM consulting market. These dynamics have evolved from the need to simply improve overall enterprise risk management (ERM) reporting for senior executives and the board, to using risk analytics to improve company performance.


The effects of the global economic crisis are still being felt: Companies remain bedeviled by uncertainty, and regulatory scrutiny has increased. The most urgent concern for companies — ensuring they simply survive — has largely abated, but there are still risks. According to Gartner's 2013 CEO and Senior Executive Survey (see "CEO and Senior Executive Survey 2013: Financial Services CEOs Grapple With Costs and Uncertainty"), 90% of respondents indicated that a high level of business uncertainty will dominate their operations throughout the year. The top five risks identified by the survey were: economic uncertainty (54%), regulatory risks (35%), market conditions (34%), public-sector policy and spending (25%), and financial risks (19%).

To navigate these risks and remain competitive in this unstable environment, business and IT leaders are turning to RM consulting providers for guidance and technology. As providers attempt to differentiate themselves, they can also create some confusion in the market about the RM services they offer: whether they can create an ERM framework or implement a governance, risk and compliance (GRC) technology solution. Gartner has created an ERM/GRC blueprint that describes how ERM and GRC solutions should be used to create a successful RM and compliance program (see "Introducing the ERM/GRC Blueprint for a Successful Risk Management and Compliance Program"). This can help companies determine their requirements and select the best RM consulting provider for their particular situation.

The consulting providers profiled in this MarketScope are evolving their delivery models to better meet their clients' needs. Last year, when Gartner asked client references for their top three criteria when selecting a provider, the responses gave a glimpse of just how immature and uncertain clients were with respect to RM. The three most important criteria were:

  • Providers' ability to fulfill business needs
  • Providers' ability to show vision, thought leadership and methodology
  • Providers' ability to demonstrate consulting capabilities

This year, the top three most important criteria focused more on the provider's ability to deliver practical RM solutions that will help drive the business forward. Clients' requirements included the following competencies:

  • Strong consulting abilities
  • Understanding of and familiarity with their business
  • Strong thought leadership for RM

Market/Market Segment Description

Gartner defines RM consulting services as "the collection of expert-driven business and IT consulting services aimed at helping enterprises mitigate the impact of uncertainty on their business performance." Different consulting firms offer a variety of RM services, but this MarketScope considers how well those services support corporate governance objectives and how well they integrate with companies' compliance requirements. In this MarketScope, we take an integrated view of RM, defined as the following:

  • RM is a continuous and integrated process that supports and informs the creation of an entity's strategy. It provides a mechanism for ensuring that important business processes and behaviors remain within the entity's overall risk appetite, and adhere to relevant policies, procedures, laws and regulations.

RM is the strategic and holistic treatment of all strategic, operational, financial reporting and legal and compliance risks, including the IT and information management components of those risks.

The following activities fall under the aegis of RM consulting services:

  • Strategy — Developing and implementing an RM strategy and framework, to include performance improvement through effective governance, as supported by RM and compliance programs
  • Assessment — Consulting on the identification, evaluation and prioritization of risks and RM program needs
  • Response — Consulting on the identification and implementation of mechanisms to mitigate risks and address the identified needs of an RM program
  • Communication and reporting — Advice on the best or most appropriate way to communicate an enterprise's RM response to stakeholders
  • Monitoring — The identification and implementation of processes that methodically track governance objectives, compliance with policies and decisions determined by the governance process, the risks to those objectives, and the effectiveness of risk mitigation and controls
  • Technology — The design and implementation of a GRC technology architecture and supporting software

While organizations can purchase RM consulting services for a single focus area (such as to comply with the Sarbanes-Oxley Act), much of the current demand — to support business performance — is for holistic, integrated approaches to RM. Organizations may also look to reduce their compliance costs by pursuing a risk-based, multiregulatory approach that incorporates myriad government regulations, industry-specific rules and standards into a single cross-enterprise compliance program.

Inclusion and Exclusion Criteria

This research evaluates service providers on only their project-based RM consulting services that lead with and encompass business RM approaches, and which are not solely focused on IT RM. We need to make this distinction clear to evaluate consultants on their RM abilities. These consultants should have the following:

  • Evidence of strategies and methodologies that have been applied in client engagements. This includes the integration of RM and compliance objectives.
  • At least five to nine RM consulting deals with client references.
  • At least $200 million in annual revenue from RM and directly IT-related consulting services.
  • A global reach and a commitment to the RM consulting marketplace, expressed through:
    • An ability to service clients globally. In particular, they must have market share and clients in three major regions (such as North America, Western Europe, Latin America, Japan or Asia/Pacific).
    • A physical RM consulting practice present on-site in more than three major regions (such as North America, Western Europe, Latin America, Japan and Asia/Pacific).

Consultants are excluded from our analysis if they do not meet the functional or revenue criteria, or if they did not have adequate client references. This MarketScope includes providers in a given sector only: consulting services, which begin with an assess and design phase and might lead into the build phase of a solution's life cycle.

The companies we consider for this MarketScope are those that act as advisors; they may also provide implementation services that encompass most or all levels of a solution, as outlined above. Providers will also be evaluated in more detail using a combination of quantitative and qualitative criteria. Note that vendors cannot choose to be excluded from a MarketScope, assuming they meet the inclusion criteria.

Rating for Overall Market/Market Segment

Overall Market Rating: Positive

The consulting firms evaluated here all have significant capabilities to deliver RM consulting services, and most have a mature understanding of risk and its relationship to business objectives. When evaluating whether a particular provider will fit with a project, you should consider all the consultants listed in this MarketScope, rather than focusing on consultants with Strong Positive ratings.

Evaluation Criteria

Table 1. Evaluation Criteria




Market Understanding

The consultant's ability to understand buyers' needs and translate these into RM consulting services and deliverables. This includes the ability to provide a sustainable RM solution for the client. For this category, consultants demonstrate three factors: the strongest vision; that they can listen to and understand their buyers' needs; and that they can shape or enhance those needs with their vision.


Offering (Product) Strategy

A consultant's approach to service delivery that emphasizes differentiation, thought leadership, methodology and business understanding as they map to current and future requirements. This includes having a dedicated RM practice, or demonstrating a proven service offering with an RM focus and approach. Consultants' methodologies should be able to demonstrate: (1) how RM is managed across the enterprise; and (2) how RM links directly to the client's business outcome.


Vertical/Industry Strategy

The consultant's strategy for developing, directing and deploying the resources, skills and offerings needed to provide a suitable depth of experience and knowledge within individual market segments, including vertical industry solutions.


Geographic Strategy

The consultant's strategy for developing, directing and deploying on-site resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography. This can be either directly or through partners, channels and subsidiaries, as appropriate for those geographies and markets. It includes the ongoing training of RM staff, both on-site and off-site.


Sales Strategy

The consultant's capabilities in all presales activities. This includes the ability to define the appropriate scope and nature of the effort needed to satisfy the client's needs. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel, including partners.


Customer Experience

Relationships, expertise and services/programs that enable clients to successfully adopt RM methods and practices. Specifically, this includes the ways that clients receive support in RM change management and the associated IT implementation, to ensure that RM methods and practices are fully embedded within their business. This can also include ancillary tools, customer support programs (and their quality), the availability of user groups, partners, SLAs, the qualitative working experience with the client, the seamless collaboration of internal business units with the client, and so on.


Market Responsiveness and Track Record

The consultant's ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customers' needs evolve, and market dynamics change. This criterion also considers the consultant's history of responsiveness. This will include a demonstrated commitment to advancing RM improvements through research activities, thought-leadership programs, industrywide forums, regular methodology and framework updates, professional training services and events, and so on.


Source: Gartner (August 2013)

Figure 1. MarketScope for Global Risk Management Consulting Services

Source: Gartner (August 2013)

Vendor Product/Service Analysis


Accenture

Accenture has had a dedicated focus on RM since the 1990s and formalized that by establishing its global RM consulting practice in February 2010. Accenture's RM practice has grown rapidly in terms of revenue, head count and number of clients. Broadly, Accenture's practice focuses on the following vertical sectors: financial services, resources, the health and public sectors, consumer products, and consumer and high-tech industries. Gartner estimates that Accenture has 600 to 900 full-time dedicated RM consultants globally, excluding other risk-related IT FTEs that support the company's RM practice. Accenture supports its RM practice through multiple capability groups, including Accenture Technology Labs.

Accenture's Global Regulatory Database, which is utilized for clients, tracks and monitors 50 regulators with more than 500 key risk and regulatory developments globally.

For its RM offering, Accenture makes use of its network of resources:

  • Global Delivery Network
  • Risk Analytics COEs — Across four geographies, with competencies in Credit Risk Analytics, Fraud Analytics, Model Development and Validation, and Consumer Credit Analytics
  • Client Innovation Centers
  • Accenture Technology Labs
  • Industry COEs
  • Industry Solution Centers

Accenture's methodology and service offering center on two distinct capabilities: management consulting and system integration. Its management consulting services focus on delivering a set of RM capabilities, developing GRC strategy/business requirements and helping clients choose enterprise GRC (EGRC) vendors. Accenture provides these services within a formal Risk Management Capability Framework. Its system integration services focus on merging EGRC system functionality with business processes to provide a sustainable RM program.

  • Market understanding — Accenture has improved its ability to provide strategic RM advice, and it has proven, working client cases to highlight its ability to provide strategic advice. This capability supports the current needs of larger clients that are looking for more strategic advice that applies to their unique business situation.
  • Offering strategy — Accenture's continued focus on providing RM consulting, GRC, business operations controls and IT RM, coupled with a robust set of methodologies, frameworks and risk analytics use cases, is a clear strength. Accenture's clients give healthy satisfaction ratings for the company's strong industry expertise and influence with senior management.
  • Customer experience — While Accenture brings a unique project management focus and discipline to its engagements, some clients noted that the consultants may be too rigid in their thinking and unwilling to consider secondary options, particularly when met with differences of opinion with clients.
  • Market responsiveness and track record — As Accenture continues to develop a positive track record, with more strategic RM engagements, it must aggressively pursue those opportunities in which its other strengths complement its RM offering. These strengths include corporate performance management, data analytics and risk modeling.

Rating: Positive

Crowe Horwath Global Risk Consulting

Crowe Horwath Global Risk Consulting's practice started in Chicago in 2002. Between 2003 and 2010, it continued to bolster its practice by acquiring and opening offices in the U.S., and it now has more than 20 offices in the U.S. In 2011, the firm expanded its global risk consulting practice and opened offices in London and Montreal. Practices in Beijing, Paris and Toronto opened in 2012. Worldwide, Crowe Horwath Global Risk Consulting employs approximately 600 to 900 dedicated RM consultants, excluding other IT FTEs and contractors who support RM consulting services. Crowe Horwath Global Risk Consulting's key vertical expertise focuses on financial services and manufacturing. Its service offerings include corporate governance, ERM, internal audit, regulatory compliance, fraud, risk, internal controls, technology risk and third-party risk.


Crowe Horwath Global Risk Consulting's approach to RM consulting centers on its Sustainable Enterprise Risk Management (ERM) Framework. This framework provides a road map for clients to create an ERM infrastructure to support their organizational and change management requirements, so that they can address risks as their strategy evolves. As needs dictate, Crowe Horwath Global Risk Consulting will augment the ERM infrastructure with proprietary technology tools, such as its Crowe Risk Assessment Management Platform (Crowe RAMP) or the Crowe Activity Review System (CARS).

The firm has also developed several mechanisms to capitalize on its pool of resources around the globe. First, it has created individual RM competency COEs for each of the following areas:

  • Business process risk
  • Technology risk
  • Regulatory compliance risk
  • Fraud risk
  • Enterprise risk
  • Privacy risk

Then it uses "virtual communities" to connect resources outside the COEs to share thought leadership, common client issues and solutions, and technical expertise.

  • Offering strategy — Despite its smaller size and level of resources compared with its peers listed in this MarketScope, Crowe Horwath Global Risk Consulting is innovative in its approach to producing proprietary risk analysis and management solutions for its clients.
  • Market understanding — Crowe Horwath Global Risk Consulting received positive ratings from clients on its ability to add value through alliances, as well as its overall understanding of its clients' business. In addition, the firm invests a percentage of its annual revenue into R&D activity, to remain current in addressing the demands of the market.
  • Geographic strategy — Crowe Horwath Global Risk Consulting's geographical spread is not as wide as that of its peers listed in this MarketScope. As a result, the company must work harder to provide the geographical coverage to meet client demand while looking to achieve greater physical presence in new markets.
  • Customer experience — The company continues to train and build up its consulting resources. But it needs to accelerate its growth plans to manage its clients' concerns over its heavy reliance on key and senior consultants. In addition, clients' experience with Crowe Horwath Global Risk Consulting consultants was inconsistent in terms of relationship and project management.
  • Sales strategy — As Crowe Horwath Global Risk Consulting continues to grow, it must ensure that it has adequate staff to fill follow-on engagements and expand its client relationships.

Rating: Promising


Deloitte

Deloitte has long-established service line offerings for RM. Gartner estimates that it has between 5,800 and 6,100 dedicated RM consultants, excluding other IT FTEs who support the delivery of RM projects. Deloitte is making focused RM investments in the following verticals: financial services, consumer business, energy and resources, life sciences, and the public sector. Its practitioner development programs include formal risk academy education programs within its global leadership center, Deloitte University.

Recent acquisitions that bolster Deloitte's RM consulting service offering include Vigilant, a provider of security and cyberthreat intelligence services, and MN Security, a consulting firm specializing in SAP. Deloitte has also formed a strategic alliance with data analysis firm Kaggle, which has access to more than 100,000 data scientists worldwide to further support a strategic focus on analytics-driven services.


Deloitte's approach centers on building what it calls a "Risk Intelligent Enterprise," which includes four main areas:

  • Risk Intelligence Thought Leadership — The core focus of Deloitte's thought leadership is its Risk Intelligence White Paper series. This is composed of 26 white papers and a book, "Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise."
  • Risk Intelligence Program Methodology (RIPM) — RIPM applies nine fundamental principles for building a Risk Intelligent Enterprise to transform an organization's RM capabilities. Within RIPM, Deloitte provides specific risk-related content through 65 modules, with more than 210 documents in its accelerator program, including templates, samples and guides.
  • Risk Intelligence Maps — These serve as templates to help clients determine their overall risk exposure, identify risk interactions, eliminate risk silos and plan risk mitigation strategies.
  • Risk Intelligence Diagnostic and Maturity Model — This provides a way to determine clients' current and desired level of risk intelligence, as well as opportunities to improve their risk capabilities.

Deloitte is building on its foundation of Risk Intelligence tools to develop its "Risk Transformation" suite, which is based on governance and culture, strategy, operating model, and technology and infrastructure.

Deloitte differentiates its service offerings by linking RM activities with business decision-making capabilities, through its Centers for Corporate Governance (in 29 locations worldwide), its GRC COEs (in 25 locations worldwide), and specialist COEs, such as its Center for Risk Modeling and Simulation. In addition, it has a broader global delivery network, which encapsulates digital studios, security and forensics labs and analytics labs (Highly Immersive Visual Environment [HIVE]) across the world.

  • Sales strategy — Deloitte's client references continue to say how satisfied they are with the company's outcome-based value commitments, and consider its contracted services relationship to be "value for money." In fact, Deloitte's consultants were rated highest for "strong consulting competence."
  • Market responsiveness and track record — Deloitte is consistently working toward finding and producing new RM solutions, using analytics to help clients solve complex risk problems. The latest example is the Project Predictive Analytics Tool, which applies risk analytics to large projects and internal audit planning and offers a risk-sensing analytics solution.
  • Offering strategy — Deloitte's strength lies in its robust methodologies, its strong RM frameworks and its competence with EGRC platforms. Its clients rate the company very highly for both its capability to implement solutions and for its global scale.
  • Customer experience — Similar to other firms, when it comes to customer experience, Deloitte's clients point to inconsistent relationship management when working with the company. As Deloitte moves up the value chain to support and service the board levels, C-suites and new business leaders, it must continue to provide a consistent and similar degree of Deloitte client intimacy and experience that its loyal clients are familiar with.
  • Market responsiveness and track record — Several of Deloitte's client references commented on the lack of detail orientation as well as specific gaps in deliverable content. While this may not be indicative of a larger issue in the firm's quality, Deloitte must be watchful toward consistency in client deliverables as it continues to broaden the scope of its RM consulting offerings.

Rating: Strong Positive


EY

EY's RM practice, which began in 1995, covers RM, compliance and regulations, risk-embedded performance improvement, internal audit, and internal controls. EY has established COEs to develop research and innovation focused on risk and performance models. EY takes a sector-led approach with its 18 priority sectors, which include financial services, life sciences, healthcare, power and utilities, oil and gas, and consumer products. The company also has made acquisitions, including EnteGreat, Hacktics and True Partners Consulting. Gartner estimates that EY has between 5,700 and 6,000 dedicated RM consultants, excluding other IT FTEs who support its RM projects globally. EY's client support programs include surveys, such as "Turning Risk into Results," the Internal Audit survey and the 15th Global Information Security Survey. Furthermore, EY has made considerable investment in controls transformation, internal audits, information security and technology enablement. The firm also continues to invest in and build out its partner ecosystem, including with SAP; Approva; RSA, The Security Division of EMC; McAfee (an Intel Company); IBM OpenPages; BlackLine Systems; and so forth.

To provide its RM offering, EY makes use of its network of resources:

  • Global Talent Hub (two locations) — This includes infrastructure security, predictive analysis, internal audit, internal controls, program RM and modeling of complex derivative products.
  • Global Family Business Center of Excellence.
  • Security Center of Excellence.
  • Security Operations Center.
  • Advanced Security Centers (seven locations).

EY's approach focuses on transforming the risk and control functions by using an integrated "risk transformation" methodology that includes the following elements:

  • GRC Technology Delivery — Analyzing business processes and enabling technologies related to client risk and compliance, to develop business insights for specific risk events or situations. Examples include business and IT process and controls monitoring and testing; access controls and segregation of duties; data analytics; and data quality, structure, mapping and integration.
  • Applied GRC Enablement — Developing GRC technology to generate business insights around a specific process or initiative. These insights allow companies to manage risk, improve risk control or enhance their processes (such as GRC platform implementation, business intelligence dashboards, audit process enablement, risk system convergence and custom risk solutions).
  • Enterprise GRC Technology Transformation — Creating enterprisewide GRC technology strategies and infrastructure. Examples include GRC technology road map and strategy, risk and controls convergence initiatives, client current-state GRC technology assessments, GRC architecture and proofs of concept, GRC platform evaluation and selection, and information management program development and initiatives.

  • Market understanding — EY has strengthened its overall consulting methodology, embedding RM, and taking into account risks, in its clients' entire enterprise strategies, operations, supply chain, finance functions, tax implications, and fraud detection and prevention.
  • Offering strategy — EY is aggressively building up its risk, security, data and analytics capabilities. By acquiring Hacktics, the company now has Advanced Security Centers in seven locations, enabling it to focus on solutions — from cloud computing and social media to smart grid services.
  • Sales strategy — EY's willingness to gain share and to accept outcome-based value contracts is an advantage to its clients. Many EY clients cited its consultants' strong flexibility in their project scoping and approach.


  • Customer experience — EY's client references noted a few challenges in recent engagements: inconsistencies in staffing levels, high turnover and pricing structure.
  • Market responsiveness and track record — As EY positions itself to offer more business transformation expertise that relates to RM, it must ensure that it has associated resources and tools available throughout the firm. A few clients indicated that the company lacked relevant industry benchmarking tools to support their engagements.

Rating: Strong Positive


KPMG

KPMG's RM practice, which opened in 1995, covers GRC strategy, ERM, financial RM, forensics, internal audit and regulatory compliance, IT risk and compliance, and information protection and business resilience. The company has now established a dedicated global "Innovation Council" that examines trends in the marketplace, with an 18- to 36-month horizon. This group then provides insight to KPMG's global service development group. Gartner estimates that KPMG has between 5,400 and 5,700 dedicated RM consultants, excluding other IT FTEs who support its RM projects globally.

To provide its RM offering, KPMG makes use of its network of resources:

  • Global Service Center (GSC) (one location)
  • COEs — Vertical industries (10 centers), regional (two locations), and research and solutions for the market (one location)
  • IT advisory offshore centers (three locations)

KPMG takes an integrated approach to unify governance, risk, compliance and assurance functions, using what it refers to as the KPMG ERM/GRC Holistic Model. Its stated objective is to achieve a consistent and holistic vision across the organization that, according to KPMG, accomplishes the following:

  • Protects and enhances business value by fostering a risk-aware culture, supporting informed decision making, and addressing multiple compliance and assurance layers.
  • Enhances operational efficiency by rationalizing RM, controls, and assurance structures and processes, and by making intelligent use of IT and data management structures.
  • Provides a proactive and dynamic approach by enabling organizations to quickly, consistently and efficiently respond to the challenges created by evolving risk profiles and rapidly changing regulatory requirements.
  • Links to companies' strategies by enabling them to meet their compliance objectives while improving their performance. It does this by using an integrated framework to support its strategic objectives. KPMG has integrated unique risk and performance methodologies to support the ERM/GRC Holistic Model, including governance, organization and infrastructure, technology, culture and behavior, risk profile, GRC operational model, and enterprise assurance.
  • Offering strategy — KPMG utilizes a GRC road map to show clients how it will link its frameworks and methodologies to desired business outcomes. In addition, the company is increasing its focus on risk analytics to measure the impact of potential business outcomes. This includes its acquisition of WiseWindow's Mass Opinion Business Intelligence (MOBI) data aggregation and data relationship solution to provide risk indicators, and its Risk & Performance 360 predictive insights tool.
  • Market responsiveness and track record — KPMG's strategic alliances with technology vendors, coupled with its consultants, give it insight into a variety of EGRC technologies, as well as strong project management skills.
  • Geographic strategy — KPMG is increasing its RM staff numbers in key geographic locations. Its strong and innovative solutions are not limited to large clients based in the U.S., but are also well-received in countries in Asia/Pacific, including Australia, Indonesia and, recently, Singapore.
  • Customer experience — Client reference ratings indicate that KPMG can have inconsistencies among its key consultants in terms of their tenure and seniority. As KPMG builds up its strengths of resources and moves toward asset-based consulting, it must continue to ensure that the company's culture and philosophy of customer intimacy are consistently maintained, especially among its junior consultants, as some clients have alluded to inconsistency in how proactive KPMG's staff are.
  • Market understanding — KPMG continues to innovate in key markets, but clients have not yet recognized those innovations consistently across geographies. KPMG needs to be more aggressive in driving the message of its analytical capabilities across all geographies.

Rating: Strong Positive


Protiviti was founded in 2002 by business and internal audit consultants who used to be with Andersen. Protiviti built its consulting practice on its core internal audit services and risk consulting competencies. In addition, the company emerged as a leading provider of services associated with the compliance requirements mandated by the Sarbanes-Oxley Act (SOX) of 2002. As a result, many of its engagements and services involved EGRC-related activity. Protiviti's consulting services cover the following areas: RM and compliance, IT consulting, business operations improvement, finance and accounting excellence, litigation, restructuring and investigative services, and internal audit and financial controls. The company also markets a proprietary EGRC software solution called "Governance Portal." Protiviti focuses on the manufacturing, financial services, healthcare, retail and services industries, and Gartner estimates that it has between 600 and 900 full-time dedicated RM consultants, excluding other IT FTEs and contractors who support RM projects globally.


Protiviti's RM consulting approach follows an assess, design and build life cycle for all engagements. Supporting this life cycle is the Protiviti Solutions Methodology. This serves as a common delivery mechanism for all Protiviti consultants, to ensure a consistent product for clients. The methodology includes definitions for both business and technical requirements to support an integrated RM solution. In addition, the Solutions Methodology requires all of Protiviti's engagement teams to plan, envision and prove value on client projects. The company describes the Solutions Methodology as a best-of-breed methodology, which emphasizes problem solving, benchmarking and change management. Protiviti also provides several frameworks and tools to support its methodology. These include a Protiviti Risk Model, which provides a detailed taxonomy and definitions for enterprise risks; a Capability Maturity Model, allowing clients to measure the maturity of their RM programs; and a Protiviti Risk Index, which provides a composite view of a company's risk profile.

  • Sales strategy — Protiviti is seen as a good alternative to its major consulting peers. Its clients cite good packaging targeted at senior management. In addition, Protiviti has aggressive pricing strategies, and it offers highly competitive rates.
  • Customer experience — Because of its size, Protiviti can develop strong client intimacy, and it is seen as flexible enough to make changes quickly without layers of approval. Protiviti's clients also rated it stronger than its peers in the areas of technical architecture expertise and implementation capabilities.
  • Market understanding — Protiviti has enhanced its market offerings to include a social media practice, security and privacy, SharePoint, and risk modeling. However, it could improve how it articulates these offerings to the market, and its pool of new clients could be widened to boost its growth, market awareness and image.
  • Offering strategy — Protiviti trails behind its peers in terms of scale, specifically the number of consultants and offerings it has. Examples cited by its clients include "small staff" and "not enough on-site engagement." Its move into risk modeling is a positive one, but clients believe that Protiviti would benefit from more experience in this area. Model risks require a large pool of specialist data scientists, who are not readily available to the firm or even to the industry.

Rating: Positive


PwC's RM service line offering dates back to 1992, when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) selected the company to be author and project manager for the original COSO Internal Control — Integrated Framework. This has now become the most commonly used framework to determine the effectiveness of internal controls, including SOX compliance. In 2004, COSO sought to create an RM framework designed to build on and complement the Internal Control — Integrated Framework. COSO again selected PwC to serve as project manager and author of what became the Enterprise Risk Management — Integrated Framework. And COSO has engaged PwC again to serve as the author and project manager for the latest update of the original COSO Internal Control — Integrated Framework.

PwC's performance and RM practice includes the following: ERM, capital management, financial analytics and valuation, credit risk, market risk, supply chain risk, and operational risk. The company has an estimated 5,700 to 6,000 dedicated RM consultants globally, excluding other IT FTEs supporting RM.

To link its RM practice to other related service areas, PwC is investing in creating a COE that it calls the "Strategy and Risk Institute (SRI)." The SRI has a dedicated focus on RM-related initiatives, such as the development of the Risk and Opportunity Assessment Dashboard (ROAD), a global business intelligence database designed to provide risk-related information to the company's consultants.


PwC describes its approach to ERM consulting as delivering change across three main areas — business platform, business management and business strategy — while driving change via its change management and program delivery capabilities. This approach is supported by the firm's global delivery model and methodology. These are designed to deliver services related to clients' RM programs, as they relate to business strategy and structure, operating model and business management, as well as the supporting business platform. Within the methodology are 16 building blocks that represent the primary components of an integrated RM program.

  • Market understanding — PwC has capitalized on its strength in the areas of assurance, forensics, compliance, and finance and tax, coupling these areas to its RM consulting. It also holds a solid position through its current leadership role in COSO's Internal Control — Integrated Framework.
  • Offering strategy — PwC is recognized as a leader in providing strong frameworks and robust methodologies. Its methodology, coupled with the new SRI and the ROAD, demonstrates its understanding of the evolving global risk environment and its impact on companies' performance.
  • Market responsiveness and track record — PwC's client ratings show that it has improved in terms of market awareness, thanks to its stronger technology architecture and implementation capabilities. This is the result of PwC's global rollout of its training capabilities, following acquisitions of companies such as PRTM and Diamond Management and Technology Consultants.
  • Customer experience — Relationship management, communication and expectation setting could be improved, as well as consultants' ability to influence senior management.
  • Offering strategy — PwC relies primarily on its Risk Assurance practice to provide GRC technology implementation services. This could limit the firm's offerings, because of the nature of assurance work versus advisory work.

Rating: Strong Positive

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Gartner MarketScope Defined

Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.

The table below defines the various ratings:

MarketScope Rating Framework

Strong Positive
Is viewed as a provider of strategic products, services or solutions:

  • Customers: Continue with planned investments.
  • Potential customers: Consider this vendor a strong choice for strategic investments.

Positive
Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:

  • Customers: Continue planned investments.
  • Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.

Promising
Shows potential in specific areas; however, execution is inconsistent:

  • Customers: Consider the short- and long-term impact of possible changes in status.
  • Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.

Caution
Faces challenges in one or more areas:

  • Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
  • Potential customers: Account for the vendor's challenges as part of due diligence.

Strong Negative
Has difficulty responding to problems in multiple areas:

  • Customers: Execute risk mitigation plans and contingency options.
  • Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.