magic quadrant for operational risk management solutions


Upload: deepak-kamboj

Post on 13-Apr-2017


2017-01-27, 08:50 Gartner Reprint

Page 1 of 33 https://www.gartner.com/doc/reprints?id=1-3H0K2WN&ct=160906&st=sb

LICENSED FOR DISTRIBUTION (https://www.gartner.com/home)

Magic Quadrant for Operational Risk Management Solutions

Published: 13 December 2016 ID: G00297941

Analyst(s): John A. Wheeler, Jie Zhang

Summary

Security and risk management leaders are seeking to integrate their risk management solutions to gain a more holistic view of risk across the enterprise. Operational risk management solutions serve as the core element of integrated risk management.

Market Definition/Description

This document was revised on 28 December 2016. The document you are viewing is the corrected version. For more information, see the Corrections (http://www.gartner.com/technology/about/policies/current_corrections.jsp) page on gartner.com.

Operational risks refer to those risks that "relate to the uncertainty of daily tactical business activities, as well as risk events resulting from inadequate or failed internal processes, people or systems, or from external events." Operational risk management (ORM) software solutions allow organizations to aggregate and normalize data from multiple data sources, including operational and financial systems, as well as from external sources such as regulatory alerts and loss event databases.

By providing a better understanding of these risks to business objectives, ORM enables better business performance and capital allocation. ORM solutions also help companies address the increasing pressure from regulators to improve the risk reporting in annual reports, and to improve the board of directors' role in enterprisewide ORM oversight. ORM solutions usually include functions for risk analytics, as well as risk indicators to support decision making.

ORM is a central part of a growing category of integrated risk management (IRM) software solutions focused on supporting a broader enterprise risk management (ERM) program. Gartner defines IRM as a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks (see "Transform Governance, Risk and Compliance to Integrated Risk Management").

IRM solutions (IRMS) have matured and remain a top business priority for senior executives as we enter the new age of digital business. IRMS represents the set of integrated risk management technologies and processes that enable an IRM program. Gartner's research coverage of IRMS includes seven market segments containing a range of solutions, from purpose-built applications to single-vendor, integrated solution sets. The seven defined Gartner IRMS (formerly known as governance, risk and compliance [GRC] software) market segments are listed in "Market Guide for Integrated Risk Management Solutions."

The critical capabilities of ORM solutions center on providing business leaders with a more effective means of assessing risk and control effectiveness, identifying operational risk events, managing remediation efforts, and quantifying the associated operational risk exposure across the enterprise. What follows is an overview of the critical capabilities, as well as a description of their primary usage.

Risk and Control Documentation/Assessment

Operational risks, and the related controls required to mitigate them to an acceptable level, must be documented sufficiently to satisfy a number of key stakeholders — including customers, the public, regulators, external auditors, business partners/associates and board members — as well as to provide the basis for performing a comprehensive operational risk assessment. Features within this capability include:

Risk-related content, including a risk taxonomy/library, key risk indicator (KRI) catalog, regulatory compliance updates and so on

Risk assessment methodology and calculation capabilities (for example, bow tie risk assessment)

Documentation authoring, versioning and approval

The ability to integrate with purpose-built risk systems, such as business continuity management planning (BCMP), IT risk management (ITRM), IT vendor risk management (VRM), corporate compliance and oversight (CCO), enterprise legal management (ELM), and audit management

Risk Mitigation Action Planning

When operational risks are assessed to be beyond defined risk tolerance levels, action plans must be developed to ensure that the appropriate mitigation steps are taken to meet the operational risk appetite set by the board of directors or other governance body. ORM solutions can provide support to risk professionals and business leaders in managing the associated risk mitigation efforts. Features within this capability include:

Business process mapping to IT assets

Project management capabilities to track progress on risk-related initiatives or tasks

Risk control testing capabilities, such as continuous control monitoring

Control mapping to risks and business processes

Control mapping to compliance mandates

KRI Monitoring/Reporting

To effectively monitor the operational risk levels across the enterprise, companies can utilize ORM solutions to report the risk levels through KRIs (see "The Gartner Business Risk Model: A Framework for Integrating Risk and Performance"). Features within this capability include:

Risk scorecard/dashboard capabilities

The ability to link KRIs to performance metrics

Risk Quantification and Analytics

Beyond the exercise of assessing operational risk from a qualitative perspective, companies in many industries (including banking, insurance and securities) are seeking to measure operational risk on a quantitative basis. Some of the quantitative analysis is used to support capital calculation requirements driven by regulatory mandates, such as Basel III and Solvency II. Other quantitative analysis methods are used to develop more precise predictive models to determine the potential for certain operational risk events, such as fraud or theft. As such, the features within this capability include:

"What if" risk scenario analysis capabilities

Statistical modeling capabilities (for example, Monte Carlo simulation, value at risk, Bayesian statistical inference and so on)

Predictive analytics

Capital allocation/calculation

Fraud detection capabilities

Incident Management/Loss Event Capture and Analysis

A history of operational incidents and/or loss events can be used to inform the risk assessment process and facilitate the identification of event causes. In addition, ORM solutions can integrate with external loss event databases to identify potential risk events based on the experience of peers and other related entities. Features within this capability include:

An external risk event repository

Incident management workflow (review, escalate, investigate, resolve, dispose) and reporting

Impact/consequence data and analytics

Magic Quadrant

Figure 1. Magic Quadrant for Operational Risk Management Solutions

Source: Gartner (December 2016)

Vendor Strengths and Cautions

Cura Software

Cura Software is a subsidiary of Cura Technologies, a vendor headquartered in India. Within its software product set, Cura Assessor is mostly aligned with ORM capabilities. Cura's main target buyers are chief risk officers (CROs) and chief compliance officers. ORM Lite (ISO 31000) and ORM Integrated were the two products demonstrated for this research. Cura Assessor can be deployed through on-premises, hosted and SaaS models. Technical support teams are available in all major regions. The majority (about 80%) of its customer base is in South Africa and Australia.

STRENGTHS

Offering (Product) Strategy: Cura's strategy is clear and addresses the product flexibility needs of customers in this market segment.

Vertical/Industry Strategy: Clients referenced by Cura include a broad cross-industry focus in areas such as manufacturing, natural resources, communications, services and banking.

CAUTIONS

Geographic Strategy: The vendor has a limited global presence — its client base is currently concentrated in India, Australia and South Africa.

Sales Strategy: Cura has a higher reliance on partnerships with local resellers or consulting firms.

Operations: Cura's support staff and its availability are limited, when compared to other solution providers.

Dell Technologies (RSA)

RSA, a Dell Technologies business headquartered in Round Rock, Texas, offers its GRC platform to a broad set of roles, and supports a spectrum of ORM use cases. RSA Archer release 6.1, demonstrated for this research, has a set of use-case-based solutions that can be deployed and purchased independently. RSA's ORM software can be deployed either on-premises or in a multitenant, private hosted environment. Implementation services are available through the former EMC's consulting services and its partners. Four multisolution support centers are located in the U.S., the U.K., India and Australia.

STRENGTHS

Geographic Strategy: RSA has a client base across the entire globe, with a sales presence in over 50 countries.

Vertical/Industry Strategy: The vendor has a broad vertical strategy, with 28% of its current client base in financial services and the remainder spread across nine additional verticals.

Marketing Strategy: There is a strong focus on marketing to multiple buyers within an organization in support of a broader enterprisewide ORM program.

CAUTIONS

Customer Experience: Clients report lengthy time to value related to more complex implementation requirements than competitors.

Sales Strategy: A shift from direct sales to a reseller model for new customers has resulted in longer sales cycles and greater complexity in delivering solutions.

Enablon

Enablon, now a part of Wolters Kluwer (headquartered in the Netherlands), targets the following buyers: CROs; internal audit directors and/or internal control directors; environmental, health and safety (EH&S) directors; and sustainability directors. The Enablon Platform v.8, demonstrated for this research, can be deployed via on-premises, hosted or SaaS models. Enablon primarily targets and has a large customer base in industries that have high environmental and safety impacts; such as oil and gas, energy, mining, construction, chemical, engineering, heavy manufacturing, and life sciences.

STRENGTHS

Offering (Product) Strategy: The product roadmap is clear and detailed, reflecting Enablon's continued enhancements in usability and risk assessment capabilities.

Sales Strategy: The vendor's extensive implementation partner and reseller network will be bolstered by its new parent company, Wolters Kluwer.

Overall Viability: Enablon has had solid revenue and customer growth with increased access to capital via the recent acquisition.

CAUTIONS

Market Responsiveness/Track Record: The product functionality and upgrade ratings by client references are positive, yet slightly lower than with other solution providers.

Marketing Strategy: Enablon has a primary focus on the large-scale, enterprise market, which is increasingly saturated.

Sales Execution/Pricing: Its pricing model is moderately complex when compared to other solution providers.

IBM

IBM, publicly traded and headquartered in Armonk, New York, targets a broad set of buyers across the enterprise, including governance, risk management and internal audit professionals. IBM's OpenPages GRC Platform 7.2, reviewed for this research, is offered as an on-premises or SaaS solution. IBM has nine help center facilities, with locations in the U.S. and Canada, as well as in six other countries around the world. OpenPages GRC Platform typically has been deployed in larger, more complex environments; however, it also has a small or midsize business (SMB) version with a slimmed down set of functionalities. Approximately 50% of OpenPages' customers are in the financial services sector.

STRENGTHS

Marketing Strategy: IBM has a stated strategy to provide solutions for all market sizes and is expanding its focus on a wide array of industries beyond financial services.

Business Model: The vendor has highly mature sales, software development and management teams.

Operations: Integrated global support is available through IBM's standard support network — it has great reach, but may impact the vendor's ability to provide specialized subject matter expertise and support.

CAUTIONS

Vertical/Industry Strategy: While marketing a broad cross-industry focus, IBM's client base is largely centered in financial services.

Customer Experience: Clients report longer implementation time frames, potentially resulting in longer time to value relative to other solution providers.

Market Responsiveness/Track Record: Some clients experience integration, migration and scalability problems — more so relative to other solution providers.

LockPath

LockPath, privately held and headquartered in Overland Park, Kansas, offers the Keylight platform as its ORM solution. It targets the following buyers: chief information security officers, compliance teams and CROs. Keylight 4.4, demonstrated for this research, can be deployed via SaaS as well as an on-premises model. The majority of LockPath's customers (over 70%) are on the SaaS model. Customers in healthcare, financial services and technology make up over 50% of its current installed base. Almost all its market share today (98%) is in North America. LockPath leverages a network of global partners for implementation services.

STRENGTHS

Offering (Product) Strategy: Clients have a positive view of the value LockPath's product provides versus the money spent.

Market Understanding: The importance of understanding a client's business needs is a primary driver for clients that select LockPath.

Sales Execution/Pricing: Pricing and contract flexibility is noted as favorable relative to other solution providers.

CAUTIONS

Geographic Strategy: The vendor's current focus is limited primarily to North America, with only a 5% growth projection for sales outside the U.S.

Operations: Customer support is limited to U.S. business hours.

Overall Viability: A limited ability to compete on a global basis may constrain future growth prospects.

MetricStream

MetricStream, privately held and headquartered in Palo Alto, California, targets a wide range of buyers, including all primary C-suite executives, plus buyers such as chief information security officers, VRM executives and quality management executives. MetricStream's Operational Risk Management App, demonstrated for this research, can be deployed via SaaS or an on-premises model. Over 75% of its revenue comes from the financial services sector. About 65% of its customer base is outside the U.S. Support is provided from centers in Palo Alto, California; New York; London; Milan; Dubai; and Bangalore, India.

STRENGTHS

Marketing Execution/Understanding: MetricStream responds well to the evolving business needs and challenges of the ORM functions in large enterprises.

Sales Strategy: Clients have an overall positive view of the sales process and ease of contract negotiation.

Sales Execution/Pricing: Pricing and contract flexibility is noted as very favorable relative to other solution providers.

CAUTIONS

Business Model: Future growth is largely dependent on the successful transition from a highly tailored, on-premises product architecture to a user-configurable, cloud-based product architecture.

Offering (Product) Strategy: The vendor's product execution is tied to making continued R&D investments in the newly released product version.

Nasdaq

Headquartered in New York City, Nasdaq's primary IRMS platform, BWise, targets the following buyers: all C-suite-level executives, including corporate controllers and chief audit executives. BWise is part of a broader offering of board and governance software solutions and services. BWise Risk Management module (4.1 SP7), demonstrated for this research, can be deployed in a single-tenant, private hosted environment or on-premises. BWise has customer distribution in all regions. Approximately 50% of its revenue is from the financial services sector. Support is provided across the globe, but centralized in New York, the Netherlands and India.

STRENGTHS

Geographic Strategy: Thirty percent of Nasdaq's client base is in the U.S., 40% is in Europe and the remainder is spread across the globe. The strategy reflects the parent company's reach.

Business Model: A subscription-based, private hosted model is driving strong sales growth.

Sales Execution/Pricing: Pricing and contract flexibility is noted as favorable relative to other solution providers.

CAUTIONS

Customer Experience: A recent upgrade to real-time reporting has yielded issues with clients upgrading and migrating. Nasdaq has addressed the issues and continues to guarantee technical upgrade.

Vertical/Industry Strategy: A heavy concentration in financial services is represented by 50% of the vendor's client base.

Protiviti

Protiviti, headquartered in Menlo Park, California, and a wholly owned subsidiary of U.S.-based Robert Half International, offers Protiviti's Governance Portal platform. It targets the following buyers: chief audit executives, corporate controllers, chief compliance officers, CROs and operational risk managers. The Governance Portal v.4, demonstrated for this research, can be deployed on-premises, hosted or SaaS; 70% of its customers use the software via an on-premises model. Among its globally distributed customer base, consumer products/services, financial services and manufacturing make up 65%. Support is provided from locations in the U.S., India, Japan and the U.K.

STRENGTHS

Sales Execution/Pricing: The per-user pricing based on role is very clear and simple.

Operations: Dedicated support centers in the U.S., the U.K., India and Japan provide 24/5 access across the globe.

Sales Strategy: Protiviti utilizes its professional services arm as a key driver for sales growth.

CAUTIONS

Offering (Product) Strategy: A service-oriented approach is emphasized over product. The focus is on incremental product enhancements and API development for business intelligence tools and Microsoft SharePoint.

Marketing Strategy: The base product fulfills a horizontal market segment primarily focused on risk and control management, but can be expanded in its scope with SharePoint plug-ins. Protiviti seems to rely primarily on the demand from professional services.

Innovation: The vendor's R&D investment was not disclosed, and known improvements are largely incremental, based on client demand.

SAI Global

SAI Global, headquartered in Australia, offers its Compliance 360 platform to the following buyers: compliance teams, risk managers and CROs. Compliance 360 v.15.2, demonstrated for this research, is exclusively offered via SaaS. This solution focuses on sectors such as retail, financial services, agriculture/food, manufacturing, energy, and aerospace and defense. The client base is distributed in EMEA, the Americas and the Asia/Pacific region, with 73% of its customers in North America. SAI Global has a joint venture in China to support the growing customer needs in that region. Customer support is offered in the U.K., Australia and the U.S. In August 2016, SAI Global acquired Modulo (a former competitor), which joins and combines two customer bases and technology offerings, further deepening SAI Global's operational risk capabilities.

STRENGTHS

Market Responsiveness/Track Record: Clients report very few problems encountered in the use of SAI Global's product.

Sales Execution/Pricing: Pricing and contract flexibility is viewed as very favorable by its clients.

CAUTIONS

Sales Strategy: The sales channel is limited to direct sales, with a few content partners and a joint venture in China.

Geographic Strategy: Seventy-three percent of revenue comes from North America, with a remaining presence in the Asia/Pacific region (22%) and other various locations (5%).

Marketing Strategy: The vendor has a broad strategy, with limited focus on specific target markets in terms of organization size or complexity.

SAP

SAP is a publicly traded company headquartered in Germany. The main target buyers for SAP's risk management solution are senior executives and risk managers. The offering includes SAP Risk Management, SAP Process Control, SAP Regulatory Change Management and SAP Audit Management, deployed via on-premises or SaaS. SAP's S/4HANA business suite supports these four products by providing continuous control monitoring of integrated ERP data, as well as KRI reporting. Product support is provided via three support centers located in the U.S., Brazil and India. SAP's risk management solutions are typically considered by customers already using SAP ERP or other SAP software products for leveraging the required infrastructure/support and easier integration. SAP did not respond to requests for supplemental information or to review the draft contents of this document. Gartner's analysis is therefore based on other credible sources, including discussions with users of this product.

STRENGTHS

Sales Execution/Pricing: The quality and reliability of SAP's sales team received relatively high ratings from customer references.

Operations: SAP's risk management solutions leverage its centralized corporate support resources to provide extensive customer coverage across the globe.

CAUTIONS

Offering (Product) Strategy: SAP's product roadmap is not as detailed as those of its primary competitors.

Vertical/Industry Strategy: SAP's industry experience is rated relatively low by its own customer references provided to Gartner as part of this evaluation. While the low ratings may not be fully representative of the entire customer base, the vendor's broad cross-industry focus limits its depth of industry-specific knowledge and functionality.

SAS

SAS, privately held and headquartered in Cary, North Carolina, offers a suite of risk management solutions, and some are industry-specific (SAS Risk Management for Banking) and some leverage its data analytics and statistical modeling (SAS Risk Data Aggregation and Reporting, and SAS OpRisk VaR). SAS mainly targets risk managers, compliance officers, auditors and strategy officers. SAS Enterprise GRC, an integrated platform, includes the SAS OpRisk module, which can be deployed on-premises or via the Amazon Web Services (AWS) cloud platform. Primary customer support is provided from three service centers in the U.S., the U.K. and Australia. SAS did not respond to requests for supplemental information or to review the draft contents of this document. Gartner's analysis is therefore based on other credible sources, including discussions with users of this product.

STRENGTHS

Operations: Support is provided out of 50-plus local offices across the globe. Advanced 24/7 support is provided from the U.K. or Australia. It is a very mature organization.

Sales Strategy: The vendor has primarily direct sales across 400 offices worldwide, with strategic partnerships among the largest professional services and system integrator firms.

CAUTIONS

Vertical/Industry Strategy: This strategy is limited primarily to large, complex financial services organizations.

Sales Execution/Pricing: The pricing model is tiered based on financial asset size for financial services clients and revenue size for nonfinancial clients. This model may prove to be a disadvantage for large, but less complex, companies.

Customer Experience: Customer references provide relatively low ratings for SAS's ease of initial implementation and setup.

ServiceNow

ServiceNow, a public company based in Santa Clara, California, built ServiceNow Governance, Risk and Compliance on the ServiceNow Platform (platform as a service) offering. The ORM solution targets buyers such as IT security teams, risk management directors and internal audit teams. ServiceNow GRC, version Helsinki, was demonstrated for this research. It is almost exclusively deployed via a SaaS model, although on-premises is optional for customers. Its customer base is largely in North America, from which 70% of its revenue is derived. Support is provided in North America and Japan, plus seven European countries.

STRENGTHS

Customer Experience: Time to value is short, with an implementation time frame of just over two months on average.

Innovation: Rapid software development is supported by eight engineering centers globally.

Operations: Global support is offered through nine centers on a 24/7 basis.

CAUTIONS

Offering (Product) Strategy: ServiceNow has an IT-centric strategy focused primarily on IT service management (ITSM) customers seeking to expand reach into real-time ORM capabilities.

Vertical/Industry Strategy: There is no clear focus beyond financial services currently.

Sales Strategy: The vendor's strategy is to sell additional solutions opportunistically to existing or potential customers of its ITSM solution.

Sphera Solutions

Headquartered in Chicago, Sphera Solutions (the former IHS Operational Excellence and Risk Management [OERM] business) is a portfolio company of Genstar Capital, a leading middle-market private equity firm focused on the software, industrial technology, financial services and healthcare industries. Sphera's main target buyers are CROs and EH&S directors. The Sphera operational risk solution can be deployed via on-premises, hosting or SaaS models. The majority (near 90%) of its customers use the software via an on-premises model. Sphera's primary customer base is in North America and EMEA (91% of its revenue in 2016). Support is provided through Sphera customer care centers in North America, EMEA and India. The solution is used by asset-heavy sectors such as energy, chemical, automobile, manufacturing and mining.

STRENGTHS

Geographic Strategy: The vendor has an even distribution of clients across the globe.

Marketing Strategy: Sphera demonstrates a clear and concrete focus on current market trends and product development needs.

CAUTIONS

Business Model: The vendor is private-equity-backed and is being divested as a stand-alone company. It has an uncertain future, at least for the short term.

Vertical/Industry Strategy: There is a heavy concentration in energy, represented by 47% of the vendor's current revenue.

Customer Experience: There is a very lengthy time to value, with an average implementation time frame of greater than 12 months.

Innovation: Sphera has a limited R&D budget compared to other solution providers. It is largely focused on incremental feature improvements.

Thomson Reuters

Thomson Reuters, headquartered in New York City, offers a spectrum of risk-and-compliance-related technologies and services. Its ORM software and services target the following buyers: CROs, and managers of enterprise compliance and risk teams. Thomson Reuters Enterprise Risk Manager v.5.9.5, demonstrated for this research, can be deployed via on-premises, hosted and SaaS models. However, the majority of its customers are deployed on-premises. Thomson Reuters' customer base is widely distributed across industry sectors and major geographical regions. Product support is provided by service centers in the U.S., India, Singapore and Switzerland.

STRENGTHS

Geographic Strategy: The vendor has a specific growth strategy for markets across the globe. It has customers in more than 180 countries.

Business Model: There is a wide range of offerings across cloud, hosted and on-premises platforms. The business is well-funded and integrated with the vendor's core regulatory publishing operation.

Operations: Global support is offered out of four locations to provide 24/7 service. It is a mature organization.

CAUTIONS

Offering (Product) Strategy: The product roadmap is limited to incremental improvements.

Sales Execution/Pricing: The seat-based, modular and value proposition pricing is somewhat opaque.

Vendors Added and Dropped

We review and adjust our inclusion criteria for MagicQuadrants as markets change. As a result of theseadjustments, the mix of vendors in any MagicQuadrant may change over time. A vendor'sappearance in a Magic Quadrant one year and notthe next does not necessarily indicate that we havechanged our opinion of that vendor. It may be areflection of a change in the market and, therefore,changed evaluation criteria, or of a change of focusby that vendor.

AddedCura Software

LockPath

Sphera Solutions

ServiceNow

Dropped

Modulo was acquired by SAI Global.

Wolters Kluwer did not provide data on its OneSumX product to qualify for inclusion this year. Enablon did participate and has since become part of Wolters Kluwer.

Covalent did not meet the revenue inclusion criteria for the most recent fiscal year.

Riskonnect did not provide data to qualify for inclusion this year.

Inclusion and Exclusion Criteria

To be included in this Magic Quadrant, vendors must demonstrate the ability to address (on an enterprisewide basis) at least four of the five critical capabilities listed in the Market Definition/Description section above. In addition, vendors must have at least $6 million in revenue from the sale of ORM software and related services (for example, implementation/training, software product customization, etc.) in the most recent fiscal year.

Evaluation Criteria

Ability to Execute

Gartner analysts evaluate technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable their performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision.

Product or Service: This criterion involves the core goods and services offered by the vendor that compete in/serve the defined market. This also includes current product or service capabilities, quality, feature sets, skills, and so on, whether offered natively or through OEM agreements/partnerships, as defined in the Market Definition/Description section and detailed in the subcriteria. Evaluation ratings are derived from formal product demonstrations and customer feedback.

Overall Viability (Business Unit, Financial, Strategy, Organization): This criterion is an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue to invest in the product, offer the product and advance the state of the art within the organization's portfolio of products. Revenue growth and the product implementation growth trend over the past three years are primary determinants of the viability rating. Customer perception of future viability is also considered.

Sales Execution/Pricing: This criterion involves the vendor's capabilities in all presales, sales and postsales activities, and the structure that supports them. This also includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Customer ratings of the quality of sales-related activities, as well as an evaluation of the clarity and competitiveness of the vendor's pricing structure, are primary determinants in rating this criterion.

Market Responsiveness/Record: This criterion involves the vendor's ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness. Customer ratings are a primary factor.

Marketing Execution: This criterion involves the clarity, quality, creativity and efficacy of programs that are designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity as well as promotional, thought leadership, word of mouth and sales activities. Customer ratings of the vendor's effectiveness in responding to requests for information and RFPs are considered.

Customer Experience: This criterion involves the relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This also can include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Customer ratings are the primary determinant when evaluating this criterion.

Operations: This criterion involves the organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Table 1. Ability to Execute Evaluation Criteria

| Evaluation Criteria | Weighting |
|---|---|
| Product or Service | High |
| Overall Viability | High |
| Sales Execution/Pricing | High |
| Market Responsiveness/Record | Medium |
| Marketing Execution | Medium |
| Customer Experience | High |
| Operations | Medium |

Source: Gartner (December 2016)

Completeness of Vision

Gartner analysts evaluate technology providers on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs, and competitive forces, and on how well these statements map to Gartner's position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the providers.

Market Understanding: This criterion involves the vendor's ability to understand buyers' needs and to translate those needs into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those wants with their added vision. One key factor is customer ratings of the vendor's ability to fulfill its critical functional capabilities using its ORM or business process experience.

Marketing Strategy: This criterion involves a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. The vendor's ability to target specific market segments by addressing unique industry or geographic requirements is a primary determinant of this criterion rating.

Sales Strategy: This criterion involves the strategy for selling products using the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extends the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Customer ratings of the vendor's pricing strategy also are considered.

Offering (Product) Strategy: This criterion involves a vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. Evaluation factors include customer ratings of the vendor's product performance and scalability, as well as the product's roadmap for future enhancement.

Business Model: This criterion involves the soundness and logic of a vendor's underlying business proposition. Evaluation of this criterion includes the sustainability of the model given current and projected economic and environmental conditions.

Vertical/Industry Strategy: This criterion involves the vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries. Customer ratings of the vendor's industry-related experience also are considered.

Innovation: This criterion involves direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Included in this criterion is an evaluation of product roadmaps, as well as past and planned levels of R&D investment.

Geographic Strategy: This criterion involves the vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography — either directly or through partners, channels and subsidiaries — as appropriate for those geographies and markets. A vendor's ability to generate a significant level of revenue outside its native geography is considered a key factor in rating this criterion.

Table 2. Completeness of Vision Evaluation Criteria

| Evaluation Criteria | Weighting |
|---|---|
| Market Understanding | Medium |
| Marketing Strategy | Low |
| Sales Strategy | Low |
| Offering (Product) Strategy | High |
| Business Model | Low |
| Vertical/Industry Strategy | Medium |
| Innovation | High |
| Geographic Strategy | Low |

Source: Gartner (December 2016)

Quadrant Descriptions

Leaders

As the ORM solution market enters a new phase of maturity and begins to climb the Slope of Enlightenment on the Gartner Hype Cycle (see "Hype Cycle for Risk Management Solutions, 2016"), the Leaders are characterized by several different capabilities. Customers are looking to Leaders in this market to provide a solid base of functionality across the five ORM critical capabilities, which can be implemented with relative ease. Leaders also are noted for their ability to innovate and meet the future needs of enterprises across a range of industries and geographies.

Challengers

Challengers have proven viability, demonstrated market performance and shown the ability to exceed customer expectations on technical functionality. They need to focus on innovation in their product roadmaps, as well as in their geographic and vertical industry strategies, to move into the Leaders quadrant.

Visionaries

Visionaries have a solid understanding of the market, as demonstrated by domain expertise and commitment to innovation. Vendors in this category also have a broad portfolio of capabilities within their ORM solution, as well as complementary solutions such as EH&S. To move into the Leaders quadrant, Visionaries may need to sharpen their focus on the critical ORM capabilities, and take advantage of market growth opportunities.

Niche Players

Niche Players often have a unique approach to the market. Vendors could be in the Niche Players quadrant because they have to improve on the critical ORM software capabilities. Niche Players may target a specific vertical industry or the needs of particular professionals. All vendors in the Niche Players quadrant are successful in the market with competitive solutions.

Context

Companies must ensure that they are using comprehensive and integrated ORM solutions in order to assess the various risk types in their organizations. Regulators and other stakeholders pay much more attention to risk management practices as part of their financial supervision, and the lack of comprehensive ORM modeling and reporting use not only could result in lower credit ratings by financial services providers, but also could threaten the public accreditation of organizations.

ORM solutions also require consistent risk management policies, which often necessitate staff retraining as well as the implementation of new compliance policies and procedures. The change management associated with establishing a risk-aware culture and implementing new policies is often the most difficult aspect of adopting ORM.

In addition, it is crucial to harmonize and consolidate data sources across the company on a continual basis, rather than at a single point in time. This may create some challenges from a process perspective as well as from an IT redesign perspective. The integration of various data sources is, on the other hand, critical for the eventual success of a top-down risk management dashboard that is accurately displaying bottom-up data. While some companies may aspire to have a single ORM application to cover all risks, it may be more practical to have several ORM solutions that focus on related risk areas, such as IT risk. The ultimate goal should be deploying ORM solutions that can be integrated, and that can fit the existing IT architecture.

Market Overview

The ORM solution market has progressed through the first phases of the Gartner Hype Cycle over the past three to five years, and its maturity level is characterized as early mainstream, with a market penetration of 20% to 50%. The market is not projected to plateau for another two to five years, and, during that time, it will be shaped by a number of priorities.

ORM solutions are becoming increasingly important because of organizations' growing need to meet compliance and regulatory requirements, particularly in financial services and healthcare, and because of their desire to avoid severe punishment from regulators. This is especially true in North America and Europe, and is the primary reason for the increase in technology maturity.

ORM solutions not only are implemented in developed markets, but also are gaining importance in developing markets, such as China, South Africa and India, where local regulators are increasingly emphasizing the role of ORM to combat fraud, bribery and other persistent risks. Although elements of ORM have been in existence for many years, sophisticated analytics and modeling capabilities are increasingly in demand, which has attracted analytics vendors like IBM, SAP and SAS to the market.

The use of ORM solutions will help organizations improve data quality and support adequate reporting to national and international regulation authorities in order to avoid regulatory risks. Without the appropriate ORM solutions, organizations will not have adequate analysis and insight into their aggregate risk positions, or the ability to comply with new capital adequacy regulations, such as Basel III and Solvency II.

Pricing models for ORM solutions include perpetual licenses for on-premises deployments, as well as subscription models for private hosted or SaaS-based solutions. While a few vendors still price their software on an enterprise basis, most have shifted to a user-based model that is tiered based on the frequency of software use.

Most companies that utilize ORM solutions are in highly regulated industries, such as banking, insurance, securities, healthcare, utilities and energy. However, other industries — such as manufacturing, retail and natural resources — are adopting ORM solutions as an extension to their EH&S solutions. Overall adoption rates are still relatively low (less than 20% cross-industry), and the market's maturity can be categorized as being in the adolescent phase. The market should reach mainstream maturity in no more than five years, based on current adoption rates in industries that are not highly regulated.

Evidence

The Strengths and Cautions in this Magic Quadrant cover the evaluation criteria for which a vendor is above or below average. We do not provide commentary on every evaluation criterion, or on criteria for which a vendor's capability did not stand out from the others. Where no commentary is provided, it should be assumed that the capability is adequate for most organizations' needs.

As part of the vendor survey conducted for this Magic Quadrant, we asked each vendor to identify three to five reference customers. These customers' comments were derived from more than 100 ORM surveys completed between June 2016 and July 2016. Vendors' placement in the Magic Quadrant also was influenced by our discussions of ORM solutions with Gartner clients and non-Gartner clients.

All 14 vendors featured in this Magic Quadrant completed a survey in which they provided: (1) information about their business and operational strategies; (2) an overview of their capabilities and how they align with the inclusion and evaluation criteria; and (3) their most important financial, sales and operational data.

Vendors were evaluated as if they were responding to an RFP, and they were ranked on their ability to document and qualify their strengths and features. It is important to remember that a Magic Quadrant does not solely rate product quality or capabilities and features; it also indicates Gartner's view of a vendor's overall position in a specific market. Although product portfolio was an important consideration in our assessment, a vendor's ability to acquire customers and expand its presence in the market also was deemed important, as was its ability to increase its product revenue. A vendor that offers a strong, technically elegant product, but that is unable or unwilling to devote funding and attention to marketing and sales to increase revenue and improve profitability, will find itself unable to invest in future product development.

Each vendor also was provided with the opportunity to conduct a video demonstration of its ORM solution. The product demonstrations were rated according to their effectiveness in addressing the five critical ORM capabilities. These ratings were used to substantiate and, in some cases, where inadequate customer reference data existed, to supplement the overall product ratings.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

© 2016 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services (/technology/about/policies/usage_guidelines.jsp) posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Gartner provides information technology research and advisory services to a wide range of technology consumers, manufacturers and sellers, and may have client relationships with, and derive revenues from, companies discussed herein. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity." (/technology/about/ombudsman/omb_guide2.jsp)
