Friday, June 16, 2017

Magic Quadrant for Operational Risk Management Solutions

Published: 13 December 2016


Summary

Security and risk management leaders are seeking to integrate their risk management solutions to gain a more holistic view of risk across the enterprise. Operational risk management solutions serve as the core element of integrated risk management.

Market Definition/Description

This document was revised on 28 December 2016. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
Operational risks refer to those risks that "relate to the uncertainty of daily tactical business activities, as well as risk events resulting from inadequate or failed internal processes, people or systems, or from external events." Operational risk management (ORM) software solutions allow organizations to aggregate and normalize data from multiple data sources, including operational and financial systems, as well as from external sources such as regulatory alerts and loss event databases.
By providing a better understanding of these risks to business objectives, ORM enables better business performance and capital allocation. ORM solutions also help companies address the increasing pressure from regulators to improve the risk reporting in annual reports, and to improve the board of directors' role in enterprisewide ORM oversight. ORM solutions usually include functions for risk analytics, as well as risk indicators to support decision making.
ORM is a central part of a growing category of integrated risk management (IRM) software solutions focused on supporting a broader enterprise risk management (ERM) program. Gartner defines IRM as a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks (see "Transform Governance, Risk and Compliance to Integrated Risk Management").
IRM solutions (IRMS) have matured and remain a top business priority for senior executives as we enter the new age of digital business. IRMS represents the set of integrated risk management technologies and processes that enable an IRM program. Gartner's research coverage of IRMS includes seven market segments containing a range of solutions, from purpose-built applications to single-vendor, integrated solution sets. The seven defined Gartner IRMS (formerly known as governance, risk and compliance [GRC] software) market segments are listed in "Market Guide for Integrated Risk Management Solutions."
The critical capabilities of ORM solutions center on providing business leaders with a more effective means of assessing risk and control effectiveness, identifying operational risk events, managing remediation efforts, and quantifying the associated operational risk exposure across the enterprise. What follows is an overview of the critical capabilities, as well as a description of their primary usage.

Risk and Control Documentation/Assessment

Operational risks, and the related controls required to mitigate them to an acceptable level, must be documented sufficiently to satisfy a number of key stakeholders — including customers, the public, regulators, external auditors, business partners/associates and board members — as well as to provide the basis for performing a comprehensive operational risk assessment. Features within this capability include:
  • Risk-related content, including a risk taxonomy/library, key risk indicator (KRI) catalog, regulatory compliance updates and so on
  • Risk assessment methodology and calculation capabilities (for example, bow tie risk assessment)
  • Documentation authoring, versioning and approval
  • The ability to integrate with purpose-built risk systems, such as business continuity management planning (BCMP), IT risk management (ITRM), IT vendor risk management (VRM), corporate compliance and oversight (CCO), enterprise legal management (ELM), and audit management

Risk Mitigation Action Planning

When operational risks are assessed to be beyond defined risk tolerance levels, action plans must be developed to ensure that the appropriate mitigation steps are taken to meet the operational risk appetite set by the board of directors or other governance body. ORM solutions can provide support to risk professionals and business leaders in managing the associated risk mitigation efforts. Features within this capability include:
  • Business process mapping to IT assets
  • Project management capabilities to track progress on risk-related initiatives or tasks
  • Risk control testing capabilities, such as continuous control monitoring
  • Control mapping to risks and business processes
  • Control mapping to compliance mandates

KRI Monitoring/Reporting

To effectively monitor the operational risk levels across the enterprise, companies can utilize ORM solutions to report the risk levels through KRIs (see "The Gartner Business Risk Model: A Framework for Integrating Risk and Performance"). Features within this capability include:
  • Risk scorecard/dashboard capabilities
  • The ability to link KRIs to performance metrics

Risk Quantification and Analytics

Beyond the exercise of assessing operational risk from a qualitative perspective, companies in many industries (including banking, insurance and securities) are seeking to measure operational risk on a quantitative basis. Some of the quantitative analysis is used to support capital calculation requirements driven by regulatory mandates, such as Basel III and Solvency II. Other quantitative analysis methods are used to develop more precise predictive models to determine the potential for certain operational risk events, such as fraud or theft. As such, the features within this capability include:
  • "What if" risk scenario analysis capabilities
  • Statistical modeling capabilities (for example, Monte Carlo simulation, value at risk, Bayesian statistical inference and so on)
  • Predictive analytics
  • Capital allocation/calculation
  • Fraud detection capabilities

Incident Management/Loss Event Capture and Analysis

A history of operational incidents and/or loss events can be used to inform the risk assessment process and facilitate the identification of event causes. In addition, ORM solutions can integrate with external loss event databases to identify potential risk events based on the experience of peers and other related entities. Features within this capability include:
  • An external risk event repository
  • Incident management workflow (review, escalate, investigate, resolve, dispose) and reporting
  • Impact/consequence data and analytics

Magic Quadrant

Figure 1. Magic Quadrant for Operational Risk Management Solutions
Research image courtesy of Gartner, Inc.
Source: Gartner (December 2016)

Vendor Strengths and Cautions

Cura Software

Cura Software is a subsidiary of Cura Technologies, a vendor headquartered in India. Within its software product set, Cura Assessor is mostly aligned with ORM capabilities. Cura's main target buyers are chief risk officers (CROs) and chief compliance officers. ORM Lite (ISO 31000) and ORM Integrated were the two products demonstrated for this research. Cura Assessor can be deployed through on-premises, hosted and SaaS models. Technical support teams are available in all major regions. The majority (about 80%) of its customer base is in South Africa and Australia.
STRENGTHS
  • Offering (Product) Strategy: Cura's strategy is clear and addresses the product flexibility needs of customers in this market segment.
  • Vertical/Industry Strategy: Clients referenced by Cura include a broad cross-industry focus in areas such as manufacturing, natural resources, communications, services and banking.
CAUTIONS
  • Geographic Strategy: The vendor has a limited global presence — its client base is currently concentrated in India, Australia and South Africa.
  • Sales Strategy: Cura has a higher reliance on partnerships with local resellers or consulting firms.
  • Operations: Cura's support staff and its availability are limited, when compared to other solution providers.

Dell Technologies (RSA)

RSA, a Dell Technologies business headquartered in Round Rock, Texas, offers its GRC platform to a broad set of roles, and supports a spectrum of ORM use cases. RSA Archer release 6.1, demonstrated for this research, has a set of use-case-based solutions that can be deployed and purchased independently. RSA's ORM software can be deployed either on-premises or in a multitenant, private hosted environment. Implementation services are available through the former EMC's consulting services and its partners. Four multisolution support centers are located in the U.S., the U.K., India and Australia.
STRENGTHS
  • Geographic Strategy: RSA has a client base across the entire globe, with a sales presence in over 50 countries.
  • Vertical/Industry Strategy: The vendor has a broad vertical strategy, with 28% of its current client base in financial services and the remainder spread across nine additional verticals.
  • Marketing Strategy: There is a strong focus on marketing to multiple buyers within an organization in support of a broader enterprisewide ORM program.
CAUTIONS
  • Customer Experience: Clients report lengthy time to value related to more complex implementation requirements than competitors.
  • Sales Strategy: A shift from direct sales to a reseller model for new customers has resulted in longer sales cycles and greater complexity in delivering solutions.

Enablon

Enablon, now a part of Wolters Kluwer (headquartered in the Netherlands), targets the following buyers: CROs; internal audit directors and/or internal control directors; environmental, health and safety (EH&S) directors; and sustainability directors. The Enablon Platform v.8, demonstrated for this research, can be deployed via on-premises, hosted or SaaS models. Enablon primarily targets and has a large customer base in industries that have high environmental and safety impacts, such as oil and gas, energy, mining, construction, chemical, engineering, heavy manufacturing, and life sciences.
STRENGTHS
  • Offering (Product) Strategy: The product roadmap is clear and detailed, reflecting Enablon's continued enhancements in usability and risk assessment capabilities.
  • Sales Strategy: The vendor's extensive implementation partner and reseller network will be bolstered by its new parent company, Wolters Kluwer.
  • Overall Viability: Enablon has had solid revenue and customer growth with increased access to capital via the recent acquisition.
CAUTIONS
  • Market Responsiveness/Track Record: The product functionality and upgrade ratings by client references are positive, yet slightly lower than with other solution providers.
  • Marketing Strategy: Enablon has a primary focus on the large-scale, enterprise market, which is increasingly saturated.
  • Sales Execution/Pricing: Its pricing model is moderately complex when compared to other solution providers.

IBM

IBM, publicly traded and headquartered in Armonk, New York, targets a broad set of buyers across the enterprise, including governance, risk management and internal audit professionals. IBM's OpenPages GRC Platform 7.2, reviewed for this research, is offered as an on-premises or SaaS solution. IBM has nine help center facilities, with locations in the U.S. and Canada, as well as in six other countries around the world. OpenPages GRC Platform typically has been deployed in larger, more complex environments; however, it also has a small or midsize business (SMB) version with a slimmed down set of functionalities. Approximately 50% of OpenPages' customers are in the financial services sector.
STRENGTHS
  • Marketing Strategy: IBM has a stated strategy to provide solutions for all market sizes and is expanding its focus on a wide array of industries beyond financial services.
  • Business Model: The vendor has highly mature sales, software development and management teams.
  • Operations: Integrated global support is available through IBM's standard support network — it has great reach, but may impact the vendor's ability to provide specialized subject matter expertise and support.
CAUTIONS
  • Vertical/Industry Strategy: While marketing a broad cross-industry focus, IBM's client base is largely centered in financial services.
  • Customer Experience: Clients report longer implementation time frames, potentially resulting in longer time to value relative to other solution providers.
  • Market Responsiveness/Track Record: Some clients experience integration, migration and scalability problems — more so relative to other solution providers.

LockPath

LockPath, privately held and headquartered in Overland Park, Kansas, offers the Keylight platform as its ORM solution. It targets the following buyers: chief information security officers, compliance teams and CROs. Keylight 4.4, demonstrated for this research, can be deployed via SaaS as well as an on-premises model. The majority of LockPath's customers (over 70%) are on the SaaS model. Customers in healthcare, financial services and technology make up over 50% of its current installed base. Almost all its market share today (98%) is in North America. LockPath leverages a network of global partners for implementation services.
STRENGTHS
  • Offering (Product) Strategy: Clients have a positive view of the value LockPath's product provides versus the money spent.
  • Market Understanding: The importance of understanding a client's business needs is a primary driver for clients that select LockPath.
  • Sales Execution/Pricing: Pricing and contract flexibility is noted as favorable relative to other solution providers.
CAUTIONS
  • Geographic Strategy: The vendor's current focus is limited primarily to North America, with only a 5% growth projection for sales outside the U.S.
  • Operations: Customer support is limited to U.S. business hours.
  • Overall Viability: A limited ability to compete on a global basis may constrain future growth prospects.

MetricStream

MetricStream, privately held and headquartered in Palo Alto, California, targets a wide range of buyers, including all primary C-suite executives, plus buyers such as chief information security officers, VRM executives and quality management executives. MetricStream's Operational Risk Management App, demonstrated for this research, can be deployed via SaaS or an on-premises model. Over 75% of its revenue comes from the financial services sector. About 65% of its customer base is outside the U.S. Support is provided from centers in Palo Alto, California; New York; London; Milan; Dubai; and Bangalore, India.
STRENGTHS
  • Marketing Execution/Understanding: MetricStream responds well to the evolving business needs and challenges of the ORM functions in large enterprises.
  • Sales Strategy: Clients have an overall positive view of the sales process and ease of contract negotiation.
  • Sales Execution/Pricing: Pricing and contract flexibility is noted as very favorable relative to other solution providers.
CAUTIONS
  • Business Model: Future growth is largely dependent on the successful transition from a highly tailored, on-premises product architecture to a user-configurable, cloud-based product architecture.
  • Offering (Product) Strategy: The vendor's product execution is tied to making continued R&D investments in the newly released product version.

Nasdaq

Headquartered in New York City, Nasdaq's primary IRMS platform, BWise, targets the following buyers: all C-suite-level executives, including corporate controllers and chief audit executives. BWise is part of a broader offering of board and governance software solutions and services. BWise Risk Management module (4.1 SP7), demonstrated for this research, can be deployed in a single-tenant, private hosted environment or on-premises. BWise has customer distribution in all regions. Approximately 50% of its revenue is from the financial services sector. Support is provided across the globe, but centralized in New York, the Netherlands and India.
STRENGTHS
  • Geographic Strategy: Thirty percent of Nasdaq's client base is in the U.S., 40% is in Europe and the remainder is spread across the globe. The strategy reflects the parent company's reach.
  • Business Model: A subscription-based, private hosted model is driving strong sales growth.
  • Sales Execution/Pricing: Pricing and contract flexibility is noted as favorable relative to other solution providers.
CAUTIONS
  • Customer Experience: A recent upgrade to real-time reporting has yielded issues with clients upgrading and migrating. Nasdaq has addressed the issues and continues to guarantee technical upgrade.
  • Vertical/Industry Strategy: A heavy concentration in financial services is represented by 50% of the vendor's client base.

Protiviti

Protiviti, headquartered in Menlo Park, California, and a wholly owned subsidiary of U.S.-based Robert Half International, offers Protiviti's Governance Portal platform. It targets the following buyers: chief audit executives, corporate controllers, chief compliance officers, CROs and operational risk managers. The Governance Portal v.4, demonstrated for this research, can be deployed on-premises, hosted or SaaS; 70% of its customers use the software via an on-premises model. Among its globally distributed customer base, consumer products/services, financial services and manufacturing make up 65%. Support is provided from locations in the U.S., India, Japan and the U.K.
STRENGTHS
  • Sales Execution/Pricing: The per-user pricing based on role is very clear and simple.
  • Operations: Dedicated support centers in the U.S., the U.K., India and Japan provide 24/5 access across the globe.
  • Sales Strategy: Protiviti utilizes its professional services arm as a key driver for sales growth.
CAUTIONS
  • Offering (Product) Strategy: A service-oriented approach is emphasized over product. The focus is on incremental product enhancements and API development for business intelligence tools and Microsoft SharePoint.
  • Marketing Strategy: The base product fulfills a horizontal market segment primarily focused on risk and control management, but can be expanded in its scope with SharePoint plug-ins. Protiviti seems to rely primarily on the demand from professional services.
  • Innovation: The vendor's R&D investment was not disclosed, and known improvements are largely incremental, based on client demand.

SAI Global

SAI Global, headquartered in Australia, offers its Compliance 360 platform to the following buyers: compliance teams, risk managers and CROs. Compliance 360 v.15.2, demonstrated for this research, is exclusively offered via SaaS. This solution focuses on sectors such as retail, financial services, agriculture/food, manufacturing, energy, and aerospace and defense. The client base is distributed in EMEA, the Americas and the Asia/Pacific region, with 73% of its customers in North America. SAI Global has a joint venture in China to support the growing customer needs in that region. Customer support is offered in the U.K., Australia and the U.S. In August 2016, SAI Global acquired Modulo (a former competitor), which joins and combines two customer bases and technology offerings, further deepening SAI Global's operational risk capabilities.
STRENGTHS
  • Market Responsiveness/Track Record: Clients report very few problems encountered in the use of SAI Global's product.
  • Sales Execution/Pricing: Pricing and contract flexibility is viewed as very favorable by its clients.
CAUTIONS
  • Sales Strategy: The sales channel is limited to direct sales, with a few content partners and a joint venture in China.
  • Geographic Strategy: Seventy-three percent of revenue comes from North America, with a remaining presence in the Asia/Pacific region (22%) and other various locations (5%).
  • Marketing Strategy: The vendor has a broad strategy, with limited focus on specific target markets in terms of organization size or complexity.

SAP

SAP is a publicly traded company headquartered in Germany. The main target buyers for SAP's risk management solution are senior executives and risk managers. The offering includes SAP Risk Management, SAP Process Control, SAP Regulatory Change Management and SAP Audit Management, deployed via on-premises or SaaS. SAP's S/4HANA business suite supports these four products by providing continuous control monitoring of integrated ERP data, as well as KRI reporting. Product support is provided via three support centers located in the U.S., Brazil and India. SAP's risk management solutions are typically considered by customers already using SAP ERP or other SAP software products for leveraging the required infrastructure/support and easier integration. SAP did not respond to requests for supplemental information or to review the draft contents of this document. Gartner's analysis is therefore based on other credible sources, including discussions with users of this product.
STRENGTHS
  • Sales Execution/Pricing: The quality and reliability of SAP's sales team received relatively high ratings from customer references.
  • Operations: SAP's risk management solutions leverage its centralized corporate support resources to provide extensive customer coverage across the globe.
CAUTIONS
  • Offering (Product) Strategy: SAP's product roadmap is not as detailed as those of its primary competitors.
  • Vertical/Industry Strategy: SAP's industry experience is rated relatively low by its own customer references provided to Gartner as part of this evaluation. While the low ratings may not be fully representative of the entire customer base, the vendor's broad cross-industry focus limits its depth of industry-specific knowledge and functionality.

SAS

SAS, privately held and headquartered in Cary, North Carolina, offers a suite of risk management solutions, and some are industry-specific (SAS Risk Management for Banking) and some leverage its data analytics and statistical modeling (SAS Risk Data Aggregation and Reporting, and SAS OpRisk VaR). SAS mainly targets risk managers, compliance officers, auditors and strategy officers. SAS Enterprise GRC, an integrated platform, includes the SAS OpRisk module, which can be deployed on-premises or via the Amazon Web Services (AWS) cloud platform. Primary customer support is provided from three service centers in the U.S., the U.K. and Australia. SAS did not respond to requests for supplemental information or to review the draft contents of this document. Gartner's analysis is therefore based on other credible sources, including discussions with users of this product.
STRENGTHS
  • Operations: Support is provided out of 50-plus local offices across the globe. Advanced 24/7 support is provided from the U.K. or Australia. It is a very mature organization.
  • Sales Strategy: The vendor has primarily direct sales across 400 offices worldwide, with strategic partnerships among the largest professional services and system integrator firms.
CAUTIONS
  • Vertical/Industry Strategy: This strategy is limited primarily to large, complex financial services organizations.
  • Sales Execution/Pricing: The pricing model is tiered based on financial asset size for financial services clients and revenue size for nonfinancial clients. This model may prove to be a disadvantage for large, but less complex, companies.
  • Customer Experience: Customer references provide relatively low ratings for SAS's ease of initial implementation and setup.

ServiceNow

ServiceNow, a public company based in Santa Clara, California, built ServiceNow Governance, Risk and Compliance on the ServiceNow Platform (platform as a service) offering. The ORM solution targets buyers such as IT security teams, risk management directors and internal audit teams. ServiceNow GRC, version Helsinki, was demonstrated for this research. It is almost exclusively deployed via a SaaS model, although on-premises is optional for customers. Its customer base is largely in North America, from which 70% of its revenue is derived. Support is provided in North America and Japan, plus seven European countries.
STRENGTHS
  • Customer Experience: Time to value is short, with an implementation time frame of just over two months on average.
  • Innovation: Rapid software development is supported by eight engineering centers globally.
  • Operations: Global support is offered through nine centers on a 24/7 basis.
CAUTIONS
  • Offering (Product) Strategy: ServiceNow has an IT-centric strategy focused primarily on IT service management (ITSM) customers seeking to expand reach into real-time ORM capabilities.
  • Vertical/Industry Strategy: There is no clear focus beyond financial services currently.
  • Sales Strategy: The vendor's strategy is to sell additional solutions opportunistically to existing or potential customers of its ITSM solution.

Sphera Solutions

Headquartered in Chicago, Sphera Solutions (the former IHS Operational Excellence and Risk Management [OERM] business) is a portfolio company of Genstar Capital, a leading middle-market private equity firm focused on the software, industrial technology, financial services and healthcare industries. Sphera's main target buyers are CROs and EH&S directors. The Sphera operational risk solution can be deployed via on-premises, hosting or SaaS models. The majority (near 90%) of its customers use the software via an on-premises model. Sphera's primary customer base is in North America and EMEA (91% of its revenue in 2016). Support is provided through Sphera customer care centers in North America, EMEA and India. The solution is used by asset-heavy sectors such as energy, chemical, automobile, manufacturing and mining.
STRENGTHS
  • Geographic Strategy: The vendor has an even distribution of clients across the globe.
  • Marketing Strategy: Sphera demonstrates a clear and concrete focus on current market trends and product development needs.
CAUTIONS
  • Business Model: The vendor is private-equity-backed and is being divested as a stand-alone company. It has an uncertain future, at least for the short term.
  • Vertical/Industry Strategy: There is a heavy concentration in energy, represented by 47% of the vendor's current revenue.
  • Customer Experience: There is a very lengthy time to value, with an average implementation time frame of greater than 12 months.
  • Innovation: Sphera has a limited R&D budget compared to other solution providers. It is largely focused on incremental feature improvements.

Thomson Reuters

Thomson Reuters, headquartered in New York City, offers a spectrum of risk-and-compliance-related technologies and services. Its ORM software and services target the following buyers: CROs, and managers of enterprise compliance and risk teams. Thomson Reuters Enterprise Risk Manager v.5.9.5, demonstrated for this research, can be deployed via on-premises, hosted and SaaS models. However, the majority of its customers are deployed on-premises. Thomson Reuters' customer base is widely distributed across industry sectors and major geographical regions. Product support is provided by service centers in the U.S., India, Singapore and Switzerland.
STRENGTHS
  • Geographic Strategy: The vendor has a specific growth strategy for markets across the globe. It has customers in more than 180 countries.
  • Business Model: There is a wide range of offerings across cloud, hosted and on-premises platforms. The business is well-funded and integrated with the vendor's core regulatory publishing operation.
  • Operations: Global support is offered out of four locations to provide 24/7 service. It is a mature organization.
CAUTIONS
  • Offering (Product) Strategy: The product roadmap is limited to incremental improvements.
  • Sales Execution/Pricing: The seat-based, modular and value proposition pricing is somewhat opaque.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Cura Software
  • LockPath
  • Sphera Solutions
  • ServiceNow

Dropped

  • Modulo was acquired by SAI Global.
  • Wolters Kluwer did not provide data on its OneSumX product to qualify for inclusion this year. Enablon did participate and has since become part of Wolters Kluwer.
  • Covalent did not meet the revenue inclusion criteria for the most recent fiscal year.
  • Riskonnect did not provide data to qualify for inclusion this year.

Inclusion and Exclusion Criteria

To be included in this Magic Quadrant, vendors must demonstrate the ability to address (on an enterprisewide basis) at least four of the five critical capabilities listed in the Market Definition/Description section above. In addition, vendors must have at least $6 million in revenue from the sale of ORM software and related services (for example, implementation/training, software product customization, etc.) in the most recent fiscal year.

Evaluation Criteria

Ability to Execute

Gartner analysts evaluate technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable their performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision.
Product or Service: This criterion involves the core goods and services offered by the vendor that compete in/serve the defined market. This also includes current product or service capabilities, quality, feature sets, skills, and so on, whether offered natively or through OEM agreements/partnerships, as defined in the Market Definition/Description section and detailed in the subcriteria. Evaluation ratings are derived from formal product demonstrations and customer feedback.
Overall Viability (Business Unit, Financial, Strategy, Organization): This criterion is an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue to invest in the product, offer the product and advance the state of the art within the organization's portfolio of products. Revenue growth and the product implementation growth trend over the past three years are primary determinants of the viability rating. Customer perception of future viability is also considered.
Sales Execution/Pricing: This criterion involves the vendor's capabilities in all presales, sales and postsales activities, and the structure that supports them. This also includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Customer ratings of the quality of sales-related activities, as well as an evaluation of the clarity and competitiveness of the vendor's pricing structure, are primary determinants in rating this criterion.
Market Responsiveness/Record: This criterion involves the vendor's ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness. Customer ratings are a primary factor.
Marketing Execution: This criterion involves the clarity, quality, creativity and efficacy of programs that are designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity as well as promotional, thought leadership, word of mouth and sales activities. Customer ratings of the vendor's effectiveness in responding to requests for information and RFPs are considered.
Customer Experience: This criterion involves the relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This also can include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Customer ratings are the primary determinant when evaluating this criterion.
Operations: This criterion involves the organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria             Weighting
Product or Service              High
Overall Viability               High
Sales Execution/Pricing         High
Market Responsiveness/Record    Medium
Marketing Execution             Medium
Customer Experience             High
Operations                      Medium

Source: Gartner (December 2016)

Completeness of Vision

Gartner analysts evaluate technology providers on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs, and competitive forces, and on how well these statements map to Gartner's position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the providers.
Market Understanding: This criterion involves the vendor's ability to understand buyers' needs and to translate those needs into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those wants with their added vision. One key factor is customer ratings of the vendor's ability to fulfill its critical functional capabilities using its ORM or business process experience.
Marketing Strategy: This criterion involves a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. The vendor's ability to target specific market segments by addressing unique industry or geographic requirements is a primary determinant of this criterion rating.
Sales Strategy: This criterion involves the strategy for selling products using the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extends the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Customer ratings of the vendor's pricing strategy also are considered.
Offering (Product) Strategy: This criterion involves a vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements. Evaluation factors include customer ratings of the vendor's product performance and scalability, as well as the product's roadmap for future enhancement.
Business Model: This criterion involves the soundness and logic of a vendor's underlying business proposition. Evaluation of this criterion includes the sustainability of the model given current and projected economic and environmental conditions.
Vertical/Industry Strategy: This criterion involves the vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries. Customer ratings of the vendor's industry-related experience also are considered.
Innovation: This criterion involves direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Included in this criterion is an evaluation of product roadmaps, as well as past and planned levels of R&D investment.
Geographic Strategy: This criterion involves the vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography — either directly or through partners, channels and subsidiaries — as appropriate for those geographies and markets. A vendor's ability to generate a significant level of revenue outside its native geography is considered a key factor in rating this criterion.
Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria             Weighting
Market Understanding            Medium
Marketing Strategy              Low
Sales Strategy                  Low
Offering (Product) Strategy     High
Business Model                  Low
Vertical/Industry Strategy      Medium
Innovation                      High
Geographic Strategy             Low

Source: Gartner (December 2016)

Quadrant Descriptions

Leaders

As the ORM solution market enters a new phase of maturity and begins to climb the Slope of Enlightenment on the Gartner Hype Cycle (see "Hype Cycle for Risk Management Solutions, 2016"), the Leaders are characterized by several different capabilities. Customers are looking to Leaders in this market to provide a solid base of functionality across the five ORM critical capabilities, which can be implemented with relative ease. Leaders also are noted for their ability to innovate and meet the future needs of enterprises across a range of industries and geographies.

Challengers

Challengers have proven viability, demonstrated market performance and shown the ability to exceed customer expectations on technical functionality. They need to focus on innovation in their product roadmaps, as well as in their geographic and vertical industry strategies, to move into the Leaders quadrant.

Visionaries

Visionaries have a solid understanding of the market, as demonstrated by domain expertise and commitment to innovation. Vendors in this category also have a broad portfolio of capabilities within their ORM solution, as well as complementary solutions such as EH&S. To move into the Leaders quadrant, Visionaries may need to sharpen their focus on the critical ORM capabilities, and take advantage of market growth opportunities.

Niche Players

Niche Players often have a unique approach to the market. Vendors could be in the Niche Players quadrant because they have to improve on the critical ORM software capabilities. Niche Players may target a specific vertical industry or the needs of particular professionals. All vendors in the Niche Players quadrant are successful in the market with competitive solutions.

Context

Companies must ensure that they are using comprehensive and integrated ORM solutions in order to assess the various risk types in their organizations. Regulators and other stakeholders pay much more attention to risk management practices as part of their financial supervision, and the lack of comprehensive ORM modeling and reporting use not only could result in lower credit ratings by financial services providers, but also could threaten the public accreditation of organizations.
ORM solutions also require consistent risk management policies, which often necessitate staff retraining as well as the implementation of new compliance policies and procedures. The change management associated with establishing a risk-aware culture and implementing new policies is often the most difficult aspect of adopting ORM.
In addition, it is crucial to harmonize and consolidate data sources across the company on a continual basis, rather than at a single point in time. This may create some challenges from a process perspective as well as from an IT redesign perspective. The integration of various data sources is, on the other hand, critical for the eventual success of a top-down risk management dashboard that is accurately displaying bottom-up data. While some companies may aspire to have a single ORM application to cover all risks, it may be more practical to have several ORM solutions that focus on related risk areas, such as IT risk. The ultimate goal should be deploying ORM solutions that can be integrated, and that can fit the existing IT architecture.

Market Overview

The ORM solution market has progressed through the first phases of the Gartner Hype Cycle over the past three to five years, and its maturity level is characterized as early mainstream, with a market penetration of 20% to 50%. The market is not projected to plateau for another two to five years, and, during that time, it will be shaped by a number of priorities.
ORM solutions are becoming increasingly important because of organizations' growing need to meet compliance and regulatory requirements, particularly in financial services and healthcare, and because of their desire to avoid severe punishment from regulators. This is especially true in North America and Europe, and is the primary reason for the increase in technology maturity.
ORM solutions not only are implemented in developed markets, but also are gaining importance in developing markets, such as China, South Africa and India, where local regulators are increasingly emphasizing the role of ORM to combat fraud, bribery and other persistent risks. Although elements of ORM have been in existence for many years, sophisticated analytics and modeling capabilities are increasingly in demand, which has attracted analytics vendors like IBM, SAP and SAS to the market.
The use of ORM solutions will help organizations improve data quality and support adequate reporting to national and international regulation authorities in order to avoid regulatory risks. Without the appropriate ORM solutions, organizations will not have adequate analysis and insight into their aggregate risk positions, or the ability to comply with new capital adequacy regulations, such as Basel III and Solvency II.
Pricing models for ORM solutions include perpetual licenses for on-premises deployments, as well as subscription models for private hosted or SaaS-based solutions. While a few vendors still price their software on an enterprise basis, most have shifted to a user-based model that is tiered based on the frequency of software use.
Most companies that utilize ORM solutions are in highly regulated industries, such as banking, insurance, securities, healthcare, utilities and energy. However, other industries — such as manufacturing, retail and natural resources — are adopting ORM solutions as an extension to their EH&S solutions. Overall adoption rates are still relatively low (less than 20% cross-industry), and the market's maturity can be categorized as being in the adolescent phase. The market should reach mainstream maturity in no more than five years, based on current adoption rates in industries that are not highly regulated.

Evidence

  • The Strengths and Cautions in this Magic Quadrant cover the evaluation criteria for which a vendor is above or below average. We do not provide commentary on every evaluation criterion, or on criteria for which a vendor's capability did not stand out from the others. Where no commentary is provided, it should be assumed that the capability is adequate for most organizations' needs.
  • As part of the vendor survey conducted for this Magic Quadrant, we asked each vendor to identify three to five reference customers. These customers' comments were derived from more than 100 ORM surveys completed between June 2016 and July 2016. Vendors' placement in the Magic Quadrant also was influenced by our discussions of ORM solutions with Gartner clients and non-Gartner clients.
  • All 14 vendors featured in this Magic Quadrant completed a survey in which they provided: (1) information about their business and operational strategies; (2) an overview of their capabilities and how they align with the inclusion and evaluation criteria; and (3) their most important financial, sales and operational data.
  • Vendors were evaluated as if they were responding to an RFP, and they were ranked on their ability to document and qualify their strengths and features. It is important to remember that a Magic Quadrant does not solely rate product quality or capabilities and features; it also indicates Gartner's view of a vendor's overall position in a specific market. Although product portfolio was an important consideration in our assessment, a vendor's ability to acquire customers and expand its presence in the market also was deemed important, as was its ability to increase its product revenue. A vendor that offers a strong, technically elegant product, but that is unable or unwilling to devote funding and attention to marketing and sales to increase revenue and improve profitability, will find itself unable to invest in future product development.
  • Each vendor also was provided with the opportunity to conduct a video demonstration of its ORM solution. The product demonstrations were rated according to their effectiveness in addressing the five critical ORM capabilities. These ratings were used to substantiate and, in some cases, where inadequate customer reference data existed, to supplement the overall product ratings.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography an
