Enterprise GRC Technology Solutions 2012: Thomson Reuters Vendor Highlights

Transcription

1 Enterprise GRC Technology Solutions 2012: Thomson Reuters Vendor lights January 2013

2 About Chartis Research Chartis is a leading provider of research and analysis covering the global market for risk management technology. Our goal is to support enterprises seeking to optimize business performance through better risk management, corporate governance and compliance. We help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on the broad spectrum of risk technology offerings. Areas of expertise include: Credit risk Operational risk and Governance, Risk and Compliance (GRC) Market risk Asset and Liability Management (ALM) and Liquidity Risk Financial Crime Insurance risk Regulatory requirements including Basel 2, Basel 3, Dodd-Frank and Solvency 2 Chartis is solely focused on risk technology giving it significant advantage over generic market analysts. Chartis has brought together a leading team of analysts and advisors from the risk management and financial services industries. This team has hands-on experience of implementing and developing risk management systems and programs for Fortune 500 companies and leading consulting houses. Chartis Research is authorized and regulated in the United Kingdom by the Financial Services Authority (FSA) to provide investment advice. No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Chartis Research Ltd. The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that Chartis Research delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. Chartis Research accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis. See Chartis Terms of Use on RiskTech100 is a Registered Trade Mark of Chartis Research Limited RiskTech Quadrant is a Registered Trade Mark of Chartis Research Limited Unauthorized use of Chartis Research s name and trademarks is strictly prohibited and subject to legal penalties 2

3 Table of Contents 1- Executive summary Overview of drivers and requirements for Enterprise GRC Leading practices from Thomson Reuters Chartis RiskTech Quadrant for Enterprise GRC Appendix A: Chartis RiskTech Quadrant Methodology Further Reading

4 List of Figures and Tables Figure 1: Accelus data management...9 Figure 2: Thomson Reuters internal audit capabilities...14 Figure 3: Accelus reporting and BI tools...16 Figure 4: Chartis RiskTech Quadrant for Enterprise GRC Systems...19 Figure 5: Chartis RiskTech Quadrant research process...21 Figure 6: Chartis RiskTech Quadrant...22 Table 1: Thomson Reuters competitive position

5 1- Executive summary In 2012, organizations continued to expand usage of enterprise governance, risk, and compliance (EGRC) software. With so many governance, risk, and compliance-related stories in the news this year (LIBOR, BP, HSBC), this is probably not a shock. Following the financial crisis, it is perhaps not surprising that the focus of the drive to improve GRC has been on financial institutions. However, the pressure from regulators and shareholders on organizations in energy, healthcare, and other non-financial sectors is also increasing. The drive from improved enterprise GRC has focused on a number of trends: Increased focus on GRC as an enterprise-wide task; Risk management increasingly integrated with business strategy and execution processes; Greater decentralization of GRC; Greater focus on the threat from interrelated risks; Cross-fertilization of skills and techniques between financial and non-financial industries, including more use of qualitative approaches by the former and more use of quantitative approaches by the latter. The strategic profile of Chief Risk Officer (CRO) and Chief Compliance Officer (CCO) is rising and CROs and CCOs increasingly report directly to the board or CEO. Their higher profile has increased pressure on them to improve risk management initiatives and has resulted in greater demand for EGRC software. To achieve their goals, firms need robust technology systems. This report covers the specific technologies required for firms to improve their GRC processes, including enterprise GRC platforms, continuous monitoring and assessment functionalities, collaborative feedback systems, policy and procedure management, regulatory change management, and real-time risk intelligence. This report also covers the enterprise GRC capabilities and market position of Thomson Reuters, a leading worldwide provider of information and technology services. Chartis believes Thomson Reuters to be one of the leading vendors in the enterprise GRC marketplace. 5

6 2- Overview of drivers and requirements for Enterprise GRC Market drivers Across the globe, firms in the financial and non-financial sectors are struggling to deal with the impact of the financial crisis and a stagnant global economy. The crisis has forced firms to take another look at their internal governance procedures and at the way they manage risk. The most significant pressure has been placed on financial institutions, but internal drivers and increased demands from regulators are also affecting firms outside financial services. The key factors driving the adoption of enterprise GRC include: Increased regulatory scrutiny of senior management Across all sectors, regulators and supervisors are pressuring boards and senior management to take a greater role in managing GRC processes and issues. Regulators believe that senior management figures have not previously taken enough responsibility for GRC issues and need to be more accountable for the GRC structures and processes at their firms. More rigorous regulation and enforcement Regulators across numerous sectors are also increasing the number of rules and enforcing them more rigorously and strictly. While this driver for stricter enforcement has focused on financial services, laws and regulations in other sectors are also having a major impact, including environmental and energy regulations, anti-bribery and corruption laws, data protection and IT regulations, and the new IFRS accounting standards. Increased scrutiny of compensation With executive compensation under greater scrutiny, firms are no longer linking it exclusively to returns, but are now also linking it to risk exposures. Shareholders and regulators want to see a stronger relationship between the level of risk and the level of executive compensation. This means compensation committees, HR teams, and the risk function need to collaborate. Integrating risk exposures and compensation can help organizations to bring risk management into their business strategy and execution processes. Increased decentralization of GRC Firms are moving away from the mid-1990s to 2000s trend of centralizing GRC in the second line of defense and are increasingly investing their GRC budgets in the first line of defense, dispersing responsibility for GRC throughout the firm. Technology vendors need systems that can manage GRC in the first and second lines of defense, but few currently have that ability. Technology drivers Despite the global economic slowdown, the pace of technological progress has not slowed. Instead, the tough economic environment may have accelerated the pace of technology advancement, as organizations look to technology to gain and sustain competitive advantages. Firms need to be able to respond to a number of major technology trends The mobile revolution 75% of the world s population now has access to a mobile phone and increasing numbers of people use mobiles and tablets for professional purposes. Organizations need to offer their products and services through mobile devices, and as employees bring more mobile devices to work, need to re-think their IT security policies and processes to keep productivity gains, while protecting their assets. The increased use of mobile technology exposes firms to risks such as information theft, hackers, and fraud through IT loopholes. Social media and reputational risk The increased use of social media platforms has also increased firms exposure to reputational risk. Due to social media, a small event in any part of the world can get global coverage in minutes, increasing the potential reputational impact of risk events, forcing organizations to incorporate reputational impacts in their risk analysis. EGRC systems need to monitor social media channels, so that reputational impacts of risk events can be identified early and appropriate preventative actions can be taken. 6

7 Technology requirements Enterprise GRC platform Many firms are still using separate systems for different GRC requirements, but cost and complexity pressures are driving them to consolidate these systems. This will provide lower costs through consolidation and will give firms an integrated enterprise view of risk and compliance exposures. This will improve governance and risk oversight for board and senior management. A robust data management system To support an enterprise GRC platform, technology systems need to gather and integrate a wide variety of data items and have a single enterprise library of risks across all risk categories and a single enterprise library of controls across all risk categories. Systems also need to analyze large volumes of internal and external unstructured data, such as s, documents on internal website and content management systems, pertinent comments on social media, and industry news content. Self-assessment functionality EGRC systems should also manage IT risks and perform selfassessment of risks and controls at pre-defined frequencies (e.g. quarterly). To support selfassessment initiatives, it should be easy to capture results and store them in a database. Real-time assessment/monitoring Current manual risk monitoring processes are too static to identify emerging risks or changing risk exposures pro-actively. Firms recognize this limitation and are demanding the ability to monitor and assess risk exposures continuously. As risks and assessments are stored in EGRC software, dedicated continuous monitoring software needs to be integrated with EGRC software. Integration of risk/finance/performance EGRC systems need to provide an integrated view between business strategy-related information and GRC-related information. This will allow senior management to define and evaluate various categories of risk exposures, so the relationship between compensation, business performance, and risk exposure can be clearly demonstrated to key stakeholders. Integrated compliance and regulatory change management Increased attention to risk exposures by regulators means firms must replace Excel-based and silo-based G, R, and C systems with integrated solutions. These solutions need to update regulatory content regularly, perform frequent compliance assessments, and manage the end-to-end life cycle of policies related to GRC requirements effectively. Risk intelligence and visualization Senior management need integrated dashboards and reporting for simple, intuitive, and visual representation of risk and compliance exposures. GRC vendors also need to provide intuitive visualizations of interdependencies between risks across the organization. Collaboration and feedback functionality EGRC software can enhance levels of collaboration on risk and control assessment, reducing duplication and complexity. By bringing all risk and compliance issues into a unified EGRC environment, risk and compliance teams can collaborate, identify issues, and implement remediation actions together. EGRC systems also need to provide functionality to challenge risk assessment outcomes, so inputs can be collected from a wider group of users. Convergence with financial crime systems Most financial institutions already have anti-fraud and anti-money-laundering systems in place to address compliance requirements, loss-control objectives, and reputational risk concerns. Chartis believes that those vendors that can demonstrate the efficiencies and advantages of an integrated financial crime and GRC solution will have a competitive advantage. 7

8 3- Leading practices from Thomson Reuters Thomson Reuters provides information and technology solutions to businesses and professionals worldwide. The Financial and Risk division of the company provides information and transaction solutions, deep domain knowledge, rich industry insight, and high-level news and market data for financial professionals, as well as end-to-end solutions for GRC activities. Thomson Reuters combination of custom content, easy connectivity, and robust community serves over 500,000 professionals in 150 countries every day. Energy companies, investment firms, brokerage houses, industrial conglomerates, global corporations, and the largest global banks support and enable their most crucial financial decisions utilizing Thomson Reuters solutions. The complexity of simultaneous change across interconnected global markets means multi-national corporations and financial organizations across the spectrum must reshape their businesses as their markets are profoundly restructured, and they must do so with ever-greater integrity. Thomson Reuters solutions provide connectivity to colleagues, customers, compliance products, liquidity, and trading venues, streamed throughout users workflow in ways that are intuitive to use and easy to act on. The quality of the information enables users to find new assets, venues, markets, and opportunities ahead of their competitors. It enables traders to price competitively, investors to react swiftly when opportunities emerge, and compliance officers to know the rules locally and globally. Thomson Reuters suite of GRC solutions, called Thomson Reuters Accelus, aims to assist organizations in growing revenue and cutting costs, connecting assurance professionals and the broader GRC workflow, and managing the ever-changing risk and regulatory landscape. The Accelus suite provides solutions specific to audit, risk management, and compliance professionals, a central data repository, and common functionality for risk assessment, reporting, and issue tracking across all disciplines. Purpose-built to address the diverse requirements of internal assurance professionals, the Accelus Enterprise GRC platform provides dynamic functionality that enables organizations to embrace a connected approach to GRC. Designed as a comprehensive platform, the solution helps to break down the walls between audit, risk, and compliance groups and provides considerable value when organizations deploy the software across the enterprise. This solution provides comprehensive audit, financial controls management, operational risk management; IT controls/risk management, enterprise risk management and compliance/policy management functionality and is available through on premise deployments or via a SaaS delivery model. The system has comprehensive internal audit capabilities that enable organizations to standardize, automate and manage key aspects of the internal audit process including the sharing of audit findings, key risk areas and recommendations across compliance, IT, internal controls and risk management processes. Designed to address the entire audit process, the system has features for risk assessment, audit planning, scheduling, workpaper preparation, time and expense entry, audit report generation, and global issue tracking. The system has extensive compliance capabilities, including a single source for regulatory news, analysis, rules, a comprehensive policy workflow manager, integration to link regulatory intelligence with policy workflow, and a monitoring and event manager that can link regulatory information to internal business structures. The system also includes a collaborative system for case and issue management with event-based notifications and the option for integrated compliance training. Organizations can take a proactive approach to risk management by embracing enterprise risk management and operational risk management. Using the solution, business process owners can conduct independent risk evaluations using objective-based or process-specific structures and definitions. With a configurable, threedimensional risk framework, the solution provides a comprehensive view of material risks impacting an organization. This risk framework can be configured to a variety of organizational structures or methodologies, allowing organizations to adapt the solution to their systems and processes. The solution also supports a topdown risk assessment approach that measures risk for every entity in the organization and a process-level risk assessment approach to analyze business processes across the organization. The solution also offers extensive reporting features with a large library of standard reports, heat-maps and dashboards. The solution also includes ad hoc reporting tools that enable users to create customized managerial reports and charts. These reporting options provide the executive team direct oversight of compliance processes and risks. 8

9 Data management The Accelus suite solutions utilize a shared data model, which leverages common organization and process structures and supports the use of one-to-many shared risk and control models. One-to-one, one-to-many, and many-to-many relationships between data elements such as org structure, processes, risks, controls, objectives, assets, issues, events, and audits are supported by the data model. The product supports multiple risk and control models and can link the models to the risks and controls that belong to them. Data relationships can be imported through a standard data load process or mapped on an individual basis in the system, and viewed on graphical dashboards. Risk and control mapping relationships are inherited when these objects are mapped to different levels of the org structure or processes. Central to managing GRC data effectively also is leveraging a common regulatory taxonomy. The regulatory taxonomy facilitates the integration of regulatory intelligence with core GRC data. Figure 1, below, demonstrates Thomson Reuters data management model. Figure 1: Accelus data management CONTENT SOURCES FEDERAL, STATE & GLOBAL RULE BOOKS REGULATORY ALERTS MEDIA NEWS & ANALYSIS COMMON DATA ORGANIZATION STRUCTURES PROCESSES / PROJECTS RISKS CONTROLS TESTING / EVALUATIONS AUDIT Risk Management Audit Office Quality Management Resources Management Metrics Management Reporting & Issue Management COMPLIANCE Global Regulatory Event Tracking Business Impact Risk Management Policy Management Privacy & Suspicious Activity Supervisory Procedures Certifications Regulatory Exams & Inquiries CONTROLS MANAGEMENT Integrated Compliance, Operations & Financial Controls Management Certifications Key Performance Indicators BAC DATA via API ISSUES & ACTION PLANS Analysis & Consolidated Reporting Tools RISK MANAGEMENT Global Issues & Action Plan Management Key Risk Indicators Enterprise Risk Management Operational Risk Assessment Compliance management Thomson Reuters Accelus Compliance Management solutions provide organizations with a competitive advantage through capabilities that enables users to join up ever-changing regulatory information and connect it to their internal compliance business process workflow. Thomson Reuters Compliance Management solutions provide regulatory insight through the ability to identify, map, and track regulatory change and process integrity, with workflows designed to communicate, test, and audit controls, including policies and training. It is also designed to improve transparency with capabilities to evidence risk and controls to management and regulators. 9

10 Thomson Reuters Accelus Compliance Complete is a single source for regulatory news, analysis, rules, and regulatory developments, covering global rulebooks and regulations for the securities and banking industries. Compliance Complete regulatory content includes information from more than 330 regulators and exchanges around the world, tracking hundreds of individual regulatory events such as policy statements, speeches, rule filings, and consultation papers. A sample of regulators covered includes: Financial Services Authority (FSA), American Stock Exchange, Committee Banking Supervisors Financial Industry Regulatory Authority (FINRA), Australian Securities Exchange, Hong Kong Monetary Authority, and the Dubai Financial Services Authority (DFSA). Compliance Complete features include: News: Up-to-the-minute regional regulatory developments; Regulatory developments tracker: An early warning system for tracking upcoming regulatory developments; Analysis: Expert analysis provided by Thomson Reuters international editorial team; Rulebooks: Hosted regulatory rulebooks with the latest information and updates; Practice Notes: Practical expert guidance and advice; Regulatory Calendar: Online diary of upcoming regulatory events. Thomson Reuters Accelus Policy Manager offers compliance professionals an enterprise-wide solution that removes the cost and burden associated with policy management and directly connects internal policies to external regulatory rulebooks. This direct connection is a powerful tool that reduces lag time between rule changes and compliant behavior and helps to reduce a firm s exposure to regulatory censure because rule changes are automatically ed, as they occur, to the responsible compliance team members, alerting them that action is required. Features of Accelus Policy Manager include: Collaboration: Create roles and responsibilities for creating, editing, and managing policies; Evidence of Supervision: Complete audit trail of who has read and understood a policy; Version Control: Evidence detail of historical and current versions of policy content; Automation: Automated reports and chasers prompt users and assist with supervision; Security: Secure hosted content with full disaster recovery. Accelus Compliance Manager is designed to serve as a regulatory intelligence portal, giving the ability to track and assign regulatory events to organizational risks and owners, and to record and manage associated policies and controls. It comes with purpose-built compliance workflows to enhance the efficiency and effectiveness of compliance processes. Through a shared taxonomy focused on regulations and risks, the solution enables a common language of compliance and shared methodology, providing increased transparency and insight. Core features of the Accelus Compliance Manager include: Precise relationships between regulations and internal business structures and risks Regulatory information and updates from Thomson Reuters Regulatory events are dynamically linked to the relative risk, policies and controls, and communicated to the respective business owners Centralized policy management, record-keeping, and training Management and sharing of regulatory information, risks, policies, controls, test results, and management remediation data stored in a central library Centralized issue management and remediation plan documentation for compliance related processes Robust, configurable reporting delivered through alerts, status reports, dashboards, and heat maps 10

11 Risk Management Thomson Reuters Accelus Risk Manager is both powerful and flexible, enabling executives to strengthen risk assessment processes, quantify and aggregate risks, and engage in a proactive approach to risk management. Thomson Reuters Accelus Risk Manager s flexibility and completeness of functionality allow it to deliver capabilities that fit well with each company s unique risk management methodology and framework. The solution provides extensive support for regulatory and compliance frameworks such as Basel 2 and Solvency II and widely-recognized industry standards including ISO 31000, ONR 49000, COSO and ITIL. As a comprehensive risk management solution, Accelus Risk Manager provides features for risk assessments, indicator monitoring, loss event tracking, and risk quantification and analysis. Thomson Reuters Accelus Risk Manager is designed to automate the tracking of risks no matter what risk framework is used. The solution features an assessment library in which all relevant questionnaire templates to assess risks, controls, and processes, both qualitatively and quantitatively, are held. Users can tailor their assessments to meet their organization s risk identification and tracking processes. Evaluation of risk information is supported through individual parameterized scoring and calculation formulas, as well as the aggregation of assessments. The system has the ability to rate inherent risk, risk tolerance, and residual risk. Users can rate risks using multiple factors, with values and parameters defined by the administrator during setup. Through the process of risk assessment, risk scores are entered by the user and stored with the risk record. Risk measurement can be driven from either a top-down or bottom-up process. Controls can be associated with risks and assessment scores are managed in a similar manner to that of risks. As a purpose-built risk management solution, one of the most powerful capabilities of the software is in the area of risk quantification. The step-wise approach to risk quantification involves: 1. Development of the general approach; 2. Statistical analysis of loss data; 3. Modeling of risk assessment data; 4. Determination of correlations; 5. Analysis of different scenarios. Collected data and/or risk estimations captured by assessments are the basis for the calculation of loss distributions. The module currently supports AMA measures as defined by the Basel Committee. Users can estimate adequate distribution functions and risk measures (such as VaR) for the regulatory combinations of business lines and event types, or for areas set up internally. A sophisticated aggregation matrix is a valuable feature, as is the capability to upload external matrices. Support is also given for definition of a standardized procedure to extend the internal database with external data (ORX, other consortium data), with sparse data (or a lack of data) being enriched by expert estimation. Results from the supervision of Key Risk Indicators or of the Assessment can be used as conditioning information. Specific quantification capabilities include the following: Severity estimations* Count data regression of loss frequency on ratings from KRI or SAM Frequency estimations** Entry of expert estimation of loss distribution Sensitivity analysis Credibility weighted combination of data and expert estimation Calculation of expected shortfall Monte Carlo simulation of conditional loss distribution based on regression Frequency/severity histograms, stats Inclusion of external losses into estimation of distribution parameter Inclusion of insurance contracts Graphical analysis of loss severity (QQ-Plot, ME-Plot) Aggregation of loss distributions Monte Carlo simulation of loss distribution Value-at-Risk, economic capital * Lognormal, Normal, Exponential, Gamma, Pareto, Generalized Pareto, Piece-wise Uniform. ** Poisson, Negative Binomial, Binomial, Geometric. 11

12 Incident, loss event recording, and KRIs Thomson Reuters Accelus Risk Manager tracks root causes, actual loss events, and recovery efforts to supply quantitative data about the true costs of risks. The system supports freely configurable capture forms for enterprise collection and management of events, risks, monetary, and non-monetary losses, as well as near misses. Events and effects can dynamically be assigned to any organizational units, processes, or business products. The sophisticated capture and validation workflow can be linked to internal management accounting and external loss data sources. It also provides a full audit trail for compliance purposes, while enabling management oversight of significant risks. The solution captures detailed loss event data including: Event identity; Event status; Textual event descriptions; Geography, business line, department, and individual event mapping; Process details; Risk categorizations; Data information including detection, durations, settlement, recovery; Audit control points and sign-offs; Source data and causal data. Loss events can be entered directly into the system or mapped for third-party systems through standard APIs. Loss events can be associated with one or more risks in the system and risks can have one or more controls associated with them. Reporting, trend analysis, and quantitative risk calculations can be facilitated utilizing the reporting tools or ad-hoc reporting feature of the product. KPIs and KRIs can also be set up to monitor key business process performance and likelihood or significance of risk, if an event occurs. Three independent thresholds can be set to monitor KPIs and KRIs, so that organizations can set thresholds and internal or external benchmarks. KPIs and KRIs can be configured to monitor business process performance and risk events. Independent thresholds can be configured to monitor KPI and KRI tolerance band breaches and internal or external benchmarks. 12

13 Audit management Audit management is a core capability of the platform, with a heritage of over 17 years of experience and customer feedback. The audit functionality of the solution is displayed in Figure 2, below and features of the audit management solution include: Electronic work-papers to manage the capture of audit related documentations; Planning & Scheduling: Defining what to audit, who will do the work and time tracking; Documentation: A structured way to capture, manage and organize the work product of internal audit; Issue Tracking: Capturing, managing, communicating and resolving audit issues and action plans; Reporting: Providing visibility and transparency to organizational stakeholders; Review and approval of audits, audit programs and work-papers; Central database of information, automated planning and resource management; Automated risk assessments; Comprehensive, executive reporting. The solution comes delivered with the Cobit control model and the option for the UCF framework to be delivered. It supports the business processes of IT audit, IT controls management, and IT risk management. IT policies can be defined and set-up. Figure 2: Thomson Reuters internal audit capabilities Audit Universe Risk Assessment Intelligent Information Audit Scheduling Issue Tracking INTERNAL AUDIT Resource Management Electronic Workpapers Audit Checklists Time & Expense Entry 13

14 Issue and case management The issue tracking feature of the solution can track issues for processes, risks, strategic risks, controls, policies, and laws and regulations. Supporting documentation can be captured through document management capabilities, including outputs from feeds of whistleblower reports, quality issues, and customer complaints. Issues can link to supporting information in supporting systems via in-context URL linking. Alerts, notifications, and pending actions are delivered via and also are featured as an item on the respective end-users personalized to-do list that is presented as they log into the application. The alerts and notifications functionality gives users the flexibility to configure their own notifications and provides the capability to determine the timing of those notifications. An easy access link is contained in all alerts to provide a link to the specific form or record, enabling quick access to the items end-users need. The case and issue management features of the platform include: A collaborative system for tracking, managing, and resolving cases and issues across the organization; Role based with owners, coordinators and reviewers; and alerts capabilities to drive event based notifications; Provides a common meeting place, where all parties involved in issues and cases can contribute to the process at the appropriate junctures; Document management capabilities to attach and version control evidence; Features to create 1 or more action plans for follow up that link back to the original case or issue; Multiple status and date fields to track the case activity, status and due dates; Security controls to limit access to who can view, edit and manage a specific case or issue; Ability to link cases and issues to policies, risks, controls, events and processes. The system provides functionality for capturing, storing, and managing documents. Functionality includes check-in, check-out, version control, audit trails, search, and document linking. Risk information is documented in standard forms and leveraged through association with one or more risk models. Reporting and business intelligence The reporting solutions are designed for the business user and require minimal training. Customized reports are typically created by the end-user or power users of the system. Clients also have the option to leverage Thomson Reuters professional services team for custom report creation. Enterprise GRC supports the use of both proprietary reporting tools as well as the use of industry standard reporting tools such as Cognos, Business Objects and Hyperion; Ad hoc, SNAP! Reporter and the Enterprise Reporting Connector are proprietary and provide the ability to schedule reports. Report outputs can be saved as Word, Excel, HTML and PDF; These reporting solutions also support the ability to drill into reports via notification as well as access detailed reporting information by drilling down into data; End-users have the capability to easily create reports, configure dashboards, and toggle between information displays on personalized workspaces; Through an enterprise reporting connector the solution supports the use of industry standard reporting tools such as Cognos, Business Objects, Hyperion or other solutions; Reports can be saved as HTML, Excel, and PDF formats; Customized reports are built through a wizard like interface that walks through a selection of data areas, data fields, filters, and formatting options. A similar interface is used for simple ad-hoc reports, dashboards, SNAP reports, or reports created utilizing a connection from a third party tool such as Business Objects. All report creation goes through the business application layer which enforces data level security and provides information regarding related tables and fields. 14

15 A standard feature of the configurable user interface is the creation of topic specific dynamic dashboards. Dashboards offer a choice of multiple graphical displays, panel sizes, data field selection, and field filters. Dashboards are designed to be configured by end-users. Role or topic specific dashboards can be defined by administrators for roll out to the broader user community. The system contains powerful, user-friendly reporting tools to communicate an aggregated view of risk and compliance data through dashboards, heat-maps, and reports. Proprietary tools provide report outputs that can be scheduled and saved as Word, Excel, HTML and PDF. These reporting solutions also support the ability to drill into reports via notification as well as access detailed reporting information by drilling down into data. Figure 3: Accelus reporting and BI tools INTERACTIVE BOARD REPORTING GRC WORD ADD-IN + ENTERPRISE GRC DATABASE MICROSOFT WORD DESKTOP REPORTING GRC DIRECT CONNECT ODBC DRIVER CRYSTAL REPORTS + * CUSTOM DATAMART OR DATA WAREHOUSE THIRD-PARTY REPORTING * GRC OPEN API ENTERPRISE GRC SERVER + Delimited CSV Text XML MANUAL OR PROGRAMMATIC SECURE DATA DOWNLOADS + * Supplied with Enterprise GRC Optional Client-Supplied Technology 15

16 4- Chartis RiskTech Quadrant for Enterprise GRC Presenting a single competitive landscape for the GRC technology marketplace can be very difficult. The capabilities offered by each vendor change continually and entirely new categories of vendors continue to emerge. Additionally, many vendors are positioned in several places, because they offer a wide range of capabilities addressing different aspects of GRC (e.g. policy management, audit, financial risk, transaction monitoring, operational risk). A further consideration is the variety of capabilities and domain specific functionality and content needed by different industry sectors. For example, the GRC requirements of the financial services industry are significantly different (due to the advanced quantitative needs of banking, capital markets, and insurance and regulations including anti-money laundering, know-your-customer, Basel 2, Solvency II, Dodd-Frank, etc.) to the non-financial sector (e.g. sectors such as energy, transportation, and manufacturing have greater emphasis on human factors, health, safety and environment risks and regulations). Chartis considers Thomson Reuters to be a leading vendor in the Enterprise GRC market. Thomson Reuters position in our view of the vendor landscape is based on our assessment of its relative strengths/weaknesses, in Table 1, below. Figure 4, below, describes Chartis s view of the vendor landscape for enterprise GRC technology solutions. Table 1: Thomson Reuters competitive position Completeness of Offering: Breadth of functional capabilities (including reporting) Advanced analytics Usability Configurability Data management and performance Actionable risk and compliance content ERM support - integration with other related areas (e.g. market risk, credit risk, regulatory reporting) Medium Medium Medium Market share potential: Existing customer base Global footprint Size and financial stability Scalability of sales distribution channels (including alliances) Marketing and brand awareness R&D expenditure and innovation capabilities Implementation and support capabilities (including alliances) Growth strategy Medium Medium 16

17 The RiskTech Quadrant is a proprietary methodology developed specifically for the risk technology marketplace. It takes into account product and technology capabilities of vendors as well as their organizational capabilities. Appendix A sets out the generic methodology and criteria used for the RiskTech Quadrant. For enterprise GRC, we considered the following criteria as particularly important: 1- Completeness of Offering: Risk identification Risk monitoring Inherent and residual risk analysis Risk evaluation Controls monitoring Scenario analysis Library functionality Regulatory content and compliance by industry and geography Policy management Issues and action management Loss event and incident management Audit management Crisis management and business continuity Document management Workflow management Integration capabilities Data management Embedded domain knowledge 2- Market Potential: Existing enterprise GRC client base Track record of delivering successful enterprise GRC projects Growth strategy and brand Post-sales implementation and support capabilities Strategy for and investment in continued innovation in GRC solution and related products Potential volume of GRC wins Potential value of GRC deals (i.e. Tier 1 clients vs. Tier 2 or Tier 3 clients) Scalability of business model i.e. repeatable sales and delivery capabilities Geographical reach Financial strength 17

18 Figure 4: Chartis RiskTech Quadrant for Enterprise GRC Systems Best-of-Breed Category Leaders = Key Strengths in Multiple Industries MARKET POTENTIAL Thomson Reuters MetricStream IBM Detica NetReveal NASDAQ-BWise WoltersKluwer FS NICE Actimize Software AG SAS RSA SAP Protiviti Mega Oracle Palantir Wynyard YarcData SAI Global Enablon BPS Resolver ActiveRisk Cura Technologies Chase Cooper = Strongest in Financial Services = Strongest in Non-Financial Sectors Low Point Solutions Enterprise Solutions Low COMPLETENESS OF OFFERING 18

19 5- Appendix A: Chartis RiskTech Quadrant Methodology Independence Chartis is a research and advisory firm that provides technology and business advice to the global risk management industry. Chartis provides independent market intelligence regarding market dynamics, regulatory trends, technology trends, best practices, competitive landscapes, market sizes, expenditure priorities, and mergers and acquisitions. Chartis s RiskTech Quadrant reports are written by experienced analysts with hands-on experience of selecting, developing, and implementing risk management systems for a variety of international companies in a range of industries including banking, insurance, capital markets, energy, and the public sector. Chartis s research clients include leading financial services firms and Fortune 500 companies, leading consulting firms, and risk technology vendors. The risk technology vendors that are evaluated in the RiskTech Quadrant reports can be Chartis clients or firms with whom Chartis has no relationship. Chartis evaluates all risk technology vendors using consistent and objective criteria, regardless of whether or not they are a Chartis client. Where possible, risk technology vendors are given the opportunity to correct factual errors prior to publication, but cannot influence Chartis s opinion. Risk technology vendors cannot purchase or influence positive exposure. Chartis is authorized and regulated by the Financial Services Authority (FSA) in the UK for providing investment advice and adheres to the highest standards of governance, independence, and ethics. Inclusion in the RiskTech Quadrant Chartis seeks to include risk technology vendors that have a significant presence in a given target market. The significance may be due to market penetration (e.g. large client-base) or innovative solutions. Chartis does not give preference to its own clients and does not request compensation for inclusion in a RiskTech Quadrant report. Chartis utilizes detailed and domain-specific vendor evaluation forms and briefing sessions to collect information about each vendor. If a vendor chooses not to respond to a Chartis vendor evaluation form, Chartis may still include the vendors in the report. Should this happen, Chartis will base its opinion on direct data collated from risk technology buyers and users, and from publicly available sources. Research Process The findings and analyses in the RiskTech Quadrant reports reflect our analysts considered opinions, along with research into market trends, participants, expenditure patterns, and best practices. The research life cycle usually takes several months, and the analysis is validated through several phases of independent verification. Figure 5, below, describes the research process. 19

20 Figure 5: Chartis RiskTech Quadrant research process Identify research topics Market surveys Client feedback Regulatory studies Academic studies Conferences 3 rd party information sources Select research topics Interviews with industry experts Interviews with risk technology buyers Interviews with risk technology vendors Decision by Chartis Research Advisory Board Data gathering Develop detailed evaluation criteria Vendor evaluation form Vendor briefings and demonstrations Risk technology buyer surveys and interviews Evaluation of vendors and formulation of opinion Demand and supply side analysis Apply evaluation criteria Survey data analysis Check references and validate vendor claims Follow-up interviews with industry experts Publication and updates Publication of report On-going scan of the marketplace Continued updating of the report Chartis typically uses a combination of sources to gather market intelligence. These include (but are not limited to): Chartis Vendor Evaluation Forms A detailed set of questions covering functional and non-functional aspects of vendor solutions, as well as organizational and market factors. Chartis s vendor evaluation forms are based on practitioner level expertise and input from real-life risk technology projects, implementations, and requirements analysis. Risk Technology User Surveys As part of its on-going research cycle, Chartis systematically surveys risk technology users and buyers, eliciting feedback on various risk technology vendors, satisfaction levels, and preferences. 20

21 Interviews with Subject Matter Experts Once a research domain has been selected, Chartis undertakes comprehensive interviews and briefing sessions with leading industry experts, academics, and consultants on the specific domain to provide deep insight into market trends, vendor solutions, and evaluation criteria. Customer Reference Checks These are telephone and/or checks with named customers of selected vendors to validate strengths and weaknesses, and to assess post-sales satisfaction levels. Vendor Briefing Sessions These are face-to-face and/or web-based briefings and product demonstrations by risk technology vendors. During these sessions, Chartis experts ask in-depth, challenging questions to establish the real strengths and weaknesses of each vendor. Other Third Party Sources In addition to the above, Chartis uses other third party sources of information such as conferences, academic and regulatory studies, and collaboration with leading consulting firms and industry associations. Evaluation Criteria The RiskTech Quadrant evaluates vendors on two key dimensions: 1. Completeness of offering 2. Market potential Figure 6: Chartis RiskTech Quadrant Best-of-Breed Category Leaders MARKET POTENTIAL Low Point Solutions Enterprise Solutions Low COMPLETENESS OF OFFERING 21

22 The generic evaluation criteria for each dimension are set out below. In addition to the generic criteria below, Chartis utilizes domain-specific criteria relevant to each individual risk. These are detailed in the individual Vendor Evaluation Forms, which are published as an appendix to each report. This ensures total transparency in our methodology and allows readers to fully appreciate the rationale for our analysis. Completeness of offering: Depth of functionality The level of sophistication and amount of detailed features in the software product (e.g. advanced risk models, detailed and flexible workflow, domain-specific content). Aspects assessed include: innovative functionality, practical relevance of features, user-friendliness, flexibility, and embedded intellectual property. scores are given to those firms that achieve an appropriate balance between sophistication and user-friendliness. In addition, functionality linking risk to performance is given a positive score. Breadth of functionality The spectrum of requirements covered as part of an enterprise risk management system. This will vary for each subject area, but special attention will be given to functionality covering regulatory requirements, multiple risk classes, multiple asset classes, multiple business lines, and multiple user types (e.g. risk analyst, business manager, CRO, CFO, Compliance Officer). Functionality within risk management systems and integration between frontoffice (customer-facing) and middle/back office (compliance, supervisory, and governance) risk management systems are also considered. Data management and technology infrastructure The ability of risk management systems to interact with other systems and handle large volumes of data is considered to be very important. Data quality is often cited as a critical success factor and ease of data access, data integration, data storage, and data movement capabilities are all important factors. Particular attention is given to the use of modern data management technologies, architectures, and delivery methods relevant to risk management (e.g. in-memory databases, complex event processing, component-based architectures, cloud technology, software-as-a-service). Performance, scalability, security, and data governance are also important factors. Risk analytics The computational power of the core system, the ability to analyze large amounts of complex data in a timely manner (where relevant in real-time), and the ability to improve analytical performance are all important factors. Particular attention is given to the difference between risk analytics and standard business analytics. Risk analysis requires such capabilities as non-linear calculations, predictive modeling, simulations, scenario analysis, etc. Reporting and presentation layer The ability to present information in a timely manner, the quality and flexibility of reporting tools, and ease of use are important for all risk management systems. Particular attention is given to the ability to do ad-hoc on-the-fly queries (e.g. what-if-analysis), as well as the range of out-of-the-box risk reports and dashboards. Market potential: Market penetration Both volume (i.e. number of customers) and value (i.e. average deal size) are considered important. Also, rates of growth relative to sector growth rates are evaluated. Brand Brand awareness, reputation, and the ability to leverage current market position to expand horizontally (with new offerings) or vertically (into new sectors) are evaluated. Momentum Performance over the previous 12 months is evaluated, including financial performance, new product releases, quantity and quality of contract wins, and market expansion moves. 22

23 Innovation New ideas, functionality, and technologies to solve specific risk management problems are evaluated. Developing new products is only the first step in generating success. Speed to market, positioning, and translation into incremental revenues are critical success factors for exploitation of the new product. Chartis also evaluates business model or organizational innovation (i.e. not just product innovation). Customer satisfaction Feedback from customers regarding after-sales support and service (e.g. training and ease of implementation), value for money (e.g. price to functionality ratio) and product updates (e.g. speed and process for keeping up to date with regulatory changes) is evaluated. Sales execution The size and quality of sales force, sales distribution channels, global presence, focus on risk management, messaging, and positioning are all important factors. Implementation and support Important factors include size and quality of implementation team, approach to software implementation, and post-sales support and training. Particular attention is given to rapid implementation methodologies and packaged services offerings. Thought-leadership Business insight and understanding, new thinking, formulation and execution of best practices, and intellectual rigor are considered important by end-users. Financial strength and stability Revenue growth, profitability, sustainability, and financial backing (e.g. the ratio of license to consulting revenues) is considered as key to scalability of the business model for risk technology vendors. Quadrant Descriptions: Point Solutions Providers of point solutions focus on a relatively small number (typically two or three) of component technology capabilities. These vendors meet a very important need in the risk technology market by solving specific risk management problems with domain-specific software applications and technologies. Point solution providers also provide a strong engine for innovation as their deep focus on relatively narrow subject areas generates thought leadership and intellectual capital. These vendors often have gaps relating to the broader enterprise risk management functionality and do not have the integrated data management, analytics, and business intelligence capabilities found in enterprise technology platforms. Furthermore, these vendors have not yet developed the organizational characteristics for capturing significant market share. Their growth is often constrained by lack of financial and human resources, or relatively weak sales and marketing execution. Best-of-Breed Providers of best-of-breed solutions have best-in-class point solution capabilities together with the organizational characteristics to capture significant market share in their chosen target markets. Providers of best-of-breed solutions usually have a growing client-base, superior sales and marketing execution, and a clear strategy for sustainable profitable growth. Best-of-breed solution providers can also demonstrate a healthy rate of investment in research and development, and have specific product or go-to-market capabilities that give them a competitive advantage. Best-of-breed solution vendors have depth of functionality, but lack the breadth of technology and functionality required to provide an integrated enterprise-wide risk management system. Best-of-breed solutions are often considered as a subset of more comprehensive risk technology architecture and are required to co-exist with other third party technologies or in-house systems to provide an integrated solution to a given risk management problem. 23