
Vendor Highlights: Aravo Solutions


Independent research by

April 2017

Third-Party Risk Management 2017

Vendor Highlights: Aravo Solutions

© Copyright Chartis Research Ltd 2017. All Rights Reserved

About Chartis

Chartis Research is the leading provider of research and analysis on the global market for risk technology. It is part of Incisive Media, which owns market-leading brands such as Risk and Waters Technology. Chartis’s goal is to support enterprises as they drive business performance through improved risk management, corporate governance and compliance and to help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on virtually all aspects of risk technology. Areas of expertise include:

• Credit risk

• Operational risk and governance, risk and compliance (GRC)

• Market risk

• Asset and liability management (ALM) and liquidity risk

• Energy and commodity trading risk

• Financial crime including trader surveillance, anti-fraud and anti-money laundering

• Cyber risk management

• Insurance risk

• Regulatory requirements including Basel 2 and 3, Dodd-Frank, MiFID II and Solvency II

Chartis is solely focused on risk and compliance technology, which gives it a significant advantage over generic market analysts.

The firm has brought together a leading team of analysts and advisors from the risk management and financial services industries. This team has hands-on experience of implementing and developing risk management systems and programs for Fortune 500 companies and leading consulting houses.

Visit www.chartis-research.com for more information.

Join our global online community at www.risktech-forum.com.

© Copyright Chartis Research Ltd 2017. All Rights Reserved. Chartis Research is a wholly owned subsidiary of Incisive Media Ltd.

No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Chartis Research Ltd. The facts contained within this report are believed to be correct at the time of publication but cannot be guaranteed.

Please note that the findings, conclusions and recommendations Chartis Research delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. Chartis Research accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis. See Chartis ‘Terms of Use’ on www.chartis-research.com.

RiskTech100®, RiskTech Quadrant®, FinTech Quadrant™ and The Risk Enabled Enterprise® are Registered Trade Marks of Chartis Research Limited.

Unauthorized use of Chartis’s name and trademarks is strictly prohibited and subject to legal penalties.


Table of contents

1. Executive summary

2. Aravo Solutions: vendor highlights

3. Context

4. Appendix A: RiskTech Quadrant® methodology

5. How to use research and services from Chartis

6. Further reading


List of figures and tables

Figure 1: RiskTech Quadrant® for third-party risk management systems 2017

Figure 2: Aravo’s third-party lifecycle management process

Figure 3: Risk dashboard

Figure 4: Workflow management

Figure 5: RiskTech Quadrant® research process

Figure 6: RiskTech Quadrant®

Table 1: Aravo Solutions – company information

Table 2: Completeness of offering – Aravo Solutions

Table 3: Market potential – Aravo Solutions


1. Executive summary

This report provides an independent evaluation and description of Aravo Solutions’ leading practices and competitive position. The analysis is based on information in the Chartis Report Enterprise GRC Solutions: Market Update 2017, and the RiskTech Quadrant® for third-party risk management solutions.

The report also includes brief coverage of:

• The main demand-side trends in this market, with an analysis of the key business and regulatory challenges.

• The supply-side dynamics, with a focus on the vendor landscape.

Enterprise Governance, Risk and Compliance (GRC) is now well established. The concept of ‘connected’ GRC is becoming more important, but end users and vendors are largely struggling with the concept; financial institutions in particular are still taking a mostly siloed approach to GRC, with weak links between departments. There is, however, potential for significant and widespread changes to enterprise GRC. The trend continues toward increasingly integrated GRC platforms, despite regulatory uncertainty and shifting definitions of what constitutes misconduct. This trend is driven largely by costs and supply-side factors, including:

• An increasing focus on the cost of GRC and compliance-specific technologies. Firms’ aggressive cost prioritization programs have placed a greater than usual emphasis on the cost of GRC and compliance technology.

• The need to keep customers front and center of all operations.

• Developments in sophisticated data-driven technologies. A whole new ecosystem of data analytics has developed, including standard Big Data platforms such as Hadoop, Artificial Intelligence (AI) in the cloud, and analytical languages such as Python, R and Lua.

• The emergence of AI and robotics (software that controls and automates rule-based processes, removing the need for human supervision) as fundamental components of workflow platforms.

A particular focus within Enterprise GRC is conduct risk; regulators are giving out larger fines and increasingly targeting individuals for misconduct. And tightening regulations mean that firms, in addition to managing misconduct within their own organizations, are increasingly required to deal with misconduct originating from their business and supply chain partners, as well as other sources of disruption, including data breaches and natural disasters. Doing this requires third-party risk management: firms must apply due diligence when selecting and evaluating their business partners, which relies heavily on access to data from internal and external sources. To protect themselves from third-party failures, firms must generate their own data, or get it from other sources. This focus on data gives vendors with strong data provision and management backgrounds a distinct advantage.


2. Aravo Solutions: vendor highlights

Company information

Table 1 summarizes the key facts about Aravo and its offerings in the market for third-party risk management solutions.

Table 1: Aravo Solutions – company information

Company: Aravo Solutions, Inc.

Headquarters: San Francisco, California, US

Other offices: Dallas, Portland, London (UK)

Description: Founded in 2000, Aravo supplies Software-as-a-Service (SaaS) solutions to clients drawn from the Forbes Global 2000. These solutions focus on:

• Third-party risk management

• Scalable compliance

• Anti-bribery and anti-corruption

• Data security and data privacy

• Responsible sourcing

• Third-party and supplier registration and qualification

Services/offerings: Aravo offers a configurable and scalable GRC SaaS platform that enables users to adopt a broad range of solutions to meet their requirements. Aravo’s market focus is on helping large, complex organizations manage their third-party risk programs across the enterprise using a holistic and federated approach. It also has pre-defined applications for a range of programs, including anti-bribery and corruption, responsible sourcing, data security and privacy, and European Union (EU) General Data Protection Regulation (GDPR) third-party compliance.

Source: Aravo Solutions

Competitive position

Figure 1 illustrates Chartis’s latest view of the vendor landscape for third-party risk management solutions. In this RiskTech Quadrant®, Aravo is positioned as a Category Leader. In our Completeness of Offering table, Aravo rates highly for the functionality of its third-party risk management offerings, which include: third-party validation and verification, data collection and management, third-party coverage and risk assessment. Aravo also has a good track record of delivering third-party risk management solutions, domain knowledge and thought leadership, and has a scalable business model.

The RiskTech Quadrant® is a proprietary methodology developed specifically for the risk technology marketplace. It takes into account vendors’ product, technology and organizational capabilities¹.

¹ The full methodology and criteria for the RiskTech Quadrant® can be found in the appendix to this report.


We consider the following criteria to be particularly important:

Completeness of offering. This assessment looks at a number of criteria, including:

• Third-party validation and verification

• Data collection and management

• Third-party coverage and risk assessment

• Significant event monitoring and notification

• Audit trail documentation

Market potential. This assessment looks at a vendor’s existing third-party risk management client base (which can highlight a vendor’s market potential), and considers financial strength, geographic reach and domain knowledge, as well as a vendor’s track record of delivering successful third-party risk management solutions.

Tables 2 and 3 indicate our rankings for Aravo in each of these categories.


Figure 1: RiskTech Quadrant® for third-party risk management systems 2017

[Figure: quadrant chart. Horizontal axis: Completeness of offering (Low to High). Vertical axis: Market potential (Low to High). Quadrants: Best-of-breed, Point solutions, Category leaders, Enterprise solutions. Vendors plotted: eFront, Fenergo, FICO, Governor Software, IHS Markit, IBM, MEGA, MetricStream, Nasdaq, Protiviti, RSA, SAP, Thomson Reuters, Wolters Kluwer, Aravo.]

Source: Chartis Research

Table 2: Completeness of offering – Aravo Solutions

Completeness of offering | Coverage
Third-party validation and verification | High
Data collection and management (including management of internal and external data) | High
Third-party coverage | High
Third-party risk assessment (including risk scoring) | High
Significant event monitoring and notification (including real-time/daily monitoring/notification) | High
Audit trail documentation | High

Source: Chartis Research


Table 3: Market potential – Aravo Solutions

Market potential | Coverage
Existing third-party management solutions client base | Medium
Track record of delivering successful third-party risk management solutions | High
Growth strategy and brand | Medium
Post-sales implementation and support capabilities | High
Strategy for and investment in research and development related to third-party risk management | High
Domain knowledge and thought leadership regarding third-party risk management | High
Scalability of business model (i.e., repeatable sales and delivery capabilities) | High
Geographical reach | Medium
Financial strength | Medium

Source: Chartis Research

Leading practices

GRC platform

Aravo is a vendor of cloud-based, Software-as-a-Service (SaaS) solutions used mainly in Global 2000 companies across the automotive, defense, consumer packaged goods, mining, financial services, pharmaceutical and life sciences, and technology industries. Companies in these sectors have complex supply chains and third-party networks, and require a platform that is highly configurable, flexible and scalable. Aravo’s system deploys a three-tier Java technology stack that uses various load-balancing techniques that can be integrated with customer applications using web services. The capabilities of Aravo’s GRC platform can be broken down into four main components:

• Content management – streamlines the collection and management of content across various formats and types (i.e., contracts, due diligence reports, regulatory data).

• Relational data model – creates relationships between different data and content objects such as regulations, policies and risks.

• Workflow management – defines and automates workflows.

• Reporting, dynamic dashboards and visualization – measures status and supports intelligent decision making.

Aravo has focused its GRC platform on third-party risk management applications designed to offer a coordinated and holistic approach to third-party risk management across the third-party lifecycle.


Third-party risk management

An increasingly important aspect of enterprise GRC is third-party risk management, which is diverse and complex. Aravo helps firms protect their business value and reputation, and supports better performance management through its enterprise-wide platform, offering an end-to-end solution that can manage the entire lifecycle of third-party risk management (see Figure 2):

• Strategy and planning. Third-party risk strategy is developed, and the cost and benefits are considered, while the risk appetite is incorporated into the process.

• Due diligence and third-party selection. Risk is identified, assessed and prioritized, and risk assessments are conducted. During this stage due diligence and enhanced due diligence activities are performed and recorded.

• Contract and onboard. Risk, compliance and performance requirements are incorporated into contracts and reporting capabilities. At this stage contracts, including those for segmented expiration, are managed against Service-Level Agreements (SLAs) and/or other contractual identifiers.

• Manage and monitor. Risk is recorded and monitored against Key Performance Indicators (KPIs), and risk assessments are conducted across all risk profiles. Further, issues are documented and escalated, and third-party reviews scheduled for full remediation capabilities. This stage provides real-time risk reporting, top management reports, dashboards and visualization. Ongoing monitoring throughout the relationship is also provided here.

• Terminate and off-board. At this stage users can determine whether they need to stop using a particular third party. This stage also enables users to manage the off-boarding process and block payments.


Figure 2: Aravo’s third-party lifecycle management process

Source: Aravo Solutions

The third-party risk management platform’s capabilities include:

• Onboarding. Ensures that the required third-party processes, including due diligence, risk management, compliance, sourcing, procurement and performance, are delivered in an automated, centralized and consistent fashion that can be easily tracked and audited.

• Third-party portal/registration. Provides a self-service option for third parties which automates and standardizes the registration process to ensure that all required information is gathered and kept up-to-date on an ongoing basis.

• Qualification. Ensures that all third parties and trading partners meet or exceed regulatory standards, and that those standards are established by the user.

• Master Data Management (MDM). Provides a single source of truth for third-party and supplier information, providing an enterprise-wide view of third parties. The relational data model allows many-to-one relationships between Aravo and third-party records in other enterprise systems to be mapped.

• Due diligence. Automates initial and ongoing due diligence with a systematic and consistent approach. Facilitates credit checks, beneficial ownership checks, sanctions and watch-list screening, information security audits, sustainability audits, conduct risk assessments and the collection of appropriate documentation and certification.


• Contract management. Storage and management of contracts with workflow-driven reminders, reviews and approvals.

• Risk scoring, assessment and management. Automates and continuously scores and assesses the risks originating from third parties. Integrates risk data (sourcing and management) from past events, third-party information and screening processes. Manages and controls risks through contract management and mitigation programs.

• Regulatory compliance. Manages both corporate and industry-specific regulatory compliance, including anti-bribery, anti-corruption, the Foreign Corrupt Practices Act (FCPA), data security and privacy (EU GDPR), anti-slavery, conflict minerals, and trade compliance programs. Supports compliance with the Consumer Financial Protection Bureau (CFPB) and the Office of the Comptroller of the Currency (OCC) in the US, and the Financial Conduct Authority (FCA) in the UK for financial services.

• Compliance management. Ensures third parties are adhering to compliance programs for code of conduct, information security, environmental, health and safety standards, and responsible sourcing.

• Monitoring and performance review. Uses dashboards, reporting and drill-down capabilities, and provides continuous monitoring and flagging of risk and performance issues.

• Audit. Provides evidence of compliance with full audit traceability.

Aravo provides a common platform on which its clients can manage all their third-party programs. Multinationals operating in multiple jurisdictions face different sets of rules in different parts of the world. Aravo’s solution provides capabilities for managing third-party compliance against multiple regulations and directives, including:

• Basel 1, 2 and 3

• Solvency II

• Dodd-Frank

• Sarbanes-Oxley

• International Financial Reporting Standards (IFRS)

• International Accounting Standards (IAS)

• US Generally Accepted Accounting Principles (GAAP)

• Markets in Financial Instruments Directive I and II (MiFID I and II)

• Fundamental Review of the Trading Book (FRTB)

• Market Abuse Directive (MAD) II


• Undertakings for Collective Investment in Transferable Securities (UCITS)

• Anti-bribery and corruption (specifically FCPA and the UK Bribery Act)

• The Modern Slavery Act

• The EU Waste Electrical and Electronic Equipment (WEEE) Directive

• The EU General Data Protection Regulation (EU GDPR)

Reporting against these can be at the enterprise, business unit, function and geographical level.

Within these broader categories, Aravo’s third-party risk management solution offers specific functionality, as outlined in the following sections.

Risk scoring and analytics

Aravo’s solution has an integrated engine that allows clients to score and weigh against any data attribute. It enables users to assign scoring rules to data, aggregate those scores, and calculate an overall score for the third-party risk (i.e., the third-party’s health, degree of compliance and performance). (See Figure 3). The engine also enables users to apply inherent and residual risk by business type, conditional risk models, auto-calculations throughout the workflow, and mass portfolio calculations. It integrates a qualitative and quantitative analytical tool that allows users to assess and prioritize risk, and to discover relationships and patterns across their third-party ecosystem. Scoring capabilities can also be applied to performance to help clients understand and optimize their own processes, as well as third-party delivery.

Figure 3: Risk dashboard

Source: Aravo Solutions


Reporting

Aravo provides a configurable online report and dashboard builder. Users can build reports and dashboards from any data within Aravo, using point-and-click/drag-and-drop functionality. The types of standard reports that Aravo offers include:

• All third parties

• New third parties

• Critical third parties

• Third parties with breaches or incidents

• Third parties with the highest residual risk

• Operational metrics

• Third parties with noted significant issues

• Third parties with the highest level of inherent risk

• Non-compliant third parties

• Third parties with control issues that are past-due

• Third parties related to an emerging risk

• Third parties about to be terminated

• Contracts with incentive compensation structures

• Presence of concentration risk related to predefined risk thresholds

• Forecasting of contract expiration

• Services with global delivery locations

• Third-party risk scorecard/profile across all applicable risk and performance domains

• Risk treatment distribution (i.e., amount accepted or remediated)

• Population of third parties based on specific criteria (i.e., business area location service)

• Identification of upcoming remediation plan due dates

• Customer/consumer-facing third parties

• Forecasting of upcoming control assessments (to be conducted in the next quarter)

• Population of critical third parties

Risk assessment process and workflows

This enables users to categorize third parties, intra-company suppliers, vendors and/or their services and contracts into various tiers of risk. By assessing the impact of third-party risks against compliance requirements, and by selecting pre-existing templates and frameworks designed to support specific mandates (e.g., Payment Card Industry (PCI), FCPA and EU GDPR), the process and workflows support different business methodologies for assessing risks associated with services and contracts (see Figure 4). Furthermore, the tools enable users to create a risk register that includes a description of risks and their metrics from a business perspective, mapping them to controls, owners, remediation actions, vendors, business entities and so on.


Figure 4: Workflow management

Source: Aravo Solutions

Mitigating appropriate risk issues

Aravo enables users to manage third-party/vendor risk exceptions in relation to control requirements, enabling compensation controls to mitigate risks, and providing periodic reviews of whether exceptions are still required. It also provides remediation management, enabling users to record action plans to identify control failures and other deficiencies, and to track those plans to fulfillment.

Control assessment and monitoring

Aravo’s solution provides:

• The ability to assess the effectiveness of controls and to carry out ongoing monitoring of third-party risks.


• Integrated process management that supports the workflow of other functions (i.e., exception management, remediation and reporting).

• Advanced capabilities, including modeling and simulation, the creation of executable processes for data collection, and the development of rules for risk monitoring and control enforcement.

Contract management and performance

Users can support the development of contracts and the ongoing monitoring of delivery against them, and collect performance data and assess it against expected service levels and deliverables. A repository of contracts and services associated with a third party is also provided, and users can assess the risks and controls associated with them.

Project management

With this system, users can manage third-party analysis and compliance work as formal projects against any regulation.

Collaboration

Aravo has advanced buyer-supplier collaboration capabilities. This extends to being able to schedule video conferencing within the system to accommodate virtual audits. The system also allows first-, second- and third-party audit responses and reports to be captured directly within it.

Fourth-party risk

The tracking of subcontractor (fourth-party) relationships has become increasingly important within third-party risk management programs – especially with the OCC’s most recent guidance in January 2017. Aravo supports the tracking of these relationships and incorporates subsequent due diligence on these subcontractor relationships as a part of engagements with third parties/vendors. This also helps to deliver important insight into concentration risk.

System integration

Aravo’s third-party risk management solution can be fully integrated with internal systems and external content.

• Internal systems: the most common systems that the solution integrates are SAP, Oracle, Coupa, Ariba, Archer and Excel, to ensure full cross-platform process orchestration.

• External content: external content providers (such as Thomson Reuters, LexisNexis, Dow Jones, EcoVadis, SecurityScorecard, Shared Assessments [SIG], Arachnys, Dun & Bradstreet and Bureau van Dijk, as well as content from external auditors) can be integrated into the Aravo platform for real-time screening, verification and data enrichment directly within the workflow.

Utility applications

In addition to its direct client base, Aravo has also been involved in building and delivering utility third-party risk applications for the defense and financial services industries in the UK.


3. Context

Demand-side analysis

Enterprise GRC

The concept of true enterprise GRC is not new, but firms still lack a coherent plan or methodology to integrate their current GRC systems. Consequently, in many firms there are few links between vertical silos and the three lines of defense in risk management².

Newly extended risk

Several definitions of third-party risk exist, but Chartis defines it as the risk posed to a firm by third parties it has business relationships with. Firms work increasingly as ‘extended enterprises’ within a network of connected organizations, exposing them to a multitude of risks. They link up with third parties for various reasons, but mainly to reduce costs, boost efficiency and capitalize on new opportunities. And their growing reliance on third parties is encouraging them to consider these relationships and how to handle them.

A growing responsibility

Firms are becoming increasingly responsible for activities carried out on their behalf by other entities. Although work can be outsourced, any attendant risk remains with the firm. Effective due diligence is one of the key methods firms can use to reduce their risk of non-compliance.

In 2018 the GDPR becomes enforceable in the EU, and firms in the EU will also face pressure to ensure that third parties holding their data do not pose inappropriate levels of risk. Third-party risk management is being pushed to the top of board members’ agendas because regulators can issue large penalties for non-compliance, with potentially severe consequences. Firms without high-quality due diligence are more exposed to third-party risk, and can face legal action, regulatory sanctions, financial losses or reputational damage.

A deeper level of risk

Managing risk from deeper within a firm’s supply chain means assessing other people and entities linked to their third parties. That process is known as ‘Know Your Client’s Client’ or ‘Know Your Supplier’s Supplier’.

With all this in mind, firms are turning to software to comply with regulations and to mitigate third-party risk. Third-party risk management solutions are still relatively new, although they have had slightly more time to develop in the US than in the EU.

The stages of third-party risk management

Third-party risk management systems usually consist of several stages of risk management, underpinned by essential requirements and functionality around collecting and analyzing data, and providing consulting services.

² The ‘three lines of defense’ for tackling risk in a firm are business operations, the risk management department, and independent governance/auditors. For more information on this model, see the Chartis report Enterprise GRC Solutions 2015.


• Stage 1: Identify in-scope third parties. This stage involves broad analysis of third parties, and identifying those that are viable for a firm’s needs.

• Stage 2: Assign a risk rating to third parties. Firms assign a risk rating to third parties using relevant parameters.

• Stage 3: Conduct risk-based due diligence. Using data from multiple sources, firms conduct a high-level screening of third parties.

• Stage 4: Evaluate and monitor. After entering into a business partnership, the firm regularly re-analyzes the vendor and third-party risk.

Supply-side analysis

Different pressures from regulators and market participants have elicited very different responses from vendors in the separate areas of GRC. The marketplace continues to evolve: some vendors are focusing on traditional GRC processes, while others work toward enabling firms to integrate GRC with other departments in the organization. Data management is key to this integration: vendors with strong data management capabilities already have advantages over those without.

Most vendors’ offerings are a compromise between flexibility and content, and either:

• Cover a few areas of GRC very well, but with limited scope for extending into other applications; or

• Offer broad, flexible coverage, at the cost of less functionality in specific areas.

Aligning with changes on the demand side of the market, we are seeing broad developments in third-party risk. As a relatively recent innovation in enterprise GRC, a particular vendor’s background strongly influences how it offers third-party risk management solutions. For example, data capture and management are critical elements of third-party risk management, hence vendors with strong data management capabilities have a significant advantage over those that use externally sourced data management.


4. Appendix A: RiskTech Quadrant® methodology

Chartis is a research and advisory firm that provides technology and business advice to the global risk management industry. Chartis provides independent market intelligence regarding market dynamics, regulatory trends, technology trends, best practices, competitive landscapes, market sizes, expenditure priorities, and mergers and acquisitions. Chartis’s RiskTech Quadrant® reports are written by experienced analysts with hands-on experience of selecting, developing, and implementing risk management systems for a variety of international companies in a range of industries including banking, insurance, capital markets, energy, and the public sector.

Chartis’s research clients include leading financial services firms and Fortune 500 companies, leading consulting firms, and risk technology vendors. The risk technology vendors that are evaluated in the RiskTech Quadrant® reports can be Chartis clients or firms with whom Chartis has no relationship. Chartis evaluates all risk technology vendors using consistent and objective criteria, regardless of whether or not they are a Chartis client.

Where possible, risk technology vendors are given the opportunity to correct factual errors prior to publication, but cannot influence Chartis’s opinion. Risk technology vendors cannot purchase or influence positive exposure. Chartis adheres to the highest standards of governance, independence, and ethics.

Inclusion in the RiskTech Quadrant®

Chartis seeks to include risk technology vendors that have a significant presence in a given target market. The significance may be due to market penetration (e.g. large client-base) or innovative solutions. Chartis does not give preference to its own clients and does not request compensation for inclusion in a RiskTech Quadrant® report. Chartis utilizes detailed and domain-specific ‘vendor evaluation forms’ and briefing sessions to collect information about each vendor. If a vendor chooses not to respond to a Chartis vendor evaluation form, Chartis may still include the vendor in the report. Should this happen, Chartis will base its opinion on direct data collated from risk technology buyers and users, and from publicly available sources.

Research process

The findings and analyses in the RiskTech Quadrant® reports reflect our analysts’ considered opinions, along with research into market trends, participants, expenditure patterns, and best practices. The research lifecycle usually takes several months, and the analysis is validated through several phases of independent verification. Figure 5 below describes the research process.


Figure 5: RiskTech Quadrant® research process

[Figure not reproduced. Legible stage labels: Select research topics; Data gathering. Legible activities: interviews with industry experts, risk technology buyers, and risk technology vendors; market surveys; client feedback; regulatory studies; academic studies; conferences; risk technology buyer surveys and interviews; demand and supply side analysis; survey data analysis; check references and validate vendor claims; follow-up interviews with industry experts; ongoing scan of the marketplace.]

Source: Chartis Research

Chartis typically uses a combination of sources to gather market intelligence. These include (but are not limited to):

• Chartis vendor evaluation forms. A detailed set of questions covering functional and non-functional aspects of vendor solutions, as well as organizational and market factors. Chartis’s vendor evaluation forms are based on practitioner-level expertise and input from real-life risk technology projects, implementations, and requirements analysis.

• Risk technology user surveys. As part of its ongoing research cycle, Chartis systematically surveys risk technology users and buyers, eliciting feedback on various risk technology vendors, satisfaction levels, and preferences.


• Interviews with subject matter experts. Once a research domain has been selected, Chartis undertakes comprehensive interviews and briefing sessions with leading industry experts, academics, and consultants on the specific domain to provide deep insight into market trends, vendor solutions, and evaluation criteria.

• Customer reference checks. These are telephone and/or email checks with named customers of selected vendors to validate strengths and weaknesses, and to assess post-sales satisfaction levels.

• Vendor briefing sessions. These are face-to-face and/or web-based briefings and product demonstrations by risk technology vendors. During these sessions, Chartis experts ask in-depth, challenging questions to establish the real strengths and weaknesses of each vendor.

• Other third-party sources. In addition to the above, Chartis uses other third-party sources of information such as conferences, academic and regulatory studies, and collaboration with leading consulting firms and industry associations.

Evaluation criteria

The RiskTech Quadrant® (see Figure 6) evaluates vendors on two key dimensions:

1. Completeness of offering

2. Market potential

Figure 6: RiskTech Quadrant®

[Figure not reproduced. Axes: Completeness of offering (Low to High) and Market potential (Low to High). Quadrant labels: Best-of-breed; Point solutions; Category leaders; Enterprise solutions.]

Source: Chartis Research


The generic evaluation criteria for each dimension are set out below. In addition to the generic criteria below, Chartis utilizes domain-specific criteria relevant to each individual risk. These are detailed in the individual vendor evaluation forms, which are published as an appendix to each report. This ensures total transparency in our methodology and allows readers to fully appreciate the rationale for our analysis.

Completeness of offering

• Depth of functionality. The level of sophistication and amount of detailed features in the software product (e.g. advanced risk models, detailed and flexible workflow, domain-specific content). Aspects assessed include: innovative functionality, practical relevance of features, user-friendliness, flexibility, and embedded intellectual property. High scores are given to those firms that achieve an appropriate balance between sophistication and user-friendliness. In addition, functionality linking risk to performance is given a positive score.

• Breadth of functionality. The spectrum of requirements covered as part of an enterprise risk management system. This will vary for each subject area, but special attention will be given to functionality covering regulatory requirements, multiple risk classes, multiple asset classes, multiple business lines, and multiple user types (e.g. risk analyst, business manager, CRO, CFO, Compliance Officer). Functionality within risk management systems and integration between front-office (customer-facing) and middle/back office (compliance, supervisory, and governance) risk management systems are also considered.

• Data management and technology infrastructure. The ability of risk management systems to interact with other systems and handle large volumes of data is considered to be very important. Data quality is often cited as a critical success factor and ease of data access, data integration, data storage, and data movement capabilities are all important factors. Particular attention is given to the use of modern data management technologies, architectures, and delivery methods relevant to risk management (e.g. in-memory databases, complex event processing, component-based architectures, cloud technology, software-as-a-service). Performance, scalability, security, and data governance are also important factors.

• Risk analytics. The computational power of the core system, the ability to analyze large amounts of complex data in a timely manner (where relevant in real time), and the ability to improve analytical performance are all important factors. Particular attention is given to the difference between ‘risk’ analytics and standard ‘business’ analytics. Risk analysis requires such capabilities as non-linear calculations, predictive modeling, simulations, scenario analysis, etc.

• Reporting and presentation layer. The ability to present information in a timely manner, the quality and flexibility of reporting tools, and ease of use are important for all risk management systems. Particular attention is given to the ability to do ad-hoc ‘on-the-fly’ queries (e.g. what-if-analysis), as well as the range of ‘out-of-the-box’ risk reports and dashboards.


Market potential

• Market penetration. Both volume (i.e. number of customers) and value (i.e. average deal size) are considered important. Also, rates of growth relative to sector growth rates are evaluated.

• Brand. Brand awareness, reputation, and the ability to leverage current market position to expand horizontally (with new offerings) or vertically (into new sectors) are evaluated.

• Momentum. Performance over the previous 12 months is evaluated, including financial performance, new product releases, quantity and quality of contract wins, and market expansion moves.

• Innovation. New ideas, functionality, and technologies to solve specific risk management problems are evaluated. Developing new products is only the first step in generating success. Speed to market, positioning, and translation into incremental revenues are critical success factors for exploitation of the new product. Chartis also evaluates business model or organizational innovation (i.e. not just product innovation).

• Customer satisfaction. Feedback from customers regarding after-sales support and service (e.g. training and ease of implementation), value for money (e.g. price to functionality ratio) and product updates (e.g. speed and process for keeping up to date with regulatory changes) is evaluated.

• Sales execution. The size and quality of sales force, sales distribution channels, global presence, focus on risk management, messaging, and positioning are all important factors.

• Implementation and support. Important factors include size and quality of implementation team, approach to software implementation, and post-sales support and training. Particular attention is given to ‘rapid’ implementation methodologies and ‘packaged’ services offerings.

• Thought-leadership. Business insight and understanding, new thinking, formulation and execution of best practices, and intellectual rigor are considered important by end users.

• Financial strength and stability. Revenue growth, profitability, sustainability, and financial backing (e.g. the ratio of license to consulting revenues) are considered key to the scalability of the business model for risk technology vendors.


Quadrant descriptions

Point solutions. Providers of point solutions focus on a relatively small number (typically two or three) of component technology capabilities. These vendors meet a very important need in the risk technology market by solving specific risk management problems with domain-specific software applications and technologies. Point solution providers also provide a strong engine for innovation as their deep focus on relatively narrow subject areas generates thought leadership and intellectual capital. These vendors often have gaps relating to the broader enterprise risk management functionality and do not have the integrated data management, analytics, and business intelligence capabilities found in enterprise technology platforms. Furthermore, these vendors have not yet developed the organizational characteristics for capturing significant market share. Their growth is often constrained by lack of financial and human resources, or relatively weak sales and marketing execution.

Best-of-breed. Providers of best-of-breed solutions have best-in-class point solution capabilities together with the organizational characteristics to capture significant market share in their chosen target markets. Providers of best-of-breed solutions usually have a growing client base, superior sales and marketing execution, and a clear strategy for sustainable profitable growth. Best-of-breed solution providers can also demonstrate a healthy rate of investment in research and development, and have specific product or ‘go-to-market’ capabilities that give them a competitive advantage. Best-of-breed solution vendors have depth of functionality, but lack the breadth of technology and functionality required to provide an integrated enterprise-wide risk management system. Best-of-breed solutions are often considered as a subset of more comprehensive risk technology architecture and are required to co-exist with other third-party technologies or in-house systems to provide an integrated solution to a given risk management problem.

Enterprise solutions. Enterprise solution providers have a clear strategy and vision for providing risk management technology platforms. They are characterized by the depth and breadth of their technology capabilities, combining functionally rich risk applications with comprehensive data management, risk analytics, and business intelligence technologies. A key differentiator is the openness and flexibility of their technology architecture and their ‘tool-kit’ approach to risk analytics and reporting. Enterprise solution providers support their technology solutions with comprehensive infrastructure and service capabilities, ensuring best-in-class technology delivery. Moreover, enterprise solution providers have clear strategies for combining risk management content and data with their risk management software to provide an integrated ‘one-stop-shop’ for risk technology buyers.

Category leaders. Category leaders are risk technology vendors that have the necessary depth and breadth of functionality, technology, and content, combined with the organizational characteristics to capture significant market share by volume and value. Category leaders can demonstrate a clear strategy for sustainable, profitable growth, matched with best-in-class solutions. Category leaders also have the range and diversity of offerings, sector coverage, and financial strength to be able to absorb demand volatility in specific industry sectors or geographic regions. These vendors benefit from strong brand awareness, a global reach, and strong alliance strategies with leading consulting firms and systems integrators. Category leaders can also demonstrate an appetite for ongoing investment in innovation, often matched by deep pockets and a strong financial performance. Ultimately, category leaders combine deep domain knowledge in various risk topics with deep technology assets and capabilities. They can demonstrate this by addressing the needs of very large clients with complex risk management and technology requirements, as well as addressing the needs of smaller clients with standardized requirements looking for integrated solutions from a single vendor.


5. How to use research and services from Chartis

In addition to our flagship industry reports, Chartis also offers customized information and consulting services. Our in-depth knowledge of the risk technology market and best practice allows us to provide high-quality and cost-effective advice to our clients. If you found this report informative and useful, you may be interested in the following services from Chartis.

For risk technology buyers

If you are purchasing risk management software, Chartis’s vendor selection service is designed to help you find the most appropriate risk technology solution for your needs.

We monitor the market to identify the strengths and weaknesses of the different risk technology solutions, and track the post-sales performance of companies selling and implementing these systems. Our market intelligence includes key decision criteria such as TCO (total cost of ownership) comparisons and customer satisfaction ratings.

Our research and advisory services cover a range of risk and compliance management topics such as credit risk, market risk, operational risk, GRC, financial crime, liquidity risk, asset and liability management, collateral management, regulatory compliance, risk data aggregation, risk analytics and risk BI.

Our vendor selection services include:

• Buy vs. build decision support

• Business and functional requirements gathering

• Identification of suitable risk and compliance implementation partners

• Review of vendor proposals

• Assessment of vendor presentations and demonstrations

• Definition and execution of Proof-of-Concept (PoC) projects

• Due diligence activities.


For risk technology vendors

Strategy

Chartis can provide specific strategy advice for risk technology vendors and innovators, with a special focus on growth strategy, product direction, go-to-market plans, and more. Some of our specific offerings include:

• Market analysis, including market segmentation, market demands, buyer needs, and competitive forces

• Strategy sessions focused on aligning product and company direction based upon analyst data, research, and market intelligence

• Advice on go-to-market positioning, messaging, and lead generation

• Advice on pricing strategy, alliance strategy, and licensing/pricing models

Thought leadership

Risk technology vendors can also engage Chartis to provide thought leadership on industry trends in the form of in-person speeches and webinars, as well as custom research and thought-leadership reports. Target audiences and objectives range from internal teams to customer and user conferences. Some recent examples include:

• Participation on a ‘Panel of Experts’ at a global user conference for a leading Global ERM (Enterprise Risk Management) software vendor

• Custom research and thought-leadership paper on Basel 3 and implications for risk technology

• Webinar on Financial Crime Risk Management

• Internal education of sales team on key regulatory and business trends and engaging C-level decision makers


6. Further reading

• Enterprise GRC Solutions: Market Update 2017

• RiskTech100® 2017

• Cyber Risk Management in Financial Services 2016

• Financial Crime Risk Management Systems 2016

• Spotlight on New OpRisk Measurement Standards

• Spotlight on Conduct Risk Management

For all these reports see www.chartis-research.com.