Room for improvement

As the operational risk technology market matures, several vendors have begun to emerge as leaders in the field. In our latest readers' survey, Sungard, Chase Cooper, Algorithmics, SAS, Reveleus/Mantas and OpenPages were singled out as the top technology vendors.

But as the voting shows, the top four vendors are in a highly competitive battle for the winning slots. Sungard may have taken 16% of the votes as top vendor overall, but Chase Cooper was only just behind them with 13.6%. Algorithmics took nearly 12% of the vote.

The survey results come as a vindication for Sungard, which was conspicuously absent in the early years of the operational risk market. Before entering into its advantageous partnership with Ci3, the heavy-hitter of market and credit risk was often said to have missed the boat in the op risk field. But as our survey shows, Sungard's early absence has done little to hurt it. The vendor was voted the top choice in four of the five categories, including scenario analysis functionality, op risk loss data collection, key risk indicators (KRI), and risk control and self-assessments (RCSA). Only in regulatory and economic capital modelling did Sungard not take the lead. It came second in this category, just behind Algorithmics, whose original software was a modelling engine.

While readers did believe that the quality of software was improving, many found that the actual experience of implementing an op risk software package was often a frustrating and daunting process. Once the product was installed, however, they were usually more satisfied.

The buying process starts with banks narrowing their long list down to around a half a dozen vendors and assessing each software system – a confusing and time-consuming process considering the number of vendors on the market. Inevitably, some of these systems disappoint. More than one bank called some of the software they viewed "vapourware", and one consultant confirmed that one of the biggest problems he sees are vendors claiming their software can do things it cannot.

One side of the problem, in some cases, is that banks may not know the exact direction they want to take with operational risk – for instance, a more risk-based approach, or a more compliance-led one. A tug-of-war between these two camps can often occur at a firm, making it difficult to know what type of software the firm would actually benefit from. Some of these banks are hoping for more direction from the regulators before they take the plunge, but as Ani Sanyal, managing director, integrated capital solutions at Sungard notes: "when it comes to regulatory direction, we have all the ingredients, but no meal."

Ever-expanding needs

The other part of the problem is the ever-expanding and shifting needs of operational risk management. Vendors must run as fast as they can just to stay abreast of market developments. Yet to keep up with these crucial changes, software firms need the traction in the marketplace to be able to fund them. It's a vicious circle that has chewed up more than one worthy technology company.

Indeed, while banks are increasingly looking for comprehensive op risk software solutions, they found that vendors could do better in creating a seamless flow between the different functionalities in their technology. Even the most comprehensive software solution can still feel as if it has been cobbled together. Much of this is the legacy of the fast-evolving world of op risk software where many vendors grow by acquisition, snapping up smaller, ailing competitors and adding their functionality into their software. The links between these disparate pieces of software aren't always smooth, and can make for a very inflexible system.

One respondent notes that there is a vast gulf between an integrated software solution and a package that offers all the various pieces to solve different operational risk functionalities, often in different technology: "In the majority of cases, they offer different methods in different technologies. Because of this, the connection between different methods (ie loss date collection, KRIs, risk simulation) is often very difficult, or at least very expensive. In our experience, what you really need is software with all op risk functionalities in one technology."

Indeed, having a flexible system was the biggest praise that readers heaped on the winners. One reader spoke for the majority of Chase Cooper customers, when he noted that the firm had an "extremely flexible product that accommodates a range of methodologies," and for "wide functionality, high performance and scalability".

Banks found their software allowed for "a methodical approach to identifying risks and controls in respect to the objectives the entity set," while "the ease of entering risks and control self assessments were very useful." The resulting reports allowed for quickly identifying where resources should be applied to meet the firm's risk appetite. One bank that had implemented Chase Cooper's Accelerate software said: "The system will be an enabler to take us from Risk and Control assessment, Causal Loss analysis and KRI management, right through to the Advanced Measurement Approach. In addition, it covers all of our requirements for not only op risk management, but also for Sarbanes-Oxley (SOX) obligations."

One firm was equally pleased with its purchase of OpenPages, which it called "extremely flexible". Another firm singled out Sungard as having a "highly flexible" and "intuitive" product.

Banks also praised vendors that could accommodate a range of methodologies and be altered on the fly. According to one survey participant: "Having to change risk management methodology because a product cannot accommodate yours is disruptive, and not something many organisations will be keen to do."

One reader singles out OpenPages as having "extremely flexible software that you can mould to your methodology and adapt as the discipline evolves." He adds: "The ease of configurability allows you to own the application and apply changes dynamically, rather than be a slave to the slow and costly Vendor Software Change Requirement process."

Another op risk manager adds: "Software should be very flexible. On the one hand, op risk culture is different from bank to bank. On the other, op risk management itself is about so many open questions, constantly in variation. The head of op risk should be able to change data structure or the workflow without the help of the vendor or his own IT department. Otherwise you will have to pay the bill for your software over time."

Customer service was another important part of the buyer's experience. Singling out Chase Cooper, one reader wrote: "[Chase Cooper was] extremely professional and helpful in all our dealings and had a real understanding of the op risk market and direction," said one manager. Not only does Chase Cooper have great software, it also has professional and highly qualified people."

Sungard/Ci3 also got strong marks for its customer service. One customer based in Australia made a point of applauding the vendor's customer service, as the two were continents apart. The software firm was also applauded for its professionalism, and for providing "detailed implementation plans and an easy-to-follow strategy".

Op risk managers have also voiced the concern that in op risk software packages, not all the different functionalities of a system are necessarily as good as the other. For example, while a vendor may have a module particularly adept at risk simulation, it may have failed to develop an equally powerful measurement-tracking or data-collection tool. Vendors say this is obviously changing, as the software continues to be improved upon.

Indeed, many of the winning vendors say they are focusing most of their attention on capital modelling engines, as this area is still a controversial one in operational risk. Sungard, SAS and Algorithmics are all working to refine their modelling tools.

Peter Christie, IT management solutions practice strategist at SAS, says the vendor is working on making sure that any external data scales correctly, for example.

Readers also wanted to see more innovation coming from vendors. Some banks believe they are supplying vendors with ideas for development, though vendors argue that they are called in when banks want to pick their brains. Readers would also like to see more customisation in the software, and commended vendors who were willing to tailor their product to the bank's specific needs. One reader noted that he was particularly pleased with Chase Cooper's willingness to continue tweaking the application based on the bank's feedback.

Still, some banks will insist on building their own software. With the cost of software as high as it is, many conclude that they may as well build their own system, thereby getting a perfect fit and controlling all aspects of the build and implementation.

Fitting in with the legacy systems

Vendors themselves acknowledge that internal builds are often their closest rivals. This is especially true of the very largest banks, where as one op risk manager noted, the challenge of installing technology is especially high, as any system must interact with virtually all the legacy systems of a firm.

As the field of op risk moves forward, readers are hoping to get a solution that lets them see more of the "big picture". Managers emphasised how eager they were for a solution that makes it simple for the user to move to a comprehensive view of risk. With more regulations sure to pass, and compliance becoming a thornier issue, banks want vendors to focus on delivering a solution that could quickly adapt to these changes. They also noted how op risk was just one slice of risk that the bank needs to view, or as one manager wrote: "Forget op risk as a silo, get to meaningful enterprise risk NOW!"

"With true ERM now a goal for many organisations, the flexibility and interfacing capability of any op risk solution must be in place and comprehensive," says one manager. Another adds that he wants "a single platform for a complete view of the total risk environment including risk, control, losses, breaches, audit findings and complaints".

Managers are also looking for strong links to compliance efforts. In fact, one described it as "vital" that software products have some linkages to compliance-related technology including anti-fraud, anti-money laundering and SOX, for example. Another survey participant writes: "Banks are facing the barrage of compliance that is Basel II, SOX, Mifid etc. All the vendors should develop a comprehensive issue and action tracking tool that can cover these audit and compliance issues."

Vendors are well aware that their customers want to have this comprehensive view. As Dan Mudge, managing director of op risk at Algorithmics notes, it's the most efficient use of time and effort. He adds: "As departments become more burdened with internal and regulatory requirements, they want to collect the data once, place it in a central location and be able to reuse it multiple times."

Usability was another issue that op risk managers want vendors to tackle. With op risk getting increasingly more complex, and with compliance overlapping it, banks want to see smoother user interfaces, rationalisation of functionality and a more intuitive system. One manager notes the difficulty in this: "The user community keeps requesting more and more, but it wants to keep it in a simple, intuitive package. Sometimes these goals are at odds with each other." Another manager added that he wanted to see that workers have the ability to make changes to the type of data they collect, to the input screens, and to the layout. He also wanted push-button reports for executives that are "easy on the eye".

One op risk manager came up with an interesting idea, especially for smaller banks. He envisions an application service provider (ASP) solution for op risk, one that would be capable of giving the banks a menu of choices that would allow them to mix and match the individual functionalities best suited to their business and that would "facilitate best of breed selection and usage".

In fact, Algorithmics began offering an ASP service recently. According to Mudge, smaller institutions have begun looking for op risk software as well, and an ASP model is one that better suits their purposes, both financially and in the complexity of the product.

Op risk managers are also hoping that new software will incorporate better business tools, especially as banks become more involved with better business practice, rather than regarding it as just an exercise to satisfy regulators. The field has been focused primarily on ensuring that banks are in step with regulations, but as the survey shows, managers are thinking of the bigger picture. Survey takers wanted to see products that could integrate risk and compliance from a business process perspective. This would include better workflow functionality to enable the business teams to take more accountability for risks and testing, but be monitored by the company risk and compliance teams. Finally, some brought up the benefits of Six Sigma and modelling for better business practices.

Methodology

This ranking was compiled from an online survey conducted by OpRisk & Compliance magazine. The survey was sent to more than 4,000 readers of OpRisk & Compliance from around the world, and respondents were asked to rank their top five firms across a range of five categories. The results were compiled by Incisive Research, a subsidiary of Incisive Media.