Analytics: the key

The partnership between Ci3 and SunGard continues to bear fruit as Sword again tops the rankings as the best op risk software. But with less than 1% of the vote dividing the top three, Algorithmics and SAS are snapping at the heels of Ci3, and both succeeded in improving on their performance in last year's rankings.

Chase Cooper, in fourth place, is a consistent performer, while OpenPages pushed its way into the top five for the first time. Reveleus/Mantas, IBM, Protiviti, Horwarth Software and RiskHive made up the rest of the top 10 - RiskHive making its first appearance in the survey this year.

The movement in the rankings demonstrates how the number and sophistication of op risk software vendors improves as the market matures. Over the past 12 months, banks have been focusing on getting their risk control self-assessments (RCSAs) and op risk loss data collection up to speed as they make the final push towards advanced management approach approval in Europe. And the op risk events that have hit the headlines over recent months have prompted regulators and banks to focus more on forward-looking techniques, such as scenario analysis, to help them better predict and prevent loss events before they happen.

Ci3/SunGard is building on its core strengths of RCSAs, which it constantly reviews and redesigns with its clients, but it is also looking to the future of the discipline. "We are focused on indicators and scenario analysis in terms of the development for the next version of Sword, so our results in these categories will be even better next year," says Richard Pike, product director at Ci3 in Dublin. "Our aim for this year is to develop an enterprise risk management version of Sword, which will be called Sword ERG (enterprise risk governance)".

Two of the main developments involved are cross-risk scenario analysis and cross-risk indicators - so you can do scenario analysis and key risk indicators across all risk types. We are developing this with our clients so we already have takers for this product and the first delivery is scheduled for May."

But this is just the beginning of the evolution of op risk software over the next few years. The credit crunch has revealed the importance of looking at all risks across the organisation - making enterprise risk management (ERM) a hot topic again. In an attempt to provide a more actionable structure than ERM, Ci3 has developed the concept of ERG - a methodology that looks at risk across sectors, but can also action problems as they arise.

ERM, or ERG, is closely linked with achieving governance risk and compliance (GRC). GRC is a broad philosophy that aims to implement an integrated approach to risk and compliance processes such as Sox and other legal issues, or IT risk in an organisation by helping all of the, often siloed, business lines to work together, using technology to automate the process. "We don't believe that op risk exists in a silo," says Gordon Burns, vice-president of marketing at OpenPages. "In many cases, companies are looking to integrate their op risk process with the processes around managing other types of risk in the business. We believe banks will increasingly look to integration with other kinds of risk management capabilities like an audit management function, IT risk or an industry compliance solution."

Burns adds: "Also looking forward, rather than try to manage their operating performance risk on an ad hoc basis, we believe that risk data will begin to be used more in the context of managing corporate performance than just for mitigating risk. In other words, allocating not just regulatory capital but helping to allocate investment capital."

Although many software vendors market GRC-related solutions, a complete software package has not yet been developed. That would need to be implemented in conjunction with a huge cultural change within an organisation - an aim that has not yet been achieved by any financial institution. However, ERM is considered to be more achievable in the near term.

"Truly complete technology for GRC is still a few years away but we feel strongly that enterprise risk management is achievable in the near term," says Pike. "We are providing the ability to aggregate risk scores and risk values from other frameworks and other systems, but more importantly govern by generating issues, actions, proper reports, appetites, all the information that senior board people need."

Algorithmics is also pushing for ERM as the future of risk management. "Being part of Algorithmics, with our significant client base and capabilities in market and credit risk, we are always looking at ways to integrate and give clients a complete ERM solution," says Rita Silverstein, product manager at Algo OpVar in New York. "We have seen a lot of take-up of ERM solutions by organisations globally this year so that will continue to be a focus."

Over the past year, Algorithmics has been strengthening its core solutions to ensure clients experience a faster implementation time and that they allow for better integration with other areas of op risk. "A year-and-a-half ago, we completed re-architecting our solution and came out with OpVar Standard Edition Version 6," says Silverstein. "OpVar Standard Edition incorporates best practices that we saw in the industry. The benefits we hear from our clients are that they have very quick implementation times and they can be up and running quickly with the new software. And they know that what they are getting is a solution that will make sense and work well within their environment.

"We built into the new version a framework that supports all categories of op risk functionality and allows those pieces to inter-operate for an organisation, so that they get greater benefit from, for example, combining RCSA assessments with loss data. Now that the Standard Edition functionality is in place with this integrated architecture, we are adding more intelligence and analytics to the software to help organisations better manage their risk and receive greater business benefits. It is fine and dandy to collect all of this data but now let's turn it into something that will improve the bottom line," she says.

Proving the business benefit of op risk investments has become essential for op risk managers over the past year. By integrating systems and employing better analytics, financial institutions now have the tools to be able to demonstrate to senior management and the board where savings are being made thanks to op risk systems. Going forward this technology will only improve as software firms place their focus on developing better analytics and scenario analysis techniques to help firms prevent loss events. "Our focus for the next 12 months will be on analytics," says Bart Patrick, head of risk at SAS. "Many systems now are very backward-looking, depending on RCSA, historical loss data and basic value-at-risk and Monte Carlo simulations. We want to go beyond that to ensure operational risk becomes a powerful weapon in the armoury of any financial institution to help them to better direct their business. We want to expand our analysis capacity across all data sets to include trade reports, email databases, structured and unstructured data in addition to existing loss databases, then cluster and group them to predict and model events accurately. This would allow firms to predict situations that are likely to occur such as unauthorised trading and stop it before it happens, preventing a reputation hit or financial loss."

Ci3 is staring even further into the misty distance of op risk software development. It is part of an EU research project called Musing (multi-industry, semantic-based next generation business intelligence), which aims "to integrate semantic web and human language technologies and combine declarative rule-based methods and statistical approaches for enhancing the knowledge acquisition and reasoning in business intelligence applications towards industries with a deep socioeconomic impact". Or, put more simply, to provide tools to use structured and unstructured data along with rule-based reasoning to gain better business intelligence.

"The future will be based on the research from the Musing project, which will allow us to incorporate Bayesian networks and ontologies into ERG," explains Pike. "At a Musing meeting in Milan, we generated a scorecard for ERG using a Bayesian network and data from a Sword database so we will be looking for proof of concept in that area."

However, operational risk vendors are all experiencing substantial growth in Asia, the Middle East, central and eastern Europe, and Latin America. Growth is expected to continue in the next 12-18 months as those regions step-up implementation of their op risk frameworks.

"Five years ago, op risk software did not exist and banks were forced to develop their own in-house systems," says Burns. "But as op risk as a discipline matures, so does the software market, which is growing in new markets thanks to greater acceptance of technology solutions."

METHODOLOGY

These rankings were compiled from an online survey conducted during the months of March and April by OpRisk & Compliance magazine. The survey was sent to more than 4,000 readers of OpRisk & Compliance from around the world, and respondents were asked to rank their top five companies across a range of five categories. The results were compiled by Incisive Research, a subsidiary of Incisive Media.