RiskWatch
Updated May 15, 2026 · 10 platforms evaluated

Top 10 Risk Management Software for Insurance in 2026: A Buyer-First Comparison

Honest 2026 ranking of the 10 best risk platforms for insurance carriers. Scored on ORSA defensibility, Solvency II + ICS capital, MAR ICFR, and TCOR fit.

By RiskWatch Editorial · Insurance Risk and Compliance Software Research

Verdict

TL;DR

If you run an insurance carrier, reinsurer, or insurance holding company that has to file an ORSA Summary Report with a state DOI, satisfy Solvency II Pillar 1 / 2 / 3 in the EU, pre-position for IAIS ICS adoption, attest MAR §404 ICFR for the audit committee, and roll up claims TCOR across underwriting and operations, RiskWatch ranks first on our weighted score for the mid-market and regional segment that needs all five briefs on one tenant. Origami Risk is the strongest RMIS-first pick (eighth consecutive year as the Redhand RMIS Report market leader). Riskonnect leads on TCOR and claims after absorbing Ventiv Technology in March 2024. Moody's RiskIntegrity and Wolters Kluwer OneSumX are the right call when capital modelling under Solvency II or ICS is the load-bearing requirement. Workiva, IBM OpenPages, MetricStream, Archer, and Optro each win narrower briefs. Pick by DOI-examiner defensibility and total cost of ownership across multi-state and multi-jurisdiction filings, not analyst-quadrant placement, because eight of the ten vendors here will not publish a price.

Pick by use case

Where each platform fits

Multi-state carrier running NAIC + NYDFS + MAR + ORSA + HIPAA on one tenant
RiskWatch: 40+ framework libraries including NAIC Insurance Data Security Model Law (adopted in 25+ US states), NYDFS Part 500, MAR §404 ICFR, ORSA, HIPAA for health insurers, RESPA for title; state-specific overlays mean new state adoption surfaces as a coverage gap, not a separate programme build.
P&C and L&H carrier RMIS with claims, policy, billing, and analytics depth
Origami Risk: 2026 Redhand RMIS Report market leader for the eighth consecutive year; configurable RMIS with carrier-grade claims, policy administration, rating, billing, loss control, and analytics on one data model.
Insurer running total cost of risk plus enterprise claims at scale
Riskonnect: Salesforce-native ERM with insurance and claims depth that absorbed Ventiv Technology in March 2024; 2,700+ enterprise customers; deepest TCOR data model linking ERM, claims, BCM, and TPRM.
European insurer or US carrier pre-positioning for IAIS ICS where Solvency II Pillar 1 capital modelling is load-bearing
Moody's RiskIntegrity: End-to-end Solvency II SCR and MCR calculations with standard formula and internal model, economic balance sheet projections, stochastic ALM, and ORSA reporting from the Moody's Analytics insurance suite.
Insurer needing Pillar 3 regulatory reporting plus ORSA on the same regulatory-content engine
Wolters Kluwer OneSumX: End-to-end Solvency II SCR / MCR plus technical provisions plus Pillar 3 disclosures plus stochastic ORSA on the same regulatory-content engine that handles bank reporting; CCH Tagetik Solvency II module for finance-led carriers.
Public insurance holding company running NAIC RBC + ORSA + 10-K / 10-Q + ESG on one data spine
Workiva: Connected reporting platform supports GAAP, NAIC RBC, Capital Adequacy Test, ORSA, and Solvency II disclosures alongside SOX 302 / 404 and 10-K / 10-Q assembly; NYSE: WK public ownership.
Tier-1 carrier or insurance holding company that needs Watson AI assistance for ORM controls
IBM OpenPages: Watson AI for control narratives, loss-event classification, and KRI anomaly detection over an insurance operational-risk taxonomy; integrates with the Wolters Kluwer regulatory feed.
Global insurer or reinsurer running 5+ regulatory programmes across NAIC, EIOPA, BMA, MAS, HKMA, APRA
MetricStream: Broadest regulatory content library in this ranking covering NAIC, EIOPA, BMA, MAS, HKMA, APRA, PRA insurance supervisors; modular suite covering ERM, IT GRC, audit, TPRM, BCM, and compliance.
Heavily regulated insurance carrier or reinsurer that still requires on-prem deployment
Archer: 20+ year IRM bench with insurance carriers and reinsurers; on-prem still supported under Cinven ownership; deep operational, IT, and third-party risk workflow for carriers with data-locality obligations.
Public insurance holding company where MAR §404 ICFR and SOX internal audit are the load-bearing programme
Optro (formerly AuditBoard): Deepest SOX and MAR §404 controls testing and ICFR workflow in the category; 1,585 G2 reviews at 4.6 / 5; Fortune 500 insurance reference customers in the public-holding-company segment.

Insurance carrier risk management software is its own buyer category. A carrier filing an ORSA Summary Report with its lead state DOI, attesting MAR §404 ICFR for the audit committee, calculating Solvency II SCR for an EU subsidiary, pre-positioning for IAIS ICS adoption (the global Insurance Capital Standard published as ICS Version 2.0 in December 2024 and now in adoption), and rolling up claims TCOR across underwriting, reinsurance treaties, and operations has needs that a generic GRC platform serves badly. The ten platforms in this ranking each fit at least one of those load-bearing briefs; none of them fits all six equally well. We scored on a weighted methodology tuned for carrier buyers, with DOI-examiner defensibility and total cost of ownership across multi-state and multi-jurisdiction filings replacing the generic ease-of-use bias in our master listicle.

We considered 22 platforms across the 2026 Redhand RMIS Report, InsuranceERM software directory, Gartner Peer Insights for IT Risk Management and Operational Risk Management, the Forrester Wave for GRC, and Capterra Insurance shortlists. We cut to ten by excluding policy-admin core systems (Guidewire, Sapiens, Insurity, Duck Creek) that book underwriting and claims but do not run an ORSA or MAR programme, removing pure SaaS-compliance vendors built for SOC 2 startups (Sprinto, Hyperproof, Vanta, Drata) that lack insurance-grade regulatory content, and removing ERP-bundled risk modules (SAP GRC, Oracle GRC) that insurance buyers rarely shortlist standalone. Ventiv Technology was acquired by Riskonnect in March 2024 and is now part of the Riskonnect Helix suite, so its capabilities appear under the Riskonnect card rather than as a separate entry. The result is ten platforms a real carrier, reinsurer, broker, or insurance holding company might shortlist in 2026.

Pricing transparency is worse in this segment than in the broader GRC market. Eight of ten platforms here gate pricing behind a demo; the two that publish anything (IBM OpenPages SaaS Essentials and Standard tiers and the RiskWatch Standard tier) still negotiate enterprise deals materially off-list. We have triangulated prices for the opaque vendors from at least two independent third-party sources and dated each estimate to 2026-05-15. NAIC adoption of the IAIS ICS continues to expand the global capital-standards conversation, NAIC Insurance Data Security Model Law adoption stands at 25+ US states and counting, and NYDFS Part 500 final amended rules took effect November 1 2025; all three shifts have pushed pricing upward at the top of the market as state DOIs and EU supervisors expand examination scope.

At-a-glance

Comparison table

The 10 platforms scored on the methodology weights at the bottom of this page. Pricing-transparency pill is the buyer-honesty signal.

| Rank | Product (vendor) | Best for | Pricing transparency | G2 | Verdict |
|---|---|---|---|---|---|
| 1 | RiskWatch (RiskWatch International) | Mid-market and regional multi-state insurance carriers, health-insurance subsidiaries, title carriers, broker-distribution institutions, and reinsurance brokers running NAIC Model Law plus MAR plus ORSA plus state DOI examinations on one tenant. | Partial | 4.5/5 (60+ reviews) | NAIC Insurance Data Security Model Law overlay with state-specific variants for each... |
| 2 | Origami Risk (Origami Risk, LLC) | Mid-market and enterprise P&C, L&H, and specialty carriers, brokers, and TPAs that need carrier-grade RMIS depth (claims + policy + rating + billing) plus ERM in one tenant. | Opaque | 4.3/5 (290+ reviews) | 2026 Redhand RMIS Report market leader for the eighth consecutive year; the benchmark... |
| 3 | Riskonnect (Riskonnect, Inc.) | Enterprise P&C and L&H carriers, insurance holding companies, and self-insured organisations running TCOR at scale, especially Salesforce shops. | Opaque | 4.2/5 (200+ reviews) | 2,700+ enterprise customers, the largest active install base in this ranking after Optro |
| 4 | Moody's RiskIntegrity (Moody's Analytics, Inc.) | European insurance groups under Solvency II Pillar 1 internal-model approval, US insurance groups pre-positioning for IAIS ICS Pillar 1, and multinational reinsurers running stochastic ORSA. | Opaque | 4.3/5 (90+ reviews) | End-to-end Solvency II SCR and MCR under both standard formula and internal model approval |
| 5 | Wolters Kluwer OneSumX (Wolters Kluwer N.V.) | European insurance groups under Solvency II Pillar 1 / 2 / 3 plus IFRS 17, multinational insurance groups running EIOPA Pillar 3 disclosures across jurisdictions, and finance-led carriers wanting CCH Tagetik consolidation workflow. | Opaque | 4.2/5 (110+ reviews) | End-to-end Solvency II SCR and MCR plus technical provisions plus Pillar 3 disclosures... |
| 6 | Workiva (Workiva Inc.) | Public insurance holding companies, NAIC-RBC-filing US carriers, and EU insurance holding companies where MAR §404 plus 10-K / 10-Q assembly plus ORSA disclosure plus CSRD ESG are the central programmes. | Opaque | 4.5/5 (1300+ reviews) | Native NAIC RBC, Capital Adequacy Test, ORSA, and Solvency II disclosure workflow... |
| 7 | IBM OpenPages (IBM Corporation) | Tier-1 insurance groups, multinational carriers, and bank-holding-companies-with-insurance-subsidiaries that need an AI-assisted controls layer over insurance operational risk and model risk, and that already run the Wolters Kluwer regulatory feed. | Partial | 4.2/5 (310+ reviews) | Watson AI features for control-narrative drafting, loss-event classification, and KRI... |
| 8 | MetricStream (MetricStream, Inc.) | Global insurance groups, large reinsurers, and multinational carriers running 5+ regulatory programmes who can absorb $500K+/yr and a 12-month implementation in exchange for the deepest regulatory content library in the category. | Opaque | 4.0/5 (190+ reviews) | Broadest module library in this ranking; one vendor can cover ERM, operational risk,... |
| 9 | Archer (formerly RSA Archer) (Archer Technologies, LLC) | Large insurance carriers, reinsurers, and government-adjacent insurance programmes that need on-prem deployment, deep IRM workflow, and a 20-year vendor track record. | Opaque | 3.9/5 (240+ reviews) | 20+ year track record in insurance carriers, reinsurers, and government; deepest IRM... |
| 10 | Optro (formerly AuditBoard) (Optro, Inc.) | Public insurance holding companies and Fortune 1000 insurance carriers running MAR §404 + SOX 302 + ICFR internal audit, plus enterprises that want one platform across internal audit, MAR, third-party, and ESG. | Opaque | 4.6/5 (1820+ reviews) | 1,585 G2 reviews at 4.6/5 (May 2026), the highest review volume in the category |

Calculator

Estimate the licence cost

Drag the slider to your headcount. Estimates use each vendor's published or triangulated tiers. Opaque vendors show Contact sales.

Headcount shown: 500 (slider range 1 to 5k)

RiskWatch
Professional (≤ 1,000 employees)
$36,000/yr
Origami Risk
Mid-market (est.) (quote-only tier)
Contact sales
Riskonnect
Enterprise entry (est.) (quote-only tier)
Contact sales
Moody's RiskIntegrity
Mid-enterprise (est.) (quote-only tier)
Contact sales
Wolters Kluwer OneSumX
Mid-enterprise (est.) (quote-only tier)
Contact sales
Workiva
SOX + ORSA reporting (est.) (quote-only tier)
Contact sales
IBM OpenPages
SaaS Essentials (≤ 1,000 employees)
$39,600/yr
MetricStream
Small enterprise (est.) (quote-only tier)
Contact sales
Archer (formerly RSA Archer)
Mid-enterprise (est.) (quote-only tier)
Contact sales
Optro (formerly AuditBoard)
Starter (est.) (quote-only tier)
Contact sales

Estimates only. Opaque-pricing vendors do not publish list prices; bands are triangulated from public third-party sources dated 2026-05-15. Implementation services, module add-ons, and renewal escalators are extra.

Pick your own weights

Decision matrix

Default weights match the methodology at the bottom of this page. Drag the sliders to match your priorities and re-rank in real time.

  • 20%: How quickly a non-technical control owner reaches first value
  • 20%: Module coverage across ERM, IT, audit, TPRM, BC
  • 20%: Price to value ratio at mid-market
  • 15%: Quality and responsiveness of vendor support
  • 15%: Handling 5,000+ employees, multiple entities, regions
  • 10%: Breadth of native connectors and APIs

Weights sum: 100%

  1. RiskWatch · Editorial rank #1 · 8.68
  2. Optro (formerly AuditBoard) · Editorial rank #10 · 8.51
  3. Origami Risk · Editorial rank #2 · 8.39
  4. Riskonnect · Editorial rank #3 · 8.22
  5. IBM OpenPages · Editorial rank #7 · 8.21
  6. Moody's RiskIntegrity · Editorial rank #4 · 8.18
  7. Wolters Kluwer OneSumX · Editorial rank #5 · 8.14
  8. Workiva · Editorial rank #6 · 8.06
  9. MetricStream · Editorial rank #8 · 7.96
  10. Archer (formerly RSA Archer) · Editorial rank #9 · 7.72

Switching cost

Migration matrix

Read row-to-column. Row = today's platform, column = tomorrow's. Colour reflects realistic switching effort, not vendor sales pitches.

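| From / To | RiskWatch | Origami Risk | Riskonnect | Moody's RiskIntegrity | Wolters Kluwer OneSumX | Workiva | IBM OpenPages | MetricStream | Archer | Optro |
|---|---|---|---|---|---|---|---|---|---|---|
| RiskWatch | . | M | H | H | H | M | H | H | H | E |
| Origami Risk | E | . | H | E | M | E | E | M | M | E |
| Riskonnect | H | H | . | H | H | H | H | H | H | H |
| Moody's RiskIntegrity | E | E | H | . | E | E | E | E | E | E |
| Wolters Kluwer OneSumX | E | E | H | E | . | E | E | E | E | E |
| Workiva | E | E | H | M | M | . | E | M | M | E |
| IBM OpenPages | E | E | H | E | E | E | . | E | M | E |
| MetricStream | E | E | H | E | E | E | E | . | E | E |
| Archer | E | E | H | E | E | E | E | E | . | E |
| Optro | E | M | H | H | H | M | M | H | H | . |

Easy (E) · Moderate (M) · Hard (H)

Source: per-vendor migration field with radar-profile fallback. Treat as a directional guide, not a quote.
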
Methodology

How we scored and why you should trust it

The methodology is the only thing keeping this page honest. Read it carefully and apply your own weights in the decision matrix above.

RiskWatch published this ranking. RiskWatch accepts no affiliate fees, sponsorship money, or paid placements on this page. RiskWatch is also in the ranking, at #1, in the mid-market and regional-carrier segment for which our platform is built. Readers should weigh that disclosure against the published evidence on this page. We scored each of the ten platforms on six axes tuned for insurance-carrier buyers: DOI-Examiner Defensibility (20%, replacing generic Ease of Use), Regulatory Content Breadth across NAIC + Solvency II + ICS + MAR + state DOI rules (20%), Total Cost of Ownership across multi-state and multi-jurisdiction filings (20%), Customer Support and Implementation Track Record with carriers (15%), Scalability across P&C / L&H / health / title / reinsurance / specialty (15%), and Integrations with policy-admin, claims, actuarial, and reinsurance systems (10%). Scores are 0-10 and calibrated within this category (highest examiner-defensibility 9.5, lowest 7.0). Ratings reference G2 and Capterra figures pulled 2026-05-15. Pricing reflects the most-recent published or triangulated figures, also pulled 2026-05-15; where pricing is opaque we report a range based on two or more public third-party sources. We re-verify this page quarterly.

Weights used in the editorial ranking

  • Ease of use: 20%
  • Feature breadth: 20%
  • Value: 20%
  • Customer support: 15%
  • Scalability: 15%
  • Integrations: 10%

#1

RiskWatch

RiskWatch International · Founded 1993 · Annapolis, MD, USA

Multi-state insurance risk and compliance platform with NAIC, NYDFS, MAR, and ORSA overlays in one tenant.

Partial pricing · G2 4.5 · Capterra 4.6 · 60+ reviews

Summary

RiskWatch ships a risk and compliance assessment platform built around pre-mapped control libraries for 40+ regulatory frameworks including the NAIC Insurance Data Security Model Law (adopted in 25+ US states), NYDFS Part 500, MAR §404 ICFR, ORSA, HIPAA for health insurers, RESPA for title carriers, GLBA Safeguards, PCI DSS v4, NIST 800-53, and SOC 2. The platform runs on a survey-based assessment engine plus an evidence vault and a cross-mapped control library with state-by-state overlays. Insurance customers include US state-chartered carriers, regional P&C insurers, health-insurance subsidiaries, title companies, and broker-distribution institutions; the product has been in the field since 1993. The single-tenant deploy-as-tenant architecture means carriers retain full control of their data and can answer DOI data-locality questions without a vendor escalation.

Strengths
  • NAIC Insurance Data Security Model Law overlay with state-specific variants for each adopting jurisdiction; new state adoption surfaces as a coverage gap, not a separate programme build
  • ORSA, MAR §404 ICFR, and cyber controls share the same evidence vault so internal audit captures once and ORSA refreshes annually without duplicate workpapers
  • 33-year operating history with examiner-recognised assessment artefacts; DOI examiner export packs are first-class output, not a custom report build
  • Single-tenant deployment with customer-owned data residency, useful for state-chartered carriers subject to DOI data-locality rules and for health insurers subject to HIPAA Security Rule physical safeguards
  • HIPAA for health-insurance subsidiaries and RESPA + state title-insurance regs for title carriers are first-party overlays, not OEM add-ons
  • Survey-based assessment engine works for non-technical control owners (underwriting officers, claims directors, branch managers) without a workflow-builder learning curve
  • Vendor risk management with BAA tracking and SOC 2 capture is a first-party module aligned to NYDFS Part 500 §500.11 and NAIC Model Law third-party-service-provider obligations
  • Published support tier ladder, not gated demos before you see what each tier includes
Weaknesses
  • No native quantitative capital-adequacy or Solvency II SCR / MCR calculation engine; carriers running internal-model Solvency II or pre-positioning for IAIS ICS Pillar 1 should pair RiskWatch with Moody's RiskIntegrity or Wolters Kluwer OneSumX
  • No native actuarial modelling or stochastic ALM; carriers running internal capital models keep that engine separate
  • No native claims administration or RMIS workflow at Origami / Riskonnect depth; carriers needing claims-and-policy on the same platform should pair RiskWatch with an RMIS
  • Pricing for tiers above Standard is not published on the public site (we are working on it; for now this listicle marks the category transparency problem with a partial badge for RiskWatch)
  • Brand awareness on G2 and Capterra is lower than Riskonnect, Origami, or Optro; total third-party review volume sits below 100
  • UI shows its operational heritage in places; newer entrants (ServiceNow IRM, Optro) have a more polished first-run experience
Best for

Mid-market and regional multi-state insurance carriers, health-insurance subsidiaries, title carriers, broker-distribution institutions, and reinsurance brokers running NAIC Model Law plus MAR plus ORSA plus state DOI examinations on one tenant.

Worst for

Tier-1 global insurers and reinsurers running internal-model Solvency II Pillar 1 capital or pre-positioning for IAIS ICS standard-formula Pillar 1; pair RiskWatch with Moody's RiskIntegrity or OneSumX for the quantitative capital engine.

Key features

  • Pre-built control libraries for NAIC Insurance Data Security Model Law (25+ adopting-state variants), NYDFS Part 500, MAR §404 ICFR, ORSA, HIPAA, RESPA, GLBA Safeguards, PCI DSS v4, ISO 27001:2022, NIST 800-53 r5, NIST 800-171 r3, GDPR
  • Cross-mapping engine that auto-detects shared controls across NAIC + NYDFS + MAR + SOX + GLBA
  • DOI-examiner-export packs (PDF + Excel) ready for state insurance department reviews
  • Survey-based assessment engine for non-technical control owners (underwriting officers, claims directors)
  • Evidence vault with versioning and audit-ready export for MAR §404 ICFR attestation
  • Vendor risk management with BAA + SOC 2 tracking aligned to NAIC Model Law third-party-service-provider obligations
  • Policy management with approval and attestation workflows for ORSA governance documents
  • Single-tenant deployment with customer-owned data residency for state-DOI data-locality requirements

Integrations

25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.

Target size

100 to 25,000 employees · US · Canada · EU · UK · AU

#2

Origami Risk

Origami Risk, LLC · Founded 2009 · Chicago, IL, USA

Carrier-grade RMIS market leader with claims, policy administration, rating, and billing on one data model.

Opaque pricing · G2 4.3 · Capterra 4.4 · 290+ reviews

Summary

Origami Risk was founded in 2009 in Chicago and has been recognised as the market leader in the Redhand RMIS Report for the eighth consecutive year in 2026. The platform is a highly configurable SaaS RMIS used by insurance carriers, brokers, TPAs, and risk-bearing organisations for claims administration, policy administration, rating, billing, loss control, analytics, and ORM. For P&C carriers and L&H carriers the depth of the insurance core (policy + claims + billing + rating) is the differentiator that pulls Origami ahead of generic GRC platforms. G2 reviewers describe it as configurable but with a steep learning curve and a configuration burden that benefits from a dedicated administrator.

Strengths
  • 2026 Redhand RMIS Report market leader for the eighth consecutive year; the benchmark RMIS platform for complex carrier and broker environments
  • Carrier-grade insurance core spanning policy administration, rating, billing, claims, and loss control on one data model; not a bolted-on RMIS
  • Highly configurable platform that adapts to carrier-specific workflows without source-code customisation
  • Strong analytics and dashboards praised by G2 and Capterra reviewers for claims, reserve adequacy, and TCOR visibility
  • Reserve methodology configuration with claims-examiner customisation by injury type and jurisdiction; useful for workers-comp and auto-liability carriers
  • Independent founder-led ownership (Spectrum Equity growth-investor, not control PE); roadmap continuity over multiple years
Weaknesses
  • G2 reviewers cite a steep learning curve and configuration burden; benefits from a dedicated platform administrator on day one
  • Pricing is opaque; SmartSuite and InsuranceERM directory triangulations place mid-market deals at $60K-$200K/yr and enterprise carriers at $300K-$1M+/yr
  • No native quantitative Solvency II SCR / MCR engine; carriers running EU subsidiaries pair Origami with Moody's RiskIntegrity or OneSumX
  • Reporting customisation requires platform-administrator time; out-of-the-box reports are functional but not citation-ready for every DOI examiner request
  • Smaller MAR §404 controls-testing depth than Optro or Workiva; public-insurance-holding companies running SOX-heavy internal audit pair Origami with a dedicated ICFR platform
  • Implementation timelines reported in G2 reviews routinely run 6-12 months for full insurance-core deployments
Best for

Mid-market and enterprise P&C, L&H, and specialty carriers, brokers, and TPAs that need carrier-grade RMIS depth (claims + policy + rating + billing) plus ERM in one tenant.

Worst for

Carriers whose primary brief is multi-state regulatory compliance (NAIC + NYDFS + MAR) rather than RMIS depth; or carriers running internal-model Solvency II.

Key features

  • Policy administration, rating, and billing for P&C and L&H carriers
  • Claims administration with reserve-adequacy configuration by injury type and jurisdiction
  • Loss control and safety with mobile inspection workflow
  • Risk management information system (RMIS) with TCOR analytics
  • Enterprise risk management (ERM) module
  • GRC and compliance module with framework templates
  • Configurable dashboards and ad-hoc reporting
  • Audit-ready exports for state DOI and reinsurance treaty review

Integrations

80+ native. Notable: Microsoft Entra ID, Okta, Salesforce, ServiceNow, Tableau, Power BI, Snowflake, ISO ClaimSearch.

Target size

500 to 100,000 employees · US · Canada · UK · EU · AU

#3

Riskonnect

Riskonnect, Inc. · Founded 2007 · Atlanta, GA, USA

Salesforce-native integrated risk platform with the deepest TCOR and claims depth after the March 2024 Ventiv acquisition.

Opaque pricing · G2 4.2 · Capterra 4.4 · 200+ reviews

Summary

Riskonnect runs on Salesforce and is built around an integrated-risk data model that covers ten GRC disciplines from one tenant. The company serves 2,700+ enterprise customers across six continents and is owned by TA Associates with Thoma Bravo and Arrowroot Capital. The March 2024 acquisition of Ventiv Technology added carrier-grade claims, billing, and policy-administration capabilities into the Helix suite, which closes the gap with Origami Risk on RMIS depth. Strengths are enterprise risk management, insurance and claims management, total cost of risk, and business continuity. Pricing is opaque; published triangulations place enterprise entry at $283K/yr.

Strengths
  • 2,700+ enterprise customers, the largest active install base in this ranking after Optro
  • March 2024 Ventiv Technology acquisition added carrier-grade claims, policy, and billing capabilities into the Helix suite
  • Salesforce-native architecture inherits Salesforce SSO, mobile, and reporting capabilities
  • Deepest total cost of risk (TCOR) data model in the category; ERM, claims, BCM, and TPRM unified
  • Strong P&C insurance, claims, and business-continuity modules; the natural pick for insurance holding companies with self-insured workers-comp or property
  • Forrester Consulting reported a 280% three-year ROI on integrated-risk-platform deployments at enterprise scale
Weaknesses
  • G2 reviewers consistently flag initial complexity and overwhelming UI before familiarity sets in
  • Pricing reported by SmartSuite as starting at $283K annually; the highest entry point in this ranking after MetricStream and Moody's
  • Salesforce dependency cuts both ways; non-Salesforce shops absorb a platform-tax they did not budget for
  • Triple-PE ownership (TA, Thoma Bravo, Arrowroot) elevates renewal-pricing pressure; 8-12% annual uplift historically reported
  • Ventiv integration is ongoing; some customers report parallel UIs and data-model gaps during the post-acquisition stabilisation period
  • No native Solvency II SCR / MCR engine for EU subsidiaries; carriers pair Riskonnect with Moody's RiskIntegrity or OneSumX for internal-model capital
Best for

Enterprise P&C and L&H carriers, insurance holding companies, and self-insured organisations running TCOR at scale, especially Salesforce shops.

Worst for

Sub-500-employee regional carriers chasing first-time NAIC Model Law or ORSA readiness; cost-prohibitive and over-built.

Key features

  • Salesforce-native data model with inherited security and SSO
  • Enterprise risk management (ERM) with KRIs and risk register
  • Insurance and claims management (Helix, post-Ventiv acquisition March 2024)
  • Policy administration and billing for self-insured and captive programmes
  • Business continuity and operational resilience
  • Third-party / vendor risk management
  • Compliance and policy management with framework templates
  • Health and safety risk module
  • Connected total-cost-of-risk (TCOR) dashboards for board reporting

Integrations

200+ native. Notable: Salesforce AppExchange ecosystem, Microsoft Entra ID, ServiceNow, SAP, Workday, Tableau, ISO ClaimSearch.

Target size

1,000 to 100,000 employees · US · Canada · UK · EU · AU · APAC · LATAM

#4

Moody's RiskIntegrity

Moody's Analytics, Inc. · Founded 2007 · New York, NY, USA

End-to-end Solvency II and ORSA capital modelling for insurers running internal-model or pre-positioning for IAIS ICS.

Opaque pricing · G2 4.3 · Capterra 4.4 · 90+ reviews

Summary

Moody's RiskIntegrity is the insurance-specific risk and capital modelling platform from Moody's Analytics, built around Solvency II SCR and MCR calculations under both standard formula and internal model. The suite covers economic balance sheet projections, stochastic ALM, ORSA reporting, and capital-adequacy assessment. It is the natural pick for European insurers, multinational insurance groups running EIOPA Pillar 1 internal-model approvals, and US carriers pre-positioning for IAIS ICS adoption. The trade-off is that RiskIntegrity is a capital-and-risk engine, not a full GRC platform; carriers pair it with an enterprise GRC tool for ORM, IT GRC, and audit.

Strengths
  • End-to-end Solvency II SCR and MCR under both standard formula and internal model approval
  • Economic balance sheet projections, stochastic ALM, and Monte-Carlo capital simulations
  • ORSA reporting workflow aligned to EIOPA and NAIC guidance with stress-and-scenario modules
  • Used by tier-1 European insurance groups; the canonical Solvency II modelling reference
  • Moody's Analytics insurance suite extends to IFRS 17 reserve modelling and rating-feed integration
  • Public-company stability (NYSE: MCO ~$80B market cap); no PE renewal-pressure dynamic
Weaknesses
  • Not a full GRC platform; no native ORM, IT GRC, MAR controls testing, or vendor risk; carriers pair RiskIntegrity with a GRC tool
  • Pricing is opaque; multi-million-dollar enterprise deals are typical for tier-1 insurance groups
  • Implementation services dependency is heavy; greenfield deployments routinely run 9-18 months with Moody's PS or a tier-1 SI
  • Steep learning curve for actuarial and capital teams unfamiliar with internal-model approval workflows
  • Limited fit for SMB and regional US carriers whose ORSA brief is standard-formula or qualitative rather than internal-model quantitative
  • Reporting customisation typically requires platform-administrator time and Moody's PS engagement
Best for

European insurance groups under Solvency II Pillar 1 internal-model approval, US insurance groups pre-positioning for IAIS ICS Pillar 1, and multinational reinsurers running stochastic ORSA.

Worst for

Regional US carriers whose ORSA brief is standard-formula and qualitative; the platform is priced and architected for internal-model quantitative capital modelling.

Key features

  • Solvency II SCR and MCR calculations under standard formula and internal model
  • Economic balance sheet projections and capital adequacy assessment
  • Stochastic ALM and Monte-Carlo capital simulations
  • ORSA reporting workflow with stress-and-scenario modules
  • IFRS 17 reserve modelling integration
  • Rating-feed integration with Moody's credit and economic data
  • Internal-model approval audit trail for EIOPA and PRA supervisors
  • Pre-positioning workflow for IAIS ICS Pillar 1 standard-formula and internal-model

Integrations

60+ native. Notable: Moody's Analytics data feeds, Wolters Kluwer OneSumX, SAP, Oracle, Microsoft Entra ID, Custom actuarial models.

Target size

1,000 to 100,000 employees · Global

#5

Wolters Kluwer OneSumX

Wolters Kluwer N.V. · Founded 1836 · Alphen aan den Rijn, Netherlands

Solvency II Pillar 1 / 2 / 3 plus ORSA plus IFRS 17 on the same regulatory-content engine that ships bank reporting.

Opaque pricing · G2 4.2 · Capterra 4.3 · 110+ reviews

Summary

Wolters Kluwer OneSumX is a financial regulatory-technology platform with a dedicated insurance suite covering Solvency II SCR / MCR, technical provisions, Pillar 3 disclosures, ORSA, and IFRS 17. For finance-led carriers the CCH Tagetik Solvency II module provides an additional CFO-office-friendly path with consolidation and disclosure workflow. Wolters Kluwer is used by 24 of the top 25 global banks under OneSumX banking; the insurance suite extends the same regulatory-content engine to insurance supervisors including EIOPA, BMA, PRA, MAS, HKMA. Pricing is opaque and enterprise-tier.

Strengths
  • End-to-end Solvency II SCR and MCR plus technical provisions plus Pillar 3 disclosures plus stochastic ORSA on one engine
  • CCH Tagetik Solvency II module for finance-led carriers wanting consolidation and disclosure workflow in the CFO office
  • Daily regulatory-content updates across EIOPA, PRA, BMA, MAS, HKMA, APRA insurance supervisors
  • Used by 24 of top 25 global banks under OneSumX banking; the insurance extension inherits the same regulatory-content discipline
  • IFRS 17 integration for reserve modelling and disclosure
  • Public-company stability (Euronext: WKL); no PE renewal-pressure dynamic
Weaknesses
  • Pricing is opaque; tier-1 insurance deals routinely $250K-$2M+/yr depending on jurisdiction coverage
  • Implementation services dependency is heavy; greenfield Solvency II deployments routinely 12-24 months with Wolters Kluwer expert services or a tier-1 SI
  • Not a full GRC platform; no native MAR controls testing, ORM workflow, or vendor risk; carriers pair OneSumX with a GRC tool
  • Steep learning curve for actuarial, finance, and risk teams; benefits from a dedicated platform team on day one
  • Limited fit for SMB and regional US carriers running standard-formula NAIC ORSA only; over-built for that brief
  • UI generations behind newer entrants; not the right pick for non-technical control owners
Best for

European insurance groups under Solvency II Pillar 1 / 2 / 3 plus IFRS 17, multinational insurance groups running EIOPA Pillar 3 disclosures across jurisdictions, and finance-led carriers wanting CCH Tagetik consolidation workflow.

Worst for

Regional US carriers whose ORSA brief is standard-formula and qualitative; over-built for that brief.

Key features

  • Solvency II SCR and MCR under standard formula and internal model
  • Technical provisions and economic balance sheet projections
  • Pillar 3 disclosures with automated regulatory submissions
  • Stochastic ORSA workflow with stress-and-scenario modules
  • IFRS 17 reserve modelling integration
  • CCH Tagetik Solvency II module for finance-led carriers
  • Daily regulatory-content updates across global insurance supervisors
  • XBRL submission workflow for EIOPA Pillar 3

Integrations

80+ native. Notable: Wolters Kluwer regulatory-content feed, SAP, Oracle, Moody's Analytics, Microsoft Entra ID, Custom actuarial models.

Target size

1,000 to 100,000 employees · Global

#6

Workiva

Workiva Inc. · Founded 2008 · Ames, IA, USA

Connected reporting for NAIC RBC, ORSA, Solvency II disclosures, MAR §404, and 10-K / 10-Q on one data spine.

Opaque pricing · G2 4.5 · Capterra 4.5 · 1300+ reviews

Summary

Workiva was founded in 2008 and went public on NYSE in 2014. The core product is connected reporting for SOX 302 / 404, 10-K / 10-Q assembly, ESG, and statutory filings. For insurance carriers, the Workiva insurance suite supports GAAP, NAIC Risk-Based Capital (RBC), Capital Adequacy Test, ORSA, and Solvency II disclosures alongside MAR §404 ICFR and SEC reporting. The right pick for public insurance holding companies and bank-holding-company-with-insurance-subsidiary buyers where SOX and statutory financial reporting are the load-bearing programmes. Total reviews approach 1,300 on G2; the load-bearing weakness is breadth on the operational-risk side.

Strengths
  • Native NAIC RBC, Capital Adequacy Test, ORSA, and Solvency II disclosure workflow alongside MAR §404 + SEC reporting
  • Connected reporting spine eliminates duplicate evidence entry between risk register, controls testing, and statutory financial statements
  • Public company (NYSE: WK); stable ownership and no PE renewal-pressure dynamic
  • Strong audit-trail and version-control on the connected-reporting spine, useful for DOI examiner and SEC scrutiny
  • ESG reporting depth among the strongest in the category; useful for EU public-insurance-holding CSRD obligations
  • Native fit for public insurance holding companies running 10-K / 10-Q assembly alongside ORSA
Weaknesses
  • Operational risk, TPRM, and IT GRC depth are thinner than Riskonnect, Origami, or OpenPages; gaps appear when used as enterprise-wide GRC
  • No native quantitative Solvency II SCR / MCR engine; carriers pair Workiva with Moody's RiskIntegrity or OneSumX for capital modelling
  • Pricing is opaque and scales fast; mid-market entry $45-80K/yr, enterprise full-stack regularly $150K-$500K/yr; Vendr composite year-one for insurance carriers reported around $335K
  • Significant investment required to get up and running and steep learning curve are the most-cited complaints in 2026 G2 reviews
  • Audit-trail gaps reported in 2026 G2 reviews (users cannot always see who made recent changes); a real issue for a financial-reporting platform
  • Limited fit for carriers running quantitative actuarial modelling or internal-model Solvency II; the platform is reporting-shaped, not capital-engine-shaped
Best for

Public insurance holding companies, NAIC-RBC-filing US carriers, and EU insurance holding companies where MAR §404 plus 10-K / 10-Q assembly plus ORSA disclosure plus CSRD ESG are the central programmes.

Worst for

Carriers running internal-model Solvency II Pillar 1 capital or pre-positioning for IAIS ICS internal-model; the platform is reporting-shaped, not capital-engine-shaped.

Key features

  • NAIC Risk-Based Capital (RBC) reporting workflow
  • ORSA Summary Report assembly with state-DOI export packs
  • Solvency II Pillar 3 disclosure workflow
  • MAR §404 and SOX §302 ICFR controls testing
  • 10-K / 10-Q / 8-K assembly with audit trail
  • CSRD ESRS sustainability reporting workflow
  • Risk register with control linkage
  • Internal audit module with statutory financial reporting

Integrations

60+ native. Notable: Microsoft Entra ID, Okta, Workday, NetSuite, SAP, Oracle ERP, Salesforce, Tableau.

Target size

500 to 100,000 employees · US · Canada · UK · EU · AU · APAC

#7

IBM OpenPages

IBM Corporation · Founded 1996 · Armonk, NY, USA

Watson-assisted enterprise GRC with operational-risk and model-risk depth for tier-1 insurance groups.

Partial pricing · G2 4.2 · Capterra 4.3 · 310+ reviews

Summary

IBM OpenPages traces back to a 1996 acquisition and was rebuilt on the IBM Cloud Pak for Data platform with Watson AI features for control-narrative drafting, loss-event classification, and KRI anomaly detection. The product fits tier-1 insurance groups, multinational carriers, and bank-holding-companies-with-insurance-subsidiaries that need an AI-assisted controls layer over insurance operational-risk taxonomies, model risk, and IT risk. It integrates natively with the Wolters Kluwer OneSumX regulatory-content feed, which makes it a common pair with OneSumX for insurance carriers. G2 and Gartner Peer Insights reviewers consistently flag implementation complexity and a learning curve but rate the platform highly on regulatory-content depth and analytics.

Strengths
  • Watson AI features for control-narrative drafting, loss-event classification, and KRI anomaly detection across insurance operational risk
  • Native integration with Wolters Kluwer OneSumX regulatory-content feed; common pair for insurance carriers running Solvency II plus enterprise GRC
  • Operational-risk taxonomy tuned for insurance carriers with loss-event classification and scenario analysis
  • Model risk management workflow tied to actuarial and capital models; useful for internal-model Solvency II programmes
  • Cloud Pak for Data foundation supports model risk workflows alongside data-lake-resident risk analytics
  • Public-cloud (AWS-hosted SaaS) and IBM-hosted private cloud options; useful for carriers with hybrid data-residency obligations
Weaknesses
  • Pricing escalates fast: SaaS Essentials $3,300/month list, Standard $6,050/month list; Cloud Pak Single Solution $162K entry, Solution Bundle $207K (ITQlick May 2026); customers regularly report $200K+ annual after configuration
  • Third-Party Risk Management add-on prices from $48,000/yr (ITQlick); AI Governance add-on around $13,000/month
  • G2 reviewers describe the UI as functional but dated compared with newer entrants
  • Report-generation latency is the most-cited downside in 2026 G2 reviews; problematic when a DOI examiner asks for an artefact in the room
  • Implementation-services dependency is heavy; greenfield deployments routinely run 9-18 months with IBM GBS or a tier-1 SI
  • No native Solvency II SCR / MCR engine; OpenPages handles ORM and model risk but pairs with OneSumX for Pillar 1 capital calculations
Best for

Tier-1 insurance groups, multinational carriers, and bank-holding-companies-with-insurance-subsidiaries that need an AI-assisted controls layer over insurance operational risk and model risk, and that already run the Wolters Kluwer regulatory feed.

Worst for

Regional carriers and reinsurance brokers under 2,000 employees; the cost and implementation profile is built for global tier-1 buyers.

Key features

  • Watson AI-assisted control narratives and KRI anomaly detection
  • Insurance operational-risk taxonomy with loss-event classification
  • Model risk management workflow tied to actuarial and capital models
  • Regulatory change management with native Wolters Kluwer feed
  • Internal audit, policy, and compliance modules
  • Third-party risk management module (TPRM add-on)
  • Cloud Pak for Data integration for data-lake-resident risk analytics
  • Pre-built dashboards for state DOI, EIOPA, and PRA reporting

Integrations

80+ native. Notable: Wolters Kluwer OneSumX, Moody's Analytics, ServiceNow, SAP, Workday, Microsoft Entra ID.

Target size

2,000 to 250,000 employees · Global

#8

MetricStream

MetricStream, Inc. · Founded 1999 · Palo Alto, CA, USA

Broadest regulatory content library for global insurance groups, reinsurers, and multinational carriers.

Opaque pricing · G2 4.0 · Capterra 4.4 · 190+ reviews

Summary

MetricStream was founded in 1999 and ships a modular enterprise GRC suite spanning ERM, IT GRC, operational risk, internal audit, third-party, and regulatory compliance. In insurance it fits global insurance groups, large reinsurers, and multinational carriers facing NAIC, EIOPA, BMA, MAS, HKMA, APRA, and PRA examination scope. A recent G2 reviewer (March 2026) rated the ERM module 3.5/5. The platform's load-bearing strength is depth of pre-built regulatory content across global insurance supervisors; the load-bearing weakness is implementation effort.

Strengths
  • Broadest module library in this ranking; one vendor can cover ERM, operational risk, IT GRC, internal audit, TPRM, regulatory compliance, business continuity, and ESG
  • 26-year operating history with the largest US, EU, and APAC insurance groups and reinsurers
  • Deepest insurance regulatory content library: NAIC, EIOPA, BMA, MAS, HKMA, APRA, PRA, FCA
  • Strong workflow automation and risk-scoring models across frameworks (ISO 31000, COSO ERM, Solvency II)
  • Visualisation of risks across multiple dimensions praised by Capterra reviewers in 2026
Weaknesses
  • Reported pricing: $75K-$1M+/yr depending on modules; small-enterprise floor $75-150K, large-enterprise $750K-$1M+ (SmartSuite + Gartner Peer Insights 2026)
  • Implementation services ~$50K one-time per module; 8-16 week minimum for a single module, 6-12 months for full suite
  • March 2026 G2 ERM-module score 3.5/5; the lowest of the ten in this ranking
  • Configuration effort is the most-cited downside in third-party reviews
  • UI generations behind newer entrants; not the right pick for non-technical control owners
  • No native Solvency II SCR / MCR engine; MetricStream covers ORM and regulatory content but pairs with OneSumX or Moody's for Pillar 1 calculations
Best for

Global insurance groups, large reinsurers, and multinational carriers running 5+ regulatory programmes who can absorb $500K+/yr and a 12-month implementation in exchange for the deepest regulatory content library in the category.

Worst for

Regional carriers and reinsurance brokers under 1,000 employees; the platform is priced and architected for enterprise GRC engineering teams.

Key features

  • Enterprise risk management (ERM) module
  • Insurance operational-risk module with loss-event classification
  • IT GRC and cyber risk module
  • Internal audit management module
  • Third-party / vendor risk module
  • Business continuity and operational resilience
  • ESG and sustainability module
  • Policy management with framework templates for NAIC + EIOPA + BMA + PRA + APRA

Integrations

100+ native. Notable: SAP, Oracle, Workday, ServiceNow, Microsoft Entra ID, Tableau, Splunk.

Target size

2,000 to 250,000 employees · Global

#9

Archer (formerly RSA Archer)

Archer Technologies, LLC · Founded 2000 · Overland Park, KS, USA

On-prem-capable integrated risk platform for the most-regulated insurance carriers and reinsurers.

Opaque pricing · G2 3.9 · Capterra 4.0 · 240+ reviews

Summary

Archer (formerly RSA Archer) is the elder statesman of integrated risk management, with 20+ years serving insurance carriers and reinsurers. The customer base values on-prem deployment and deep configurability, useful for carriers with data-locality obligations and state-DOI examination preferences. The product was spun out of RSA in 2020 to Symphony Technology Group and acquired by Cinven in 2023. G2 places Archer at 7.2/10 with deep integrated-risk capabilities, but reviewers note an ageing UI, steep learning curve, and slow implementation cycles. Pricing is enterprise-tier: $75K-$300K+/yr.

Strengths
  • 20+ year track record in insurance carriers, reinsurers, and government; deepest IRM bench in this ranking
  • On-prem deployment supported, which still matters for state-chartered carriers with strict data-locality obligations
  • Connected operational, IT, third-party, and compliance risk into one framework before competitors
  • Advanced workflow, data feeds, and dashboards praised in G2 reviews
  • Cinven ownership (2023+) is more stable than the STG / RSA carve-out era
  • Public-sector deployment options align with FedRAMP requirements; useful for federally-adjacent insurance customers (e.g. FEHB carriers)
Weaknesses
  • UI is generations behind newer entrants; G2 reviewers describe it as clunky and outdated
  • Steep learning curve and slow implementation hinder adoption; consulting-heavy go-live
  • Pricing is enterprise-only ($75-300K+/yr); no mid-market entry tier
  • Carve-out churn (RSA to STG 2020, STG to Cinven 2023) created two rounds of leadership and roadmap reshuffles
  • Cloud experience trails on-prem maturity; cloud customers report performance gaps
  • No native Solvency II SCR / MCR engine; carriers running internal-model capital pair Archer with Moody's or OneSumX
Best for

Large insurance carriers, reinsurers, and government-adjacent insurance programmes that need on-prem deployment, deep IRM workflow, and a 20-year vendor track record.

Worst for

Modern SaaS and cloud-first carriers and digital MGA platforms; the on-prem heritage shows in the UI and the implementation rhythm.

Key features

  • Integrated risk management platform with 20+ use cases
  • Operational risk management tuned for insurance carriers
  • IT and cyber risk
  • Third-party governance for reinsurance counterparty risk
  • Business resiliency and continuity
  • Audit management
  • Compliance management with control library across NAIC + EIOPA + state DOI
  • Public-sector deployment options aligned to FedRAMP for FEHB and federally-adjacent carriers

Integrations

60+ native. Notable: Microsoft Entra ID, ServiceNow, SAP, Splunk, Tenable, Tableau.

Target size

2,000 to 250,000 employees · US · EU · UK · Canada · AU · APAC

#10

Optro (formerly AuditBoard)

Optro, Inc. · Founded 2014 · Cerritos, CA, USA

MAR §404 and SOX internal-audit suite for public insurance holding companies.

Opaque pricing · G2 4.6 · Capterra 4.7 · 1820+ reviews

Summary

Optro is the new name for AuditBoard, announced March 9, 2026 at the IIA Great Audit Minds conference. The company was founded in 2014 by Daniel Kim and Jay Lee as SOXHUB, rebranded to AuditBoard in 2017, and was acquired by Hg Capital in May 2024 for over $3 billion. For insurance buyers the platform leads on MAR §404 and SOX controls testing depth, with strong third-party risk and ESG modules. G2 carries 1,585 verified reviews at 4.6/5 as of May 2026. Reference customers include Fortune 500 insurers in the public-holding-company segment.

Strengths
  • 1,585 G2 reviews at 4.6/5 (May 2026), the highest review volume in the category
  • Deepest MAR §404 and SOX controls testing and ICFR workflow of any platform here, born from the original SOXHUB product
  • Strong internal-audit workflow with planning, fieldwork, issue tracking, and committee-ready reports
  • Connected-risk model that ties operational risk, IT risk, and third-party risk into one data layer
  • AI features (CrossComply, Optro AI) launched alongside the rebrand, driving automated control-evidence linking
  • Fortune 500 insurance reference customers in the public-holding-company segment
Weaknesses
  • Hg Capital ownership since May 2024 raises typical PE-owned price-uplift risk; expect 10-15% price increases at renewal
  • Rebrand churn (March 2026) means a year of customer-comms work that distracts from product velocity
  • Pricing remains opaque; SmartSuite and ComplianceRated triangulate $30-80K+ entry, scaling to mid-six-figures for enterprise
  • Implementation is consultant-heavy; expect 8-16 week deployment with named SI partner support
  • Out-of-the-box framework libraries for NAIC + EIOPA + state DOI are weaker than RiskWatch / MetricStream; not the right pick for the multi-state insurance regulatory brief
  • No native RMIS, claims, or policy-administration depth; not a replacement for Origami or Riskonnect on the insurance core
Best for

Public insurance holding companies and Fortune 1000 insurance carriers running MAR §404 + SOX 302 + ICFR internal audit, plus enterprises that want one platform across internal audit, MAR, third-party, and ESG.

Worst for

Regional carriers whose primary brief is multi-state NAIC + NYDFS + ORSA regulatory compliance rather than MAR §404 audit; or carriers needing RMIS claims and policy depth.

Key features

  • MAR §404 and SOX 302 controls testing and ICFR workflow
  • Internal audit planning, fieldwork, and reporting
  • SOC 1 / SOC 2 / ISO 27001 framework support
  • Third-party risk management (TPRM) with vendor scoring
  • ESG and sustainability reporting workflow
  • CrossComply control-mapping across MAR + SOX + ISO + SOC
  • Optro AI for evidence summarisation and control narratives
  • Connected-risk dashboards for audit-committee reporting

Integrations

60+ native. Notable: Workday, NetSuite, SAP, Microsoft Entra ID, Okta, Jira, ServiceNow, Salesforce.

Target size

500 to 100,000 employees · US · Canada · UK · EU · AU · APAC

Step by step

Buying guide

Walk these steps in order. The shortlist falls out of step 1, the negotiation moves come together in step 6, and step 8 closes the deal.

  1. Name the load-bearing programme in one sentence

    Before you shortlist, write down the one programme you absolutely must serve. Examples: file the next ORSA Summary Report with the lead state DOI cleanly; consolidate 8 state-by-state NAIC Model Law spreadsheets into one tenant; pass the next MAR §404 ICFR audit-committee attestation; calculate Solvency II SCR under internal-model approval for an EU subsidiary; roll up TCOR across underwriting and self-insured workers-comp on one data spine. The shortlist falls out of the one-sentence answer.

  2. Match the shortlist to your carrier size and segment

    Filter the ten platforms by carrier size, lines of business, and jurisdiction count. A mid-market regional carrier under 5,000 employees with a $50-150K budget rules out Riskonnect (entry $283K), MetricStream, Archer, Moody's, and OneSumX, and rules in RiskWatch Professional or Enterprise, Origami mid-market, and Workiva SOX+ORSA. A tier-1 global insurance group with a $500K+ budget rules in Moody's RiskIntegrity, OneSumX, MetricStream, OpenPages, and Archer. An EU subsidiary running internal-model Solvency II rules in Moody's or OneSumX. A public insurance holding company running MAR rules in Optro or Workiva.

  3. Pull G2, Capterra, and Redhand RMIS Report patterns from the last 12 months

    For each shortlisted vendor, read 20+ third-party reviews from the last 12 months plus the 2026 Redhand RMIS Report for carrier-side coverage. Look for patterns, not single outliers. Common patterns in insurance: deep RMIS depth with a steep learning curve (Origami, Riskonnect); strongest Solvency II capital engine but no ORM (Moody's, OneSumX); strongest MAR but thin insurance regulatory content (Optro, Workiva); strongest insurance regulatory content but slow implementation (MetricStream, Archer); strongest multi-state NAIC + NYDFS + MAR + ORSA out of the box (RiskWatch).

  4. Ask each vendor for the renewal-escalator cap in writing

    Renewal-pricing pressure is the silent budget killer in this category. Riskonnect, Optro, Origami, and Archer are all PE-owned, which historically signals 8-12% annual uplift pressure. Moody's RiskIntegrity and OneSumX are large public-company suites that price aggressively at renewal as jurisdictions and modules expand. Ask for the renewal-escalator cap in the master subscription agreement and walk if the vendor refuses. For triple-PE vendors (Riskonnect with TA + Thoma Bravo + Arrowroot) the renewal pressure is structural.

  5. Insist on a working pilot with real DOI examiner artefacts

    Demos are choreographed. Working pilots are not. Ask each finalist for a 30-day pilot with real data: three frameworks of your choice (typically NAIC Model Law plus NYDFS Part 500 plus MAR §404 for a US multi-state carrier; Solvency II plus ORSA plus IFRS 17 for an EU subsidiary), one risk register, one vendor-risk assessment, and one DOI-examiner-export pack. The platform that produces an examiner-defensible artefact in 30 days without three weeks of professional services is the one that will scale post-deal.

  6. Triangulate the pricing if the vendor will not publish

    Eight of the ten platforms here gate pricing behind a demo. For each opaque vendor, pull at least two independent third-party price triangulations (SmartSuite, ITQlick, ComplianceRated, Vendr, GetApp, InsuranceERM directory are all useful) and use them as your anchor in negotiation. IBM OpenPages list-price tiers are public for SaaS Essentials and Standard but most enterprise deals close materially above list; the RiskWatch Standard tier is published at $99/month.

  7. Pressure-test data residency, DOI access, and the exit clause

    Your risk data is examiner-readable. Ask each vendor: where does my data live, who can access it (including vendor subcontractors), what does the SOC 2 say about that access, and what happens to the data if I leave? RiskWatch supports single-tenant deployment with customer-owned data residency, useful for state-chartered carriers subject to DOI data-locality rules. Archer supports on-prem deployment. Most other SaaS-first vendors are multi-tenant. Get the exit clause in writing: data export format, retention period after termination, and price.

  8. Run the decision matrix on this page with your own weights

    The default methodology weights on this page (20% DOI-Examiner Defensibility, 20% Regulatory Content Breadth, 20% TCO, 15% Support, 15% Scalability across lines of business, 10% Integrations) reflect a mid-market regional-carrier buyer. Your weights may differ; a tier-1 European insurance group will weight Scalability and Features (internal-model Solvency II) higher, a MAR-led public-holding company will weight Features (MAR §404 depth) higher. Use the decision-matrix slider on this page to re-rank with your weights before you book the demos.

Frequently asked

Buyer questions, answered

The eight questions our pre-sales team hears the most often when buyers compare this category.

What is risk management software for insurance carriers and how is it different from a generic GRC platform?
Risk management software for insurance carriers covers six load-bearing programmes that a generic GRC platform serves badly: NAIC ORSA (Own Risk and Solvency Assessment), Solvency II Pillar 1 / 2 / 3 for EU carriers, IAIS ICS pre-positioning for global insurance groups, NAIC MAR §404 ICFR for public-holding companies, NAIC Insurance Data Security Model Law plus NYDFS Part 500 for state-DOI cybersecurity examinations, and claims TCOR across underwriting, reinsurance treaties, and self-insured retentions. The ten platforms in this ranking each fit at least one of those briefs; the rest of the market fits zero or one. DOI-examiner defensibility is the differentiator that does not show up in a generic GRC scorecard.
Which platform is best for filing an ORSA Summary Report with a state insurance department?
For US carriers filing ORSA under the NAIC Risk Management and Own Risk and Solvency Assessment Model Act (#505), the realistic shortlist is RiskWatch (standard-formula and qualitative ORSA on the same tenant as NAIC Model Law plus NYDFS plus MAR), Riskonnect (Salesforce-native ERM with ORSA workflow and TCOR data layer), Origami Risk (carrier-grade RMIS with ORSA module), and Workiva (NAIC RBC plus Capital Adequacy Test plus ORSA disclosure on the connected-reporting spine). For internal-model Solvency II carriers pre-positioning for IAIS ICS, pair the GRC tenant above with Moody's RiskIntegrity or Wolters Kluwer OneSumX for Pillar 1 capital calculations.
Which platform handles Solvency II Pillar 1 SCR and MCR best in 2026?
Moody's RiskIntegrity and Wolters Kluwer OneSumX are the two purpose-built Solvency II capital engines in this ranking. RiskIntegrity ships end-to-end SCR / MCR under standard formula and internal model with stochastic ALM and Monte-Carlo simulations. OneSumX ships SCR / MCR plus technical provisions plus Pillar 3 disclosures plus stochastic ORSA on the same regulatory-content engine that Wolters Kluwer uses for bank reporting; the CCH Tagetik Solvency II module adds finance-led consolidation. IBM OpenPages pairs with OneSumX as the GRC layer over the capital engine. None of the other platforms in this ranking ships an internal-model Pillar 1 capital engine.
How much should a regional or mid-market US carrier budget for risk management software in 2026?
A regional or mid-market US carrier under 5,000 employees running 4-6 frameworks (NAIC Model Law plus NYDFS Part 500 plus MAR §404 plus ORSA plus GLBA Safeguards plus HIPAA if health) should budget $50,000-$150,000/yr on licence plus 15-25% on implementation in the first year. RiskWatch Professional or Enterprise, Origami Risk mid-market, and Workiva SOX-plus-ORSA reporting are the realistic shortlist. Avoid the Riskonnect entry ($283K), MetricStream small-enterprise ($100-150K floor), Archer mid-enterprise ($80K plus deep PS), Moody's RiskIntegrity ($250K+), and OneSumX mid-tier ($250K+) bands unless your headcount, jurisdictions, and modules justify them.
What is the IAIS Insurance Capital Standard and which platforms support it?
The IAIS Insurance Capital Standard (ICS) is a globally-comparable group-wide capital standard published by the International Association of Insurance Supervisors. ICS Version 2.0 was adopted in December 2024 and is now in the implementation phase for internationally-active insurance groups (IAIGs). The standard converges with Solvency II Pillar 1 in many areas. Moody's RiskIntegrity and Wolters Kluwer OneSumX are the two platforms in this ranking with explicit ICS pre-positioning workflow. IBM OpenPages and MetricStream cover the ORM and regulatory-content side. The other platforms (RiskWatch, Origami, Riskonnect, Workiva, Archer, Optro) do not natively cover ICS Pillar 1 capital.
Which platform handles NAIC Insurance Data Security Model Law across multiple adopting states best?
RiskWatch is purpose-built for the multi-state NAIC Insurance Data Security Model Law brief. The platform ships state-specific overlays for each of the 25+ adopting US states so a carrier running operations in multiple jurisdictions can score against the canonical NAIC Model Law plus state-specific variations on the same controls library, with examiner-export packs per state. Generic GRC platforms (Riskonnect, MetricStream, Archer) require carrier-side configuration to handle each state variant separately, which adds 4-8 weeks of consulting time per state at deployment.
How often is this ranking re-verified?
We re-verify the ratings, pricing triangulations, and material vendor news on this page every quarter. The current pull is dated 2026-05-15. Pricing for opaque vendors is triangulated from two or more public third-party sources (SmartSuite, ITQlick, ComplianceRated, Vendr, GetApp, InsuranceERM software directory, Sprinto blog teardowns). If a number on this page is stale when you read it, please file the correction at sales@riskwatch.com.
Does RiskWatch accept any money from the other vendors on this page?
No. RiskWatch accepts no affiliate fees, sponsorship money, or paid placements on this page. RiskWatch is also on the page, at #1 in the mid-market and regional-carrier segment for which our platform is built. That conflict is disclosed in the methodology block and surfaced on the RiskWatch product card. Readers should weigh that disclosure against the published evidence on this page.
Definitions

Glossary

Definitions for the acronyms and jargon used on this page. Useful for sharing with non-specialist stakeholders on the buying committee.

NAIC ORSA
Own Risk and Solvency Assessment. A confidential internal assessment of an insurer's material risks and capital adequacy, filed annually with the lead state insurance department under the NAIC Risk Management and Own Risk and Solvency Assessment Model Act (#505). Adopted by 49 US states plus DC and Puerto Rico as of 2026.
Solvency II
EU Directive 2009/138/EC governing insurance and reinsurance solvency, structured as three pillars: Pillar 1 quantitative capital (SCR plus MCR plus technical provisions), Pillar 2 governance and ORSA, Pillar 3 supervisory reporting and public disclosure. EIOPA is the supervisor of supervisors; the standard has been live since 1 January 2016.
IAIS ICS
International Association of Insurance Supervisors Insurance Capital Standard. A globally-comparable group-wide capital standard for internationally-active insurance groups (IAIGs). ICS Version 2.0 was adopted in December 2024 and is now in the implementation phase; converges with Solvency II Pillar 1 in many areas.
NAIC MAR
NAIC Annual Financial Reporting Model Regulation (#205), commonly called the Model Audit Rule. §404 requires CEO and CFO certifications of internal control over financial reporting (ICFR) for insurance companies and management assessment of ICFR effectiveness. Mirrors Sarbanes-Oxley §404 for the insurance industry.
NAIC Insurance Data Security Model Law
NAIC Model Law (#668) governing insurance company information security programmes, third-party-service-provider risk management, and cybersecurity event notification. Adopted by 25+ US states as of 2026 and counting; aligned to NYDFS 23 NYCRR Part 500 in scope but enforced state by state.
NAIC RBC
Risk-Based Capital. A formula-driven minimum-capital requirement that produces an RBC ratio comparing actual capital to required capital across asset, credit, underwriting, and market risk. Five action levels (No Action, Company Action, Regulatory Action, Authorized Control, Mandatory Control) trigger increasing DOI involvement.
TCOR
Total Cost of Risk. The sum of insurance premiums, retained losses, claim-handling expenses, and risk-management administration that an insurance buyer (or self-insured organisation) carries. For carrier-side RMIS use, TCOR rolls up across underwriting, claims, reinsurance treaty recoveries, and operational risk.
Final word

So which one should you pick?

If you read this page top to bottom and one platform stood out for your carrier, reinsurer, or insurance holding company, that is your answer. The methodology is on this page so you can disagree with the rank and arrive at a different first pick honestly. We did not move our own product down the page to look unbiased; we did not move it up the page to sell the brief. The position reflects our weights, the public evidence, and the segment for which RiskWatch is built.

The one thing every insurance buyer should do, regardless of which vendor wins your bake-off, is to insist on a 30-day working pilot with real DOI examiner artefacts, a renewal-escalator cap in writing, and a documented exit clause that survives a supervisory change-of-control. The buying committees we see lose three-year deals always lose them on those three terms, not on feature coverage.

If you would like the RiskWatch demo with the NAIC Insurance Data Security Model Law overlays, NYDFS Part 500, MAR §404 ICFR, and ORSA libraries pre-loaded, sign up at riskwatch.com/request-a-demo. If you would like a no-strings second-opinion on one of the other nine vendors, email sales@riskwatch.com with the vendor name in the subject line and we will share what we know.
