Well suited for general compliance, multiple initiatives, and integration with TeamMate. SAP GRC Process control may be better suited for an SAP environment. Oracle GRC may be better suited for an Oracle environment. Overall, BWise is a very cost effective, and flexible solution.
If you are truly using IBM API Management for an API gateway, you will be ok. if you start trying to build custom scripts to transform messages complex in nature, it will soon become unmanageable.
Great reporting tool (uses SAP Business Objects). It is quite flexible on types of reports that can be created and supported. Also the reporting consultants are very competent and nice.
Highly customizable solution: almost everything can be tailored to an organization's needs, assessments, audits, issues, recommendations, tasks, etc. However, there's a trade-off between customization and the integration of different areas of the organization.
Increases visibility and efficiency in the organization. BWise offers centralized repositories (catalogs) that can be easily accessed and used by everyone in the organization (e.g. Process catalog, Policies and Procedures catalog, Risks, Controls, Laws catalogs, etc.). Also, the application allows findings on controls tested by Audit to be automatically reflected in controls monitored by SOX for example, without the need for SOX to retest them. So one area can leverage on the work of other areas increasing operational efficiency.
Increases integration and avoids silos. By choosing the correct design (e.g. Risk Workshops instead of Open Assessments), one area can see and benefit from another areas' work. An example was mentioned above; another would be Operational Risk area considering the results of Business Continuity, Vendor Management, Info Security, etc. assessments when carrying out theirs. Additionally, processes can be integrated: when contracting a new vendor for instance, one can include questions about data confidentiality and usage of models in the Vendor risk assessment. Answers to these could then trigger Info Sec / Model Risk assessments.
Increases accountability. Application provides full audit/change log with the type of change, name of executor, and date of change.
Easier follow-up. BWise sends automatic emails with reminders to the people required to take action on an issue, assessment, etc.
Import APIs - We have an existing inventory of APIs and services, so having an easy import process was required. IBM provides the ability to import Swagger so the process was quick and easy.
Service Offerings - Can create plans to control various model offerings for varying clients depending on the need. You are not locked into a tier structure and can customize if a need arises.
API Usage - visibility into the use of an API with a wealth of reporting information allows you to support an API from a production use to trending and forecasting any future growth.
Troubleshooting deployment pipeline - identifying issues with your api based on restrictions through a deployment pipeline is difficult. If a quality assurance environment is less stringent than a production environment, making sure your api is accessible and configured appropriately is tough.
Code level scripting is limited to javascript and xslt. so if any complex fanning needs to occur, you are limited in tooling.
Administration is more cumbersome than it needs to be. There are roles/profiles that are defined, but to use a group email for the approval or use of an api needs to managed better. A more thorough thought process needs to be defined - which I think IBM is tackling as an improvement.
Wasn't personally involved in the vendor selection process. I am aware that one of the main drivers for selecting BWise was cost (I believe BWise total project cost was several times lower than MetricStream's).
There are a lot of similarities between Apigee Edge and IBM API Management. Some of the differences at the time of this posting is... 1) IBM APIM/C integrates better with other products. Dynatrace is used to track API and service specifics with the ability to offload those statistics for operational reporting. 2) If you are evolving from DataPower, IBM API Management is a logical choice to support additional REST APIs. 3) Generating keys is simple. Integration of those keys with a secure data vault is easy as well for your consumer.
Centralizing on an API management platform was imperative. Being able to support SOAP UIs as well as REST APIs was required. Because of the tooling, service inventory and provisioning can be managed - regardless of the pricing and cost structures are used.
Constructing plans that provide tiering options based on rate limits help in onboarding new consumers. The lesser cost in onboarding through an API gateway outweighs the cost of modifying/configuring an API to handle multiple clients.
Defining guidance and onboarding practices while rolling out the product also helps in the adoption, reference architecture, and governance that can save your company money.
