The next four years will be lucrative for vendors that sell risk management technology to banks, if IDC's latest projections prove to be true. The analyst firm expects banks' risk tech spending to increase at a steady compound annual growth rate of 6.9% until 2017 (worldwide, with the U.S. rates in line but just slightly below that). Areas of high growth for North American banks include compliance systems and resources, counter-fraud, credit, and cyber protection/information security.

This spending growth rate is impressive, given that banks have already made heavy investments in risk technology over the past five years. "You would think growth rates would start to taper off a little bit," says Michael Versace, global research director at IDC Financial Insights. "There's only so much technology you can implement. These ongoing growth rates show how much bankers feel they still need to invest in modernization."

They're largely driven by regulatory uncertainty, he says. "There's still a strong undercurrent around reducing counterparty risk, the counterparty being the bank. Firms that continue to invest in risk management will present the lowest counterparty risk in the market and will ultimately be presented with better business opportunities."

Perception and reality of counterparty risk are widely divergent, as a review of JP Morgan Chase's past decade can attest. The bank was once considered a leader in prudent investment and lending risk; recent events have shown it to be one of the less effective risk management organizations. The bank itself has not changed -- after all, it was the primary bank for Madoff Investment Securities from 1986 to 2008. But the encomiums the bank received during and right after the financial crisis, when it was perceived to have been less engaged in risky subprime mortgage activity and collateralized debt obligations than many of its peers, have withered to scorn as mortgage- and London Whale-related activities have come to light.

Many large banks have a lot of work to do to get their risk management technology, internal controls and data management up to speed.

"We've taken great strides and moved quickly up the maturity curve relative to asset-liability management on the back of fears about the Volcker rule and provisions of Dodd Frank that require banks to reserve more capital," Versace says. "We've made great strides in putting systems in place that allow us to make strategic credit and capital decisions on a more frequent, accurate basis."

However, data management challenges are still a major problem for many large financial and insurance companies. There are silos of data that don't talk to one another, and red flags that aren't shared among business units.

The firms that do manage to integrate their risk, finance and compliance data will be able to manage capital and credit risk much more effectively, Versace says.

One bank that has built a well-integrated, risk-aware performance management platform for corporate banking is Standard Chartered, Versace says. "It's very well designed, it's focused on data integration with a product and risk function. They worked with a whole set of technology players. They're now able to, on a deal by deal basis in their trade finance business, evaluate not only the risk of specific large trade finance transactions, but also know what those transactions look like in terms of profitability and pricing. It's an excellent case of not just modernizing a process, but building a fundamental risk information environment to support the business."

Northern Trust has put aside "a significant sum of money" for risk management technology. "Chase has done a lot also, particularly in their trading business they're putting together very effective operational data stores to support post-trade settlement risk," Versace says. "You find pockets of this around the U.S. in some of the larger institutions." A cynic might point out that these are the companies that should be making such investments.

Vendor risk is an area regulators are examining more closely.

Versace believes that regulatory crackdowns on technology and third party risk management will accelerate as a series of failures produce fines and IT departments struggle with aging platforms, skill shortages and large-scale consolidation.

These failures will be fundamental internal control breakdowns and tech failures, he says. "You see them all around. Some are directly related to banking, others are adjacent to the banking infrastructure," he says, such as the Target data breach.

"The vendor ecosystem needs to be paid attention to and it's not going to get any easier," Versace says. There's no easy answer. Banks that consolidate the number of key vendor relationships they have consolidate their risk; those that expand the number of vendors they deal with also increase their risk profile. "The only thing you can do is pay attention to that as an increasingly important part of your business," he says. Banks need to closely watch changes in executive management, supply chain and financial condition in their vendors, he says.

U.S. banks will invest in predictive fraud analytics in 2014, Versace says. (Danny Peltz, executive vice president at Wells Fargo, discussed this with us recently.) This is good news for FICO, Fiserv, SAS, Nice Actimize, IBM and Oracle, to mention a few. Information security will be another area of investment for banks..