S&P Rolls Out ERM Review

It's official: Standard & Poor's wants to talk to you about your enterprise risk management (ERM) program.

The agency has announced that it will start to incorporate ERM into its discussions with the companies it rates starting in the third quarter of this year, and it will add commentary in its reports in the fourth quarter. It won't be scoring organizations based on ERM, though -- at least, not yet. "We explicitly will not be doing that during 2008, and if we do score companies it will probably not be before the start of the second quarter of 2009," said Steven J. Dreyer, managing director of corporate ratings for S&P, in a teleconference on Friday.

He added that the agency will take action, however, if it discovers that "something big and important" is amiss in companies' risk management programs.

The move has been on the cards for a while. S&P started evaluating insurance companies' enterprise risk management practices in 2005 and has made no secret of its plans to roll out its methodology to non-financial firms.

The insurers didn't do spectacularly well in the ratings process; eighty percent fell into the "adequate" category, according to David Ingram, director of ERM with S&P (See "Rating Risk Holistically" in our January issue.

And there's no reason to think that the typical non-financial organization will do better. A Towers Perrin survey conducted earlier this year revealed that only about 60 percent of companies currently have a top-down, enterprisewide risk management program in place and that if S&P were to score them on ERM today, 28 percent would be scored as "weak."

S&P is not the only rating agency pushing ERM. Moody's has been developing a holistic risk management rating methodology through its Enhanced Analysis Initiative. A.M. Best has stated that ERM will be included as an integral part of its rating process (though not as a separate rating factor).

"The reason why the rating agencies have got interested is because they're evaluating the quality of management," says Prakash Shimpi, managing principal with global responsibility for ERM at Towers Perrin in New York City. "Higher quality management knows itself better and knows what it can do and can't do, and can articulate it."

Indeed, S&P sees its ERM investigations as a way to deepen its reporting in this area, according to Dreyer. "If you're a student of our reports you will have observed, as I have, that we don't often say a lot about management because it's a subjective, qualitative issue that's difficult to put into words," he noted. "Our objective for this year for this process is to bring out in our reports more of that flavor of our opinion of management and how they are doing and how we expect them to perform going forward. The ERM process we think will help us get there."

S&P is agnostic about the actual form ERM should take. It will recognize generally accepted standards such as those promulgated by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), but will also judge the effectiveness of whatever risk management practices are in use at a given company.

The ERM discussions will focus on two areas: risk management culture and strategic risk management. In the first area, topics will include:

• Risk management frameworks or structures currently in use;
• The roles of staff responsible for risk management and reporting lines;
• Internal and external risk management communications;
• Broad risk management policies and metrics; and
• The influence of risk management on budgeting and management compensation.

In the strategic area, topics will include:

• Management's view of the most consequential risks the firm faces, their likelihood, and potential effect on credit;
• The frequency and nature of updating the identification of the top risks;
• The influence of risk sensitivity on liability management and financing decisions; and
• The role of risk management in strategic decision-making.

Quite a laundry list. But it's worth remembering that a solid ERM program can deliver benefits that go far beyond keeping on the good side of the agencies. "Risk management is something that companies do just in the normal course of doing business," Shimpi points out. "What ERM is really suggesting is that there's a more systematic way of doing it. And if you live that, then it can help you identify places where you can be more profitable, given the risk you take."

Towers Perrin offers the following six-stage process for creating an effective ERM environment:

1. Establish a blueprint of the current state of ERM capability.

2. Contrast the current state to recognized ERM best practices and produce an ERM report card, or gap analysis, highlighting areas that need improvement.

3. Define the organization's optimal or target-state ERM environment through interaction and iteration, based on the information gathered in Stages 1 and 2 and its strategy and risk profile.

4. Prepare a formal action plan or ERM road map for implementation. This should include determining quick wins as well as medium- and long-term ERM objectives.

5. Systematically implement the organization's vision for an optimal ERM environment, utilizing timelines, milestones, and assigned responsibility.

6. Establish a formal program-monitoring process that consists of continuous evaluation and reporting using formal metrics and follow-up initiatives.