After years of sluggish progress, enterprise risk management (ERM) is finally making some headway in American companies. And nothing has given it more impetus than the increased interest of the big credit rating agencies, with Standard & Poor's leading the charge.
It's not hard to see why the agencies would want a holistic view of a company's risk. "A company that adopts ERM does so because it wants to have a comprehensive look at all its risks. Well, when we do a rating, we're doing it on the comprehensive enterprise," says David Ingram, director, enterprise risk management, at S&P. "So we saw a really good alignment between the objectives of the companies' ERM programs and the objectives we're looking for in a ratings evaluation."
Ingram heads up S&P's initiative to enhance the risk management component of its ratings framework, a project it launched about three years ago with a close look at trading risk management in financial institutions. In 2005, the rating agency rolled out what Ingram calls a "full ERM evaluation process" for insurers. Then it saw an opportunity to transfer the trading risk evaluation process to the utilities sector without a lot of additional development work. This work is ongoing, and Ingram expects to expand it into a full ERM view next year.
The ERM evaluation process "is a fundamental one that's integrated into our rating process," says Ingram. "It took us the better part of 9 or 10 months before it took hold and started to be really influential in our ratings decisions."
Initially, the analysts reported on ERM to the rating committees but didn't give it much weight. But before long, "it started to crop up regularly in our press releases on our rating committees, either as a driver of a ratings affirmation or a driver of a change in outlook on a rating or even a change of rating itself." ERM was a factor in only about a dozen rating changes or outlook changes, and the changes were both positive and negative, he reports.
The results of the evaluation program turned up some surprises. Of the 240 insurers that S&P evaluated around the globe, about 80 percent fell into the "adequate" category. "This is a business where risk taking is the business," Ingram points out, "yet less than 15 percent of the entire sector worldwide had developed the full range of practices that we think make for an enterprise risk management program."
So where will S&P apply its new risk assessment methodologies next? The organization is currently considering expanding the trading risk evaluation into other sectors. "By the end of last year, we had looked at this enough that we were able to form our plan," says Ingram. "What we're looking for is a combination of two things in a sector that say it's time to do this now." The first is that the sector has risks that S&P calls "rating-sensitive event risks, meaning that companies might have a loss, if they don't manage the risk, that would move a rating." The second is that "we find enough evidence of ERM practice in the sector to make it a distinguishing factor. If nobody's doing it, it doesn't make any sense to ask everybody about it."
Agribusiness, oil and gas, and other sectors that have a significant amount of practice in the hedging area or foreign exchange risk are likely candidates. "The pharmaceutical sector is also pretty high-risk," Ingram adds, "because the sector over time has transitioned to relying pretty heavily on a relatively small number of drugs." These companies may also face liability issues, he notes. "We see that as a lot of potential for a rating-significant event."
Ingram is quick to point out that companies shouldn't see the full ERM assessment process as hugely daunting. In the case of the insurers, for example, "we would either tack on an hour or squeeze in an hour's worth of discussion into our annual meeting with the company. And so between that and material that might be traded before or after the meeting, that's how we do our ERM assessment. As far as the degree to which we're prying into companies and disrupting them goes, we think that this is not unreasonable."
For larger, more complex organizations -- some of the top 40 to 50 global insurers, for example -- the process might involve analysts spending a full day asking questions about ERM. "We're spending a lot more time on them, and we think that we have to because whatever they do to manage risk, it's going to have to be complicated, and it's going to take a long time to hear the story." For these companies, S&P doesn't expect to cover every relevant ERM topic every year, but will rotate its enquiries over a two- or three-year period.
S&P has made its ERM evaluation criteria available online to help companies understand what the agency is looking for: www.erm.stan-dardandpoors.com [1].
Links:
[1] http://www.erm.stan-dardandpoors.com