Standard & Poor’s ERM for Corporates: Taking ERM out of the Back Room and into the Boardroom

Standard & Poor’s ERM for Corporates: Taking ERM out of the Classroom and into the Boardroom

In May 2008, Standard & Poor’s Ratings Services announced its intention to include enterprise risk management (ERM) assessments in ratings of nonfinancial companies. In July they issued a carefully worded report on their observations to date, titled Progress Report: Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings.

I make the point that the report is carefully worded because after three or four readings I am coming to appreciate the studied neutrality S&P is bringing to the table. They are not preaching any particular approach or, at least not yet, being judgmental in their observations. What they are doing is assessing how, based on 300 interviews with issuers, actual executives manage risk. The report card is not great.

For serious risk management professionals, investors and solutions providers, the progress report is a must-read.

Here are the basic questions that guide their discussions with issuers.

1. What are the company’s top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?

2. What is management doing about top risks?

3. What size quarterly operating or cash loss has management and the board agreed is tolerable?

4. Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure the success of risk management activities?

5. How would a loss from a key risk affect incentive compensation of top management and planning/budgeting?

6. What discussions about risk management have taken place at the board level or among top management when strategic decisions were made in the past?

7. Give an example of how your company responded to a recent “surprise” in your industry. How did the surprise end up affecting your company differently than others?

One question that comes to mind for me, and I invite comments from readers, is this: Which, if any, of the major risk management frameworks provide the best answers to these questions? Do the COSO ERM or AS/NZS 4360 (or ISO 31000) frameworks, for example, suggest methodology or practices that will assist companies in getting a good score from S&P, or do they reflect only what risk management professionals think executives should be doing?

Standard & Poor’s makes no recommendation for risk frameworks and gives no particular weight if a company professes to have adopted one.

A couple of points are worth noting. S&P is clearly searching for a link between ERM and business performance. And they are looking for executive behaviors consistent with serious ERM implementation. I know of no established risk management framework which so clearly focuses on performance and observable supporting behavior.

Question 4 looks for some explicit value measurement for ERM activity. Question 5 searches for links between losses and impacts on incentive compensation. The word “control” is not mentioned, although question 2 asks what management is doing about top risks.

This is a progress report only. A further progress report is due at year end and plans are for ERM references to be incorporated into corporate credit rating reports in 2010.

That risk management generally has not been incorporated into management is well accepted. Read the recent Report on the Current State of Enterprise Risk Oversight conducted by NC State University as you consider the S&P report.

My guess is that S&P will have a far greater impact in advancing the cause of ERM than any other single report or study. It will drive discussion at the most senior levels. It will drive an appreciation for the value of ERM. Most importantly, it will drive pragmatic standards, practices and tools for ERM practitioners, something the leading frameworks have failed to accomplish.

As always, comments are welcome.


One Response to Standard & Poor’s ERM for Corporates: Taking ERM out of the Back Room and into the Boardroom

  1. BOUDEY says:

    Dear Sir,
    I'm curious to know how S&P intend to value EU insurers' internal models (within the Solvency II Directive implementation) when these models and the attached ORSA and the related governance modes are specific to Europe-based insurers only?
    Thanks for your reply.
    Best regards
