Standard and Poor’s will expand its evaluation of risk management to all rated companies in the third quarter of 2008. Currently, risk management in regulated industries, like financial services and electric power marketers, is evaluated using Standard and Poor’s Policies, Infrastructure, and Methodology (PIM) approach. In these sectors, operational risks are easier to quantify and trading risks can be measured, modeled, and hedged.
Standard and Poor’s will recognize a company’s adoption of generally accepted risk management standards such as COSO or AS/NZS 4360, but does not consider adoption of a standard a prerequisite for effective risk management or sufficient evidence of the effectiveness of ERM. The application of ERM analysis to all rated companies will focus on the organization’s risk management culture and strategic risk management. These criteria are considered universally applicable to rated companies.
Standard and Poor’s expects that ERM will assure that a company is attending to all risks, has defined its risk tolerance, and has a methodology in place to avoid or mitigate risks outside its risk tolerance. Risk management is a fundamental responsibility of a company’s senior management and board of directors. A company’s chosen method for implementing ERM should shift thinking about risk from a cost/benefit model to a risk/reward model that recognizes that identifying risks also makes opportunities more apparent. Standard and Poor’s does not envision ERM as a replacement for internal controls, as a means to eliminate risk, or as identical for all companies in all sectors.
Applying ERM Analysis to Corporate Ratings
Standard and Poor’s credit rating reviews already consider management’s operating and financial performance, responses to strategic threats, and the company’s risk governance bodies and structures. ERM-related discussions during credit reviews will focus on the organization’s risk management culture and strategic risk management. Standard and Poor’s discussions with managers are intended to evaluate management’s consciousness of the risks they have taken and retained, and their comfort with the organization’s net risk position. This will allow a comparison between management’s statements and historical performance. Specific discussion topics will include:
- Risk management frameworks or structures currently in use
- Internal and external risk management communications
- The influence of risk management on budgeting and management compensation
- Management’s view of the most consequential risks the firm faces, their likelihood, and potential effects on credit
- The role of risk management in strategic decision making
Standard and Poor’s recognizes that standards for ERM will vary based on the size and complexity of the organization being reviewed. ERM efforts should be standard and highly developed in large, multinational organizations. Companies that are less diversified or have fewer resources will likely be at an earlier stage of ERM development. In response to public comments about Standard and Poor’s proposal to introduce ERM analysis, the rating agency decided not to expand its review to evaluate risk-control processes or emerging risk management beyond criteria included in the current ratings process.
Standard and Poor’s intent is to apply ERM analysis equitably while recognizing differences between industries and geographic regions. Beginning in the third quarter of 2008, the ratings agency will incorporate ERM analysis into credit reviews and expects to have an initial ERM discussion with all rated companies within one year. Initially, ERM discussions will be used to develop preliminary benchmarks which can be used to compare companies against each other and over time. ERM analysis is not expected to radically alter existing credit rating opinions except in cases where risk management is found to be superior or ineffective.