Credit ratings significantly impact borrowing costs and act as a sign of creditworthiness to investors. S&P announced in May 2008 that ERM would be incorporated into management discussions by the fourth quarter to establish benchmarks for ERM evaluations. ERM effectiveness and maturity will be considered in credit ratings beginning in 2009. The report, authored by Christopher Duncan, discusses the preparations for this transition.
S&P does not advocate a particular ERM framework as a standard. The rating agency is interested in whether a company has an effective and consistent ERM process in place, with particular emphasis on the company’s risk management culture and strategic risk management. Attributes of an effective ERM process identified by S&P include:
- An approach to assure that the firm is attending to all risks
- A set of expectations among management, shareholders and the board about which risks the firm will and will not take
- Methods for avoiding situations that might result in losses outside the company’s tolerance
- A method to shift the strategic focus from cost/benefit to risk/reward
- A language for communicating the firm’s expectations about its risk profile
For a company to evaluate all its risks on the same basis, the company must first determine its tolerance for risk and potential losses. S&P has indicated that a strong risk management culture should involve cross-functional areas and lead to an enterprise-wide understanding of the company’s risk profile and tolerance. While ERM cannot guarantee that the company will not experience losses, the process should increase risk awareness and allow prioritization of risks from different functional areas. A well-tested crisis management plan can help the company respond to risk events, and serves a critical role in enhancing an organization’s resilience.
ERM is not intended to eliminate organizational risk or guarantee against losses. S&P also describes what ERM is not:
- A method to eliminate all risks
- A guarantee that the firm will avoid losses
- Limited to compliance and disclosure requirements
- A replacement for internal controls
- The same for all firms or from year to year
As part of the evaluation process, S&P analysts will interview management and request documentation of ERM programs and plans as evidence of an effective risk management culture. Specifically, S&P will evaluate how risk is defined and determine if this common language is used for company-wide planning and decision-making. The expectation is that risk will be addressed in communications between management, boards of directors and investors. At the board level, there should be metrics for measuring the success of risk management policies. ERM considerations should be incorporated into budgeting, strategic planning and management compensation.
An effective ERM process should help management make better decisions that conform to the company’s risk appetite and make the organization more resilient when faced with unexpected risks. When evaluating a company’s risk management, S&P will consider management’s view of the company’s most important risks based on their likelihood and potential impact. When ERM is fully integrated into an organization, the process of monitoring emerging risks is continuous and risk management influences liability management and financing decisions.
Incorporating an evaluation of ERM into corporate ratings may differentiate companies based on the maturity and effectiveness of their ERM implementation. An excellent ERM rating is likely for a company that has well-developed capabilities to identify, measure and manage exposures to risk with predetermined tolerance levels, considers risk management in corporate decision-making and is unlikely to have unanticipated losses. Companies with adequate or weak ERM ratings are likely to incur unanticipated losses, are less cognizant of risk when making strategic decisions, and manage risks in silos without adequate controls for at least one major risk. Evaluating ERM during the S&P ratings process allows companies the opportunity to distinguish themselves based on the maturity of their risk management process or the insufficiency of their ERM program.