ERM Leadership and Governance

Assessing ERM Practices

Prodyot Samanta, Director of Enterprise Risk Management at New York-based Standard & Poor’s, spoke on February 24th to 130 business professionals at the first of three Spring 2006 ERM Roundtables. Samanta described how S&P is now evaluating the effectiveness of ERM practices as part of S&P’s overall rating assessments for financial institutions, insurance companies, utilities and other large corporations.

Samanta emphasized S&P’s view that institutions should share information with shareholders about key areas of risks. To do so, S&P believes entities should have robust processes for managing risks across an enterprise. Thus, S&P is now evaluating the effectiveness of corporate ERM practices as part of S&P’s overall rating assessments.

One of the goals of this assessment process is to evaluate the extent to which corporations approach risk management from an integrated, firm-wide perspective. S&P is particularly interested in management’s processes for understanding, managing, and communicating information about risks arising throughout an enterprise. S&P is ultimately trying to assess management’s ability to interpret and make qualitative judgments in response to various risk metrics. Management needs to demonstrate an ability to incorporate risk information as part of its strategic decision making.

Samanta provided an overview of S&P’s ERM assessment framework, which consists of three primary components:

1. Policies & Governance
2. Methodology
3. Infrastructure

Policies and Governance

S&P’s ERM evaluation framework begins with a focus on an entity’s policies and governance procedures related to ERM. A foundational element for policies and governance includes the enterprise’s risk governance and culture. To assess these aspects, S&P seeks information about the stature of the risk management function within the entity, including the reporting lines of the chief risk officer and the impact of that organizational structure on the independence of the risk function.

In addition to assessing risk governance and culture, the S&P approach also incorporates information about how entities establish risk tolerances and how those tolerances are applied in decision making (e.g., are risks associated with new product developments evaluated relative to overall entity risk tolerances). Consistent with the view that a strong and independent risk management function is one that provides checks and balances, the evaluation of policies and governance also includes the assessment of management’s responses to risks through controls and oversight across an organization.

Finally, S&P evaluates the degree of risk communication and disclosure within the firm as part of assessing the policies and governance component of an enterprise’s ERM processes.

Methodology

Three key aspects comprise the methodology dimension of S&P’s ERM framework.

First, S&P assesses the risk management tools and related technologies enterprises use to track key risk indicators. Samanta emphasized that S&P focuses on the quality and level of systems used and the integration of those systems used to track and manage risks.

Second, S&P evaluates specific measures, such as Value at Risk (VAR), to examine how entities are using quantitative measures to manage risks, including management’s ability to qualitatively interpret information provided by those measures (e.g., they assess whether management can meaningfully draw conclusions from complex quantitative calculations).

Finally, Samanta emphasized the third aspect – the importance of vetting various risk measurement models, including stress testing and “what if” scenario analyses, to assess their reliability and accuracy in measuring risk ranges.

Infrastructure

The final component of the S&P ERM framework is infrastructure. This aspect of the framework emphasizes the importance of an entity’s risk architecture, data quality, and back office operations. System failures or other business disruptions can directly impact an entity’s ability to effectively assess and proactively respond to enterprise risks. Thus, the underlying risk infrastructure and back office operations are key to an enterprise’s overall risk management process.

Impact of S&P ERM Evaluations

Samanta described how S&P evaluations of corporate ERM practices affect the overall rating assessments issued by S&P. He noted that, while evaluating corporate ERM practices, S&P is not issuing separate ERM rating assessments. Rather, S&P’s assessment of an entity’s ERM practices is communicated to the S&P assessments group as one of many inputs to the overall rating assessment. If an institution falls short in its ERM practices, its overall rating assessment can be lowered. In contrast, when ERM practices exceed expectations, rating assessments may be raised.

Samanta’s presentation illustrates growing market expectations for effective enterprise risk management. While S&P currently conducts these assessments for financial institutions, insurance companies and utilities, Samanta noted that they will be expanded to other industry segments. This is consistent with trends at other rating agencies, such as Moody’s.

Citation: Samanta, Prodyot “Assessing Enterprise Risk Management Practices Of Financial Institutions” Standard & Poor’s. Sep. 22, 2006.