S&P Evaluations of ERM as Part of Credit Rating Process
Standard & Poor’s announced in 2008 plans to include evaluations of how non-financial companies manage enterprise-wide risks as part of S&P’s credit rating process. Steve Dreyer, Managing Director of Utilities and Infrastructure Ratings at Standard & Poor’s, provided an overview at the February 2009 ERM Roundtable in Charlotte about S&P’ process for considering ERM practices as a part of their credit rating evaluations.
Motivation for Considering ERM
S&P’s decision to consider how companies manage enterprise-wide risks is directly linked to the credit rating agency’s desire to more accurately assess the predictability of a non-financial company’s likelihood of repaying its financial obligations. In S&P’s view, the economic events of the past year underscore the need for better risk oversight for entities of all types. S&P is interested in obtaining an understanding of how management is monitoring risks that affect their enterprise. The rating agency believes that learning about management’s approach to overseeing enterprise wide risks provides better insights about management’s effectiveness. Knowledge about an entity’s risk oversight activities will enhance S&P’s analytical process and focus, will help better differentiate more effective management, will provide better insights about management, which in turn will create more forward-looking ratings. While ERM is relevant to many stakeholders, S&P’s primary interest is solely on evaluating how an entity’s ERM process helps a company repay its financial obligations. Other benefits of ERM are not the focus of S&P.
Primary Focus
As the ERM evaluations are being added to S&P’s credit rating process, there are two stages of implementation. In the first year (2008 – early 2009), S&P has been primarily gathering information from entities about how ERM is being done. That is, analysts are primarily listening to management’s description of how they go about risk oversight and the analysts are then compiling that information to get a sense for the state of ERM in non-financial companies today. In year two (mid-2009 and onward), S&P is working towards publishing the criteria that it will use going forward to actually rate the effectiveness of an entity’s ERM processes.
Characteristics of Risk Oversight
The primary focus of S&P is to obtain a sense for the substance of management’s approach to overseeing enterprise-wide risks. They are looking for some indicators of whether management
- Has an approach to attend to key risks (e.g., is it an intentional versus “drifting” activity)
- Makes conscious decisions about which risks to take (e.g., are decisions made in context with a known risk appetite)
- Knows the entity’s risk tolerance (e.g., how does the company communicate what it does and does not want to do)
- Knows what can go wrong with its operations and strategy and has a “Plan B” (e.g., is there an ability to respond to possible events)
- Avoids outsized risks (e.g., avoids “really big risks”)
- Is resilient (e.g., has some capacity to bear risks)
S&P acknowledges that there is no one-size-fits-all approach to ERM. Dreyer emphasized that S&P believes there are many different ways to demonstrate risk oversight effectiveness.
Dreyer also emphasized that S&P is not looking for an entity to have a system to eliminate all risks. It also is trying to focus on the substance versus form of risk oversight. Thus, a system that resembles the cramming of disparate risk management activities together or a system whose focus is merely compliance or disclosure oriented, is not viewed as substantively effective. Similarly, the decision to merely purchase new software or to name a Chief Risk Officer doesn’t necessarily signal that there is any substance to an entity’s ERM processes.
Emphasis on Culture and Strategy
As S&P conducts these reviews, its analysts will primarily focus on two primary elements of risk oversight: culture and strategic risk management. The focus on culture will primarily involve assessments of how management’s risk oversight processes encourage communications about risks and how management has assigned and communicated roles, policies, metrics, and frameworks throughout the organization. They are interested in understanding the “influence” of risk oversight in day-to-day decision-making.
The focus on strategy will primarily assess how risk-thinking is embedded in strategy. More specifically, S&P will try to determine and evaluate how risk oversight processes impact key strategic decisions. Analysts will attempt to gather an understanding of the strategic planning process to determine how risk considerations are integrated and whether the strategic planning process leads to the consideration of a “Plan B” for its strategic plan.
Linkage of Risk and Return
A core business tenet emphasizes the linkage between risks and return: higher returns are generally correlated with greater risks. As part of S&P’s evaluations, they are keenly interested in understanding where management wants to be along the curve depicting the intersection of risk and return. They are interested in gaining an understanding of how management tracks where they are along the risk/return curve and whether their return goals are placing the entity beyond its risk tolerances. The analysts are trying to obtain a sense for management’s goals for returns and their knowledge and understanding of risks required to generate those returns.
Areas of Interest
As S&P gathers information in this initial year of ERM evaluations, they are entering into discussions and dialogue with management about these issues:
- How are key risks identified, updated, and dealt with?
- How is risk tolerance defined and communicated?
- Who “owns” risk in the organization and how is success measured”
- What is the board’s involvement in risk management?
- How would your company respond to…(a hypothetical scenario)?
As they engage in these discussions, S&P is looking for evidence of management’s risk oversight effectiveness.
For more detailed information, visit S&P’s website