ERM Analysis for Credit Ratings of Nonfinancial Companies: Stepping Up to New Criteria

On November 15, 2007, the rating giant Standard & Poor’s (S&P) formally unveiled a proposal to introduce in-depth ERM criteria into their ratings of nonfinancial companies, making many of them draw a sharp breath. Well, ERM has been around for many years, so what’s special about the S&P’s announcement? Yes, it’s true that ERM isn’t anything new in the corporate world; nonetheless, the S&P’s announcement came as a wake-up call for many enterprises, as it clearly implies that an enterprise with no ERM framework or with discrepancies in its risk management capabilities could find its credit ratings placed lower. As put by a senior risk manager of a large enterprise, "This will put a spotlight on firms that don't have an ERM framework in place; and likely to spur them on to change that." Patterned on the approach already used for sectors like finance, insurance and energy since 2004, S&P's announcement proposes to employ 100 or so different factors to evaluate the quality of ERM operations in nonfinancial institutions and then include that assessment in their final score. Under the expanded framework, they will analyze a company’s policies, infrastructure and methodologies (PIM) - focusing on a firm’s overall risk-control practices and benchmarking the quality of risk management.

What are the main factors that S&P will analyze when evaluating ERM? 
According to S&P, “The ultimate importance of ERM on a firm's rating will depend on the risks of the firm, the susceptibility of the firm to those risks and the capacity of the firm to absorb losses.” Recognizing that there is no single recipe for the best ERM platform and each company needs to pursue its own tailor-made approach to managing risk, S&P’s will evaluate companies within a general ERM framework having four major analytical components:


Risk Management Culture & Governance: To assess these aspects, S&P probes into the stature of risk and risk management function within the enterprise. This includes evaluating the organizational structure and the roles, capabilities and accountabilities of the Chief Risk Officer. The assessment incorporates data about how the organization has established risk tolerances and how these tolerances are applied to the overall strategic decision-making process. A favorable indicator of risk-management governance is a structure that strongly influences corporate judgment by risk-management staff. Perhaps even more important is the degree line-level managers adhere to risk tolerances in daily decision making. For instance, whether risks associated with new product developments are evaluated as against overall enterprise risk tolerances. Furthermore, internal and external communication of risk and risk management is considered a strong indicator or risk management culture.

Risk Controls: S&P believes that the firms achieve risk control through identifying, measuring, and monitoring risks, setting and enforcing risk limits and manage risks to meet these limits through risk avoidance, risk transfer, risk offset or other risk management process. They expect firms to have structured programs to effectively deliver the risk controls necessary to maintain exposures and losses and consistently execute those programs for future implementation. They will evaluate risk-control processes for each firm, considering those risks that they have identified for the overall sector, as well as those identified by the management. Consistency between the overall corporate risk tolerances and the specific risk limits will be an important consideration.

Emerging Risk Preparation: Emerging risks are those that are completely new, or extremely rare and adverse events and therefore cannot be managed via a control process. Analysts concentrate on those practices, within an enterprise, that provide meaningful benefit to addressing such risks. These practices generally include environmental scanning, trend analysis, stress testing, contingency planning, problem post-mortem and risk transfer. Depending upon the nature of the business, the analyst will look for evidence that the company is planning for adverse events and for the outcome of such planning, before and after the occurrence of such events.

Strategic Risk Management: This component involves incorporation of risks and risk management process into strategic decision-making process. The analyst will focus on getting a clearer picture of company’s risk profile and obtaining a statement of the recent shifts in risk profile as well as anticipated future changes. S&P analyzes the risk profile of an enterprise in the light of earning loss, enterprise value, or other financial metrics for various risks. For example, analyst might inquire as to whether the company uses risk and reward analysis when allocating resources (e.g., capital, talent); or how does management reflect risk and reward for risk in strategic decision making, pricing and performance measurement. Strategic processes affected by risk and risk management capabilities include capital budgeting, business planning, performance measurement, product management, acquisitions and divestitures, performance measurement, dividend practices and incentive compensation.

Undoubtedly, S&P’s inclusion of ERM in credit rating has drawn attention of management and stakeholders to the virtues of a holistic risk management in an enterprise. Could this provide the much needed impetus to ERM and bring its long-anticipated benefits to the forefront? Well, if S&P focuses on ERM, no company can afford to ignore it. For the last few years, S&P has been developing an ERM component of their rating system, initially in the finance sector, then insurance and energy; and the efforts have been a great success in underpinning the benefits of ERM. As put by one of the S&P members, “Interest in ERM has increased now that rating implications are involved. What’s more, "we are continually hearing from enterprises that they have just hired a new chief risk officer, or added staff or even adopted new ERM policies and procedures.”  He points out, “Every time we meet with companies, they advise us how much their board of directors is involved in the ERM process. Without question, it’s on everybody’s mind now.” Most enterprises are now introspecting its ERM capabilities and assessing its ERM framework using the S&P’s four components.

With the incorporation of ERM in credit ratings, the query on everyone’s mind is "How do we establish an ERM that satisfies S&P’s criteria?” The answer lies in prioritizing effective ERM as a value-added business initiative and implementing a robust ERM framework supported by advanced systems and tools that enable adopting ERM best practices. An integrated ERM system enables organizations to identify, assess, quantify, monitor and manage their enterprise risk in an integrated manner. Leveraging automated tools like threshold-based alerts, data feeds, risk libraries, risk analytics, key risk indicators (KRIs), risk heat maps, trend charts and compliance dashboards, an integrated ERM system provides a reliable risk management infrastructure critical for avoiding surprises and keeping pace with dynamic risk profiles. At MetricStream, we have uniquely combined software and content to deliver a system with embedded best practices content that helps define the scope of processes and sub-processes for which risk management needs to be performed and guides development of control and test libraries. It also provides intelligent content driven features such as access to training content from an expert community from within the solutions and integration of business processes with regulatory notifications and industry alerts. By implementing such systems organizations can reduce unexpected disruptive business events in their environment, increase operating margins, reduce earnings volatility, enhance process efficiency, improve regulatory compliance and build investor confidence.

Conclusion:
S&P has been at the forefront in encouraging companies to develop integrated ERM frameworks and incorporate them into their day-to-day operations - an effort to provide more in-depth analysis and incisive commentary on the many critical dimensions of risk that determine overall creditworthiness of a firm. The ERM framework as expected by S&P, if implemented efficiently, should result in a more focused and efficient risk management process across the entire value chain. Now is the time for management and risk managers to strengthen their risk management framework, and determine if they can realize greater efficiencies and value from their business. The resulting benefits would range from adaptability to market movements and growth opportunities to the ability to challenge underwriting and investment assumptions, leading to smarter capital allocation and more sustainable value creation. As one of the experts at S&P points out, "We think that there are a lot of competitive advantages to be gained from ERM. The companies that are using ERM are the ones that will make the best choices."
 

ERM quality: Key questions to be answered to help score higher rating   The rating agency will assign scores to a company's ERM capabilities in four categories: "weak," "adequate," "strong" and "excellent."   Risk Management Culture And Governance   Risk Controls   Emerging Risks   Strategic Risk Management Does the company have a risk-management program? How does the company identify and control each major risk?   What does the company do to prepare for extreme disaster?   When developing strategic plans does the company use risk/reward analysis when allocating resources (e.g., capital, talent)?   Is there a statement of risk appetite or risk tolerance?   What are the company's risk limits for each major risk? How are they enforced?   What types of disasters are of active concern to the company?   How does management reflect risk and reward for risk in strategic decision making, pricing, and performance measurement? What staff is responsible? How did the company manage losses in a recent loss event scenario?   What are the company's stress testing practices?   How does risk management affect the company's financial decision making?   What are reporting relationships?   What changes were made to risk-management procedures as a result of loss experience?   What are the company's liquidity risk management practices?     What reports go to the CEO, audit committee, and board of directors? What information about each major risk is shared with senior management   What contingency plans has the company developed?       How does the company measure success of its risk-management program?   and/or the board of directors?   What environmental scanning techniques does the company use to anticipate the emergence of extreme disasters?     How is risk management integrated into performance/budgeting process?             How do risk-management metrics affect compensation for managers?