|
Enterprise Risk Management
Resistance is futile
Converging factors appear to make ERM adoption inevitable
By Michael J. Moody, MBA, ARM
Enterprise risk management (ERM) has been a hot topic of late. The ERM concept, which stresses the analysis of an organization’s risk management program from a holistic standpoint, has been around for at least 10 years. Originally, it attracted the attention of the financial service sector, particularly banking institutions. However, recently it has found a broader audience that includes insurance/reinsurance companies and energy companies. Unfortunately, for many organizations, ERM remained just a passing fad.
But today, the passing fad phase has been replaced by a “must have” phase as corporate boards are now seeing the value of adopting an ERM course of action. One of the primary drivers of this increased interest in ERM has been the rating agencies. Over the past 12 months, the majority of rating agencies including Standard and Poor’s (S&P) and Moody’s, have developed specific ERM criteria that are included in their overall rating matrix for their financial service sector clients, as well as energy-related companies.
Then late last year, S&P made known their interest in incorporating ERM elements into the rating of non-financial entities. In this regard, they presented their ideas in a “request for comment” document that previewed their approach to ERM analysis for non-financial service organizations.
The results are in
Recently, S&P finally made its thoughts known regarding ERM for non-financial service sectors. And, while most experts believed that S&P would move into this area, the report did contain several surprises. The primary point was not too surprising, however, since S&P announced it would begin to look at the ERM program of all companies for which it provides credit ratings. S&P did indicate that it did receive significant interest from the “response for comments.”
It indicated that it had received more than 60 written responses and more than 30 informal, telephone or in-person conversations, responses coming from rated as well as unrated companies. S&P said the responses came from a broad spectrum of industries as well as different global regions. The rating agency also stated that, overall, the comments affirmed the value of ERM and its relevance to the credit-rating process. Further, S&P noted that it has taken under advisement numerous recommendations and, in some cases, has modified its approach based on the suggestions it obtained.
From a timing standpoint, S&P reports that it will begin incorporating ERM into its discussions starting in the third quarter of 2008, and it will begin adding commentary in the reports during the fourth quarter of 2008. However, it also points out that it does not intend to score company ERM programs until around the second quarter of 2009. The exception to this is in the case where S&P discovers that something big and important is amiss in the risk management program; then immediate action will be taken.
One of the surprises in S&P’s approach for non-financial organizations is with the actual form the ERM program should take. This has been a struggle for many corporations for the past few years, but S&P’s approach may help solidify a universal approach, since it indicated that it would recognize generally accepted standards for ERM. More specifically, S&P notes that the standards promulgated by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) will be considered as one of the generally accepted standards. This, of course, is good news for earlier adopters of the COSO approach. It would appear that massive realignment of the COSO—ERM Framework appears unnecessary under the S&P format.
S&P notes that their initial reviews will center on two specific areas:
1) Risk Management Culture, including the following items:
• Risk management frameworks or structures
• Role of risk management staff as well as reporting lines
• Internal and external communications
• Risk management policies and procedures
• Influence of risk management on budgeting and management compensation
2) Risk Management Strategy, including the following:
• Management view of their major risks, their likelihood of occurring, and potential effect on credit
• Frequency and nature of updating the identification of the top risks
• Influence of risk sensitivity on liability management and financing decisions
• The role of risk management in strategic decision making
S&P realizes it has much to learn with regard to ERM in a non-financial setting. As a result, the movement into this area will be measured and deliberate. However it is not backing away from its commitment to the ERM concept.
Additional pressure
Of course, S&P’s increasing attention to ERM is not occurring in a vacuum. With regard to ERM for financial service organizations, particularly insurance companies, both Moody’s and A.M. Best have followed suit. Moody’s for example, has been busy developing a holistic risk manage-ment rating approach that is based on its Enhanced Analysis Initiative.
It has also noted an interest in expanding the analysis beyond financial service sector companies. A. M. Best also initiated an ERM initiative that will be included as an integrated part of the rating process. However, unlike S&P, which has made ERM one of its specific criteria, Best’s has indicated that ERM will not be a separate rating factor.
Over the past four or five years, the Federal Reserve, primarily through speeches and articles from Federal Reserve Board Governor Susan Schmidt Bies, has also been a strong proponent of ERM. And while Bies has since left the Fed, the interest in ERM remains high. This was confirmed during a recent speech by Fed Chairman Ben Bernanke discussing how the credit crisis has exposed weaknesses at many financial insti-tutions. He pointed out that, “For risks to be successfully managed, they need to first be identified and measured.”
Bernanke went on to point out, “Recent events have revealed significant deficiencies in this area.” He stated that these failures were due in large part to a lack of an effective enterprise risk management program. He concluded by stating that if banks don’t beef up their risk management programs, the Fed may be forced to step in. In that regard, he indicated that the Fed is considering issuing a revised supervising guidance on risk management for banks. He said most of the new emphasis would focus on firm-wide risk management.
With this kind of attention, it’s no wonder that ERM is becoming a major concern for corporate boards and audit committees. KPMG, for example, found in its latest Annual Audit Committee Member Survey that audit committee members are quite confident of their oversight of financial reporting matters. It was a different story, however, with regard to risk management oversight.
In fact, the survey found that oversight of risk management is agenda priority number one for most audit committees. This should come as no surprise since the survey also found that only 28% of the participants were satisfied with the effectiveness of their firm’s risk identification efforts. Fewer still (14%) were satisfied with the risk reports they were provided by management.
Conclusion
With each passing day, some new interest group or association joins the choir of converts to ERM. And while it is still not widely embraced, ERM is making giant strides. Early adopters have shown that there are major, competitive advantages from accepting an enterprise view to risk management. And while S&P has noted that it will be taking a measured approach to including ERM as a part of the rating methodology for non-financial sector rated companies, there is little doubt that ERM will ultimately become one of its key rating criteria.
At this point, even corporations that have not initiated a serious effort toward ERM implementation must be able to hear the drum beat. And it is not just the rating agencies that are pushing ERM. Any number of other stakeholders are demanding more rigorous risk management programs. * |