Enterprise Risk Management

A bloodless coup?

The rating organizations have co-opted the ERM movement

By Michael J. Moody, MBA, ARM


Over the past three or four years, Rough Notes has tried to document the growth of the enterprise risk management (ERM) movement. And while the growth over that time period is inescapable, there have been several periods when the concept of ERM began to falter and interest waned. However, much of this lack of traction could be attributed to the lack of a common knowledge base or even a common language for this new management discipline. Additionally, to date, the concept has primarily been confined to the financial service sector and its benefits have been primarily anecdotal.

One of the first attempts to formalize the ERM process was provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), when it published its draft of the Framework for Enterprise Risk Management. The Framework provided guidance with regard to the general aspects of ERM as well as some details of particular aspects of the process. In general, it was viewed as a good first step of documenting the ERM process. However, critics were quick to point out that the Framework was mostly an extension of an existing audit procedure known as Internal Control – Integrated Framework and, as a result, many felt it was too closely tied to the audit function and did not represent the true purpose of ERM.

Several other competing “framework” type documents were advanced shortly after the COSO document was rejected by the public. However, to date, most have found little general acceptance.

Early success

One of the early “shining stars” with regard to acceptance of ERM was the banking community. Study after study confirmed the broad acceptance of the ERM concept by the banking community. One reason given for the quick adoption of ERM by the banking industry was the fact that the bank’s “products” are money, making it easier to maintain a holistic view of risk management. Another reason was a major push of the ERM concept by the Federal Reserve. Regardless of the reason, ERM quickly spread within the banking community.

The early successes within the banking community were soon moving into other financial service industry segments as well. Insurance companies were quite taken with the ERM concept. One reason why the insurance industry was receptive to the ERM movement was the involvement of the actuaries. A major shortcoming to much of the ERM work prior to the actuaries’ involvement was the reliance on subjective quantification of data. This has typically been an issue that surrounded the ERM concept. The actuaries within the insurance sector brought a much-needed qualitative view into the ERM process. This soon helped to provide a more formal risk assessment approach to the ERM process.

Concerns abound

More recently, the nation’s rating agencies have shown a significant interest in ERM. But now several new concerns have been voiced regarding the aggressive movement by the rating agencies into ERM. The first concern revolves around the fact that the two major rating agencies, S&P and Moody’s, have taken different approaches to their analysis of an organization’s ERM program. S&P’s current rating matrix includes eight separate segments, ERM analysis being one of the eight. As a result, the determination of the effectiveness of the ERM program can have a significant impact and either upgrade or downgrade an insurer’s rating. S&P’s ERM evaluation is generally centered on four components:

• Analysis of risk management culture and governance
• Risk control
• Emerging risk preparation
• Strategic risk management

These four components are considered to be the key factors for S&P analysis.

Moody’s also has four “pillars” to its risk management assessment. However, its pillars are risk governance, risk management, risk analysis and quantification, and risk infrastructure and intelligence. Other rating agencies, such as Fitch and Best’s, have also developed their own approach to ERM analysis.

While there is some commonality among their approaches, each of the agencies has developed its own individual criteria and methodology. At this point, it is difficult to develop a consistent approach to ERM that would comply with more than one agency’s formula. This may well lead to reluctance among organizations to move forward in a timely manner.

Bigger picture

Up until recently, the rating agencies’ primary focus has been limited to the financial services sector, but all of that changed in November 2007 when S&P indicated that it was going to investigate the probability of providing ERM analysis for non-financial organizations. S&P had, in fact, already begun moving in this direction with some limited ERM reviews of energy-related organizations.

A November press announcement from S&P noted that it would be issuing a draft proposal of its approach to ERM for non-financial entities. S&P did issue the draft and provided interested parties with a comment period that was open until January 30, 2008. This comment period deadline was moved up several times and now is indicated as March 30, 2008. However, this date has been missed as well, and there has been no revised deadline offered. There seems to be little doubt that S&P will move forward with its plans, since it has frequently noted that it is proposing the introduction of the “ERM analysis into the corporate ratings process globally as a forward-looking, structured framework to evaluate management as a principal component in determining the overall business profile.”

For its part, Moody’s has been working towards a similar goal. It is developing a process that considers ERM as a component of its rating approach via its “Enhanced Analysis Initiative.” This will be used in conjunction with the formal “Risk Management Assessments.” Specific information regarding the approach has not been flowing as quickly as that of S&P; however, Moody’s is also committed to expanding its ERM analysis into public corporations.

Conclusion

At this point there are a number of unknowns in this matter. One of the most significant issues is whether S&P, Moody’s, et al. will move to make ERM an explicit component of their rating methodology for non-financial service sector organizations. While it appears that this will occur at some point in the future, the timing is still a question mark. However, the actual direction of this movement is a cause for concern. At this point, as noted above, there is little commonality among the various approaches being advanced by each agency, causing concern about how a corporation selects one over the other competing approaches.

Without question, the rating agencies have called attention to ERM. On numerous occasions, for example, S&P has indicated that it believes that “any company with a superior ERM program should have less volatility in its earnings.” Additionally, over time, S&P thinks the company should also be able to optimize the risk/return relationship.

The agencies have noted that they realize that there are consequences to the explicit inclusion of ERM within their overall corporate ratings. But the real question is: which of these competing ERM approaches should management be following? Will organizations adopt an ERM program because it is based on rating agency criteria, or because it is good management? And if it is adopted by the organization, does the rating agency now assume a regulatory role, which is in no one’s best interest?

Bottom line, will a rating agency’s ERM model become the “Best Practice” approach? Just as the original COSO Framework was rejected after an objective analysis by risk management professionals, will we have the same opportunity after S&P formalizes its ERM approach?

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF), an independent consulting firm established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.