Enterprise Risk Management
ERM: Rating agencies forcing the issue
S&P looking to add ERM analysis for all business sector ratings
By Michael J. Moody, MBA, ARM
For a variety of reasons, enterprise risk management (ERM) has been attracting significant amounts of attention over the past six months. One of the major reasons for this attention is speculation as to how the subprime mortgage mess would have been handled had the various financial institutions fully invested in their ERM programs. At this point, it is clear that many traditional, siloed risk management programs were not able to prevent the effects. Most experts agree that one of the key shortcomings was the lack of a comprehensive, enterprise-wide view of risk management. As a result, there appears to be a renewed interest within the financial sector in ERM.
One group that has taken ERM to heart is the insurance industry. Many insurance companies have been viewed as early adopters of ERM. Thanks in large part to the involvement of actuaries within the individual insurance companies, insurers are considered by many as being at the cutting edge of ERM. An additional reason for the early interest in ERM by the insurance industry has been the support of the concept by the various rating agencies.
Early interest
Early on in the ERM movement, the rating agencies began to see the value of ERM. And for the past several years they have developed a methodology that incorporates a financial service firm’s ERM program into the overall rating. Standard & Poor’s (S&P) was among the leading proponents of using ERM criteria in assigning ratings. S&P formalized its ERM evaluations in 2005 and was quickly followed by the majority of other rating organizations. S&P points out that its ERM analysis has subsequently been responsible for increasing ratings due to exceptional ERM programs as well as decreasing ratings due in part to poor ERM programs. As a result of this intense analysis, ERM has become a key topic of discussion on most financial services boards’ agendas.
S&P has reported that it has been able to find two specific forms of information from ERM analyses performed thus far. The first type of information is “the degree to which a firm has a comprehensive mastery of the risks that they face.” The second type of information S&P is able to gain is “the extent that the firm’s management optimizes revenue for the risks they are willing and able to take.” At this point, S&P has been utilizing the ERM analysis on the majority of financial institutions including insurance companies and notes that “while ERM does not radically change the way we assign ratings, the structure provides deeper insights that has caused us to change ratings and/or outlooks of many companies.” A good case in point, S&P says, is Hurricane Katrina, which resulted in $41 billion in loss. What S&P found after the storm was that ERM was “a differentiating element when they reviewed insurer’s credit ratings.”
Moving on
Over the past 12 months, there has been significant speculation as to whether S&P and other rating agencies would be extending their ERM criteria to other non-financial service sector entities. The fact is that S&P has already begun extending its ERM criteria to non-financial service sectors in an attempt to broaden its experience in ERM evaluation. As a result, in April 2006, S&P decided to begin a pilot program directed at energy companies. The year-long project allowed S&P to evaluate the trading risk management program of 10 energy firms.
As a result of this program, S&P indicates it was able to gain significant additional amounts of new quantitative and qualitative information to augment its traditional capital and liquidity stress test data for this market segment.
Initially S&P was going to limit the focus of the analysis to the control processes for risk from trading in fuel and electricity markets, but it began to gain broader insights into the firms’ risk management capabilities and cultures that could influence the overall rating. Based on the positive results thus far, S&P has decided to expand its ERM analysis to all energy companies by early 2008.
That leaves open the question regarding the other industry sectors. Late last year, however, S&P put an end to the speculation. “We now propose to introduce Enterprise Risk Management (ERM) analysis into the corporate credit rating process globally as a forward-looking, structured framework to evaluate management as a principal component in determining the overall business profile.”
S&P notes that the business profile and the financial profile are the key factors in a company’s credit rating. And, as is the case with the insurance company ratings, S&P indicates that it expects a deterioration or improvement in a company’s ERM program would “drive rating and outlook changes before the consequences are apparent in published financial results.”
A humble proposal
At this point, S&P has not yet made a commitment to extending the ERM analysis to other industry segments. In fact, on November 15, 2007, S&P outlined its view of the importance of ERM and asked the public for comments on the proposed advancement into non-financial industry segments. S&P asked respondents to forward comments by March 1, 2008. As we went to press, formal notification of the results had not yet occurred, but one can assume that there will be few stakeholders that will not benefit from the addition of an ERM analysis.
Should that be the case, and assuming that S&P begins extending its ERM analysis to all industry segments, companies will, based on the results that have occurred in the insurance industry, start to scramble to implement state-of-the-art ERM programs. And since the analysis can have either a positive or negative effect on the overall company rating, firms will soon see the competitive advantages that can be gained from a properly implemented ERM program.
Additionally, most experts believe that, as happened in the financial services segment, other rating agencies will soon follow suit, leaving few places to hide for a company that has not committed to an ERM program.
Scope of work
Based on past work, S&P realizes that any ERM analysis of non-financial service organizations will need to be based on the unique risks, structures and culture of the particular industry. S&P indicates that ERM must be different in each industry sector because the risk and necessary risk control measures differ from segment to segment. But while S&P understands that there is “no single recipe” for the best ERM platform, it is able to distinguish the effectiveness in managing risk by relying on a customized and consistent general framework. In that regard, S&P has found four major components that will be making up a part of the ERM analysis regardless of the industry segment involved. These four major components include:
Analysis of risk management culture and governance—“measures the importance of risk and risk management in considering daily corporate judgment.” In addition to the evaluation of the risk management culture, S&P will also evaluate the organizational structure, as well as the roles, capabilities, and accountabilities of those charged with the execution of the risk management plan. And S&P will look at risk management governance that strongly influences corporate judgment by the risk management staff. S&P considers this a critical aspect of ERM.
Analysis of risk control—“helps achieve risk control through identifying, measuring, and monitoring risks, setting and enforcing risk limits, and managing risks to meet those limits through risk avoidance, risk transfer, or other risk management processes.” The analysis will focus on three key aspects of an organization’s risk control practices:
• Policies, including business strategies, risk tolerance, risk authority and disclosure
• Infrastructure, including personnel, operation, data, and technology
• Methodology, including risk metrics, stress testing, validation and performance
Analysis of emerging risk preparation—“those risks that are completely new or extremely rare adverse events, and therefore cannot be managed via a risk control process.” Firms are beginning to find innovative ways to deal with such risks including trend analysis, contingency planning, and environmental scanning.
Analysis of strategic risk management—“the formal process that a firm uses to incorporate the ideas of risks, risk management, and return of risk into corporate strategic decision-making processes.” This aspect of the analysis will include a comprehensive measurement of risk as it relates to the risk profile of the organization.
S&P indicates that it will evaluate each of the above noted components in developing an industry-specific ERM evaluation. Obviously, the degree of importance of each factor will vary among the different industry segments.
At this point, it should be clear to most business executives that ERM will be coming to all industry segments in the near future. And the impact will be as meaningful as it is for the insurance industry. Those firms that have excellent ERM programs will gain additional leverage in the rating matrix; those that are less than that will suffer the consequences.
The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.