Enterprise Risk Management

Progress report

Rating agencies push ERM to all business sectors

By Michael J. Moody, MBA, ARM

Just a decade ago, most insurance professionals were not familiar with the term enterprise risk management (ERM). But over the past five or six years, ERM has gone from a concept to an accepted management principle. And while ERM has advanced on many fronts, there is still much work remaining to bring the concept to its full potential.

From its initial entrance into the banking industry, ERM has now extended its reach into general business management and is slowly finding its footing within the corporate hierarchy. Most industry sectors have begun accepting ERM as an integral part of the strategic management process. While there are many reasons for this rapid growth, one of the most influential ones has been the acknowledgement by the rating agencies that ERM enhances their opinions on the management of corporate borrowers.

Rating agencies

Banks were the first industry segment to receive the attention of the rating agencies, as they began to check on whether there was any connection between ERM programs and the credit worthiness of the bank in question. They quickly began to see the difference between those banks that had gotten involved with ERM and those that had not. They found that ERM’s holistic approach to risk management provided the bank with a proactive approach to risk management. However, it was not until the rating agencies began analyzing the results of insurers that they noticed the profound impact that could be obtained with ERM.

Moody’s Investors Service, Fitch Rating, and A.M. Best all began incorporating new ERM standards within their analysis of insurers/reinsurers; however, it was Standard & Poor’s (S&P) that was the most forthright with it ERM methodology. In fact, S&P drafted and promoted a very specific approach to the use of ERM in its rating matrix. S&P ultimately indicated that its insurance rating methodology was made up of eight specific criteria, one of those being ERM. And after a brief introductory period, ERM became one of the key rating issues. S&P soon was reporting that insurer’s ratings were being upgraded because of excellent ERM programs. And conversely, S&P also advised insurers that obtained lower ratings due to poor ERM programs. Insurers quickly picked up on the criteria and began to develop ERM programs that either met or exceeded S&P’s criteria.

Beyond insurers

One of the reasons that S&P had such success within the insurance sector was that it had estab­lished very specific criteria at a time when there were few other specific models. The S&P approach was well thought out and left little to guess at with regard to what was going to be considered excellent and what was going to be considered average. Without many specific ERM plans, S&P’s approach soon became the de facto standard. Around late 2007 to early 2008, there was much speculation regarding whether S&P would develop similar ERM require­ments for nonfinancial companies.

In May 2008, S&P ended the speculation when it announced that it would, in fact, begin assessing ERM as part of its overall ratings for nonfinancial companies. However, unlike the assessment of the insurance industry, where S&P had developed specific criteria, the agency was going to focus on only two universally applicable aspects of ERM—risk management culture and strategic risk management. According to S&P, it started this process in the third quarter of 2008. To date, the agency indicates that it has conducted more than 300 ERM discussions with nonfinancial companies and has summarized the results thus far in a new publication, “Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings.”

Key concerns

In order to more fully develop the two areas of risk management culture and strategic risk manage­ment, S&P uses several key questions when discussing ERM with organizations. The major questions involve a general discussion about the corporation’s top risks, the size of the risks and the frequency of occurrence. Additionally, the agency wants to know what corporate management is doing about these top risks. It also leads discussions regarding the organizations’ risk tolerances. Details regarding the person who is responsible for the ERM program and his or her place on the organizational chart are part of the discussions. Issues surrounding performance management are also an agenda item. S&P is also very interested in the level of involvement of the company’s board of directors. Finally, S&P wants to know of any recent “surprises” within the company’s industry and how those surprises affected the corporation.

S&P realizes that the current financial conditions can provide a quick view of ERM results that would probably not be available “during more placid times.” And while the results to date have varied greatly, some preliminary findings are available for the group of 300 organizations. This group was primarily drawn from the United States and Europe and represents about 10% of S&P’s global coverage of nonfinancial organizations.

At this point, the adoption and maturity of ERM “varies widely within and across sectors and regions,” accord­ing to S&P. Initially, most companies have not adequately determined their organization’s risk tolerance and risk appetite. S&P believes that this may be largely because many companies “find it difficult to ensure uniform behavior across the enterprise.” While most companies do exhibit active, ongoing risk reviews, they typically are confined to “high-impact/high probability risks.” And while successful integration of risk management is needed for ERM, “silo-based” risk management continues to be prevalent.

S&P also notes that companies are starting to more clearly define both the roles and responsibilities of chief risk officers. And typically this function has a “reporting line to the CFO or the CEO, often with a direct line of communications to the board of directors.” Despite this, S&P also has observed examples of risk management structures “that lack stature and influence in the organizations.”

The agency also found that most companies are willing and able to provide “considerable detail about their risk management practices.”

It also appears that many compa­nies are struggling with the enterprise aspects of ERM. S&P concludes that “not many companies have come to grips with the upside aspects of ERM.” As a result, too many companies are focusing on assuring that their downside risks are covered and have a “very strong compliance-driven push towards ERM.” However, they point out that companies with a true enterprise view of ERM are moving beyond the “the top 10 risks” mentality, and they “increasingly understand the importance of emerging risks.”

S&P believes that it has made significant strides in conducting the information-gathering phase of its work. And until it obtains sufficient benchmarking information, it will defer using ERM as a formal part of the rating methodology for nonfinancial organizations. S&P points out that it is hopeful that it can begin to incorporate ERM analysis into individual corporate credit rating reports in 2010.

Conclusion

Despite the newness of the ERM concept, the work completed by S&P has shown that more and more organi­zations understand the importance of adopting this approach to risk manage­ment. And while these firms will soon see the competitive advantages that arise from a properly implemented ERM program, it’s the continued inclusion of an ERM analysis by the rating agencies that will assure ERM’s future. S&P, as well as the other rating organizations state that they believe that ERM is an “organizing tool for assessments of management.” As such, corporations that are early adopters will soon see the benefits of an ERM approach.

Agents and brokers would be wise to begin discussing the benefits of ERM with their clients and look for ways to provide value-added services that help them move towards ERM. Mid-sized agents and brokers need to take note of the commitment that the “big box” brokers are making to ERM. There is still time to take advantage of this emerging trend, but the window of opportunity is rapidly disappearing as your clients find others to assist them with their ERM implementation.