From the December-January 2007 issue of Treasury & Risk magazine

Rating Risk Practices

At a recent conference on enterprise risk management (ERM) organized by the Conference Board, an analyst with Standard & Poor's threw out a hypothetical: Would the 150 or so corporate executives in attendance be concerned if S&P incorporated ERM evaluations into credit ratings? A few hands were raised. Later, after it was revealed that the rating agency in fact intends to introduce an ERM component in the next 12 months, the speaker asked the question again. This time, says Ellen Hexter, director of the Integrated Risk Management Center of Excellence at the Conference Board, "every hand in the room went up."

While nonfinancial companies have been considering ERM imple- mentations for years, S&P is now making the choice obvious: Sometime by late 2007 or early 2008, the credit rating agency will introduce in-depth ERM criteria into its ratings of nonfinancial companies, and companies with no ERM framework in place could find their marks lower. Modeled on an approach already used for banks and insurance companies since 2004, S&P's new category most likely will use 100 or so different factors to evaluate the quality of ERM operations, and then include that assessment in their final score. "This will put a spotlight on firms that don't have ERM in place," says Beaumont Vance, senior enterprise risk manager for Sun Microsystems Inc. "And, it's likely to spur them on to change that."

S&P started with the energy sector--a logical choice since it has been the next most active sector in ERM after financial services. S&P launched a pilot program in January 2006, using 12 oil companies and utilities that regularly trade commodities to help establish best-practices benchmarks for capital and liquidity levels on trading operations. (S&P won't name the companies.)

By the end of first quarter 2007, S&P intends to move to a "full ERM" analysis--as Arleen Spangler, S&P director of utilities, power and project finance, calls it--for energy companies. Next step: The rollout to everyone else at the end of 2007.

It's an ambitious effort, involving intensive, face-to-face research. "They're not simply checking off a few boxes on a survey," says Sun's Vance. Indeed, according to Spangler, S&P will typically spend as much as a day interviewing senior managers, risk officers and heads of business units, to gather data about how a company's ERM operation works.

The underlying framework of the assessment is called PIM for Policy, Infrastructure and Methodology. Policy covers such factors as risk tolerance, approach to internal and external reporting, and overall structures for assessing financial and nonfinancial risk. Infrastructure includes the level of technology, personnel issues (for example, whether a company has a chief risk officer and to whom he or she reports), and the quality of back office operations. Finally, Methodology looks at metrics for assessing and quantifying risk.

Since S&P plans to tailor its approach to the industry or business model in question, the weighting of elements will vary depending upon the company. "A company doing heavy derivative trading would not have that same framework as a simple gas distribution company," says Spangler. "For a local utility, regulation might be the most important component, while market risk measurements might play a bigger role for companies with big trading operations." She admits, however, that the evaluation requires qualitative analysis. "There's a part that's more art than science," Spangler says.

What will the final report look like? There won't be a separate ERM score--although companies will receive a breakdown of the ERM assessment, describing areas of strength and weakness. Instead, risk management will be factored into the overall rating of a company's business risk. Currently, S&P includes five components in its business risk evaluation: regulation, markets, competitive position, operations and management. ERM will fall under the management section.

How critical the ERM evaluation will be to the final rating is less clear. Since introducing ERM considerations to the banking side, according to Prodyot Samanta, director of ERM for financial institutions at S&P, the rating agency has upgraded "a couple" of brokerage houses with better risk management operations than others in the industry. At the same time, a company with inadequate ERM wasn't necessarily downgraded. Instead, S&P met with the company to offer the chance to address the matter to avoid a downgrade. S&P is not alone in seeing a need to incorporate some ERM measure in credit ratings. But it is clearly ahead when it comes to extending the criteria to nonfinancial companies. In July, New York-based Fitch Ratings introduced a financial model aimed at measuring insurance companies' ERM activities. According to Jeff Mohrenweiser, senior director of the insurance group, their evaluations have already affected the ratings of several companies offering variable annuities. Moody's says it "has no plans to publish anything as narrow as enterprise risk per se," although it includes such measurements as market and trading risk in its ratings.

One thing is sure: If S&P cares about ERM, it will be hard for any company in the credit markets to ignore it. "Once you know somebody is judging you, it changes the dynamic completely," says Robert Mark, CEO of consultant Black Diamond Risk Enterprise in Pleasant Hill, Calif. "It will get the attention of senior management."