At a recent conference on enterprise risk management (ERM) organized by the Conference Board, an analyst with Standard & Poor's threw out a hypothetical: Would the 150 or so corporate executives in attendance be concerned if S&P incorporated ERM evaluations into credit ratings? A few hands were raised. Later, after it was revealed that the rating agency in fact intends to introduce an ERM component in the next 12 months, the speaker asked the question again. This time, says Ellen Hexter, director of the Integrated Risk Management Center of Excellence at the Conference Board, "every hand in the room went up."
While nonfinancial companies have been considering ERM imple- mentations for years, S&P is now making the choice obvious: Sometime by late 2007 or early 2008, the credit rating agency will introduce in-depth ERM criteria into its ratings of nonfinancial companies, and companies with no ERM framework in place could find their marks lower. Modeled on an approach already used for banks and insurance companies since 2004, S&P's new category most likely will use 100 or so different factors to evaluate the quality of ERM operations, and then include that assessment in their final score. "This will put a spotlight on firms that don't have ERM in place," says Beaumont Vance, senior enterprise risk manager for Sun Microsystems Inc. "And, it's likely to spur them on to change that."