Sometime late this year, Standard & Poor's hopes to roll out a new category for its corporate ratings: enterprise risk management (ERM). The Big Three rating agency, which has been assessing finance and insurance companies on their risk management practices and capabilities since 2005, is "developing the criteria" for this specific rating category, a company spokesman says. The move highlights a reality: While ERM has become a popular term, some experts say that most corporations, especially outside of the financial sector, have not moved risk management far beyond the regulatory risk area nor made it an integral part of their operations.
"Typically, risk is managed in a silo fashion at most companies, with most of the focus on regulatory and financial risk, but ERM really has to be holistic in treating all risks equally seriously," argues Sim Segal, U.S. leader of ERM services at consulting firm Watson Wyatt. "It also has to be able to look at what happens if two or more risks happen at the same time, which very few companies do." Segal says that a survey of the 100 most serious losses in the stock market in recent history shows that 85% of the losses involved two or more risks occurring at the same time. Ward Sax, chief risk officer and treasurer at RTI, a not-for-profit research organization based in Research Triangle Park, N.C., agrees that ERM has "a long way to go," and says, "It is clear that while a lot of companies talk about risk management, most are still really struggling with where to start."
"Most companies these days recognize the value of risk management," says Dale Hall, vice president and chief actuary at Bloomington, Ill., insurer Country Financial. But he says for a lot of them, it's still mostly in the "should do" category. Steve Dreyer, an S&P managing director who heads the ERM global integration project, says, "This is something we're doing very deliberately and carefully."
The plan is not for some kind of "big bang," Dreyer says. Rather, S&P's analysts, in the normal process of their reviews, are talking with corporate managers about risk management and developing criteria and a methodology, which will be published before ERM ratings are actually offered. "We're getting the lay of the land," he says. The target date for publishing the criteria to be used for risk management ratings is the third quarter of 2009.
"The most important thing we need to learn is what the impact is on a company's credit rating of having good or bad risk management," Dreyer says. "And as far as I know, no one has yet really connected the dots to answer that question." Watson Wyatt's Segal argues that S&P faces a certain dilemma in introducing the new rating category.
"Politically, they can't start changing corporate ratings drastically because of a company's risk management competence," he says. "So I think what they'll do is get in there and start rating risk management fairly gently, and then start raising the bar each year." This is the way S&P introduced its risk management evaluations of the insurance industry, he notes, adding, "It kind of upset people in the industry when they kept having to improve their risk management each year." There is a general expectation that S&P's move will lead to an increased focus on the process at most public companies. "If history is any judge, this move by S&P will impact the enterprise risk management of all companies, because they're saying that to get a high rating, you will have to demonstrate that you are managing risk well," says Segal.
"It will lead to a shift of resources, with more funding for the people in an enterprise who are in risk management positions," says Country Financial's Hall. "Everyone is going to have to get up to speed on this." "I think formalizing the rating of ERM is a great idea," says RTI's Sax. "It may end up being like the introduction of Sarbanes-Oxley, in that it will focus everyone on risk management."
"It could have a positive impact," says Brian Kalish, director of the finance practice at the Association for Financial Professionals (AFP). "Just like SOX focused people on reporting procedures and processes, this could focus companies on risk areas that they may not have been highlighting." But he says such rating agency moves tend to come and go as issues change. "Remember a few years ago when they were all focused on liquidity assessments?" he asks with a laugh. "Now what happened to that?"
"You would think that S&P would have been looking at risk in their rating assessments already, right?" Kalish adds. "But then, what happened with Lehman Brothers?"
Indeed, that's the reason that S&P's main competitor, Moody's Investors Service, offers when it says it has no plans to follow S&P in rating companies on their risk management function. "Inherent in any rating we do is consideration of risk management from any number of angles," says Mark LaMonte, senior vice president for the company's accounting, risk management and governance team. "Evaluating the key risks of firms is embedded in our methodology. Will we label that evaluation separately? I'm not sure."
LaMonte disputes the notion that U.S. companies are not doing a good job of risk management. "For years," he says, "companies have been managing risk relating to brands, insurable risks, financial risks. Internal auditors have always been identifying risks. The quality of corporate risk management is really a very company-specific question. That being said, people could do it better." He adds, "Back in the 1990s, I remember as an auditor having discussions with corporate clients about their key risks. It was an issue people were thinking about. There was just no term: ERM."
A spokesman at Fitch, the third major ratings firm, said that the company would have "no comment" on the question of risk management assessments in its corporate ratings.
The introduction of a specific rating category for ERM is likely to lead to a boom in automated ERM solutions. Whether that's a good idea is open to question. RTI's Sax hails the dashboards that his company has in place, which "ensure that management is informed quickly of all the risks and how to deal with or take advantage of them."
Watson Wyatt's Segal is more skeptical. "I don't think it's really possible to automate something like this that is still just evolving," he says. "There will be a role for IT in risk management in a few years, but I haven't seen a company yet that's ready to institutionalize and automate their ERM."
With S&P gearing up to introduce an ERM rating category, and with companies feeling the pressure to achieve a high rating in that category, that time may be coming sooner than Segal thinks.