Enterprise Risk Management
Firms are increasingly succumbing to external pressures to embrace ERM to satisfy expectations from regulatory bodies and ratings agencies. Is your firm at risk?
February 4, 2008
by Bruce Branson, PhD
An enterprise risk management (ERM) program provides a framework for managing risk at your organization. It typically asks you to identify the risks and opportunities relevant to your organization's objectives, assess their likelihood and the magnitude of their impact on your organization, determine your response strategy and monitor progress. By identifying and proactively addressing risks and opportunities, your firm can protect and create value for your stakeholders, including owners, employees, customers, regulators and society overall.
Despite the many benefits associated with active ERM programs, many firms have resisted ERM initiatives, citing concerns about costs, loss of focus on managing operations and lack of skilled personnel. Recent events, however, may increase external pressures on many firms to begin or expand their ERM efforts. This column discusses one important new source of external pressure on firms — Standard & Poor’s (S&P) recent release of their proposal to include an evaluation of ERM practices as part of their overall credit ratings analysis of nonfinancial companies.
Bruce Branson will be speaking at AICPA’s The Audit Committee’s Role in Risk Oversight: Taking a Strategic View of the Enterprise conference, March 27-28, New York, New York.
Why Financial Firms Need ERMs
S&P, along with Moody’s and Fitch Ratings Services, provides credit ratings for a broad swath of Corporate America. These ratings are important for determining corporate borrowing costs and, thus, play an important role in strategic planning and capital acquisition decisions. S&P has included an evaluation of ERM practices in its ratings analysis for financial institutions and insurance companies for several years, and more recently has expanded its ERM evaluations to include certain companies in the energy sector. This past November, S&P released for public comment a proposal to include an ERM evaluation as part of the credit ratings analysis for firms in 17 distinct industry sectors, ranging from airlines to telecommunications. In its proposal, S&P identifies key organizational risks for each industry. For example, key risks identified for the health products industry include failure to innovate, legal liability, regulatory oversight and risk of losing a company’s good reputation.
S&P ERM Model
S&P envisions using a four-point scale to score a firm’s ERM processes, with a range of “weak” to “excellent.” Firms whose ERM programs are considered weak are missing complete controls for one or more significant risks and have limited capabilities to identify, measure and comprehensively manage risk exposures. A firm whose ERM program is considered adequate exhibits conventional “silo-based” risk management processes — in which risks within its business functions are well-managed, but its risk responses are not well-coordinated across business units. Companies whose ERM programs are rated strong exhibit an enterprise-wide view of risks allowing for consistent identification, measurement and management of risks across business units within predetermined risk tolerances. These companies will also include risk and risk management discussions in their strategic business planning efforts. Firms rated as excellent will, in addition to those characteristics of strongly-rated companies, also exhibit risk/reward optimization behavior.
S&P ERM Evaluation
Based on its experience with ERM program evaluation in the financial sector, S&P recognizes that it will be necessary to tailor its approach based on a company’s unique risks, structure and risk management culture. Its proposal identifies four major analytic components that it believes can provide a framework for each custom evaluation. These four components are:
S&P intends to look for adherence to systematic and consistent management practices that limit losses and optimize rewards for given levels of risk. It expects to observe sophisticated risk management practices for complex risks, and recognizes that less formal risk management programs may be sufficient in simpler contexts.
With respect to risk management culture and governance, S&P will evaluate the organizational structure of the business, along with the roles, capabilities and responsibilities of those charged with risk management. An important indicator of a sound risk management culture will be the degree to which line-level managers routinely comply with stated risk tolerances on a day-to-day basis.
Risk control practices will be evaluated using S&P’s PIM approach (policies, infrastructure and methodology). The PIM approach provides a consistent framework to evaluate control practices across an organization. The review of policies (business strategy, risk tolerance, disclosure practices), infrastructure (personnel, operations, technology) and methodology (risk metrics employed, testing and validation procedures) will provide a basis for scoring companies on this important component of their overall ERM program. Board members will play an important role in this evaluation given their responsibilities related to strategy development and implementation as well as policy approval and oversight.
S&P will also evaluate the firm's processes for identifying emerging risks and the extent to which planned responses exist for rare, but potentially crippling, adverse events. It will likewise evaluate how risk management fits within the broader strategic planning mechanism employed by the business. Both evaluations are designed to provide inputs, along with the evaluations of risk culture and controls discussed above, to an overall ERM score that will factor into the overall ratings decision for the firm.
Future of ERM
By early March, S&P expects to decide whether to move forward and expand its evaluation of ERM processes to many of the nonfinancial sectors it rates. If adopted, S&P will introduce ERM analysis into the ratings process immediately, though individual ERM scores will not be made public until it has gained sufficient experience with the process to meaningfully compare ERM practices across firms and across time.
Should S&P determine that a well-functioning ERM program is a vital attribute for highly-rated entities (and all signs are that it will make this determination), the pressure to implement an ERM program or expand upon an existing ERM initiative will increase dramatically. Stay tuned.
Bruce C. Branson, PhD, is Professor and Associate Director of the Enterprise Risk Management Initiative in the College of Management at North Carolina State University. Branson has published articles in the Journal of Applied Business Research, The CPA Journal and The Journal of American Academy of Business, among others.