When Standard & Poor’s added risk management to its credit rating assessment, some doubted it had the credibility to properly judge the discipline. But as a good rating is vital to success, says Nathan Skinner, does your ERM do enough to impress the panel?

On 7 May 2008, the credit rating agency Standard & Poor’s announced that it would “enhance” its rating process for non-financial companies by conducting a review of enterprise risk management (ERM). It began discussions with firms in the USA and Europe,and by July 2009 had spoken to around 300 fi rms.

“ERM will add an additional dimension to our analysis of management and corporate governance, creating a more systematic framework for an inherently subjective topic,” S&P’s official statement said.

The decision to start including a review of ERM in ratings immediately sparked interest from the risk management community. Some risk managers were outraged at the development, feeling that a rating agency would not have the independence, expertise or resources to properly evaluate ERM. Others saw it as an opportunity to raise the profile of risk management and a welcome move that would add credibility to the discipline outside the fi nancial world.

Slating agencies

Given that the rating agencies failed to spot problems in the fi nancial system as part of their “forward-looking” assessments of banks and other financial firms, leading to the global banking crisis, those doubters may have felt vindicated.

But credit ratings are still vitally important, both inside and outside the banking world, hence the level of interest in these risk-rating developments. In particular, capital-intensive companies, like large manufacturers, car makers and mining companies, are acutely aware that their credit rating has a direct bearing on borrowing costs: the lower the rating score, the more borrowing costs escalate.

Investors also demand the assurance and transparency of a highly rated company. A substandard evaluation can be a severe disadvantage in the competition for investment.

So, what does S&P’s decision mean for risk managers? How will the new rating dimension affect them and corporate credit ratings overall? And do rating agencies have the credibility to “judge the effectiveness of whatever risk management processes are in use”, as the agency promises on its website?

Some senior risk practitioners doubt commercial rating agencies will ever provide the best way of assessing an organisation’s management practices.

Fundamental to their concerns is the fact that companies must pay for their own assessment.

Former senior analyst at Moody’s Investor Services, Eric Kolchinsky, has said that in the run-up to the financial crisis, conflicts of interest within the rating agency led analysts to issue overly optimistic outlooks on subprime-backed fi nancial instruments, which later turned out to be toxic. “At the end of the day, you could never say ‘no’ to a deal,” he said.

Many within the industry continue to believe that these conflicts of interest prevent rating agencies from issuing a truly objective opinion.

Another concern with assessing ERM in a corporate is that each company tends to do things very differently – and this makes comparing one system with the other very diffi cult. S&P does appear to accept this and has developed a strict set of criteria, which limits the scope of their investigation to an “extension of the management assessment”.

Judge and be judged

Despite these structural issues, risk managers are keen to understand how the rating process works.

Credit rating agencies are an influential force within the financial system and jumping through their hoops could deliver some important benefits. After all, if a company is on the cusp of a rating upgrade then an outstanding ERM assessment could bump them up.

But ERM issues alone are unlikely to drive up a particular rating for most non-financial companies, the rating house says. S&P analyst Amra Balic explains: “We don’t really expect ERM to move very many ratings. What we do believe is that it could reflect on the rating in a positive way, by showing that the management is looking into the main risks.

The companies that are embracing ERM are doing so for reasons beyond merely hoping to boost their credit rating, however. The value of strong risk management, believes S&P, is more likely to emerge during extraordinary or unexpected circumstances, such as a financial crisis for example, as shown in recent years. It is this sort of unanticipated risk that makes ERM indispensable.

In terms of the assessment itself, S&P says that a company’s ERM review will just be another part of its normal credit review. S&P will look at public information, such as the risk management information in the annual report, in addition to putting questions to management directly.

Under scrutiny

In the review, the rating agency will look at two main strands of ERM: risk management culture and strategy. Additional analysis will also look at the firm’s risk controls and emerging risk management.

S&P will assess culture based on internal and external risk management communication, the frameworks and structures currently in use, the influence of risk management on compensation and how well a firm’s risk appetite has been identified.

Analysts will explore: management’s view of the biggest risks the firm faces, the frequency and nature of updating the identification of these top risks and the role of risk management in strategic decision-making.

Risk managers say the rating agency won’t rate highly new processes that still need to become embedded in the organisation, governance frameworks that are unclear, and opaque risk ownership and accountability.

Opinion is divided over the stringency of S&P’s judging process. One chief risk officer with a major insurer, who has experienced the process first hand, describes it as “fairly thorough”. while another senior risk manager, for an information services firm, is not so kind, dismissing the assessment as “fairly light”.

An important distinction to make is that, under S&P’s rules, insurers get a separate ERM score as part of their full analysis; corporates, on the other hand, do not have a specifically assigned or published ERM score. Balic stresses that “ERM is simply an extension of our management assessments”.

She adds: “The way the term has been discussed might have been misinterpreted by some people in the market as signalling a drastic change in the rating process. We do not intend nor have we ever intended to rate ERM in the corporate credit rating.”

Practice makes perfect

So what can companies do to prepare for their time under scrutiny? According to advice from PricewaterhouseCoopers, steps include: performing a robust risk assessment, including emerging risks; evaluating and being able to articulate the inherent strengths and weaknesses of your current ERM; and assessing your company’s risk management culture.

As always, successful companies will want to go beyond just getting a round of applause and positive feedback from the raters. In order to realise all the benefits of ERM, they’ll have to integrate a thorough understanding of risk throughout their organisations.

S&P says: “Very few companies that we have reviewed seem fully imbued with a culture that integrates risk assessment into strategic decisionmaking, clearly communicates risk appetite to internal and external stakeholders, and has a fully engaged and risk-astute board of directors overseeing risk.”

So plenty of room for improvement, then. Yet, worryingly, few risk managers are aware of how they should be engaging with these agencies.

They need to become more familiar with this new dimension of assessment or risk losing out to others within the company with a better understanding of the issues, such as corporate treasurers or finance professionals.

Be warned – in five years’ time, S&P believes risk management will no longer be a distinct discipline, but a part of every senior executive’s skillset. If that’s the way the future is heading, risk professionals must make sure they are ready to perform when the spotlight shines on them.