With the debut of Standard & Poor's new enterprise risk rating for non-financials, execs need to start paying attention
April 7, 2008
Since the advent of Sarbanes-Oxley, non-financial corporations have faced increasingly strong regulatory and compliance requirements aimed broadly at increasing transparency in their business practices. Risk management has been addressed at times, but usually as an afterthought.
All this is about to change.
In November 2007, Standard and Poor's announced plans to introduce enterprise risk management into its credit ratings criteria for non-financial companies, a move meant to bring a level of consistency to evaluating not only the resilience and profitability of these firms, but also the quality of management.
S&P has been evaluating ERM in the financial sector for some time; now it will apply its ERM ratings criteria to industries as diverse as airlines, pharmaceuticals and retail. While S&P plans to tailor its proposed ERM analysis based on individual companies' unique risks, structure and culture, all companies will be rated against four major criteria that will serve as the framework for analysis—risk management culture and governance, risk controls, emerging risk preparation and analysis of strategic management.
ERM is anything but a trendy concept. In fact, its roots go back more than a decade. In 2005, S&P brought ERM into its ratings criteria in the insurance sector. Later S&P analysis showed that the strength or weakness of a company's ERM was a differentiating factor among insurers impacted by Hurricane Katrina. Those with weak ERM were unable to quantify their exposure, and many were hit with much greater losses than they had thought possible, while those with stronger ERM were able to quickly estimate losses that were within 25% of actual claims.
Several banking firms that implemented ERM and then successfully weathered a similar storm in the subprime market may also have influenced S&P's belief in ERM's value for other industries.
For companies outside the financial sector, taking an enterprise approach to risk management is a relatively new concept. And while only a progressive few look at risks holistically, S&P's move should be a wake-up call. To be sure, some companies with fresh memories of Sarbanes-Oxley compliance exercises will initially react with frustration. However, those who embrace ERM are likely to see a positive impact on their cost of capital and bottom line because S&P will draw a straight line from ERM ratings to better credit ratings. Although ERM won't eliminate risks, it certainly will prepare companies for difficult situations, thereby minimizing their negative financial effects.
In response to S&P's announcement, companies first must take inventory and evaluate any existing ERM processes against the four S&P criteria. Second, management needs to take action to remedy any inadequate processes. S&P will not implement these changes overnight, but it's reasonable to expect that it will start to give official ratings as early as 2009. Companies should start making changes now to prevent any adverse effects on their ratings scores and, thus, their ability to access capital.
ERM is only as successful as the priority it is given by senior management. The C-suite sets the tone for corporations by identifying priorities, and at companies outside the financial sector, ERM has rarely made it onto that list. S&P's initiative should elevate awareness about the importance of risk management and prompt senior leaders to establish a “risk management culture” that communicates the importance of ERM from the top down and forges a connection between business objectives and business performance.
Despite ERM's decade-long presence in some industries, we are only now entering an era when more companies will get serious about ERM and move from just talking about it to implementing robust methods that tackle a range of risks. And it's clear that ERM will need to be higher on the CEO's agenda if companies want to continue to maintain healthy financial performance.
In the future, the focus of ERM will shift from compliance, management and measurement to more business-driven results such as better loss optimization and strategic integration. Now is the time for corporations to honestly assess how well prepared they are to meet the portfolio of risks they face and begin to implement ERM as part of the complete business process. To do otherwise would just be, well, risky business.