S&P Publishes Status Report on ERM and Credit Ratings Project

The rating agency Standard & Poor's (S&P) is in the process of evaluating companies’ risk management practices. It intends to consider this information, its evaluation of the quality of management’s processes, when it assigns credit ratings.

S&P recently released a progress report on its work. One surprise (at least for me) was this statement about enterprise risk management (ERM):

“Just as a company's introduction of ERM is unlikely to radically change its current decisionmaking processes, we don't see ERM analysis radically altering our existing credit rating opinions. We expect its value to be incremental in many cases, negligible in a few, and eye opening in some.”

The opinion that risk management doesn’t significantly change decision-making processes will not sit well with risk professionals — or, I suspect, many internal auditors.

S&P's other observations include:

    • The level of adoption, formality, maturity, and engagement of ERM varies widely within and across sectors and regions. We haven't seen many companies provide clear examples of definitions for risk tolerance or risk appetite. While that's not surprising (since ERM is still relatively new), a preliminary conclusion could be that many companies find it difficult to ensure uniform behavior across the enterprise.

    • The way the risk management function fits in the organizational structure indicates how integrated a company's approach is to risk management. We observe that "silo-based" risk management, focused only at the operational managers' level, continues to be prevalent.

    • There appears to be a link between transparency and disclosure and companies' confidence about ERM; many companies have been willing and able to provide considerable detail about risk management practices.

    • Companies with a true enterprise-wide approach to ERM appreciate the importance of going beyond only quantifiable risks or even top 10 risks. They increasingly understand the importance of emerging risks.

    • Companies often facilitate their ERM execution via separate structures, with associated roles and responsibilities clearly defined. The ERM function's reporting line is typically to the CFO or the CEO, often with a direct line of communication to the board of directors, commonly to the audit committee. However, we have also seen numerous examples of risk management structures that lack stature and influence in their organizations.

    • Companies in industries with more quantifiable and hedgeable risks are generally more comfortable discussing ERM, but they tend to focus on controls of those specific risks. Examples include: energy, pharmaceuticals, agribusiness, and some manufacturers.

    • ERM discussions, in general, have been more productive with investment-grade and public companies. Firms in the distressed and highly leveraged rating categories (and our analysts) are focused primarily on near-term liquidity in the current financial environment. Public companies often have more to say about ERM due to their attentiveness to compliance (i.e., these companies are more sensitive to the expectations of external stakeholders, such as auditors, regulators, rating agencies, etc.).

    • Not many companies have come to grips with the upside aspects of ERM. Focus is instead on assuring that downside risks are covered. There is a very strong compliance-driven push toward ERM, which we cited as a possible danger in the past. We expect that, over time, companies will recognize and articulate competitive advantages that arise as a result of superior risk management. 

You can see the complete report here (PDF).

None of these preliminary observations are surprising — just the overall statement that risk management typically doesn't affect decision-making in any significant way. If that is the case, then organizations are only implementing risk management to "check-the-box" and I am very disappointed.

Posted on Aug 7, 2009 by Norman Marks


  1. Interesting to note that at the same time there are projects to establish an authority to supervise these rating agencies... would seem not everyone thinks they've done their best to evaluate risks before it all burst out

    The raters being rated :-)

  1. S&P mentioned that they follow 3,300 companies. Only 150 companies are rated as "investment grade". The rest are considered "junk" by the rating agency. To go from junk to investment grade would be radical and thus their statement that most ratings will show incremental changes from their ERM program evaluations.

  1. Proof is always in the pudding. Auditors and regulators, etc. need to be vigilant in deciphering answers given by interviews and following up on the actions and goals. Sometimes during reviews of supporting workpapers, box checking appears rampant. Specifically, how does the hype, box checking, turn into results? Good box checking does not always give similar or obtained results.

  1. Norman,

    I have a number of points to make on this S&P ERM initiative. Unfortunately I missed the conference call the other day led by Steven Dreyer from S&P to discuss this. He is driving this initiative.

    S&P and the other rating agencies have taken a justifiable beating for their rating of the financial service entities and so right from the get go, there is a credibility issue in the marketplace and so S&P seems to be taking a very conservative approach: "we don't see our ERM analysis being radically altering the credit rating." If so, I say why even bother? However, they do deserve much credit for this intense roll out and we should see how this plays out.

    On his point that he does not see risk management as significantly altering the decision making processes, I don't think he meant this but in any event, his comment needs further clarification.

    In that many companies are not providing definitions for risk tolerance/appetite - this in itself says a lot about the poor state of risk management out there. This is quite serious and needs to be corrected.

    It is critical that all events that develop risks be identified and assessed whether these are quantified or not quantified especially for these new and emerging risks and so this point must be appreciated.

    If not too many companies appreciate the upside aspects of ERM, this shows the absence of a true ERM program - holistic in nature. I do not believe that the COSO-ERM framework adequately emphasizes the upside of risk - the opportunities and it is a major issue especially in trying to sell this to management if you cannot show true benefits with the upside being of paramount importance in this regard.

    Arnold Schanfield





  1. Companies are at various stages of explicit recognition of risk management. They therefore do not always recognize what they are doing as formal risk management.

    With this in mind, recognizing the upside of RM or ERM requires some sophistication of the formal execution of a framework at the strategic level. Some structured effort is needed beyond COSO, a disclosure related standard.

  1. Moving to a formal "ERM" framework from an existing formalized process that has most of the key aspects of ERM will not be a sea change. Most companies that are implementing ERM already have some strong degree of formal risk management. Those that don't are likely to be the "eye-opener" cases.
