Can We and Should We Rely on Third Party Ratings of Governance and Risk Management?

A colleague shared this link with me today. It’s an article from the Financial Times (FT) about a study into corporate governance standards: the Resources Global governance index. According to the FT article, corporate governance standards are higher among the 100 largest companies on the UK stock exchange (FTSE) than in other European companies. Individual company performance is rated and publicized.

My question is whether we can actually rely on this study to assess and compare corporate governance.
Standard & Poor’s Rating Services (one of the major credit risk rating agencies) has started to assess corporate risk management programs. You can see more here, and their latest report is here.
Again, my question is whether we can rely on S&P for an accurate assessment of companies’ risk management practices.
Whether these studies are of governance or risk management, they are being performed by outsiders. Outsiders assessed the governance practices at Enron as being world-class, and they had similar praise for risk management at a number of now-failed financial services corporations.
Outsiders can only see the veneer of governance or risk management. They can only assess the cut of the clothes being worn, not the strength and integrity of the body within.
This is what internal auditors provide: they examine the body within. They can provide the board and management with assurance not only that the structure is sound (which is what outsiders can see) but that the heart (the control environment, the tone at the top), blood (the flow of information), and muscles (the controls and processes) are operating as intended.
In my ideal world, management includes in the financial statements a set of assertions around the adequacy of governance processes, risk management, and the related internal controls. The assertions are not limited to financial reporting, but address all risks of significance to the enterprise. Management relies on the work of the internal audit group to provide assurance that these processes are operating as intended. The board also relies on internal audit for its oversight of these assertions.

Posted on Oct 11, 2010 by Norman Marks


  1. Given how badly S&P, Moody's and other rating agencies missed the proper valuation of CDO's and firms trading them, what level of confidence do we have in them at all?

    I do not see my work as an internal auditor being made public though - most companies would not agree to that, even IA work around GRC. Might it also run afoul of the concept of issuing an "opinion" concerning the company's financial statements, e.g. shouldn't GRC be part of that anyway?

    I am afraid it would have to be something required by the SEC that the external auditors, in conjunction with their SEC attest work, include an assessment.

  1. Norman,

    Several points to make.

    First, I think that anyone can conduct a proper assessment whether it is an internal party or an external party providing that individual has the proper skill sets and is following a high quality methodology. True that the internal auditor has a head start in terms of knowledge of the business but this in itself will not make for an excellent review.

    Second, I think it is critical that internal auditors acquire the necessary skill sets, which they currently do not have, to be able to conduct a high quality assessment of their company's risk management system. This is part of their responsibilities and to the extent that they cannot do this, management will search for other providers that can do this. The heat is turning up on risk management both inside the company (sundry stakeholders and the board) and external to it (PCAOB, SEC). So material must be developed that can give internal auditors the tools to do this. You can be assured that the external auditors and other consulting firms will be marketing these services going forward "assessing the adequacy of your company's risk management system". Just as there was a big push to outsource internal audit in the 1990s, there will be a further push in this area especially for such services. It will be quite a lucrative service.

    Third, I am quite disappointed with Standard and Poor's and their efforts to roll out ERM. My assessment is that this initiative is failing and will die out shortly. Historical perspective is important. Fitch and AM Best are not doing anything. Moody's has faltered and has been silent on this since 2005. When S&P rolled out this initiative, I was actually quite supportive of this as I believed this would put further pressure on companies to come to grips with their risk management practices.

    Continued below

  1. Continued from above

    What has transpired is that S&P is carrying the baggage of their botched rating efforts for the CDOs. So most of their clients and the public are quite skeptical. In addition, the person running this at S&P works during the day at an unrelated full time job with many analysts reporting to him. There is no separate budget for this initiative and no full time staff on it or any contemplated.

    S&P has further refused to adopt any specific framework although they have indicated in various presentations their preference for ISO 31000. Their questions seem to be a combination of both ISO 31000 and Basle and my take on this is that overall, there is not an in depth understanding of ERM, nor is there support for this and as such it will fail. In the end analysis, it is to your point. They have not walked away with a thorough understanding of the company. Their focus is on credit ratings and it seems to be much narrower in scope.

    Which gets back to the most important point in that internal auditors should seize the opportunity while they are in the driver's seat and not wait for the consultants to start the marketing process. Boards are getting smarter in risk management. Just this week Harvard Business School announced that it was rolling out an executive program in risk management for executives. You can rest assured that many executives will attend this and then come back to their offices and demand more from their internal auditors.

    Fourth and last, I will comment separately on this latest governance link you were good enough to share with us from Europe.



  1. Arnold, sorry but you are missing my point: those external to the organization don't know what is really happening within the organization. They can see the veneer, not the heartbeat of the organization.

  1. Norman:

    I don't believe that I have missed the points but I think the most important point of all is that no one at the moment is providing an accurate assessment of the company's risk management practices. Is the internal auditor ideally better equipped because they know the company? Sure they are.



