During the latter part of 2008, enterprise risk management (“ERM”) “got real” for corporate America as Standard & Poor’s (“S&P”) began incorporating ERM analysis into the credit-rating process for nonfinancial companies.* While senior management and boards of directors are generally aware of ERM, implementation of holistic risk-management processes has been tepid and uneven. With the new S&P approach, companies that fail to implement ERM in a serious fashion do so at peril of suffering ratings downgrades. Companies that fully embrace ERM stand a chance of improving credit ratings with the consequent benefit of lowering the cost of capital and enhancing reputation.

ERM is a coordinated approach to identifying, assessing and managing risks across the enterprise. The coordination of risk-management initiatives across the enterprise greatly enhances the quality and completeness of risk analysis. For example, ERM helps to identify “concentrations” of risks and to analyze “correlations” to other risks that may be overlooked in a single-focused, siloed risk-management framework. In addition, ERM establishes a “risk portfolio” framework, which enables companies to balance risk exposures and set a risk profile and overall risk appetite and tolerance.

Since 2005, S&P has included ERM analysis in its rating evaluations of financial institutions and insurance companies. And in 2007, S&P extended ERM analysis to energy-company and agribusiness trading risks. Based upon the experience gained from the application of ERM principles to the financial and energy sectors, and after receiving comments on ERM application to nonfinancial companies, S&P concluded that using the ERM framework for the nonfinancial sector will improve the breadth and consistency of its review of management capabilities and corporate governance.

In evaluating the creditworthiness of nonfinancial institutions, S&P initially is focused on two universal components of ERM – risk-management culture and strategic risk management.

The risk-management culture analysis includes management discussions with S&P analysts about: (i) risk-management organizational and governance structures; (ii) roles, capabilities and accountabilities of risk-management staff; (iii) risk-management communications and transparency; (iv) risk-management policies and metrics; and (v) influence of risk management on budgeting and management compensation.

The strategic risk-management discussions focus on: (i) management’s view of the most consequential risks – their likelihood and potential effect on credit; (ii) frequency and process of updating the identification of top risks; (iii) influence of risk sensitivity on liability management and financing decisions; and (iv) role of risk management in strategic decision making.

For the moment, S&P has deferred full consideration of the other two components of ERM – emerging risk management and risk-control processes. For the next several months, S&P will continue to gather risk information through its discussion process with nonfinancial companies, leading to the development of reliable ERM performance benchmarks. Once appropriate benchmarks are established, criteria will be published that will eventually lead to evaluation and possible scoring of ERM capabilities. S&P does not expect to score ERM capabilities until at least mid-2009. Accordingly, companies still have time to put robust ERM implementation processes in place before the full impact of the S&P risk-management analysis is felt.

The following are some steps that nonfinancial companies should consider to better prepare for discussions with S&P analysts:

  • Form an interdisciplinary ERM credit team to roll up risk-assessment data on the organization’s risk-management culture and strategy from across the enterprise, and analyze the impact of the data on the creditworthiness of the enterprise. The ERM credit team should be headed by the chief financial officer and should include the chief executive officer, business unit executives, treasurer, chief risk officer, general counsel, chief compliance officer, and chief audit executive.
  • Leverage ERM-type analyses already implemented, for example, Sarbanes-Oxley financial-control risk analysis and compliance risk assessment.
  • Evaluate the current state of the risk-management culture. A persistent flaw in risk analysis is that lower-level managers with knowledge of risks do not communicate them up to senior management. In addition, senior management compensation often has been misaligned with risk-management goals. Further, companies have been challenged by conflicts of interest and other ethical constraints. These potential risk dislocations as well as others should be examined as part of the assessment of risk-management culture.
  • Demonstrate how ERM affects strategic planning. S&P has listed several strategic processes affected by risk and risk-management analysis, including capital budgeting, strategic asset allocation, acquisitions and divestitures, performance management, and incentive compensation. The degree to which risk and risk management are considerations in these strategic processes indicates the quality of strategic risk management. The endgame is to structure an assessment that evaluates and prioritizes risks based upon likelihood of occurrence and impact on the achievement of corporate objectives, and that has an influence on liability management and/or financing decisions.

Finally, a robust ERM process will yield benefits far beyond credit-rating enhancement. An effective ERM process will:

  • reduce operational and compliance surprises by providing early warning of impending corporate threats;
  • enable companies to identify and correct control deficiencies, thereby permitting process improvements, before they result in operational failures or are discovered by regulators;
  • enable the reduction of penalties and fines in the event of a compliance failure through self-reporting and restitution;
  • improve the decision-making process through greater awareness of risks and mitigating strategies; and
  • improve capital allocation across business units because risk information will facilitate weighing expected returns against the risks inherent in undertaking a business opportunity.