My notes, live, from the Compliance Week Conference session by Steven Dreyer, who is overseeing Standard & Poor’s program to assess corporate ERM efforts as part of credit ratings. Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings (.pdf)
S&P’s ERM review for non-financial companies will be based primarily on information provided by issuers in public disclosures and through discussions with S&P analysts. S&P does not require written responses to these questions, but will certainly consider them if provided to supplement or make more efficient our in-person discussions.
- What are the company’s top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
- What is management doing about top risks?
- What size quarterly operating or cash loss has management and the board agreed is tolerable?
- Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure success of risk management activities?
- How would a loss from a key risk affect incentive compensation of top management and planning/budgeting?
- Tell us about discussions about risk management that have taken place at the board level or among top management when making strategic decisions.
- Give an example of how your company responded to a recent “surprise” in your industry and describe whether the surprise affected your company and others differently.
All S&P cares about is the ability of the company to repay its debt. Corporate social responsibility is nice, but does not affect credit. S&P does not lower a credit rating on an airline because of a plane crash. They care about cash flow. They do care if a risk is a risk to cash flow. S&P is not a missionary for ERM.
So why are they adding ERM to credit ratings for non-financial institutions?
- Enhance Analytical Process & Focus
- Create More Forward-Looking Ratings
- Better Insights and Communication on Management
- Differentiate Better
Non-financial institutions tend to die very slow deaths. Financial institutions have the potential to fall off a cliff and disappear quickly. For non-financial institutions, ERM is a means to see inside the enterprise to see how they may be able to bounce back from issues and crises.
Every company has an appetite for risk and a tolerance for risk. Focusing on risk management gives some insight into how a company treats risk, both its appetite and its tolerance.
What Is S&P Not Looking For… (These mindsets can actually hinder effectiveness):
- Eliminating all risks
- Cramming together disparate policies
- Solely compliance/disclosure requirements
- Replacement for internal controls
- A shiny new software program
- Naming a CRO and calling it a day
“The reviews will focus predominantly on risk-management culture and strategic risk management, two universally applicable aspects of ERM.” – Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings, May 7, 2008
Culture = Communications, Frameworks, Roles, Policies, Metrics, Influence
Strategic = Identification and Updating Process, Impact on Key Decisions
Here are some ERM discussion topics he offered:
- How are key risks identified, updated, and dealt with?
- How is risk tolerance defined and communicated?
- Who “owns” risk in the organization and how is success measured?
- What is the board’s involvement in risk management?
- How did your company respond to _______________ ?
Ultimately, they are looking for evidence of effectiveness. They are planning to release the criteria during the fourth quarter of 2009. They are currently in the process of benchmarking and comparing information. They are thinking about using a rating scale, but there is a concern that people will focus on the number and not the nuances that went into the number.
A counter-intuitive result was that the companies that responded more quickly to questions were more accurate than those that took longer. The quick responses came from companies that had better access to their information; the slower responses came from companies whose information was hard to find and less reliable.
(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)