The rating agency, Standard & Poor's (S&P), is in the process of evaluating companies' risk management practices. It intends to consider this information, its evaluation of the quality of management's processes, when it assigns credit ratings.
S&P recently released a progress report on its work. One surprise (at least for me) was this statement about enterprise risk management (ERM):
"Just as a company's introduction of ERM is unlikely to radically change its current decision-making processes, we don't see ERM analysis radically altering our existing credit rating opinions. We expect its value to be incremental in many cases, negligible in a few, and eye-opening in some."
The opinion that risk management doesn't significantly change decision-making processes will not sit well with risk professionals — or, I suspect, many internal auditors.
S&P's other observations include:
- The level of adoption, formality, maturity, and engagement of ERM varies widely within and across sectors and regions. We haven't seen many companies provide clear examples of definitions for risk tolerance or risk appetite. While that's not surprising (since ERM is still relatively new), a preliminary conclusion could be that many companies find it difficult to ensure uniform behavior across the enterprise.
- The way the risk management function fits in the organizational structure indicates how integrated a company's approach is to risk management. We observe that "silo-based" risk management, focused only at the operational managers' level, continues to be prevalent.
- There appears to be a link between transparency and disclosure and companies' confidence about ERM; many companies have been willing and able to provide considerable detail about risk management practices.
- Companies with a true enterprise-wide approach to ERM appreciate the importance of going beyond only quantifiable risks or even top 10 risks. They increasingly understand the importance of emerging risks.
- Companies often facilitate their ERM execution via separate structures, with associated roles and responsibilities clearly defined. The ERM function's reporting line is typically to the CFO or the CEO, often with a direct line of communication to the board of directors, commonly to the audit committee. However, we have also seen numerous examples of risk management structures that lack stature and influence in their organizations.
- Companies in industries with more quantifiable and hedgeable risks are generally more comfortable discussing ERM, but they tend to focus on controls of those specific risks. Examples include: energy, pharmaceuticals, agribusiness, and some manufacturers.
- ERM discussions, in general, have been more productive with investment-grade and public companies. Firms in the distressed and highly leveraged rating categories (and our analysts) are focused primarily on near-term liquidity in the current financial environment. Public companies often have more to say about ERM due to their attentiveness to compliance (i.e., these companies are more sensitive to the expectations of external stakeholders, such as auditors, regulators, rating agencies, etc.).
- Not many companies have come to grips with the upside aspects of ERM. Focus is instead on assuring that downside risks are covered. There is a very strong compliance-driven push toward ERM, which we cited as a possible danger in the past. We expect that, over time, companies will recognize and articulate competitive advantages that arise as a result of superior risk management.
None of these preliminary observations are surprising — just the overall statement that risk management typically doesn't affect decision-making in any significant way. If that is the case, then organizations are only implementing risk management to "check-the-box" and I am very disappointed.