During the latter part of 2008, enterprise risk management ("ERM") "got real" for corporate America as Standard & Poor's ("S&P") began incorporating ERM analysis into the credit-rating process for nonfinancial companies.[1] While senior management and boards of directors are generally aware of ERM, implementation of holistic risk-management processes has been tepid and uneven. With the new S&P approach, companies that fail to implement ERM in a serious fashion do so at peril of suffering ratings downgrades. Companies that fully embrace ERM stand a chance of improving credit ratings with the consequent benefit of lowering the cost of capital and enhancing reputation.
Elements Of ERM
The challenge of business decision-making is to weigh, as precisely as possible, the expected return on an opportunity against the risks inherent in undertaking the opportunity. Risks are those threats to a company's operations, financial condition, investments and reputation that must be identified and assessed to determine how best to manage them. Operational risks can arise from inadequate or failed internal processes and systems, human factors and external events, manifesting themselves in, for example, errors, inappropriate employee behavior, supply-chain breakdowns and business interruptions. Compliance and reputation risks can arise from failure to comply with laws, regulations, internal policies and procedures, ethical standards, and expectations of customers and counterparties.
ERM is a coordinated approach to identifying, assessing and managing risks across the enterprise. The coordination of risk-management initiatives greatly enhances the quality and completeness of risk analysis. For example, ERM helps to identify "concentrations" of risks and to analyze "correlations" to other risks that may be overlooked in a single-focused, siloed risk-management framework. In addition, ERM establishes a "risk portfolio" framework, which enables companies to balance risk exposures and set a risk profile and overall risk appetite and tolerance. When a company's risk appetite and tolerance permit acceptance of certain risks, such risks can then be managed through a variety of processes, including business and strategic plans, budgets, internal controls, training, insurance, hedging techniques, and diversification.[2]
A successful ERM process is grounded on three predicates. First, all risks and mitigating strategies must be transparent, both to calibrate risk appetite and tolerance accurately and to ensure exception reporting where deviations from the normal ERM process are permitted. Second, a company's culture must support the free reporting of risks. It is imperative that managers protect from retaliation employees who voice their concerns about process dislocations. Third, managers must always think in terms of risk-adjusted returns: risk/reward, not cost/benefit, should be the yardstick.
S&P's Risk-Management Analysis
Since 2005, S&P has included ERM analysis in its rating evaluations of financial institutions and insurance companies.[3] ERM analysis adapts easily to the financial and insurance sectors since risks in those sectors (e.g., financial market risk, credit risk, and underwriting risk) lend themselves to quantitative measures and hedging strategies. In 2006, S&P extended ERM analysis to energy-company and agribusiness trading risks, again a business function that can be analyzed quantitatively and hedged. Based upon the experience gained from the application of ERM principles to the financial and energy sectors, and after receiving comments on ERM application to nonfinancial companies, S&P concluded that using the ERM framework for the nonfinancial sector will improve the breadth and consistency of its review of management capabilities and corporate governance, although a more qualitative approach may be required.
In evaluating the creditworthiness of nonfinancial institutions, S&P initially is focused on two universal components of ERM - risk-management culture and strategic risk management.
The risk-management culture analysis includes management discussions with S&P analysts about: (i) risk-management organizational and governance structures; (ii) roles, capabilities and accountabilities of risk-management staff; (iii) risk-management communications and transparency; (iv) risk-management policies and metrics; and (v) influence of risk management on budgeting and management compensation.
The strategic risk-management discussions focus on: (i) management's view of the most consequential risks - their likelihood and potential effect on credit; (ii) frequency and process of updating the identification of top risks; (iii) influence of risk sensitivity on liability management and financing decisions; and (iv) role of risk management in strategic decision-making.
For the moment, S&P generally has deferred consideration of the other two applicable components of ERM - emerging risk management and risk-control processes. However, in certain companies with trading operations, S&P intends to review risk-control processes where it is appropriate to apply control analysis using the policies, infrastructure, and methodology ("PIM") approach as was utilized in the credit analysis of energy-company and agribusiness trading risks. The PIM approach focuses on a myriad of factors, including risk tolerance and disclosure policies, operations and technology infrastructure, and risk metrics and performance-measurement methodologies.
For the next several months, S&P will continue to gather risk information through its discussion process with nonfinancial companies leading to the development of reliable ERM performance benchmarks. Once appropriate benchmarks are established, criteria will be published that will eventually lead to evaluation and possible scoring of ERM capabilities. S&P intends to score ERM capabilities as "excellent," "strong," "adequate," or "weak." Weak ERM may be predictive of negative creditworthiness while strong ERM processes may be predictive of positive credit quality. The touchstone in scoring ERM capabilities will be evaluating whether a company consistently identifies, assesses, rates and manages exposures to risk and losses within predetermined tolerance objectives.
Fortunately, S&P does not expect to score ERM capabilities until at least mid-2009. Accordingly, companies still have time to put robust ERM implementation processes in place before the full impact of the S&P risk-management analysis is felt.
The biggest threat to the credit condition of corporate America comes from emerging risks. These risks may be completely new, are often understated and ignored, are difficult to identify, and can be devastating to a company. The current financial crisis, Hurricane Katrina, and the Enron debacle are well-known poster children. Could any of these cataclysmic events have been better predicted? While no ERM process will eliminate losses, a robust process will certainly minimize them.
The ERM toolbox contains several tools that should give managers a better handle on identifying and assessing adverse events. Good event identification and assessment processes are critical to identifying possible events and evaluating the likelihood of events occurring and their potential impact. Event identification and assessment can be achieved through, among other processes, environmental scans, scenario analysis, and stress testing.
Environmental scans entail looking at an industry broadly to identify, for example, trends in product development and pricing, consumer complaints, company consolidations or expansions, counterparty relationships, regulation, and litigation. Scenario analysis utilizes descriptive models to assess the likelihood of occurrence of an event by analyzing the effect of a hypothetical yet plausible scenario on the risk of loss exposure. Scenario analysis involves positing "what if" factual conjectures that could plausibly occur in the business environment. Stress testing assesses the potential severity of an event by subjecting internal controls to a hypothetical yet plausible high-impact event to determine if control weaknesses exist. The information garnered from these analyses can provide a heads-up on emerging threats to a company.
Steps To Prepare For S&P's Risk Discussion
The following are some steps that nonfinancial companies should consider to better prepare for discussions with S&P analysts:
• Form an interdisciplinary ERM credit team to roll up risk-assessment data on the organization's risk-management culture and strategy from across the enterprise, and analyze the impact of the data on the creditworthiness of the enterprise. The ERM credit team should be headed by the chief financial officer and should include the chief executive officer, business unit executives, treasurer, chief risk officer, general counsel, chief compliance officer, and chief audit executive.
• Leverage ERM-type analyses already implemented, for example, Sarbanes-Oxley financial-control risk analysis and compliance risk assessment. Compliance risk assessments are encouraged by the Federal Sentencing Guidelines[4] as an early warning process for detecting compliance threats, which enables companies to address compliance risks before they become violations of law.
• Evaluate the current state of the risk-management culture. A persistent flaw in risk analysis is lower-level managers with knowledge of risks not communicating them up to senior management. In addition, senior management compensation often has been misaligned with risk-management goals. Further, companies have been challenged by conflicts of interest and other ethical constraints. These potential risk dislocations as well as others should be examined as part of the assessment of risk-management culture.
• Demonstrate how ERM affects strategic planning. S&P has listed several strategic processes affected by risk and risk-management analysis, including capital budgeting, strategic asset allocation, acquisitions and divestitures, performance management, and incentive compensation. The degree that risk and risk management are considerations in these strategic processes indicates the quality of strategic risk management. The endgame is to structure an assessment that evaluates and prioritizes risks based upon likelihood of occurrence and potential impact on the achievement of corporate objectives, and that has an influence on liability management and/or financing decisions.
ERM Benefits Beyond Enhanced Credit Rating
Finally, a robust ERM process will yield benefits far beyond credit-rating enhancement. An effective ERM process will:
• reduce operational and compliance surprises by providing early warning of impending corporate threats;
• enable companies to identify and correct control deficiencies, thereby permitting process improvements, before they result in operational failures or are discovered by regulators;
• enable the reduction of penalties and fines in the event of a compliance failure through self-reporting and restitution;
• improve the decision-making process through greater awareness of risks and mitigating strategies; and
• improve capital allocation across business units because risk information will facilitate weighing expected returns against the risks inherent in undertaking a business opportunity.
[1] Standard & Poor's Ratings Direct, "Enterprise Risk Management: Standard & Poor's To Apply Enterprise Risk Analysis To Corporate Ratings," (May 7, 2008), available at http://www.riskonnect.com/files/SnP.pdf.
[2] There are many generally accepted risk-management standards. The COSO framework is an ERM standard that is familiar to most managers. The COSO framework establishes four objectives: strategic (high-level goals aligned with and supporting a company's mission), operations (effective and efficient use of resources), reporting (reliable preparation of financial statements), and compliance (adherence to applicable laws and regulations). Further, the COSO framework elaborates on eight interrelated components that go into managing the four objectives: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), Enterprise Risk Management - Integrated Framework (September 2004), available at http://www.coso.org/-ERM.htm.
[3] Moody's and Fitch Rating Services, the two other major credit-rating agencies, have indicated that they integrate risk-management analysis in varying degrees in their credit ratings.
[4] United States Sentencing Commission, 2007 Federal Sentencing Guideline Manual, Chapter 8 - Sentencing of Organizations, Effective Compliance and Ethics Program: §8B2.1, available at http://www.ussc.gov/orgguide.htm.
James E. Bowers is Counsel and Director, Compliance Risk Services at Day Pitney LLP, where he practices in the areas of compliance risk management, corporate governance, ethics, and antitrust, corporate and securities law.