Enterprise Risk Management

Standard & Poor's Comments on ERM in Non-Financial Companies

In September 2008, credit rating agency Standard & Poor's informed the world that they were extending their credit rating process to cover Enterprise Risk Management in non-financial companies. Last month they issued an update, sharing some insights into how those companies manage risk. As one of the few businesses that impartially reviews risk management across a broad range of non-financial companies, their comments are very revealing about the state of ERM. Here are some snippets:

'The value of strong risk management practices, or failings of weak ones, is more likely to emerge in extraordinary or unexpected circumstances. In many cases, senior executives introduced ERM as a compliance exercise and hence are more likely to focus on ERM's loss-avoidance features and less likely to see opportunity in superior risk management. The biggest factor we have seen behind companies realizing value in ERM is when they have a large, unexpected loss or they witness harm occurring to competitors, suppliers, or customers.'

On the surface, this is an interesting admission - it takes a crisis to get the most value from ERM. But read it a second time, and you realize the statement is just a truism: low-probability, high-impact events are the most dramatic test of risk management. The key admission is that most businesses see ERM asymmetrically. In practice, risk management focuses more on avoiding downside risk and less on enhancing the upside.

'At companies that have a formal ERM program -- by no means a majority -- ERM is generally in a nascent stage. We find their most common approach is to maintain a "risk register" or "heat map" that classifies top risks by likelihood and impact along with a mitigation strategy for each. Fewer companies assign specific ownership for key risks, develop alternative mitigation strategies, and communicate risk tolerances clearly across their organizations. Very few companies we have reviewed seem fully imbued with a culture that integrates risk assessment into strategic decision-making, clearly communicates risk appetite to internal and external stakeholders, and has a fully engaged and risk-astute board of directors overseeing risk.'

There is an interesting presumption in S&P's use of the word 'nascent'. It implies future development is inevitable, even if little development has occurred so far. Less than a majority - in other words, a minority - of companies have a formal ERM program, and formality here means pulling together some record of the risks faced and what is being done about them. Fewer still assign ownership and communicate risk tolerances, and even fewer have a board which is fully engaged. Hmmm... so there is a lot of work to do to get businesses from where they are now to the point where they deliver on the expectations set in ISO 31000 and other risk standards.

'We believe that successful risk culture begins with fostering open dialogue where every employee in the organization has some level of ownership of the organization's risks, can readily identify the broader impacts of local decisions, and is rewarded for identifying outsize risks to senior levels. In such cultures, strategic decision-making routinely includes a review of relevant risks and alternative strategies rather than a simple return-on-investment analysis.'

Phew... there really is a lot of work to do, if that is where a successful risk culture begins.

'Forming a risk committee at the board level is generally at the discussion stage, with a consensus apparently building that a risk committee or the audit committee should take ownership of the process of risk-management (sic), but the responsibility to oversee risks remains a key role of the board at large. Executive level risk committees are more common, and led in some cases by a chief risk officer, a financial officer, or, in other cases, the CEO...

Only a few companies we rate have a chief risk officer with enterprise-wide responsibility reporting to the CEO... most companies have at this point decided that other executives can carry out the functions of a chief risk officer.'

Okay, there is some useful stuff here. Consensus is like a decision-making snowball. People are influenced to make decisions just because it follows the norm established by others, and the more who join the consensus, the greater the incentive for everyone else to follow too. Per this advice, we have some clear directions that others may wish to follow. Ownership should rest with the audit committee or a special risk committee. Either is there to support the full board, which has ultimate responsibility for risk oversight. In practice, risk is more often managed only up to the executive level. If the CEO does not take the lead, then the lead executive for risk management will most likely be from Finance. A small but growing number of non-financial businesses specifically appoint an executive to manage risk.

'We believe that ERM eventually will not be a distinct discipline because it will become integrated with everyday practice.'

That sounds noble, but given the timidity of S&P's comments about the numbers of companies making progress, and the modest rate of progress they are making, you have to wonder how long it will take businesses to evolve from nascent ERM to integrating ERM with everyday practice.

In summary, this update from Standard & Poor's tries its best to look to the future. Even so, it is impossible to avoid the conclusion that S&P has seen only very modest signs of progress in the last couple of years. S&P hint that boards will inevitably learn to appreciate the importance of ERM. However, it may take more shocks to the system to drive a more rapid roll-out of risk management within non-financial businesses.


Posted 08-04-2010 3:36 AM by Eric Priezkalns