Yet that hasn't stopped the agencies from rating risk management.
Standard and Poor's has, since 2006, been rating selected companies for their performance and capabilities in enterprise risk management (ERM). There were four outcomes: weak, good, strong or excellent.
S&P has now rated hundreds of companies using regularly evolving criteria. Still, as of the end of 2009, only 3 percent of rated companies achieved an ERM assessment of "excellent." As S&P's approach continues to evolve, other ratings agencies haven't followed suit. This is not to say that they don't consider risk-management performance an important component of their assessments; they just haven't drawn it out separately like S&P.
In a February 1, 2010 paper published by S&P, a direct correlation is shown between stock price performance and S&P-issued ERM ratings for insurers. Though 2008 stock performances for insurers were negative, those insurers with higher ERM ratings showed consistently smaller stock price declines than those rated otherwise. S&P's view is that a more robust ERM program has a particularly mitigating effect during periods of high financial stress, such as that of the last two years.
So how does S&P define ERM excellence now? While the definition above may not have changed, the underlying ratings criteria have continued to evolve, though with much overlap with the original criteria set forth by S&P in 2005-06.
In fact, the primary change has been the more expansive set of criteria with a more detailed focus. S&P launched "Level II Reviews," which drill down into five key components of their framework. These components begin appropriately with "risk culture."
Where risk culture per se was not an explicitly rated element in 2006, it now takes center stage and S&P expects it to "permeate" the organizations that are rated excellent in ERM. Some of the key elements of risk culture are: ERM departmental independence, a thoroughly understood risk profile with evidence of a clear risk appetite statement approved by the board, and further, evidence of managed risk tolerances against this appetite and evidence of a tie between risk decisions taken and the incentive compensation structure.
The second plank of S&P's criteria relates to controls. Some of the considerations here include: written policies for hard and soft risk limits, use of risk and control self-assessment, evidence of learning from past mistakes, complete identification of material risks, and frequent risk reporting and effective use of metrics and dashboards.
S&P also wants to know that a company has an effective process for identifying and taking action against "emerging risks." Elements of focus include: board reporting on related risks, consistent collection of relevant information, an effective early warning system, evidence of effective actions to mitigate emerging risks and understanding of the potential impact on the firm should they become more likely to occur.
A final concern is a company's ability to manage risk strategically. While this connects to the risk culture, the central theme here is evidence of having a balanced risk/reward mentality. Focal points include: evidence of appropriate risk prioritization, consistent use of risk measurements and other metrics.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society.
May 1, 2010
Copyright 2010© LRP Publications