There are certainly many who still resist the notion. I maintain, however, that all industries can benefit from some more rigorous form of risk management that fits their culture and mission.
While rating agencies should not be the singular driver for adoption of formal risk management strategies by any entity, credit rating impacts are certainly a sharp-edged motivator. Having said that, Standard & Poor's has already shot itself in the foot by documenting its view that "just as a company's introduction of ERM is unlikely to radically change its current decision-making processes, we don't see ERM analysis radically altering our existing credit-rating opinions."
This can be viewed either positively or negatively, but it certainly undermines S&P's stated intent to drive more commitment to enterprise risk management in nonfinancial industries. Nevertheless, many other third parties, most particularly regulators and company boards, are focusing on a more effective approach to risk management. They want a better understanding of the tie to performance outcomes. I've always said that a risk isn't a risk unless it threatens an objective.
In May of 2008, S&P confirmed its intent to continue to broaden its focus on ERM in nonfinancial services industries and to begin incorporating its findings in its credit-rating reports in 2010. Elements of its focus at that time (the S&P ERM team has largely turned over since then) included:
-- Clarity of expectations among management, shareholders, and the board about which risks the firm will and will not take.
-- Importance of avoiding situations that might result in losses that would be outside the firm's tolerance.
-- A shift in focus from "cost/benefit" to "risk/reward".
-- The fundamental responsibility of a company's board and senior management for risk oversight.
-- An intelligible language for communicating the firm's efforts to maintain a manageable risk profile.
Its report goes on to state that "S&P's decision to focus explicitly, for the first time, on enterprise risk management (ERM) for nonfinancial companies is a recognition that the numbers alone don't tell the whole story of company stability and creditworthiness." It urges companies of all types to acknowledge the multifaceted character of the total risk environment and to foster a culture of risk resilience.
Evidence outside rating agencies on the state of ERM is reflected in a study conducted by the ERM Initiative at North Carolina State University in 2009. Key findings suggest a number of disappointing conclusions such as:
-- Just over a third of respondents (36 percent) note that they were caught off guard by an operational surprise "Extensively" or "A Great Deal" in the last five years.
-- 44 percent of respondents have no enterprise-wide risk management process in place and have no plans to implement one.
Companies that truly employ ERM appreciate the importance of going beyond only quantifiable risks.
Call it what you want: risk outcomes affect performance outcomes, and the latter is what every organization at its core is about. Delivering the mission successfully and consistently is at least in part a function of effective risk management.
CHRIS MANDEL is principal of Excellence in Risk Management LLC and is a long-term senior risk manager and former president of RIMS.
October 15, 2010
Copyright 2010© LRP Publications