Under fire for its failure to foresee the collapse of the credit markets, Standard & Poor's Financial Services LLP (S&P) announced in 2008 that it would apply enterprise risk management (ERM) measurement to its credit ratings of nonfinancial companies.
By making ERM an explicit element of S&P's management analysis of companies, the argument went, its credit ratings would become more prospective -- and perhaps head off the kind of fiscal crisis that has upended the global economy.
The plan to add an ERM measurement is taking more time -- and has proved more challenging -- than anticipated, according to Steven Dryer, S&P's managing director. "I am disappointed we are not further along. Our plan was by this time to be more explicit with these management opinions [on ERM]," Dryer said.
Part of the delay is that S&P is still dealing with the fallout of the recession, focusing much of its time on companies close to or in default. While Dryer may be disappointed with the plan's progress, however, he added that the agency is "not compelled to act hastily" in its quest to include ERM assessments in its ratings. Quantifying a qualitative aspect of a company's financial health, such as an enterprise risk management strategy, is a difficult task, even absent a recession, he said.
How much is risk management strategy worth?
Before S&P could even think about how to quantify enterprise risk management programs, it first had to determine if ERM was a differentiable factor, Dryer said. If its research showed that companies were all on the same plane when it came to risk management -- all of them highly immature or all at a high standard -- that would suggest the current ratings were OK, he explained.
After nearly two years of talking with companies about their risk management, covering everything from their risk management structures to the staff members responsible for risk management, internal and external communication on risk and ERM policies and metrics, Dryer said that S&P analysts have indeed seen that ERM practices and maturity vary across companies.
"But we are struggling with how to value it in terms of our ratings process," Dryer said. "How much value do we put on the fact that Company A seems to be thinking much more diligently and frequently about the things that can go wrong and preparing for them, versus Company B that is good at reacting to things as they occur?" Dryer explained.
And it is taking more time than anticipated to gather the data. S&P rates 3,000 companies worldwide in up to 20 industry sectors and employs 200 analysts. Dreyer estimated that, so far, the agency has interviewed fewer than half those companies about their ERM programs and held in-depth discussions with even fewer -- far short of the due diligence required for analysts to assign a meaningful value to a company's risk management strategy.
Meanwhile, company PowerPoint presentations on risk management programs "can be very far from reality," he said. To gauge management credibility, S&P needs to start benchmarking companies against themselves over time, he said.
S&P is also mining the credit data it has collected on companies for many decades, looking in particular at instances when companies defaulted or for times when a sudden ratings adjustment had to be made because S&P didn't anticipate a problem.
"We can go back and do the postmortems on those -- and over the past year we have another whole batch of defaults to examine -- and ask ourselves the question: 'If we had the ERM reviews in place before these shocks occurred, would we have, or could we have, acted any earlier? Would there have been clues there?'" he said.
The good news, Dryer said, is that in the two years since announcing its plan to include ERM in its credit ratings, even companies that had never heard the term ERM then are now are getting it. At a recent meeting with a chemical company, there were 15 people in the room to talk with Dryer about enterprise risk management strategy, including representatives from legal and human resources.
Don't wait for S&P
Jesper Anderson, co-founder of FreeRisk.org, a new crowdsourcing project that gives investors the open source financial data, algorithms and tools necessary to try out various risk models, has been a sharp critic of the ratings agencies. He has argued that the ratings of these private institutions have, "over time, been written into law," as many state and federal programs are limited to investing in bonds rated as safe by these agencies. Still, he said he applauds S&P's efforts to consider a company's risk management culture when evaluating risk exposure.
"More data is always better. But it is hard to see how they are going to come up with a metric that can be put into their ratings in a way that is robust to different people measuring it and is robust to abuse by companies and the assessors," Anderson said in a SearchCompliance.com podcast interview in July.
Analyst Chris McClean, who covers risk at Cambridge, Mass.-based Forrester Research Inc., said he does not see S&P's reconsidered assessments shaking up the credit markets anytime soon. "I'm not going to tell people to go out and spend a ton of money because S&P is adding an ERM metric," McClean said.
But, he added, there are plenty of reasons besides the credit rating agencies to get going on a formal enterprise risk management strategy. A more consistent approach to risk will improve efficiency. Better metrics will reduce risk exposure.
In addition, financial reforms aimed at making risk more transparent to investors are either here or coming down the pike. They range from the Securities and Exchange Commission's new proxy rules that went into effect March 1 to a proposed bill in the Senate requiring a public company board of directors to have a risk committee.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.