S&P talk about recognising a company’s adoption of standards such as COSO or the Australian/NZ risk standard. Presumably this will also include the new BS31100, although it is not yet published. This will provide a big impetus for companies that are subject to S&P ratings to review their ERM practices. As they helpfully indicate, they see "ERM as:
- An approach to assure the firm is attending to all risks;
- A set of expectations among management, shareholders, and the board about which risks the firm will and will not take;
- A set of methods for avoiding situations that might result in losses that would be outside the firm's tolerance;
- A method to shift focus from "cost/benefit" to "risk/reward";
- A way to help fulfill a fundamental responsibility of a company's board and senior management;
- A toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming; and
- A language for communicating the firm's efforts to maintain a manageable risk profile."
Also of relevance is what they feel that ERM is not, namely:
- A method to eliminate all risks;
- A guarantee that the firm will avoid losses;
- A crammed-together collection of longstanding and disparate practices;
- A rigid set of rules that must be followed under all circumstances;
- Limited to compliance and disclosure requirements;
- A replacement for internal controls of fraud and malfeasance;
- Exactly the same for all firms in all sectors;
- Exactly the same from year to year; nor
- A passing fad.
We could not agree more wholeheartedly.
So what is this going to mean? Helpfully, S&P set out in some detail what this will address:
“Our industry-focused rating analysts will incorporate an ERM discussion into the regular credit reviews on each company, emphasizing risk-management culture and strategic risk management, which are the most broadly comparable and critical of the four areas outlined in our original proposal. In the risk-management culture analysis, discussion topics will include:
- Risk-management frameworks or structures currently in use;
- The roles of staff responsible for risk management and reporting lines;
- Internal and external risk-management communications;
- Broad risk-management policies and metrics for successful risk management; and
- The influence of risk management on budgeting and management compensation.
"In addition, we will incorporate our existing review of governance, accounting policies and issues, and derivatives into this much broader analysis of a company's risk-management culture.
"Under strategic risk management, our analysts will explore:
- Management's view of the most consequential risks the firm faces, their likelihood, and potential effect on credit;
- The frequency and nature of updating the identification of these top risks;
- The influence of risk sensitivity on liability management and financing decisions; and
- The role of risk management in strategic decision making.”
Does this represent the death knell for the overview Turnbull approach to risk management, which has merely scratched the surface and, in our view, often undermined more wholehearted approaches to risk management? Nigel Turnbull’s suggestion that risk management needed no more than a conversation at the board about the top-10 risks does not look like it will fit comfortably with the approach adopted by S&P.
All of this of course will need some review by S&P. They say: “While we cannot audit assertions by company managers about their ERM procedures, we will closely examine the consistency between their statements and historical performance. We will specifically inquire about how they handled actual risks in the past. A discussion of ERM will become a regular part of our follow-up after significant drops in earnings or losses, significant restatements of past financial results, or material impairment losses and write-downs. Our discussions with managers about ERM will be to understand how consciously they have taken and retained risks and why they are comfortable with their net risk positions.”
So how much change will this represent? As S&P themselves conclude:
“Just as the introduction of ERM for a company is unlikely to radically change extant decision-making processes, we do not see ERM analysis radically altering our existing credit rating opinions. Its value will be incremental in most cases, negligible in a few, and eye-opening in some others. We expect that ERM analysis will drive some rating and outlook changes, but not before we have been able to benchmark companies against each other and over time.”
SO IS THIS THE BIGGEST DRIVER FOR RISK MANAGEMENT THAT WE HAVE SEEN? And will it help to address the questions that were being discussed below?