ERM Now Formally a Factor in Credit Ratings Issued by Top Agency

Credit ratings for banks, insurance companies and publicly-traded companies are issued by one of three agencies – Standard & Poor’s (S&P), Moody’s or Fitch. Together, these firms account for 95% of credit ratings issued in the world.

Although each of these firms evaluates a company’s ability to handle risks to the enterprise in one way or another, S&P was the first to formalize it as part of an entity’s credit rating. Beginning with financial institutions and insurance companies around 2004/05, S&P expanded its evaluation into the energy industry shortly thereafter.

By 2013, S&P was formally evaluating ERM within all of its management and governance assessments. According to the ratings agency, “corporate enterprises with a deliberate, consistent, articulated, resourced, and integrated approach that effectively identifies, selects, and prudently mitigates risks are more likely to build long-term credit strength as compared to enterprises with a casual, opportunistic, or reactive approach.”

Does this mean that all companies that have an S&P credit rating have mature risk management capabilities?

Hardly so, according to Steve Dreyer of S&P Global Ratings in this interview with the Director of Research for NC State’s ERM Initiative. Of all of the companies S&P evaluates, only 38% received a strong (1) or satisfactory (2) score.

This may seem a little bleak, but Dreyer explains that this number is up from when the agency first began making ERM a formal component in credit ratings.

While it hasn’t resulted in big changes with ratings, Dreyer explains that including ERM formally rather than embedding it in other areas “…definitely helps the conversation” and makes ERM more visible to executives.

What exactly is S&P looking at in their review of ERM?

S&P explains that the ultimate impact of ERM on a firm’s credit rating “…will depend on the risks of the firm, the susceptibility of the firm to those risks, and the capacity of the firm to absorb losses.”

In his interview with NC State, Steve Dreyer explains that companies that are doing ERM well are using methods and techniques that work for them. While they may hire consultants and work off of certain frameworks, companies fit the approach to their culture and internal language, not the other way around. (Check out this earlier article on tailoring ERM to fit the organization.)

With this caveat in mind, S&P evaluates a company’s ERM initiative within a general framework that includes the following four major components:

  1. Risk Management Culture & Governance – This component looks at the status of the risk management function within the organization, plus whether the entity has established risk tolerances and how they are applied to decision-making at all levels. Also, S&P will assign a higher rating for companies that clearly communicate risks and risk management to different business units. (Check out this earlier post on using risk appetite and risk tolerances for decision-making.)
  2. Risk Controls – This component evaluates risk control processes. S&P believes that a company achieves risk control by not only identifying, measuring, and monitoring risks, but also by setting limits and enforcing them through avoidance, transfer, offset or some other risk management process. Within this component, S&P also examines the alignment of overall risk tolerances with specific risk limits. (Do you know the four possible risk response strategies?)
  3. Emerging Risk Preparation – Risks that are new, extremely rare, or unknown cannot be managed through a risk control process. Therefore, S&P also evaluates how well a company is using trend analysis, stress testing, environmental scanning, contingency planning, risk transfer, and more to look into the future. Depending on the type of business, S&P will also look for evidence on how well a company is planning to cope before, during, and after an event. (Learn more about how General Motors approaches this area.)
  4. Strategic Risk Management – The fourth and final component examines how well risks and risk management processes are embedded into the organization’s strategic decision-making process. Procedures related to strategy that can be affected by risk(s) include capital budgeting, business planning, performance measurement, product management, acquisitions and divestitures, dividend practices and incentive compensation. (Here are a couple of earlier articles on this topic for some guidance: ERM as a Strategic Tool and Factoring Risk into Strategic Planning.)

Upon evaluating these 4 criteria, S&P analysts will assign a final rating of 1) strong, 2) satisfactory, 3) fair, or 4) weak for the company’s ERM function.

Just because S&P formally includes ERM in a company’s credit rating doesn’t mean the other large agencies ignore it.

“Risk management is listed as a consideration in determining the stand-alone rating for [a] company. It’s not an explicit factor,” states Neil Strauss of Moody’s Investors Services, Inc.  “We have our methodology – we do discuss risk management.”

James Auden of Fitch Ratings, Inc., the smallest of the “big-three,” explains “How companies really identify the risks they face and measure them and how they set risk appetites – it kind of all works together and is embedded in our rating process.”

While S&P credit ratings pertain to larger, publicly-traded companies, it’s possible that lenders to mid-size or even small companies will evaluate a company’s risk management activities in the future.

If your company receives a credit rating from S&P, Moody’s, or Fitch and you’re one of the 60-plus percent who received a fair or weak score, it may be time to revamp or establish a program so your credit rating isn’t hampered.

To learn more about establishing an ERM program or understanding the differences between ERM and traditional risk management, continue browsing. And if you would like to discuss your individual company’s situation, please don’t hesitate to contact me today.

4 Comments

  • Tim Nauheimer
    July 21, 2017 4:25 pm

    Carol, Just as an FYI, Insurer ERM assessments have five components to them. The four you mentioned plus Risk Modeling, i.e., the use of capital modeling. Also, insurance is the only sector where a separate formal ERM assessment is conducted as part of the ratings process. The final ERM scoring scale is as follows for insurers:
    Very Strong
    Strong
    Adequate w Strong Risk Controls
    Adequate
    Weak

    The separate management assessment scale is 1) strong, 2) satisfactory, 3) fair, or 4) weak.

    The ERM score is combined with the management assessment score to arrive at a combined score using the same scale as the ERM scale above. The score can give issuers a notch uplift or notches downward depending on the score.

    • Tim – Thanks for such a great comment and clarification on this topic! I really appreciate your additional insights into how ERM can affect the credit rating for insurers.

  • Very interesting article, thank you for this. Is it possible to map the ERM score to the S&P rating, such that we could say that on average, a 1 score has an x% higher probability of receiving a AAA rating; and 2 has an xx% chance of a AAA rating, etc?

    This to me would be the opportunity to place a concrete value in terms of market confidence, in the assessed value that ERM provides.

    • Hi, Daniel. Thanks for your comment and question. Unfortunately, I don’t have the answer to this question, but I have reached out to S&P to see if this information can be provided. If so, I will update the post accordingly.

