Credit ratings for banks, insurance companies and publicly-traded companies are issued by one of three agencies – Standard & Poor’s (S&P), Moody’s or Fitch. Together, these firms account for 95% of credit ratings issued in the world.
Although each of these firms evaluates a company’s ability to handle risks to the enterprise in one way or another, S&P was the first to formalize it as part of an entity’s credit rating. Beginning with financial institutions and insurance companies around 2004/05, S&P expanded its evaluation into the energy industry shortly thereafter.
By 2013, S&P was formally evaluating ERM within all of its management and governance assessments. According to the ratings agency, “corporate enterprises with a deliberate, consistent, articulated, resourced, and integrated approach that effectively identifies, selects, and prudently mitigates risks are more likely to build long-term credit strength as compared to enterprises with a casual, opportunistic, or reactive approach.”
Does this mean that all companies that have an S&P credit rating have mature risk management capabilities?
Hardly so, according to Steve Dreyer of S&P Global Ratings in this interview with the Director of Research for NC State’s ERM Initiative. Of all of the companies S&P evaluates, only 38% received a strong (1) or satisfactory (2) score.
This may seem a little bleak, but Dreyer explains that this number is up from when the agency first began making ERM a formal component in credit ratings.
While it hasn’t resulted in big changes with ratings, Dreyer explains that including ERM formally rather than embedding it in other areas “…definitely helps the conversation” and makes ERM more visible to executives.
What exactly is S&P looking at in their review of ERM?
S&P explains that the ultimate impact of ERM on a firm’s credit rating “…will depend on the risks of the firm, the susceptibility of the firm to those risks, and the capacity of the firm to absorb losses.”
In his interview with NC State, Steve Dreyer explains that companies who are doing ERM well are using methods and techniques that work for them. While they may hire consultants and work off of certain frameworks, companies fit the approach to their culture and internal language, not the other way around. (Check out this earlier article on tailoring ERM to fit the organization.)
With this caveat in mind, S&P evaluates a company’s ERM initiative within a general framework that includes the following four major components:
- Risk Management Culture & Governance – This component looks at the status of the risk management function within the organization, plus whether the entity has established risk tolerances and how they are applied to decision-making at all levels. Also, S&P will assign a higher rating for companies who clearly communicate risks and risk management to different business units. (Check out this earlier post on using risk appetite and risk tolerances for decision-making.)
- Risk Controls – This component evaluates risk control processes. S&P believes that a company achieves risk control by not only identifying, measuring, and monitoring risks, but also by setting limits and enforcing them through avoidance, transfer, offset or some other risk management process. Within this component, S&P also examines the alignment of overall risk tolerances with specific risk limits. (Do you know the four possible risk response strategies?)
- Emerging Risk Preparation – Risks that are new, extremely rare, or unknown cannot be managed through a risk control process. Therefore, S&P also evaluates how well a company is using trend analysis, stress testing, environmental scanning, contingency planning, risk transfer, and more to look into the future. Depending on the type of business, S&P will also look for evidence on how well a company is planning to cope before, during, and after an event. (Learn more about how General Motors approaches this area.)
- Strategic Risk Management – The fourth and final component examines how well risks and risk management processes are embedded into the organization’s strategic decision-making process. Procedures related to strategy that can be affected by risk(s) include capital budgeting, business planning, performance measurement, product management, acquisitions and divestitures, dividend practices and incentive compensation. (Here are a couple of earlier articles on this topic for some guidance: ERM as a Strategic Tool and Factoring Risk into Strategic Planning.)
Upon evaluating these 4 criteria, S&P analysts will assign a final rating of 1) strong, 2) satisfactory, 3) fair, or 4) weak for the company’s ERM function.
Just because S&P formally includes ERM in a company’s credit rating doesn’t mean the other large agencies ignore it.
“Risk management is listed as a consideration in determining the stand-alone rating for [a] company. It’s not an explicit factor,” states Neil Strauss of Moody’s Investors Services, Inc. “We have our methodology – we do discuss risk management.”
James Auden of Fitch Ratings, Inc., the smallest of the “big-three,” explains “How companies really identify the risks they face and measure them and how they set risk appetites – it kind of all works together and is embedded in our rating process.”
While S&P credit ratings pertain to larger, publicly-traded companies, it’s possible that lenders to mid-size or even small companies will evaluate a company’s risk management activities in the future.
If your company receives a credit rating from S&P, Moody’s, or Fitch and you’re one of the 60-plus percent who received a fair or weak score, it may be time to revamp or establish a program so your credit rating isn’t hampered.
To learn more about establishing an ERM program or understanding the differences between ERM and traditional risk management, continue browsing. And if you would like to discuss your individual company’s situation, please don’t hesitate to contact me today.