Still reeling from its failure to spot the subprime-mortgage crisis, Standard & Poor's is nonetheless moving ahead on a long-discussed plan to dissect enterprise risk management (ERM) practices at non-financial companies. But will S&P be able to gain enough visibility to assess something that executives have trouble defining, much less practicing?
S&P plans to address four components of ERM it considers common to all industries: risk-management culture and governance, risk controls, emerging-risk preparation, and strategic management. Its goal is to factor such analysis, as well as an examination of industry-specific risk, into its ratings so it can anticipate major blowups before they happen. "We want to get a sense of a company's resiliency and ability to respond to regulatory risk, lawsuit risk, terrorism risk — things that cause companies to go under," says managing director Steve Dreyer.
The ratings agency's final assessment will be based largely on interviews with senior managers. How heavily ERM is weighted in a company's credit rating will vary by industry, and by the company's capital position and risk exposure, S&P says.
Some experts are skeptical about relying on company executives for a complete ERM analysis. "It's not uncommon for a CEO to believe he has an ERM process and think his direct reports are on top of risk when that's not the case," says Richard M. Steinberg, CEO of Steinberg Governance Advisors.
Dreyer agrees. "We can't interview every employee to be sure they have drunk the Kool-Aid with regards to risk-management culture and practices," he says. But S&P can look for proof of adoption of company policies in organizational structures and communications, he says. The bottom line: ERM analysis is, like ERM itself, still a work in progress.