Point of view: S&P’s fresh look at risk

A company’s credit rating will reflect its ability to handle risk*
Standard & Poor’s is refining its ratings process to include a review of enterprise risk management as practiced at non-financial companies.

 

Highlights

A rating change directly affects borrowing costs and investor confidence.

Organizations face an increasingly complex risk environment.

ERM provides a forward-looking framework that encourages a culture of performance and enhanced risk management.

  

Setting a new direction in credit ratings
S&P’s decision to focus explicitly, for the first time, on enterprise risk management (ERM) for nonfinancial companies is a recognition that the numbers alone don’t tell the whole story of company stability and creditworthiness.

Acknowledging the multifaceted risk environment
The complex world of global commerce has brought many rewards but also many challenges. The ability to recognize new challenges and respond confidently is the hallmark of adept management.

Fostering a culture of risk resilience
For all industry sectors, S&P’s ERM analysis will initially focus on Risk Management Culture and Strategic Risk Management.

Securing rewards in borrowing power and reputation
With S&P’s enhanced approach to credit ratings, a high score will speak to corporate stability in the broadest sense. Cost of capital will be controlled even in a constrained environment. In addition, strengthened investor confidence will contribute to operational agility.

Risk preparedness is ever more vital to business well-being

In a world interconnected as never before, the implications for business risk are significant and constantly emerging. Today, a problem on one side of the globe—a crop failure, an earthquake, an oil spill, a coup, a faulty supply chain or vendor—can radiate out with stunning swiftness and force to other regions, and threaten to undermine even strong enterprises. The very success of global commerce contains within it a heightened exposure to more frequent, more far-reaching risks. The current financial crisis offers a painful example.

Among nonfinancial companies, S&P sees
ERM as a function that is still finding its place in the boardroom and with management.

A new dimension

When risk and uncertainty beset some of the most respected names in the business world, the importance of a strong credit rating has never been clearer. The credit rating agency Standard & Poor’s has responded by extending its review process to embrace enterprise risk management (ERM) as it applies to nonfinancial companies.

This step is a new undertaking for Standard & Poor’s. The full effects will emerge during 2009 as S&P enters exploratory discussions on ERM with issuers. The financial sector is historically well-versed in the requirements of a disciplined ERM structure. S&P credit ratings there have included an ERM component since 2005, allowing the proper assessment of the creditworthiness of companies that are especially vulnerable to trading volatility, currency swings and international commodity fluctuations.

Large manufacturers, automakers and similar capital-intensive companies, particularly, are acutely aware that the rating bears directly on borrowing costs. Investors demand the assurance and transparency of a highly rated company. And a substandard evaluation in this area can lead to a disadvantage in the competition for
investor dollars. Borrowing costs escalate.

Responding to greater risk

Among nonfinancial companies, S&P sees ERM as a function that is still finding its place in the boardroom and in management. Recent events—the subprime mortgage crisis, the deleveraging of financial institutions and the supply chain breakdowns linked to Asian vendors—demonstrate forcefully that disruptions can arise suddenly from unexpected quarters.
It is this sort of unanticipated risk that ERM is intended to uncover and mitigate.

S&P announced this change in May 2008. In the current phase S&P is in discussions with ratings clients, as part of regularly scheduled review meetings, to gather information on how companies have taken on risks and why they are comfortable with their risk positions. The discussion phase is part of a staggered implementation that is not intended to produce a formal score. S&P expects to start scoring in 2009, after conducting enough reviews to permit reliable benchmarking and publishing evaluation criteria. Formal scoring will take the form of a four-level assessment: excellent, strong, adequate and weak.

Culture and strategy

S&P intends to look at two broad areas: risk management culture and strategic risk management. Risk management culture concerns the tone setting and ethical environment in place at all levels. These touch upon lines of reporting, internal and external risk management communications and policies that reinforce risk management.

Strategic risk management addresses managerial decision making—determining how management weighs risk in terms of likelihood, potential effect on credit, liability management and financing decisions.

S&P plans to ask specifically about a client’s handling of risks in the past and to look for consistency between managers’ statements about ERM capabilities and historical performance.

Tangible rewards for comprehensive risk resilience.

Today’s risk environment is all-encompassing and multifaceted. It demands agile risk management, constantly alert to emerging threats from unexpected fronts.

ERM helps companies navigate the hazards, and Standard & Poor’s is now underscoring the importance of that role in a new way. PwC believes that the S&P initiative to incorporate ERM reviews in its credit ratings for nonfinancial clients will help management and shareholders understand and confront the widening world of risk.

The value of a positive ERM score will be felt directly in its effect on cost of capital and indirectly but powerfully in a firm’s risk resilience reputation.

Bottom-line risk

The value of a positive ERM score will be felt directly in its effect on cost of capital and indirectly but powerfully in a firm’s reputation. Cost of capital is easily quantified. It is a crucial component to the success of any enterprise, but particularly those that rely on borrowing to fuel innovation and growth.

The reputational aspect of ERM is more elusive but no less valuable. S&P recognizes its centrality by presenting risk management culture as a focus of its assessment. S&P will be looking at risk management structures already in place, staff roles and reporting lines, broad company policies and how risks are communicated.

The right culture is critical

PwC views risk management culture as the hub of effective risk management. Put simply, it’s critical to possess a culture in which the right people do the right thing at the right time regardless of circumstances. No matter how sophisticated the systems or controls, the underlying culture must be committed to ethical decision-making.

Differences among industries

In scoring, it is unlikely that all industry sectors will be equally affected, or at least in the same time frame. S&P plans a staggered introduction of ERM scores as it works to establish benchmarks in various industries. Energy and commodity companies with extensive trading will likely undergo ERM evaluations similar to that of financial institutions.

S&P has said it will account for sector-specific risk management. For companies exposed to a specific single risk, as in commodity price risk in agribusiness, S&P intends to perform a more in-depth review focused on managing that particular risk.

Leading a critical discussion

PwC urges boards and management to respond thoughtfully to the S&P initiative. Managers should be prepared to lead discussions with rating agencies by outlining their ERM initiatives and candidly pointing to strengths, weaknesses and remediation efforts.

To help prepare for ERM discussion and evaluation with S&P, companies should consider:

  • Performing a self-assessment of the current ERM framework, to arrive at a clear understanding of capabilities; determining the major risks facing the firm.
  • Establishing or showing progress toward a strong risk culture that incorporates effective risk governance.
  • Approaching the S&P ERM evaluation as an opportunity to create value by showing sustainable ERM capability to the rating agency, thus achieving an upgrade or defending against a downgrade.

Doing less carries a price in borrowing costs and reputation. A favorable rating and a favorable reputation are hard won advantages, and if lost, both are hard to reclaim.

Achieving risk resilience: Beyond S&P scoring

Finally, implementing an ERM process that meets the credit rating standard is a worthy but incomplete goal. Successful companies will need to look beyond S&P scoring to incorporate all the elements of the ERM framework designed to foster a cohesive culture of core values, integrating an understanding of risk throughout an organization. More than being creditworthy, these companies will be truly risk resilient.

Laying the groundwork for risk readiness and commitment.

Q&A

Q: How can my company prepare for the ERM discussion and ratings process with S&P?

A: The ERM evaluation is an opportunity to establish a comfort level with the ratings agency as it adds a new dimension to its assessment of enterprise stability and the readiness of your own risk management capability. Management can prepare by:

  • Leveraging work already done on ERM.
  • Performing a robust risk assessment that goes beyond business-as-usual and includes emerging risks.
  • Evaluating, and being able to articulate, the inherent strengths and weaknesses of the current ERM capability.
  • Assessing the state of the company’s risk management culture.
  • Demonstrating that ERM influences strategic planning.
  • Preparing an action plan to improve the S&P ERM rating, secure an upgrade or defend against a downgrade.
  • Developing a presentation that demonstrates ERM progress to S&P.

Q: What is the board’s role?

A: Boards must first recognize the S&P pronouncement is meaningful in that a direct relationship is being established between ERM assessments and credit rating decisions. Boards can begin by seeking assurance from management that an effective ERM framework is in place and that management is prepared to champion the current ERM environment to the rating agency.

Q: How are the scores defined and when will they be applied?

A: The ERM scores will be presented in four levels: excellent (lowest risk), strong (slight risk), adequate (moderate risk) and weak (highest risk). S&P has said that formal scoring of ERM capabilities will be deferred until the agency has conducted a sufficient number of reviews across sectors to permit reliable benchmarking and publishing of evaluation criteria. This could be well into 2009.

Q: When will credit ratings be affected by the ERM evaluation, and how extensive would any changes be?

A: According to S&P, the agency will not be able to determine ratings and outlook changes until the agency has been able to benchmark companies against each other and over time. While S&P anticipates that the value of ERM analysis will be incremental in most cases, it does expect in rare instances to find eye-opening results.

Q: Will this all come down to compliance and checklists rather than demonstrating robust ERM?

A: That appears unlikely. From the beginning, S&P has taken pains to assure its clients that ERM evaluation will not be a “check the box” exercise but rather one that requires companies to anticipate new and emerging risks that have not yet occurred. No rigid set of rules will be established to follow under all circumstances.