Beginning in September 2008, S&P widened the scope of its analysis of some nonfinancial companies’ management teams and started reviewing their ability to identify, monitor, and manage key risks. It also started looking at a firm’s risk culture and its ability to communicate risk throughout the organization. Here is S&P’s viewpoint on the current state of ERM in most organizations:
“Managing enterprise-wide risks and capitalizing on opportunities are fundamental responsibilities of senior executives at all firms. Standard & Poor’s Ratings Services’ corporate credit ratings include evaluations of those managers’ strategies, effectiveness, and credibility. These evaluations help us develop forward-looking opinions on credit strength by supplementing our fundamental analysis of the company’s business and financial risk profile. Beginning in September 2008, we widened the scope of our analysis of some non-financial companies’ management to enhance our review of managers’ ability to identify, monitor, and manage key risks — those endemic to its industry and those that managers elect to take when running their businesses. Specifically, we started to look at how a firm’s culture (communications, structures, incentives, and risk appetite) affects the quality of its decisions and at the role risk considerations play when making strategic decisions. The public spotlight on risk management has intensified since we began this initiative.” (S&P Report, June 24, 2010, “Looks Further Into How Nonfinancial Companies Manage Risk”)
What is the current state of ERM in most organizations that S&P reviewed? At companies that have a formal ERM program, the program is generally at a nascent stage. The most common approach is to maintain a risk register or heat map that classifies top risks by likelihood and impact, along with a mitigation strategy for each. Fewer companies assign specific ownership for key risks, develop alternative mitigation strategies, and communicate risk tolerance clearly across their organizations. Very few of the companies reviewed are fully imbued with a culture that integrates risk assessment into strategic decision-making, clearly communicates risk appetite to internal and external stakeholders, and has a fully engaged and risk-astute board of directors overseeing risk.