Standard and Poor’s published their progress report on their integration of Enterprise Risk Management analysis into their non-financial corporate credit ratings evaluations. In observing company performance during the ongoing economic and financial difficulties, S&P has noted that effective or ineffective risk management is often cited as the root of success or failure.
This is in sync with the recent announcements by the SEC and other regulators to extend their risk management disclosure requirements to focus on the gap between executive management and their front line of managers. The consensus is clear: companies need an ERM infrastructure to manage tolerances for risks within each process area that may materially impact the organization, and to disclose how compensation policy has changed from paying for activities to rewarding risk management competency.
Further evidence that an ERM infrastructure is needed can be found in the RIMS State of ERM Report. It states that organizations that have built their ERM infrastructures using the 25 competency drivers in the RIMS Risk Maturity Model for ERM were proven to have higher credit ratings and better business performance than those that did not.
If you want to learn how to put an ERM infrastructure in place, or to improve your current ERM program and increase your risk management competency simply and practically, use the complimentary RIMS Risk Maturity Model for ERM, which can be downloaded at www.rims.org/rmm. This resource uses an ERM assessment technique to help you identify the gaps between your current risk management efforts and best practice, and then provides a report with specific, actionable next steps based on your answers.
The key findings released by Standard & Poor’s as a result of their enterprise risk management evaluations with companies reinforce the need to take action.
- Most companies are unable to provide clear examples of definitions for risk tolerance or risk appetite and find it difficult to ensure uniform behavior across the enterprise.
- A majority of companies suffer from “silo-based” risk management.
- Companies with a true enterprise-wide approach to ERM appreciate the importance of going beyond only quantifiable risks or top 10 risks and understand the importance of emerging risks.
- The ERM function’s reporting line is typically to the CFO or the CEO, often with a direct line of communication to the board of directors, commonly to the audit committee.
- Standard & Poor’s cites a compliance-driven push toward ERM as a possible danger.
The full report can be found on Standard & Poor’s website, www.erm.standardandpoors.com.