December 15, 2008 | Tony Chapelle
Boards, concerned about the health of their companies, have even more reason to shore up their efforts at risk oversight.
A new report from industry trade group Risk and Insurance Management Society (RIMS) has shown for the first time a statistical correlation between a company’s credit rating and its ability to handle risk.
In one of its strongest conclusions, RIMS says it found that companies that had higher credit ratings tended to have more competent enterprise risk management programs as well. Conversely, the report found that organizations that didn’t have formal risk management programs at all had lower credit ratings.
The report also pinpoints certain areas boards can focus on to ensure their companies have competent risk management programs, such as whether senior managers pay attention when rank-and-file employees spot problems.
RIMS is touting the report, which outlines the 25 drivers and 65 indicators of a mature risk program, as a best-practices blueprint for enterprise risk management in all types of companies. The information comes at a time when boards are focusing more on risk oversight in the wake of the financial crisis.
RIMS researchers reached their conclusions after running blind tests to determine the level of risk management maturity at companies with the best and worst credit grades. “Credit ratings are not only a short-term direct cost of capital, but a concrete measure of business performance,” according to the report.
The corollary is also true, says the author of the study. “If you want a higher credit rating and better business performance, then increase your risk management competency,” says Steven Minsky, who is also chief executive of LogicManager, a risk management software provider.
That advice is the flip side to the new rating policy being launched by Standard & Poor’s. In mid-2009, that credit rating agency will begin grading non-financial companies based on how well they’ve integrated risk management processes into their enterprises. Such action assumes that ERM has influence on a company’s financial health.
James Duffy, a director at Allied World Assurance, says the news from the RIMS report is “not rocket science.”
“It’s a very basic business process,” says Duffy, who is a retired chairman and CEO of St. Paul Reinsurance Group. “If someone pay[s] their bills on time and they’re prudent in managing their financial affairs to balance debt against their net worth, then they’re in a healthier financial position to attract capital at a lower rate.”
From meeting risk executives at companies such as H.J. Heinz, Fidelity Investments, Dow Chemical, Bank of America and Microsoft, Bonnie Hancock says she’s heard many say that one benefit of ERM is that it reduces volatility. That allows for more predictable results including more predictable cash flows, a key factor in being able to pay debts. “That’s at the heart of why S&P is [going to include ERM] in its ratings,” says Hancock, who is the executive director of the Enterprise Risk Management Initiative at North Carolina State University.
The study’s researchers, who surveyed risk practitioners at 564 companies and organizations, found that the highest credit ratings were correlated to companies that employed three key risk management detectors. One of those was whether the risk management culture included input from front-line employees who whistled out risks that they saw in their daily work.
In defining its criteria for identifying better-managed companies, the study referred to standards set by Moody’s Investors Service and other corporate credit rating agencies. It defined better-managed companies as those having higher credit ratings; better-performing companies meant those having fewer credit defaults.
Officials at RIMS say the group’s new blueprint represents the standardized model that could span every industry’s risk. “A mature process will have repeatability and scalability,” says Carol Fox, the chair of the ERM development committee at RIMS and a senior risk management director at Convergys.
Many directors are waiting for such a standardized model. One of them is Stuart Levine, who is lead director at Gentiva Health Services and a director at Broadridge Financial Solutions.
“It [would] provide the board with the four or five most important risk metrics and populate board culture with a robust understanding of risk. That will strengthen shareholder confidence.”