ERM’s Financial Strength

February 28, 2007 | Last updated on October 1, 2024
Susan Meltzer, Assistant Vice President, Risk Management, Aviva Canada

There has been considerable discussion over the past few years about the factors leading to the emergence of enterprise risk management (ERM) and why organizations may want to embed the discipline into their business practices. These factors include corporate governance guidelines, corporate scandals arising out of accounting issues, regulatory requirements, litigation and shareholder activism and the influence of institutional investors. As a result, ERM has become known as a “best practice” for organizations, and yet still it is somehow viewed as “optional.”

Following these developments (which have encouraged organizations to think about incorporating ERM), Standard & Poor’s (S&P) has announced it will include ERM in its assessment of a company’s financial strength and evaluate ERM practices in its ratings of publicly traded companies. This means ERM is no longer an option for publicly traded organizations.

The time for discussion of the benefits of adopting ERM is over. Risk managers must begin to serve their organizations by implementing and designing ERM programs that will address the factors leading to the emergence of ERM. They must also contribute to the assessment of the financial strength of the organization.

S&P is not new to this type of assessment. They published a document in October 2005 entitled “Insurance Criteria: Evaluating the Enterprise Risk Management Practices of Insurance Companies.” In other words, they have now gone through an entire cycle of including ERM as an assessment of the financial strength of insurers, allowing them a “more prospective view of an insurer’s risk profile and capital needs.”

As S&P reviews ERM as a part of its ratings process, organizations will be required to demonstrate strong indicators of risk control. These include risk identification, risk monitoring, documented limits and standards and programs in place to manage the risks that the company takes. Of particular interest, in the insurance company model, there is a reference to the need for formal risk learning that is a “loss post-mortem process to determine if the processes need improvement.”

What does this mean for risk managers? It is generally accepted there is no one right way to design and implement ERM for an organization. Having said this, a wide range of industry associations, consultants, regulatory authorities and other organizations have proposed dozens of ERM models and frameworks.

Still, there is one tried and true methodology for establishing a comprehensive risk management program: risk managers can use the methodology of risk management that has been employed since the 1960s to manage hazard risks – that is, the five steps of risk management: identification, assessment, selecting and implementing risk management techniques, reporting on risk and monitoring the risk management program. Using this traditional approach – albeit keeping in mind a broader perspective and an expanded definition of risk – is a strong foundation for building a successful ERM program.

It cannot be emphasized enough that the first step of risk management is the most important one; that is, the identification of risks. In an ERM context, this means identifying all of the material or significant risks that can impede the business objectives of the organization. This can best be accomplished by conducting risk workshops with senior management to identify the risks of their areas of accountability. After prioritizing these risks, a risk map can be created for the purpose of reporting and monitoring the risks that have been identified.

The risk manager now has support for the argument of expanding the risk management program into an ERM framework. Previously, a number of factors caused organizations to adopt the discipline. The benefit of strong credit ratings through the S&P ERM evaluation goes directly to shareholder value and the raison d’être of publicly traded organizations. ERM is no longer an option!