CHAPTER 25
Rating Agencies’ Impact on Enterprise Risk Management

MICHAEL J. MOODY

ARM, MBA, Strategic Risk Financing, Inc.

INTRODUCTION

There are many important stakeholders that have had an impact on the acceptance of enterprise risk management (ERM). However, one critically important stakeholder group within the financial services sector that has had a profound impact on ERM over the past few years is the rating agencies. Rating agencies have historically assessed the financial strength of a variety of corporate and governmental entities. In essence, they determine the entities’ ability to meet the interest and principal payments of bonds and other debt obligations. The agencies provide the ratings after studying the terms and conditions of each specific debt instrument, as well as the entities’ overall financial condition. As a result, the assigned rating then reflects the agency’s degree of confidence about the specific borrower’s ability to meet the interest and principal payment, as scheduled.

Credit ratings can be used by bankers, brokers, governments, and other interested parties to help determine the creditworthiness of a borrower. For investors, rating agencies can increase the range of investment alternatives by providing easy-to-use measurements of the relative credit risks. In general, this increases the efficiency of the market by lowering the costs to both borrowers and lenders. The key point to the rating provided by the agency is that it will ultimately determine the cost of capital for the entity. So, the better the rating, the lower the cost of capital; obviously, it is extremely important for any borrower to obtain the highest rating possible.

Over the past several years, however, rating agencies have been subject to some criticism for their ratings assignments. In fact, it was a response to this type of criticism following the fall of Enron, et al. that led President Bush to sign into law the “Rating Reform Act of 2006,” on September 29, 2006. As part of revising their rating methodology, the agencies began a more robust risk management regime, such as considering enterprise risk management, and started providing additional assessments on a selective basis.

Today, there are three U.S. general rating agencies: Standard & Poor’s (S&P), Moody’s Investors Service (Moody’s), and Fitch Ratings (Fitch). In addition, there is one specialty agency, A.M. Best (Best), which is only active in rating insurance companies. Rating agencies have been actively involved with defining an ERM methodology in the banking industry, but it was only when they turned to using the methodology in conjunction with rating insurance companies that they began to fine-tune their approach. As a result, the agencies began to take a broader, holistic view of risk management, and the effect that would have on the company seeking the ratings.

One of the primary reasons for the aggressive movement into ERM is that the rating agencies believe that companies with an enterprise-wide view of risks, such as that offered by ERM, are better managed. Several of the agencies have also noted that ERM provides an objective view of hard-to-measure aspects such as management capabilities, strategic rigor, and ability to manage in changing circumstances. In addition, some agencies, such as S&P, believe that positive or negative changes in ERM programs are leading indicators that will show up long before they could be seen in a company’s published financial data.1

The following sections summarize the rating agencies’ ERM rating practices by industry segment: banking, insurance, energy, and nonfinancial entities.

BANKING: GENERAL

Some of the rating agencies have been working with enterprise risk management within the banking industry for a number of years. In Moody’s July 2004 “Risk Management Assessments” publication,2 they emphasized the importance of developing a holistic review of both risk philosophy and risk practices in banks. Moody’s pointed out that they would be moving away from the traditional, discrete risk sectors such as market risk, credit risks, and so on, to a more holistic view of risk management. They further commented on their desire to begin risk reviews on a more holistic basis in their October 2004 paper titled “Governance in the United States and Canada—August 2003–September 2004.”3 Moody’s noted that more organizations continued to move toward an enterprise approach to risk management. The other major rating agencies also signaled an increased interest in ERM. Most of the rating agencies indicated that they would be developing criteria for formally assessing ERM. The major agencies indicated an interest in ERM, but initially it appeared that Standard & Poor’s (S&P) was one of the first to provide specific information regarding their plans for ERM.

INSURANCE: S&P

One of the leaders in promoting the enterprise approach to risk management has been S&P. They completed their first review on the ERM program of an insurer in 2006. S&P noted that when evaluating insurers they look at not only how management defines their risk tolerance, but also how they ensure that it is kept within that level. Further, they also consider the degree that risk management is involved in setting the insurer’s direction and strategic decision making. They also look to see if the ERM practices are being completed in a systemic and consistent way and that an optimal risk/reward structure is achieved. This information is then compared with other peer group organizations.

More specifically, S&P developed an ERM review that evaluates five distinct areas:

  1. Risk management culture: S&P determines if risk and risk management are considerations in the everyday aspects of corporate decision making. Reviewing the effectiveness of the organizational and governance structures, as well as the effectiveness of the risk management communications, is another important part of the corporate culture. This includes an examination of how clearly articulated the risk tolerances are as well.
  2. Risk control: The rater determines if risk control measures have been achieved via identification, measuring, and monitoring of risks. As part of this determination, S&P evaluates the risk control processes for each important risk.
  3. Emerging risk management: Consideration is also given for those risks that either do not currently exist or are not currently recognized. Frequently, these are the risks that are associated with changes in the political, legal, market, or environment, such as nanotechnology or climate change that could become a major problem area for insurers.
  4. Risk and economic capital models: Another important aspect of the review is the flow of relevant information from the insurer’s risk models in relation to its risks. S&P analyzes not only the information, but how the information is used by management. Accordingly, the insurer needs to provide information that is sufficiently accurate, up-to-date, and timely in order to facilitate appropriate risk management decisions and actions.
  5. Strategic risk management: The rating agency examines this key area because it deals with risks, risk return, and how they are incorporated into decision making. Key data is reviewed regarding the insurer’s overall risk profile, as well as other important data concerning capital budgeting, asset allocation, performance measurements, and incentive compensation. This is an important review because other aspects of ERM focus on limiting the downside; however, the strategic risk management focuses more on the upside or reward aspects.

S&P makes an evaluation of the five separate areas as noted above. Once they have concluded this evaluation, they combine the evaluations into a single classification, which is an indication of the agency’s overall rating for the insurer’s ERM program. This assignment of a single classification is determined by S&P by providing a weighted average for each of the five factors according to the specific situation each insurer faces. Thus, according to S&P, the weighting is dependent on the insurer’s individual risks as well as their capacity to absorb losses.4

S&P uses a four-classification system for ERM programs in its insurance company ratings. A summary of the four classifications is:

  1. Excellent: Insurers who are awarded this classification must show that they have advanced capabilities to identify, measure, and manage risk exposures and losses within the company’s predetermined risk tolerances. Additionally, they must demonstrate advanced implementation, development, and execution of ERM parameters. The insurer must also consistently optimize risk-adjusted returns in their corporate decision making.
  2. Strong: Those insurers who qualify for this classification have a clear vision of both their risk tolerance and their overall risk profile, but can periodically experience unexpected losses that are outside their tolerance level. They will have a robust process for identifying risks and preparing for emerging risks. And they usually incorporate risk management into their decision making to optimize their risk-adjusted returns.
  3. Adequate: The insurer has adequate capabilities to identify, measure, and manage most major risk exposures and losses; however, they lack a comprehensive process needed to extend this to all significant risks. The execution of their risk management program is sufficient, but less comprehensive than strong or excellent ERM practices. As a result, unexpected losses are more likely to occur. Although risk management is often important to the insurer’s decision making process, they may fail to prepare for emerging risks.
  4. Weak: Insurers’ risk management programs are considered weak when they have inconsistent or limited capacity to identify, measure, and manage their risk exposures. Their risk management execution is sporadic and as a result losses cannot be expected to be limited to predetermined risk tolerances. Corporate decision making sometimes considers risk management, but frequently business unit managers have yet to adopt an enterprise approach to risk management. As a result, these insurers have incomplete control processes for one or more major risks.

According to S&P, they completed 274 ERM evaluations during 2007 for insurance companies, including property/casualty insurers, health insurers, life insurers, and reinsurers worldwide. Of that number, the majority (83 percent) were rated “adequate.” In addition, 10 percent were rated “strong” and 3 percent were rated “excellent,” but only 4 percent were rated as “weak.” It should be noted that S&P has started to increase some insurers’ overall credit ratings, due in large part to either their “strong” or “excellent” ERM ratings. The reverse is also true, since they have lowered overall ratings on some insurers with “weak” ratings. Since an ERM rating is used as an explicit component in their overall rating methodology, much more attention is being paid to their ERM ratings.5

INSURANCE: MOODY’S

Moody’s Investors Service (Moody’s) has been the least public with regard to how they view ERM. They have indicated that they view their risk management assessment as a portion of a broader program referred to as the “Enhanced Analysis Initiative” (EAI). They have further noted that their EAI analysis is designed to bring additional scrutiny to the creditworthiness evaluation of a company and encompasses five separate areas:

  1. Quality of financial reports—Financial reporting assessment.
  2. Quality of corporate governance—Corporate governance assessment.
  3. Vulnerability to an abrupt loss of market—Liquidity risk assessment.
  4. Existence of material off-balance sheet risks—Off-balance sheet risk assessment.
  5. Quality of risk management practices—Risk management assessment.

Moody’s increased level of interest in the above five areas is the result of recent events that have “demonstrated that high-profile credit defaults, or severe credit deteriorations were often preceded by instances of poor financial reporting, weak governance practices, inadequate risk or liquidity management, or abusive uses of off-balance sheet structures.”6 Of the five areas noted above, Moody’s major emphasis will be on the risk management assessment, because these assessments are much more closely aligned with their fundamental rating process. As a result of this increased emphasis on the risk management assessment, Moody’s indicates that the impact of the assessment will be significant on their rating framework.

As Moody’s began to reexamine their rating methodology, they found that risk management was a much more important aspect than they first believed. They indicated that a corporation’s risk management practices essentially form the company’s first line of defense against potentially devastating effects from various financial risks. They also point out that both risk control practices and risk measurement techniques have been making progress in recent years. Further, Moody’s believes that additional innovation is on the horizon. However, they voice a concern about a lack of risk management uniformity across various industries.

In essence, Moody’s is attempting to “assess the relationship between the firm’s risk appetite and its risk control capacity.”7 As a result, Moody’s ratings would be reflective of their determination on the relative creditworthiness of the issuer. And, as Moody’s points out, their approach emphasizes a holistic view of risk philosophy and practices. Among other things, the risk management assessment will consider such things as the rigor of the process, the buy-in of management, the appropriateness of the measurements, as well as the issue of technical competence. Initially, Moody’s states that they were going to apply their risk management assessment to the financial service sector, but they also note that they would be attending to the nonfinancial issuers at a later date.

INSURANCE: FITCH

According to Fitch, they do not think that ERM is new, and “there is no reason to create another component to Fitch’s rating methodology.”8 As a result, there is no separate or explicit consideration of ERM within Fitch’s rating matrix. They indicate that risk management is just part of their overall review of an insurance company, which would normally include such things as industry, operational, and organizational management as well as financial opinions of the company. Fitch does, however, believe that the improvements that result from ERM have allowed insurers to better control their risks. Further, they have stated that these improvements (i.e., ERM) will begin to affect the competitive landscape of the insurance industry and they think that insurers that have not embraced ERM may be at a disadvantage in the market.

Fitch’s current rating methodology and categories already encompass the essence of ERM, so they saw no reason to develop a new “pillar” or consider ERM as a separate review area or stand-alone category. ERM does allow Fitch to investigate its traditional areas of analysis with a new perspective, which is based on modern risk management practices. Among the key areas of ERM that Fitch will begin to analyze are:

  • Risk governance.
  • Risk tolerance, monitoring, and reporting.
  • Risk assessment—economic capital modeling and catastrophe risk management.
  • Operational risk analysis—including planning for the unknown.
  • Risk optimization.

In mid-2006, Fitch introduced a new economic capital model known as Prism. They believe that economic capital results are an important aspect of ERM since they analyze an insurer’s capital quality. As such, involvement with the Prism model will become a critical aspect of their ERM analysis since it can measure and aggregate risk. Fitch feels that the Prism model can help them assess ERM in several ways: by providing a benchmark in-house economic capital calculation, by aiding in an understanding of the in-house model, and by measuring the effects of strategic actions carried out by management. A major portion of Fitch’s ERM analysis will incorporate its Prism model. In the final analysis, Fitch says that “those insurers who significantly improve risk management, could experience future rating increases as the benefits of their strong ERM become evident.”9

INSURANCE: A.M. BEST

A.M. Best (Best) is a specialty rating organization that limits their rating to the insurance industry. According to their published reports, Best believes that the two primary objectives of a sound risk management program are:

  1. “To manage the organization’s exposure to potential earnings and capital volatility.”10
  2. “To maximize value to the organization’s various stakeholders.”11

However, Best goes on to point out that the objective is not to eliminate risks and volatility, but rather to understand risk and manage it. Best believes that if risk management is done correctly, it “fosters an operating environment that supports strong financial controls and risk mitigation, as well as prudent risk taking to seize market opportunities.”12

According to Best, this has been their position for quite some time; however, the introduction of ERM has resulted in a major change in their view regarding risk management. As they say, “What’s new about ERM, is the ‘E,’ which represents the development of an enterprise-wide view of risk,”13 which allows insurers to consistently identify, quantify and manage risk on a holistic basis.

Thanks in large part to the movement to ERM, Best can now assign an interactive rating that encompasses an in-depth evaluation of an insurer’s balance sheet strength, operating performance, and business profile. This is in sharp contrast to the traditional quantitative and qualitative standards they previously used. As a result, Best’s new view of risk management (i.e., ERM) shows that risk management is the common thread that links balance sheet strength, operating performance, and business profile. A key consideration for Best is the insurer’s “corporate DNA,”14 which is the embedding of risk management into corporate business lines and functional area objectives. In order for this to be correct, the risk-return measures are incorporated into the financial planning and budgeting, strategic planning, performance measurements, and incentive compensation.

One of the major components to Best’s rating review is the “Best’s Capital Adequacy Ratio (BCAR).” This has become an important tool in Best’s rating matrix where they can differentiate between companies since it will indicate whether the insurer’s “capitalization is appropriate for a particular rating level.”15

U.S. ENERGY COMPANIES: S&P

Since April 2006, S&P has expanded its ERM analysis to nonfinancial organizations, when it began assessing the trading risk management practices of U.S. energy companies. They focused on select energy companies’ risk management policies, infrastructure, and methodology (PIM). This allowed S&P to include the PIM analysis along with their established liquidity survey and their capital adequacy methodology.

As explained in S&P’s RatingsDirect “S&P Completes Initial ‘PIM’ Risk Management Review for Selected U.S. Energy Firms,” dated May 29, 2007, the rater is moving from a passive perspective to a more enhanced analytic framework. They point out that the “policies” aspect of the review focuses on the stature of risk management, as well as an assessment of risk appetite, the risk control process, and risk information dissemination. The “infrastructure” portion of the analysis centers around the capture and management of risk data and an assessment of the back office functions. The “methodology” aspect deals with the technology of risk management such as the quality and variety of valuation techniques.

Originally, S&P used 10 energy trading companies to introduce their PIM approach; however, they now continue to expand their analysis to other energy organizations. The PIM analysis has become one of the centerpieces to S&P’s ERM methodology.16

NONFINANCIAL COMPANIES: S&P

Given S&P’s success with ERM analysis within the insurance sector, rumors that they would extend ERM reviews to nonfinancial companies persisted throughout 2007. Then in November 2007, they finally published their “Request for Comment: Enterprise Risk Management Analysis for Credit Ratings of Nonfinancial Companies” (RFC), which outlined their approach to introducing ERM scoring for this target group.17 S&P proposed to revise its current corporate credit rating process to include ERM. In essence, S&P noted that the rationale for this change was due in large part to the fact that they “expect that deterioration or improvement in a company’s ERM quality would potentially drive rating and outlook changes before the consequences are apparent in published financial results.”18 It should be noted that it is this one key belief that has accounted for much of S&P’s commitment to ERM.

S&P requested comments on their overall ERM analytical approach, as well as the value of adding ERM analysis and the particulars of the proposed methodology. They indicated that their “principal interest in evaluating ERM is to implement steps that will limit the frequency and severity of losses that could potentially affect ratings.”19 According to the RFC, S&P proposed to use a similar rating plan as they had done with the insurance industry. As such, the scoring would utilize the four-level ratings approach that includes weak, adequate, strong, and excellent. S&P’s ERM ratings within the financial sector produced two key types of information: (1) the degree to which a firm has comprehensively mastered the risks it faces, and (2) the extent that the firm’s management optimizes revenue for the risks it is willing and able to take. Accordingly, they believe that “ERM could significantly enhance our assessment of a non-financial service sector company’s ability to anticipate and manage risks.”20

On May 7, 2008, S&P finally reported on the results of their RFC. In their report titled “Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings,”21 they indicated that they would begin including discussions with rated companies during the third quarter of 2008 and would include commentary during the fourth quarter. They also provided a discussion of several other ERM-related timelines as related to their implementation schedule.

However, in the May 7, 2008, report S&P noted that they would be modifying their proposed ERM review, based on the feedback of more than 60 respondents. One of the biggest changes was the abandonment of S&P’s five-pillar approach to ERM that had worked so well with the insurance industry. As a result, S&P’s focus for nonfinancial rated companies will be only on two key areas, risk management culture and strategic risk management, which they believe are universally applicable aspects of ERM.

  1. Risk management culture—As part of their review, S&P will analyze the risk management framework or structure that the organization is currently using. Additionally, as part of this area, they will evaluate the roles of the risk management staff as well as the reporting relationship of those staff members. S&P’s guidelines suggest a strong expectation of a highly qualified and effective risk management department. Other items examined will be internal and external risk management communication including the risk management policies, and the effect of risk management on both budgetary and compensation management.
  2. Strategic risk management—This will include an assessment of management’s view of the most consequential risks, their likelihood, and the potential effect on the organization’s credit. It will also include an examination of the method for updating risk exposure and of the influence of risk management within the organization, including the role of risk management in strategic decision making. In general, this aspect represents the upside of risk management from S&P’s standpoint.

Furthermore, S&P also indicated that they would modify their original planned implementation schedule by deferring formal scoring of ERM capability, which they limited to three optional scores (strong, adequate, and weak), until sufficient data is collected to determine that proper evaluation criteria exist. Until that point, projected to be sometime in mid- to late 2009, they plan to withhold changes in credit ratings and/or rating outlooks.

The other major modification to S&P’s proposed analysis is the recognition of generally accepted risk management standards. They indicated that accepted standards, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) or the Joint Standards Australia/Standards of New Zealand Committee OB/7 (AS/NZS 4360), could be used as a foundation for ERM by the rated companies. However, S&P stated that neither of the above noted standards will be a prerequisite for, nor sufficient evidence of, effective risk management.22 This recognition of generally accepted standards is significant. Movement to a COSO framework by organizations has, for the most part, been slow in catching on since it was introduced in 2004. However, with S&P’s blessing, interest in the COSO Framework and the AS/NZS standard should increase significantly (see Box 25.1).

As noted above, movement into the nonfinancial market by S&P has slowed down from their original proposal. The agency has indicated that they would begin with a staggered implementation schedule. Their timeline points to ERM discussions that would be incorporated into regular review meetings during the third quarter of 2008. This schedule would give S&P one year to conclude their initial discussions with the organizations. During this period, they will begin to develop appropriate industry specific benchmarking information. They also note that they will begin to include analysis of emerging risk management and risk control processes as they gain better benchmarking insight.

Both Moody’s and Fitch have also indicated a willingness to extend their ERM analysis to nonfinancial service organizations. However, unlike S&P, neither firm has provided specifics as to their approach for these additional organizations.

A FLY IN THE OINTMENT

Each rating agency has made significant advancements with its ERM analysis and, with the exception of A.M. Best (insurance company specific), has plans to move aggressively into the nonfinancial service sectors. However, despite their best efforts, the rating agencies have become embroiled with Congress, other regulatory agencies, and investors over their role in the financial mess caused by the subprime home loan meltdown. As a result, it would appear that all rating agencies could end up with significantly more regulations and oversight than they previously had. Additionally, major changes in their business model may be required or legislated, since there has been significant concern about the current approach to their method of compensation for services provided. Currently, the rated companies pay the rating agency for assigning a rating; however, the “conflict of interest” allegations may require a change in this arrangement, along with several other operational requirements.

As we have seen, S&P has taken the most aggressive approach by including the ERM analysis explicitly into their rating methodology. S&P evaluates eight specific areas as part of their rating process. These areas include management strategy, financial flexibility, earnings, liquidity, market position, investments, capital adequacy, and more recently, ERM. However, the other rating firms have “embedded” their ERM approach into their existing methodology. So, the rated company may have to make a choice regarding which rating agencies’ ERM approach they wish to follow. Although many may feel that the S&P approach is the most robust and thus the most appropriate, it is still just one view of how the goal of effective risk management can be achieved. And for some, it may not even be the most obvious choice. For example, in the insurance industry, no insurance company would want to endanger their Best rating, so they may choose the Best approach. In the long term, it would be helpful to all stakeholders to have more alignment between the rating organizations regarding their ERM requirements, and identifying industry best practices.

CONCLUSION

Without question, the rating agencies have been a major driver in the increasing interest in ERM over the past three or four years. Most corporations realize the importance that a credit rating can bring. Not only is an increased credit rating good in and of itself, an increase in a rating can reduce the long-term cost of capital for most organizations. And, in the case of an insurance company, it can also affect the amount of surplus they would be required to maintain. Obviously, there are significant financial consequences that are associated with this new rating landscape. All of the agencies have voiced a commitment to their ERM programs, but their current regulatory and reputational woes may require a change in their implementation schedules.

NOTES

FURTHER READING

“Assessing Enterprise Risk Management Practices of Financial Institutions.” Financial Institutions, Standard & Poor’s (September 2006).

“Enterprise Risk Management for Ratings of Nonfinancial Corporations.” RatingsDirect, Standard & Poor’s (June 2008).

“ERM, the Rating Agencies and You.” ERM Road Map, Towers Perrin (November 2008).

“Evaluating Risk Appetite: A Fundamental Process of Enterprise Risk Management.” Standard & Poor’s (October 2006).

Goldfarb, Richard. “ERM Practices and the Rating Agencies.” Contingencies (September/October 2005).

Maxwell, James. “Ratings Agencies Eye ERM for All Industries.” Financial Executive (March 2008).

“Progress Report: Integrating Enterprise Risk Management Analysis into Corporate Credit Ratings.” Standard & Poor’s (July 2009).

Protiviti. “Credit Rating Analysis of Enterprise Risk Management at Nonfinancial Companies: Are You Ready?” The Bulletin, vol. 3, issue 2 (2008).

“Raising the Bar.” Benfield Group (October 2006).

“S&P Completes Initial ‘PIM’ Risk Management Review for Selected U.S. Energy Firms.” RatingsDirect, Standard & Poor’s (May 2007).

“Winners & Losers: How the S&P ERM Decision Changes the Rating Game.” Insurance Day (November 2005).

ABOUT THE AUTHOR

Mike Moody is the Managing Director of Strategic Risk Financing, Inc., an independent management consulting firm providing advice and counsel on risk management and enterprise risk management matters. Clients have ranged from a variety of public and private organizations to governmental agencies. He has an MBA with concentration in finance, as well as an Associate in Risk Management (ARM) designation. He has 25-plus years of experience in risk management, including as a corporate risk manager for a Fortune 500 corporation. He has also been employed by an international management consulting firm as well as worked for several international insurance brokers. He has been active in the Risk and Insurance Management Society (RIMS) having served both as a local and national officer. He has spoken at numerous risk management and risk financing presentations. He is also a recognized authority and author on the subject of risk management related issues, including enterprise risk management, where he has a monthly column on ERM in Rough Notes magazine. Currently, his project work is centered on assisting mid-size corporations in designing and implementing enterprise risk management programs.
