Posted by: Linda Tucci
enterprise risk management, Freerisk, Risk assessment
If your company is finding it difficult to weigh the costs vs. benefits of a formal risk management program, Standard & Poor’s (S&P) feels your pain.
I caught up with Steven Dryer, managing director at the New York-based credit rating agency, for an update on S&P’s 2008 announcement that it intended to factor enterprise risk management (ERM) measures into its credit ratings of nonfinancial companies. Nearly two years later, the effort is not where Dryer hoped it would be. (Learn more in “What’s a risk management strategy worth to your S&P credit rating?”)
While just about everybody would agree — post-financial meltdown — that a balance sheet is insufficient for gauging a company’s risk exposure, Dryer told me that the agency is really struggling with assigning a value to the more qualitative aspects of a risk management program (company culture, staff roles and where those roles fit in the organization chart, risk policies and metrics).
To ascertain management’s credibility, S&P has to compare what it’s been told about the company’s enterprise risk management program with how the company actually handles anticipated and unanticipated risks — and that will take time, he said. As you’ll read in my story this week, S&P can draw on decades of data it has collected on companies to help set benchmarks. But that will take time, too.
A startup crowdsourcing project called Riskfree.org contends that the business models of the ratings agencies are too narrow to provide sound guidance for investors. Riskfree.org argues that what investors need are the tools to create their own risk models — lots of them, including S&P’s — which can then be aggregated and compared over time to see which models hold up best.
Whether investors should continue to trust any model the credit rating agencies come up with anymore, given their failure to predict the worst financial crisis since the Great Depression, is probably a topic for another story. But somebody has to find a way to correlate the cost of an enterprise risk management program with the benefits. For another reminder, if you need one, of just how much damage this recession as wreaked, consider this: Half the companies that S&P rates today fall into its bottom two categories, CCC and D, or, in plain terms, close to or in default.