IT Compliance Advisor

Mar 8 2010   7:33PM GMT

Can anybody find a way to put a value on a risk management program?

Linda Tucci Linda Tucci Profile: Linda Tucci

If your company is finding it difficult to weigh the costs vs. benefits of a formal risk management program, Standard & Poor’s (S&P) feels your pain.

I caught up with Steven Dryer, managing director at the New York-based credit rating agency, for an update on S&P’s 2008 announcement that it intended to factor enterprise risk management (ERM) measures into its credit ratings of nonfinancial companies. Nearly two years later, the effort is not where Dryer hoped it would be. (Learn more in “What’s a risk management strategy worth to your S&P credit rating?”)

While just about everybody would agree — post-financial meltdown — that a balance sheet is insufficient for gauging a company’s risk exposure, Dryer told me that the agency is really struggling with assigning a value to the more qualitative aspects of a risk management program (company culture, staff roles and where those roles fit in the organization chart, risk policies and metrics).

To ascertain management’s credibility, S&P has to compare what it’s been told about the company’s enterprise risk management program with how the company actually handles anticipated and unanticipated risks — and that will take time, he said. As you’ll read in my story this week, S&P can draw on decades of data it has collected on companies to help set benchmarks. But that will take time, too.

A startup crowdsourcing project called Riskfree.org contends that the business models of the ratings agencies are too narrow to provide sound guidance for investors. Riskfree.org argues that what investors need are the tools to create their own risk models — lots of them, including S&P’s — which can then be aggregated and compared over time to see which models hold up best.

Whether investors should continue to trust any model the credit rating agencies come up with anymore, given their failure to predict the worst financial crisis since the Great Depression, is probably a topic for another story. But somebody has to find a way to correlate the cost of an enterprise risk management program with the benefits. For another reminder, if you need one, of just how much damage this recession as wreaked, consider this: Half the companies that S&P rates today fall into its bottom two categories, CCC and D, or, in plain terms, close to or in default.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: