
 

Prelude of things to come

Rating agencies embrace ERM concept for financial institutions

By Michael J. Moody, MBA, ARM


For the past several years, Rough Notes, as well as several other industry publications, has been documenting the rise of enterprise risk management (ERM). We have touched on various reasons why organizations should be moving to a holistic approach for risk management. Among other things, we looked at a variety of frameworks that have been advanced to assist in ERM implementation and provided, in detail, key elements of some of the more popular ERM software packages. We also reviewed some of the unique aspects of ERM such as how reputational risks could be assessed only via ERM. Further, we documented several case studies that highlighted effective ERM implementation. Discussions regarding the various compliance-related issues such as the Sarbanes-Oxley Act of 2002, the New York Stock Exchange rules and other recent regulatory concerns have also been a frequent topic.

Taken in total, all of these items certainly illustrate the increasing importance of ERM. And all of these should be alerting organizations that it is time to begin moving to a holistic approach to risk management, such as ERM. However, one of the most pressing arguments for ERM implementation, and a real eye opener for those that have not implemented an ERM program yet, was advanced recently by rating giant Standard & Poor’s (S&P). In a document titled “Enterprise Risk Management for Financial Institutions: Rating Criteria and Best Practices,” S&P may well have provided one of the most compelling reasons for organizations to begin to embrace the concept.

Just the beginning

As the title suggests, S&P has now begun to evaluate the effectiveness of ERM practices as part of their overall rating assessment for the financial services sector, such as banks and insurance companies. S&P believes it is important for organizations to be able to share critical information with their shareholders regarding their key areas of risks. They also believe that an organization must have a robust process for managing risk across the entire enterprise. In support of this conclusion, S&P has begun evaluating the effectiveness of corporate ERM practices as part of their overall rating assessment.

The primary objective of their assessment is to evaluate the extent of the organization’s approach to risk management from a holistic standpoint. They are particularly interested in an organization’s processes for understanding, managing, and communicating important, enterprise-wide risk information. S&P’s approach assesses management’s ability to interpret and make qualitative decisions in response to various risk metrics. At the end of the day, they believe that management needs to demonstrate an ability to incorporate risk information as an integral part of its strategic decision-making process.

S&P’s assessment framework

The ERM assessment framework that S&P has developed consists of three broad components. The first component is policies and governance as related to ERM. A key consideration driving this aspect of the assessment is the organization’s risk governance and risk culture. Specifically, this portion of the framework deals with the stature of the risk management function within the organization. As part of the assessment process, S&P will seek detailed information about the risk management function including the reporting lines of the chief risk officer (CRO) as well as the independence of the risk management function.

This aspect of the assessment also incorporates data about how the organization established risk tolerances as well as how those tolerances are applied to the overall strategic decision-making process. For example, S&P determines the extent of senior management’s involvement in setting the organization’s risk appetite and how they monitor their major risks. Since a strong and independent risk management function is one that typically provides checks and balances, S&P’s assessment also includes a review of management’s responses to risks through controls and oversight across the entire organization. Additionally, the assessment evaluates the degree of risk communication and disclosure within the organization.

The second component of S&P’s assessment framework is methodology. This component is made up of three distinct aspects, the first being assessment of the risk management tools and related technologies that the organization uses to track key risk indicators. S&P focuses on both the quality and level of the systems used, as well as how the systems are integrated into the organization’s overall efforts to track and manage risks.

The next aspect is the evaluation of the specific measurements the organization uses for tracking purposes. For example, financial institutions such as banks typically use the Value at Risk (VaR) approach. A key portion of this assessment is to determine management’s ability to qualitatively interpret the results provided by the measurements. In effect, S&P assesses whether management can draw meaningful conclusions from the quantitative calculations.

The final aspect deals with vetting the various risk measurements models including such things as stress testing and “what if” scenario analyses. The purpose of this aspect is to assess management’s accuracy in measuring risk ranges.

Infrastructure is the final component to the S&P ERM framework. This portion of the framework is directed at an organization’s risk architecture, the quality of data and the back-room operations. S&P realizes that systems failures or other business disruptions can directly affect an organization’s ability to effectively assess and appropriately respond to holistic risks. Thus, the underlying risk infrastructure and back-office operations are critical to an organization’s overall risk management program. Consideration of the organization’s disaster recovery process as well as its business continuity plan in the event of a massive system failure are included as part of the assessment of this component. The back-room operations analysis also includes a review of the background and educational qualifications of the risk personnel and the number of years of experience in risk management.

Once completed, the assessment from the three risk management components, commonly referred to as the policies, infrastructure and methodologies (PIM) assessment, will be used in the overall rating assessment. At this point, S&P is not issuing a separate ERM rating assessment, but rather the assessment is provided to the S&P assessment group as one of many inputs to the overall rating. As a result, if the organization falls short on its ERM assessment, the overall rating can be lowered and, correspondingly, should a company’s ERM practices exceed expectations, the rating assessment may be raised.

Future

Without question, there is a growing expectation from many stakeholders for an effective approach to risk management. ERM has the potential to meet this expectation and, with increasing frequency, many interested parties are looking for an objective view of how well organizations are implementing this. Currently, the majority of S&P’s ERM analysis is for the financial services sector. However, it has also begun to provide a similar assessment on energy companies. Further, S&P indicates that it will be expanding these types of assessment to other industry segments as well. Additionally, Moody’s, the other major rating organization, has also implemented an ERM assessment as part of its overall rating process for financial service sector clients.

Several years ago, it was easy to dismiss ERM as just the latest management fad. It appeared that there was no clear methodology to develop this holistic approach to risk management. As a result, while many organizations understood the advantages of the ERM concept, it was just easier to concentrate on SOX compliance or some other pressing issue. Today, however, ERM has begun to attract the attention of many stakeholders and is rapidly rising on the board’s agenda. Early ERM adopters have started documenting the advantages of ERM, and now even the rating agencies are taking note of the importance of an ERM approach to risk management. It should no longer be a surprise to any organization that it will have to begin to develop and implement a holistic approach to risk management. Notwithstanding the significant advantages derived from ERM, as well as the increasing pressure from external sources, such as rating agencies, the sooner the better with regard to ERM implementation.

 
 
 
