Enterprise Risk Management
ERM: Change is in the wind
Attention paid to three key areas will help alter the ERM landscape
By Michael J. Moody, MBA, ARM
Despite the fact that enterprise risk management (ERM) has been around for more than 10 years, significant changes, both internal and external, soon will be underway. While there are a number of reasons for these changes, most are the direct result of the current financial meltdown. Some of the changes will involve the practice of ERM itself, while others will deal with areas that have an indirect involvement.
Three major areas of change are bound to have a profound impact on ERM as it moves forward in its evolution.
Risk management, in general—and, more specifically, ERM—has been mentioned frequently as one of the major failures that contributed to the country’s current financial mess. However, another frequent target has been the risk oversight provided by corporate boards. Clearly, most corporate boards now have moved risk management to the top of their agendas and made it a priority for 2009. However, are they prepared for proper risk oversight?
Today, boards have determined to handle risk oversight in one of two ways: via the audit committee or via the board as a whole. Research provided by North Carolina State University points out that the majority of corporations believe that the volume and complexity of risks have increased over the past five years. Despite this increase, 44% of the respondents have no ERM process in place.
Still, about half of the boards are increasing their involvement in risk oversight. The “Report on the Current State of Enterprise Risk Oversight” suggests that all boards—whether for-profit, not-for-profit or even governmental entities—will need to take a more proactive role in risk oversight. The report notes that while this process of increased involvement in risk oversight began several years ago with new rules provided by the New York Stock Exchange and other bodies, it will accelerate over the next 12 to 18 months as new, more onerous rules and regulations are propagated.
One of the primary reasons for ERM’s rise over the past few years has been the interest shown by rating agencies. A number of the larger rating agencies began to develop specific ERM rating matrixes that have been incorporated into the overall rating process. This movement was spearheaded by the primary rating agencies, S&P, Moody’s, Fitch and A.M. Best. Corporations were quick to see the value of establishing an ERM program. There are several examples where corporations’ overall debt rating was improved due in large part to their ERM program.
However, the current financial mess has called into question the value of advice provided by the rating agencies. They were widely criticized for failing to give investors adequate warnings of the risks in the sub-prime mortgage mess. A study by the Council of Institutional Investors titled “Rethinking Regulation of Credit Rating Agencies: an Institutional Investor Perspective” notes just how important the ratings are since they fulfill a wide range of regulatory and contractual requirements.
Bottom line, the role of the rating agencies has become that of the financial gatekeeper. And as has been seen at this point, the rating agencies failed in this role. As a result, the agencies will be subjected to new, more stringent operating rules and regulations. Many believe that they should be more accountable for their actions and that the ratings process should be more transparent.
Among the ideas that have been advanced recently is the lifting of rating agencies’ liability exemption. Many think that rating agencies should be removed from the liability under the Securities Act of 1933 and made subject to private rights of action under the anti-fraud provisions of the securities laws. Investor groups have voiced support for removing the exemption from liability in the rating agencies’ forward-looking statements.
Last year the Securities and Exchange Commission (SEC) did take action to crack down on conflicts of interest at rating agencies that are paid by the issuers whose products they rate. This particular aspect of the rating agencies’ business model (i.e., being paid by the organization they rate) has long been questioned, and many believed that it led to a failure to provide adequate due diligence efforts.
The real concern, however, surrounds the liability exemption. Many investment experts have pointed out that the rating agencies have no real motive to report the actual results since they are exempt from liability. The consensus among Congress and the new SEC chairman is that the status quo on this issue is not good enough.
The upshot is that the rating agencies have been a driving force for the movement toward ERM in the past, but in order to maintain this movement, the agencies will need to reestablish their credibility with the investing public. This will undoubtedly happen, and when it does, one would expect that ERM will have an even larger role in the rate-making process.
One of the shortcomings of ERM is that there are too many cooks in the kitchen. Several industry groups have advanced a specific approach to ERM that, for the most part, has not been fully embraced by the general public. One of the announcements that came out of the recent Risk and Insurance Management Society (RIMS) Conference was that there may soon be a common approach to ERM.
RIMS and the American Institute for CPCU/Insurance Institute of America (the Institutes) are joining together to develop a new course titled “Enterprise-wide Risk Management (ERM): Developing and Implementing.” The new course is designed for practitioners with strong risk management and business backgrounds. They indicate that the course focuses on how to optimize risk-taking to meet strategic goals and the practical steps to develop and implement ERM programs. RIMS will start offering the course in 2010. The program is established to incorporate the ARM designation by allowing the enrollee to earn the ARM-E designation.
Among the topics that are expected to be covered in the course are:
• ERM, strategy, and exposure spaces
• Integrating risk management and organizational strategy
• ERM as a project—building the business case
The course work will be provided in an intense three-day workshop that will be conducted by RIMS. It is believed that the new designation (ARM-E) will give risk practitioners the tools and skills to develop an ERM program at their organizations and should help to successfully integrate a functional ERM culture into their existing organizational culture.
All three of the above noted changes—additional oversight by corporate boards, establishment of new designations by the Institutes and RIMS, and changes at the rating agencies—bode well for ERM. Taken in total, it would appear that ERM will continue to gain momentum in corporate America as businesses search for ways to maximize their returns while reducing their downside risks.
Michael J. Moody, MBA, ARM, is the managing director of SuRF, an independent consulting firm that has been established to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.