Enterprise Risk Management
External forces drive growth in ERM
Rating agency practices and new legislation focus on risk oversight
By Michael J. Moody, MBA, ARM
Interest in enterprise risk management (ERM) continues to grow across a wide range of industry sectors. Initially, as we have noted in the past, interest in ERM was limited to the financial services sector. After gaining a foothold in the banking industry, the concept began to gain acceptance in the insurance sector and was received favorably by the major rating agencies. Today ERM is a key component of the rating process.
From the beginning, the rating agencies were able to determine the value of ERM based on the overall creditworthiness of an insurer or reinsurer. Noting this relationship in 2006, Steven Dyer, a Standard & Poor's analyst, commented: "These evaluations help us develop forward-looking opinions on credit strength by supplementing our fundamental analysis."
In essence, S&P sought to ascertain whether an insurer's ERM program was being carried out in a systematic and consistent manner and whether an optimal risk/reward balance was being achieved. This information was then compared with data on peer organizations. S&P has stated that its attraction to ERM is based in large part on the belief that "expected deterioration or improvement in a company's ERM quality would potentially drive rating and outlook changes before the consequences are apparent in published financial results."
Favorable reaction by the rating agencies encouraged many nonfinancial service organizations to consider implementing an ERM program. Just as the concept of ERM was beginning to gain acceptance, however, the true scope of the financial crisis in the banking/insurance community was becoming evident. As a result, many corporations, financial and nonfinancial, as well as the rating agencies, had many more pressing issues to attend to. This slowed the implementation of ERM at many organizations.
Since the financial meltdown, a plethora of new rules and regulations have been put in place to prevent another financial collapse. All of this attention has once again raised awareness of ERM. For the most part, corporate America has started to realize the need for a more strategic approach to risk management. Left on their own, some corporations might be slow to implement ERM. That said, much of the responsibility for the meltdown has been placed squarely—and appropriately—on the members of corporate boards of directors, and this should serve as an impetus for officers and directors to implement a program of enterprise risk management.
A number of new financial regulations have been put in place over the past 12 to 18 months. Chief among these new laws is the Dodd-Frank Wall Street Reform and Consumer Protection Act, which was signed into law in July 2010. Many details concerning implementation of the law are being worked out by a group known as the Financial Stability Oversight Council, which in essence amounts to "kicking the can down the road." Further, the scope of the law is restricted to a select group of financial firms, primarily large banks. As a result, many experts believe that Dodd-Frank will not have a significant impact on the growth of enterprise risk management.
Another influence on the advancement of ERM was the enactment in February 2010 of Rule No. 33-9089 by the Securities and Exchange Commission (SEC). Section C of the rule requires that proxy statements disclose risk-based compensation policies, the role of the board of directors in risk oversight, and the nature of communications between executives and board members on risk management issues.
To evaluate the effect of Section C of the new SEC regulation, ermINSIGHTS (an enterprise risk management consulting firm) reviewed available proxy statements for the 30 companies whose stocks comprise the Dow Jones Industrial Average. The firm sought to learn how the board's role in risk oversight was being presented, measure the extent to which ERM was specifically mentioned, and learn how many of the corporations had chief risk officers. The review determined that 76% of the companies' proxy statements addressed the role of the board in risk oversight. Additionally, 64% mentioned ERM and 20% indicated that they had a chief risk officer (CRO).
Although the new SEC rule applies only to publicly traded companies, many private corporations have chosen to follow a similar path. A key reason is that board members at public corporations frequently occupy similar positions at private firms, and many believe that rigorous oversight is essential. Additionally, new rules and regulations typically become "best practice" standards that are accepted by many accounting and audit firms, and this is another reason for boards of directors to implement an ERM strategy.
Thus far, insurers that write directors and officers liability coverage have not exerted pressure on corporations to adopt ERM. That could change quickly when the insurance market hardens. D&O underwriters could begin to request compliance with the provisions of SEC 33-9089. Like the rating agencies, D&O carriers likely will see the advantages that accrue to companies that implement ERM. In the future, these insurers might make underwriting and pricing decisions based on a company's implementation of rigorous ERM and risk oversight.
It is obvious that much of the impetus for corporations to implement enterprise risk management is coming from external forces such as new rating agency practices, the enactment of Dodd-Frank and related legislation, and the SEC rule that mandates disclosure of risk oversight measures.
Although the attention ERM is beginning to receive at the executive level clearly is a positive development in the expansion of ERM, it primarily signifies a response to external forces rather than being driven from within. Without internal awareness of and support for ERM, it could become little more than a compliance exercise. The challenge for risk managers is to build a persuasive business case for ERM within their organizations and to implement an ERM initiative that is based on advancing stakeholder value.
Michael J. Moody is the retired managing director of Strategic Risk Financing, Inc. (SuRF), which was established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.