On November 15, 2007, the rating giant Standard & Poor’s (S&P) formally unveiled a proposal to introduce in-depth ERM criteria into their ratings of nonfinancial companies, making many of them draw a sharp breath. Well, ERM has been around for many years, so what’s special about the S&P’s announcement? Yes, it’s true that ERM isn’t anything new in the corporate world; nonetheless, the S&P’s announcement came as a wake-up call for many enterprises, as it clearly implies that an enterprise with no ERM framework or with discrepancies in its risk management capabilities could find its credit ratings placed lower. As put by a senior risk manager of a large enterprise, “This will put a spotlight on firms that don’t have an ERM framework in place; and likely to spur them on to change that.” Patterned on the approach already used for sectors like finance, insurance and energy since 2004, S&P’s announcement proposes to employ 100 or so different factors to evaluate the quality of ERM operations in nonfinancial institutions and then include that assessment in their final score. Under the expanded framework, they will analyze a company’s policies, infrastructure and methodologies (PIM) - focusing on a firm’s overall risk-control practices and benchmarking the quality of risk management.

1. GOVERNANCE, RISK & COMPLIANCE
MetricStream Insights
ERM Analysis for Credit Ratings of Nonfi-
nancial Companies: Stepping Up to New
Criteria
○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○
INTRODUCTION
On November 15, 2007, the rating giant Standard & Poor’s (S&P)
formally unveiled a proposal to introduce in-depth ERM criteria
into their ratings of nonfinancial companies, making many of them
draw a sharp breath. Well, ERM has been around for many years,
so what’s special about the S&P’s announcement? Yes, it’s true Risk Management Culture & Governance
that ERM isn’t anything new in the corporate world; nonetheless, To assess these aspects, S&P probes into the stature of risk and
the S&P’s announcement came as a wake-up call for many risk management function within the enterprise. This includes
enterprises, as it clearly implies that an enterprise with no ERM evaluating the organizational structure and the roles, capabilities
framework or with discrepancies in its risk management capabili- and accountabilities of the Chief Risk Officer. The assessment
ties could find its credit ratings placed lower. As put by a senior incorporates data about how the organization has established risk
risk manager of a large enterprise, “This will put a spotlight on tolerances and how these tolerances are applied to the overall
firms that don’t have an ERM framework in place; and likely to strategic decision-making process. A favorable indicator of risk-
spur them on to change that.” Patterned on the approach already management governance is a structure that strongly influences
used for sectors like finance, insurance and energy since 2004, corporate judgment by risk-management staff. Perhaps even more
S&P’s announcement proposes to employ 100 or so different important is the degree line-level managers adhere to risk toler-
factors to evaluate the quality of ERM operations in nonfinancial ances in daily decision making. For instance, whether risks
institutions and then include that assessment in their final score. associated with new product developments are evaluated as
Under the expanded framework, they will analyze a company’s against overall enterprise risk tolerances. Furthermore, internal
policies, infrastructure and methodologies (PIM) - focusing on a and external communication of risk and risk management is
firm’s overall risk-control practices and benchmarking the quality considered a strong indicator or risk management culture.
of risk management.
Risk Controls
WHAT ARE THE MAIN FACTORS THAT S&P WILL ANALYZE S&P believes that the firms achieve risk control through identify-
WHEN EVALUATING ERM? ing, measuring, and monitoring risks, setting and enforcing risk
According to S&P, “The ultimate importance of ERM on a firm’s limits and manage risks to meet these limits through risk avoid-
rating will depend on the risks of the firm, the susceptibility of the ance, risk transfer, risk offset or other risk management process.
firm to those risks and the capacity of the firm to absorb losses.” They expect firms to have structured programs to effectively
Recognizing that there is no single recipe for the best ERM deliver the risk controls necessary to maintain exposures and
platform and each company needs to pursue its own tailor-made losses and consistently execute those programs for future
approach to managing risk, S&P’s will evaluate companies within implementation. They will evaluate risk-control processes for each
a general ERM framework having four major analytical compo- firm, considering those risks that they have identified for the
nents: overall sector, as well as those identified by the management.
Consistency between the overall corporate risk tolerances and the
specific risk limits will be an important consideration.

2. GOVERNANCE, RISK & COMPLIANCE
Emerging Risk Preparation its ERM capabilities and assessing its ERM framework using the
Emerging risks are those that are completely new, or extremely S&P’s four components.
rare and adverse events and therefore cannot be managed via a
control process. Analysts concentrate on those practices, within With the incorporation of ERM in credit ratings, the query on
an enterprise, that provide meaningful benefit to addressing such everyone’s mind is "How do we establish an ERM that satisfies
risks. These practices generally include environmental scanning, S&P’s criteria?” The answer lies in prioritizing effective ERM as a
trend analysis, stress testing, contingency planning, problem post- value-added business initiative and implementing a robust ERM
mortem and risk transfer. Depending upon the nature of the framework supported by advanced systems and tools that enable
business, the analyst will look for evidence that the company is adopting ERM best practices. An integrated ERM system enables
planning for adverse events and for the outcome of such planning, organizations to identify, assess, quantify, monitor and manage
before and after the occurrence of such events. their enterprise risk in an integrated manner. Leveraging auto-
mated tools like threshold-based alerts, data feeds, risk libraries,
Strategic Risk Management risk analytics, key risk indicators (KRIs), risk heat maps, trend
This component involves incorporation of risks and risk manage- charts and compliance dashboards, an integrated ERM system
ment process into strategic decision-making process. The analyst provides a reliable risk management infrastructure critical for
will focus on getting a clearer picture of company’s risk profile and avoiding surprises and keeping pace with dynamic risk profiles. At
obtaining a statement of the recent shifts in risk profile as well as MetricStream, we have uniquely combined software and content
anticipated future changes. S&P analyzes the risk profile of an to deliver a system with embedded best practices content that
enterprise in the light of earning loss, enterprise value, or other helps define the scope of processes and sub-processes for which
financial metrics for various risks. For example, analyst might risk management needs to be performed and guides development
inquire as to whether the company uses risk and reward analysis of control and test libraries. It also provides intelligent content
when allocating resources (e.g., capital, talent); or how does driven features such as access to training content from an expert
management reflect risk and reward for risk in strategic decision community from within the solutions and integration of business
making, pricing and performance measurement. Strategic pro- processes with regulatory notifications and industry alerts. By
cesses affected by risk and risk management capabilities include implementing such systems organizations can reduce unexpected
capital budgeting, business planning, performance measurement, disruptive business events in their environment, increase operat-
product management, acquisitions and divestitures, performance ing margins, reduce earnings volatility, enhance process effi-
measurement, dividend practices and incentive compensation. ciency, improve regulatory compliance and build investor confi-
dence.
Undoubtedly, S&P’s inclusion of ERM in credit rating has drawn
attention of management and stakeholders to the virtues of a
holistic risk management in an enterprise. Could this provide the
much needed impetus to ERM and bring its long-anticipated
benefits to the forefront? Well, if S&P focuses on ERM, no
company can afford to ignore it. For the last few years, S&P has
been developing an ERM component of their rating system,
initially in the finance sector, then insurance and energy; and the
efforts have been a great success in underpinning the benefits of
ERM. As put by one of the S&P members, “Interest in ERM has
increased now that rating implications are involved. What’s more,
"we are continually hearing from enterprises that they have just
hired a new chief risk officer, or added staff or even adopted new
ERM policies and procedures.” He points out, “Every time we
meet with companies, they advise us how much their board of
directors is involved in the ERM process. Without question, it’s on
everybody’s mind now.” Most enterprises are now introspecting

3. GOVERNANCE, RISK & COMPLIANCE
CONCLUSION work, and determine if they can realize greater efficiencies and
S&P has been at the forefront in encouraging companies to value from their business. The resulting benefits would range from
develop integrated ERM frameworks and incorporate them into adaptability to market movements and growth opportunities to the
their day-to-day operations - an effort to provide more in-depth ability to challenge underwriting and investment assumptions,
analysis and incisive commentary on the many critical dimensions leading to smarter capital allocation and more sustainable value
of risk that determine overall creditworthiness of a firm. The ERM creation. As one of the experts at S&P points out, "We think that
framework as expected by S&P, if implemented efficiently, should there are a lot of competitive advantages to be gained from ERM.
result in a more focused and efficient risk management process The companies that are using ERM are the ones that will make the
across the entire value chain. Now is the time for management best choices."
and risk managers to strengthen their risk management frame

4. REFERENCES
Criteria: Request For Comment: Enterprise Risk Management
Analysis For Credit Ratings Of Nonfinancial Companies
http://www2.standardandpoors.com/portal/site/sp/en/us/
page.article/3,1,1,0,1148449315878.html
ABOUT METRICSTREAM
MetricStream is a market leader in Enterprise-wide Gover-
nance, Risk, Compliance (GRC) and Quality Solutions for global
corporations. MetricStream solutions are used by leading
corporations such as Pfizer, Philips, American Airlines,
NASDAQ, Hitachi, Aurobindo Pharma, Sandisk, BP, Entergy,
Subway, Fairchild Semiconductor, and TaylorMade-Adidas Golf
in diverse industries such as Pharmaceuticals, Medical
Devices, Automotive, Food, High Tech Manufacturing, Energy
and Financial Services to manage their quality processes,
regulatory and industry-mandated compliance and corporate
governance initiatives, as well as by over a million compliance
professionals worldwide via the ComplianceOnline.com portal.
MetricStream
www.metricstream.com info@metricstream.com
© Copyright 2007, MetricStream, Inc. All rights reserved.