The phones are ringing off the hook at risk-management consultancies these days. So far, however, it’s just a lot of window-shopping.

The spectacular unraveling of credit markets and collapse of major financial institutions have caused public companies of all shapes and sizes to step back and wonder: What’s our risk? Are we managing things as well as we should? Or even as well as we thought?

“Given what’s happened in the last several weeks, it’s hard to imagine a sector that’s not been affected,” says Laura Taylor, national director at Aon Corp. “We’re seeing a heightened focus on risk.”

At the same time, companies aren’t pulling the trigger on big projects to assess and mitigate their risks. “We don’t see people making significant investments right now,” says Dirk Hobgood, CFO at consulting firm Accretive Solutions. Given persistent market volatility and the bad economy, “it goes along the line of discretionary spending that can be deferred until a later time,” he says.

Risk management as a discipline in business has been around for a while, but the collapse of credit markets would suggest it’s still in its infancy, says Richard Phillips, a risk-management professor at Georgia State University. Some well-heeled financial institutions that had risk-management practices in place have collapsed, while others with seemingly similar practices have weathered the storm.

“You could argue they just got lucky that they weren’t participating in these risky marketplaces,” he says. “As I tell my students, I stand before you a humbled risk-management professor.” The post-mortem on risk-management programs, he says, is likely to conclude that statistical models companies had been using to measure risk—especially relationships among economic variables—still need some development.

Meanwhile, recent events are sure to push more companies to get more serious about identifying, assessing, and mitigating risk. Some combination of regulatory and market forces is likely to drive more companies to formalize their enterprise risk management processes, Phillips says. “Regulation is going to take a much more interventionist tone over the next several years,” he says. “And management is not going to want to end up in these types of places again.”

ERM EXPLAINED

We (S&P) see ERM as:

An approach to assure the firm is attending to all risks;

A set of expectations among management, shareholders, and the board about which risks the firm will and will not take;

A set of methods for avoiding situations that might result in losses that would be outside the firm’s tolerance;

A method to shift focus from “cost/benefit” to “risk/reward”;

A way to help fulfill a fundamental responsibility of a company’s board and senior management;

A toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming; and

A language for communicating the firm’s efforts to maintain a manageable risk profile.

Source: S&P to Apply ERM to Ratings (May 7, 2008).

Standard & Poor’s has already determined it will take a closer look at enterprise risk management, even for non-financial institutions, in establishing its ratings. S&P says it will begin discussing ERM in the fourth quarter, with reviews focused primarily on a company’s risk-management culture and strategic risk management. S&P will not establish any kind of rating or scoring system until it gets some experience assessing risk management and establishes some benchmarks, which is “unlikely to occur before 2009,” the company says.

That act alone is sure to make more companies get serious about ERM, Taylor says. Recent data would suggest only about 5 percent of companies have an optimized enterprise risk management function embedded into their management strategy, she says. Most companies are somewhere along a broad continuum of practicing or at least dabbling in a risk strategy, suggesting plenty of room for improvement.

Mike Kaiser, a principal in the ERM practice at Ernst & Young, says he’s been living and breathing ERM for nearly a decade, yet only now is he starting to see a “dramatic shift” in companies recognizing value in risk management. They’re starting to get a better handle on the notion that risk management isn’t a siloed function in an organization, he explains.

“The value comes when the processes become part and parcel to management discipline,” he says. “When it’s seen as someone else’s responsibility, it’s not effectively embedded into the rhythm of the business.”

Investors have been voicing demand for better risk management, Kaiser says. An E&Y poll (predating the current crisis) shows 61 percent of investors will walk away from an investment if they think risk is not adequately identified and disclosed. The S&P focus on risk is sure to drive more investor interest, experts say.

ERM EFFECTS

S&P Defines ERM’s Effect on Ratings …

The potential effect of ERM on ratings will significantly depend on the type of the enterprise we are assessing. For larger, multinational corporations, highly developed and well-resourced ERM efforts will be standard. We expect to have very different interaction about risk management with those companies compared with less-diversified companies and those with fewer resources that are at an earlier stage, such as those in certain emerging markets.

The ERM-related discussions we will have with rated companies will build on our existing analysis of management’s operating and financial track record; credibility of strategies, projections, and execution; response to competitive threats; and risk governance bodies and structures.

Our industry-focused rating analysts will incorporate an ERM discussion into the regular credit reviews on each company, emphasizing risk-management culture and strategic risk management, which are the most broadly comparable and critical of the four areas outlined in our original proposal. In the risk-management culture analysis, discussion topics will include:

Risk-management frameworks or structures currently in use;

The roles of staff responsible for risk management and reporting lines;

Internal and external risk-management communications;

Broad risk-management policies and metrics for successful risk management; and

The influence of risk management on budgeting and management compensation.

In addition, we will incorporate our existing review of governance, accounting policies and issues, and derivatives into this much broader analysis of a company’s risk-management culture.

Under strategic risk management, our analysts will explore:

Management’s view of the most consequential risks the firm faces, their likelihood, and potential effect on credit;

The frequency and nature of updating the identification of these top risks;

The influence of risk sensitivity on liability management and financing decisions; and

The role of risk management in strategic decision making.

For now, we have decided to exclude additional analysis of the other two areas cited in our original risk-control processes and emerging risk management, beyond what is included in our current process. The additional effort required for us to scrutinize these company- and sector-specific areas may be of limited value at this time. An important exception to this is our ongoing review of risk-control processes that is already in place and that we can logically and consistently apply in new sectors.

Specifically, we have already conducted risk-control analyses using the Policies, Infrastructure, and Methodology (PIM) approach for electric power marketers and agribusiness companies with sizable trading operations. Building on that experience, we intend to examine the application of the PIM approach for oil and gas issuers with meaningful trading operations. What characterizes these exceptions is that unlike other corporate sectors with operational risks that are difficult to quantify, trading risks can be measured, modeled, and hedged. That allows us to apply a consistent approach that is within the realm of credit analysis tools we now use.

While we cannot audit assertions by company managers about their ERM procedures, we will closely examine the consistency between their statements and historical performance. We will specifically inquire about how they handled actual risks in the past. A discussion of ERM will become a regular part of our follow-up after significant drops in earnings or losses, significant restatements of past financial results, or material impairment losses and write-downs. Our discussions with managers about ERM will be to understand how consciously they have taken and retained risks and why they are comfortable with their net risk positions.

Source: S&P to Apply ERM to Ratings (May 7, 2008).

Henry Ristuccia, a partner with Deloitte & Touche and leader of the firm’s steering committee on risk services, says recent events are causing companies to step back and ask, “What are we really spending on risk management? And are we getting value?” The Sarbanes-Oxley era heightened focus on costs and benefits associated with control activities, so those questions will not be targeted on risk management, he says.

In fact, SOX may have given some companies and their investors a false sense that their risk was covered, Hobgood says. “People automatically assume SOX put in place best practices and that ERM was just naturally rolled up in those programs” when in fact they are quite different concepts, he says.

For example, SOX has no bearing on whether transactions are pursued wisely, only on whether they are recorded accurately, says Todd Markus, vice president of accounting and finance for Accretive Solutions. “You can make bad decisions, as long as you account for them in the financial statements,” he quips.

Damien Blenkinsopp, associate director for Kennedy Information and an analyst for the consulting business, says despite the talk around risk, there have been “relatively few” meaningful implementations of ERM programs. “ERM is still developing and maturing as a management science, albeit rapidly, and it has some way to develop before it can be implemented across the whole enterprise to provide a single view of risk,” he says.

The current crisis is stirring companies to become more aggressive about ERM, he says. “Consulting firms are typically hearing from clients, ‘I want to understand how my competitor got into trouble and how to make sure the same thing doesn’t happen to me,’” Blenkinsopp says.

That being said, companies will hold off on spending money to develop better risk strategies at least until the end of the year, he suspects. They’re waiting for the market to settle down, and they’re waiting to see if some regulatory sea change begins to percolate that will mandate some specific activity or investment. He predicts that by mid-2009, once the motives of a new Congress and new White House become clearer, companies will begin investing in developing their risk strategies.

Gary Sturisky, global practice leader for internal audit and controls at Jefferson Wells, says his firm is seeing an increase in boards asking for an independent assessment of the risk-management function. “Very few companies have a very advanced ERM process,” he says. “They have ERM, but they haven’t connected all the dots.”