GlobalAtlanta: How difficult is it for a company to create a risk inventory for itself and a coherent set of assessment processes?
Mr. Duncan: The biggest mistake companies make in trying to start an ERM program is trying to solve for every risk. If you break the process down into manageable chunks, the process moves more quickly, with faster actionable outcomes. Even for a large organization, an initial risk inventory (typically the top 50-75 organizational risks) can be created in 60-90 days.
An initial risk inventory doesn’t have to be perfect the first time out, but you will need to have an organized and prioritized process and plan. There is huge inherent value in just having a common language around how you discuss and measure risk internally, and in getting a first pass at your critical risk inventory (often called a “risk map” or a “risk profile”) in place. A risk map will not only create a rating of risks by likelihood and impact, it will shed light on how well controlled or mitigated this risk is, showcasing the highest risks with the least mitigation – a gap analysis.
Most companies start with the development of a basic risk map with their top leadership team (risk management, internal audit, legal, finance, operations, supply chain, HR, IT, etc.), then once they have an initial risk map, they then step back to plan a more detailed process including a more bottom-up approach.
With an initial risk map in place, the ERM leader is then in a position to discuss the process and the high priority risks with the biggest gaps with the senior leadership team and the board for feedback and additional direction.
One of the great side benefits is ERM gives all management a politically correct way to talk about, organize and respond to difficult risks without creating political heat internally, and it will quickly identify surprises leadership needs to know about.
Our strongest advice is “Don’t boil the ocean.” ERM is about progress towards understanding and mitigating critical risks, not perfection of understanding and eliminating all risks. Ninety percent of the battle is understanding enough so you can allocate finite resources to your infinite risks for maximum return on investment. Develop short and medium term priorities to make headway against your critical risks, including specific risk mitigation plans, the assignment of risk owners, and concrete action steps. Use whatever methodology works in your company, and your culture, to prioritize what you need to do, then pick 4-5 things to work against. Fine tune the process.
GlobalAtlanta: Has Standard & Poor’s announcement that it is soon to incorporate evaluations of ERM into its ratings of non-financial companies had widespread impact?
Mr. Duncan: In May of 2008, Standard and Poor’s (S&P) announced that it is now incorporating evaluation of Enterprise Risk Management (ERM) into its ratings of non-financial companies, starting in late 2008 (management discussions) and 2009 (actual ratings promulgation). This decision comes after experimenting with the effectiveness of integrating ERM into the credit ratings of financial institutions (mainly banks and insurance companies). In many ways, the S&P announcement is public validation that ERM is a value-added discipline and a management best practice that makes a difference in a company’s future.
GlobalAtlanta: In what ways can the McCart Group assist in developing this sort of inventory?
Mr. Duncan: In addition to providing benefits, HR consulting, payroll and benefits administration outsourcing, and a complete array of property casualty insurance and loss control services, McCart provides ERM program evaluation and development consulting assistance to its clients. McCart’s chief operating and financial officer leads McCart’s ERM practice, and is a former chief risk officer, where he implemented (or evaluated) various ERM programs for Fortune 500 companies, either directly or as a consultant. In addition to McCart’s COO, McCart also has several former risk managers on staff to assist companies in evaluating and implementing risk management programs. McCart offers a complete range of ERM program evaluation services (to prepare for the S&P inquiries) as well as ERM development and implementation.
GlobalAtlanta: What industries seem to have more developed ERM practices than others? Which industries are laggards? Where is ERM more widely developed?
Mr. Duncan: Financial institutions, insurance companies, and utilities were early adopters of ERM, but today, ERM practices can be found in almost every industry and geography. ERM programs are more commonly found in European, Australian and New Zealand companies than in the U.S., but that is rapidly changing.
GlobalAtlanta: Risks are often associated with silo business models – be it in business units or functions. Have you found this assertion to be generally correct? If so, why?
Mr. Duncan: There are strengths and weaknesses to managing risks by silos – whether functional silos or within business units. One advantage is it allows for deeper risk specialization in a particular silo – finance is awfully good at managing financial risk, a business unit in Latin America will understand the risks unique to Latin America better than anyone else. The problem is that an organization’s risk is no respecter of geographic or functional boundaries. The adequacy of the capital base as managed by finance is influenced by world events, by strategic actions (or failures) by the company, unexpected operational surprises, supply chain disruptions, and consumer perceptions of a company’s product or service and reputation. A Latin American business unit may rely upon parts manufactured in the U.S. or Asia, and its customers may be in Europe.
The bigger problem with silos is they don’t talk very well to each other, and in doing so, marginal risks to one silo may be very material to other parts of the organization and the lack of communication, awareness and proactive risk management could threaten the entire enterprise.
GlobalAtlanta: Can ERM help detect opportunities as well as downside risks?
Mr. Duncan: Absolutely! The same process one uses to identify risks can be used to identify opportunities. For example, if you can predict your critical parts exposure faster and better than your competitor who uses the same part, and have mitigation plans in place to ensure continuity of supply, then it’s a competitive advantage in the marketplace.
GlobalAtlanta: Does ERM have an impact on the transparency in a company? If so, is this for the better? Does ERM also benefit communication with shareholders and other concerned parties?
Mr. Duncan: Again, the answer is “yes”. Communicating the effectiveness of the ERM program to critical stakeholders helps these same stakeholders understand just how effective management is at protecting critical assets, and how resilient a company and its cash flow may be. A company’s ERM program should enhance the cash flow predictability of an organization, an important piece of information for a shareholder, for example.