Part 1: The Build-up
I was speaking in Boston last week at the GRC Summit put on by the Global Strategic Management Institute (GSMI). I was excited to see that Standard & Poor's was in attendance and would be speaking about their efforts to incorporate ERM criteria into their corporate ratings process. Geoffrey Buswick, the Managing Director of their Boston office, was giving everyone an introduction to, and update of, exactly what was going on over at S&P.
The session was very informative, if not a bit of a letdown. I guess you would have had to have been there two years ago, when I first heard news that S&P was going to start evaluating organizations' risk management capabilities. Of course, there were no real details and much speculation at that moment, but the timing couldn't have been more perfect. COSO had just released its much-anticipated guidance on Enterprise Risk Management and the PCAOB had issued Auditing Standard No. 5, which would push public companies to incorporate a more risk-based approach into financial statement reporting. The country was slowly coming to terms with the looming crisis and it seemed as if some good risk management might be just what the doctor ordered.
But perhaps what was most exciting in the S&P announcement was that a corporate icon appeared to be on the cusp of providing a viable alternative to increased government regulation. Recall that at the same time, the Payment Card Industry Security Standards Council was making a big splash in the business world with its Payment Card Industry Data Security Standards. In fact, the PCI Council has arguably experienced as much, if not more, success in broadly influencing industry behavior as any local or national regulation could. Would a new S&P rating system usher in a new era of transparency and self-regulation? Were we witnessing the birth of a new trend?
Part 2: Questions and Answers
In listening to the session last week, I was able to come up with some answers to questions I've had on my mind over the past few months – questions that have probably crossed your mind, as well.
Q. Why has it taken so long to get the ERM ratings criteria out the door?
As it turns out, the ratings criteria have been in the works since 2005. S&P began discussions with financial services and insurance companies early on, because risk management is a core business in these industries. Initially, there was an expectation that risk management practices would be more formal in these organizations, and lessons learned could provide the basis for solid evaluation criteria across other markets. Much to their surprise, however, the S&P has discovered that risk management methodologies and practices used in banking and insurance do not necessarily translate uniformly into other markets. As a result, while they would like to have more formal criteria to work with, right now the plan is to continue to use a short list of standard discussion questions during the evaluation process.
Q. So how does this work? These “discussion questions” are fairly open-ended. Do you just sit down and have a chat with these folks or do you request documentation and evidence when performing your evaluation?
The intent of the S&P is not to be an auditor or regulator. They feel that inquiring about an organization's risk management capabilities can provide value in the overall evaluation of an organization's creditworthiness, especially for those “cross-over” organizations that hover just above or just below investment grade. If organizations wish to share risk management reports that are regularly provided to the Board or meeting minutes regarding issues that are being addressed, that is more or less voluntary support that will be taken into account during discussions.
Q. What happens if one of your analysts performing an evaluation disagrees with the organization's assessment of its top risks?
The objective of the evaluation is not to determine the effectiveness of the organization's risk management efforts, but to enrich the existing process of gathering data to rate an organization's creditworthiness. If certain information is obtained during management discussions that sheds light on the organization's ability or willingness to repay its debt, that information will certainly be incorporated into the evaluation.
Q. So what's next for ERM and S&P?
Mr. Buswick made it clear that there would NOT be a separate ERM rating issued for companies, but that discussion questions that exist today would continue to be used in the ratings process until more formal criteria could be developed. His presentation did highlight the fact that the S&P tracks and reports key credit indicators on an aggregate basis across various market segments, but he reiterated that individual companies will not formally be rated on their susceptibility to these risk factors.
Part 3: Takeaways
Well, two years have passed and while I would love to be blogging about the historical significance of S&P's risk management efforts, I find myself sitting in an airport asking the barista for an extra shot of espresso before my redeye, wondering if anyone really cares. After all, it's not as if S&P sells ice cream. They aren't going to wake up tomorrow, for instance, and have a brand new flavor that combines pecan pie and cheesecake (wouldn't that be fantastic?). At the core, the S&P ratings are (and will always be) designed to provide an estimation of a company's ability and willingness to repay its debt. Sexy? No. Important? You betcha!
As a former auditor and investor, I must admit I was a bit bummed to find out that there would not be a separate rating system to measure companies on their risk management practices. Nearly two years have passed since the issuance of AS5 and while companies are supposedly incorporating broader risk management practices into their financial reporting processes, investors still have little information about how companies are managing risk (or, even more important, what risks are being taken to meet regular earnings forecasts).
The S&P ratings process, as depicted by the speaker, appears to be a delicate balance of both dark art and reputable science. Apparently, I'm not the only one who thinks so. Just two weeks ago, on Sept. 17, 2009, California Attorney General Edmund G. Brown Jr. issued subpoenas to Standard & Poor's, Moody's and Fitch to determine whether the firms violated California law when they recklessly gave "stellar ratings to shaky assets." It seems that the rating agencies themselves are going to have some explaining to do to account for the “credit cliffs” (rapid rise or fall in company ratings) that occurred in the wake of the recent financial meltdown.
I'm for a free economy just as much as the next guy, but recent questions about the credibility of ratings institutions and reliability of the ratings process make me wonder whether or not this function is too important to rest solely in the hands of corporate America. Indeed, what a difference two years has made. Check out this nice exposé in the Wall Street Journal and let me know what you think (requires subscription).