Rating agencies pose challenging risks

Ask a Risk Manager

Q: Why should risk managers care about regulatory or rating agency concerns?

A: Whether your company operates in heavily regulated industries or is private and, therefore, subject to a more manageable reputational risk exposure, risks related to regulatory supervision or rating agency assessment can be significant and a challenge to manage.

Clearly, the more regulators your company may be subject to, the more substantial the challenge. Similarly, public companies, compared to private and nonprofit entities, have unique balance sheets and income statement exposures related primarily to their stockholders' expectations. Regardless of where your company fits in, any of these categories related to risk mitigation typically are critical to management and governance.

One high-profile example of regulatory risk comes from the Sarbanes-Oxley Act of 2002. Since passage, compliance has been central among regulatory risk management priorities for public companies--and for many private companies that have voluntarily committed to full or partial compliance.

The impact has been costly and far reaching and the cost benefit assessment is often viewed as a negative from a direct dollar standpoint. Recent press reports exhibit a growing number of financial restatements in 2006 alone. Clearly, Sarbanes-Oxley compliance has occupied much of management's attention and for good reason.

More often than not, risk managers are divorced from Sarbanes-Oxley compliance initiatives, and this separation is a critical mistake for companies that want the most efficient and integrated approach to managing risks and related controls. Unfortunately, this separation is all too common in most areas of regulatory risk management and creates overlapping and duplicate efforts towards managing common risks and controls.

Equally significant is the likelihood that a less than complete and integrated risk profile of the company can be assembled and reported to management and boards, which are best able to do their jobs with a view of risk that includes regulatory exposure. Particularly for companies subject to many regulators, this exposure grows exponentially.

Similarly, rating agencies bring exposure to companies both public and private that is similar to that of regulators. They may not be able to directly impose operating rules on those subject to their purview, but their ability to impact the reputation, cost of operations or, in extreme cases, the ability of a company to effectively compete can be substantial.

Here, there is even less probability that the typical risk manager is directly involved in the rating agency response process. Recently, however, the need for more direct involvement has been heightened by the more explicit call by agencies, such as Standard & Poor's Corp., to better understand risk management strategies and tactics of those companies they review, as well as separately rate those efforts and integrate this view into their overall rating of the company.

While not all rating agencies are taking this approach to assessing risk management effectiveness, all are interested in the same general question of ensuring risk management effectiveness. Also, while one might have assumed that this interest would be limited primarily to the financial risks of companies, it is clear that rating agencies are more and more interested in all significant risks that could threaten a company's performance. This is for an obvious reason: all risks lead to financial consequences, some good and many bad.

Since S&P has labeled its assessment of risk management as enterprise risk management and has been vocal and detailed in its expectations, I'll give you a quick overview of the rating agency's construct and what it's most interested in.

The S&P model is based on five pillars of managing risk: risk culture, risk control practices, extreme event management, economic capital and capital management, and strategic risk management. The model's foundation is built on risk culture and consists of the many, often fuzzier aspects of how companies operate and that define risk appetite and tolerances, among other things.

The first of three pillars that support an overarching view of strategic risk are risk practices and controls, which are used to mitigate risk to acceptable levels.

The second pillar is extreme events management, and is best understood in the context of insurance companies that specialize in financing such risk for others. In doing so, insurers put their own balance sheets at risk and--through reinsurance, underwriting rules or other methods and tools--match risk to the ability to reasonably and predictably assume it for others.

The third pillar is economic capital models and capital management. Here again, in an insurance company context, sufficient capital is the lifeblood of being able to assume risk. Being able to adequately evaluate and assess the amount of capital needed to do so is best done by being able to accurately model the impact of the risk taken. Economic capital models, which take many forms, are one way to build confidence in these estimates.

Finally, risk strategy forms an umbrella over all these elements and ties it all together with a view toward both the short- and long-term ability of the company to deliver its mission and meet its objectives. The S&P evaluation results in one of four ratings--ranging from "weak" to "excellent"--which include the extent to which a company considers risk in making its strategic decisions.

S&P is not the only oversight entity that has been so specific in defining how it views the most important element of managing risk. The National Assn. of Insurance Commissioners is ratcheting up its risk management expectations of the companies within its purview. As a result, risk managers can no longer afford to occupy the sidelines in the evolution of the discipline. In a classical sense, it is becoming more and more like competition generally; evolve how you manage risks or lose competitive advantage. Even if you can't take the lead, partner with those that have direct accountability for these functions and work together to make them as good as they can be.

This is just another part of the future of the risk discipline. Be an important part of this evolution and you'll see your career evolve as well.

Ask A Risk Manager, Ask A Benefit Actuary and Ask A Casualty Actuary answer written questions from readers on risk and benefits management issues and actuarial problems.

This month's column on rating agency concerns is written by Christopher E. Mandel, assistant vp, enterprise risk management at USAA Group in San Antonio; 2004 Risk Manager of the Year; and past president of the Risk & Insurance Management Society Inc.

Address your questions to ASK, Business Insurance, 360 N. Michigan Ave., Chicago, Ill. 60601. Please give us your name, title and employer; however, Business Insurance will consider unsigned letters.