The S&P Assessments


My notes, live, from the Compliance Week Conference session by Steven Dreyer who is overseeing Standard & Poor’s program to assess corporate ERM efforts as part of credit ratings. Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings (.pdf)

S&P’s ERM review for non-financial companies will be based primarily on information provided by issuers in public disclosures and through discussions with S&P analysts. S&P does not require written responses to these questions, but will certainly consider them if provided to supplement or make more efficient our in-person discussions.

  • What are the company’s top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
  • What is management doing about top risks?
  • What size quarterly operating or cash loss has management and the board agreed is tolerable?
  • Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure success of risk management activities?
  • How would a loss from a key risk impact incentive compensation of top management and planning/budgeting?
  • Tell us about discussions about risk management that have taken place at the board level or among top management when making strategic decisions.
  • Give an example of how your company responded to a recent “surprise” in your industry and describe whether the surprise affected your company and others differently.

All S&P cares about is the ability of the company to repay its debt. Corporate social responsibility is nice, but does not affect credit. S&P does not lower a credit rating on an airline because of a plane crash. They care about cash flow. They do care if a risk is a risk to cash flow. S&P is not a missionary for ERM.

So why are they adding ERM to credit ratings for non-financial institutions?

  • Enhance Analytical Process & Focus
  • Create More Forward-Looking Ratings
  • Better Insights and Communication on Management
  • Differentiate Better

Non-financial institutions tend to die very slow deaths. Financial institutions have the potential to fall off a cliff and disappear quickly. For non-financial institutions, ERM is a means to see inside the enterprise and judge how well it may be able to bounce back from issues and crises.

Every company has an appetite for risk and a tolerance for risk. By focusing on risk management, there is some insight into how they treat risk, the appetite and the tolerance.

What Is S&P Not Looking For… (These mindsets can actually hinder effectiveness):

  • Eliminating all risks
  • Cramming together disparate policies
  • Solely compliance/disclosure requirements
  • Replacement for internal controls
  • A shiny new software program
  • Naming a CRO and calling it a day

“The reviews will focus predominantly on risk-management culture and strategic risk management, two universally applicable aspects of ERM.” – Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings, May 7, 2008

Culture = Communications, Frameworks, Roles, Policies, Metrics, Influence

Strategic = Identification and Updating Process, Impact on Key Decisions

Here are some ERM discussion topics he offered:

  • How are key risks identified, updated, and dealt with?
  • How is risk tolerance defined and communicated?
  • Who “owns” risk in the organization and how is success measured?
  • What is the board’s involvement in risk management?
  • How did your company respond to _______________ ?

Ultimately, they are looking for evidence of effectiveness. They are planning to release the criteria during the fourth quarter of 2009. They are currently in the process of benchmarking and comparing information. They are thinking about using a rating scale, but there is a concern that people will focus on the number and not the nuances that went into the number.

A counter-intuitive result was that the companies that responded quicker to questions were more accurate than those that took longer. The quick result was because they had better access to their information. The longer response was because the information was hard to find and less reliable.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Corporate In-House Counsel in the Age of Internal Compliance

You can listen to a webinar from the Georgetown Journal of Legal Ethics Fall Symposium – Corporate Compliance: The Role of Company Counsel from October, 2007.

Panel III – Corporate In-House Counsel in the Age of Internal Compliance

Professor Rostain started off with a summary of her paper: General Counsel in the Age of Compliance – A Research Agenda (.pdf).

She cites two reasons for compliance regimes. One is the diffusion of compliance throughout the organization; the goal is to centralize the management of those functions. The second is the multi-disciplinary approach to compliance: you need different types of knowledge and expertise. In-house counsel needs to relinquish some of the control to group managers.

Are in-house counsel managers first, or are they lawyers first? Which is the better model? Do they exert more influence when they take the role of manager or the role of lawyer? Professor Rostain cited some previous studies on these topics. If they focused on legal risk, they had less influence over corporate decision making. Lawyers limited to explaining the risk and deferring the risk decision to the managers had less influence in the corporation. One survey respondent described managers as playing offense and counsel as playing defense.

Professor Rostain gave an example of counsel making clear what her personal opinion was and what her professional opinion was.

Killingsworth pointed out the dark side of the new powers of general counsel. After SOX, new reporting obligations were forced on general counsel. One problem is that the general counsel may be investigating a potential violation and have a duty to report it at the same time, making it difficult to do both well. Counsel are also worried about the increased risk of criminal action against in-house counsel. You only talk to regulatory people about your compliance program when it has failed. You need to penetrate down to everyone that can get you in trouble and everyone that can keep you out of trouble. It is important to move from abstract compliance terms into the mechanics of the business processes.

Straw states that “knowledge of the business” is the most important part of creating an effective compliance program. The face of compliance needs to be visible and accessible. A code of conduct sitting on the bookshelf is not effective.

Barlow focused on risk. She talked about ERM, the process and how it fits into compliance.