Recently, Standard & Poor’s announced that it will begin to evaluate Enterprise Risk Management (ERM) processes at non-financial companies in the third quarter of 2008. S&P also indicated that it will begin to consider ERM program maturity and capability in determining ratings as of the fourth quarter.
Initial discussions will focus “…predominantly on risk-management culture and strategic risk management…” for the majority of industries, avoiding specific discussions of “…emerging risk management and risk-control processes.” In other words, the review will focus on the structure of an organization’s risk management effort and the supporting governance and review processes across all areas of enterprise risk, rather than on the substance and efficacy of specific risk management activities. Although it is too early to define the process S&P intends to use to evaluate ERM processes, industry experts believe the evaluation will draw on industry-specific benchmarking data when examiners reach conclusions. These same experts expect the findings to be qualitative in nature, meaning that more mature processes will demonstrate that the organization has a prudent risk management culture. Even though the scope of the current effort is limited and somewhat undefined, it will still broaden the discussion beyond the financial topics of credit risk, market risk and liquidity that have traditionally been S&P’s main focus. It will also move the discussion beyond the financial comfort zone of many CEOs and CFOs, creating a need for senior executives not only to assess strategic business risks, but also to get more involved in mitigating, transferring or accepting enterprise risks.
The opportunity to raise the profile of operational (and by extension, business continuity) risk and further integrate it into the corporate strategy is enormous. In the current climate, risk management, and its systematic and verifiable implementation, will do nothing but grow and mature across all areas of the organization. Business continuity professionals can help provide structure in key areas associated with operational risk, which are often weak points in many organizations’ ERM programs.
In organizations with a developed ERM effort, S&P’s expansion provides the business continuity manager opportunities to grow and strengthen the relationship with the ERM committee and mature proactive and reactive business continuity controls and processes. Establishing, at the least, a formal business continuity policy and framework that mandates repeatable activities to measure, control and manage operational risk will not only meet customer demands, but it will also protect key stakeholder interests.
In organizations without an established ERM program, the opportunity is even greater. Today’s business continuity professional must perform their duties in the context of risk management. Gone are the days of merely identifying recovery needs and developing plans to recover critical technologies and business activities. Current standards mandate a repeatable process to identify risks, evaluate their potential impacts on the organization, and develop appropriate treatments to mitigate, respond to, or recover from those risks. Introducing these concepts and standards, as well as the tools and business continuity management methods, as a potential basis for a larger risk management program could position business continuity as a major element of that program and an integral part of strategic planning.
Overall, this effort by Standard & Poor’s raises the visibility of ERM and provides the business continuity profession with an opportunity to raise its profile, establish a clear connection to the strategic goals of the organization, and provide recognized value on a much larger stage.