Management analysis is arguably the most qualitative and immeasurable among the many considerations of a Standard & Poor's Ratings Services' credit rating. A rating committee's opinion of management's overall capabilities, fidelity to and consistency of a sound strategy, and adaptability to changing circumstances are perhaps the strongest influences on the future direction of a credit rating. Nevertheless, the quality of management judgment is not as easily benchmarked by quantitative metrics in the way that ratios and models of cash flow adequacy, liquidity, earnings capacity, and leverage help shape our views of a company's financial profile.
Proposal Summary
We now propose to introduce Enterprise Risk Management (ERM) analysis into the corporate credit ratings process globally as a forward-looking, structured framework to evaluate management as a principal component in determining the overall business profile. (The business profile, along with the financial profile, are the key factors of a Standard & Poor's credit rating.) Discussions with company managers, part of our normal credit review process, would inform the ERM evaluation. We would then score companies to benchmark our opinions of ERM quality. Furthermore, we expect that deterioration or improvement in a company's ERM quality would potentially drive rating and outlook changes before the consequences are apparent in published financial results. Companies with superior ERM should have less volatility in earnings and cash flow, and will optimize the risk/return relationship.
We invite comments by Feb. 1, 2008 on:
The ERM analysis approach,
The value of adding ERM analysis to the credit ratings process, and
The particulars of the proposed methodology.
By March 1, 2008, we expect to decide on whether to include ERM analysis, including methodology and a timetable for its introduction.
Our interest in codifying management analysis under the ERM heading coincides with increased interest by many companies to initiate their own ERM programs -- or other risk-management practices -- to increase risk-adjusted returns, improve strategic judgment, and/or avoid extraordinary losses due to lawsuits, fines, operational failures, or negligence. The intersection of these interests is in the expectation that a firm's future ability to meet financial obligations in full and on time is more likely to be enhanced by strong ERM or diminished by weak or nonexistent ERM. Our principal interest in evaluating ERM is to implement steps that will limit the frequency and severity of losses that could potentially affect ratings.
Scoring ERM
We expect to assign scores of ERM quality to all companies we review. A primary consideration is whether to provide the same scoring rules across financial and nonfinancial sectors. While using a commonly applied scale would make it easy to compare the ERM quality of, say, Unilever PLC with Citicorp, it would likely fail to provide differentiation among firms in financial or nonfinancial sectors. Risk management in financial services firms is fundamental to their very existence. Financial firms buy and sell risk, while nonfinancial firms accumulate risk as a consequence of making some other product or providing some other service. In other words, financial firms are fundamentally "riskier" than nonfinancial firms. For this reason, we propose to use different scoring definitions for nonfinancial firms.
Companies that are considered "weak" on ERM are missing complete controls for one or more major risks, because the firm has limited capabilities to consistently identify, measure, and comprehensively manage risk exposures and thus, limit losses. Execution of its risk-management program is sporadic, and losses may be widespread according to a set of predetermined risk-/loss-tolerance guidelines. Risk and risk management may sometimes be considered in the firm's corporate judgment.
Those companies considered "adequate" often manage risk in separate silos, but maintain complete control processes because the firm has capabilities to identify, measure, and manage most major risk exposures and losses. Firm loss-/risk-tolerance guidelines are less developed. Unexpected losses are somewhat likely to occur, especially in areas beyond the scope of the existing ERM practices. Risk and risk management are often important considerations in the firm's corporate judgment.
Companies that are "strong" demonstrate an enterprise-wide view of risks, but are still focused on loss control. These companies have control processes for major risks, thus giving them advantages due to lower expected losses in adverse times, as the firm can consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. A strong ERM firm is unlikely to experience unexpected losses outside of its tolerance level. Risk and risk management are usually important considerations in the firm's corporate judgment.
Companies that are considered "excellent" possess all of the characteristics of those scored "strong" and will also demonstrate risk/reward optimization. The firm has very well-developed capabilities to consistently identify, measure, and manage risk exposures and losses in the company's predetermined tolerance guidelines. Risk and risk management are always important considerations in the firm's corporate judgment. It is highly unlikely that the firm will experience losses outside of its risk tolerance.
The weight of the score in the credit rating will vary depending on the importance of ERM for the particular company/sector. We would expect to introduce ERM analysis into the ratings process by the end of first-quarter 2008. However, we would refrain from assigning ERM quality scores to individual companies, until we have reviewed a sufficient number to provide a range of comparability across firms and time. This could take as little as a few months, but will likely require at least one year.
Background
The way that businesses plan for the future is changing. Analyses of potential results over near-infinite possibilities are replacing single-view business plans. Many companies examine returns per unit of risk as well as the overall return on investment, allocate capital to business units on a risk-adjusted basis, and hold managers accountable for risk-adjusted profitability. The old adage that you must take on risk to achieve reward, often used to justify any new and untested process, now requires additional steps to quantify how much risk is involved for exactly how much reward. We observe that this combination of management practices, collectively known as ERM, is fundamentally consistent with the underlying nature of credit ratings. ERM specifies the range of risks that might affect a firm; credit ratings are concerned with any risk that might endanger the ability of the firm to meet its financial obligations. With ERM, management explicitly states its risk tolerance and develops processes to keep losses within that tolerance; credit analysts attempt to illustrate the firm's capacity to absorb losses and likelihood that management can limit losses to a level within that capacity for a given rating. ERM provides management with information to optimize earnings -- and ultimately the firm's value -- while staying in a well-defined risk tolerance. Credit ratings are heavily influenced by that same information in expressing a projected forecast over a rating horizon.
ERM also provides a new and clearer language for transferring information about management's intentions and capabilities, which are critical to credit evaluation. Traditional credit analysis is primarily an inference process. Analysts meet with management to understand corporate strategy, examine financial statements and forecasts, and perform other research into risks that might affect the ability of the company to meet its financial obligations. From that, analysts infer the future fundamentals of the firm. However, analysts still conjecture likely results, and this credit-focused analytical process can be simplified by the information transfer via ERM.
Standard & Poor's Experience With ERM Analysis
Since 2005, Standard & Poor's has included ERM in our rating evaluations for financial institutions and insurance companies. It has provided two key types of information: the degree to which a firm has comprehensive mastery of the risks that they face, and the extent that the firm's management optimizes revenue for the risk they are willing and able to take. In some cases, our confidence in management's ability to control risk taking allows us to conclude that a firm could absorb an apparently high level of potential risk exposure, and still qualify for high ratings. Conversely, firms with relatively low prima facie risk exposure, but with a weak ability to control risk, might receive lower ratings. While ERM did not radically change the way we assign ratings, the structure provided deeper insights that have caused us to change ratings or outlooks on many companies in the financial services sector.
In 2005, Hurricane Katrina cost insurers more than $41 billion, the largest loss event ever for the industry. The magnitude of losses eventually reported shocked many. In the wake of the disaster, ERM was a differentiating element when we reviewed insurer credit ratings. Some insurers with weaker ERM had losses that were as much as twice what they previously reported as their "probable maximum loss". These insurers were unable to even estimate their losses several days after the event. On the other hand, insurers with stronger ERM could quickly estimate losses that were within 25% of actual claims. These insurers could quickly pinpoint where weaknesses were in their ERM processes and took immediate steps to rectify them. Although we do not expect ERM to eliminate losses, firms with good ERM should not only have smaller losses in adverse times, but also rebound more quickly from those losses and establish better future practices.
More recently, many financial institutions have reported steep losses in the value of their securities backed by subprime mortgages. Despite the severity of some of the losses, we expect the effects to be less severe for those institutions that, in our opinion, demonstrate stronger ERM practices.
To build on our experience gained in evaluating the trading risk component of ERM in financial institutions, in April 2006, we launched a pilot project to supplement our analysis of energy companies' trading risk with ERM concepts (see "Taking The "PIM" Approach When Assessing U.S. Energy Companies' Risk Management," published April 21, 2006 on RatingsDirect). The year-long project to evaluate trading-risk management of 10 energy firms yielded substantively new quantitative and qualitative information to augment capital and liquidity tests previously used to assess trading risk. Although we intended to focus narrowly on control processes for risks from trading in fuel and electricity markets, our analysts gained broader insights into firms' risk-management capabilities and cultures that could influence ratings (see "S&P Completes Initial "PIM" Risk Management Review For Selected U.S. Energy Firms," published May 29, 2007 on RatingsDirect). Encouraged by the pilot project, we expect to extend trading-risk-management analysis to other energy companies in commodities trading and to formally introduce our risk-management policies, infrastructure, and methodologies (PIM) approach into the ratings of these firms, along with those of the initial 10 companies, in early 2008. We will take this step whether or not we proceed with incorporating the broader ERM analysis into corporate ratings overall.
Scope and process
We expect to tailor the ERM analysis based on a firm's unique risks, structure, and culture. ERM is different in each sector, because the risks and necessary risk-control measures are different. While there is no single recipe for the best ERM platform, we believe that we can distinguish each company's effectiveness in managing risk by relying on a customized and consistent general framework. Four major analytic components will be a part of ERM, regardless of the company or sector analyzed. These include:
Analysis of risk-management culture and governance,
Analysis of risk controls,
Analysis of emerging risk preparation, and
Analysis of strategic risk management.
We formed this perspective on ERM through evaluating ERM programs of insurers and banks. In those sectors, primary risks are financial market risk, credit risk, and underwriting risk through corporate and individual insurance programs. In both sectors, we have incorporated ERM analysis as a standard of the credit review. Rating committees discuss the quality of the ERM program in establishing potential ratings.
In evaluating ERM capabilities for all financial and nonfinancial entities, we will observe how management defines its overall loss tolerance and the processes it has established to ensure that losses remain within that tolerance. In addition, the ERM evaluation will focus on the degree that management views risk and reward for risk taking in setting corporate direction. The ERM evaluation ultimately will be our opinion of the quality of management practices. The focus will be to look for adherence to systematic and consistent practices that limit future losses to achieve an optimal risk/reward structure. We will compare the ERM practices with sector risks, those identified by company management, and those of corporate peers. We will form our opinion relative to the complexity of the risks the firm faces, as well as its vulnerability to those risks. We will expect sophisticated risk-management practices to deal with more complex risks, and understand that less-sophisticated risk management may be sufficient in simpler situations.
Risk-management culture and governance
Risk-management culture measures the importance of risk and risk management in considering daily corporate judgment. To evaluate risk-management culture, we will evaluate the organizational structure, as well as the roles, capabilities, and accountabilities of those who execute risk management. The governance structure as it relates to risk management is a critical aspect of ERM. A favorable indicator of risk-management governance is a structure that strongly influences corporate judgment by risk-management staff. Perhaps even more important is the degree to which line-level managers adhere to risk tolerances in daily decision making.
Communication of risk and risk management inside and outside of the firm are important indicators of risk-management culture. A firm with a strong risk-management culture will have a very transparent risk-management process inside and outside the company, through public communications. Understanding of risk tolerances and how risk management affects daily decisions should be consistent from the board of directors down to line-level managers. Regarding external communications, it is important to note that compliance with regulatory standards is often insufficient. In fact, an excessive compliance culture may belie a weak risk-management culture. This is because a compliance approach to risk management usually means that the firm has neglected self-assessment and prioritization of risks and risk-management activities, leaving those roles to the regulator.
Risk controls
Firms achieve risk control through identifying, measuring, and monitoring risks, setting and enforcing risk limits, and managing risks to meet those limits through risk avoidance, risk transfer, risk offset, or other risk-management processes. We will expect firms to have programs structured to effectively deliver the risk controls necessary to maintain exposures and losses, as well as consistent execution of those programs so that future implementation will be a given. We will evaluate risk-control processes for each firm, considering those risks that we have identified for the overall sector, as well as those identified by management. Consistency between the overall corporate risk tolerances and the specific risk limits will be an important consideration. We will also review summary descriptions of risk-control programs for each major risk, as well as detailed examples of actual execution.
The PIM approach focuses on three key aspects of a firm's risk-control practices, specifically:
Policies, including business strategy, risk tolerance, risk authorities, and disclosure (i.e., internal and external reporting);
Infrastructure, including personnel, operations, data, and technology; and
Methodology, including risk metrics, stress testing, validation, and performance measurement.
The relative importance of each of these aspects in forming our opinion of a firm's risk control quality will depend on the complexity, size, and risk tolerance for each firm (See tables 1 and 2).
Table 1
Sample Risk Types
Environment risks: Business continuity; Business market environment; Environmental; Liability lawsuits; Natural disasters/weather; Pandemic; Physical damage; Political risk; Regulatory/legislative; Terrorism
Financial risks: Capital availability; Credit/counterparty; Financial market risk; Inflation; Interest rates; Liquidity
Supply risks: Commodity prices; Supply chain
Management risks: Corporate governance; Data security; Employee health and safety; Intellectual property; Labor disputes; Labor skills shortage; M&A/restructuring; Managing complexity; Outsourcing problems; Project management; Reputation; Technology failure
Table 2
Sample Risk Control Processes
Disclosure (external)
Diversifying
Hedging
Insuring
Limiting
Monitoring
Reporting (internal)
Securitizing
Training and prevention
The number and types of risk-control processes we will analyze can vary by sector and firm, depending on the key risks we believe can meaningfully affect credit quality when managed particularly well or poorly.
We will develop criteria for evaluating the quality of risk controls within each segment, and have already begun this process for the power generation sector. We will subject these specific risk-control criteria to a separate public exposure and comment process before implementation.
Tables 3 through 7 below show our initial view of key risks for each sector. The risks and sector delineations should be considered indicative and not exhaustive. We may likely group or expand along both dimensions before implementation.
Table 3
Manufacturing And Transportation
Airlines
Auto
Capital goods/engineering and construction
Commodity prices
Liquidity
Commodity prices
Labor disputes
Strategic execution
Labor skills shortage
Liquidity
M&A/restructuring
Project management
Pandemic
Regulatory/legislative
Strategic execution
Political risk
Supply chain
Liquidity
Regulatory/legislative
Labor disputes
M&A/restructuring
Terrorism
Reputation
Supply chain
Table 4
Commodities And Basic Industries
Chemicals
Natural resources
Oil and gas
Commodity prices
Commodity prices
Commodity prices
Environmental concerns
Liquidity
Environmental concerns
Liability lawsuits
Expropriation/political risk
Natural disasters/weather
M&A/restructuring
Pandemic
Supply chain
Expropriation
Terrorism
Regulatory/legislative
Table 5
Utilities And Infrastructure
Electric utilities
Integrated gas
Power generation
Commodity prices
Commodity prices
Commodity prices
Environmental concerns
Labor skills shortage
Credit/counterparty
M&A/restructuring
M&A/restructuring
Environmental concerns
Political risk
Natural disasters/weather
Financial market risk
Regulatory/legislative
Physical damage
Liquidity
Project management
M&A/restructuring
Terrorism
Physical damage
Table 6
Consumer, Retail, And Health Care
Consumer products
Health products
Health services
Retail
Failure to innovate
Failure to innovate
Regulatory/legislative
M&A/restructuring
M&A/restructuring
Liability lawsuits
Reputation
Pandemic
Reputation
Regulatory/legislative
M&A/restructuring
Strategic execution
Reputation
Table 7
Technology, Media, And Telecommunications
Hotel and gaming
Media and entertainment
Technology
Telecommunications
Employee ethics/fraud
Failure to innovate
Data security
Revenue assurance
M&A/restructuring
Financial market risk
Failure to innovate
Failure to innovate
Pandemic
Intellectual property
Intellectual property
Regulatory/legislative
Terrorism
Liquidity
Labor skills shortage
Capital availability
M&A/restructuring
Project management
Financial market risk
Regulatory/legislative
Strategic execution
M&A/restructuring
Strategic execution
Supply chain
Regulatory/legislative
Emerging risks preparation
Emerging risks are those that are completely new or extremely rare adverse events, and therefore cannot be managed via a control process. However, some practices used by some firms provide meaningful benefit to addressing such risks. These include environmental scanning, trend analysis, stress testing, contingency planning, problem post-mortem, and risk transfer. We will look for firms to show that they are practicing emerging risk management in expectation of negative events, and will also look for the results of such planning during and after adverse events. Those results will include immediate information on the exposure of the firm to loss from the actual event, a prompt and sure response, the ability to moderate losses, and the ability to establish clear modifications for future procedures.
Strategic risk management
Strategic risk management is the process that a firm uses to incorporate the ideas of risk, risk management, and return for risk into corporate strategic decision-making processes. A comprehensive measure of risk is usually a key concept in these processes. Our analysis of strategic risk management will start with understanding the firm's risk profile and obtaining management's explanation of recent changes in the risk profile, as well as expected future modifications. Risk profile can be expressed in terms of earnings loss, enterprise value, or other important financial metrics for various risks or for each firm business. We will study the method used for allocating any diversification benefit incorporated into the risk profile, as well as the effect of the allocation choice on the strategic decisions made using the risk capital.
Strategic processes affected by risk and risk-management thinking include capital budgeting, strategic asset allocation, product and new venture risk/reward standards, risk-adjusted financial targets, acquisitions and divestitures, performance measurement, dividend practices, and incentive compensation. The degree that risk is vital to these processes, and that risk and risk management are also considerations in these processes, indicates the quality of strategic risk management.
We will combine the evaluations of each of these five areas into a single classification of ERM quality. The degree of importance of each factor will vary among firms.
Ratings Impact
We believe ERM could significantly enhance our assessment of a company's ability to anticipate and manage risk, but we are still in the evaluation stage. We will carefully reflect on responses to this Request for Comment before making a decision, which will depend on how the ERM analysis can influence credit strength, as well as how it affects the ratings process.
The ultimate importance of ERM to a firm's rating will depend on the risks of the firm, the susceptibility of the firm to those risks, and the capacity of the firm to absorb losses. For a firm with a high liquidity and/or excellent access to funds and a business plan that concentrates on retaining only those risks that are less complex and well understood, ERM will be less important in forming the rating decision. For firms with tight capital and/or limited access to funds that are exposed to very complex risks, ERM will be a very important part of the rating evaluation. However, capital and liquidity are not seen as a substitute for ERM. For a high ERM score, even a well-funded company still must demonstrate the ability to maintain that position by limiting future losses.
Once criteria are established, we will begin to carry out company ERM analysis generally on their current annual review cycle. We plan to add an ERM segment to our external reports on all corporations, much like we do now with short-term credit factors, accounting, and other items. We will publish ERM quality scores only after completing enough reviews to support comparisons across a representative sample.
We have no illusions that ERM analysis will be a panacea or eliminate surprises that necessitate sudden rating changes. However, it may provide insights that allow us to better anticipate which firms are more or less likely than others to weather, rebound, or even capitalize on the unexpected.
Response Deadline
Please submit your comments on any aspect of the ERM proposal through Feb. 1, 2008 to criteriacomments@standardandpoors.com or by contacting the authors of this article, or additional contacts in table 8.
Table 8
Contact Information
Credit analyst, Location, Phone, E-mail
United States
Richard Cortright, New York, (1) 212-438-7665, richard_cortright@standardandpoors.com
Evan Gunter, New York, (1) 212-438-6412, evan_gunter@standardandpoors.com
Terry A. Pratt, New York, (1) 212-438-2060, terry_pratt@standardandpoors.com
Prodyot Samanta, New York, (1) 212-438-2009, prodyot_samanta@standardandpoors.com
Arthur Wong, New York, (1) 212-438-7870, arthur_wong@standardandpoors.com
Latin America
Ivana Recalde, Buenos Aires, (54) 11-4891-2721, ivana_recalde@standardandpoors.com
Europe
Amra Balic, London, (44) 20-7176-3637, amra_balic@standardandpoors.com
Keith Bevan, London, (44) 20-7176-7075, keith_bevan@standardandpoors.com
Trevor Pritchard, London, (44) 20-7176-3737, trevor_pritchard@standardandpoors.com
Raam Ratnam, London, (44) 20-7176-7066, raam_ratnam@standardandpoors.com
Australia
Jeanette Ward, Melbourne, (61) 3-9631-2075, jeanette_ward@standardandpoors.com