Sometime late this year, Standard & Poor’s hopes to roll out a new category for its corporate ratings: enterprise risk management (ERM). The Big Three rating agency, which has been assessing finance and insurance companies on their risk management practices and capabilities since 2005, is “developing the criteria” for this specific rating category, a company spokesman says. The move highlights a reality: While ERM has become a popular term, some experts say that most corporations, especially outside of the financial sector, have not moved risk management far beyond the regulatory risk area nor made it an integral part of their operations.
“Typically, risk is managed in a silo fashion at most companies, with most of the focus on regulatory and financial risk, but ERM really has to be holistic in treating all risks equally seriously,” argues Sim Segal, U.S. leader of ERM services at consulting firm Watson Wyatt. “It also has to be able to look at what happens if two or more risks happen at the same time, which very few companies do.” Segal says that a survey of the 100 most serious losses in the stock market in recent history shows that 85% of the losses involved two or more risks occurring at the same time. Ward Sax, chief risk officer and treasurer at RTI, a not-for-profit research organization based in Research Triangle Park, N.C., agrees that ERM has “a long way to go,” and says, “It is clear that while a lot of companies talk about risk management, most are still really struggling with where to start.”