ERM Now Formally a Factor in Credit Ratings Issued by Top Agency

Credit ratings for banks, insurance companies and publicly-traded companies are issued by one of three agencies: Standard & Poor’s (S&P), Moody’s or Fitch. Together, these firms account for 95% of credit ratings issued in the world.

Although each of these firms evaluates a company’s ability to handle risks to the enterprise in one way or another, S&P was the first to formalize it as part of an entity’s credit rating. Beginning with financial institutions and insurance companies around 2004/05, S&P expanded its evaluation into the energy industry shortly thereafter.

By 2013, S&P was formally evaluating ERM within all of its management and governance assessments. According to the ratings agency, “corporate enterprises with a deliberate, consistent, articulated, resourced, and integrated approach that effectively identifies, selects, and prudently mitigates risks are more likely to build long-term credit strength as compared to enterprises with a casual, opportunistic, or reactive approach.”

Does this mean that all companies that have an S&P credit rating have mature risk management capabilities?

Hardly so, according to Steve Dreyer of S&P Global Ratings in this interview with the Director of Research for NC State’s ERM Initiative. Of all of the companies S&P evaluates, only 38% received a strong (1) or satisfactory (2) score.

This may seem a little bleak, but Dreyer explains that this number is up from when the agency first began making ERM a formal component in credit ratings.

While it hasn’t resulted in big changes with ratings, Dreyer explains that including ERM formally rather than embedding it in other areas “…definitely helps the conversation” and makes ERM more visible to executives.

What exactly is S&P looking at in their review of ERM?

S&P explains that the ultimate impact of ERM on a firm’s credit rating “…will depend on the risks of the firm, the susceptibility of the firm to those risks, and the capacity of the firm to absorb losses.”

In his interview with NC State, Steve Dreyer explains that companies that are doing ERM well are using methods and techniques that work for them. While they may hire consultants and work off of certain frameworks, companies fit the approach to their culture and internal language, not the other way around. (Check out this earlier article on tailoring ERM to fit the organization.)

With this caveat in mind, S&P evaluates a company’s ERM initiative within a general framework that includes the following four major components:

  1. Risk Management Culture & Governance – This component looks at the status of the risk management function within the organization, plus whether the entity has established risk tolerances and how they are applied to decision-making at all levels. Also, S&P will assign a higher rating for companies that clearly communicate risks and risk management to different business units. (Check out this earlier post on using risk appetite and risk tolerances for decision-making.)
  2. Risk Controls – This component evaluates risk control processes. S&P believes that a company achieves risk control by not only identifying, measuring, and monitoring risks, but also by setting limits and enforcing them through avoidance, transfer, offset or some other risk management process. Within this component, S&P also examines the alignment of overall risk tolerances with specific risk limits. (Do you know the four possible risk response strategies?)
  3. Emerging Risk Preparation – Risks that are new, extremely rare, or unknown cannot be managed through a risk control process. Therefore, S&P also evaluates how well a company is using trend analysis, stress testing, environmental scanning, contingency planning, risk transfer, and more to look into the future. Depending on the type of business, S&P will also look for evidence on how well a company is planning to cope before, during, and after an event. (Learn more about how General Motors approaches this area.)
  4. Strategic Risk Management – The fourth and final component examines how well risks and risk management processes are embedded into the organization’s strategic decision-making process. Procedures related to strategy that can be affected by risk(s) include capital budgeting, business planning, performance measurement, product management, acquisitions and divestitures, dividend practices and incentive compensation. (Here are a couple of earlier articles on this topic for some guidance: ERM as a Strategic Tool and Factoring Risk into Strategic Planning.)


Upon evaluating these 4 criteria, S&P analysts will assign a final rating of 1) strong, 2) satisfactory, 3) fair, or 4) weak for the company’s ERM function.

Just because S&P formally includes ERM in a company’s credit rating doesn’t mean the other large agencies ignore it.

“Risk management is listed as a consideration in determining the stand-alone rating for [a] company. It’s not an explicit factor,” states Neil Strauss of Moody’s Investors Services, Inc. “We have our methodology – we do discuss risk management.”

James Auden of Fitch Ratings, Inc., the smallest of the “big-three,” explains “How companies really identify the risks they face and measure them and how they set risk appetites – it kind of all works together and is embedded in our rating process.”

While S&P credit ratings pertain to larger, publicly-traded companies, it’s possible that lenders to mid-size or even small companies will evaluate a company’s risk management activities in the future.

If your company receives a credit rating from S&P, Moody’s, or Fitch and you’re one of the 60-plus percent who received a fair or weak score, it may be time to revamp or establish a program so your credit rating isn’t hampered.

To learn more about establishing an ERM program or understanding the differences between ERM and traditional risk management, continue browsing. And if you would like to discuss your individual company’s situation, please don’t hesitate to contact me today.
