Credit rating is a highly concentrated industry, with the two largest CRAs,
Moody's Investors Service and
Standard & Poor's (S&P) controlling 80% of the global market share, and the
"Big Three" credit rating agencies, which also include
Fitch Ratings, controlling approximately 95% of the business. While the value of the rating agencies has been highly questioned, they remain critically important to many organizations. Risk managers can play a key role in preserving and improving their organizations' credit rating.
Having had the opportunity to participate in rating agency presentations for a publicly traded company and a non-profit, I learned that the process was similar for both and that the stakes were high, requiring a tremendous amount of preparation. In the case of the publicly traded company, my presentation materials were focused on traditional risk management and audit practice (it was the ‘90s), and with the non-profit my focus was on enterprise risk management (progress). The following, though not a comprehensive description of the rating process, describes key areas where risk managers should focus:
- Engage with the lead on the rating team (typically within the CFO division)
- Prepare a high level report for the lead's review. Provide information regarding how the organization is addressing risks, both insurable and non-insurable.
- Inquire about the rating agency criteria
- Agencies do not use the same criteria, but they are required to be transparent about the criteria and will share them beforehand. Through inquiry, you can identify the areas of risk that will be their focus. Read other institutions' credit reports for clues.
- Know your financial statements
- Carefully review your financial statements for what the rating agency analyst will be looking for: debt, finances, significant litigation, mergers and acquisitions, etc. and be prepared to address questions around risk in all these areas.
- Understand the metrics that are used
- In addition to financial metrics, the focus will also be on legal review, risk management and governance.
- Strategies and polices
- Board composition and capabilities
- Bank covenants
- Management turnover
- Ability to anticipate, predict and respond to potential challenges
- Rehearse your presentation
- It is common to rehearse individually and as a group for the presentation. Your presentation time will likely be less than 30 minutes. There may also be tours provided to the rating agency analysts, so assist in preparing the people involved and the physical location.
What can lead to a downgrade? Failure to meet targets, two or more years of declining revenue, debt burden that exceeds 10% of operating revenue, significant turnover in leadership and litigation.
What can lead to an upgrade? Consistent financial performance, lower debt burden, modest future capital plans (not overextending) and a strong enterprise risk management program.
At the University of California (UC), we presented our enterprise risk management program during the rating agency review. Universities access the capital markets to finance their working capital need, so a strong credit rating is critical. The result was that UC was the first non-financial institution to receive credit agency acknowledgement of an enterprise risk management program. S&P's RatingsDirect on the Global Credit Portal wrote on Sept. 9, 2010: "The UC has implemented a system-wide enterprise risk management information system, which in our opinion, is a credit strength."
As a result of the presentation, Standard & Poor’s requested that we conduct a
webinar on Enterprise Risk Management in Higher Education for its analyst in New York and has continued to focus on the importance of ERM.
The company has written: "Standard & Poor’s Ratings Services has expanded its review of the financial service industry’s enterprise risk management (ERM) practices. This enterprise risk management initiative is an effort to provide more in-depth analysis and incisive commentary on the many critical dimensions of risk that determine overall creditworthiness. This enhancement is part of Standard & Poor’s holistic assessment of enterprise risk management of corporations and financial institutions. Standard & Poor's is continually enhancing its ratings process to respond to the emergence of new risks and marketplace needs and conditions."
The presentation centered on demonstrating that risk management programs and tools were in place and effective, fulfilling the following criteria:
ERM aims to measure an institution's achievement of four primary objectives:
- Strategic - High-level goals that are aligned with and support the institution's mission
- Operational - Continuing management process and daily activities of the organization
- Financial reporting - Protection of the institution's assets and quality of financial reporting
- Compliance - The institution's adherence to applicable laws and regulations
Within each of these four objectives, there are eight related components:
- Internal environment - The general culture, values and environment in which an institution operates. (e.g., tone at the top)
- Objective-setting - The process management uses to set its strategic goals and objectives, establishing the organization's risk appetite and risk tolerance
- Event identification - Identifying events that influence strategy and objectives, or could affect them
- Risk assessment - Assessment of the impact and likelihood of events, and a prioritization of related risks
- Risk response - Determining how management will respond to the risks an institution faces. Will they avoid the risk, share the risk or mitigate the risk through updated practices and policies?
- Control activities - Represent policies and procedures that an institution implements to address these risks
- Information and communication - Practices that ensure that the right information is communicated at the right time to the right people
- Monitoring - Consists of continuing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed
Your criteria (framework) could be different; the key is to demonstrate that you have an effective means of identifying, managing and monitoring a wide variety of risks across the enterprise. Of primary importance is the identification of risks. The analysts are very concerned that organizations are going to be hit by surprises and thus be ill-prepared to respond and recover from them.
Examples of programs and tools that evidence your ability to detect risks:
- Policies that are supported by awareness and education (people know the right thing to do), backed up with reward and accountability for doing the right thing – built into employee selection process, job description, development plans and reviews and compensation plans (people want to do the right thing)
- Multiple reporting channels – anonymous hotlines for employees, customers and the public and ease of access to human resources, compliance, risk management and legal and the inclusion of continual communication that retaliation is not tolerated
- Incident reporting and tracking systems (claims, safety, human resources information systems, etc.)
- Risk assessments at both an enterprise level and at the functional level
- Business intelligence system – the ability to aggregate and analyze data across the organization to enhance detection and advance predictive modeling
Key takeaway: As a risk manager or enterprise risk practitioner, your engagement in the credit rating process is an ideal way for you to add value. Leverage your ERM program to highlight your organization's ability to detect, manage and respond to risk events.