Enterprise Risk Management (Preview)
Chapter 1 – Risk Management Awareness

The New York Stock Exchange (NYSE) has corporate governance standards that are mandatory for listed companies. The standards note that senior management is responsible for risk management; however, the standards assign specific responsibilities to the audit committees of boards of directors. Audit committees must discuss the major financial risks of the organization and the steps taken to monitor and control these risks. In addition, audit committees need to discuss the policies that govern risk management processes. 29 The NYSE standards do not suggest that audit committees are solely responsible for risk management oversight at the board level. However, the responsibilities of the board are not specifically mentioned beyond what is expected from audit committees. The NYSE also provides guidance for effective ERM using a principles-based approach. The guidance covers four principles, namely: (1) executive sponsorship and risk culture; (2) effective governance and infrastructure; (3) risk management enablers and accelerators; and (4) effective communication and change management. 30

Credit Rating Agencies

Credit rating agencies use methodologies that are tailored to each type of industry and debt obligation. These methodologies are continuously updated and improved over time. To determine the overall credit rating of an organization, the agencies analyze the context of the organization, its approaches for managing risks, and the capacity that it has to remain viable and meet its financial obligations. As part of their analyses, the agencies consider how organizations manage risks applicable to their operations and industry. For example, if the organization is a bank, the credit rating agencies focus their attention on the management of risks associated with interest rates, currency exchange, asset liquidity, investment and loan maturities, regulatory capital, etc.
All credit rating agencies consider elements of ERM for determining the overall credit rating of an organization. In addition, some agencies assess ERM as a distinct component. For example, Standard & Poor’s (S&P) updated its methodologies in 2005 to specifically assess the ERM practices of financial services organizations. In 2008, S&P began to assess the ERM practices of all other organizations using a different approach. The different approach for non-financial services organizations focusses on risk management culture, structures, policies, decisions and communications. For these organizations, S&P examines how the most significant risks are identified and assessed, and how these risks and the risk management activities affect strategic and financing decisions. 31

International Context

Most international companies based outside of the United States issue securities that are traded publicly in the United States. These companies are listed with the SEC and major stock exchanges such as the NYSE. Accordingly, these international companies are subject to the same laws, regulations and rules that apply to publicly-traded companies that are based in the United States. Many companies that are traded only outside of the United States also adopt these regulations and rules voluntarily to improve their governance and risk management practices. However, many countries make some requirements mandatory within their jurisdiction, to ensure that minimum standards apply to all publicly-traded companies, and to protect the integrity of their financial markets.