
Standard and Poor's (S&P) announcement that it will now include an assessment of Enterprise Risk Management (ERM) practices in its rating process demonstrates the increasing importance of ERM as a core aspect of corporate governance. ONE asked S&P's Steven Dreyer why the company is making the change—and what it will mean for businesses in future.
ONE: Why now?
Steve Dreyer: We have been using ERM as one part of our evaluation for some time in specific sectors—since 2005 for insurance companies, for instance. We believe with the growing maturity of ERM practices, it has reached a stage where we can also give greater transparency to investors and issuers in non-financial sectors—by giving them our view of a management team's ability to understand, articulate and successfully manage risk.
ONE: What do you consider under the ERM banner?
SD: We won't be taking a prescriptive approach, because ERM cannot be a one-size-fits-all tool … nor should it just be a "box-ticking" exercise. The most important thing is that the organization should be aware of, and attending to, all risks—not eliminating them all, but taking steps to avoid any situations that might lead to losses that would be outside their level of tolerance. It's important that the board, management and shareholders have a common understanding of the type and level of risk that is acceptable. That's a fundamental responsibility at the board and senior executive levels, and it needs to be backed up by intelligent ways to identify and trim excess risks. Where ERM is properly established, it becomes part of the culture and the language around the firm's efforts to manage risk effectively.
ONE: If firms can show they comply with global standards, will that be enough?
SD: Compliance with standards like COSO or AS/NZS4360 is obviously beneficial, but it's not essential, nor would it be enough to demonstrate that they are managing their risks effectively. We will be looking for evidence firm by firm, and comparing them with their peers.
ONE: How will you achieve ratings consistency when the adoption of ERM varies so much around the world?
SD: The impact of ERM performance on overall ratings will vary based on the type of organization, the sector, the level of development, diversification and so on. You wouldn't expect to have identical conversations about ERM with a large, diverse multinational corporation on the one hand, and a small, single-industry firm in a developing market on the other.
We are focusing on delivering a consistent approach to evaluating two key aspects of ERM: risk culture and strategic risk management, which make comparisons of ERM performance possible. But the weight of ERM in the overall company rating will vary sector by sector, based on our assessment of how critical ERM is in each one.
ONE: What do you mean by strategic risk management?
SD: For us, it's about whether management has a clear view of the greatest risks the organization faces, how likely those risks are to occur, and what their impact would be on credit. We will seek to understand how—and how often—companies update those risk assessments, and how much influence risk sensitivity has on financing decisions and their management of liabilities. Ultimately, it comes down to what role risk management plays in their strategic decision-making.
ONE: Do you exclude risk control processes and emerging risk management from your approach?
SD: That goes to show the value of the consultation process we have been through. We came to the conclusion that going beyond what we currently do in those areas would represent a lot of additional effort, and we aren't sure it would deliver enough value at the moment.


