I've been reading for more than a year now that compliance is giving way to enterprise risk management -- both in terms of corporate strategy and in terms of software solutions. Today there is further evidence that such is indeed the case. Financial Week reports that Standard and Poor's will now include enterprise risk management in its determination of a company's credit ratings. More specifically, S&P will look at the following four factors:
ERM has been a part of S&P ratings for the financial and insurance industries for a while, but the story says it now will be used in industries anywhere from "airlines [to] pharmaceuticals and retail."
How should companies respond to the announcement? According to Financial Week:
[Companies] first must take inventory and evaluate any existing ERM processes against the four S&P criteria. Second, management needs to take action to remedy any inadequate processes. S&P will not implement these changes overnight, but it's reasonable to expect that it will start to give official ratings as early as 2009. Companies should start making changes now to prevent any adverse effects on their ratings scores and, thus, their ability to access capital.
Like compliance initiatives before it, though, ERM must have buy-in from top management before it will be successful in the enterprise. As of yet, ERM has "barely made it on the [C-suite priority] list" save in the finance world, but S&P's move should change that, the story says.