In the wake of 2008’s historic crash of Wall Street and unprecedented economic woes, the New Year brings a shift in how companies are viewing Governance, Risk and Compliance (GRC).
During the past couple of years, compliance has been a primary concern for many while risk management has taken a back seat as a purely tactical and after-the-fact activity. That’s all about to change. The financial events of 2008 and their fallout have forced companies to rethink the importance of risk management as an integral and strategic business driver.
In 2009 and beyond companies can expect auditors, audit committees, governments, regulators, and credit-rating agencies will increase scrutiny of corporate risk-management practices. Companies need to understand their risk profile –- which areas they are exposed in, which activities may be risky, and whether the risks taken are within the appropriate risk-appetite and -tolerance thresholds. With this shift, companies must now attempt to quantify, control, and mitigate risks that previously had not garnered their focused attention.
Case in point: Many of the credit rating agencies have been eyeing enterprise risk management (ERM) practices and are poised to tighten the screws. Standard & Poor is implementing a new risk management category as part of its credit ranking system this year. Moody's has been developing a holistic risk management rating methodology through its Enhanced Analysis Initiative and A.M. Best has stated that ERM will be included as an integral part of its rating process.
Those businesses who embrace ERM are likely to see a positive impact on their cost of capital and bottom line because agencies will draw a straight line from ERM ratings to better credit ratings. Although ERM won't eliminate risks, it certainly will prepare companies for difficult situations, thereby minimizing their negative financial effects.
In the future, the focus of ERM will shift from compliance, management and measurement to more business-driven results such as better loss optimization and strategic integration. Now is the time for corporations to honestly assess how well prepared they are to meet the portfolio of risks they face and begin to implement ERM as part of the complete business process. To do otherwise would just be, well, risky business.