Standard & Poor’s plans to assess enterprise risk management (ERM) practices at non-financial companies. The assessments will look at four components of ERM that S&P considers common to all industries: “risk-management culture and governance, risk controls, emerging-risk preparation, and strategic management.” According to a write-up in CFO, Vol. 24, March 2008 at 18, the new ratings analysis will look more specifically at a company’s “resiliency and ability to respond to regulatory risk, [and] lawsuit risk.” The ratings agency will base its final assessment largely on interviews with senior managers of the companies.
Does that mean S&P will try to ask the general counsel how well the legal team is prepared to handle major litigation? Or respond to changes in regulations? I don’t see how those responses, hardly disinterested, will help quantify ERM.