In July U.S. credit rating agency Standard & Poor's (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers. This is S&P's announcement, and here are their answers to common questions about it.
Extrapolating an ERM evaluation to a logical, eventual conclusion, if a company didn't have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence.
S&P already evaluates risk management at banks, insurance, energy and agribusiness companies, and now wants to do so for companies in other sectors. These are Asian corporates that S&P rates, and these are the U.S. corporates. You've probably heard of their S&P 500 index of American companies. S&P also rates companies, governments and debt instruments all over the world.
Suppose one of those companies wanted to issue a bond for US$200 million to build a new plant in, say, India. Suppose also that, due in part to its assessment of the company's risk management, S&P lowered the company's credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company is forced to pay a 4.1 percent coupon instead of 3.9 percent to make the bond attractive to investors or underwriters. Based on US$200 million, two-tenths of 1 percent (the difference between 4.1 percent and 3.9 percent) is US$400,000.
What could you do for US$400,000? Could you develop a company BCM program for US$400,000? Could you hire an experienced, certified BCP professional to run it for US$400,000? Set up a recovery site? Could you make a company genuinely more resilient--and therefore more credit-worthy--for US$400,000? As we say in Minnesota, "You betcha!" The benefit side of the BCP cost-benefit equation would be much easier to quantify.
Of course, it won't be anywhere near that simple or simplistic.
S&P says it aims to create "a more systematic framework for an inherently subjective topic". In the first six months, analysis will focus on "those broad ERM practices that can be found in all sectors", including a company's risk management "culture" and "strategic" risk management--the sort of qualitative, touchy-feely stuff discussed in interviews with senior executives. S&P analysts will not evaluate a company's risk control processes, or whether the company has a BCM program; that may come later. And S&P will evaluate large, multinational companies differently from how it assesses companies "in certain emerging markets".
Initial assessments will be delivered in narrative form only, with the first public comments to be published by the end of 2008. S&P says it hopes to develop and publish ERM evaluation criteria, and to start scoring companies on a quantitative scale, in 2009.
So they are tiptoeing into the minefield.
S&P clearly believes that a company's ability to manage its risks is an indicator of the company's ability to repay its debts. How accurate an indicator it is has never been quantified by a ratings agency. S&P's promised marketing innovation is to rank, on an ordinal scale (1 to 5, for example, or AAA to CCC), a company's ability to manage risk.
This is a clever marketing move for S&P, introduced at a very good time. Credit is a headline topic these days: U.S. mortgage loan defaults, enormous U.S. bank losses, staggering levels of consumer debt. But S&P and its main competitors, Fitch Ratings and Moody's Investors Service, have been accused of missing--and worse, misleading investors about--the credit collapse in the U.S. mortgage market. So this announcement can be seen as S&P doing a little reputation risk management of its own. The other ratings agencies won't be far behind in making similar announcements if S&P succeeds in selling its concept of ERM evaluations to its customers. Wikipedia lists the credit rating scales of those three agencies.
A very few companies understand that risk management can be a risk vs. reward evaluation, not just a cost vs. benefit calculation. S&P specifically says in its announcement that it sees ERM as a risk-reward calculation. It's intuitive that a company that manages risks well is more likely to pay its bills and debts.
I believe it will eventually also be acknowledged that companies that manage risk well are also better companies, better employers and better investments. Those companies enter second- or third-world markets (China, India) before their competitors. They develop innovative products that competitors can't or won't (pharmaceuticals come to mind). They offer services that competitors think unlikely to succeed (Apple's iTunes, at the time it was introduced). They manage quality control (Japanese manufacturers) and human resources (American tech companies) better, and so over time, have a competitive advantage. This view is articulated clearly and succinctly in this June 2008 paper from iJET International about resilience as a competitive advantage.
How can one prove that such companies are better investments? By tracking their ERM rankings against their stock prices. I have no doubt at all that S&P will be doing just that, and letting us all know when it has the proof.
NOTE: You will need to register at the S&P Web site to view the documents referred to in this post. You'll have to do likewise at the iJET Web site, if you want to view their document referred to in this post.
Getting credit for having a BCP
Cliff: look at S&P's definition of ERM (page 2 of their announcement) that states what they think ERM is and is not. It's hard to see how a company could spend 95% of its budget (380K of 400K, as you suggest) on ERM resources or activities that would not also be considered "BCP" resources or activities. Perhaps I don't understand your view of the differences between ERM and BCP.
Posted by Nathaniel Forbes on Monday, August 11 2008 08:56 AM
Quite right. BCM practitioners can gain valuable insight here: that it might be prudent to view ERM and BCM as inexorably linked. Professionals dealing with ERM or BCM could equally gain from each other's insights through a more collaborative approach when dealing with risk issues.
Thanks for an excellent article - I'm eagerly looking forward to seeing how the S&P initiative plays out, and wondering how the S&P action might impact Asia... interesting times ahead!
Posted by Mike Bumpus on Friday, August 22 2008 05:11 AM
If Business Continuity is the evolution of Disaster Recovery, then ERM is the evolution of Business Continuity - the goal of ERM and BC is, as I see it, the same - keep the organization in business. Whether you call it "enterprise risk management" or "enterprise business continuity," the program is the same - hunt up ALL risks from ALL areas and attend to them (avoid/mitigate them, develop response plans, protect and train personnel, etc.). Both BC and ERM programs are risk management umbrellas covering all aspects of the organization - law, HR, finance, production, etc. - without managing any of those organizations (we depend on Subject Matter Experts all the time; this is no different). To me, enterprise business continuity = ERM.
Posted by John Glenn, MBCI, SRP on Sunday, September 21 2008 08:22 PM
Assuming the analysis is valid, would the prospective $400,000 be for ERM or for BCM exclusively? I suspect ERM might take $380,000 ... leaving behind $20,000 for BCM, which is ... well ... in addition to their current BCM budget ... which is not so bad ...
Posted by c seow on Wednesday, August 06 2008 08:57 PM