Credit rating is a highly concentrated industry, with the two largest CRAs, Moody's Investors Service and Standard & Poor's (S&P) controlling 80% of the global market share, and the "Big Three" credit rating agencies, which also include Fitch Ratings, controlling approximately 95% of the business. While the value of the rating agencies has been highly questioned, they remain critically important to many organizations. Risk managers can play a key role in preserving and improving their organizations' credit rating.
Having had the opportunity to participate in rating agency presentations for a publicly traded company and a non-profit, I learned that the process was similar for both and that the stakes were high, requiring a tremendous amount of preparation. In the case of the publicly traded company, my presentation materials were focused on traditional risk management and audit practice (it was the ‘90s), and with the non-profit my focus was on enterprise risk management (progress). The following, though not a comprehensive description of the rating process, describes key areas where risk managers should focus:
- Engage with the lead on the rating team (typically within the CFO division)
- Prepare a high level report for the lead's review. Provide information regarding how the organization is addressing risks, both insurable and non-insurable.
- Inquire about the rating agency criteria
- Agencies do not use the same criteria, but they are required to be transparent about the criteria and will share them beforehand. Through inquiry, you can identify the areas of risk that will be their focus. Read other institutions' credit reports for clues.
- Know your financial statements
- Carefully review your financial statements for what the rating agency analyst will be looking for: debt, finances, significant litigation, mergers and acquisitions, etc. and be prepared to address questions around risk in all these areas.
- Understand the metrics that are used
- In addition to financial metrics, the focus will also be on legal review, risk management and governance.
- Strategies and polices
- Board composition and capabilities
- Bank covenants
- Management turnover
- Ability to anticipate, predict and respond to potential challenges
- In addition to financial metrics, the focus will also be on legal review, risk management and governance.
- Rehearse your presentation
- It is common to rehearse individually and as a group for the presentation. Your presentation time will likely be less than 30 minutes. There may also be tours provided to the rating agency analysts, so assist in preparing the people involved and the physical location.
- Strategic - High-level goals that are aligned with and support the institution's mission
- Operational - Continuing management process and daily activities of the organization
- Financial reporting - Protection of the institution's assets and quality of financial reporting
- Compliance - The institution's adherence to applicable laws and regulations
- Internal environment - The general culture, values and environment in which an institution operates. (e.g., tone at the top)
- Objective-setting - The process management uses to set its strategic goals and objectives, establishing the organization's risk appetite and risk tolerance
- Event identification - Identifying events that influence strategy and objectives, or could affect them
- Risk assessment - Assessment of the impact and likelihood of events, and a prioritization of related risks
- Risk response - Determining how management will respond to the risks an institution faces. Will they avoid the risk, share the risk or mitigate the risk through updated practices and policies?
- Control activities - Represent policies and procedures that an institution implements to address these risks
- Information and communication - Practices that ensure that the right information is communicated at the right time to the right people
- Monitoring - Consists of continuing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed
- Policies that are supported by awareness and education (people know the right thing to do), backed up with reward and accountability for doing the right thing – built into employee selection process, job description, development plans and reviews and compensation plans (people want to do the right thing)
- Multiple reporting channels – anonymous hotlines for employees, customers and the public and ease of access to human resources, compliance, risk management and legal and the inclusion of continual communication that retaliation is not tolerated
- Incident reporting and tracking systems (claims, safety, human resources information systems, etc.)
- Risk assessments at both an enterprise level and at the functional level
- Business intelligence system – the ability to aggregate and analyze data across the organization to enhance detection and advance predictive modeling