The PNG University of Technology

Department of Business Studies

AC422 (Financial Risk Management)
Dr. Luis R. Alamil, CPA, FFA-Aus., Ph.DBA
Course Facilitator
=====================================================================================

Lecture/Reading Material
on
(Chapter 4)

ENTERPRISE RISK MANAGEMENT (ERM)

Given the speed of change in the global business environment, the volume and complexity of
risks affecting an enterprise are increasing at a rapid pace. At the same time, expectations for
more effective risk oversight by boards of directors and senior executives are growing. Together
these suggest that organizations may need to take a serious look at whether the risk
management approach being used is capable of proactively versus reactively managing the
risks affecting their overall strategic success. Enterprise risk management (ERM) is becoming a
widely embraced business paradigm for accomplishing more effective risk oversight.
Learning Objectives
After studying this chapter, you shall be able to:
1. Discuss understanding on the overview of enterprise risk management.
2. Explain the underlying principles of Enterprise Risk Management (ERM).
3. Cite the elements of an ERM process and briefly explain each process.
4. Analyze and assess the focus of ERM.
5. Relate current issues in ERM to a workplace setting.

4.1 OVERVIEW OF ENTERPRISE RISK MANAGEMENT

Leaders of organizations must manage risks in order for the entity to stay in business. In fact,
most would say that managing risks is just a normal part of running a business. So, if risk
management is already occurring in these organizations, what’s the point of “enterprise risk
management” (also known as “ERM”).
This section revisits the traditional risk management to better understand the subject of ERM..
Business leaders manage risks as part of their day-to-day tasks as they have done for decades.
Calls for entities to embrace enterprise risk management aren’t suggesting that organizations
haven’t been managing risks. Instead, proponents of ERM are suggesting that there may be
benefits from thinking differently about how the enterprise manages risks affecting the business.

1
 Figure 3 – Traditional Approach to Risk Management

Traditionally, organizations manage risks by placing responsibilities on business unit leaders to

manage risks within their areas of responsibility. For example, the Chief Technology Officer
(CTO) is responsible for managing risks related to the organization’s information technology (IT)
operations, the Treasurer is responsible for managing risks related to financing and cash flow,
the Chief Operating Officer is responsible for managing production and distribution, and the
Chief Marketing Officer is responsible for sales and customer relationships, and so on. Each of
these functional leaders is charged with managing risks related to their key areas of
responsibility. This traditional approach to risk management is often referred to as silo or stove-
pipe risk management whereby each silo leader is responsible for managing risks within their
silo as shown in Figure 3.
4.1.1 Limitations with Traditional Approaches to Risk Management1
Assigning functional subject matter experts responsibility for managing risks related to their
business unit makes good sense. However, this traditional approach to risk management has
limitations. This may mean that there are significant risks on the horizon that may go undetected
by management and that might affect the organization. Let’s explore a few of those limitations.
Limitation #1: There may be risks that “fall between the silos” that none of the silo leaders can
see. Risks don’t follow management’s organizational chart and, as a result, they can emerge
anywhere in the business. As a result, a risk may be on the horizon that does not capture the
attention of any of the silo leaders causing that risk to go unnoticed until it triggers a
catastrophic risk event. For example, none of the silo leaders may be paying attention to
demographic shifts occurring in the marketplace whereby population shifts towards large urban
areas are happening at a faster pace than anticipated. Unfortunately, this oversight may
drastically impact the strategy of a retail organization that continues to look for real estate
locations in outlying suburbs or more rural areas surrounding smaller cities.

1
Mark Beasley, Ph.D (2020). What is Enterprise Risk Management?. The Institute of Risk Management
https://www.theirm.org.

2
Limitation #2: Some risks affect multiple silos in different ways. So, while a silo leader might
recognize a potential risk, he or she may not realize the significance of that risk to other aspects
of the business. A risk that seems relatively innocuous for one business unit, might actually
have a significant cumulative effect on the organization if it were to occur and impact several
business functions simultaneously. For example, the head of compliance may be aware of new
proposed regulations that will apply to businesses operating in Brazil. Unfortunately, the head of
compliance discounts these potential regulatory changes given the fact that the company
currently only does business in North America and Europe. What the head of compliance
doesn’t understand is that a key element of the strategic plan involves entering into joint venture
partnerships with entities doing business in Brazil and Argentina, and the heads of strategic
planning and operations are not aware of these proposed compliance regulations.
Limitation #3: Third, in a traditional approach to risk management, individual silo owners may
not understand how an individual response to a particular risk might impact other aspects of a
business. In that situation, a silo owner might rationally make a decision to respond in a
particular manner to a certain risk affecting his or her silo, but in doing so that response may
trigger a significant risk in another part of the business. For example, in response to growing
concerns about cyber risks, the IT function may tighten IT security protocols but in doing so,
employees and customers find the new protocols confusing and frustrating, which may lead to
costly “work-around” or even the loss of business.
Limitation #4: So often the focus of traditional risk management has an internal lens to
identifying and responding to risks. That is, management focuses on risks related to internal
operations inside the walls of the organization with minimal focus on risks that might emerge
externally from outside the business. For example, an entity may not be monitoring a
competitor’s move to develop a new technology that has the potential to significantly disrupt
how products are used by consumers.
Limitation #5: Despite the fact that most business leaders understand the fundamental
connection of “risk and return”, business leaders sometimes struggle to connect their efforts in
risk management to strategic planning. For example, the development and execution of the
entity’s strategic plan may not give adequate consideration to risks because the leaders of
traditional risk management functions within the organization have not been involved in the
strategic planning process. New strategies may lead to new risks not considered by traditional
silos of risk management.
What’s the impact of these limitations? There can be a wide array of risks on the horizon that
management’s traditional approach to risk management fails to see, as illustrated by Figure 4.
Unfortunately, some organizations fail to recognize these limitations in their approach to risk
management before it is too late.

3
 Figure 4: Currently Unknown, But Knowable Risks Overlooked by Traditional Risk
Management

4.2 ENTERPRISE RISK MANAGEMENT (ERM)

According to Thomas Stanton of Johns Hopkins University, the point of enterprise risk
management is not to create more bureaucracy, but to facilitate discussion on what the really
big risks are.2 Enterprise risk management (ERM) is a methodology that looks at risk
management strategically from the perspective of the entire firm or organization. It is a top-down
strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and
other potentials for harm that may interfere with an organization's operations and objectives
and/or lead to losses.3
Enterprise risk management (ERM) in business includes the methods and processes used by
organizations to manage risks and seize opportunities related to the achievement of their
objectives. ERM provides a framework for risk management, which typically involves identifying
particular events or circumstances relevant to the organization's objectives (threats and
opportunities), assessing them in terms of likelihood and magnitude of impact, determining a
response strategy, and monitoring process. By identifying and proactively addressing risks and
opportunities, business enterprises protect and create value for their stakeholders, including
owners, employees, customers, regulators, and society overall.4

2
Thomas Stanton (Feb 18, 2017). "Enterprise Risk Management". YouTube. TEDxJHUDC. The whole point of enterprise risk
management is not to create another layer of bureaucracy, but rather to have your chief risk officer facilitate the
conversations and then the discussions about priorities – what are the really big risks we've got to grapple with.‖
3
Adam Hayes (2022). ―Enterprise Risk Management (ERM): What Is It and How It Works‖, https://www.investopedia.com.
4
Ibid.

4
ERM can also be described as a risk-based approach to managing an enterprise, integrating
concepts of internal control, the Sarbanes–Oxley Act, data protection and strategic planning.
ERM is evolving to address the needs of various stakeholders, who want to understand the
broad spectrum of risks facing complex organizations to ensure they are appropriately
managed. Regulators and debt rating agencies have increased their scrutiny on the risk
management processes of companies.
The objective of enterprise risk management is to develop a holistic, portfolio view of the most
significant risks to the achievement of the entity’s most important objectives. The “e” in ERM
signals that ERM seeks to create a top-down, enterprise view of all the significant risks that
might impact the strategic objectives of the business. In other words, ERM attempts to create a
basket of all types of risks that might have an impact - both positively and negatively - on the
viability of the business.
In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an
organization in any industry assesses, controls, exploits, finances, and monitors risks from all
sources for the purpose of increasing the organization's short- and long-term value to its
stakeholders."5 The CAS conceptualized ERM as proceeding across the two dimensions of risk
type and risk management processes. The risk types and examples include: 6[3]
 Hazard risk - Liability torts, Property damage, Natural catastrophe
 Financial risk - Pricing risk, Asset risk, Currency risk, Liquidity risk
 Operational risk - Customer satisfaction, Product failure, Integrity, Reputational risk;
Internal Poaching; Knowledge drain
 Strategic risks - Competition, Social trend, Capital availability

4.2.1 ERM frameworks defined

There are various important ERM frameworks, each of which describes an approach for
identifying, analysing, responding to, and monitoring risks and opportunities, within the internal
and external environment facing the enterprise. 7
Management selects a risk response strategy for specific risks identified and analysed, which
may include:
i. Avoidance: exiting the activities giving rise to risk
ii. Reduction: taking action to reduce the likelihood or impact related to the risk
iii. Alternative Actions: deciding and considering other feasible steps to minimize risks
iv. Share or Insure: transferring or sharing a portion of the risk, to finance it
v. Accept: no action is taken, due to a cost/benefit decision

5
Enterprise Risk Management Committee (May 2003). "Overview of Enterprise Risk Management" (PDF). Casualty Actuarial Society: 8.
Retrieved June 3, 2023.
6
Ibid.
7 Ibid (Thomas Stanton).

5
Monitoring is typically performed by management as part of its internal control activities, such as
review of analytical reports or management committee meetings with relevant experts, to
understand how the risk response strategy is working and whether the objectives are being
achieved.

4.2.2 COSO ERM framework

The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 (New
edition COSO ERM 2017 is not Mentioned and the 2004 version is outdated) defines ERM as a
"…process, effected by an entity's board of directors, management, and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives."8
The COSO ERM Framework has eight components and four objectives categories. It is an
expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended
in 1994. The eight components are:
 Internal Environment
 Objective Setting
 Event Identification
 Risk Assessment
 Risk Response
 Control Activities
 Information and Communication
 Monitoring
The four objectives categories - additional components highlighted - are:
 Strategy - high-level goals, aligned with and supporting the organization's mission
 Operations - effective and efficient use of resources
 Financial Reporting - reliability of operational and financial reporting
 Compliance - compliance with applicable laws and regulations

4.2.3 ISO 31000: the new International Risk Management Standard

ISO 31000 is an International Standard for Risk Management which was published on 13
November 2009, and updated in 2018. An accompanying standard, ISO 31010 - Risk
Assessment Techniques, soon followed publication (December 1, 2009) together with the

8
Enterprise Risk Management — Integrated Framework: Executive Summary" (PDF). Committee of Sponsoring Organizations of the Treadway
Commission. September 2004. Retrieved June 3, 2023.

6
updated Risk Management vocabulary ISO Guide 73. The standard set out eight principles
based around the central purpose, which is the creation and protection of value.9
An effective ERM process should be an important strategic tool for leaders of the business.
Insights about risks emerging from the ERM process should be an important input to the
organization’s strategic plan. As management and the board become more knowledgeable
about potential risks on the horizon they can use that intelligence to design strategies to nimbly
navigate risks that might emerge and derail their strategic success. Proactively thinking about
risks should provide competitive advantage by reducing the likelihood that risks may emerge
that might derail important strategic initiatives for the business and that kind of proactive thinking
about risks should also increase the odds that the entity is better prepared to minimize the
impact of a risk event should it occur.10
As illustrated by Figure 5, the ERM process should inform management about risks on the
horizon that might impact the success of core business drivers and new strategic initiatives.
Figure 5 – ERM Should Inform Strategy of the Business

4.3 ELEMENTS OF AN ERM PROCESS11

Because risks constantly emerge and evolve, it is important to understand that ERM is an
ongoing process. Unfortunately, some view ERM as a project that has a beginning and an end.
While the initial launch of an ERM process might require aspects of project management, the
benefits of ERM are only realized when management thinks of ERM as a process that must be
active and alive, with ongoing updates and improvements.

9
Hopkin, Paul (2022). Fundamentals of risk management : understanding, evaluating and implementing effective enterprise risk
management. Clive Thompson (6th ed.). London. ISBN 978-1-3986-0286-1. OCLC 1300754988
10 Ibid (Mark Beasley (2020).
11 Mark Beasley, Ph.D (2020). What is Enterprise Risk Management?. The Institute of Risk Management, https://www.theirm.org.

7
The diagram in Figure 6- illustrates the core elements of an ERM process. Before looking at the
details, it is important to focus on the oval shape to the figure and the arrows that connect the
individual components that comprise ERM. The circular, clockwise flow of the diagram
reinforces the ongoing nature of ERM. Once management begins ERM, they are on a constant
journey to regularly identify, assess, respond to, and monitor risks related to the organization’s
core business model.
4.3.1 ERM Starts with What Drives Value for the Entity
Because ERM seeks to provide information about risks affecting the organization’s achievement
of its core objectives, it is important to apply a strategic lens to the identification, assessment,
and management of risks on the horizon. An effective starting point of an ERM process begins
with gaining an understanding of what currently drives value for the business and what’s in the
strategic plan that represents new value drivers for the business. To ensure that the ERM
process is helping management keep an eye on internal or external events that might trigger
risk opportunities or threats to the business, a strategically integrated ERM process begins with
a rich understanding of what’s most important for the business’ short-term and long-term
success.
Figure 6 – Elements of an ERM Process

Let’s consider a public-traded company. A primary objective for most publically traded
companies is to grow shareholder value. In that context, ERM should begin by considering what
currently drives shareholder value for the business (e.g., what are the entity’s key products,
what gives the entity a competitive advantage, what are the unique operations that allow the
entity to deliver products and services, etc.). These core value drivers might be thought of as
the entity’s current “crown jewels”. In addition to thinking about the entity’s crown jewels, ERM
also begins with an understanding of the organization’s plans for growing value through new
strategic initiatives outlined in the strategic plan (e.g., launch of a new product, pursuit of the

8
acquisition of a competitor, or expansion of online offerings etc.). You might find our thought
paper “Integration of ERM with Strategy”, helpful given it contains three case study illustrations
of how organizations have successfully integrated their ERM efforts with their value creating
initiatives.
With this rich understanding of the current and future drivers of value for the enterprise,
management is now in a position to move through the ERM process by next having
management focus on identifying risks that might impact the continued success of each of the
key value drivers. How might risks emerge that impact a “crown jewel” or how might risks
emerge that impedes the successful launch of a new strategic initiative? Using this strategic
lens as the foundation for identifying risks helps keep management’s ERM focus on risks that
are most important to the short-term and long-term viability of the enterprise. This is illustrated in
Figure 7.

4.4 THE FOCUS OF ERM

The Focus of ERM is on all types of risks. Sometimes the emphasis on identifying risks to the
core value drives and new strategic initiatives causes some to erroneously conclude that ERM
is only focused on “strategic risks” and not concerned with operational, compliance, or reporting
risks. That’s not the case. Rather, when deploying a strategic lens as the point of focus to
identify risks, the goal is to think about any kind of risk – strategic, operational, compliance,
reporting, or whatever kind of risk – that might impact the strategic success of the enterprise. As
a result, when ERM is focused on identifying, assessing, managing, and monitoring risks to the
viability of the enterprise, the ERM process is positioned to be an important strategic tool where
risk management and strategy leadership are integrated. It also helps remove management’s
“silo-blinders” from the risk management process by encouraging management to individually
and collectively think of any and all types of risks that might impact the entity’s strategic
success.
Figure 7 – Apply Strategic Lens to Identify Risks

4.4.1 Output of an ERM Process

The goal of an ERM process is to generate an understanding of the top risks that management
collectively believes are the current most critical risks to the strategic success of the enterprise.

9
Most organizations prioritize what management believes to be the top 10 (or so) risks to the
enterprise (see our thought paper, “Survey of Risk Assessment Practices”, that highlights a
number of different approaches organizations take to prioritize their most important risks on the
horizon). Generally, the presentation of the top 10 risks to the board focuses on key risk
themes, with more granular details monitored by management. For example, a key risk theme
for a business might be the attraction and retention of key employees. That risk issue may be
discussed by the board of directors at a high level, while management focuses on the unique
challenges of attracting and retaining talent in specific areas of the organization (e.g., IT, sales,
operations, etc.).
With knowledge of the most significant risks on the horizon for the entity, management then
seeks to evaluate whether the current manner in which the entity is managing those risks is
sufficient and effective. In some cases, management may determine that they and the board are
willing to accept a risk while for other risks they seek to respond in ways to reduce or avoid the
potential risk exposure. When thinking about responses to risks, it is important to think about
both responses to prevent a risk from occurring and responses to minimize the impact should
the risk event occur. An effective tool for helping frame thinking about responses to a risk is
known as a “Bow-Tie Analysis”, which is illustrated by Figure 8. The left side of the “knot” (which
is the risk event) helps management think about actions management might take to lower the
probability of a risk occurring. The right side of the “knot” helps management think about actions
that could be taken to lower the impact of a risk event should it not be prevented (take a look at
our article, “The Bow-Tie Analysis: A Multipurpose ERM Tool)”.
Figure 8 – Bow-Tie Tool for Developing Responses to Risks

4.4.2 Monitoring and Communicating Top Risks with Key Risk Indicators (KRIs)
While the core output of an ERM process is the prioritization of an entity’s most important risks
and how the entity is managing those risks, an ERM process also emphasizes the importance of
keeping a close eye on those risks through the use of key risk indicators (KRIs). Organizations
are increasingly enhancing their management dashboard systems through the inclusion of key
risk indicators (KRIs) linked to each of the entity’s top risks identified through an ERM process.
These KRI metrics help management and the board keep an eye on risk trends over time.

10
Check out our thought paper, Developing Key Risk Indicators to Strengthen Enterprise Risk
Management, issued in partnership with COSO for techniques to develop effective KRIs.
Leadership of ERM
Given the goal of ERM is to create a top-down, enterprise view of risks to the entity,
responsibility for setting the tone and leadership for ERM resides with executive management
and the board of directors. They are the ones who have the enterprise view of the organization
and they are viewed as being ultimately responsible for understanding, managing, and
monitoring the most significant risks affecting the enterprise.
Top management is responsible for designing and implementing the enterprise risk
management process for the organization. They are the ones to determine what process should
be in place and how it should function, and they are the ones tasked with keeping the process
active and alive. The board of director’s role is to provide risk oversight by (1) understanding
and approving management’s ERM process and (2) overseeing the risks identified by the ERM
process to ensure management’s risk-taking actions are within the stakeholders’ appetite for
risk taking. (Check out our thought paper, Strengthening Enterprise Risk Management for
Strategic Advantage, issued in partnership with COSO, that focuses on areas where the board
of directors and management can work together to improve the board’s risk oversight
responsibilities and ultimately enhance the entity’s strategic value).

4.5 ENTERPRISE RISK MANAGEMENT FOR FINANCIAL INSTITUTIONS12

Enterprise risk management (ERM) for financial institutions refers to the systems in place to
identify and manage all risks within a financial services firm. These include financial risks,
operational risks, event risks, and strategic risks.
1) Enterprise risk management for financial institutions refers to the systems that are in
place to identify and manage all risks, including financial, operational, event, and
strategic risks.
2) Enterprise risk management is important for financial institutions due to the inherent risk-
taking nature of these businesses, and their systemic importance to the overall
economy.
3) Enterprise risk management benefits financial institutions by allowing these companies
to remain in compliance, mitigate loss, support growth, and improve profitability.
Why is Enterprise Risk Management Important for Financial Institutions? Financial institutions
such as banks, insurers, and investment management companies are entrusted with managing
the economy’s finances. Because financial institutions are so systemically important to the
economy, they are very tightly regulated. The risks these firms face can impact the broader
economy, and thus it is particularly important for them to have well-developed enterprise risk
management systems and processes.
Since the 2008 Global Financial Crisis, which led to the collapse of large financial institutions
such as Bear Sterns and Lehman Brothers, there has been increasing internal and external

12
Corporate Finance Institute. https://corporatefinanceinstitute.com.

11
pressure for greater risk management within the financial services sector.
4.5.1 Benefits of Enterprise Risk Management for Financial Institutions
Enterprise risk management can help financial institutions in numerous ways, including:
1) Remaining in Compliance: As mentioned, financial institutions are very tightly
regulated and face the potential of significant regulatory penalties if they are found to not
comply. A strong enterprise risk management system can help financial institutions
maintain regulatory compliance and avoid financial penalties and operational disruptions.
2) Mitigating Loss: Financial institutions face a broad set of risks that can result in
monetary loss. A strong risk management system can help identify potential losses in
advance and allow institutions to manage these risks proactively.
3) Supporting Growth: Financial institutions rely on consumer trust to operate effectively.
Strong enterprise risk management processes and systems can assist in building
consumer trust over time which in turn may lead to increased business.
4) Improving Profitability: Financial institutions are able to improve profitability when they
optimize their risk exposures. A strong enterprise risk management system can help
prevent and mitigate losses which boost the bottom line of these firms.
In addition to these four benefits, the implementation of an effective ERM program often creates
a cultural shift within the organization. Strong ERM programs typically enable financial
institutions to view risk with a much longer-term lens and react to risk much more proactively.
4.5.2 Enterprise Risk Management Framework
Enterprise risk management for large and complex financial institutions is exceedingly difficult. It
requires a significant amount of dedicated people and resources. Successful enterprise risk
management systems are typically implemented with an ERM framework. An enterprise risk
management framework encompasses four key factors:
1) Risk Transparency: Risks such as threats, potential crises, legal issues, and financial
risk exposures need to be identified, clearly defined, and communicated to appropriate
decision-makers.
2) Risk Strategy: Management needs to establish risk tolerance levels in which the firm
will operate. These tolerance levels are benchmarked against currently observed risks in
order to develop a strategy to manage these risks firm-wide.
3) Risk Decisions: Once risks are understood and risk tolerance levels established,
decisions are made on which risks to accept, hedge, transfer, and/or mitigate.
4) Risk Organization: Financial services firms need to establish robust internal risk teams,
systems, and processes to continuously monitor and manage the firm’s risk universe.
This includes establishing key persons to oversee risk, setting goals and milestones, and
monitoring risk over time.

12
4.6 CURRENT ISSUES IN ERM
The risk management processes of corporations worldwide are under increasing regulatory and
private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth
and opportunity. Executives struggle with business pressures that may be partly or completely
beyond their immediate control, such as distressed financial markets; mergers, acquisitions and
restructurings; disruptive technology change; geopolitical instabilities; and the rising price of
energy.
Sarbanes–Oxley Act requirements: Section 404 of the Sarbanes–Oxley Act of 2002 required
U.S. publicly traded corporations to utilize a control framework in their internal control
assessments. Many opted for the COSO Internal Control Framework, which includes a risk
assessment element. In addition, new guidance issued by the Securities and Exchange
Commission (SEC) and Public Company Accounting Oversight Board in 2007 placed increasing
scrutiny on top-down risk assessment and included a specific requirement to perform
a fraud risk assessment.13 Fraud risk assessments typically involve identifying scenarios of
potential (or experienced) fraud, related exposure to the organization, related controls, and any
action taken as a result.
NYSE corporate governance rules: The New York Stock Exchange requires the Audit
Committees of its listed companies to "discuss policies with respect to risk assessment and risk
management." The related commentary continues: "While it is the job of the CEO and senior
management to assess and manage the company’s exposure to risk, the audit committee must
discuss guidelines and policies to govern the process by which this is handled. The audit
committee should discuss the company’s major financial risk exposures and the steps
management has taken to monitor and control such exposures. The audit committee is not
required to be the sole body responsible for risk assessment and management, but, as stated
above, the committee must discuss guidelines and policies to govern the process by which risk
assessment and management is undertaken. Many companies, particularly financial companies,
manage and assess their risk through mechanisms other than the audit committee. The
processes these companies have in place should be reviewed in a general manner by the audit
committee, but they need not be replaced by the audit committee."14
ERM and corporate debt ratings: Standard & Poor's (S&P), the debt rating agency, plans to
include a series of questions about risk management in its company evaluation process. This
will roll-out to financial companies in 2007.15 The results of this inquiry is one of the many
factors considered in debt rating, which has a corresponding impact on the interest rates
lenders charge companies for loans or bonds.16 On May 7, 2008, S&P also announced that it
would begin including an ERM assessment in its ratings for non-financial companies starting in
2009,17 with initial comments in its reports during Q4 2008.18

13 PCAOB Auditing Standard No 5 Archived 2007-06-27 at the Wayback Machine

14
"NYSE Listing Standards Part 7d" (PDF). Archived from the original (PDF) on 2014-06-11. Retrieved 2017-08-27.
15
S&P Ratings - Treasury & Risk Article Archived 2007-09-28 at the Wayback Machine
16
S&P ERM for Financial Institutions.
17
S&P ERM FAQs.
18
S&P ERM Announcement.

13
IFC Performance Standards: International Finance Corporation Performance Standards19
focus on the management of Health, Safety, Environmental and Social risks and impacts. The
third edition was published on January 1, 2012 after a two-year negotiation process with the
private sector, governments and civil society organizations. They have been adopted by
the Equator Principles Banks, a consortium of over 118 commercial banks in 37 countries.

19
Performance Standard 1.

14