As a superregional financial institution with nearly $95 billion in assets, Fifth Third Bank is in the business of taking major financial risks every day to make money for its shareholders.
And as the bank's top operational risk manager, Gregory P. Lutz's job is to make sure those risks don't end up damaging the company's reputation, slashing into its profits or dragging down its stock price. Now, with the increased scrutiny that government regulators and shareholders are placing on every company's corporate governance practices and internal risk controls, Lutz's skills at managing operational risks have become even more finely honed.
"There's a real trick to managing the risk," says Lutz, senior vice president and director of operational risk management at the Cincinnati, Ohio-based bank. Because much of his line of work is prescribed by banking regulators, the trick is to find the balance between fulfilling regulatory mandates and ensuring the economic growth of the bank. Says Lutz, "Our salespeople need a shield and a sword to do their job, but we don't want to burden them with such a heavy shield, that they can't swing their sword."
Lutz is not troubled by bank examiners' greater focus on the bank's risk management controls or the tougher compliance requirements being generated by legislation such as Sarbanes-Oxley.
That federal law, passed nearly three years ago by Congress after financial scandals at Enron, WorldCom and other U.S. corporations raided the portfolios of investors and eroded the retirement plans of employees, is aimed at curbing corporate corruption in public companies.
As a result, the Securities and Exchange Commission has implemented new regulations and controls, including the controversial and costly Section 404. This regulation forces companies to monitor the internal controls they have in place to ensure their financial reporting is accurate and requires outside auditors to vouch for those controls.
Rather than viewing these new compliance measures as burdensome, public companies can use Sarbanes-Oxley and its newly minted regulations to sharpen their own key risk indicators and risk assessment techniques, Lutz says.
"There's some good to it. There's an overlap between Sarbanes-Oxley and what we do in risk management," says Lutz, who was a senior manager in the financial services consulting practice at Deloitte & Touche before joining Fifth Third in 1991. "We can use it to see where the risks are in our processes and what our existing controls are around those risks. What's important is leveraging the requirements and not overburdening our business people with excessive self-assessments."
He estimates that Fifth Third, which has about 21,000 employees and more than 1,000 bank offices in the Midwest and Florida, will end up spending between $5 million and $10 million to implement Section 404.
Lutz views the new emphasis on corporate governance--with its accompanying demands for greater transparency of a corporation's business activities--as another step in the evolution of the operational risk function at any financial institution. Corporations have always managed their operational risks--that murky array of hard-to-quantify risks that can result from a failed internal process that doesn't keep tabs on delinquent loans or a bank teller embezzling funds--in an informal way. But as companies become larger, corporate executives need to manage their operational risks in a more cohesive manner, Lutz says.
"Boards are demanding it. Unless a company's executives have a unified, consistent method of evaluating any risk, how can a board be accountable and have confidence in its management?" he adds. And as board directors feel mounting pressure from shareholders and government regulators to make sure a company is operating within the rules, the role of a company's operational risk department is even more crucial.
"I think we have to make sure that we are the board's eyes and ears ... to shine a light in the company so the relevant information gets to the board during the couple of hours of their meeting," says Lutz. "We see it as our role to get the right information to them."
One way the risk management division at Fifth Third is funneling this information to the board is through its risk and compliance committee. Malcolm D. Griggs, the bank's chief risk officer, updates the board committee on a quarterly basis about the controls and processes that bank managers are using to monitor the company's operational, credit and market risks. The board set up the committee to monitor the bank's compliance through an agreement with the Federal Reserve Bank of Cleveland in March 2003.
That agreement resulted after federal and state bank regulators investigated Fifth Third, which was forced to take a $54 million write-off against profits in 2002 because of previous bookkeeping errors.
Griggs, who is also an executive vice president at Fifth Third, assumed the newly created post of chief risk officer in May 2003. He had previously worked as director of risk policy for Wachovia Corp. in Charlotte, N.C. Lutz moved into the newly created role of director of operational risk management six months later in September 2003. Lutz says the bookkeeping errors and agreement with regulators played a role in Fifth Third's decision to hire a chief risk officer and create an enterprise risk management group.
"I believe the bank would have moved in this direction anyway due to the increasing size and complexity of the company," adds Lutz. "I am sure the regulatory issues accelerated the process."
In order to strengthen the bank's overall risk management activities, Griggs helped shape an enterprise risk management group of about 125 employees nearly two years ago. About two-thirds of the group came from employees already working in the audit, compliance and administration divisions, while the others were new hires. Lutz has about 35 people working for him.
Like many large financial institutions, the company decided a centralized model of operational risk management, in which the risk management standards and procedures are developed at the home office, was best.
"It's looking at the company's risks from a top down perspective," says Lutz, whose previous responsibilities with Fifth Third included management slots in information technology, risk and credit operations.
Before the creation of the enterprise risk management group, the bank's risks were managed within the risk management function of each line of business.
"We believe our lines of business know their risks best, and we want risk managers in those groups as integral parts of their teams. At the same time, we recognize the need for consistency of practice and the need to be able to aggregate and understand the risks at the corporate level," he adds.
For that reason, Fifth Third is actually a mix of a centralized and decentralized approach to operational risk that lets the risk manager of each line of business implement the standards and processes shaped at the home office in Ohio.
"We felt we needed to manage with a top-down approach, yet let the risk managers report to their line of business rather than back to the chief risk officer," says Lutz. "We're somewhat of a hybrid ... with a centralized and noncentralized approach."
For example, early last year the risk management department initiated a new products program that requires each department to complete a risk assessment form before a new product or program is launched.
Fifth Third's credit card group weaved this program into the launch of a new agent credit card product--a credit card Fifth Third issues on behalf of a smaller financial institution. That strategy helped Fifth Third's credit card group flush out the stakeholders that needed to be involved in the process before the agent program was launched. "The point is to prevent the implementation of a product in which the proper risk management procedures are not developed," he adds.
Lutz sees the field of operational risk becoming more sophisticated as companies formalize the activities that they did in a more informal way.
He says the key is to only take the risks he intends to take, and avoid the ones he doesn't know about. "It's good, common business sense," says Lutz. "If you have 10 divisions, you may have nine divisions doing a good job. But you don't want one cowboy going off on their own."
PAULA L. GREEN, a staff writer with a New York-based finance magazine, is a frequent contributor to Risk & Insurance®.
June 1, 2005
Copyright 2005© LRP Publications