Home Equity
Debt Consolidation
Home Purchase
Home - Other News Articles

Mixing it up: Fifth Third Bank has followed a mixed policy of centralized and decentralized approaches to operational risk that lets the risk manager of each business line implement the standards and processes shaped at the home office in Ohio

Refinance & Save!
Lower Your Mortgage Payments.
Bad Credit OK

Home Equity Loans
Get up to 125% of home value.
Fast & Easy.

Consolidate Your Debt
Pay Off Bills
& Lower Your Payments

Want to Purchase a Home?
Get Approved Now!

Risk & Insurance
By Paula L. Green
June 1, 2005

As a superregional financial institution with nearly $95 billion in assets, Fifth Third Bank is in the business of taking major financial risks every day to make money for its shareholders.

And as the bank's top operational risk manager, Gregory P. Lutz's job is to make sure those risks don't end up damaging the company's reputation, slashing into its profits or dragging down its stock price. Now, with the increased scrutiny that government regulators and shareholders are placing on every company's corporate governance practices and internal risk controls, Lutz's skills at managing operational risks have become even more finely honed.

"There's a real trick to managing the risk," says Lutz, senior vice president and director of operational risk management at the Cincinnati, Ohio-based bank. Because much of his line of work is prescribed by banking regulators, the trick is to find the balance between fulfilling regulatory mandates and ensuring the economic growth of the bank.

Says Lutz, "Our salespeople need a shield and a sword to do their job, but we don't want to burden them with such a heavy shield, that they can't swing their sword."

Lutz is not troubled by bank examiners' greater focus on the bank's risk management controls or the tougher compliance requirements being generated by legislation such as Sarbanes-Oxley.

That federal law, passed nearly three years ago by Congress after financial scandals at Enron, WorldCom and other U.S. corporations raided the portfolios of investors and eroded the retirement plans of employees, is aimed at curbing corporate corruption in public companies.

As a result, the Securities and Exchange Commission has implemented new regulations and controls, including the controversial and costly Section 404. This regulation forces companies to monitor the internal controls they have in place to ensure their financial reporting is accurate and requires outside auditors to vouch for those controls.

Rather than viewing these new compliance measures as burdensome, public companies can use Sarbanes-Oxley and its newly minted regulations to sharpen their own key risk indicators and risk assessment techniques, Lutz says.

"There's some good to it. There's an overlap between Sarbanes-Oxley and what we do in risk management," say Lutz, who was a senior manager in the financial services consulting practice at Deloitte & Touche before joining Fifth Third in 1991. "We can use it to see where the risks are in our processes and what our existing controls are around those risks.

"What's important is leveraging the requirements and not overburdening our business people with excessive self-assessments."

He estimates that Fifth Third, which has about 21,000 employees and more than 1,000 bank offices in the Midwest and Florida, will end up spending between $5 million and $10 million to implement Section 404.

Lutz views the new emphasis on corporate governance--with its accompanying demands for greater transparency of a corporation's business activities--as another step in the evolution of the operational risk function at any financial institution. Corporations have always managed their operational risks--that murky array of hard-to-quantify risks that can result from a failed internal process that doesn't keep tabs on delinquent loans or a bank teller embezzling funds--in an informal way. But as companies become larger, corporate executives need to manage their operational risks in a more cohesive manner, Lutz says.

"Boards are demanding it. Unless a company's executives have a unified, consistent method of evaluating any risk, how can a board be accountable and have confidence in its management?" he adds.

And as board directors feel mounting pressure from shareholders and government regulators to make sure a company is operating within the rules, the role of a company's operational risk department is even more crucial.

"I think we have to make sure that we are the board's eyes and ears ... to shine a light in the company so the relevant information gets to the board during the couple of hours of their meeting," says Lutz. "We see it as our role to get the right information to them."

One way the risk management division at Fifth Third is funneling this information to the board is through its risk and compliance committee. Malcolm D. Griggs, the bank's chief risk officer, updates the board committee on a quarterly basis about the controls and processes that bank managers are using to monitor the company's operational, credit and market risks. The board set up the committee to monitor the bank's compliance through an agreement with the Federal Reserve Bank of Cleveland in March 2003.

That agreement resulted after federal and state bank regulators investigated Fifth Third, which was forced to take a $54 million write-off against profits in 2002 because of previous bookkeeping errors.

Griggs, who is also an executive vice president at Fifth Third, assumed the newly created post of chief risk officer in May 2003. He had previously worked as director of risk policy for Wachovia Corp. in Charlotte, N.C. Lutz moved into the newly created role of director of operational risk management six months later in September 2003.

Lutz says the bookkeeping errors and agreement with regulators played a role in Fifth Third's decision to hire a chief risk officer and create an enterprise risk management group.

"I believe the bank would have moved in this direction anyway due to the increasing size and complexity of the company," adds Lutz. "I am sure the regulatory issues accelerated the process."

In order to strengthen the bank's overall risk management activities, Griggs helped shape an enterprise risk management group of about 125 employees nearly two years ago. About two-thirds of the group came from employees already working in the audit, compliance and administration divisions while the others were new hires. Lutz has about 35 people working for him.

Like many large financial institutions, the company decided a centralized model of operational risk management, in which the risk management standards and procedures are developed at the home office, was best.

"It's looking at the company's risks from a top down perspective," says Lutz, whose previous responsibilities with Fifth Third included management slots in information technology, risk and credit operations. Before the creation of the enterprise risk management group, the bank's risks were managed within the risk management function of each line of business.

"We believe our lines of business know their risks best, and we want risk managers in those groups as integral parts of their teams. At the same time, we recognize the need for consistency of practice and the need to be able to aggregate and understand the risks at the corporate level," he adds.

For that reason, Fifth Third is actually a mix of a centralized and decentralized approach to operational risk that lets the risk manager of each line of business implement the standards and processes shaped at the home office in Ohio.

"We felt we needed to manage with a top-down approach, yet let the risk managers report to their line of business rather than back to the chief risk officer," says Lutz. "We're somewhat of a hybrid ... with a centralized and noncentralized approach."

For example, early last year the risk management department initiated a new products program that requires each department to complete a risk assessment form before a new product or program is launched.

Fifth Third's credit card group weaved this program into the launch of a new agent credit card product--a credit card Fifth Third issues on behalf of a smaller financial institution. That strategy helped Fifth Third's credit card group flush out the stakeholders that needed to be involved in the process before the agent program was launched.

"The point is to prevent the implementation of a product in which the proper risk management procedures are not developed," he adds.

Lutz sees the field of operational risk becoming more sophisticated as companies formalize the activities that they did in a more informal way.

He says they key is to only take the risks he intends to take, and avoid the ones he doesn't know about. "It's good, common business sense," says Lutz. "If you have 10 divisions, you may have nine divisions doing a good job. But you don't want one cowboy going off on their own."

RELATED ARTICLE: Vendors face consolidation musical chairs.

The number of operational risk vendors selling software to the largest commercial banks will shrink from about two dozen to less than 10 in the next three or four years says a consultant.

"There will be more and more pressure over the coming few years for (commercial banking) organizations to develop operational risk management approaches and in doing so to implement systems to support that," says Edward Niestat, a partner with PA Consulting Group, a systems technology consulting firm. "As they start making their choices, there's a game of musical chairs. There'll be less and less room for some of the outsiders."

Well-established systems include Comit Gruppe, Fitch, SAS and Algorithmics, which was recently acquired.

Though some of these firms have been in the operational risk management software marketplace for several years, none has been able to capture a dominant share of the marketplace, and that means opportunity for startups. "Right now the penetration is so low that there's a very low barrier for a new startup coming in," says Niestat. "But we'll see as some of these players start capturing 10 percent or 20 percent of the marketplace it becomes harder and harder for a new entrant to think that it can capture that."

New risk-based capital allocation requirements for banks also mean that banking institutions will place their bets by choosing one software system over another.

Asked if some banks have shown any predilection toward one software vendor over another, Niestat said: "Not yet. I'd say there are a few players--FitchRisk, Algorhythmics, RAFT Radar and Centerprise that seem to be relatively preferred but none so highly that you would say they are becoming anything like a standard."

The price of many of the operational risk software packages, based on the dominant Windows-Intel operating system-hardware platform, run into the hundreds of thousands of dollars. Choosing and installing a software package amounts to an expensive proposition for the banks, particularly the larger ones.

"Make sure the hidden costs are fleshed out before installation," says Rachel M. Floars, senior vice president of liability risk management for North Carolina-based BB&T Corp.

Tim Elliott, first vice president of operational risk at Detroit-based Comerica Bank, says it's often difficult to describe what operational risk managers need from their software. "It's very hard for a vendor to do something you can't describe," he says.

Vendors are competing for the business of the nation's largest banking institutions--San Francisco-based Wells Fargo & Co. or Charlotte-based Wachovia, for example--who need the most advanced risk measurement tools available to meet the strictest compliance codes.

Many regional banks, however, which are not required to meet such strict compliance standards, are also looking for cheaper, simpler software tools to help them manage risk.

What are people saying about mortgages today:

Rates on 30-year mortgages edged down last week to a seven-month low. Mortgage-giant Freddie Mac reported Thursday that 30-year, fixed-rate mortgages fell to 6.3 percent, down slightly from 6.31 percent two weeks ago. It put rates at the lowest level since they were at 6.24 percent the first week of March.

Bank of Hawaii, Central Pacific Bank, Territorial Savings Bank and Wells Fargo Home Mortgages all cut their 30-year mortgage rates to 5.75 percent this week.

Most people think of a mortgage as a means to an end. After all, you buy a house, not a home loan. But a mortgage is much more than the path to homeownership. It is a financial instrument that must be managed, just like any other financial investment.