5 4 3 2 1: Malcolm Griggs propels Fifth Third into a first-rate risk management organization

The RMA Journal, March 2005, by Bill Githens

Enterprise Risk Management, or ERM, has been evolving as a best practice among large banks for several years. Recently, the concept of identifying and managing credit, market, and operational risk under the leadership of a group dedicated to an enterprise-wide view has gained momentum. Banking regulators are demanding better risk management practices, the Basel II accords require a higher level of sophistication, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has recently issued its long-awaited guidance on ERM.

The RMA Journal had the opportunity to talk with Malcolm Griggs, executive vice president and chief risk officer of Fifth Third Bancorp, about the ERM concept that he developed and implemented at Fifth Third. Fifth Third Bancorp, headquartered in Cincinnati, has assets of approximately $100 billion and operates over 1,000 banking centers in the Midwest and Florida.

RMAJ: You arrived at Fifth Third in April 2003, on the heels of the Written Agreement with the Federal Reserve Bank of Cleveland requiring Fifth Third to strengthen its risk controls. Did Fifth Third create your position as Chief Risk Officer in response to the regulatory action?

MDG: Clearly, the agreement with the regulators required us to enhance our risk controls, and we have done so and were released from the agreement in short order. I think the CRO position would have been created in any event, but the timing of the agreement with the regulators probably accelerated the process.

RMAJ: Tell us a little about your background and what you feel prepared you most for the challenges of a CRO position.

MDG: Prior to Fifth Third, I had the privilege of spending nearly 15 years in a variety of risk-related positions with Wachovia and its predecessor, First Union. Before that, I practiced commercial law.

The best preparation for the CRO position has been the opportunity to learn from people who know more than I do. That's a process that doesn't stop.

It's also important to have broad exposure to various types of risk and to the enterprise itself--retail, wholesale, capital markets, finance, treasury, and operations--to see 1) where risks might arise, 2) the best controls to have around those risks, and 3) how to measure and monitor the risks on an ongoing basis. It would be difficult for any new CRO to be effective without exposure to the enterprise as a whole.

RMAJ: You had to create an ERM function from scratch. That's a big change for any organization. How much resistance did you encounter?

MDG: You're right, it is a big change, but I encountered very little resistance. I was pleased to find when I arrived that the senior management team was highly receptive to the idea of an ERM function. George Schaefer, our CEO, set the tone from the top by emphasizing the importance of good risk management to our long-term success. Fifth Third prides itself on having a best-in-class sales culture. George asked me to build a best-in-class risk structure as well so that our sales efforts are not negated by incurring avoidable risks. The other leaders in the company also genuinely view the ERM concept, as we've executed it here, to be very useful. Fifth Third has always had a very conservative credit culture. We've always been well capitalized, and we don't engage in the flavor du jour when it comes to lending or other products, so the fundamental mind-set for good risk management was already here. What everyone recognized was that as we get larger and more diverse in our product mix and geography, we have to approach risk management differently.

RMAJ: You refer to how ERM was executed at Fifth Third. How different would that be at other institutions?

MDG: You've really hit on a key point. In order for an ERM program to be successful, it absolutely has to be tailored to the institution. Every bank has a different asset mix and a different business model, so why should an ERM program look the same everywhere?

There are certainly some fundamentals that must exist in any effective program, and these would include the ability to identify, measure, and manage credit risk, market risk, and operational risk (which for these purposes would include regulatory compliance risk). Your ability to manage these risk categories effectively depends on a few common principles, but how you put these principles into practice will vary by institution. Some of these common principles include the following:

* Independence and accountability. An ERM function must be independent of the lines of business. This does not necessarily mean that the line of business outsources all risk responsibility to the ERM division. On the contrary, if you do that then accountability for the risk that a line of business takes on also shifts away from the line (which I don't think is healthy). A balance between independence of the governance/oversight functions and risk accountability in the line of business must be achieved in order for a program to be effective.

* Good information. You can't manage the risk you don't understand. Having good data-capture systems, good data integrity, and analytical tools suitable for the institution is important. A large middle-market and retail-oriented bank like Fifth Third does not need the same type of data and analytical tools as a money-center bank with large capital market functions. At the same time, there is an expectation that certain basic risk-based capital models be developed and employed, and it's hard to do that without good data-capture and analytical tools.


 


Content provided in partnership with Thompson Gale