Although numerous changes have befallen the mortgage industry in recent years, the most understated – yet most powerful and beneficial – are the new rigorous requirements for the implementation of a comprehensive risk management system. Although subtly stated, the new Consumer Financial Protection Bureau standards imply that management must be aware of – and actively managing – the risks associated with operating a consumer financial organization. The term “risk management” now encompasses many of the activities found in any financial institution under the label “enterprise risk management” (ERM). Yet many, if not most, executives are at a loss when it comes to recognizing what such a program entails or what must be put in place to meet these standards. Equally important, they totally fail to comprehend how such a program can make the company more profitable when all they see is the need to conduct more and more costly file reviews.
The reason for this disconnect is quite simple. Today’s executives are not familiar with the basic philosophy associated with creating and maintaining an ERM program. To them, it is just a series of more and more controls that limit their ability to originate, fund and service mortgage loans. What they fail to grasp is that, with an ERM program, the emphasis is not on creating a risk-controlled environment, but on creating a profitable, well-managed organization that functions in an environment that is in control.
The difference, which may seem minor to the uneducated, is huge. A risk-controlled organization is all about what can and cannot be done. For example, when underwriting a loan, the credit policy may exclude loans that don’t meet certain criteria or require that loans that meet certain regulatory requirements be originated, even if they are not profitable. It is an environment of “must do” and “can’t do.” On the other hand, management at an organization that operates within an environment that is in control understands the level of risk that is acceptable within the organization and can make decisions to support its stated customer base – as long as it is within the limits of control.
This idea of control limits is an outgrowth of the quality management movement that began in the 1970s and that is based on the ideas of six-sigma management. As organizations developed set methods and rules for the operations that produced their products and/or services, management began to understand that all risks cannot be controlled all the time. These random events, or variances to the defined processes, occur regardless of how well controlled the processes are. Management must understand not only the risks, but also the probability of these risks occurring, the severity of the impact, the volatility of the outcomes and, finally, the potential exposure to each risk.
Once an overall understanding of these factors is developed, management can establish acceptable control limits and continuously monitor the organization’s functioning departments to determine if they are within that acceptable range of performance. This approach creates limits that are statistically sound and financially profitable. It is founded on the knowledge that control limits provide the freedom to make sound decisions to meet customer requirements, without causing harm to the organization.
Developing a risk management program
The development of a strong risk management program involves three critical steps. The first of these is an appreciation of the underlying risks, which is derived from managers’ knowledge of the risks within their organizations. It is sometimes called “risk awareness.” This awareness is not just being able to say, “Mistakes in processing loans can cause problems.” It requires that any organization understand the relationship between creating products and the negative financial impact that results from any mistakes – or combination of mistakes. In the mortgage industry, this may take the form of unsalable loans, poor-performing loans or pricing issues. This awareness can also include understanding how policies are implemented within the processes throughout the organization. Take fair lending, for example. Although a lender may have a well-stated policy, does management understand where and how this policy is implemented?
And it isn’t just regulations. Policies for funding loans are typical for most companies, but if those policies are not followed, what is the financial risk to the organization? And what are the risks to the investor and consumer?
Knowing the correlation between the financial impact and the probability of these mistakes occurring allows management to understand the overall risks and make changes when necessary. It is also critical that management understand that these risks are not static, but change as the organization changes. Management must learn to not only be aware of current risks, but also develop the ability to anticipate risks and learn from the mistakes that have been made. Part of this awareness is the ability to recognize changes in the operating environment, as well as how unexpected events affect this environment. For example, if a company is changing its loan origination system, management must be aware of – and prepared for – an increase in the number of mistakes made. Expecting to change the entire technological base while the process remains the same is ludicrous. Being aware that mistakes will increase in this situation allows management to plan appropriately for these risks.
One of the most useful means to gain this awareness is to develop a risk taxonomy. A taxonomy is a structure for describing levels associated with a topic. For example, most education systems are built on a taxonomy that describes what students should be taught at each level of the education process and what the expected outcome should be. Without this, no one would have a clear understanding of what it means to be a high school graduate.
A risk taxonomy is an effective way to describe the categories and subcategories of the risks that exist within a mortgage origination and/or servicing operation. It allows for effective communication between staff and management, as well as for combining risks from different production units for reporting and action purposes.
Unfortunately, today, there is no such taxonomy within the mortgage industry. Although the agencies have made an attempt, the taxonomies they developed are based on what they see as risks and do not correlate with any proven industry-wide operational failures.
This problem exists within companies of all types and sizes. Companies will typically have several different types of review processes, each of which is developed by the individuals conducting the review. As a result, a “critical” finding from one of these processes means something different when compared with a critical finding for another. Combining these results to provide management with an understanding of the level of risk within their processes is impossible and results in management frustration and a failure to address the problems. The solution for this problem is the second step of developing an effective risk management program – that of risk measurement.
The idea of measuring risk is based on having the necessary data, analytics and system resources to allow for the collection of consistent and accurate information. An oft-quoted quality management axiom says that “you can’t manage what you can’t measure.” As the mortgage industry so painfully learned in the lead-up to the Great Recession, without knowing whether the processes in place are creating the products that are expected, the risks associated with these processes are unknowable. Yet, the lending industry has failed to develop measurement tools and practices that provide the needed knowledge. Unfortunately, this has not changed to any great degree. Much of this is due to agency standards that have been around since the mid-1980s. Although the current version of these requirements has progressed from the antiquated “file inspection” program, the programs are developed and maintained for the benefit of the agencies, not individual organizations. It is not uncommon, therefore, to find that companies review files based on agency policies, not their own. The result of this approach is that the agencies are making money, and companies that sell to them are paying for it.
Making the risk measurement process more effective requires the acceptance and development of a program specifically designed for the organization. Included in this program should be a risk taxonomy that includes all risks that have been identified as part of the risk awareness process. In addition, the severity of these risks should be correlated to losses – not just the obvious loss on sale or repurchases, but also the cost of rework, rejects, regulatory fines and penalties, and other operational costs that may be associated with reduced revenue.
Because it is impossible to review every product or process output, the reviews should be based on a high level of statistical probability. Using descriptive sampling such as 10% can be just as meaningful if the margin of error in the population is calculated. Utilizing one population of products or outputs for as many reviews as possible is the most efficient way of conducting risk testing – but if more than one population must be used, the taxonomy of risk created as part of risk awareness should be used to ensure consistency in the result. Lenders often make the mistake of thinking multiple reviews of different populations will make the results more effective, when, in fact, they do nothing but cause confusion and a high level of distrust in the findings.
Another risk management mistake that occurs frequently is believing that 100% of the product must be reviewed to cover the risks associated with a product or process. This flawed thinking does not support a reduction in risk, but makes the probability of a process failure higher, as those completing the processes become dependent on the reviewer to catch mistakes, rather than being accountable for the correctness of the process.
Technology is also an important part of the risk management process because data and the ability to analyze it are critical to risk measurement. Using the results of the reviews based on the risk taxonomy means that the organization is collecting usable data that can be used to support the business and associated policy decisions. All too often, management reports are based on unsupported data that is presented in a “data dump” format. These leave management confused as to the types of risk – and the levels of risk – within the organization.
Management reports utilized in today’s mortgage environment may include a variety of information about the organization and how it performs. Loan reviews are presented without indications of performance risk. Regulatory risk either is presented in a separate report or does not provide an understanding of the potential risk. Disassociated with this reporting are loan performance and “scorecards.” Information contained in these scorecards typically includes a variety of data points – but they do not correlate with the risks associated with the data. Executives reviewing these reports know that something is missing but are at a loss as to what it is and how to get the information they need. Thus, they ask for more and more isolated reports, which drives down the organization’s profitability.
Good risk management reporting, on the other hand, includes four basic points of information that management must have in order to effectively run the organization. These include losses, frequency of process failures (mistakes), management assessment and overall risk indicators.
Information on losses suffered by the organization should be identified and reported each month. The organization should also have a loss database to continually track them based on the taxonomy level assigned to them. These losses should include not just unexpected costs, such as rework or repurchases, but also other costs associated with the rework, such as increased warehouse costs. The loss levels need to be reported with regard to how they measure against the expected loss, or within the range of losses managed, and this must be established as part of any lender’s risk assessment program.
Process failure information is based on the standard monthly reviews that are in place. Using the risk taxonomy, the organization could identify these incidents and the potential losses based on the correlation between process failures and the probability of loss. Although most organizations do not have such a risk model, there is one available in the industry that has been validated for accuracy. Use of this model would provide valuable insight into the potential losses associated with process failures.
Recently, much has been said about identifying the root cause of these failures. Unfortunately, those lenders that require that this be done – and the organizations conducting the associated analysis – fail to understand that conducting a root cause analysis on a random failure is a waste of time and money. If the process failure information is for a large population of product and/or processes, or occurs over an extended period, it can be labeled a systemic issue. By conducting a root cause analysis on a systemic issue, the underlying cause can be identified and addressed.
As with losses, the level of critical process failures should be within the limits established by management. An organizational control chart, one of the standard quality management tools, is extremely useful here. By calculating the overall mean of process failures and the standard deviation, management can set the level of acceptable process failures. An example of this is the much-touted six-sigma measurement: if the process failures fall within three standard deviations above or below the mean, the process is operating as well as can be expected. If the level of risk associated with this performance is acceptable, no action needs to be taken. If not, decisions must be made as to what changes should be implemented and how.
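The control chart described above, together with the earlier distinction between random and systemic failures, can be sketched as follows. This is an added example, not part of the original article: the monthly failure rates are constructed sample data, and the rule that six consecutive months above the mean counts as an "extended period" is an assumption chosen for illustration.

```python
from statistics import mean, stdev

# Constructed sample data: monthly critical process-failure rates (% of files reviewed).
BASELINE = [4.1, 3.8, 4.4, 4.0, 3.6, 4.3, 3.9, 4.2, 4.0, 3.7, 4.5, 4.1]
RECENT = {"2024-01": 4.2, "2024-02": 6.9, "2024-03": 4.4, "2024-04": 4.6,
          "2024-05": 4.7, "2024-06": 4.5, "2024-07": 4.8, "2024-08": 4.6}

# Assumption: this many consecutive months above the mean is treated as the
# "extended period" that marks a systemic issue. The article gives no number.
RUN_LENGTH = 6


def control_limits(baseline, sigmas=3.0):
    """Return (lower, centre, upper) control limits from a baseline period."""
    centre = mean(baseline)
    spread = stdev(baseline)
    # A failure rate cannot be negative, so the lower limit is floored at zero.
    return max(0.0, centre - sigmas * spread), centre, centre + sigmas * spread


def classify(recent, baseline, run_length=RUN_LENGTH):
    """Label each month 'in control', 'out of control' or 'systemic'."""
    lower, centre, upper = control_limits(baseline)
    labels, run = {}, 0
    for month, rate in recent.items():
        # Count consecutive months above the centre line, even if inside limits.
        run = run + 1 if rate > centre else 0
        if run >= run_length:
            labels[month] = "systemic"        # sustained shift
        elif rate < lower or rate > upper:
            labels[month] = "out of control"  # single point outside the limits
        else:
            labels[month] = "in control"
    return labels


def root_cause_candidates(recent, baseline):
    """Months where a root cause analysis is warranted (systemic only)."""
    return [m for m, label in classify(recent, baseline).items() if label == "systemic"]


if __name__ == "__main__":
    print(control_limits(BASELINE))
    for month, label in classify(RECENT, BASELINE).items():
        print(month, RECENT[month], label)
```

In this sample the February spike breaches the upper limit once, while the drift from June onward stays inside the limits yet is flagged as systemic because every month since January has been above the mean.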
A critical piece of executive-level reporting includes an assessment by individual managers of potential future risk based on current business results. This assessment may be as generic as the overall state of the market or interest rate environment but should be tied to expected business performance. For example, if the number of process failures has increased for specific products but the business environment appears to want more of this product, what needs to be done to address the risk? If the real estate market values are decreasing, what does this mean in terms of losses, based on loss levels for current products and the timeliness of foreclosure?
The fourth reporting mechanism associated with an ERM is the table of risk indicators. When developing the initial risk awareness, management should identify the most critical aspects of risk that the company faces. These metrics are not necessarily associated with products or process performance but can include such things as mark-to-market assessments, consumer complaints, systems availability or unreconciled items. Such risk indicator tools have been in use in larger bank organizations for some time but are rarely seen in mortgage operations. These indicators provide management with a comprehensive overview of all facets of risk that are part of the company’s operations.
Although many lenders have failed to comprehend the scope of a true ERM program – or see it as just another punishment for mistakes made in the past – it is, in fact, a very comprehensive approach for making mortgage operations function more effectively and efficiently. Knowing one’s risks and the potential losses associated with those risks allows management to be more proactive in addressing them. It also opens the possibility for better customer satisfaction and provides a direct route to increased profitability.
The question now is, what companies – and what leaders – have the ability to see the vision that is laid out by an ERM program?
This is what will make all the difference between the winners and the losers in the years to come.
Becky Walzak heads her own consulting firm, rjbWalzak, and is a managing partner in MarBecca LLC, a forensic file review company. With more than 30 years of experience in the financial services industry, Walzak is an expert in loan quality assurance and risk management. She can be reached at firstname.lastname@example.org.