Recently, I spoke with several clients who had attended mortgage industry conferences. Each one of them pointed out the very same fact: operational risk and regulatory compliance are the most prominent subjects being discussed. They had gone to these conferences expecting to learn more about new loan products and services, yet they left wondering how they would ever be able to implement all the regulatory requirements being placed on them. As an old friend who runs a mid-tier mortgage banking company said to me, "I came as a mortgage company and left as a compliance company!"
One of them said, "You know, Jonathan, you're sort of in the 'cat-bird seat' now, since you were among the first to predict that mortgage compliance would one day dominate how we originate loans." I'm not sure if that was a back-handed compliment, but I appreciate the sentiment, nonetheless. At least Lenders Compliance Group tries to lift some of the regulatory burden borne by our clients and thereby free up their time to do what they do best: originate loans.
That said, let's acquaint ourselves with operational risk and how to put some structure into risk management.
First and foremost, compliance decisions should be made not only on the basis of sound policy and regulatory mandates, but also on the basis of how compliance procedures are viewed by regulators. Examiners want to see a financial institution enforcing existing regulatory requirements. However, they also are not antagonists on a witch hunt. They honestly want to produce the kind of findings, good or bad, that will help a company thrive. They do not get a thrill out of putting forth adverse findings.
Building a solid framework begins with cataloging the company's people, processes and technology, and continues on into deriving the means by which a stable policy is designed to formalize the way the company tracks operational risk and identifies those risks within the organization's personnel and departments. Tasking, tracking and managing risk are central features of governance.
Companies both large and small should implement operational risk frameworks that formalize their operational risk management. There really is no excuse, in this day and age—especially with easy access to information and guidance—for a financial institution of any size not to build operational risk practices into the loan flow process.
Risk cannot be managed if there is no framework through which to manage it!
Reviewing and formalizing an operational risk framework does not need to be a complicated exercise. The size, complexity, and risk profile of the financial institution will dictate the ways and means by which risk is managed.
Controlling credit risk
At the start of this year, I published an article about “Controlling Credit Risk.”
In the article I pointed out that risk is identifiable and measurable, and that it can be controlled. To give a sense of how my firm goes about evaluating credit risk and the concurrent role played by risk management, I outlined two features of managing risk: Quantity of Risk and Quality of Risk Management.
And I concluded with a section, entitled “Implementing Risk Management,” in which I offered some guidance about how to use credit risk information effectively to fortify a financial institution.
In formalizing a framework to manage operational risk, you need to get some idea of how firms like mine work with clients to ensure appropriate risk management strategies.
Four basic rules
1. Analyze processes: This requires creating a catalogue of the company's operational processes. This is always the first step. It can be presented like a flow chart or nested folders or in any form that makes sense to management, so long as it makes logistical and experiential sense. In effect, the analysis must reflect the way that the company actually conducts its business.
2. Identify risks: Now that processes have been analyzed, each process should be considered on the basis of efficiency, data integrity, and potential risks. This is accomplished through an internal audit, external audit, or designating a competent employee to conduct a generic self-assessment. Whatever the choice, be sure to standardize the evaluation method.
3. Centralize policies: Bring together all the company's policies and procedures. Take inventory and determine which policy statements are missing, which ones are outdated, and which ones may be redundant. The requirements of disparate policy statements may conflict with one another, so gather them all together and assess them as a group.
4. Establish a master policy: At this point—now that we have analyzed processes, identified risks and centralized policies—we are able to draft a master policy. Such an approach is reflective of “best practices” governance. The master policy sets forth the overarching set of policies and rules that govern the company's management of operational risk. It is the "map" that serves as a guide to the operational risk framework. Be sure that the master policy also provides “track-back” features and identifies the "owners" of each risk area.
Six even more basic rules
I mentioned above that the master policy is the "map" to the operational risk framework. But, as the philosopher Alfred Korzybski noted, the map is not the territory. Working through the four basic rules takes time and resources.
Sometimes, we cannot even get to the Four Basic Rules, because we have not taken into consideration the “Six Even More Basic Rules.”
Here are those six rules, without which an operational risk framework is not really attainable:
1. Assemble the management team
Bring together the company's executive and senior management. Start a conversation about operational risk and how to create a top-down approach toward risk management. Do this at least annually.
2. Make lists
Before the management meeting, each member of the management team should draft a list—long or short—of not only the known operational risks but also the potential for unexpected risks. Assume that "Black Swans" do happen! Managers should offer insights relating to their own operational area as well as any other areas of the company. An unaccounted-for risk, actual or potential, could cause massive financial, reputational, strategic, legal and regulatory damage.
3. Detail the risk
Specify the risk in as much detail as possible. State the consequences of risk failure. And, where possible, always provide a solution. If a risk is perceived, seek a way to mitigate or remove it. Don't waste time on solutions seeking a risk; concentrate on risks seeking a solution.
4. Discuss risk
In an open and conversational way, discuss the lists. Determine if there are coinciding or divergent perceptions of risk. Identify where there are gaps in knowledge or implementation. And encourage a discussion regarding perceived risk, to be sure that there is some general understanding about the levels of risk tolerance.
5. Draft a master list
Now build a consensus amongst the assembled management team. Prioritize the various lists of risks provided by each participant. Determine the mitigation strategies that are acceptable, given the company's risk profile and risk tolerance.
6. Work the list
Implement the Master List. It may incorporate the Four Basic Rules outlined above, or it may itself provide sufficient guidelines and directives to establish appropriate means to manage operational risk. Appoint a member of the management team to monitor the Master List and update it as risks are resolved or mitigated.
Jonathan Foxx, former chief compliance officer for two of the country’s top publicly-traded residential mortgage loan originators, is the president and managing director of Lenders Compliance Group, a mortgage risk management firm devoted to providing regulatory compliance advice and counsel to the mortgage industry. He may be contacted at (516) 442-3456 or by e-mail at [email protected]