Regulatory Compliance Review: The Rules of Operational Risk

Jonathan Foxx
Nov 28, 2012

Recently, I spoke with several clients who had attended mortgage industry conferences. Each one of them pointed out the very same fact: Operational risk and regulatory compliance are the most prominent subjects being discussed. Having gone to the conferences expecting to learn more about new loan products and services, they nevertheless left wondering how they would ever be able to implement all the regulatory requirements being placed on them. As an old friend who runs a mid-tier mortgage banking company said to me, "I came as a mortgage company and left as a compliance company!" One of them said, "You know, Jonathan, you're sort of in the 'cat-bird seat' now, since you were among the first to predict that mortgage compliance would one day dominate how we originate loans." I'm not sure if that was a back-handed compliment, but I appreciate the sentiment, nonetheless.

At least Lenders Compliance Group tries to lift some of the regulatory burden borne by our clients and thereby free up their time to do what they do best: originate loans. That said, let's acquaint ourselves with operational risk and how to put some structure into risk management.

Framework

First and foremost, compliance decisions should be made not only on the basis of sound policy and regulatory mandates, but also on the basis of how compliance procedures are viewed by regulators. Examiners want to see a financial institution enforcing existing regulatory requirements. However, they are not antagonists on a witch hunt. They honestly want to produce the kind of findings, good or bad, that will help a company thrive. They do not get a thrill out of putting forth adverse findings.
Building a solid framework begins with cataloging the company's people, processes and technology, and continues on into deriving the means by which a stable policy is designed to formalize the way the company tracks operational risk and identifies those risks within the organization's personnel and departments. Tasking, tracking and managing risk are central features of governance.

Companies both large and small should implement operational risk frameworks that formalize their operational risk management. There really is no excuse, in this day and age, especially with easy access to information and guidance, for a financial institution of any size not to position operational risk practices into the loan flow process. Risk cannot be managed if there is no framework through which to manage it!

Reviewing and formalizing an operational risk framework does not need to be a complicated exercise. The size, complexity, and risk profile of the financial institution will dictate the ways and means by which risk is managed.

Controlling credit risk

At the start of this year, I published an article about “Controlling Credit Risk.” In the article I pointed out that risk is identifiable and measurable - and it can be controlled. To get a sense of how my firm goes about evaluating credit risk and the concurrent role played by risk management, I outlined two features of managing risk: Quantity of Risk and Quality of Risk Management. And I concluded with a section, entitled “Implementing Risk Management,” in which I offered some guidance about how to use credit risk information effectively to fortify a financial institution.

In formalizing a framework to manage operational risk, you need to get some idea of how firms like mine work with clients to ensure appropriate risk management strategies.

Four basic rules

1. Analyze processes: This requires creating a catalogue of the company's operational processes. This is always the first step. It can be presented like a flow chart or nested folders or in any form that makes sense to management, so long as it makes logistical and experiential sense. In effect, the analysis must reflect the way that the company actually conducts its business.

2. Identify risks: Now that processes have been analyzed, each process should be considered on the basis of efficiency, data integrity, and potential risks. This is accomplished through an internal audit, an external audit, or by designating a competent employee to conduct a generic self-assessment. Whatever the choice, be sure to standardize the evaluation method.

3. Centralize policies: Bring together all the company's policies and procedures. Take inventory and determine which policy statements are missing, which ones are outdated, and which ones may be redundant. The requirements of disparate policy statements may conflict with one another, so gather them all together and assess them as a group.

4. Establish a master policy: At this point—now that we have analyzed processes, identified risks and centralized policies—we are able to draft a master policy. Such an approach is reflective of “best practices” governance. The master policy sets forth the overarching set of policies and rules that govern the company's management of operational risk. It is the "map" that serves as a guide to the operational risk framework. Be sure that the master policy also provides “track-back” features and identifies the "owners" of each risk area.

Six even more basic rules

I mentioned above that the master policy is the "map" to the operational risk framework. But, as the philosopher Alfred Korzybski noted, the map is not the territory. Working through the four basic rules takes time and resources. Sometimes, we cannot even get to the Four Basic Rules, because we have not taken into consideration the “Six Even More Basic Rules.” Here are those six rules, without which an operational risk framework is not really attainable:

1. Assemble the management team
Bring together the company's executive and senior management. Start a conversation about operational risk and how to create a top-down approach toward risk management. Do this at least annually.

2. Make lists
Before the management meeting, each member of the management team should draft a list—long or short—of not only the known operational risks but the potential of unexpected risks. Assume that "Black Swans" do happen! Managers should offer insights relating to their own operational area as well as any other areas of the company. An unaccounted-for risk, actual or potential, could cause massive financial, reputational, strategic, legal and regulatory damage.

3. Detail the risk
Specify the risk in as much detail as possible. State the consequences of risk failure. And, where possible, always provide a solution. If a risk is perceived, seek a way to mitigate or remove it. Don't waste time on solutions seeking a risk; concentrate on risks seeking a solution.

4. Discuss risk
In an open and conversational way, discuss the lists. Determine if there are coinciding or divergent perceptions of risk. Identify where there are gaps in knowledge or implementation. And encourage a discussion regarding perceived risk, to be sure that there is some general understanding about the levels of risk tolerance.

5. Draft a master list
Now build a consensus amongst the assembled management team. Assign priorities to the various lists of risks provided by each participant. Determine the mitigation strategies that are acceptable, given the company's risk profile and risk tolerance.

6. Work the list
Implement the Master List, which may include the Four Basic Rules outlined above, but may form sufficient guidelines and directives to establish appropriate means to manage operational risk. Appoint a member of the management team to monitor the Master List and update the list for those risks that have been resolved or mitigated.

Jonathan Foxx, former chief compliance officer for two of the country’s top publicly-traded residential mortgage loan originators, is the president and managing director of Lenders Compliance Group, a mortgage risk management firm devoted to providing regulatory compliance advice and counsel to the mortgage industry. He may be contacted at (516) 442-3456 or by e-mail at [email protected]