We Don’t Know Risk!

I was talking to someone recently who asked if I thought subprime loans would ever come back since they had proven to be so “risky.” While the answer to this is a simple “yes” there is a lot more involved in this answer than meets the eye. Underlying this question and the answer is the need for the industry to define what exactly do we mean by risk and determine how many kinds we actually have to address.

Wait a minute you say, we know what risk is! Really? Then tell me, is it the fact that loans may not perform? Or is it poor credit policy? Or maybe what we call “risk-based pricing” isn’t based on real risk at all. And what about financial risk? Is it more or less risky to produce subprime loans if they produce a much higher return or should we just accept low returns on bank investments? Of course at the moment everyone is shaking in their boots about regulatory risk. And don’t forget the biggest risk of all- Operational Risk. Whether we want to admit it or not, this risk is the one we have paid the least attention to and it was also the one that brought the house down in 2008. In fact there are so many different ideas, elements and issues surrounding risk that we end up getting in our own way when it comes to clarifying what we mean by “risk.”

One example of this is the MBA “Risk Management” Conference. This conference was originally the Quality Assurance Conference but when it became apparent we really don’t have any standardized way to assure quality in this business, or even what quality is, it became Risk Management. Now instead of a hundred or so QC staff, the conference draws underwriters, servicing people and some analytical staff in addition to those from QC. Each has their own “track” of sessions where the same issues and non-responsive answers are given over and over. What’s even more appalling is the committee meeting where the attendees, who care enough to come, spend the majority of the time telling each other what a great job they are doing rather than tackling this complex issue.

Another deterrent to making headway in this area is the overwhelming need for everyone to protect the way they work today and the jobs they have. For years I have been arguing that quality control is a function that has to serve the organization, not Fannie Mae and Freddie Mac. Yet the idea of not having the rigid requirements to follow seemed so foreign to so many that this idea went nowhere. Now Fannie Mae is promoting it. But where are the thought leaders to take on this task? Where are the risk managers who understand how to evaluate operational risk rather than identify isolated issues in a biased sample? They are few and far between because we have never developed them, nurtured their ideas or given them the authority to act.

Right now the CFPB is demanding that all lenders have a compliance management system. Yet the reality is that what they want us to have is a risk management system that identifies all facets of risk in the organization and manages them to achieve the best possible result for the company and the consumer. Despite the advertisements that offer to implement one of these “systems,” we have a long way to go before we reach the level of a comprehensive risk management approach envisioned by the regulators. That said, we have to start somewhere so why not with some simple definitions of what we mean by risk.

About The Author