Risk And Technology: The Opportunity


becky-walzakIn the 1990s technology and credit risk came together to develop the first of its kind automated underwriting system. Driven by the need to make faster decisions in light of a large refinance boom, these systems were designed to evaluate the “vanilla” loans and thus relieve underwriters of the responsibility of looking at every loan, when only the most complex loans actually needed their expert evaluation.

Based on the concern that underwriting jobs would disappear due to this technology, the acceptance of these programs was slow. However, once Fannie Mae and Freddie Mac released their versions and both underwriters and management became more aware of the benefits and underlying reliability of these engines, they became embedded in the overall underwriting process. In fact, companies such as Countrywide, Norwest (now Wells Fargo) and Chase also developed and implemented their own homegrown programs. And for a while, things were good.

However, with the advent of subprime lending, reduced documentation and the real estate boom of the 2000s, the flaws in this technology grew more and more apparent. The technology that was going to reduce risk and make lending work better didn’t, and the industry was left in tatters. Instead we are now dealing with stricter credit policies, excessive oversight by regulators, demands for more and more manual reviews and less opportunity to meet production goals. So, the question needs to be asked, “Technology, what good are you and what have you done for risk management?” Unfortunately, based on the recent MBA Risk Management Conference, the answer is not much. Sure, the usual suspects were in attendance showing the same technology that has been in place for twenty years, and in all fairness, there were some new companies that had developed ways to obtain information electronically and combine the results in one report, but there was nothing new, nothing that would move risk management into a technological environment that other processes have had for years.

So why is that? The underlying reason is really rather simple. The industry doesn’t know risk management. Take for example, the name of the conference- Risk Management and Quality Assurance. Any serious student of risk management knows that the quality assurance process is a vital part of risk management yet, when asked why they were segregated for this conference, there was no coherent answer to be found.

Risk Management is a large division of any organization no matter what they do. While there are numerous risks that lenders take on, the focus of the origination, servicing and secondary departments involve credit risk, interest rate risk, operational risk, regulatory risk and financial risk. Of course there are other risks such as litigation risk and reputational risk, but they are typically handled at the most senior corporate levels. For those who are not aware of it, the definition of operational risk is “The risk that people, processes and/or technology, and along with external events, will fail and cause financial harm to the organization. While most mortgage lenders became familiar with operational risk under the guise of business continuity planning that is only a very small piece of what operational risk is all about.

So let’s look at the how credit, interest rate, operational and financial risk fit together into a risk management function. On one hand it is rather a simplistic matter. Our industry produces mortgages. To be a successful lender, the organization must produce loans that meet the secondary market’s expectations. This includes pricing and performance so that the investor receives the expected return on their investment. The product must also meet the requirements of the regulators. Finally, if it doesn’t perform, the servicer must ensure that the foreclosure and sale of the property returns sufficient capital. Seems rather simple doesn’t it? But as we all know, it really is very complex and the loans produced are the result of a complicated system involving processes, people and technology. Credit risk has to ensure that the policies it approves are both acceptable to the secondary and are appealing to consumers in order to get the loan applications in the door. Secondary has to make sure its pricing is not only good but other attributes that investors are concerned about are incorporated. After all, that’s why we call it risk-based pricing, isn’t it. Origination and servicing operations must make sure that all of these credit and pricing attributes are implemented correctly as well as ensuring that any regulatory issues are addressed because any time one of these fails, it causes harm to the organization. These risks are without a doubt interactive and must be coordinated at all levels if they are to achieve what is expected.

Unfortunately, in today’s lending operations, they are not. We still retain each specific type of risk in its own separate silo because each entity feels responsible for their own risk. Credit policy approves guidelines that they believe will result in the loans with the highest probability of performance yet they are constantly hounded by loan officers and management who want more relaxed standards so they can obtain higher levels of production. The secondary staff must deal with the investment community and negotiate the best rates and pricing possible, but many times they clash with credit policy and production goals. Regulatory staff are typically seen as preventing production rather than supporting it despite the fact that they have no control over the requirements. The operational staff continuously struggles with trying to make all these pieces fit together in a speedy and effective manner. And management must tackle the job of making all this happen for as minimum a cost as possible. In other words as the saying goes “Quick, Cheap, Good- pick any two!” As a result of this silo approach, risks flourish and grow in the cracks where the silos don’t quite connect. Then, before we are even aware of the potential harm these risks can cause, they blow up in our face. So how do we change this and most importantly where can technology help.

First, we have to recognize two critical aspects of risk management. The first is that risks do not occur in isolation and must be coordinated across all aspects of the organization. Second, we must acknowledge that in order to keep risk under control we must have a measurement and monitoring system that tells us when these risks are occurring and their potential to cause harm. Most importantly this system has to be in real time.

The first of these issues, coordination of risk, has to lead from the very top. Silos must be opened to sharing of information and not continue to be dictates of the individuals who own that risk. Credit risk has to understand regulatory risk. For example, Fair Lending. There is no other regulation as amorphous as this one. Lenders have to make sure that their credit policy and underwriting do not discriminate or have any type of disparate impact on protected classes. So if the regulators walk into your shop and ask to have a detailed explanation of how your credit policy ensures that there is no unfair lending, could you tell them? What would you say about pricing of these loans? And how do you monitor the implementation of the Fair Lending policy? Yet in most companies the Regulatory Compliance staff write the policy, have it approved by an attorney and send it off to the operations staff for implementation. Then once a year, when the HMDA results are released, the results are reviewed and the risks come creeping out from between these silos.

Operations is many times victim to the dictates from these siloes and in many cases create their own risks within their world as well. Take for example the loan closing. It is not uncommon for the loan to be closing at or near the lock-in expiration. Secondary is not giving an extension and Credit is insisting that the conditions for approval be obtained and reviewed before funding. So what’s a closer to do? All too often Operations must take a position as to whether or not the conditions can be collected by the closing agent and hope that if they are incorrect the insured closing protection letter will cover them. Once again, the credit risk that this decision can create is hidden until more and more loans are rejected at delivery. Despite the best of intentions in a coordinated and communication-active organization, there will be risks caused by the failure of people, processes and/or technology. So, what can we do to get control of these risks?

One of the most effective answers is a timely and valid monitoring system. Today we continue to rely on a manual review process that is antiquated and focused on loan–by-loan issues rather than on identifying the risks generated by operations, credit, regulatory and secondary. Furthermore the results of these reviews are not generated for ninety days after the operational issue has occurred and management has no way of knowing if the issues identified are “real” or just a random mistake. If we want real risk management we have to get the information in real time and it has to be reported in a way that management can see the risk associated with it. And that means technology.

What senior management needs and what is crucial to risk managers is information that can become knowledge. A measurement and monitoring system that is embedded in all operational process technology that can continuously measure each and every loan and activity identify any risk that occurs is a must. In addition, it must have the ability to collect this data, analyze it so that when presented to management it is in a format that shows individual risk managers and senior management what risks are occurring, where, when and how. They need to be able to control the organization through a management system that implements, measures, informs and allows for directives to correct what is flawed and leaves what is working alone.

So technology companies, where are you? Can you meet this challenge? The industry truly hopes so since it is dependent on it. After all this is exactly what the regulators want when they talk about a management control system. More importantly however is that the industry must learn how to operate better, more efficiently and more cost-effectively while reaching out to a more and more diverse population. It just cannot be done without your help. So let’s get to work.

About The Author