In the fable Stone Soup, a destitute woman makes a meal for her children by putting water and a stone in a pot over the fire. As people come by and see her stirring the contents of the pot, they ask what she is cooking and each time she tells them she is making stone soup. Upon hearing this the person inquiring is amazed at the idea of making soup from a stone and offers her a carrot or other item that they have available. This continues until she actually has a soup of sorts. While the story’s moral is the value of joint cooperation in achieving a desired result, no one ever says whether all of these individual add-ins actually make the soup taste good. More than likely the results have a horrid taste and do no one any good.
Operational Risk in this industry is just like stone soup. There are lots of people passing by with no knowledge about Operational Risk or what it takes to make it good, but they are willing to throw in whatever they have available and call it good Operational Risk. Unfortunately for us instead of something good, we have a mess that even the CFPB won’t swallow.
Why is that? When this concept first arrived on the scene as a result of Basel II standards, most people paid little attention to it until 9/11. Then suddenly business continuity was the name of the game. From this perspective implementing Operational Risk was making sure than your business could continue if any disaster befell the organization. Numerous consultants made millions of dollars telling people how to prioritize their processes and make sure they had back-ups to the system. Then the whole idea seemed to hibernate as the wild and crazy years of housing and mortgage lending took hold. Once the industry fell apart, like humpty-dumpty, the operational risk “experts” tried to put it back together again by helping people find the “holes” in their operations. None of these efforts created the focus on a sustainable Operational Risk Management program that is critical for today’s mortgage company.
So what really is operational risk? Operational risk is the risk of loss from inadequate or failed processes, people and/or systems as well as losses due to external events. The losses can be direct such as selling a loan at a loss due to unacceptable underwriting or they can be indirect such as failing to get waivers on agency guidelines due to poor loan performance. The most important idea to remember about this risk is that it can be managed.
In order to effectively manage this risk, it is helpful to break it into three distinct areas. Global operational risk impacts the organization as a whole and includes such catastrophic events as total system failures or regulatory sanctions. The second area of focus is the operational risk focused on the actual product or service provided. Operational issues here are those that relate directly to the revenue stream such as dissatisfied consumers or investors, excessive costs, inefficiencies and unacceptable products as well as the direct regulatory issues such as TRID and QRM. Finally there should be an area of focus on ancillary and/or support issues. Among these are such items as indirect costs, inadequate and/or dissatisfied staff, inadequate technology, inadequate financial controls and regulatory issues such as Fair Lending. From this list it is easy to understand how the entire operation can be creating risk, impacting results and lowering profits if not effectively managed.
Another way to envision this risk is by looking at what affects the risks we currently focus on; credit risk, interest rate risk and market risk. Each and everyone one of these risks are dependent on processes, people and some type of technology to form an operational system. Therefore operational failures associated with any of these known risks can become catastrophic for an individual lender.
So how does an organization manage these risks? As expected, it starts at the top. Executive management has the responsibility of putting the risk management process in place. This can be accomplished by assigning a specific individual or by taking on the responsibility themselves. Unfortunately all too often, management makes the assignment and unless some disaster befalls the organization, they tend to focus on other business issues. Instead, senior management should approve the specific tools and methods for managing this risk and be updated on a regular basis, preferably monthly, on the level of these risks. It is also senior management’s responsibility to make decisions on what risks are acceptable and how they should be managed. For example, if the production staff wishes to change processes and is not sure that the new procedure is acceptable from an agency or regulator prospective, management has to evaluate the risks associated with this and make a decision as whether to offer the product. A recent example of the cost of failing to consider these risks in the case of the penalties and fines paid by a company for an unacceptable loan officer compensation plan. Management evaluated the program and got legal advice before implementing it but failed to account for the risk that the CFPB would find it unacceptable. It ended up costing the company $20M.
The second level of an operational risk program are the risk controls (typically credit policy, process design and technology programs), assessments, monitoring and reporting. This is by far the lynchpin of the program because the design (or control) specifies how things are to be done and the assessment and monitoring evaluate whether the product/service expected is what is actually being produced. Without knowing whether or not the people, processes or systems are functioning properly, there can be no effective decision making by senior management. Yet in the majority of companies today, this function is either not in place, inadequately financed or outsourced to companies that are focused on their own efficiencies and not the risks of any particular company.
The most common of these monitoring programs is known as Quality Control. Overwhelmingly this function is based on Fannie Mae, Freddie Mac and FHA requirements. Unfortunately their requirements are based on their risks and not on each individual company’s risk. As a result this vital function does not address the operational risks that the company has designed into its programs and processes. This is evidenced by the sampling programs, which are not based on validating whether the process is working properly but on criteria that are believed to be “risks” by the agencies.
A second issue with the programs as they exist today is the failure to have it grounded in the actual risk faced by organizations; that of unacceptable performance. The recent requirement by these agencies calls for classifying variances in the process at a specific risk level. This has been done without any validation that these issues are related in any way to expected poor performance. If the senior staff and risk management executives want to effectively measure and monitor their operational risk, the program needs to be developed internally and focus on how effectively their operations are producing the products and/or services they have specified.
Reporting is also the responsibility of this level of Operational Risk. Once again, the monitoring process for each risk identified collects the data on the functioning of the process. Each company should ensure that the method for collecting this data actually reflects the risk. For example, there are many Quality Control questionnaires that ask numerous questions on the closing that are actually covered by the insured protection letters so there is little, if any risk. So why spend time and money evaluating these processes.
Once the data is collected it must be analyzed to determine if the process, including the people and the technology are performing as expected. One thing that must be isolated are the random variances that occur in any process. Any report must show the variances that occur are not random and have a high probability of causing loss to the company. When this occurs it is management’s responsibility to address that risk. Addressing the risk does not necessarily mean making changes to the process, but instead may result in deciding to accept the risk or to insure over it in some way. Making changes on issues that are random or ones that do not expose the company to operational risk losses is inefficient and costly.
The final level of an Operational Risk Management program is the design of the process and the company culture in which the processes reside. For way too long management has seen the primary risk of the company as a failure to originate a sufficient number of loans. All else was delegated to a back-end correction process. In other words, enough volume will cover any risk. As we have seen this philosophy does not always work as expected. Therefore it is critical to ensure that the processes, people and technology are in sync and the focus is on producing and/or servicing loans that are in conformance with the company’s expectations.
Of course, just like any effective risk management program, it requires expertise and experience. When looking to implement an operational risk program, organizations should seek out individuals who are trained to work in this area and have experience in building such as operation.
The operational risk management program is designed to provide the organization with a comprehensive look at how it is functioning. As such it can identify where processes are failing and prevent mistakes that can cost the company amounts far in excess of the program cost.
About The Author
rjbWalzak Consulting, Inc. was founded and is led by Rebecca Walzak, a leader in operational risk management programs in all areas of the consumer lending industry. In addition to consulting experience in mortgage banking, student lending and other types of consumer lending, she has hands on practical experience in these organizations as well as having held numerous positions from top to bottom of the consumer lending industry over the past 25 years.