If you've ever taken a ride on London's Underground, also known as ‘The Tube,’ you've likely heard that cool British female voice gently alerting disembarking passengers to ‘mind the gap.’ Gaps in a sidewalk or platform can cause serious physical damage, especially when they go unnoticed. Gaps in a lender's enterprise risk management (ERM) strategy, while not a physical threat, can be equally as dangerous.
Data is the DNA from which an ERM strategy is born. Furthermore, data has become a particular focus for regulators. The Uniform Appraisal Dataset (UAD), Uniform Loan Delivery Data Standards (ULDD) and Uniform Mortgage Servicing Dataset are but three examples of how regulatory agencies are beginning to hold lenders and servicers accountable for their data. Even the Mortgage Electronic Registration System (MERS) has gotten in on the act, with some significant pushing on the Office of the Comptroller of the Currency's part, to hold servicers to higher data integrity standards by requiring a reconciliation of loan data against the MERS system. Not to mention that errors in Home Mortgage Disclosure Act data have been triggering audits left and right by the Consumer Financial Protection Bureau and other regulatory bodies.
Today, data management plays a critical role in a lender's ERM strategy. Any conversation regarding risk management today needs to consider the technology infrastructure that will be required to manage, analyze and archive all of the data pouring into lenders from multiple sources. Thought must be given to an enterprise-wide technology infrastructure that integrates the capture and management of business data to facilitate analytics, model building and the aggregation/reporting of information.
Using a data/technology-driven strategy for ERM development also evolves business management from a reactive, anecdotal, ‘hunch’ posture to a sophisticated, fact-based one. Back in the subprime mortgage heyday, the only data-driving strategy development was volume, cash flow and interest rates. Cash flow and profit covered a multitude of sins being committed in the name of loan production. That assumption came back to bite the industry big time, and as we continue to learn from our mistakes, we've come to realize that business decisions need to be based upon measurable data in order to be reliable and defendable to regulators and investors.
Furthermore, a sound ERM strategy is one that is predicated on the idea that there is a risk culture ingrained throughout all levels of the lending organization. Think about it as ‘the tone from the top’ effect. If the board and executive management take risk seriously, that sense of urgency is going to trickle down to all levels of the lender. The result is a mindset that everyone is a risk manager of some sort, and risk management naturally becomes a part of the larger dialogue within the lender. Additionally, when risk management behaviors are linked to performance objectives and compensation, there becomes a tangible reward for making risk management a part of everyone's day-to-day activities.
Once a risk culture has been ingrained, it's important to develop a comprehensive, board-approved risk appetite that is linked to risk tolerance limits and cascaded down throughout the lender. Business strategies are discussed and established within the boundaries set by the risk appetite, which establishes a context through which new loan products, transactions, and strategies are evaluated. This also provides transparency to the lender (and regulators), as well as a benchmark to evaluate performance.
However, it's important to remember that risk avoidance is not the end goal of creating a risk culture. Risk is an inherent part of the mortgage process. The key is having the tools in place to evaluate risk opportunities and select only those that will enhance and protect enterprise value. Once a lender is able to better understand the sources of uncertainty it faces, the lender can then evaluate the potential impact of emerging risks and decide which risks will benefit the lender the most while remaining within the pre-defined risk tolerance levels. The mark of an effective ERM strategy is when executives can satisfactorily answer the question, ‘Is risk being managed to an acceptable level?’
To do this, there must be a well-defined risk governance process in place managed by risk committees at both the board and executive levels, as well as other subordinate committees as appropriate (e.g. credit policy governance, compliance, counter-party risk, vendor management, IT/data security governance, etc.). These committees need clearly defined roles, responsibilities and authority levels to ensure that the requirements and processes for approving new products, transactions, etc. are followed. Centralized documentation and communication of risk decisions, policy approvals and exceptions will help these committees function efficiently. When applicable, periodic ‘toll-gate’reviews of new initiatives, products and acquisitions can help determine if the committees are functioning properly and if risk objectives are being met.
Resources will also be key to ensuring the proper execution of a lender's ERM strategy. Lenders must maintain sufficient levels of staffing and expertise for the risk management team, as well as dedicate other resources as needed to implement and execute the lender's ERM framework. Furthermore, achieving a ‘best-in-class’ ERM program requires a financial commitment by the lender. Without the proper funding for the development or acquisition of analytical tools, models and third-party data, this becomes an exercise in futility.
Finally, there needs to be a comprehensive set of centrally maintained corporate policies and procedures (P&Ps). When regulators come knocking, they are going to want to see documentation of what a lender is doing and why it is doing it. In addition, regulators will focus on whether P&Ps are being followed and how effective they are in achieving their aims. Those are questions lenders are going to want answered before regulators are at the door. Control groups, such as internal audit and compliance, used to test adherence to P&Ps, governance, and controls are a smart way to find those answers out beforehand. Additionally, there needs to be risk oversight of business functions involving credit decisions, and risk managers should be embedded throughout the lending process to ensure internal accountability for the risk decisions being made on a daily basis.
Musician Leonard Cohen once wrote, ‘There are cracks, cracks in everything/That's how the light gets in.’ When you shine a light on your ERM program, how much light are those cracks going to get in, and are you going to like what that light reveals?
Mary Kladde is president and CEO of Titan Lenders Corp. in Denver. She has more than 20 years of actual mortgage operations experience and exposure to all residential lending channels and processes from origination through point of sale. She can be reached at firstname.lastname@example.org.