We begin 2012 with the certain knowledge that many new regulations and responsibilities have made significant and costly demands on lenders, servicers, mortgage brokers, banks, investors, and mortgage securitizers to revise and strengthen plans to assure their economic survival. Many compliance departments throughout the country have set forth robust compliance calendars in order to monitor, test for, and implement federal and state guidelines. [*]
The primary source of revenue for the aforementioned companies (collectively, “financial institutions”) is the negotiating, extending, administering, and packaging of credit. Extension of credit and credit risk are really inseparable features of mortgage loan originations – one does not exist without the other.
Credit risk is quite measurable, especially with respect to any activity that poses a risk to earnings and capital. It is no secret that inadequate risk management is a leading cause of the failure of financial institutions. Just as credit risk and extension of credit are inseparable, so also are they inseparable from risk management. Only to the extent that credit risk and appropriate risk management procedures are identified, analyzed, established, and implemented may financial institutions claim to have safe and sound lending practices.
Risk management (often referred to, generically, as Compliance) should not formally come under the rubric of the so-called “Best Practices” section of corporate governance. In my view, risk management is not an elective, a negotiable issue, a good operating practice, a mere technique consistently providing superior results, a Six Sigma template, or a business management strategy. Rather, risk management is, and ought to be, an inherent and essential, evaluative and ministerial function reaching to virtually all intrinsic aspects of a financial institution’s business model. This is why I coined the term “Mortgage Risk Management,” because it stands on its own, a specialization that provides a firm foundation to the residential mortgage loan flow process – from point of sale to securitization. Put otherwise, it is the one and only “fail-safe” means by which a board of directors may ensure that management effectively implements internal processes designed to identify, measure, monitor, and control credit risk. [†]
Close consideration of appropriate risk management practices is vital to a financial institution’s stability, most especially in the outset of a new year and at all other times. But what is risk management? And, how does risk management affect a financial institution’s way of doing business?
In this article I will provide a brief outline of two key areas where credit risk review and risk management conjoin directly to impact a financial institution’s capability to conduct business and manage a thicket of regulations. Drawing on my own experience in working with our clients, I will offer an overview of what risk management entails, whether conducted internally or through external resources.
To get a sense of a typical approach involved in evaluating credit risk and the concurrent role played by risk management, I will outline the following areas: Quantity of Risk and Quality of Risk Management.
In a penultimate section, entitled Implementing Risk Management, I will offer some guidance about how to use credit risk information effectively to fortify a financial institution.
Quantity of Risk
I define quantity of risk as the level of credit risk associated with the credit portfolio of a financial institution.
Generally, there are three levels for quantity of risk: low, moderate, or high.
In evaluating credit risk, there are nine areas of review that should be undertaken.
1) Risk Level
- Consider in the analysis the size of the exposure associated with each of the areas bulleted below, their risk profiles, credit quality indicators, amounts, volatility, and trends:
- criticized and classified loans
- nonaccrual or nonperforming loans
- other credit quality metrics used by the financial institution (i.e., weighted average: risk grade or default probability)
- underwriting standards
- exceptions to policy
2) Risk Implications
- There are two areas in particular that are determinative with respect to risk implications:
- Significant growth in the size of a credit risk exposure, including whether such growth might be masking deterioration in credit quality indicators, and
3) Risk Assessments
- Prepare, review, and discuss with management any internally prepared risk assessments of credit risk (i.e., borrower profiles, disclosures, procedures, compliance with regulatory mandates).
4) Economic Environment
- Review the local, regional, and national economic trends and outlook, and assess their impact on the credit risk.
5) Business Plans
- Review business and strategic plans, and evaluate how their implementation may affect the level of risk posed by any credit risk.
6) Earnings and Capital
- Review and discuss with management the results from applicable testing of product evaluations with respect to potential impact on earnings, investment, and raising or maintaining capital.
7) Mitigation Strategies
- Evaluate the impact of mitigation strategies on the quantity of risk in all areas of the loan flow process. Consider the objectives of programs, and evaluate all departments’ experience with these risk levels, including management’s experience in addressing problems that may arise, or have previously arisen, in such risk levels.
8) Asset Classes
- Determine and give in-depth attention to asset classes and loan products with more volatility in performance.
- Based on the above-listed reviews and findings, assess whether the financial institution has adequate capital to support the risk posed by the quantity of risk.
Quality of Risk Management
Having worked with clients on their risk management needs over the years, I have often felt that quality of risk management is where the most work is needed. Financial institutions usually can compile most, if not all, of the quantity of risk information. But then what?
I define quality of risk management, broadly, as the exercise of producing evaluative findings with respect to the areas of Policy, Processes, Procedures, and Personnel, for the purpose of identifying, measuring, and appropriately mitigating credit risk.
Generally, there are three levels for quality of risk management: strong, satisfactory, or weak.
Determine whether the management has adopted effective policies that are consistent with safe and sound practices, given the financial institution’s size, nature, complexity, and risk profile.
Evaluate the following areas to determine whether relevant policies provide appropriate guidance for identifying and managing the financial institution’s credit risk.
- Consider whether the financial institution:
- Establishes a tolerance for risk, which would be shown, for instance, as a percentage of capital or expressed in terms of risk, but not simply by the financial institution’s size (i.e., tolerance should be expressed as risk of dollar loss, risk to earnings, or risk to capital).
- Develops a company-wide framework for identifying credit risk across business lines, and origination channels, including consideration of distinct groups of loans whose credit performance may be correlated.
- Establishes a process for testing the identification of potential credit risk, and to use such testing to evaluate the potential impact of adverse scenarios for credit risk on capital and liquidity, and for reporting those results to senior management and/or the board of directors.
- Clarifies the roles and responsibilities associated with identifying and managing credit risk, particularly those that may cross business lines or otherwise not be under common management.
- Defines the process for setting credit risk limits and for approving changes and exceptions thereto.
- Determine whether credit risk limits are well defined and reasonable. Consider the way that limits are measured and the use of limits or parameters for different types of exposure within a credit risk class (i.e., property types, product types, geographical considerations, and so forth).
- Verify that management periodically reviews and approves the financial institution’s credit risk policies, including relevant limits or strategies on significant credit risk.
Determine whether the financial institution has processes in place to provide accurate and timely assessments of credit risk associated with its activities involving the extension of credit.
There are two areas that we look for in determining quality of risk management processes:
1. We evaluate how policies, procedures, and plans affecting credit risk are communicated. This analysis involves considering whether management has clearly communicated objectives and credit risk parameters to the board of directors and affected staff. And this review also includes a determination of whether the board has approved the existing credit risk limits.
2. In light of the scope and complexity of a financial institution, we evaluate the adequacy of its processes for analyzing credit risk by considering the following questions:
- Does the financial institution assess the level of risk associated with each credit risk?
- Does the financial institution’s risk assessment aggregate exposures on a company-wide basis and across lines of business?
- Are the results of the risk assessments, including those from testing, appropriately incorporated into the overall capital planning process?
- Do the conclusions concerning credit risk appear reasonable in light of information available from other sources?
- Is the capital level adequate to support the levels and types of credit risk exposures?
- Is a formal analysis of higher credit risk conducted periodically, and does the financial institution have an effective system for monitoring developments in the interim?
- Are the financial institution’s analyses adequately documented and the credit risk conclusions communicated in a way that provides decision makers with a reasonable basis for strategic development?
- Are the resources devoted to the analysis of credit risk, including the number and expertise of staff members, considered adequate?
In reviewing procedures, we determine whether the financial institution has systems and guidelines in place to provide accurate and timely assessments and feedback of credit risk associated with its credit extension activities.
There are four areas that we look at in determining quality of risk management procedures:
1. Determine whether management information systems (MIS) provide timely, accurate, and useful information to evaluate risk levels and trends in credit risk by considering the following questions:
- Are all material credit risk exposures captured across all lines of business?
- Does the entirety of the data elements collected in the review of procedures appear to be adequate, given the scope and complexity of the portfolio?
- To whom are MIS and all reports involved in the loan flow process distributed and how timely are these reports?
2. Analyze how complying with credit risk parameters is monitored and reported to senior management and the board of directors.
3. Assess the level of review for credit risks that are nearing their credit risk limits. For instance, is there sufficient reporting to senior management and is oversight heightened?
4. Evaluate the adequacy of the procedures for monitoring current conditions in higher credit risks, and assess the reliability and accuracy of the types of internal and external resources used.
Staffing is a pivotal area for the quality of risk management, because it reveals the overall ability of the financial institution to meet the demands and responsibilities relating to administering the loan flow process. In effect, the level assigned to this quality of risk management indicates management’s ability to supervise its credit risk in a safe and sound manner.
There are four areas that we look at in determining quality of risk management personnel:
1. Given the scope and complexity of the financial institution’s portfolio, assess the appropriateness of the credit risk management structure and the experience of designated personnel, by evaluating:
- Whether the expertise, training, and number of staff members assigned to manage credit risk issues are adequate.
- Whether reporting lines encourage open communication and limit the chances of conflicts of interest.
- Whether there is an unusual level of staff turnover and the effect of any staff turnover on credit risk management.
2. Determine whether management has ascertained the adequacy of written policies for managing credit risk and assess management’s knowledge thereof.
3. Ascertain the adequacy of management’s practices and capabilities for managing credit risk, including timely responses to a changing environment.
4. Assess the performance of management and the compensation programs for staff members managing credit risks. Consider whether these programs measure and reward behavior that supports the financial institution’s strategic objectives and risk tolerance limits. (If the financial institution offers incentive compensation programs, ensure that (1) they provide employees with incentives that appropriately balance risk and reward, (2) are compatible with effective controls and risk management, and (3) at all times are supported by strong corporate governance, including active and effective oversight by the financial institution’s board of directors.)
Implementing Risk Management
Now that we have given consideration to certain features of Quantity of Risk and Quality of Risk Management, let’s outline what is required to implement risk management in a practical and effective way.
If the methodologies outlined above have been completed, we have reached the point where we may determine, perhaps on a preliminary basis, certain overall conclusions, and communicate our findings regarding quantity of risk and quality of risk management.
Keeping in mind that risk management, as previously stated, involves the ability to identify, measure, monitor, and control credit risk, there are several areas of guidance that we usually discuss with or provide to management as part of a due diligence review.
We provide a summary that elucidates the quantity of risk and quality of risk management, thereby clarifying the direction of credit risk and the adequacy of the financial institution’s process for managing credit risk.
A typical summary includes:
- Quality of the financial institution’s process for managing credit risk, including the adequacy of policies and procedures.
- Asset quality of credit risk.
- Appropriateness of strategic and business plans in light of their impact on credit risks.
- Responsiveness of strategic and business plans to test results that identify credit risks and materially affect risk exposure due to adverse economic scenarios.
- Accuracy and timeliness of management information systems and the entirety of data captured relative to the scope and complexity of the loan portfolio.
- Quality of staffing, and management’s capability to manage credit risk.
- Recommendation of corrective actions for deficient policies, procedures, practices, or other concerns, which include:
- Adequacy of adherence to policies and credit parameters.
- Adequacy of loan review or audit functions.
- Other matters of significance.
2) Impact. For any issues of concern identified when performing the credit risk procedures, we determine and discuss their impact on the financial institution’s aggregate credit risk and its direction.
3) Corrective Action. We encourage a discussion regarding previous, regulatory examination findings and conclusions, including a list of those credit risks that posed a challenge to management or presented unusual and significant credit risk to the financial institution. If needed, we provide a Corrective Action Matrix, which is a form that tracks all recommended changes and monitors compliance with those changes.
- Corrective Action Matrix. We issue the Corrective Action Matrix most often when conditions indicate (1) there has been a deviation from sound, fundamental principles that is likely to result in financial deterioration or increased risk if not addressed, and (2) there is substantive noncompliance with laws or regulations.
- When a Corrective Action Matrix is not used, the following features should still pertain:
- Describe the defect.
- Identify contributing factors or the root cause(s) of the defect.
- Describe likely consequences or effects from inaction.
- State the record management commitment to corrective action.
- Include the time frame and the person(s) responsible for corrective action.
4) Discussion. We set aside time to carefully review the actions that management and all relevant staff will take in the future to effectively supervise credit risk. In this setting, we discuss various findings with management, suggesting ways to further monitor and mitigate credit risk. Often, management offers a pledge to implement corrective action.
Preparation is Prevention
Compliance cannot be reverse engineered. I have stated many times that preparation is prevention. Working to evaluate credit risk is critical to the staying power needed by any financial institution involved in the loan flow process.
Some mistakes may have a minor effect. But there are costly mistakes that bring with them virtually catastrophic consequences. It is unacceptable and indefensible to attempt to fix mistakes belatedly, when they could have been avoided in the first place. And, for the most part, the tardy and delayed approach just does not work.
Allowing exposure to credit risk is such a potentially fatal and fundamental flaw that there really is often no way to undo the damage done by risk management failures. However, by using the above-mentioned tools to determine Quantity of Risk and Quality of Risk Management, a financial institution may still have the proactive opportunity to be stable, strong, and vibrant.
[*] This article first appeared in National Mortgage Professional Magazine, January 2012, Volume 4, Issue 1, pp. 8-23.
[†] Certain information provided in this article is based on the research and work I have done in developing one of my firm’s risk management tools, called the CORE Compliance Matrix®. A CORE® review consists of an in-depth evaluation of a financial institution's CORE® features: Compliance Program (C), Organizational Structure (O), Regulatory Risk (R), and Enforcement Strategies (E). For more information about the CORE Compliance Matrix®, or our other audit and due diligence review services, please visit our website.