Steve Spies is the Principal & Founder of SWS Risk Advisory LLC and former Fannie Mae Executive.
With lenders’ operational capacity stretched to the max, what are the key risks they need to monitor and manage?
SS: Change, change and more change, and all the downstream impacts on internal audit, quality control, cybersecurity, and third-party oversight. Whether that change is driven by growth or external events like COVID, it stresses the internal control environment and magnifies the difficulty in ensuring third parties are also keeping up. Lenders are rightly focused on customer acquisition and keeping them happy, but are they sacrificing manufacturing quality and process efficiency?
Today, lenders should be conducting a risk management “wellness check” to assess the effectiveness of their risk management and quality control programs. Just like going to the doctor prevents all sorts of ills and expenses, a third-party guided assessment of lenders’ risk management controls produces immediate bottom-line impact from increased productivity and risk mitigation. It creates the additional benefit of outstanding preparation for outside scrutiny from regulators and auditors. Furthermore, a regular, facilitated review of risk management effectiveness provides additional confidence in lenders’ growth plans because they know they have the capacity to scale without sacrificing quality or unnecessarily increasing risk.
Lenders are also seeing an unprecedented amount of regulatory and investor examination of their operational controls. How can they prevent exposure to those risks and be ready for the next auditor?
SS: Big or small, lenders are open to outside audits of some kind. The Government Sponsored Enterprises (GSEs) pay particular attention to lenders who are growing, recently started delivering or delivering high-risk profiles, or entered new lines of business such as third-party originations. Not being ready for the GSEs’ comprehensive risk reviews creates time-consuming, last-minute preparation and exposure to costly findings. Not only does a risk management operational assessment identify risks causing problems right now, but it also ensures future regulator audits go smoothly. SWS Risk guides lenders through Fannie Mae’s self-assessments in the 12 areas that Fannie Mae examines during their Mortgage Operational Risk Assessments (MORA). As the MORA is the gold standard for mortgage operational risk audits, if you can pass a MORA, you can pass just about any regulator exam. Often lenders want to start with a deep dive into just one or two MORA areas and expand the review as needed from there. I expand on the value of regulatory exam preparation in a recent blog.
How does an outside perspective add more value than an internal risk self-assessment?
SS: At the most basic level, front-line managers have little time to take stock of how well they are operating. Even if they carve out the time, self-review must resist potential conflict of interests and confirmation bias that often reduces objectivity, skews results, and causes resistance to bad news. I often begin by assessing the risk management culture. Unless there’s strong cultural support for risk management, then the best controls in the world are often ineffective. I encourage lenders to read my just-published blog on risk culture, and from there they can download my free one-page risk culture self-assessment giving them a quick perspective on cultural exposure to risk. That’s a great point to start the conversation about sizing risk exposure.