In February 2006, Susan Schmidt Bies, a member of the Federal Reserve Board of Governors, gave a speech titled, “The Continuous Challenges of Risk Management.” It was a well-written speech on the importance of risk management in a growing and robust financial services market with its many new challenges. Her concluding remarks were extremely profound as she stated, “While most U.S. banking organizations enjoy substantial profitability today, they should remember success depends on their ability to prepare for unexpected, and potentially much less favorable, events and outcomes.” 

While directed at banks, her comments were very much applicable to the mortgage industry as well. It was not too long after this speech that our country and housing industry entered the Great Recession. 

Could lenders have avoided some of the pain from the housing crisis if they had better risk management practices? Very possibly. Effective risk management intends to alert senior management and board members of the critical risks that will impact the organization’s profitability and competitiveness in the market.

Is it complicated? Not necessarily, if you have a framework. One enterprise risk management framework that many U.S. financial services companies use is “Enterprise Risk Management – Integrating with Strategy and Performance”. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned and published the framework in 2004 and updated it in June 2017. 

Today’s economic and regulatory environments continue to evolve, with more complexity and new risks emerging at a rapid pace. As a result, having a risk management process integrated into an organization is crucial. Senior management and the board need to ensure alignment of the organization’s strategies and objectives with the ERM system.

It starts with a clear understanding of the organization’s risk appetite and an objective assessment of whether business goals and initiatives effectively consider and mitigate identified risks within the organization’s risk appetite. Paying attention to risk allows the company to be more resilient to change and proactively take advantage of the opportunities from changes in the marketplace. 

Most importantly for the ERM system to be effective, management must communicate its risk philosophy and appetite across the entire organization. Without the right culture and governance, even the best ERM system will fall short. Employees must know that management believes in the process and feel comfortable speaking up when they identify potential risks.

Risks can come from many areas, both within the organization and in the market place, such as competitors, customers, and the government. What are the critical risks that organizations in the housing market must be aware of and prepared for?

TECHNOLOGY AND INNOVATION RISKS

New technologies and innovations are evolving at a rapid pace and can easily make the “old way” of conducting business in the housing industry obsolete. Customer expectations for convenience and speed of transactions have a tremendous impact on the industry. Meeting these expectations is necessary for survival.  

Increasingly, customers are insisting that they will only conduct business with companies that provide easy access to social media, mobile and internet based applications. If an organization does not recognize and anticipate the risks brought by these shifts, it will lose existing customers and the ability to attract new customers. If an organization does not change and innovate, competitors will; resulting in significant loss of market share.

DATA SECURITY RISKS

In addition to the requirements brought on by the new technologies, ease of access and use has brought on risks related to the privacy and security of customers’ information. Controlling these risks is also critical to the survival and reputation of the organization. One breach in security can harm the company to the point of financial failure. Not having an effective and tested information security policy and plan exposes the company to a catastrophic event. 

Cyber threats and attacks, unfortunately, are a way of life in this new age of rapidly advancing technology where access can take place from anywhere in the world from almost any device. These attacks can hurt the organization in many ways, from theft of critical data to major disruption of critical systems.

REGULATORY AND COMPLIANCE RISKS

Regulatory changes and scrutiny from government regulators have resulted in a significant amount of added stress to the industry. The uncertain political environment further compounds these risks. 

While significant time and resources must be dedicated to compliance, those organizations that embrace and proactively address these regulatory changes have created a competitive advantage. Those that do not adapt may find themselves in the “headlines” as a result of enforcement actions and very heavy fines and penalties. 

Many of these regulations focus on either protecting the consumer from harm or assuring criminals are not using the financial system for their own benefit. It is good business to develop an effective compliance management process and mitigate these regulatory risks.

THIRD-PARTY RISKS

As it seeks to streamline business and be more competitive, many in the housing industry are looking to outside vendors to perform many processes such as IT systems, underwriting, appraisals, loan document preparation, etc. The use of more outside vendors certainly increases risk to the organization contracting these outside entities to perform critical operations. 

While organizations can outsource various tasks and functions, the organization must realize they cannot outsource the responsibility for these tasks and functions. If something goes wrong with a vendor, customers and regulators will be looking to the organization to resolve the issue. Placing blame on the vendor will not be an acceptable solution to the problem. 

LENDING POLICY RISKS

Both competitive pressures and potential increases in interest rates have the potential to impact financial risk. As organizations present new products to gain market share, they need to ask themselves “what if” questions about their potential assumptions regarding expected performance. For example, if implementation of looser underwriting guidelines potentially increases risk, what additional controls have been put in place to ensure that delinquencies do not go outside a targeted range?

When an organization embraces risk as an opportunity, it can limit surprises and take advantage of future events for the benefit of the organization. Effective ERM allows organizations to review the company holistically and see the “big picture,” not just issues facing one area of the business. This will also allow the company to recognize that an issue in one area may have significant effects and consequences for other areas in the organization or for the organization in total. 

Understanding the risk allows organizations to place resources where they are needed. But most importantly, an effective ERM system allows the organization to thrive for the long-term and be prepared for the unexpected.