Demystifying risk assessments by evaluating your solutions

Many regulators pose the question, "Provide copies of any internal risk assessments" in their licensing or examination reviews. These requests applied even to single proprietors who, naturally, felt overwhelmed and confused about what the examiners requested. Risk assessments represent a prudent step in the process of building a business. It's simply asking the question: "What could go wrong?"

The CFPB provides a sample risk assessment in its examination guides, which you can access here. In our view, the CFPB assessment addresses many items but also misses some. It reflects the regulator's well-known penchant for diving into minutiae in some elements (like corporate governance and certain regulations) while giving overly broad assessments of others. The best approach remains thinking through your process.

Risk Management Process for Mortgage Bankers and Brokers

Mortgage companies, small and large, face the same risks as any company: physical damage and infrastructure damage from disasters, and employee and workplace safety. But financial institutions also face risks specific to the business model: compliance, counter-party risk, process management issues, and fraud and information security.

Even the smallest company needs to address these issues, which can seem almost insurmountable. The task becomes more manageable and understandable by structuring our business with systems that regularly address these risks and then rationalizing these checks into a standard business flow.

The standard risk management process should look like this:

  1. Identify what risks a company faces,
  2. Identify the level of risk to the company, its customers, and counter-parties,
  3. Identify how the company mitigates those risks through procedures and other provisions.

We have compiled a risk assessment for standard retail mortgage brokering or lending operations, identified the level of risk, and shown how, through policies or procedures, these companies mitigate this risk.

Risk Levels

We follow the CFPB’s model for assessing the risk to the customer.


Quality of Risk Controls

A non-system-based Risk Control produces haphazard results. For instance, if there is simply an individual responsible for the execution of a risk mitigation procedure, it is likely to be missed. By integrating controls into processes we already conduct, scheduling regular audits, and using pre-programmed systems like LOS, Credit Reporting tools such as fraud guards, and web alerts like Google Alerts, we control these risks automatically.

At the heart of all our risk mitigation is implementing a “systems-based” approach that does not rely on an individual to oversee the process. For instance, checklists, step-by-step procedures, and automation contribute to systematic risk management.

Risk Assessment For Mortgage Companies

Customers of can find this risk assessment in their QC Plans.

download samples for their own use here: