August 2010

What Happened to ERM?

Failures in mortgage lending processes provide useful lessons for auditors about the importance of managing enterprisewide risks.

Jim Jorgensen

The worldwide financial crisis has had a tremendous impact. Internal auditors who work in the financial services industry are dealing firsthand with issues arising from this crisis, including increased reviews and enforcement actions by bank regulatory agencies. Even auditors outside of the financial services industry have witnessed the effects of a struggling economy, tight to nonexistent credit, and declining housing values.

The financial crisis teaches valuable lessons about the importance of identifying and managing risks effectively. An enterprise risk management (ERM) program should have improved the probability of anticipating the risks stemming from the large volumes of foreclosures. In any industry, an effective ERM program can enable management to have fewer surprises, handle crises effectively, be more likely to achieve its objectives, and make more informed risk-taking decisions. Internal auditors have a significant role in assessing their organization’s ERM program and helping management prepare better for future events.

SEEDS OF A CRISIS
The recent enforcement actions issued by U.S. bank regulators against mortgage servicers are an excellent example of the potential consequences of an ineffective ERM program. In April the U.S. Federal Reserve Bank, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, and Office of Thrift Supervision issued enforcement actions to the largest money center banks regarding how they handled foreclosures on residential mortgage loans. The regulators had taken note of the seriousness of the wave of foreclosures and were particularly concerned about the allegations of misconduct and negligence of bank servicing organizations in the residential loan servicing and foreclosure process. The regulators determined that, with the large number of foreclosures and with no indication that they would slow down soon, deficiencies in the servicers’ foreclosure processes could have major consequences for the housing market.

As a result, the regulators created an interagency audit team to evaluate the adequacy of controls and governance over the servicers’ foreclosure process and assess the servicers’ authority to foreclose. This audit team conducted reviews at some of the largest federally regulated mortgage servicers during the fourth quarter of 2010. The regulators’ report, released in April, stated that the review clearly showed the servicers had significant deficiencies in numerous aspects of their foreclosure processing, including:

  • Underdeveloped and insufficient processes to manage and control risks associated with the large volumes of foreclosures.
  • Filing of inaccurate affidavits and other documentation in the foreclosure proceedings.
  • Poor oversight of attorneys and other third-party vendors involved in the foreclosure process.
  • Inadequate staffing and training of employees.
  • Failure to coordinate the loan modification and foreclosure process to ensure effective communication to borrowers seeking to avoid foreclosure.

To understand how these processes broke down, it is important to look back at the original cause of the financial crisis. The 2007 subprime mortgage meltdown caused significant bank failures and required major government bailouts of some of the largest money center banks termed “too big to fail.” A huge wave of home foreclosures resulted from this crisis, precipitating heated and emotional discussions. Consumer advocacy groups and many U.S. politicians pushed to enact new laws to keep borrowers from losing their homes. The banking community and mortgage-backed securities investors voiced concern about protecting the foreclosure process, which they felt had provided the banking industry decades of confidence to originate mortgages. They argued that lack of foreclosure protection would dramatically harm the mortgage banking industry.

LESSONS FOR ERM
As the foreclosure crisis illustrates, it is important for internal auditors to revisit their organization’s ERM program to make sure it identifies risks timely and assesses their impact on the organization quickly. The wave of foreclosures was a result of many events that should have alerted management that a crisis was imminent. The first wave was initially brought on by poor lending practices that provided mortgages to many high-risk borrowers who could not afford them. As the economy declined and unemployment rose, a second wave of homeowners became financially distressed and began defaulting on their mortgages. Despite efforts by banks and the U.S. government to modify mortgage terms, it was not enough to stop the overwhelming tide of foreclosures.

Auditors also need to assess whether management is able to recognize when a crisis arises in the marketplace and how this crisis might affect the organization. Management should be able to assess quickly the potential impact of the crisis, even if it has had little effect on the organization to date. By anticipating the challenges the organization could face downstream, management can focus on the proactive measures it will need to take and possibly avert significant problems.

Another lesson auditors can learn from the financial crisis is how quickly organizations can be impacted when government agencies determine that consumers are being harmed or treated unfairly. Enforcement actions not only can have a financial impact through monetary penalties, business disruption, and required implementation of new procedures, audits, and processes, they also can severely harm the organization’s reputation. Initially, the mortgage servicing organizations were not under the intense scrutiny of the U.S. banking regulators, whose early attention was on lending practices.

Events can change quickly in any crisis, though. For example, inappropriate handling of foreclosure documents, referred to as “robo-signing,” became a major news story that sparked a public outcry. The regulators quickly focused their efforts on the major mortgage servicers, many of whom will likely incur monetary penalties and be required to take immediate corrective actions as detailed in the consent orders:

  • Establish compliance programs to ensure that mortgage servicing programs and foreclosure operations comply with all applicable legal requirements and appropriate policies and procedures.
  • Retain an independent firm to perform “look backs” of foreclosure actions that were pending in 2009 and 2010.
  • Implement procedures to provide a single and effective point of contact for the borrower involved in foreclosure and loss mitigation.
  • Establish effective policies and procedures for the outsourcing of foreclosure and related functions to ensure appropriate oversight and compliance with regulations.
  • Improve management information systems to ensure that the foreclosure and loss mitigation activities have accurate, timely, and complete information to facilitate effective decision making.
  • Retain an independent firm to perform a comprehensive risk assessment of the servicing operations.

Another lesson that auditors in any industry need to learn is the importance of understanding the risks their organization’s vendors, partners, and alliances may have or lay claim to the organization. For example, borrowers may blame mortgage lenders who originated their loans and later sold the servicing rights for foreclosure errors by the servicer, exposing those lenders to financial and reputational risks. In this case, lenders should have had effective risk management processes in place in the selection of their mortgage servicers.

A RETURN TO RISK BASICS
Clearly, the risks brought on by the tremendous volume of foreclosures overwhelmed even the largest U.S. financial services organizations. These organizations should ask themselves how the risks could have been identified and why their risk management processes may have failed to identify and address them. The regulators’ report noted a lack of internal audit and quality control reviews at the servicing operations. Internal auditors must make sure their audits and reviews focus on the high-risk areas identified through the ERM process.

How management responds to the identification of risks can determine the degree of success or failure the organization has. In any industry, the board and management need to get back to the basics of risk identification by implementing effective annual audit plans and corporate governance programs to assure that the risks are identified promptly and mitigated or managed effectively. An ERM process also must be communicated across the organization and have support from the executive team and board of directors to be effective. Without the appropriate “tone at the top,” any ERM program, no matter how well designed, will be doomed to failure.

Jim Jorgensen, CIA, CPA, CISA, is president and CEO of CrossCheck Compliance LLC in Chicago.

To comment on this article, email the author at iaonline@theiia.org.

Send Risk Watch article ideas to Paul Sobel at paul.sobel@gapac.com.

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2