A Note from Chief Risk Officer Sara Avery
To Our Client Partners:
Cenlar has invested a significant amount of time and effort over the last year-plus to remediating issues and build on our risk management foundation. We’ve adopted a risk strategy that makes identifying, managing and mitigating risk a priority for everyone at Cenlar. Our teams are breaking down silos and working more collaboratively than ever.
As a result, we closed out 2022 as a stronger, more resilient organization. That’s especially so in the three critical areas that we’ve addressed with you over the course of the last year: risk and controls, IT and default. Our focus here is steadfast as we work to sustain progress and simultaneously push forward to achieve new milestones.
I am pleased to share what we’ve accomplished and where we’re headed as we bolster this risk-aware culture at Cenlar.
Risk and Controls
In 2022, we completed the definition of our enhanced Risk Management Framework including updates to our RCSA, Issues Management, Change Management and Testing programs. We’re currently working on fully implementing the programs.
We’ve completed re-baselining of almost half of our Risk and Control Matrices, resulting in stronger and more focused data to support our risk and control self-assessment process (RCSA). Completing the second portion of this is our focus in 2023.
In Issues Management, we’ve made substantive progress that is helping improve Cenlar’s controls and enhance our risk culture. We’ve worked to increase our rate of self-identified issues and also improved our ability to assess the root cause of any issue and complete timely and effective remediation. The success of the Issues Management program represents a collaborative effort across multiple teams, including operations, business controls, operational change management, risk, compliance and internal audit. To date, Cenlar has remediated 80% of past due issues and is looking to finish the remainder by mid-year 2023.
Our enhanced Operational Change Management (OCM) program was improved last summer when the team introduced a new process that assures changes are made timely and properly with speed and quality. We recognize that the success and sustainability of the OCM program depends on everyone at Cenlar. With that in mind, OCM and HR are partnering to kick off an awareness and education campaign to help our employees understand and engage in this important effort.
IT made tremendous progress in 2022. Of note is the completion of our cloud migration, which delivers a more stable and scalable platform for our organization and, importantly, our clients and their homeowners.
IT also enhanced its strategic plan and governance process to ensure we keep ahead of requirements and improved patching systems to close vulnerabilities to attackers. In fact, we resolved our backlog of software patching and have remained current. As of January, we are on our eighth consecutive month of compliance with our patching standard and are working to sustain that progress.
For IT asset management, we successfully met 90% remediation of end-of-life assets by the end of 2022. We are on track to keep up with that rigor in managing our asset management lifecycle and continuing sustainable processes going forward.
Additionally, our CIO, Steve Taylor, has made important investments in talent. New positions in business resiliency and identity and access management are critical to building a sustainable and strong technology function at Cenlar.
This year, one of the most outstanding examples of collaboration in our organization is the automation effort between IT and loan operations. At Cenlar, we are working to automate our controls, with the goal of reducing manual tasks. Automation helps remove the risk that comes with manual processes, and, importantly, helps prevent errors and create a faster, more efficient process for homeowners.
As an example, we’re in the process of completing a full end-to-end automation process for mortgage insurance. We’ll automatically know when MI is no longer required and cancel it, eliminating additional work for the homeowner. Homeowner requests to remove MI also are migrating to Cenlar’s digital servicing platform, providing a quicker resolution for homeowners. Taken together, it’s an enhancement we believe gives homeowners — and by extension you — a better experience.
Fundamental to our risk framework is a repeatable and consistent four-phase approach to driving changes as we re-design, develop and implement new processes and procedures at Cenlar. Our employees have worked thoughtfully to consider new and better ways of doing things. Our goal is to get us from where we are today to where we want to be.
We effectively applied this approach to our foreclosure process starting in the third quarter of last year. As a result, we have made a number of changes. Most notably, we enhanced our pre-referral and pre-foreclosure review processes and enhanced our contact center scripting, adding controls to ensure homeowners are provided with every option available to them and that no one goes to foreclosure who shouldn’t. From here, we’re looking at the metrics we’re using to check our progress as well as test controls.
We’re looking to apply this approach to designing new ways of doing things across the business beginning with transfer operations, insurance and HELOCs in 2023.
Building a Risk Culture
No matter who you are or what you’re doing, a significant part of ongoing risk management is recognizing that risk changes and evolves through circumstances often beyond your control. At Cenlar, as a federally chartered bank and one of the nation’s largest mortgage servicers, we know that building and fostering a risk-aware culture requires continuous, diligent work.
We do this by viewing risk management not as a separate, isolated business function, but as a culture where every line of business sees the clear value of vigilant awareness. Teams work with each other across the lines of defense — they partner and leverage the expertise from each line to create a stronger and more sustainable risk infrastructure. It’s proof you can maintain appropriate independence while also benefitting from collaboration and taking lessons learned to better mitigate risk in the future and find operational efficiencies along the way.
When a risk culture is implemented successfully, an organization “talks risk” in business terms. There is a shared language and a wider understanding. The Enterprise Risk Management teams are viewed as advisors and are aligned with each business area to strengthen risk management practice and behaviors.
At Cenlar, establishing a risk-aware culture starts at the top. This is critical — management, the executive level and the board understand that developing or strengthening a risk-aware culture is a necessary and important function. The concepts of risk and the ideas need to be reiterated as the core foundation of the organization.
Risk management concepts and practices need to be accessible to every employee — less academic and more pragmatic. One of the most important principles in building a risk-aware culture is to convey the concepts of risk so that people not only understand it, but can apply it to their day-to-day role. People need to understand why what they’re doing is important and what the real magnitude of a risk is in order to sustain sound mitigation practices. It can’t be a “check-the-box” activity.
How you implement a risk-aware culture is really about the people who are running the day-to-day, and how they think and operate, so you have to attack it from the grassroots, as well, in order to be successful.
We are committed to continuing our efforts to strengthen our risk and control environment and look forward to sharing updates on our progress.
Sara Avery joined Cenlar in September 2021. Prior, she was the Chief Risk Officer for Common Securitization (CSS), a financial technology joint venture that supports back-office securitization for Fannie Mae and Freddie Mac. Before CSS, Sara spent nearly a decade working with Freddie Mac in a variety of leadership roles across risk management, including risk, credit risk and third-party risk management.
READ MORE INSIDE THIS ISSUE