Risk Management
A comprehensive approach.
A tone set from the top down
The foundation of our risk culture begins with an appropriate tone from the top. This tone is essential and encompasses not only what senior management says, but what it does. Senior management, including the Board, demonstrate their commitment to and support for risk management activities and incentives that encourage a strong risk culture throughout the bank. As a whole and at the committee level, the Board has an active role in overseeing the management of our risks. Board members regularly review our credit, liquidity, operations, compliance, price, interest, strategic, reputational, and the associated risks.
The bank’s senior management has effectively demonstrated its support for risk management activities by:
- Creating and investing in a robust and comprehensive risk management framework
- Appropriately staffing the program with experienced, qualified personnel
- Providing ongoing training to increase knowledge and capabilities where applicable
- Allocating significant amounts of management time discussing risk and mitigation plans during management committee and Board meetings
- Continuously supporting the risk management program and reinforcing its requirements
Risk management framework
Beyond the investment in risk management, the bank has embraced a risk culture throughout the organization. Human Resources implements a goal-setting process for all employees. It includes a Quality and Risk Management component that aligns with our overall strategic plan and the executive team’s goals and objectives. Goal attainment, including Quality and Risk Management, comprises 70% of an employee’s annual evaluation. The remaining 30% covers core values. An employee’s goal attainment or lack thereof positively or negatively impacts their year-end bonus.
Our risk framework uses the following system to manage risk throughout the organization:
- Risk identification: recognizing, analyzing, and understanding existing and potential risks that may arise from new business initiatives
- Risk measurement: measuring the risks the bank faces accurately and on a timely basis
- Risk control: establishing controls and limits, communicating them through policies and procedures, and articulating processes for exceptions and escalation
- Risk monitoring/reporting: monitoring risk levels to validate compliance with the Board’s risk "appetite" tolerance and established limits and alerting the business lines, management, and the Board when risk levels exceed these guidelines
This framework applies to the entire Flagstar enterprise. It covers all eight risk categories as defined in the “Bank Supervision Process” booklet of the Office of the Comptroller of Currency’s Handbook. The categories include credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputational risk.
Three lines
All of the bank’s organizational units are responsible for risk management; however, their specific roles and responsibilities vary based on their organizational role. We manage risk using the three lines principle. Together, the three lines establish a system to control risk-taking and ensure that the Board has sufficient information on the bank’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions.

First Line
This includes the business units and corporate functions that create risk for the bank by directly conducting business. The First Line units are responsible for identifying, managing, and mitigating risks associated with their activities and adhering to the risk tolerances and limits established by management and approved by the Board’s Risk Committee. These units are also responsible for implementing and maintaining processes and practices to ensure conformity with all applicable policies, laws, and regulations, including business-level quality control functions.

Second Line
This comprises the bank’s independent risk management functions, including all organizational units that do not create risk for the bank or oversee its risk-taking activities. These units assess, report, and escalate risks and issues independent of the First Line units and provide tools to assist all organizational units in managing risk.

Third Line
The Third Line consists of internal audit and loan review, whose responsibilities include, but may not be limited to, providing timely, relevant, independent, and objective enterprise-level perspectives and assurance regarding the effectiveness of governance, risk management, internal controls, and the quality of loan portfolios contributing to the overall safety and soundness of the bank.
Together, the three lines establish a system to control risk-taking and ensure that the Board has sufficient information on the bank’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions.
Managing third-party risk
Flagstar has developed a strong program to manage our third-party relationships, holding all employees involved in these relationships accountable for managing risks. We have third-party management processes in place for vendors and contractors who provide goods and services and separate procedures for Third-Party Originators (TPOs).
The director of vendor risk management and sourcing is responsible for creating and maintaining a framework that protects and effectively manages the risks associated with the third-party management lifecycle. The key functions of this process include:
- Planning
- Third-party selection
- Due diligence
- Risk assessments
- Criticality classification
- Third-party recommendations and approval
- Contract negotiations and administration
- Contract approvals
- Ongoing monitoring procedures
- Contract renegotiation and termination
- Recertification requirements
Our portfolio of third-party providers is segmented based on inherent risk and business continuity criticality. Relationships deemed to have higher risk are subject to more frequent and thorough reporting and review requirements.
Third-Party Originator management process
Third-party originator (TPO) relationships are established and governed through signed loan purchase agreements and Flagstar’s seller’s guide. We purchase closed loans from Non-Delegated and Delegated correspondents and fund loans originated by brokers. All loans are either underwritten by Flagstar or the delegated lender’s underwriters according to Flagstar criteria.
The bank formed a TPO risk committee to review and monitor these relationships, which reports to the enterprise risk management committee. Our TPO risk team uses a rating system to measure, monitor, and manage the quality of each TPO relationship. Based on the performance rating, the team works with TPO and business unit partners to determine the appropriate course of action, up to and including termination.
Disaster response and business continuity
Flagstar has established continuity plans to mitigate the impact to our customers and the business during interruption or adverse circumstances. The most important element during a business disruption event or crisis is the safety of all employees. Therefore, we developed a defined set of actions that our department leaders follow for various incidents, such as power outages, system or telecommunications failures, third-party service provider outages, or staff shortages. Our goal is to minimize the financial and operational impact, protect Flagstar’s data and records, and allow customers to continue to conduct business.
You may also be interested in: