Risk Management

A comprehensive approach.

A tone set from the top down

The foundation of our risk culture begins with an appropriate tone from the top. This tone is essential and encompasses not only what senior management says, but what it does. Senior management, including the board, demonstrate their commitment to and support for risk management activities and incentives that encourage a strong risk culture throughout the bank. As a whole and at the committee level, the board has an active role in overseeing the management of our risks. Board members regularly review our credit, liquidity, operations, and the associated risks.

The bank’s senior management has effectively demonstrated its support for risk management activities by:

Creating and investing in a robust and comprehensive risk management framework
Appropriately staffing the program with experienced, qualified personnel
Providing ongoing training to increase knowledge and capabilities where applicable
Allocating significant amounts of management time discussing risk and mitigation plans during committee and board meetings
Orally supporting the risk management program and reinforcing its requirements

Risk management framework

Beyond the investment in risk management, the bank has embraced a risk culture throughout the organization. Human Resources implements a goal-setting process for all employees. It includes a Quality and Risk Management component that aligns with our overall strategic plan and the executive team’s goals and objectives. Goal attainment, including Quality and Risk Management, comprises 70% of an employee’s annual evaluation. The remaining 30% covers core values. An employee’s goal attainment or lack thereof positively or negatively impacts their year-end bonus.

Our risk framework uses the following system to manage risk throughout the organization:

Risk identification: recognizing, analyzing, and understanding existing and potential risks that may arise from new business initiatives
Risk measurement: measuring the risks the bank faces accurately and on a timely basis
Risk control: establishing controls and limits, communicating them through policies and procedures, and articulating processes for exceptions and escalation
Risk monitoring/reporting: monitoring risk levels to validate compliance with the board’s risk tolerance and established limits and alerting the business lines, management, and the board when risk levels exceed these guidelines

This framework applies to the entire Flagstar enterprise. It covers all eight risk categories as defined in the “Bank Supervision Process” booklet of the Office of the Comptroller of Currency’s Handbook. The categories include credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputational risk.

Three lines of defense

All of the bank’s organizational units are responsible for risk management; however, their specific roles and responsibilities vary based on their organizational role. We manage risk using the three lines of defense principle. Together, the three lines establish a system to control risk-taking and ensure that the board has sufficient information on the bank’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions.

First Line of Defense

This includes the business units and corporate functions that create risk for the bank by directly conducting business. The First Line of Defense units are responsible for identifying, managing, and mitigating risks associated with their activities and adhering to the risk tolerances and limits established by management and approved by the board’s Risk Committee. These units are also responsible for implementing and maintaining processes and practices to ensure conformity with all applicable policies, laws, and regulations, including business-level quality control functions.

Second Line of Defense

This comprises the bank’s independent risk management functions, including all organizational units that do not create risk for the bank or oversee its risk-taking activities. These units assess, report, and escalate risks and issues independent of the First Line of Defense units and provide tools to assist all organizational units in managing risk.

Third Line of Defense

The Third Line of Defense consists of internal audit and loan review, whose responsibilities include, but may not be limited to, providing timely, relevant, independent, and objective enterprise-level perspectives and assurance regarding the effectiveness of governance, risk management, internal controls, and the quality of loan portfolios contributing to the overall safety and soundness of the bank.

Together, the three lines of defense establish a system to control risk-taking and ensure that the board has sufficient information on the bank’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions.

Managing third-party risk

Flagstar has developed a strong program to manage our third-party relationships, holding all employees involved in these relationships accountable for managing risks. We have third-party management processes in place for vendors and contractors who provide goods and services and separate procedures for Third-Party Originators (TPOs).

The director of vendor risk management and sourcing is responsible for creating and maintaining a framework that protects and effectively manages the risks associated with the third-party management lifecycle. The key functions of this process include:

Planning
Third-party selection
Due diligence
Risk assessments
Criticality classification
Third-party recommendations and approval
Contract negotiations and administration
Contract approvals
Ongoing monitoring procedures
Contract renegotiation and termination
Recertification requirements

Our portfolio of third-party providers is segmented based on inherent risk, residual risk, and business continuity criticality. Relationships deemed to have higher risk are subject to more frequent and thorough reporting and review requirements.

Third-Party Originator management process

Third-party originator (TPO) relationships are established and governed through signed loan purchase agreements and Flagstar’s seller’s guide. We purchase closed loans from Non-Delegated and Delegated correspondents and fund loans originated by brokers. All loans are either underwritten by Flagstar or the delegated lender’s underwriters according to Flagstar criteria.

The bank formed a TPO risk committee to review and monitor these relationships, which reports to the enterprise risk management committee. Our TPO risk team uses a rating system to measure, monitor, and manage the quality of each TPO relationship. Based on the performance rating, the team works with TPO and business unit partners to determine the appropriate course of action, up to and including termination.

Disaster response and business continuity

Flagstar has established continuity plans to mitigate the impact to our customers and the business during interruption or adverse circumstances. The most important element during a crisis is the safety of all employees. Therefore, we developed a defined set of actions that our department leaders follow for various incidents, such as power outages, system or telecommunications failures, third-party service provider outages, or staff shortages. Our goal is to minimize the financial and operational impact, protect Flagstar’s data and records, and allow customers to continue to conduct business.