A little more than a decade after the credit crisis, John Forlines has helped guide the GSE back to prominence as its top risk executive. In a recent interview with Risk Intelligence, he shared his views on risk culture, operational resilience, regulatory collaboration, the rise of technology and the future of the mortgage industry.
Friday, September 6, 2019
By Robert Sales
Over the past 32 years, John Forlines has worn many hats at Fannie Mae - the mortgage giant that ranked 22nd on this year's Fortune 500 list. Starting his career in the internal audit group in 1987, he worked his way up from chief credit officer to chief audit executive to deputy chief risk officer, where he was responsible for managing the firm's aggregate credit, market and liquidity risks.
Today, after graduating from interim to full-time CRO in October 2018, Forlines oversees Fannie Mae's enterprise risk management - a group comprised of 282 employees. That number has risen over the past five years, but not significantly. “We are currently looking at additional areas where we need to grow staff, particularly in operational risk and model risk management,” says Forlines, who also chairs the company's enterprise risk committee.
Fannie Mae buys mortgages from lenders and either holds them in its portfolios or packages them into mortgage-backed securities that are sold to investors, with interest and principal guarantees. Its objective is to bring liquidity, stability and affordability to a mortgage market that can sometimes be risky and volatile.
However, the picture hasn't always been so rosy. During the run-up to the 2007-08 credit crisis, underwriting standards were lowered, home prices plummeted and foreclosures increased, leading, eventually, to the collapse of the subprime mortgage market. Shares of Fannie Mae and Freddie Mac, its fellow government-sponsored enterprise (GSE), subsequently tumbled, and both companies were placed under federal conservatorship in September 2008.
Since that time, Fannie and Freddie have received a total of $191 billion in aid, but have returned a combined $297 billion in dividends to the US Treasury, according to ProPublica, a public interest journalism website. (Fannie Mae claimed responsibility for $175.8 billion of that return in its 2018 financial statement.)
That's a worry for another day for Forlines, who has had a front-row seat for Fannie Mae's roller-coaster ride over the past decade. In a recent interview, he shared his insights on a variety of risk management and mortgage industry topics. Here are excerpts.
Career and Culture
Risk Intelligence (RI): You've been at Fannie Mae since 1987, working your way up from internal audit associate to chief credit officer (single-family division) to chief audit executive to deputy CRO. How did all of those roles prepare you for current CRO job? I would think that your experience as a CAE and a CCO would come in particularly handy.
John Forlines (JF): It has been very helpful to work in the first, second and third lines of defense to get all views of risk management. Most of my experience at Fannie Mae has been in the first line in the single-family division - our largest business segment.
Being able to leverage the credit experience and what I learned during the credit crisis to then move to an enterprise-wide role of chief audit executive gave me exposure to technology, operations and other parts of the company. This helped prepare me to ultimately come to ERM and continue in an enterprise-wide role of chief risk officer and identify risk throughout the entire company.
I've been able to work with different board members and different people from our regulator, the Federal Housing Finance Agency (FHFA), and learn different perspectives from people using a different lens on how they view the risk of the company.
RI: You currently report to Fannie Mae's CEO, Hugh Frater. How often do you meet with him, and can you cite some of the risk issues that have been at the top of your agenda this year when you have met?
JF: I meet with Hugh one-on-one weekly. In addition, I meet with the entire management committee of the company on a weekly basis. The management committee, our leadership team, consists of 12 senior leaders of the company. Issues that we talk about often are credit risk, cyber risk and operational risk.
RI: How frequently do you interact with the board of directors, and what risk data (e.g., timely and actionable risk reports) do they expect you to deliver on a regular basis?
JF: Our risk policy and capital committee meets as a group 8-10 times a year, and I meet with the chair and vice chair of that committee once or twice a month on average. The purpose of that committee is to assist Fannie Mae's board of directors in overseeing the company's enterprise risk management program and the alignment of that program with the company's mission and safety and soundness objectives.
A risk report is sent to the board monthly. In that risk report, we assess against our primary risk appetite for all areas and emphasize any areas where we see increasing risk. The discussion related to this report is one of the most important interactions I have with the board.
RI: How do you translate risk and security threats into language that resonates with the executive team?
JF: We establish a risk appetite for all primary risks across the company, [and] we use a common risk taxonomy to describe each of these risks. In the risk report to the board, we assess where we are relative to our risk appetite for each of the areas.
RI: Part of your remit is to build and sustain a strong risk culture. What advice would you give to someone who needs to create and sustain a culture of risk awareness?
JF: Risk culture starts with tone at the top. You must make sure that the senior management of the company and the board make risk management a priority. The actions that the management team and board members take must be consistent with their words.
It is also important that you continually drive home basic themes with all the employees around themes like, “If you see something, say something,” so people understand that, whatever your role in the company, you have the responsibility to identify risk and escalate anytime you think risk is not being appropriately addressed.
We also conduct an annual risk culture summit where we invite people from the first, second and third lines of defense. We usually get an outside speaker to talk about risk from a different perspective, so people can learn how other companies ingrain risk culture in their divisions.
RI: You chair the firm's enterprise risk committee. What are the primary responsibilities of that committee, and what role does it play in developing a risk culture?
JF: The enterprise risk committee oversees enterprise-wide risk, including strategic, reputational, compliance, credit/counterparty, market, and operational/model risks. The committee ensures we are talking about the right risks as a company, making sure employees feel like they are being heard when they escalate concerns and providing guidance and direction around how we may want to manage the top risks of the company. Our committee meetings are highly interactive, with much discussion that leads to additional actions regarding management of our most important risks.
RI: How has social media changed the risk landscape? How do you protect Fannie Mae's reputation and maintain its integrity in this hyperconnected world?
JF: Using social media from a corporate or business perspective enables you to share information with a large group of people very quickly - whether it's directed toward employees or external followers. Fannie Mae has started using social media more effectively to share some of our data and research findings - including, for example, our national housing survey results produced by our chief economist, Doug Duncan.
Social media is an opportunity to share more information more widely. But you must make sure you're on top of things because news can travel, be shared or acted on quickly. We have policies in place that clarify how our employees can and cannot use social media.
RI: Compensation is another important component of culture. We've seen examples in the past of poorly-designed incentive compensation plans wreaking havoc on risk culture. Do you think that compensation plans that are heavily linked to business objectives (e.g., focused on earnings incentives) are a threat to drive more short-term and riskier behavior in the business units? Should the CRO be involved in the construction of compensation packages?
JF: It's important for the chief risk officer to be involved in the structure of compensation packages, but I don't think it's appropriate for [him or her] to be involved in determining the level of compensation. I think it's important to keep compensation tied very closely to the goals of the company, but it's also very important that compensation doesn't incentivize people to do things that are inappropriate - whether to the consumer, the customer or the company.
RI: How can you tell if your risk management approach is actually working? Obviously, if your firm manages to avoid losses caused by, say, operational risks, that's a good sign. But are there other ways to measure the effectiveness of risk culture?
JF: Employee surveys are a great way to determine if the risk management approach is working. We have four specific questions in our annual employee survey to gauge this, from risk communication to how comfortable employees feel in escalating risks to their immediate supervisor. This encourages everyone in the company to be a risk manager and ensures the other senior managers are talking about risk management.
RI: Lately, operational risk events like cyber-attacks, IT meltdowns and fraud have grabbed headlines. What steps have you taken to more proactively identify possible points of failure and to protect Fannie Mae against these types of events? Do you, for example, perform scenario analyses to better understand the risks that could interrupt your business?
JF: Fannie Mae proactively gains insights into potential points of failure through the review of internal loss and near-miss events, external events and scenario analysis. We perform root-cause analysis of internal loss and near-miss events as they occur, but we also supplement the event-level analysis with portfolio-level reviews of our incident database, looking for recurring themes that might indicate more systemic issues.
In addition, we analyze significant external events for lessons learned based on comparison to Fannie Mae's risk profile and control environment. The insights from the evaluation of internal and external events are key inputs to the development of scenarios that are analyzed during workshops, where we review and estimate the company's exposure to potential high-impact operational risk events. The outcomes of the workshops help us evaluate the need for preventative actions by highlighting control gaps or weaknesses.
RI: Some regulators, including the Bank of England, are now demanding greater operational resilience, asking financial institutions to plan on the basis that it's no longer a matter of if, but when, you experience a failure. Do you think it's important for firms and regulators to collaborate to develop better incident reporting and to understand the reasons behind recent risk management missteps? Is Fannie Mae doing any work with the FHFA in this area?
JF: Yes, collaboration is very important, and it plays a key role in effective reporting and overall risk management efforts. For the most significant operational events, including those that impact operational resilience, Fannie Mae has mechanisms in place to promptly notify our regulator of the occurrence of the event, even if the full impact, root cause and risk response are not yet known. This early notification is followed by updates as the impact and root cause are assessed and the risk response is planned.
In addition, our regulator receives regular reporting on all operational events, and we engage in periodic discussions with the regulatory teams on operational event trends and lessons learned.
RI: The aviation industry employs a “no-blame approach” (evidence compiled by investigators is not admissible in court) as part of an effort to encourage employees to speak up when they observe wrongdoings. Some financial institutions, moreover, now have whistleblower programs. Does Fannie Mae have one, and what specific steps have you taken to encourage a speak-up culture?
JF: Raising compliance and ethics concerns is a key principle in Fannie Mae's code of conduct. Our employees are expected to address difficult issues and promptly raise compliance and ethics questions and concerns that come to their attention.
Fannie Mae has an FM Ethics program that provides a central location for employees to ask questions and raise concerns anonymously or confidentially. Employees may contact FM Ethics through a variety of methods, including by anonymous web line, email or phone.
We also actively promote our “speak-up culture” by providing mandatory code of conduct and compliance training and targeted ethics training to business units, as well as by routinely communicating to all employees regarding ethics matters and the obligation to raise compliance and ethics concerns.
Moreover, we ask employees to participate in a third-party administered ethics culture survey every few years, which allows us to identify program strengths and opportunities for improvement. Finally, we have a non-retaliation policy in place, and enforce it through our internal investigations function.
Technology and the Evolving Mortgage Industry
RI: How has technology changed the mortgage industry? What role, for example, do automated valuation models (AVMs) now play in the mortgage underwriting process?
JF: There's no question technology has changed the mortgage industry. We've found ways to directly verify income, assets, and employment information electronically. We continue to look at ways to use automated valuation models to complement traditional manual appraisals. We don't believe they'll ever replace the appraisal process, holistically, as it currently exists. Appraisers are an important part of ensuring we have the data to accurately assess the value of a property.
RI: Do you have any concerns that the industry will become over-reliant on AVMs, completely eschewing human judgment?
JF: I don't have a concern that that's going to happen. We've taken a very measured approach to using data that we have on property values and data from actual appraisals to essentially determine what we think approximates the value of a property. We continue to rely on appraisers to assess properties and provide the data needed for a value determination.
RI: Speaking of disruptive technology, do you use AI for any of your risk management needs - e.g., to build risk models?
JF: No, we aren't using true “artificial intelligence” for any of our risk management needs currently. However, we are constantly looking for new ways to manage risk and automate processes. One example is the use of a natural language processing tool to assist with credit reviews of our counterparties. We have been able to reduce the amount of time for a credit review by a large percentage.
RI: How does Fannie Mae establish its internal credit standards? Do you use automated underwriting systems and statistical scorecards?
JF: Yes, we do. We establish our internal credit standards based on review of the data we have on more than 17 million loans we currently have on our books, as well as many other loans that have been paid off or have defaulted. We collaborate with our customers to understand what's going on in the current marketplace to make sure our standards are reasonable.
We also use automated underwriting, and our automated system has a scorecard that determines the risk of every loan application submitted. We are constantly reviewing our scorecard to accurately capture risks of new mortgages and to ensure we are establishing appropriate risk cut-offs.
RI: Are you concerned at all about the rise in non-bank mortgage lenders and servicers, many of which are backed by hedge funds and private equity firms? Since these players are subject to little regulation and are prone to more risk taking than traditional banks, do they pose a risk to the stability of the mortgage market when the next major downturn occurs?
JF: We constantly monitor the financial stability of all our approved sellers/servicers to ensure that they have adequate net worth and adequate liquidity. We can do business at essentially equal levels with banks and non-banks, because of the many measures that we've put in place to oversee all of our sellers/servicers since the crisis. We are well-prepared for the typical business cycles that have recessions and expansions.
RI: What are the most significant changes you've seen in risk management in the mortgage industry over the past five years?
JF: The biggest change I've seen is an increased use of technology. I've also seen greater maturity of the three lines of defense model with many of our customers.
Our sellers/servicers have also invested in risk management and quality control to ensure they produce high-quality loans. When there are defects in the loan origination process, these defects are often identified early and addressed properly.
RI: Are there any risk trends and/or regulatory developments that you expect to keep a particularly close eye on over the next 12 months?
JF: We will continue to monitor the macroeconomic environment and assess the impact it has on our $3.3 trillion mortgage book, and we will continue to enhance our operational risk infrastructure.