In the years since the housing crisis, the phrase "operational risk" grew into a primary concern of every mortgage executive. Even by its tone, operational risk sounds ominous, but it's an issue that's omnipresent, given the ever-increasing number of regulations, investor requirements and agency guidelines that both mortgage servicers and lenders face.

When it comes to mitigating operational risk, however, we need science, not science fiction.

Regulators, investors, agencies and the other partners that mortgage companies work with need to see policies, audits and enforcement. The precise rules and duties may differ depending on who a firm works with, and vary across the myriad roles within an organization.

No one is excused from these responsibilities, and mitigating operational risk requires a plan. Devising that plan — and the training and oversight necessary to implement it — requires lenders and servicers to conduct a scientific investigation into the policies, procedures and controls they already have in place.

Mitigating operational risk is certainly complex, but it doesn't need to be complicated. Whether a mortgage company is focused on meeting regulatory and investor requirements, reducing repurchase requests, avoiding fines or simply ensuring loans don't default, adhering to a few fundamental steps can help mitigate operational risk.

First, take stock of the current situation. What is holding the business together? Is risk currently being managed upfront, or is it an afterthought? To properly answer this question, lenders and servicers must take a good, hard look at their current processes. Because the mortgage chain is incredibly multifaceted, it helps to create a flowchart of what an individual business looks like. Any format works, as long as the image of the business is detailed and thorough.

For this reason, many firms today conduct periodic operational risk audits. The idea behind a risk audit is to match a company's business goals with its current policies and procedures to ensure they are aligned. With the help of a qualified auditor, the risk audit will identify gaps and provide a clear picture of how to move forward. Lenders that conduct these audits periodically will have a clear understanding of whether their operations are getting better or worse over time, and why.

"At New Penn, we are very focused during our audit process on root cause analysis," said Kevin Harrigan, senior vice president, chief risk officer at New Penn Financial. "Often times, internal audit functions become too focused on the reporting of loan-level events, and lose focus on the systemic underlying causes of those events."

Next, prioritize areas of risk. Once everything is mapped and all the details of the company are laid out, identify each separate process and rank the processes in terms of efficiency level, quality of data and potential for risk. To make sure every possible deficiency or weakness is identified, ask team members for help and request that they make their own lists of all the operational risks they are aware of, especially any that have not been identified in previous audits.

It's extremely important to keep past audits handy and talk to staff members who have reviewed them. For example, AnnieMac Home Mortgage makes sure all relevant employees are aware of the company's past audits, including executive and senior managers and staff, said Matthew Buckley, the company's executive vice president of compliance.

"Companies should not put their audit findings on a shelf to collect dust," he said. "They need to publish them to their staff, use the data to train and teach staff, make them better. Many staff members welcome this critical feedback because I do not believe that staff members approach their jobs with an attitude of indifference to quality."

The next step is to study existing policies. Collect all of the guidelines and processes and figure out if any are absent, superfluous, or too old to be useful, and do the same for any training procedures that accompany those policies. Be sure to consider things both individually at each stage of the loan process and collectively as a whole. Keep an eye out for isolated processes that have no policies or training and that may have escaped earlier notice.

A major error some mortgage companies discover in this stage involves record keeping. To maintain compliance, it's not enough to simply keep a record — it's how the records are kept. For years, some lenders have relied on notes, not on actual data. But there's a big difference between the two, said Rebecca Walzak, of rjbWalzak Consulting. "Because it's in notes form, you can't analyze it," she said. "How do you improve a process if it's not in data format?"

Maintaining quality data is critical, agrees AnnieMac's Buckley. "Having good data is the key. If your data is not good, you are blind. It's the equivalent of trying to sail with a broken compass: you won't know where you are and you won't know how to get to where you need to be."

Once this is done, draft an operational risk management plan. Once a lender has a strong understanding of its risk policies and procedures, including any weak spots, the company can create and put in place an operational risk management plan designed to protect the business going forward.

New Penn has integrated a combination of checkpoints into its loan manufacturing process, said Harrigan. "They include prefunding quality assurance findings, post-closing quality control results, investor audits and scorecards, and borrower complaint monitoring just to name a few," he said. "Feedback received through these various channels is then aggregated and reviewed to determine if there are isolated training issues or a systematic fix is required."

It's also critical at this stage for mortgage companies to form a risk management team, if one is not already in place.

"The team should be made up of a group of people who really have the knowledge and depth of process," said Walzak. "They need to be the ones looking at how each of these risks is embedded in the process. There are people out there who are now called operational risk people, but still, they are pretty isolated."

Finally, fill in the missing links. Speed bumps in this process are clear indicators that something is missing. It turns out many mortgage firms — even very large organizations, and most small ones — cannot mitigate operational risk on their own without incurring significant time and expense. The good news is that there's a ton of help available.

Some mortgage companies turn to outsourcers and other third-party support vendors that can take a good deal of the risk management processes off their shoulders. For regional lenders and servicers in particular.

This may feel like a significant step that lenders and servicers, particularly regional-sized firms, may not be ready for, particularly from a cost perspective. But the key is finding an outsourcer with experience helping lenders of various sizes. And risk management outsourcing can take place on a per-unit pricing level, which makes it a manageable cost regardless of a company's size.

"When running a compliance department, you must be mindful of how your dollars are spent," said AnnieMac's Buckley. "Finding third-party support is critical in this effort. It is not cost effective to maintain certain functions in-house, while other functions should not be outsourced. Maintaining that balance is important."

Keep in mind that a qualified risk partner can also help mortgage firms lower costs by taking on the burden of meeting regulatory requirements. Such partners also have a large knowledge base of systems, policies, procedures and risk management strategies used by other institutions that they can leverage to benefit any lender.

Controlling operational risk requires an examination of an organization at all stages of its business. Whether this function is done in-house or with the help of an outsourcing partner, safely managing risk is mandatory in today's environment.

Nicolle Nelson is a vice president at business process management firm SLK Global.