Small mortgage companies face the same regulatory expectations as larger institutions when it comes to identifying and managing risk. Even with one or two branches and fewer than fifty employees, regulators expect management to conduct an enterprise-wide risk assessment (EWRA) that evaluates exposures across operations, compliance, cybersecurity, and customer interactions. The EWRA provides a structured approach to documenting where risks exist, how they are controlled, and how frequently those controls are reviewed.
Risk Assessment Framework
The EWRA matrix organizes risks into categories, assigns an initial rating, lists the existing mitigation measures, records the residual rating, identifies the responsible party, and determines the review frequency.
We provide a tool for conducting your risk assessment internally. It follows a four-step process:
1. Identify the risk.
2. Assign a risk level (low, medium, or high).
3. Record where and how the risk is mitigated (e.g. policies, audits).
4. Record the post-mitigation (residual) risk.
| Risk | Initial Risk | Mitigation | Residual Risk | Responsibility | Review |
|---|---|---|---|---|---|
| Advertising – Online or remote application gateways | Medium | Advertising compliance checklist; social media policy review | Low | Compliance Officer | 12 months |
| Advertising – Non-compliant advertising or social media use | Medium | Advertising audit and officer oversight | Low | Marketing Manager, reviewed by Compliance Officer | 12 months |
| Compliance – Failure to comply with published regulations | High | Regulatory Compliance Management System, documented policies and procedures | Low | Compliance Officer / Management | 12 months |
| Cyber-Security – Customer data exposure | High | Red Flags Identity Theft program, written safeguarding policies, IT security plan | Medium | IT Administrator or designated third-party vendor, overseen by Management | 12 months |
| Fair Lending – Credit decisioning risk | Medium | Fair Lending Plan with monitoring and comparative file review | Low | Underwriting Manager / Compliance Officer | Annual |
Responsibility for the EWRA
Responsibility for the risk assessment rests with management. In small companies without a board of directors, the owner, managing broker, or designated compliance officer typically prepares the matrix and maintains the record. Regulators expect management to review and approve the EWRA annually and when major changes occur, such as opening a branch or introducing a new loan product. Companies may hire a third party to conduct or validate the assessment, but if they follow the structured process outlined in Form 1-80, they can complete the EWRA internally without outside assistance.
Application for Small Companies
A small mortgage company must demonstrate that it applies this framework proportionately to its size.
- Policies such as the QC Plan, Compliance Manual, and IT Security Plan serve as the mitigation layer.
- Risk ownership is documented directly in the matrix to show who is accountable for each item.
- The EWRA is updated when products, vendors, or branch operations change.
- Documentation is reviewed during examinations to confirm the company has a process to identify and mitigate risks.
States That Require Enterprise-Wide Risk Assessments
Several states have explicit or implied EWRA requirements tied to licensing examinations. Current examples include:
- Texas – Department of Savings and Mortgage Lending (SML) requires annual EWRA documentation.
- Washington – Department of Financial Institutions (DFI) cites EWRA in examinations.
- South Carolina – Department of Consumer Affairs requires an IT-security-focused EWRA.
- New York – Department of Financial Services (DFS) requires risk assessments as part of cybersecurity compliance.
- Connecticut – Banking Department requests EWRA in mortgage company exams.
- California – Department of Financial Protection and Innovation (DFPI) includes EWRA in compliance review requests.
- Florida, Virginia, and Maryland – examiners frequently request EWRA documentation, even if it is not formally codified.
Next Steps - Conduct one NOW!
An EWRA is a core element of compliance for small mortgage companies. By documenting risks, mitigation, responsibilities, and review cycles in a structured matrix, the company demonstrates control of exposures across advertising, compliance, cybersecurity, and fair lending. Regulators expect to see this process in place, regardless of company size.