Risk Management

All businesses with an online presence must find ways to identify, manage, and mitigate potential risk. The types of risk you could face include data-related risk, operational risk, compliance risk, and financial risk. Conducting a risk assessment is a crucial step in the risk management process to prepare your infrastructure and stakeholders for a potential risk event and its impact.

Why risk management is important

The world in which we operate is evolving quickly, presenting new emerging risks and economic concerns. COVID-19 has shifted the perspectives of consumers, who are now looking for alternative solutions to manage finances in a digitally-driven world. But with new demand comes an increased chance of risk. That’s why a robust, evolving risk management strategy is crucial to understanding your company’s risk tolerance—and any risk factors you face.

Risk management in payments

The different categories of organizational risk span far and wide. A security breach resulting in a privacy leak, a natural disaster wiping out a data center, or fraudulent activity causing financial losses are all common types of risk. Let’s look at payment-specific risk first.

Companies that manage a large amount of online transactions are subject to more niche, payment-related risks. No online payment can be facilitated entirely risk-free, but when both vendors and consumers are relying on you to safely handle transactions, it’s important to understand the types of risk your organization will take on.

Whether you’re an online marketplace, PoS solution, or offer alternative payments in the financial services space, the most common types of payment risks you could face include credit risk, fraud risk, or account takeovers. Another common risk that you could face when handling online payments is operationally-driven, where financial loss stems from a system or an employee mistake.

Credit Risk

A seller/provider of goods should have sufficient cash flow to cover refunds, chargebacks, and even periods of financial instability. However, there may be times when a seller is lacking in both sales, and the funds needed to stay afloat. In extreme cases, a seller may stop operating or may face bankruptcy, where your organization is now responsible for an amount of money that a seller can’t cover. This is because your organization is often liable for those using your platform.

Fraud Risk

Unlike credit risk, fraud risk is driven by malicious intent. In the online payments ecosystem, fraud can derive from either the seller or the purchaser. A fraudulent seller may deceive buyers into purchasing goods, with no intent to deliver. A fraudulent purchase consists of a transaction occurring that is not authorized by the cardholder, i.e. the card used was stolen. A buyer may also falsely claim they didn’t receive a good or service, submitting a chargeback request to their financial institution. This is known as ‘friendly fraud’. Either instance could leave you facing fraud risk.

Account Takeovers (ATO)

While certain mitigation strategies can prevent fraud risk, they won’t be able to prevent account takeovers. An account takeover is when a 3rd-party with malicious intent gains primary access to sensitive credentials, taking over an account to commit fraud and/or steal funds.

Enterprise risk management (ERM)

In every decision we make, risk is present. Traditional methods for monitoring and managing risk often involve siloing risk analysis to separate areas of the business. With enterprise risk management, or ERM, your organization can work risk management into your overall strategy and business goals. The goal of ERM is to gain a better understanding of your company’s risk appetite. What risks are worth taking? What risks can you afford to handle? Dedicated risk teams can work organization-wide with business leaders and individual teams to ensure risk is accounted for across everything you do.

Most instances of ERM will rely on a standard framework for identifying, managing, and mapping the effects of a risk event. Frameworking your organization’s risk strategy will provide a bird’s eye view into all potential risks that jeopardize your goals and key objectives.

Who manages risk?

Traditionally, risk and any risk management plans would cascade down from executive leaders, including the CEO. However, it’s important to note that leadership may not possess a strong enough skill set to truly understand your unique risk landscape.

That’s why some organizations employ entire risk management teams. These teams—often led by executive employees (CEO, CTO, CIO, and CRO)—are responsible for identifying risks, monitoring the landscape you operate in, and improving your response. Other roles within the risk management team include the Director of Risk, Risk Managers, Risk Analysts, and Risk Specialists. With a team of risk experts on hand, your company will be in a better position to approach risk strategically.

Risk management process

The risk management process your organization follows will be unique to the way you operate. Prioritizing and identifying the risks that are more likely to surface for your company can keep you one step ahead in managing and mitigating risk. To determine your unique risk profile, conduct a risk analysis:

Identify Risk

Risk identification is key to preparing your company for quick decision-making should a risk event occur. To pinpoint potential risk, highlight any barriers that could prevent you from hitting targets, reaching goals, or operating as you should. An organization that operates in a vulnerable physical environment may identify natural disasters as a high-priority risk—this is an operational risk. To effectively characterize the severity of a risk, determine if the factor in question has the potential to limit or completely shut down your company, or its operations.

Assess Risk

With a list of potential risks identified, you should assess these risks to determine the likelihood of this risk occurring. Are there supply chain issues looming which could leave you without the necessary tools to work? This step in the risk management process helps to surface those risks which are most probable to occur, and the resulting outcome should this risk occur.

Prioritize Risk

The risks that you’re most likely to face have been identified, but it’s important to double down and truly understand those that require the most attention. To better prioritize risk, order the risks by most likely to least likely to occur—and the potential impact of each on your ability to generate revenue and operate as expected.

Treat Risk

This stage of your risk management program involves ideating a range of potential risk mitigation and risk reduction strategies to either eliminate a risk, or reduce its impact. The approach you take to handling a risk will ultimately depend on the circumstances surrounding a specific risk, cost vs. impact, and stakeholder input. Depending on the nature of the risk, you could follow one of these paths:

  • Avoidance: Where a risk is too impactful to take on, or poses detriment to your organization, alter any behaviors or systems in place that could lead to this risk. Your aim is to completely eradicate the chance of this risk occurring.
  • Reduction: Where a risk is undesirable, but not completely avoidable, risk reduction is the appropriate response. This is where you would apply risk mitigation strategies to limit the occurrence or impact of an identified risk.
  • Transfer/sharing: Risk transfer, or risk sharing, is the process where any adverse outcome or financial loss that could arise from a potential risk is ‘transferred’ to a 3rd party, like an insurance company. The insurance company would bear responsibility should a risk event occur.
  • Acceptance: Where a risk has a low probability of occurring, or the outcome is less adverse, you may choose to simply accept the chance that the risk occurs. The financial and operational burden of mitigating the risk may outweigh the potential impact.

Monitor and Review Risk

The handling of risk is a dynamic process, often affected by the constantly changing nature of the environments we operate in. Regularly reviewing your risk landscape allows you to reprioritize and shift your approach if needed. What was once a low-priority risk could now be a high priority one, so constant monitoring and review allows you to detect changes to your risk profile and alter your response accordingly. If the likelihood or impact of a risk has changed, then this should be recorded in your risk management program and stakeholders should be notified. This proactive approach to risk monitoring can help you better mitigate risk, before an event occurs. Often implementation of risk mitigation requires time and the allocation of resources, and if left too late, you may fall victim to the risk before your organization can intervene.

Risk management plan

A risk management plan is critical to keeping your business operating in the face of any potential risk event. A risk management plan is a core element of your response that documents potential risks, potential impacts, the factors that could trigger a risk event, roles and responsibilities, and contingency plans.

Often a framework provides the guidance needed to build out a robust risk response, though the online payments environment requires a unique approach.

Risk management for credit risk

Onboarding new users to your platform is usually the most crucial time for pinpointing any risk. Understanding past actions or how a new user/merchant operates can prevent any future credit-related risk events. Usually as a third-party facilitator, you assume a level of responsibility for handling online payments. It’s standard to expect a new seller to have enough cash to cover refunds and to keep business moving, though there is always a risk a faulty seller could leave you facing large amounts of loss when they can’t cover refunds or returns.

Identify Risk

It’s okay to be wary of new sellers as you have no prior experience in working together. But by following a risk management process, you can gain a better view into any risk-prone users before you onboard them fully.

  • Don’t assume, and always conduct a thorough review of new vendors that want to use your software
  • Be thorough— double check refund policies, financial statements, and credit checks
  • Create financial limits or purchase caps at the start to get a better understanding of how the vendor will operate
  • Hold a percentage of funds as a safety net from any sellers that pose risk, or create a standard timeline for review so that you can vet all new vendors

Monitor Risk

Certain vendors may seem like the ideal user at the start, but change is inevitable. Ongoing disputes, repeated mistakes, and poor business practices can arise later down the line. That’s why monitoring risk is key.

  • Build a first line of defense by creating automatic notifications or alerts when a potential risk-related event occurs
  • Conduct regular audits to better understand how sellers are using your platform and to reveal any negative patterns of behavior
  • Pay attention to customer feedback. Are there patterns of complaint from a particular vendor?

Mitigate Risk

After you’ve identified and monitored risk, you should have a better grasp on the risk profiles your business deals with. Categorizing users under certain risk profiles can create a system of checks and balances to ensure you’re flagging potential liabilities and new risks.

  • Don’t pay vendors/sellers until a recipient receives what they were intended to
  • Create rules for payout based on unique risk profiles to cover your credit risk—the riskier the vendor, the longer payout period
  • Pay attention to sellers with a negative balance, and understand what power you have to recover funds, otherwise, you’ll need to cover the transactions they can’t
  • Understand where risk is coming from. Are there more risk-prone sellers from a particular area or industry? Implement onboarding caps in line with these discoveries

Risk management for fraud risk

Any type of fraud payment arises out of a purchase that a cardholder has not authorized. Whether a physical card has been stolen, or card details were skimmed, every transaction you process poses the risk of fraud. To detect and combat this type of fraud risk, your company can implement fraud detection software.

Conversely, fraudulent sellers can collect funds for goods that they have no intention of ever providing. It’s your responsibility to ensure you’re minimizing fraud risk from illegitimate merchants.

Identify Risk

When you onboard new sellers or users, you should be validating as much information as you can to verify the legitimacy of the account.

  • Always verify as much as possible when onboarding. Review business licenses, research the seller’s online presence to flag any discrepancies, and confirm details like physical addresses exist
  • Fraudulent sellers will often open another account if they’ve been caught before. Always cross check personal information to combat duplicate accounts
  • Similar to credit risk, you could hold funds as a guarantee for those sellers who fit into the high-risk profiles you’ve established

Monitor Risk

The digital landscape is always evolving, and with this, fraudsters evolve too. To ensure you’re picking up on any red flags from a seller, set up automatic alerts that flag major changes in a seller’s activity.

  • Analyze seller behavior and set benchmarks for review. Cross compare monthly activity with previous months to understand how a potential fraudulent seller is changing their tactics to fly under the radar
  • Rely on past occurrences of fraud to establish a checklist for auditing seller behavior (i.e. what to check for, what’s normal, what’s extreme)
  • Don’t ignore suspicious activity—contact a seller to validate that a sale is legitimate if your system flags potential fraud

Mitigate Risk

After a certain period of time, you should have good visibility into the different levels of risk that you’re dealing with. Here you can finetune your approach to proactively mitigate risk.

  • Hold funds from sellers until an exchange is complete. That is, once the recipient receives the goods. This can limit chargebacks or stolen funds
  • Categorize sellers per your risk categories. For those with a good record, you may consider releasing funds straight away
  • Avoid card testing attacks by adding new layers of verification during the checkout stage to verify that a purchase is legitimate

Risk management for account takeovers

Even with a strict, multi-layered verification approach, fraud may still occur within your software via account takeovers. An account takeover only requires a cybercriminal to obtain credentials; they then use already verified, existing accounts to commit automated fraud attacks.

Identify Risk

Identity verification can help to ensure only authorized sellers access their accounts.

  • Adhere to ID verification processes for every seller, and add a two-factor login stage to block automated progression
  • Set lockout periods for multiple failed attempts and alert account owners when a potential breach has been attempted

Monitor Risk

Establishing when an account takeover is occurring is important to stopping fraud in its tracks.

  • Monitor any activity that could be suspicious by flagging when a login is from an unusual location
  • Create alerts for when account activity is out of the ordinary, i.e. abnormal order size, frequency of orders, and review accordingly

Mitigate Risk

Reducing automated account takeovers involves understanding how these breaches are successful, and applying any learnings to your risk management plan.

  • Alert customers when you block an attempted account takeover. Use the opportunity to demonstrate security, but also to inform the seller on how to avoid future attacks
  • Send notifications when personal details associated with a user’s account have been modified in case of a successful breach
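
The account takeover controls listed above (lockout after repeated failed logins, an alert to the account owner, a flag on logins from an unusual location, and a notification when account details change), sketched as an added example; this is not code from the page or from Pi. The thresholds, event field names, account name and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy values; tune them to your own risk appetite.
MAX_FAILURES = 5        # failed logins tolerated inside the window
FAILURE_WINDOW = 300    # seconds
LOCKOUT_SECONDS = 900   # how long the account stays locked


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)   # timestamps of recent failures
    locked_until: float = 0.0
    known_countries: set = field(default_factory=set)


class AtoMonitor:
    """Applies lockout, new-location and profile-change rules to an event stream."""

    def __init__(self):
        self.accounts = defaultdict(AccountState)
        self.alerts = []  # (ts, account, kind, detail) to send to the account owner

    def _alert(self, ts, account, kind, detail):
        self.alerts.append((ts, account, kind, detail))

    def handle(self, event):
        ts, account = event["ts"], event["account"]
        state = self.accounts[account]
        if event["type"] == "profile_change":
            # Always tell the owner when personal or payout details are modified.
            self._alert(ts, account, "PROFILE_CHANGED", event["field"])
            return "notified"
        if event["type"] != "login":
            raise ValueError(f"unknown event type: {event['type']}")
        if ts < state.locked_until:
            return "locked"  # reject during lockout even if the password is correct
        if not event["success"]:
            state.failures.append(ts)
            while ts - state.failures[0] > FAILURE_WINDOW:
                state.failures.popleft()  # forget failures outside the window
            if len(state.failures) >= MAX_FAILURES:
                state.locked_until = ts + LOCKOUT_SECONDS
                state.failures.clear()
                self._alert(ts, account, "LOCKOUT",
                            f"{MAX_FAILURES} failed logins in {FAILURE_WINDOW}s")
                return "locked"
            return "denied"
        state.failures.clear()
        country = event["country"]
        if state.known_countries and country not in state.known_countries:
            # Unusual location: alert and require the second factor before trusting it.
            self._alert(ts, account, "NEW_LOCATION", country)
            return "step_up"
        state.known_countries.add(country)
        return "ok"


def run(events):
    monitor = AtoMonitor()
    outcomes = [monitor.handle(e) for e in events]
    return outcomes, monitor.alerts


def login(ts, success, country, account="seller-1"):
    return {"ts": ts, "account": account, "type": "login",
            "success": success, "country": country}


# Constructed sample events, not real data.
SAMPLE_EVENTS = (
    [login(0, True, "IN")]
    + [login(t, False, "BR") for t in (100, 110, 120, 130, 140)]
    + [login(200, True, "BR"),      # arrives during the lockout
       login(2000, True, "BR"),     # lockout expired, but location is new
       {"ts": 2100, "account": "seller-1", "type": "profile_change",
        "field": "payout_bank_account"}]
)

if __name__ == "__main__":
    outcomes, alerts = run(SAMPLE_EVENTS)
    print(outcomes)
    for alert in alerts:
        print(alert)
```

The login at `ts=200` is refused even though the credentials are correct, which is the point of a lockout period: a credential-stuffing run that guesses the password mid-burst still gains nothing.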

Your risk management options with Pi

Face risk head on with Pi – an ML-driven decisioning engine that serves as a fraud prevention layer for your business. Pi provides continuous risk scoring throughout the customer lifecycle, allowing you to evaluate your risk landscape, and modify your approach in real-time. The Pi platform creates dynamic risk scores and tiered experiences for each user on your platform, based on their behavior and profile.

Pi helps you flag unusual activity with automatic detection based on a set of established rules and policies. Whether it’s restricting settlement windows, setting money movement limits, or adding extra verification layers for certain users—Pi can strengthen your approach to mitigating risk.

Pi also continuously monitors users throughout each touchpoint, readjusting personal scores and recommending the right course of action as a user’s behavior changes. Risk is out of your control, but what is in your control, is your response. Take a proactive approach to risk and grow with confidence by creating the right experiences for the right users.

FAQs

What is meant by risk management?

Risk management is the practice of identifying, assessing, and mitigating risk across your organization. Risk management can be done at the micro level (department wide), or at the macro level (organization wide). Organization-wide risk management is also referred to as enterprise risk management, or ERM. This is when risk is approached strategically in line with business goals and objectives.

What are some examples of risk?

In the world of online payments, the three most common types of risk are credit risk, fraud risk, and the risk of account takeovers. Though risk can extend beyond these to other types of risk, like operational risks, the risk of a natural disaster, or compliance-related risks, etc.

What are risk management examples?

An example of risk management is holding funds from sellers that fall into a risk profile of concern. If there are signs that a seller on your platform is engaging in fraudulent activity, holding funds until you can verify their legitimacy is an example of managing fraud risk.

What are the 5 ways to minimize risk?

The 5 ways to effectively manage risk are: Identify risk, assess risk, prioritize risk, treat risk and monitor/review risk. 

What is the risk management process?

The risk management process refers to the way your company identifies, assesses, and mitigates risk. Depending on the type of risk, the severity of its potential outcome and your organization’s risk appetite, you may follow a personalized risk management process. However, a standard framework approach can be a good place to start.

What is the difference between risk management and risk assessment?

Risk assessment is a facet of the risk management process. While risk management is the ongoing process where your organization identifies, analyzes, and works to mitigate risk, risk assessment is a once-off and helps to surface any immediate risks facing your company right now.
