#88 - Duct tape beats a "perfect" vendor
The shit hit the fan. What do you do?
Holly Sandberg joined me on the latest TSFS episode (out now!), where we talked about the consequences of choosing the wrong fraud vendor.
She mentioned there’s one thing you’re not allowed to do - give up. Or, even worse, say “I told you so”.
Risk leaders should strive to make data-driven decisions.
But when the shit hits the fan, it’s time for some bubble gum and duct tape.
If you have all the data, it’s not a risk decision
Here’s the core paradox: if you had all the data in the world, there would be no risk. And if there’s no risk, what do we need risk managers for?
If you have all the data in the world, anyone would make the right decision.
Before you stone me to death, I’m not saying that data doesn’t matter, or that data-driven decisions are not the way to go.
I’m 100% in team “data-driven decisions.”
But risk managers, whether they like it or not, are forced into positions where data isn’t there. And they need to make a decision. A critical decision. Right now.
And that’s part of the job.
Eventually shit hits the fan. Eventually you’re caught flatfooted. Eventually you need to make decisions in low-certainty situations.
I don’t think that’s new to anyone. But what I see often is the effort to avoid such situations entirely.
If we only have the perfect processes. The perfect data environment. The perfect training. The perfect vendor (p.s. no such thing) - then we’ll be ready for anything.
I’m here to suggest something different.
Accept that it’s part of the job. Accept that it’s your role.
Instead of building the perfect scenario where you can never be caught off guard, you start accepting the reality that these scenarios are what you’re preparing for.
MacGyver mode
The easiest - and most insufferable - thing risk managers can do when the shit hits the fan is say “I told you so”.
I told you we need vendor X.
I told you we have issues in our data platform.
I told you we need more people.
I can go on forever. There are endless excuses. I know because I used them all myself many times.
But this gets you, your team, and your business nowhere. Taking the moral high ground never prevented a chargeback from arriving. At least not that I know of.
So what do I expect of myself in such situations?
There’s this famous scene in “Apollo 13” that gets stuck in the head of anyone that ever watched it.
The astronauts are dealing with a life-threatening malfunction in their spacecraft, when a team of NASA specialists are on the ground trying to solve it.
They pour on a desk everything that is available to the space crew and say “We need to find a way to put a square peg in a round hole... using nothing but that.”
Holly had a different analogy for it when we spoke - “[you need to] MacGyver your way through what you've got.”
Your team operates off of Excel sheets? That’s what you’ve got.
Your fraud logics are hard-coded into the product? That’s what you’ve got.
You need to manually push chargeback pdf files so you can label fraud? That’s what you’ve got.
That’s the piece of gum and duct tape Macgyver always had hanging around. He didn’t complain about it being all he had, he just saved the day.
“But Chen, that’s no way to build a fraud system!”
Damn right it isn’t! But guess what, you’re not building a fraud system at that moment - you’re saving it.
The duct tape doesn’t need to hold for a year. It needs to hold for the next week or two.
Get the leak dealt with, get the organization to calm down, then talk about the long-term solutions and investments.
Not in the middle of a crisis.
There are two de-risking modes
I argued countless times that fraud prevention is a reactive discipline in nature. As much as we’d like to think that, it’s mostly impossible to prevent attacks that didn’t happen.
As such, what is the role of fraud strategy?
It’s about defining how the business can react efficiently and effectively when fraud attacks do emerge.
It’s about building the capabilities for the business to do it better.
It’s about building the capacity for the business to do it at scale as it grows.
And to do all of that properly, we need data. Especially after the first iteration of guesswork.
Actually, producing, processing, and managing data is one of the core pillars that fraud strategy needs to account for.
The more we build our stack and organization to be data-rich, the more we de-risk our business.
But that mode of operations should be reserved for our day-to-day, “business as usual” routine. When the waters are calm and the alarms are silent.
When the alarms go off, de-risking your business requires you to switch your approach to Macgyver mode.
And honestly, most risk leaders I’ve come across do that. Eventually.
The thing we can all get better with is how fast we recognize that the situation warrants this shift. This is where I failed in the past, and where I see most risk leaders struggle.
But hey, no one said it’s an easy job.
What’s the best MacGyver story you have? Hit reply and share, these are always the best war tales.
In the meantime, that’s all for this week.
See you next Saturday.
P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:
Free Discovery Call - Unsure where to start or have a specific need? Schedule a 15-min call with me to assess if and how I can be of value.
Schedule a Discovery Call Now »
Consultation Call - Need expert advice on fraud? Meet with me for a 1-hour consultation call to gain the clarity you need. Guaranteed.
Book a Consultation Call Now »
Fraud Strategy Action Plan - Is your Fintech struggling with balancing fraud prevention and growth? Are you thinking about adding new fraud vendors or even offering your own fraud product? Sign up for this 2-week program to get your tailored, high-ROI fraud strategy action plan so that you know exactly what to do next.
Sign-up Now »
Enjoyed this and want to read more? Sign up to my newsletter to get fresh, practical insights weekly!