#41 - When NOT to act fast in risk management

As risk managers, we are expected to be decisive.

We are expected to cut through the noise, the uncertainty, and use the evidence we do have to act now, and act fast.

Woke up to a 10% increase in declines? You need to solve it today.

Got a chargeback file three times bigger than usual? CEO wants a briefing this evening.

We’ve all been there.

That’s the meaning of risk management.

But here’s the thing: we are so conditioned to make decisions with incomplete data that sometimes we do it when it’s not necessary.

And then we make unnecessary mistakes.

I take on risk when the cost is imminent

Let’s start with when you actually need to take risks.

It is actually quite easy to tell. When inaction would be more costly than making a mistake, take action.

Here’s an example:

Your team just notified you that your business is under a fraud attack. You basically have two options.

Option 1: Hit the panic button and switch your decision strategy to strict (higher friction, lower decline thresholds), then start researching how to solve the attack with higher accuracy.

Option 2: Avoid changing the user experience, and research the long-term solution while the fraud ring remains active.

Side Note: Let’s assume that in both cases it would take you the same time to identify, build, test, and deploy a solution. But my experience shows there are two types of teams: ones that work faster when there’s a sense of urgency, and ones that make more mistakes when that’s the case.

Without getting into the actual dollar formulas, it’s clear that the math is quite simple. What would cost you less? Higher losses, or lower losses with some lost business?

In most cases, Option 2, especially if temporary, would likely cost more.

And so even though you don’t know how much time it’ll take or what would be the performance of the new solution, it’s easy to make that decision.

I avoid risk when the cost is pending

Other decisions should work completely differently, especially when the cost is still a probability and not a certainty.

The best example is when onboarding a suspicious new customer to your business.

Onboarding a fraudster in and of itself doesn’t create an immediate financial loss. Unless we’re suspicious of promo abuse, it’s likely only the first step in the fraud attack.

Only after a successful signup–and sometimes aging the account–will the fraudster drive actions that really create financial exposure: running stolen cards, accepting fraudulent payments, engaging in scams/money-muling, and the list goes on.

But at signup? We haven’t lost a single dollar.

And yet, every single week I come across teams that feel the urge to make a risk decision at that point:

This is either a fraud case and should be blocked right away, or it’s a legitimate user and they can do whatever they please on our platform.

This is a sure way to have both a terrible onboarding user experience and fraud slipping through the cracks.

But why? Why act with urgency when you risk no cost?

A better way to handle it would be to let suspicious accounts sign up, track their behavior, and see if they indeed engage in fraudulent activities.

Once they are about to create financial exposure for your business–taking a loan, paying a high amount, receiving more than X dollars–then, and only then, you need to make your decision.

And the best thing?

Not only are you likely to improve your overall figures, but you’re also turning the risk of exposure onto the fraudsters themselves.

Think about it: the more opportunities they get to engage with your product without creating loss exposure, the more opportunities they have to get sloppy.

Not switching their VPN to a new IP address. Forgetting to refresh their cookies after signing up to a different account. Adding new compromised identifiers (e.g., email, phone, physical address).

Given time, all fraudsters make mistakes. And while they’re not creating immediate risk, we should give them that time.

This will not only help you make better risk decisions on these accounts, but will likely expose other accounts that have shown activity from the same identifiers.
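One way to implement the deferred decision and identifier linking described above, as an added example that is not the author's code. The identifier kinds, the sample accounts and events, and the rule "decline at exposure when any linked account is confirmed fraud" are assumptions made for illustration.

```python
class AccountGraph:
    """Links accounts that share any identifier (union-find over accounts)."""

    def __init__(self):
        self.parent = {}              # account -> representative of its cluster
        self.owner = {}               # (kind, value) -> first account seen using it
        self.confirmed_fraud = set()  # accounts already confirmed as fraud

    def _find(self, acct):
        self.parent.setdefault(acct, acct)
        while self.parent[acct] != acct:
            self.parent[acct] = self.parent[self.parent[acct]]  # path halving
            acct = self.parent[acct]
        return acct

    def observe(self, acct, kind, value):
        """Record an identifier seen on a no-exposure event (signup, login, ...)."""
        root = self._find(acct)
        first = self.owner.setdefault((kind, value), acct)
        self.parent[self._find(first)] = root  # merge clusters on a shared identifier

    def linked(self, acct):
        root = self._find(acct)
        return {a for a in list(self.parent) if self._find(a) == root}

    def decide_at_exposure(self, acct):
        """Called only when the account is about to create financial exposure."""
        hits = self.linked(acct) & self.confirmed_fraud
        return ("decline", sorted(hits)) if hits else ("approve", [])


# Constructed sample events: (account, identifier kind, value)
EVENTS = [
    ("acct_A", "ip", "203.0.113.7"),
    ("acct_A", "email", "a@example.com"),
    ("acct_B", "ip", "198.51.100.20"),
    ("acct_B", "cookie", "ck-91"),
    ("acct_C", "ip", "192.0.2.44"),
    ("acct_B", "ip", "203.0.113.7"),  # VPN not rotated: links B to A
    ("acct_D", "cookie", "ck-91"),    # cookie not refreshed: links D to B
]

def build_graph(events=EVENTS):
    g = AccountGraph()
    for acct, kind, value in events:
        g.observe(acct, kind, value)
    return g
```

With only the first five events (roughly what is known at signup), `acct_B` has no link to `acct_A`; the link appears only because the accounts were allowed to keep generating events before any exposure.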

How do I know when to make a decision?

Here’s the thing: yes, as risk managers we are asked to make decisions in an uncertain environment.

But that does not mean we can’t create favorable conditions for us to make decisions by balancing data completeness and financial exposure.

It’s not about being fast. It’s about being timely.

And this isn’t only relevant to case decisions. We see it repeating in every aspect of our work. A great example is developing new risk features.

Fraud teams often see such projects (vendor selection, new model training, data integration) as zero-sum projects. “We either have it or we don’t”.

Instead, fraud teams need to adopt an engineering mindset when approaching, well… engineering-dependent tasks.

Running trials, hacking MVPs, researching messy Excel files - these are all activities that can create substantial immediate value and de-risk investments.

But just as well, sometimes the best thing you can do is… do nothing.

Sometimes it’s about recognizing that taking action is more risky than inaction.

So how do we know when to make a decision and when not to? Here are the guidelines I use:

Take action now if you see some of the below:

  • Real financial exposure

  • Inaction would not yield more data

  • Low cost/effort will yield substantial data

  • You’ve faced/solved this situation many times before

Delay action if you see some of the below:

  • No imminent financial exposure

  • Inaction would enable data collection

  • You’re facing a challenge for the first time

Or in other words:

Take small risks to get more data.

Take big risks only when you are exposed.

What risk decisions have you delayed where it turned out to be the right idea? When did it end in catastrophe? Hit the reply button and share your story.

In the meantime, that’s all for this week.

See you next Saturday.

