1. As a risk manager, when you first walk into a company, how do you go about identifying the risks that need to be managed?
It’s not your traditional onboarding experience, where you ease your way into the role — it’s pretty intense from the get-go. I’d say an essential place to start is to work with the company leadership to clarify the company’s goals and growth plans. Is the focus on a particular industry? Is it on a specific product? Is there a target customer count? The information derived from these questions will provide context on where you’re heading, not just what’s happening here and now. Once you know the company’s direction, you can start prioritizing.
It’s also important to conduct an enterprise risk assessment. This takes a holistic look at the company through the lens of many types of risks — for example, financial risk, macro-economic risk, or technology risk. It also includes risks specific to the company, like a product weakness or bug. We also consider what happens if there’s a downturn in our sector. Are there other companies on our platform or a cohort of companies that would be negatively affected? An enterprise risk assessment involves an interview with every engineering and product team. You need to understand the scope of the product, where the handoffs happen between other groups, weaknesses in the product or processes, and the movement of information and money. And then, you can identify areas of risk.
Lastly, looking at historical risk events, like a fraud event or credit loss scenario, helps you understand how your platform can be exploited. The circumstances leading up to the event can help you build systems of early-warning indicators of the type of profile, characteristics, and actions that might be included in future loss events.
2. How consistent and standardized are these risks, say, within the SaaS sector?
They can be very broad. It’s tough to find something that’s standardized. Within SaaS, there are companies focused on everything from finance technology to CRM to project management to human resources — all of which present an array of risk challenges. Look at Airbase, for example. We deal primarily with U.S. dollar payments in a B2B model. These payments alone have many different payment types, like wires, ACH payments, and credit card payments, which will have hugely different risk profiles. SaaS companies operating in B2C environments or, for instance, crypto payments, are dealing with a wildly different set of risks and regulations than those that Airbase faces.
In terms of common themes that pertain to fintech SaaS companies, you’re looking at credit risk, first-/third-party fraud, account takeovers, referral fraud, subscription fraud, and market risk, to name a few.
Almost every company moving sums of money will have a credit risk. For credit card companies, it’s probably the top risk that you will have to deal with because you’re lending a sum of money to a customer and hoping that they can pay you back.
One of the biggest things to think about from a risk perspective is that just because a customer/company is well funded, has a strong product, and is on an upward trajectory today, that doesn’t guarantee it will be the case forever. Measuring that potential downside and extrapolating the minute details that could hint at a company’s potential to head south — this is the beginning of a solid risk management foundation.
3. Are there good off-the-shelf models that can be purchased and used to measure and manage most company risks?
Yes and no. The dream for every risk manager is a one-stop shop that can inform you of every company, every transaction, every piece of information that is high risk or that is definitively bringing risk onto your platform. If that solution could then provide you with a choice of risk management strategies to reduce or eliminate the exposure, and that solution also made sense for all parties involved AND was fairly frictionless (oh, and without false positives), there would be no need for large risk teams. The reality here is that there is a big gray area in risk and there are not always clearly prescribed sets of actions to take to manage it or make everyone happy.
By nature, companies come from differing industries, have different business models, locations, size, and all have extremely different needs and distinct behaviors. A behavior norm for one firm or industry may be an early-warning indicator for a risk event in another. These companies will all interact with your product in a much different way. With that in mind, taking an out-of-the-box model and trying to apply it to a broad spectrum of industries is extremely hard.
On the flip side, risk vendors do know that there is a considerable number of objective signals that can be captured and flagged. In order to capture all potential negative signals, the models generally err on the side of caution. What this means is that implementing a model will tell you a portion of what you’re looking at is high risk, and a portion is low risk, both of which can be addressed automatically. The tricky part is that there’s this large middle portion that the model cannot classify as either low risk or high risk — and that requires human eyes on it. This is where the investment in strong risk teams comes in. These teams can manually review the flags, take the necessary follow-up actions, and improve the model and product based on the qualitative feedback they’re witnessing. Human intuition also comes in handy, and this is something that models do not possess.
4. Where are the deficits in these models?
It’s really time-consuming to adapt an off-the-shelf product to your unique business and then mold it into how your users interact with the product. There are plenty of configurations that go into adopting these models, and generally this will take precious bandwidth from many teams, including product and engineering.
Many risk models and vendors are offering no-code solutions, which is a welcome development in the industry. Someone like me can write all these rules, and then we have that running in the system in real time. On the flip side, rules need to be constantly updated based on emerging threats and trends. This can be fairly cumbersome, and the person who generates the rules has a great deal of responsibility to maintain accuracy and timeliness.
5. How important is it that risk models tie into existing software?
For 90% of risk models, they must fit in with your existing data and platform. As a risk manager, you want to capture every single piece of information from that event to have your model identified. So, whether that’s an IP, device ID, login, location, login time, or email, those are all automatically fed from your system into that model. If you were to manually input a few of those pieces of information, you might miss the critical element that ties it all together and allows the model to work.
For the other 10% of models, where you can manually input a few pieces of information and get a reliable answer, this is the minority. I would focus time on developing your own internal scoring and modeling systems instead of seeking them out. If the models aren’t plugged into your existing software, you run the risk of having a disconnected, siloed risk management system that isn’t operating in unison or leveraging all capabilities available.
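The triage pattern described in the answers above (editable rules in the no-code spirit, automatic handling of the clearly high- and low-risk ends, a manual-review queue for the gray middle, and events that must arrive with every signal) as an added Python example; this is not Airbase's code, and the rule names, weights, thresholds and the customer-profile fields `known_devices` and `home_location` are constructed assumptions for illustration.

```python
"""Three-way risk triage driven by editable rules (constructed example)."""
from dataclasses import dataclass, field

# The six signals the interview says must be fed automatically, plus two
# customer-profile fields (assumed here) that the rules compare against.
REQUIRED = ("ip", "device_id", "login", "location", "login_time", "email",
            "known_devices", "home_location")

# Rules are plain data, in the spirit of the no-code rule writing described
# above; names, weights and thresholds are illustrative, not Airbase's.
RULES = [
    {"name": "new_device", "weight": 25,
     "when": lambda e: e["device_id"] not in e["known_devices"]},
    {"name": "geo_mismatch", "weight": 30,
     "when": lambda e: e["location"] != e["home_location"]},
    {"name": "off_hours", "weight": 15,
     "when": lambda e: not 6 <= e["login_time"] <= 22},
    {"name": "free_email_domain", "weight": 10,
     "when": lambda e: e["email"].rsplit("@", 1)[-1] in {"gmail.com", "yahoo.com"}},
]
LOW, HIGH = 20, 60  # <= LOW auto-approves, >= HIGH auto-declines, else humans


@dataclass
class Decision:
    action: str  # auto_approve | auto_decline | manual_review
    score: int
    fired: list = field(default_factory=list)


def triage(event: dict) -> Decision:
    """Score one event and route it; the gray middle goes to manual review."""
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        # A partially populated event may lack the signal that ties the rest
        # together, so it is never auto-actioned.
        return Decision("manual_review", -1, ["missing:" + ",".join(missing)])
    fired = [r["name"] for r in RULES if r["when"](event)]
    score = sum(r["weight"] for r in RULES if r["name"] in fired)
    if score <= LOW:
        return Decision("auto_approve", score, fired)
    if score >= HIGH:
        return Decision("auto_decline", score, fired)
    return Decision("manual_review", score, fired)


# Constructed sample event: new device, foreign location, 3 a.m. login.
SAMPLE = dict(ip="203.0.113.7", device_id="dev-9", login="acme-admin",
              location="BR", login_time=3, email="ops@acme.example",
              known_devices={"dev-1"}, home_location="US")
```

Changing a weight or threshold in `RULES` or `LOW`/`HIGH` shifts how much of the traffic lands in the manual queue, which is the knob the risk team would tune as it reviews flags.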
6. What type of resources does it take to build risk management models in-house?
Without a doubt, the biggest resource required is data. Sometimes, the best way to identify risk at a company is to have the risk event happen on your platform or have that system exploited within your platform. That data gives you a way forward. You can tangibly build up your system and your mitigation framework. Ironically, sometimes having more loss instances can help to inform you where your biggest gaps are.
Aside from that, just understanding how your customers use your platform can be hugely beneficial. That can range from analyzing spend trends or how many bill payments are run each week, to how the customer interacts with their accounting profile. This information will give you a great idea of what is normal behavior on your platform vs what is anomalous behavior. And that’s all content you can feed into an in-house model.
Finally, a well-thought-out staffing strategy is important when building an in-house model. This would generally be composed of a data scientist writing the algorithm, software engineers to program automatic actions taken based on the model’s feedback, a product partner to help design, scope, and create functionalities, and a risk team to operate and improve the functionality.
7. What tends to be the more complicated aspects? (Getting data? Building the algorithms to measure risk? Creating the right reports to report on risk? Updating the model regularly?)
I would say quickly getting the data portion is the most crucial element. And the most challenging. If you’re a startup and don’t have a decade of operating experience, you don’t have the luxury of data at scale. It becomes a matter of time, or potentially going out and trying to buy that data. It takes a lot of work to identify the exact piece of data that will work.
8. Would you advise companies to build or buy risk measurement models?
It depends. There are good models that can be sufficient for a small company, especially if their exposures to risk are not that complex. There are also complex and highly developed models for different types of specialized risk measurement and management. Where it gets more complicated is for fast-growing companies or mid-market to early-enterprise companies. Models need data, and early-stage companies haven’t had time to collect meaningful sample sizes to feed into those models. And early-stage and mid-market companies haven’t had time to build out dedicated product and engineering teams to capture data and build models or fine-tune off-the-shelf models to fit their needs.
Most companies need to work with vendors who can bridge the gap between now and when they are actually at scale and have a dedicated team. The answer becomes a little bit easier for smaller companies because they may be able to manage risks competently with simple tools. As you grow as a company, not only do your risks become more complex, but increased awareness means more attention from those that might wish to exploit weaknesses in your systems.
Eventually, many companies will want to build out some or all of their models — moving through the in-between stage typically means a reliance on purchased solutions while investing in data collection.
An important part of risk management is to evaluate the cost-benefit of setting up systems and processes to monitor and manage every type of risk. Limited resources mean that we are always trying to gauge if some risks can be ignored and accepted as a cost of doing business. Paying for a vendor solution may or may not be worth it.
Senior Manager, Risk, at Airbase