Guide to Risk Operations (RiskOps)

RiskOps, or Risk Operations, is just as important a field as it is misunderstood. Let’s clear things up here.

At some point, every successful company has to analyse, understand, and deal with risk. In fact, according to a report by Ropes & Gray, 69% of executives lack confidence that their risk management policies and practices are solid enough to meet future needs.

The problem is that the term risk is so general and vague that it can become meaningless. In fact, one of the biggest challenges in understanding RiskOps is that everyone’s idea of risk may be different – even within the same organization.

This is why it’s more important than ever to agree on a definition for the terms. Let’s start by explaining what we call RiskOps, or Risk Operations.

What Are RiskOps or Risk Operations?

RiskOps, short for Risk Operations, is the collection of practices, processes and tools that are designed to assist a company’s goals safely and effectively. Under a RiskOp model, traditional risk management operations are no longer siloed, regardless of where the risk appears.

Who Deals With What Type of Risk at a Company?

Traditionally, risk management is segmented at various levels.

• Marketing: where teams might have to battle ad fraud or affiliate fraud.
• Reputation and branding: content managers or PR companies combat reputational risk whether it’s direct (due to actions by the company itself), or indirect (due to the actions of employees and executives).
• Transactions and payments: any company that accepts online payments will have to fight transaction fraud and chargebacks.
• System/disaster recovery: network security, infosec and even disaster recovery are designed to protect data misuse, theft or corruption. These processes could also fall under the umbrella of risk operations.
• Finance: at the payout level, we have audits, inventory and compliance risk management.

The Challenges of RiskOps

But you also have to understand where risk experts are needed at a granular level. In fact, companies often fail to see that a lack of communication between risk specialists may lead to gaps in knowledge, data silos, or misaligned incentives which could cut into the company’s revenue. 

What Is the Difference Between RiskOps and Trust & Safety?

The term Trust and Safety is increasingly favored by companies dealing with customers. In the words of Jacqueline Hart, Trust and Safety officer at Patreon:

“When I worked at PayPal, I had a boss who told me “people don’t like hearing from the fraud department”. That’s the first time I heard anyone use the word “trust” and “safety”. It’s a gentler way to approach customers. Because, honestly, if you get a note from the fraud team, the first thing you do is freak out.”

Moreover, the terms “fraud” and even “content moderation” conjure up images of the banking world, which many customers may feel uncomfortable about. 

Wherever a company creates a platform where people interact, you’re more likely to find the term Trust and Safety than Risk Manager. This is true of companies such as eBay, Airbnb and Twitter, amongst others.

Last but not least, Trust & Safety tends to be more policy-driven. Those in charge will create policies designed to create a certain user culture, all while bringing maximum business returns in the safest way possible. RiskOps officers, on the other hand, will focus on big picture trends and the latest technological advances leveraged by bad agents.

Examples of positions that may fall under both RiskOps and Trust & Safety include:

• Escalation agent: In charge of monitoring and dealing with incidents that could threaten the safe functioning of a company’s online operations.
• Investigator, or threat analyst: Someone with an analytical mind who will preempt threats, usually in public spaces – overlapping with health and safety roles.
• Law enforcement response: Someone dedicated to interfacing with law enforcement to resolve incidents and to handle legal requests.
• Trust and safety engineer: More of a technical position related to IT, where developers are tasked with translating policies into website rules that should protect a company’s customers.
• Fraud analyst: The position we are the most familiar with here, which typically identify problematic data and examine larger fraud trends within a company.
• Product risk specialist: A position specifically focused on the risks presented by a company’s products, usually to limit customer exposure to unpleasant or illegal material. 

What Are the Core Skills Needed for RiskOps?

Still, RiskOps experts must also possess enough technical know-how to understand, for instance:

• How data is collected, analyzed, and how it connects that data to concrete, real-world usage of your company’s goods or services.
• How different business departments connect with each other, especially where risk overlaps between two or more.
• A full understanding of the business model, with a strong focus on payments and money flows.
• An affinity for the products, goods or services that the company provides, and a creative mind to imagine how fraudsters or cybercriminals would attempt to exploit it.

As Janis Tjarve, portfolio credit risk manager at Sun Finance, one of the fastest-growing lending companies in Europe, put it:

“It’s very good to have a structured approach to anything we do. This scientific background really helps me and my colleagues with a similar background. We have a lot of people with heavy maths and statistics backgrounds in our team.”

What Does a RiskOps Career Look Like?

As it stands today, there’s no playbook for learning to become a risk manager. We see people enter RiskOps from different fields, bringing their unique skills and point of view:

• Some will start in customer service, and develop a keen eye for fraud patterns that are contested by users.
• Others come from the payment world, where they similarly get a sense of what appears fraudulent or not by establishing patterns.

An example, from Dave Parrott, Payments Services Director at Jagex:

“Everyone who’s ever been in the team has come from our customer service department. We’ve always sourced from that because those people learn the game, they learn our customers, they learn about how people interact with the product. They quite quickly get an idea of what is normal, and then can quite easily pick out what isn’t.”

Inversely, understanding risk on the macro scale also serves as an entry point to the tech industry, where people branch off into different areas of specialization and acquire skills accordingly (transferring to payments, network security, or quality assurance).

Examples of departments that may that fall under the RiskOps definition include:

• BCP/Disaster Recovery 
• BSA/AML 
• Chief Compliance Officer 
• Chief Data Officer 
• Culture & Conduct 
• Emerging Risks 
• ERM for Community Banks
• ERM for Large Banks 
• ERM for Mid-Tier Banks 
• ESG 
• Fair Lending Analytics 
• Fraud Risk 
• Incentive Compensation 
• Privacy Risk 
• Technology Risk 
• Third-Party Risk Management
• And more…

What About Dedicated Training?

From the point of view of an L&D or HR department, RiskOps may be the point of entry for a non-technical role, which will still need to specialize and learn the ropes of a particular department.

This means preparing for highly technical internal training that targets initially nontechnical people. Some techniques, such as shadowing the heads of departments, are always a good bet, for instance for learning the most common fraud prevention terms.

More importantly, a key point is that risk officers need to be supported at a high level. As Jacqueline Hart from Patreon put it:

“We hope to be part of the conversation, because in tech companies and startups there tends to be a lot of quick movements. Product managers and products are going out so quickly that you need to have a voice at the table. And if you’re seen as a blocker, you don’t get invited until the very end of the party. So let’s think about how people are going to abuse the system before it happens.” 

What Are the Tools of the Trade?

While there is no one-size-fits-all suite of tools for RiskOps, a key few elements should be common across all companies:

Strong project management tools: These are a must-have, but particularly important where a big picture view of operations is needed.

Team management features: Combating risk is never a one-person operation, and ensuring everyone on board has the right permissions, communications channels, and tool-sharing opportunities is a must.

Automation and productivity features: When processes need to be checked hundreds or thousands of times a day, it’s important to know that your tools can be stringed together for maximum productivity, and reduce the amount of time spent performing manual reviews.

Security features: RiskOps should meet a certain level of security when it comes to data protection, for instance, meeting those required by the ISO270001 certification, or for GDPR and fraud detection.

Modular tools, easy integration: When risk management becomes a business decision, there is often a clash with the IT department over complex integrations and operational downtime. We believe this should be a concern of the past, thanks to advances in modular risk management software & technology, and short integration time frames.

Please see this article for more information on how to choose the right fraud management system.

Leveraging Risk Tools to Create KRIs

All the aforementioned tools should be used to create KRIs (Key Risk Indicators), or metrics designed to measure risk. Of course, like their closely related KPIs (Key Performance Indicators), you can use them to assess how effective your risk management strategies are in the long run.

Examples of KRIs could include: 

• Financial KRIs such as larger industry trends, economic downturn or regulatory changes.
• People KRIs such as a high staff turnover, low employee satisfaction, or recurrent headhunting from competitors.
• Payments KRIs: transaction fraud rates, chargeback percentage, false positives, etc…

A concrete example would be launching a brand new marketing campaign based on the pay-per-click model. The practice may be commonplace these days, but it doesn’t mean it’s completely safe. Anyone familiar with fraud prevention, for instance, would be able to tell you that fraudulent affiliate networks abound. 

In fact, it’s something a company like Uber found out the hard way, as in 2019, their marketing campaigns had not factored in the risk that some unscrupulous publishers would push their ads as “nonexistent, nonviewable, or fraudulent advertising”.

The practice of buying fake clicks, injecting cookies into websites, or even superimposing multiple ads on top of each other all help boost volume, but actually incur a lot of risks that many marketers might not be aware of. 

This is a fantastic example of where a RiskOps team could have researched and preempted risk, and established KRIs to measure the success of a marketing campaign – which demands specialist knowledge of affiliate and ad fraud.

Recognizing RiskOps as a Field of Its Own – And Building the Right Products for It

At SEON, we’re proud to deliver products designed by risk managers, for risk managers. We are very aware that legacy fraud protection tools, for instance, may rely on stale data or shared lists, which can be detrimental to a company’s fraud-reducing goals. 

Our key motivation is to deliver tools and features that make measuring KRIs easier than ever, and to combat fraud on all fronts at your company, whether it’s to minimize bonus abuse, account takeover andmulti-accounting or to combat high chargeback rates.

We also understand that there is no playbook yet for a RiskOps career and that the field needs to be independently recognized – both to help train the right talent and to ensure a company’s success in our modern, increasingly risky online landscape.