Effective Risk Management: KPIs Vs KRIs (Key Risk Indicators)

by Bence Jendruszak
RiskOps, or Risk Operations, is just as important a field as it is misunderstood. Let’s clear things up here.
At some point, every successful company has to analyse, understand, and deal with risk. In fact, according to a report by Ropes & Gray, 69% of executives lack confidence that their risk management policies and practices are solid enough to meet future needs.
The problem is that the term risk is so general and vague that it can become meaningless. In fact, one of the biggest challenges in understanding RiskOps is that everyone’s idea of risk may be different – even within the same organization.
This is why it’s more important than ever to agree on a definition for the terms. Let’s start by explaining what we call RiskOps, or Risk Operations.
RiskOps, short for Risk Operations, is the collection of practices, processes and tools designed to help a company pursue its goals safely and effectively. Under a RiskOps model, traditional risk management operations are no longer siloed, regardless of where the risk appears.
Traditionally, risk management is segmented at various levels.
But you also have to understand where risk experts are needed at a granular level. In fact, companies often fail to see that a lack of communication between risk specialists may lead to gaps in knowledge, data silos, or misaligned incentives which could cut into the company’s revenue.
The term Trust and Safety is increasingly favored by companies dealing with customers. In the words of Jacqueline Hart, Trust and Safety officer at Patreon:
“When I worked at PayPal, I had a boss who told me “people don’t like hearing from the fraud department”. That’s the first time I heard anyone use the word “trust” and “safety”. It’s a gentler way to approach customers. Because, honestly, if you get a note from the fraud team, the first thing you do is freak out.”
Moreover, the terms “fraud” and even “content moderation” conjure up images of the banking world, which many customers may feel uncomfortable about.
Wherever a company creates a platform where people interact, you’re more likely to find the term Trust and Safety than Risk Manager. This is true of companies such as eBay, Airbnb and Twitter, amongst others.
Last but not least, Trust & Safety tends to be more policy-driven. Those in charge will create policies designed to create a certain user culture, all while bringing maximum business returns in the safest way possible. RiskOps officers, on the other hand, will focus on big picture trends and the latest technological advances leveraged by bad agents.
Examples of positions that may fall under both RiskOps and Trust & Safety include:
Still, RiskOps experts must also possess enough technical know-how to understand, for instance:
As Janis Tjarve, portfolio credit risk manager at Sun Finance, one of the fastest-growing lending companies in Europe, put it:
“It’s very good to have a structured approach to anything we do. This scientific background really helps me and my colleagues with a similar background. We have a lot of people with heavy maths and statistics backgrounds in our team.”
As it stands today, there’s no playbook for learning to become a risk manager. We see people enter RiskOps from different fields, bringing their unique skills and point of view:
An example, from Dave Parrott, Payments Services Director at Jagex:
“Everyone who’s ever been in the team has come from our customer service department. We’ve always sourced from that because those people learn the game, they learn our customers, they learn about how people interact with the product. They quite quickly get an idea of what is normal, and then can quite easily pick out what isn’t.”
Inversely, understanding risk on the macro scale also serves as an entry point to the tech industry, where people branch off into different areas of specialization and acquire skills accordingly (transferring to payments, network security, or quality assurance).
Examples of departments that may fall under the RiskOps definition include:
From the point of view of an L&D or HR department, RiskOps may be the point of entry for a non-technical role, which will still need to specialize and learn the ropes of a particular department.
This means preparing for highly technical internal training that targets initially nontechnical people. Some techniques, such as shadowing the heads of departments, are always a good bet, for instance for learning the most common fraud prevention terms.
More importantly, a key point is that risk officers need to be supported at a high level. As Jacqueline Hart from Patreon put it:
“We hope to be part of the conversation, because in tech companies and startups there tends to be a lot of quick movements. Product managers and products are going out so quickly that you need to have a voice at the table. And if you’re seen as a blocker, you don’t get invited until the very end of the party. So let’s think about how people are going to abuse the system before it happens.”
While there is no one-size-fits-all suite of tools for RiskOps, a key few elements should be common across all companies:
Strong project management tools: These are a must-have, but particularly important where a big picture view of operations is needed.
Team management features: Combating risk is never a one-person operation, and ensuring everyone on board has the right permissions, communications channels, and tool-sharing opportunities is a must.
Automation and productivity features: When processes need to be checked hundreds or thousands of times a day, it’s important to know that your tools can be strung together for maximum productivity and can reduce the amount of time spent performing manual reviews.
Security features: RiskOps should meet a certain level of security when it comes to data protection, for instance the level required by ISO 27001 certification, or for GDPR and fraud detection.
Modular tools, easy integration: When risk management becomes a business decision, there is often a clash with the IT department over complex integrations and operational downtime. We believe this should be a concern of the past, thanks to advances in modular risk management software & technology, and short integration time frames.
Please see this article for more information on how to choose the right fraud management system.
All the aforementioned tools should be used to create KRIs (Key Risk Indicators), or metrics designed to measure risk. Of course, like their closely related KPIs (Key Performance Indicators), you can use them to assess how effective your risk management strategies are in the long run.
Examples of KRIs could include:
A concrete example would be launching a brand new marketing campaign based on the pay-per-click model. The practice may be commonplace these days, but it doesn’t mean it’s completely safe. Anyone familiar with fraud prevention, for instance, would be able to tell you that fraudulent affiliate networks abound.
In fact, it’s something a company like Uber found out the hard way: in 2019, its marketing campaigns had not factored in the risk that some unscrupulous publishers would push their ads as “nonexistent, nonviewable, or fraudulent advertising”.
Buying fake clicks, injecting cookies into websites, or even superimposing multiple ads on top of each other all help boost volume, but they incur a lot of risks that many marketers might not be aware of.
This is a fantastic example of where a RiskOps team could have researched and preempted risk, and established KRIs to measure the success of a marketing campaign – which demands specialist knowledge of affiliate and ad fraud.
At SEON, we’re proud to deliver products designed by risk managers, for risk managers. We are very aware that legacy fraud protection tools, for instance, may rely on stale data or shared lists, which can be detrimental to a company’s fraud-reducing goals.
Our key motivation is to deliver tools and features that make measuring KRIs easier than ever, and to combat fraud on all fronts at your company, whether it’s to minimize bonus abuse, account takeover and multi-accounting or to combat high chargeback rates.
We also understand that there is no playbook yet for a RiskOps career and that the field needs to be independently recognized – both to help train the right talent and to ensure a company’s success in our modern, increasingly risky online landscape.
Bence Jendruszák is the Chief Operating Officer and co-founder of SEON. Thanks to his leadership, the company received the biggest Series A in Hungarian history in 2021. Bence is passionate about cybersecurity and its overlap with business success. You can find him leading webinars with industry leaders on topics such as iGaming fraud, identity proofing or machine learning (when he’s not brewing questionable coffee for his colleagues).