Security risks that financial institutions are exposed to are constantly evolving and changing. Online network connectivity combined with the perseverance and ingenuity of criminals ensure that financial institutions have to invest heavily in risk management systems for timely responding to potential fraud. Moreover, governments impose significant compliance regulations, such that even if a financial institution wanted to attempt to forego some security to reduce expenditures, compliance strictures ensure that reducing the investment in risk management is a challenging task.
Of course risk management is also more than just fraud detection and prevention, risk management also includes ensuring credit is not extended to a debtor deemed to be too risky to the financial institution or too risky according to compliance regulations.
Typically, a risk management system includes a scoring mechanism where a variety of factors are evaluated to produce scores. The factors and weighting mechanisms of those factors are regularly updated to improve the scores for purposes of accounting for new situations (new data points) or for purposes of accounting for better knowledge by an institution about known situations.
Risk management analysts develop rules relying on the scores produced by their underlying risk management system. These rules are used for determining, in real time, whether any given transaction should: proceed as requested, be flagged for manual inspection, or be denied.
Each rule can potentially raise one or more alerts for each transaction. A large financial institution can have thousands of transactions per minute. The alert rate for each rule is monitored closely by a financial institution because it should remain stable when the underlying scoring mechanism changes within the risk management system. That is, any given existing rule relies on a score (or score range) produced by the at-the-time existing scoring mechanism as a condition for whether or not to raise an alert within the risk management system. If the scoring mechanism changes to a different set of scores or range of scores, the existing rule condition should remain unchanged if the condition having the old score is properly updated to include the new equivalent score from the new scoring mechanism.
So, when a new scoring mechanism is deployed within a risk management system, a significant manual effort is undertaking to update each of the existing rules based on the new scoring values. If this is not done, then the alert rates will dramatically change and resources will be immediately diverted to discover what is occurring within the risk management system.