Once a Risk Manager, Always a Risk Manager

The only thing that is constant is change
Heraclitus shared that the only thing that is constant is change. The lessons of fraud detection and risk management are seeded in philosophy and logic.  While the implementations, methods and tools change, the essence of the crimes committed, or the methods to accomplish the crime are identical.

If you were a risk officer in the 1970’s and all you were doing is sift through reams of paper applications (say for mortgages), then you trained your senses to look for fraud in that medium.

For example, you would scan the incoming paper applications on a daily basis, and look for suspicious activity.  What is suspicious you may ask? anything that is out of the ordinary… in the world of statistics they are called Outliers.

Say that on average, a normal person applies for one mortgage every five years, and the average property price is $250,000.  An outlier would be a person applying for three mortgages in one year, and every property they apply for is worth $500,000.

Now, being an outlier does not always mean being a fraud.  For example, if a famous celebrity wishes to buy vacation homes in spots they frequent – they might as well come across your desk with many mortgage applications in one year.

The medium you would use though to sift through is paper, and yet, what you are looking for is not related to the medium.  Perhaps 500 years prior, if you were a risk manager for a bank in Florence, you would be inspecting mortgages and the medium would be velum.  And if you go back further in time, you may be inspecting clay tablets and so on.

You see, the medium of the data for the mortgage application matters little, as what you are looking for is buried in the data itself.  Only when we get to 1982, when the PC revolution began, we had additional data from the device that was used (instead of paper and ink) to add to the mix.  Nonetheless, the basics have not changed and a risk manager from centuries ago could use the same strategies that worked before.

Have you ever seen how lobsters molt? They get to the point that they are “trapped” inside their exoskeletons, and must abandon them to grow. The same goes for risk managers, who know the fundamentals of security (how lobsters behave), and in order to grow (with new technologies) have to shed their old selves and grow.

You have to molt, as technology and market conditions evolve…

However, during the molting phase, and right after, the lobster is very vulnerable. Quite frankly, it is the MOST vulnerable, and can be eaten by predators. Its exoskeleton is soft, its lying on the floor immovable, it is risking its growth with its own life. But, alas, there is no other way. It is not a choice for the lobster.

Many risk managers choose not to molt, as they are worried of the molting phase. It will be hard to do, will make them vulnerable as the new technology medium requires specialization. They may seem out of their element for a while, and out of their comfort zone. Many choose to avoid this growth pain, and rationalize it with “my team will know the details, and I will know the strategy.”

You should keep the fundamentals as your guiding principle, at all times. Fundamentals will not change with new mediums and technologies. At the same time, molting is the only way to become as proficient you are with the fundamentals, as with with the latest threats that are coming your way.

Fundamentals that don’t change

What are the fundamental anomalies a risk manager would look for?

1) Masquerade as a another real person (identity) to get a mortgage in their name

2) Masquerade as a few real persons (identities), and divert the spolis to one person (the crook)

3) Provide false information (including identity), so in case of a default, when the police comes knocking on the door they will find nothing, or someone else

4) Applying for more applications than one identity is allowed (say more than once per year)

5) Falsify the true nature of their creditworthiness, either by latching on to another identity or lying about their wealth

As you can see, for the most part, the data needed to ascertain if the application is legit or not, has little to do with the medium from which it came.  This is why learning Sun Tzu is so valuable, as the essence of risk management is a logical one, and what changes are the mediums we get the data from.

This rule has some exceptions, specifically with the advent of the phone system and the internet. You could add additional meta-data from the medium which was helpful in detecting deceit.  Should the caller ID (ANI number) show an area code of 212 (New York City), and the caller said they lived in Los Angeles, you could derive that something is suspicious.  With the advent of the Internet, additional meta-data became available like IP Address, which browser was used and so on.

So, we learned that you could be a risk manager if the data was provided to you, regardless of the medium it was captured with.  You would look for fraud within the data, and try to expose the anomalies.

Now, does it matter if the applications were for mortgages, credit, cards, bank accounts, university admission, social benefits or anything else?


There is little difference in these account types, and if you were a risk manager in one field – your skills could easily be ported to another.

More in chapter 4


Lobster molting video https://www.youtube.com/watch?v=9D-xfStc9nc

Leave a Reply

Your email address will not be published. Required fields are marked *