Risk Modeling and Assessment
Risk modeling is a process that can be applied in any number of environments or business situations, including investments, operations, e-commerce, insurance, and fraud.
Risk modeling uses techniques and analyses, appropriate to the circumstances, to determine the nature and severity of risk and the methods that can be brought to bear to mitigate exposure to or losses from identified threats.
The risk modeling process can help organizations determine the correct controls for the environment or operation, produce appropriate countermeasures, and design effective recovery activities.
Though it can be accomplished in a number of ways, one method of formalizing risk modeling is outlined by the following steps:
1. Identify Objectives
2. Survey the Operation, Process and/or Environment
3. Reduce the Operation, Process and/or Environment into Its Component Elements or Steps
4. Identify Potential Threats to Each Identified Element or Step
5. Identify Vulnerabilities of Each Identified Element or Step
6. Design Preventive Controls for Each Identified Element or Step
7. Design Detective Controls for Each Identified Element or Step
8. Design Corrective Controls for Each Identified Element or Step
Governments should assess their risk from a variety of fraud types, many of which are identified in the Tools by Business Area section of this ToolKit. Other types of fraud that affect governments are related to the nature of governments, the types of information they collect, and the requirement that much of what they do be transparent. Risk modeling must take these unique aspects of government into account.
Given the nature of data that governments collect and store, government databases are repositories of personal information. Beyond the fiduciary responsibility to protect confidential and sensitive data, governments must also comply with statutory and regulatory requirements to protect information. All governments must evaluate whether there are sufficient safeguards in place to protect personal information and to prevent identity theft or the misuse of information. Only authorized personnel should have access to sensitive data. Risk modeling can help identify potential weaknesses and suggest ways to strengthen defenses.
Trust is the currency of government. To maintain the public's trust, any breach of security or monetary loss must be revealed. Risk modeling can help identify potential problems before they occur.
While software tools are of great help in profiling and modeling, particularly in the area of statistical analysis, the adequacy of any risk model relies upon the judgment, knowledge and experience of the modelers.
Of the steps in the risk modeling process described above, steps 2 through 5 are generally referred to as risk assessment.
As with risk modeling, when performing a risk assessment, the organization, operations or processes under consideration are analyzed and potential threats identified. In many ways, this important undertaking is subjective, relying on the experience and expertise of those conducting the assessment. In some cases, probability and impact are quantified no more specifically than high, medium or low. In other cases, percentages are assigned to the likelihood of occurrence and dollars to the impact. In either case, the result is a table estimating the organization's exposure. This, in turn, can be used to focus resources on preventing, detecting or correcting the most potent threats. Various fraud schemes, like those listed in our Fraud Type Target Tab, are among the risks evaluated as part of this exercise.
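The exposure table described in this paragraph, as an added example that is not part of the original ToolKit: a small Python risk register that accepts either scale (high/medium/low ratings, or a yearly probability with a dollar impact), computes exposure as likelihood times impact, and ranks threats highest first so resources can be focused on them. The sample threats, the ordinal scale and the thresholds that turn a score of 1 to 9 back into a level are constructed assumptions, and the table refuses to mix the two scales because ordinal products and dollar figures are not comparable.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Ordinal scores for qualitative ratings (constructed scale for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Threat:
    element: str                   # component element or step being assessed
    threat: str                    # threat identified for that element
    likelihood: Union[str, float]  # "low"/"medium"/"high" or yearly probability (0..1)
    impact: Union[str, float]      # "low"/"medium"/"high" or dollar loss per occurrence

def is_qualitative(t: Threat) -> bool:
    return isinstance(t.likelihood, str) and isinstance(t.impact, str)

def exposure(t: Threat) -> Tuple[float, str]:
    """Exposure of one threat: (sortable score, human-readable rating).
    Qualitative: product of ordinal scores (1..9) mapped back to a level.
    Quantitative: likelihood x impact, i.e. expected yearly loss in dollars."""
    if is_qualitative(t):
        product = LEVELS[t.likelihood.lower()] * LEVELS[t.impact.lower()]
        level = "high" if product >= 6 else "medium" if product >= 3 else "low"
        return product, level
    if isinstance(t.likelihood, str) or isinstance(t.impact, str):
        raise ValueError(f"{t.threat}: likelihood and impact must use the same scale")
    if not 0.0 <= t.likelihood <= 1.0:
        raise ValueError(f"{t.threat}: likelihood must be a probability from 0 to 1")
    loss = t.likelihood * t.impact
    return loss, f"${loss:,.0f} expected loss per year"

def exposure_table(threats: List[Threat]) -> List[tuple]:
    """Rank threats by exposure, highest first, so resources go to the most
    potent ones. All rows must share one scale: ordinal products and dollar
    figures are not comparable, so a mixed table is rejected."""
    if len({is_qualitative(t) for t in threats}) > 1:
        raise ValueError("do not mix qualitative and quantitative ratings in one table")
    rows = [(t.element, t.threat, *exposure(t)) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample register for a benefit-payment process (not real data).
QUANTITATIVE = [
    Threat("Payment file transfer", "Vendor bank account changed by insider", 0.05, 400_000),
    Threat("Applicant database", "Bulk export of personal records", 0.02, 2_000_000),
    Threat("Claims intake", "Duplicate claims under stolen identities", 0.30, 60_000),
]
QUALITATIVE = [
    Threat("Payment file transfer", "Vendor bank account changed by insider", "low", "high"),
    Threat("Claims intake", "Duplicate claims under stolen identities", "high", "medium"),
]
```

Calling `exposure_table(QUANTITATIVE)` ranks the database export first ($40,000 expected loss per year) even though it is the least likely event, which is the point of weighting likelihood by impact rather than ranking on either alone.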