identity risk, many data elements are dependent on other elements to be of profiling value. This leads to cross-correlation between elements like SSN and DOB, DLN expiration and DOB, etc. Profiling must also consider the relative importance of each data element or combination in terms of its contribution to describing risk.
Priorities are dependent upon the vulnerabilities of the institution and its processes. It is also important to understand how negative and positive returns impact risk. For instance, detecting a valid SSN doesn't necessarily mean the absence of ID fraud. Conversely, the detection of a mismatch between a DOB and an SSN issue date does not prove that ID fraud exists.
Profiling is an important function in enterprise risk management. It can be applied to many parts of an entity's operations, like:
Customer Risk is usually the most frequent focus for profiling. Identity factors for an individual can be verified to a variety of depths using both private and public sources. There exists broad experience with screening individual identity factors for immediate decisions, like new account approval. However, the information gathered in screening is used far less often to develop a risk profile for an existing customer. Such profiling should be maintained continuously as changes occur. The CIA and FBI conduct very aggressive enrollment screening as well as periodic follow-up review. Nevertheless, virtually every case of espionage in these organizations can be traced back to a change in lifestyle resulting from basic events like change in health, divorce, financial need, etc. This is why continual risk profile maintenance is critical to detecting changing risk.
Business Risk measures different characteristics from individual risk. The Bank Secrecy Act, for instance, spells out numerous concerns for the type of business, its location, its international relationships, the past history of owners/principals and types of financial services that are being used. The same type of profiling can be applied to other businesses, although the risk characteristics will change. For example, the risk profiling for a hospital would be different from that of an investment broker. Profiling is a powerful tool for "targeting" other waste, fraud and abuse detection processes.
Enterprise Risk is focused internally on the vulnerabilities of the collective processes within the enterprise. These vulnerabilities may include physical security, data and communications security, systems and process security, and personnel security, among others. Some government regulations like Sarbanes-Oxley require certain industries to conduct self-assessment of risks, particularly relating to the Safeguarding of Privacy Information. Profiling of the different risk categories provides a roadmap for both risk management and strategic planning.
Employee Risk is always a consideration in any operation. Where there is value that can be acquired and sold from within the organization, employees must be monitored for their potential risk. In addition to the usual efforts by HR organizations to hire the best employees, there should be a risk profiling process that considers the characteristics of each employee as they relate to vulnerabilities and risks. Such profiling can be a major aid in quickly detecting the possibility of internal involvement in waste, fraud and abuse cases.
FRAUDetect has developed a risk profiling process that is flexible to different applications and which can be adapted to the needs of almost any organization.