“What should I be looking for in my first Risk hire? Where do I even start?”
“What should our org structure look like for Risk?”
“Isn’t this just the same as Compliance?”
“How do I find Risk people that can operate in an early-stage environment?”
At SentiLink, we have a strong conviction that underlying every great Fintech product, there is a strong Risk team.
Here’s another way to think about it - if you sign up for a Fintech product, be it a card or an installment loan or a payment account, and you’re impressed by a smooth and low friction signup flow or the ability to transact quickly with a new card or credit line in hand, you should really be thinking “Wow, what a great Risk team."
Our goal in this post is to share some of our own experience in building Risk teams, and from partnering with the current generation of Fintech innovators.
Risk, the Fintech R&D Tradecraft
As is often the case with several jobs in the startup world, there’s no list out there that calls out the set of skills or responsibilities that a good Risk analyst or manager will cover. Unless the founders and early team at a Fintech company already have experience in the space, they may not know “what good looks like."
At the early stages of a new Fintech venture, it’s imperative that Risk is viewed as an R&D function, and usually that means that the early Risk foundation will need to cover aspects of:
- Product Management
  - Closely measuring and improving conversion funnel drop-off rates, transaction decline rates, takeup rates, and customer experience (dispute and contact rates).
- Analytics and Data Science
  - Building optimal decision-making systems in production code, usually a combination of a simple decision tree framework, predictive modeling, scoring and threshold setting, and monitoring of decision outcomes.
- Manual Review (often titled Risk Operations or Underwriting)
  - Manually reviewing potentially fraudulent applications or transactions, to tactically prevent loss events and to label specific instances of fraud to be incorporated back into application-level and transaction-level decision making.
  - Responding in real-time to organized fraud rings and attacks on the company.
- Ensuring that regulatory obligations unique to the product (i.e. FCRA, GLBA, BSA) are met when making account opening decisions and in monitoring and reporting of transactions.
  - This often involves relationship management with an issuing bank partner.
The area that many Fintech startups most overlook is the business value of starting a skilled and experienced Risk Operations Analyst team.
One or two strong analysts can provide a tremendous amount of “R&D” value to a Risk organization, as their deep and nuanced understanding of fraud investigative or underwriting techniques will:
- Inform user experience and product flows, as well as the choice of data vendors and solution providers that can help strike the right balance between fraud loss risk and conversion funnel drop-off rates.
- Create labeled data that data scientists can use for statistical models, rule backtesting, and other expert systems designed to replicate what a human analyst would infer.
Another trait that we find in good early-stage analysts is the ability to automate their own work with some basic analytical and technical skills. The ability to write and run basic scripts and write SQL queries (to find and display the data they need to do fraud investigations, surface trends, create dashboards, and backtest a decision rule’s impact) will have a tremendous impact on an early-stage environment and reduce the load on other teams.
No matter how you set up a Risk org, we believe that deep human-analyst investigation, data science decisioning systems, and product management intuition are the core activities that, in combination, enable smart Risk decision-making at scale.
Setting up a Risk Org
Another common question that startups have around Risk is how to properly set up a Risk team. We’ve seen a few options out there, and we’d preface that in a high-growth startup, organizational structures and design can change every 6 to 18 months - what works at one stage of a business may not work later on as product or revenue business lines start to become more well-defined. And sometimes organizational patterns at startups simply align with who the strongest executive leaders and managers are within an organization.
Here are some options we’ve seen in early stage companies:
1) Create an independent Risk function that includes both analytics and operations. This is our most common recommendation, if we are pressed on our preferred org structure.
- The main benefit of this model is that it can create clear ownership over losses and user experience especially when it comes to things like application conversion rates and risk-related user experiences.
- Another major benefit is that this independent Risk functional model lends itself better to scaling past the 100 employee mark, as this will likely be a familiar setup to any potential senior Risk executive or Chief Risk Officer type of hire.
- The biggest downside to this organizational model is that it can potentially create an insular Risk organization, especially if the rest of the company views Risk as simply a “modeling team” or a “loss prevention” team. The early leadership needs to establish themselves as “big picture” stewards of the business that can communicate well across product, growth, compliance, and technical teams.
2) Group Risk with a related functional group such as Compliance, Analytics, Operations, or Engineering.
- The most common variant of this we’ve seen has been combining Risk with either Compliance or Analytics.
- We believe this is a viable option and may make sense simply for resourcing purposes, as often Risk overlaps with other functions in some capacity.
- However, we do find it exceptionally rare to find an executive in Operations (or Compliance, or Analytics, or other functions) who is adept at the balancing act of managing Risk manual review teams and analytics, while also having the mandate to do data-driven risk product management in the way that an independent Risk org can do.
3) Don’t create a Risk organization at all:
- This is a viable option, so long as the key interrelated activities outlined above (collaboration of manual review, product management, analytics, and compliance) are built into day-to-day operations in other functions.
- But ultimately, this is just kicking the can down the road - if you’re in SMB or consumer financial services, we wouldn’t suggest doing this unless your team is < 10 people.
- This model might make sense if the founders and executive team already have a background in Risk, exceptionally strong intuition in this area, or as a temporary measure.
- The downside of this is that it might be difficult to assign ownership of losses, conversion rates, and product development while keeping the big picture in mind. This will reduce the Risk R&D value of the company in the long run.
Common Scaling challenges
No matter what organizational structure you pick, we’ve seen a few common friction points and challenges in high-growth Fintech Risk orgs.
- Ownership of losses in new markets or new products.
  - Often a Risk org will need to manage losses across new products, but may be resource-constrained or limited in their ability to influence every detail of a new product or business unit’s launch. This especially happens when new risk resources are not added commensurately with adding new products.
  - Our favorite way to manage this type of natural internal conflict is to make product managers or general managers accountable for owning the risk metrics (such as losses) associated with their new products or business lines.
- Expectation that a Risk team focused on fraud losses and decisioning systems will also cover Compliance Operations, and vice versa.
  - Usually, the type of investigative work required to solve a tough identity fraud or synthetic identity case, design an application flow, or backtest a transaction decline rule to stop product abuse or losses, requires a different sort of problem solving and investigative approach than one focused on clearing OFAC hits, monitoring of transactions for potential money laundering, terms of service violations, and explaining risk procedures to bank auditors or issuing bank partners.
  - Our general view is that as a Fintech company scales through its early and mid stages, having independent Compliance and Risk analysts (particularly in the realm of manual review operations) will help better manage the eventual transition into some of the more structured compliance and enterprise risk management functions that are required at later, pre-IPO stages.
- Risk Operations becoming dominated by “Operations” versus “R&D”.
  - In any Risk org that is involved in making application and transaction decisions, there will be some “manual work” required (such as calling applicants as part of validating application information, or conducting an investigation for the sole purpose of responding to a customer dispute, usually under a time constraint).
  - Unfortunately, the type of Risk analyst who enjoys discovering and investigating new and innovative forms of fraud will be bored and disengaged if solely tasked with this type of operational work, and the organization loses the R&D benefits of this type of analyst.
  - One tactic that we like for addressing this challenge is to put “operational” Risk work on a round-robin schedule, where 1-2 risk analysts per week take on these operational tasks, to free up the remainder of analysts to focus on fraud investigations, model-building and labeling for data scientists, etc.
Finding scalable Risk team members for the early-stage environment
Finding Risk talent that is comfortable with the ambiguity and pace of an early-stage startup environment can sometimes be a challenge, especially if your sourcing pool tends to draw from more mature risk teams (such as banks). We’ve found that the best early risk analysts and leaders at Fintech startups tend to have these qualities:
- Product sense - In this context, we mean a risk analyst who is empathetic to what the customer experience looks like, and can propose specific user flows and solutions that balance fraud risk with the customer experience. This type of risk leader is also adept at communicating their goals and ideas with other teams, and can keep the “big picture” of the business in mind, just as you would expect from an entrepreneurial product manager.
- Data literacy - While experience as a data scientist or an advanced mathematics degree is not necessary unless actually operating as a Risk data scientist, we do find that risk managers and analysts who are comfortable with automating aspects of their own work, or using data to answer their own questions and investigations, tend to provide much more value than a risk analyst who relies on data to be served to them in a pre-built case management interface.
- Risk family tree - Given the craftwork of Risk, there’s an element of “apprenticeship” that you’ll often find from great organizations who had to innovate in fraud in order to survive. This type of talent tends to spin off in clusters to either start their own companies or start their own risk teams. Examples of such family trees that come to mind include descendants of early PayPal or Uber risk/fraud teams. Outside of tech, we are also huge fans of alums of Capital One’s business analyst program.
If you found this post interesting and want to take a deeper dive into the topic of building teams and organization at high growth startups in general, some of our favorite content includes:
SentiLink is publishing a series of articles and webinars on the craftwork of Risk in high growth startups: best practices, organizational design and hiring, benchmarks, and insights we’ve seen from the most successful Risk teams in Fintech.
This content is designed to be a helpful guide for early stage FinTech entrepreneurs and operators as they scale their startups to their first 100 employees. We would love to hear if there are specific topics you’d like us to cover.
Vivek Ahuja’s background in Risk at high-growth Fintech companies includes risk product management at Marqeta, credit and fraud risk management as Affirm’s head of Merchant Risk, and as the co-founder leading anti-fraud efforts at Xendit.