Do government agencies dream of electric risks?
Risk management helps us out every day. When we cross the road, our natural neural network evaluates the situation, estimates the speed of a taxi driver racing through the yellow light, determines the probability of breaking a collarbone when falling off the hood of the car and offers a measure to minimize the risk - wait five seconds and then move forward. Threat processing is built into our genes, even if we usually call it something different.
But as soon as you mention "risks" in polite company, people start talking about investments, loan portfolios, methods of allocating bank capital and stress testing - all about finance. Yes, banks were pioneers in applying advanced risk analysis techniques. However, risks are not only about money.
Risk management is a universal management discipline that is applicable in any process where something happens, there is some expected result and there is a possibility that we will not get it. Simply put, almost always and everywhere. And in the work of state bodies too.
Why should the state engage in risk management?
From the point of view of a government agency, to manage risks means to detect in time a threat to the safety of citizens or to the order of things established by law, and to eliminate this danger. Or at least to reduce collateral damage: earthquakes, for example, are unavoidable, but if we get a forecast in time, we can evacuate the population, block the roads and take out the equipment.
Risks in the public sector and business are somewhat similar: these are certain threats that need to be found and eliminated. The fundamental difference between risk management in the commercial sector and government bodies lies in the measures taken. Business may abandon risk-related activities, but the state may not.
Suppose a bank does not like a prospective mortgage borrower: he applied to several financial institutions at once, was 3 days late with a credit card payment, and he looks untidy. The bank may refuse to issue the loan without giving a reason, simply to avoid the risk of bad debt.
If the tax authorities do not like the future general director of a company, but formally his papers are in order and there are no legal grounds for refusal, then the tax authority is obliged to register the legal entity. Even if by all indications this is a future "one-day" firm, and its head only yesterday "signed over" his previous firm to a village grandfather with a goat. The state can only observe the behavior of the suspicious organization and try to catch the violator for tax evasion in time.
This is what it looks like. Imagine: you are the owner of a company and must hire every applicant whose resume formally matches the vacancy. Even if you can tell from his psychological profile that he will destroy the team with his intrigues, will not work properly and will eventually carry half of the office equipment out of the office. All that remains is to observe, put turnstiles in the right places, keep the lockers locked and regularly check that everything is in order.
This can be unpleasant for the rest of your staff, who are friendly, hard-working and honest. They will have to put up with surveillance cameras and restrictions on their freedom. This is the reality of the public sector - the Ministry of Internal Affairs, the Ministry of Emergency Situations, customs, the tax service and all institutions with the words "control" or "supervision" in the title. Often they check everyone to find the few who break the law. For those who do not break it, this is painful. And for government agencies it is slow and expensive.
In a parallel world, almost everything is known about every citizen or organization, there are many law enforcement officers, and they know how to teleport. In such a world, risk management is not needed: every suspicious item, person or organization can be checked at any time. And no one bothers respectable citizens.
In our world, things are different: there are not enough employees, equipment or time. There are many objects of control and little meaningful information about them. It is necessary to squeeze the maximum out of the available data and try to detect violators before they migrate to a neighboring region or even to another jurisdiction. And honest people and companies suffer from excessive control.
Risk management is about exactly this: how, under conditions of uncertainty, to distribute the resources of an organization properly and to reduce unproductive losses of money and time. And since we are talking about state control, we also need to bother those who are clean before the law less.
In the language of squares, separate the wheat from the chaff:
What does SAS do?
If necessary, SAS employees immerse themselves in the client's subject area, rethink his approaches to work together with the customer and help to improve them. After a number of projects in Russia and around the world, we have formulated the concept of an analytical risk-based approach to control and supervisory activities. This is when the state does not waste time and money, but deals with those who are most dangerous for society or, as they say, for what is “protected by law”. Machine learning technologies help with this.
As presale director Julius Goldberg remarked in his article, SAS analyzed data before it became fashionable. We also worked on risk assessment methods for the needs of state bodies long before the current reform of control and supervisory activities in Russia, under which a risk-based approach is planned to be implemented everywhere.
We spoke at conferences and seminars at various levels about how analytics-based risk management helps the state machine work more efficiently. It is great that the state heard the business community (whether us or our colleagues is not so important) and decided to seriously engage in improving state control, including risk management among the priority reform projects.
The main provisions of the reform overlap with our vision, which is based on international experience.
Quote from the reform passport:
“… a new system of control and supervisory activities based on concentrating the limited resources of the state in the zones of highest risk, in order to prevent harm to values protected by law while at the same time reducing the administrative burden on bona fide business entities...”
“... a system for collecting objective data has been formed that makes it possible to record the harm caused automatically; a model for updating risk indicators and metrics for the “dynamic model” depending on changes in risk profiles has been implemented; a “dynamic model” of risk management has been implemented...”
“… a system of regular risk reassessment has been implemented, depending on the actual distribution of damage across risk categories (hazard classes), including with the use of technologies for working with large data arrays (Big Data)...”
(source)
I am glad that the state realizes the need to use solutions for working with Big Data for systematic risk assessment and speaks directly about this in one of the sections of the project’s passport. The scale of government tasks sometimes exceeds those in the commercial sector and requires the use of appropriate industrial solutions.
Effectively controlling all taxpayers or cross-border trade flows is not the same thing as deciding whether to grant a loan, even to a million customers of a large bank. In 2017, 4.4 million electronic goods declarations passed through the customs authorities of Russia, each containing from one to hundreds of line items that had to be checked for violations. At the beginning of 2018, according to the tax service, 4.4 million legal entities and 3.8 million individual entrepreneurs were operating in Russia. Let's not forget about the 73 million economically active Russian citizens, some of whom, in addition to personal income tax, also pay transport and land taxes.
Even though, according to the reform passport, in-depth analytics are to be introduced into state control only in 2020, the technologies are ready now. We have something to offer both in terms of methodology and in terms of specific software solutions. Rosfinmonitoring and Rosalkogolregulirovanie spoke at the SAS Forum in 2017 about how this works in the practice of Russian government agencies.
The description of our concept turned out to be extensive, so I divided it into 3 parts (today is the first):
- What is risk in government control.
- How machine learning techniques help analyze risks.
- What to do with risks once we have discovered them and how to turn this into a system.
To begin with - a pinch of theory.
What is risk in terms of state control?
According to ISO 31000-2018, which defines the framework for risk management, risk is the effect of uncertainty on an organization’s objectives. That is, risk is not necessarily bad. Simply because we do not know something, the result may deviate from the expected one, up or down.
From the point of view of a state agency that monitors compliance with the law, “good” should always be the default: the requirements of the law should be met, taxes should be paid, contraband should not be brought in, forests should not be logged in secret, crimes should not be committed. Deviations from the expected, if there are any, are only for the worse. Therefore, from the point of view of state control, risk is something related to an offense.
However, risk is not the violation itself. A fact cannot be managed: it has already happened. You can only manage what will happen in the future, which is not yet determined.
We can predict a potential violation only approximately, with some probability - this is the first important risk characteristic that helps to allocate resources properly. If in one part of the city the likelihood of robbery is 85%, and in another it is 35%, it is obvious where the police patrol should go (and this implies the use of analytical software instead of psychics in the basement).
But probability alone is not enough for taking serious measures: some violations are substantial and some are not. It is important to determine the amount of damage from a future adverse event. If a lone barn burns, it is sad, but it is not like a fire in an apartment building or a shopping center.
The ISO/IEC 51:2014 guide on safety aspects says: “risk is a combination of the likelihood of an adverse event and the damage from it”. The combination of these characteristics already gives us something concrete to manage and lets us allocate resources properly: people, equipment, money.
The official documents of the reform of Russian control and supervisory activities understand risk in state control in the same way. Although this definition has not yet been formulated anywhere in the legislation, it follows from the wording used, for example in Article 8.1 of the Federal Law “On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the exercise of state control (supervision) and municipal control”. Yes, this is also probability plus damage.
Where to look for risks?
Risk is characterized primarily by its area - a segment of the supervised activities of controlled entities (people, organizations) that is associated with a certain threat. Sometimes it is easier for state agencies to start from the object (an item, a product, a building), so that no one can accuse them of bias: a soulless object is not offended at being called “somehow wrong”, and it will not run to the prosecutor’s office with complaints.
For example, when importing goods from abroad, the importer must state in the declaration (and confirm with documents) the customs value of the goods, from which the customs payments will later be calculated. Sometimes importers cheat and understate the value in order to pay less in duties and taxes. The area of risk in this case is the declaration of customs value when importing goods.
Here are a couple of examples:
Usually, risk management goes from the general to the specific: determine the area of risk, that is, the specific activity where violations can occur (based on statistical data, experience or guesswork), then assess the risks within this area (identify them, determine their causes, conditions of occurrence, probability and damage), and then decide what to do with them. This works when the main characteristics of the violations are known: who commits them, when and why.
The reverse also happens: having found a violation, one determines the area of risk where it occurred, then “digs down” to an accurate description of the risk itself with all its characteristics and carries out an assessment. This is how it is done when searching for new, unknown patterns of crime.
How are risks evaluated?
There are two main approaches to this issue: static and dynamic. This is evidenced by the theory, practice, and official documents of the reform of the Russian control and supervisory activities.
The static (not to be confused with statistical) approach looks like this: bright minds gather around a round table, argue a lot, distribute the existing objects of control among “functional hazard classes” and approve the result by some departmental order or directive. For example, they form a list like this, in descending order of the danger of emergency situations:
- Class 1 - nuclear power plants
- Class 2 - residential multifunctional complexes
- Class 3 - buildings of trade organizations
- Class 4 - cinemas, residential buildings
- Class 5 - kiosks.
It seems to be all right. If a nuclear power plant blows up, no one will get off lightly - it is potentially a very dangerous object. Probably, you should immediately send all available inspectors to the nearest nuclear power plant and not let them out until they find all the violations.
But how often do accidents occur at nuclear power plants? The last time this happened anywhere in the world was at the Fukushima-1 NPP in 2011, 7 years ago (in Russia 43 years ago - in 1975). Alas, fires in shopping centers and cinemas happen more often: according to the press, large tragedies with victims have happened in Russia 8 times since 2005 (including the “Winter Cherry”), and in the spring of 2018 there were 3 large fires in shopping areas in just 2 weeks.
This is a disadvantage of the approach based on hazard classes: abnormal situations do not occur according to the standards that we have identified for threats. The world is too chaotic. The environment in which the objects of control are located is constantly changing, the objects themselves are also changing. What worked yesterday doesn't necessarily work tomorrow. In addition, a dangerous object is not necessarily an object with violations.
Another approach, which is applied in banks in particular, is dynamic risk assessment based on customer behavior (sometimes referred to as “behavioral” assessment). The likelihood of loan default is determined from information on the customer's payments on previous and current loans and on his activity. Very simply: if the client is late with another payment, the probability increases; if the payment discipline improves, it decreases.
The same applies in state control. The risk of incomplete payment of taxes can be regularly re-evaluated based on the submitted tax returns, the characteristics of economic activity and information from online cash registers. The risk of issuing invalid certificates of conformity can be re-evaluated based on the volume of documents issued by a certification center and on which testing laboratories and applicants it has worked with. And so on.
Dynamic risk assessment is preferable to static assessment for state control because, in the end, the state deals not with static objects, goods or documents, but with the persons who produce, import, create or destroy them. It is not things that commit violations, it is people. And behind each person there is a certain pattern of behavior. It is precisely this pattern that must be discovered in order to identify the risk and understand what it will lead to and when.
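The contrast between the static and dynamic approaches, as an added example that is not from the original article or from SAS. The object list, damage figures, inspection histories and the Beta prior are constructed assumptions, and risk is computed as probability times damage, which is one simple way to combine the two characteristics.

```python
from dataclasses import dataclass

# Prior belief about how often inspections find a violation, as Beta(a, b)
# pseudo-counts. Assumed values for illustration only.
PRIOR_A, PRIOR_B = 1.0, 4.0

@dataclass
class ControlledObject:
    name: str
    hazard_class: int   # static class from the list above, 1 = most dangerous
    damage: float       # assumed damage if an incident happens (arbitrary units)
    inspections: int    # past inspections
    violations: int     # past inspections that found a violation

def violation_probability(obj):
    """Posterior mean of a Beta-Binomial model over the inspection history."""
    return (PRIOR_A + obj.violations) / (PRIOR_A + PRIOR_B + obj.inspections)

def risk(obj):
    """Risk as the combination of likelihood and damage (here: their product)."""
    return violation_probability(obj) * obj.damage

def record_inspection(obj, violation_found):
    """Behavioral update: a violation raises the probability, a clean visit lowers it."""
    obj.inspections += 1
    obj.violations += int(violation_found)

def static_plan(objects, capacity):
    """Send the available inspectors to the highest hazard classes."""
    ranked = sorted(objects, key=lambda o: o.hazard_class)
    return [o.name for o in ranked[:capacity]]

def dynamic_plan(objects, capacity):
    """Send the available inspectors where the current risk is highest."""
    ranked = sorted(objects, key=risk, reverse=True)
    return [o.name for o in ranked[:capacity]]

def sample_objects():
    """Constructed sample data, not real statistics."""
    return [
        ControlledObject("nuclear power plant", 1, 1000.0, 40, 0),
        ControlledObject("residential complex", 2, 200.0, 10, 1),
        ControlledObject("shopping center", 3, 150.0, 6, 4),
        ControlledObject("cinema", 4, 80.0, 5, 3),
        ControlledObject("kiosk", 5, 2.0, 2, 2),
    ]

if __name__ == "__main__":
    objects = sample_objects()
    print("static :", static_plan(objects, 2))
    print("dynamic:", dynamic_plan(objects, 2))
    for o in objects:
        print(f"{o.name:20s} p={violation_probability(o):.3f} risk={risk(o):.1f}")
```

With two inspection teams, the static plan keeps visiting the top hazard classes, while the dynamic plan follows the inspection history and shifts as new results are recorded with `record_inspection`.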
This is a risk analysis task that can be done in different ways: be guided by the experience, intuition and judgments of experts, rely on statistics or apply modern data processing technologies.
We believe that the most promising way to assess risk is to combine accumulated experience with machine learning. This makes it possible to predict where violations will occur in the future on the basis of information about the previous activity of the object. Such risk management compares favorably with “plugging holes” as they arise. State control turns from reactive into proactive.
For example, for environmental authorities it is possible to estimate in advance the risk of an illegal negative impact (in excess of established standards) of an enterprise on the environment. This can be done according to the characteristics of its previous activity: resource consumption, production and emergency situations.
For bodies that deal with emergency situations such as fires (in Russia, the Ministry of Emergency Situations), it is advisable to assess the risk of fire for each building: by its condition, the socio-demographic data of the area and the history of incidents. Using data from physical sensors and satellite imagery, it is possible to predict a mudflow and minimize human casualties.
For customs authorities, the risk of smuggling can be predicted from the characteristics of the supply chain of goods and the organizations participating in it. And from the point of view of the fight against terrorism, for Rosfinmonitoring the task is to identify individuals with a high risk of involvement in terrorist activities from the parameters of their financial operations.
Machine learning allows you to digest the entire available (and growing from year to year) set of information about objects of control, isolate the relevant information and build an offense model that tells you who is most likely to commit an offense, where and when.
But more about that in the next article. Stay tuned, there will be no ads.