Setting Up Detection Context 

Objective

After completing this lesson, you will be able to explain how to set up detection context.

Introduction

A detection strategy is the object that is used to examine business data, such as invoices, payments or purchase orders, for potential fraud

The following figure shows the parts of a detection strategy:

  • Detection Strategy ID: This is the name, or unique ID, that you give to a detection strategy.
  • Investigation Reason: The investigation reason expresses the motivation for a detection strategy and is the key value for alerts. You must specify an investigation reason for each detection strategy that you define. The investigation reason lets you control how detection strategies create alerts if they examine the same detection objects. For example, the investigation reason lets you choose whether each detection strategy can open its own alert or whether the detection strategies share a single alert.

Example

Assume that you have several detection strategies that have the same investigation reason. One detection strategy has run and has created an alert. When the next strategy runs, its detection findings are added as alert items to the existing alert. Because the investigation reasons are the same, the strategies share an alert.

  • Detection Object Type:Detection methods and detection strategies are both specific to a single type of business data object - a detection object type. In the detection strategy, you define the detection object type that the strategy examines. You also determine which detection methods can be included in a detection strategy.
  • Selection Parameters: Selection parameters let you limit the set of detection objects that are selected for processing by a strategy. You set values for the selection parameters. When you run the strategy, only detection objects that meet your selection criteria are processed by the strategy. With the selection parameters, you can, for example, set up specialized strategies that work on separate sets of detection objects.
  • Authorization Group: You can optionally limit authorization to work with detection strategies. If you enter a value for authorization group, then a user must be authorized both for detection strategies and for the authorization group

Settings for detection methods

Detection methods are the application objects that examine specific aspects of detection objects for evidence of fraud. When you create a detection strategy, you assign as many detection methods as you need to the strategy. When the detection strategy is run, it applies each detection method in turn to the detection objects that it examines.

On the detection method level, you can define Input Parameters and Weighting Factors for specific detection methods, which allows you to define the detection strategy behavior and how its results are evaluated.

Please note also the following important facts about the detection method settings in the strategy:

  • In a detection strategy, you provide values for the input parameters that are exposed by a detection method. For example, you might tell a detection method to look for insurance claims for accidents only late in the night, if the method exposes input parameters for Start Time and End Time
  • Since you can include a detection method more than once in a detection strategy, you can use input parameters to tailor different instances of the method for different purposes
  • Weighting factors operate on the results returned by detection methods. A detection strategy assigns a weighting factor to each detection method
  • For each detection object, a detection method returns a result value. The detection strategy multiplies this result value by the weighting factor to calculate the score returned by the detection method. For each detection object, the scores of all of the detection methods are added up to see whether an alert should be generated
  • Weighting factors let you adjust the importance of detection methods relative to one another. You can assign a high weighting factor to an especially significant method to give its result more weight. With the Find Best Values feature on the Calibration screen, you can have the system recommend optimal weighting factors
  • Since you can assign negative weighting scores, you can even let a detection method reduce the likelihood that a fraud alert is raised. Such a method finds mitigating evidence with respect to fraud
  • The result of a detection method is between 0 and 100
  • The weighting factor must be between -100 and 100
  • Method result / 100 * weighting factor = method score

The following examples illustrate how the method score is calculated using different method results and weighting factors:

  • If the result is 30 and the weighting factor is 50, then the score is 15: 30 / 100 * 50 = 15
  • If the result is 100 and the weighting factor is 100, then the score is 100: 100 / 100 * 100 = 100
  • If the result is 50 and the weighting factor is -10, then the score is -5. A negative score suggests that fraud is not involved and reduces the likelihood that an alert is triggered

Setting thresholds for alert creation

You must set an alert threshold in a detection strategy.

You may optionally also set a delta threshold

Use the alert threshold to set the trigger for raising an alert. If the sum of the scores of the detection methods exceed the threshold, then the detection strategy creates an alert item for the detection object. It either adds the alert item to an existing alert or creates a new alert for the investigation object. Raising the alert threshold makes it harder to trigger an alert for a particular detection object. Lowering the threshold lets more alerts through

The alert threshold can be from0 to 1000, a range that allows you to work with detection strategies that have many methods or only a few. If you have only a few detection methods, then you should set a correspondingly low threshold

The delta threshold, if it is set, reactivates a closed alert. (The value 0 means that closed alerts cannot be reactivated.) Set the delta threshold to a value higher than the alert threshold. If more evidence of fraud is found when a detection object is reexamined, then the delta threshold makes it possible to raise an alert for the detection object for a second time.

This figure below illustrates fraud detection in SAP BIS solution:

The following figure illustrates how the detection strategy determines how to update an alert:

  • Is there an active alert in the investigation object that is the parent of the detection object? If yes, then the detection strategy compares the total score with the alert threshold. If the total is greater than the threshold, then the new finding is added to the active alert as a new alert item, or a new alert is created.
  • Is there no alert in the investigation object? If yes, then the detection strategy compares the total score with the alert threshold. If the threshold is exceeded, then the detection strategy raises an alert in the investigation object. It then adds the alert item to the new alert.
  • Is there a closed alert in the investigation object? If yes, then the detection strategy compares the total score with the delta alert threshold.
  • If the delta threshold is set to 0, then no reactivation of alerts is allowed. The detection strategy goes on to the next detection object.
  • If a delta threshold is set and the score exceeds the delta threshold, then the detection strategy reactivates the alert and adds the alert item to it. Otherwise, the detection strategy goes on to the next detection object.
  • Through reactivation of alerts, you can allow a detection strategy to bring in new evidence of fraud for an investigation object that has already been examined. Perhaps a new detection method has inspected the detection objects associated with the investigation object. Or the result of a detection method has changed.
  • In address screening in SAP Business Integrity Screening, closed alerts are not reopened. An address screening alert is keyed by the investigation object, the investigation reason, and a changing source object (the specific online request or delta address screening run). Therefore, a new alert is created.

Version management

Version management allows you to manage your changes to detection strategies.

Version management ensures the following:

  • There is only one active version of a detection strategy at any time. This version is for production use and cannot be changed.
  • There can be only one inactive version of a detection strategy at any time. The inactive version is the editable version of a detection strategy.
  • Older versions of a detection strategy are kept as deactivated versions. You can use such deactivated versions to track the changes to a detection strategy.

The process of version management works as follows:
When you create a new detection strategy, it is given the version number 1 and remains inactive until you activate it.
Direct changes to an active version are not allowed. Therefore, when you edit an active detection strategy, the system creates a new inactive version and assigns it one version number higher.
Once you have made your changes and you activate the new version of the detection strategy, the system changes the status of the first version to Deactivated, and the new version of the detection strategy becomes the new active version. If you change an existing inactive version, the previous inactive version is overwritten.
This process repeats indefinitely, with each edited and activated detection strategy.
Calibration is a simulation function that can be used to fine-tune a detection strategy. You can calibrate both the active and inactive versions of a detection strategy

Learning

SAP FacebookSAP YoutubeSAP LinkedIn