|
|
Playing the Numbers: Assigning EFT Testing Priorities
A Simple Example of Calculating Risk Exposure
After determining the potential for financial loss and the probability of each event, you can begin a simple risk exposure calculation. In our example, the scale is 1 to 4, where 1 is highly unlikely or very low impact, and 4 is highly likely or very high impact. (Your risk assessment scale will likely be more complex and can be devised by QA personnel or other stakeholders in your organization.)
| Probability/Likelihood (x value) |
| Highly likely = |
4 |
| Likely = |
3 |
| Unlikely = |
2 |
| Highly unlikely = |
1 |
|
| Financial Impact (y value) |
| Yery high = |
4 |
| High = |
3 |
| Low = |
2 |
| Very low = |
1 |
|
Use these scales to assign two numbers to each event: one representing the likelihood that the event may occur, and one that indicates the severity of the financial impact to your organization. After you have assigned the number pair, you can plot each event on a graph to begin assigning event priority.
Electronic Payment Event Examples and Their Resulting Number Pairs:
| Event Examples |
Probability/
Likelihood
Score |
Financial
Impact
core |
Resulting
Number
Pair |
| Approval of a transaction for an account without sufficient funds |
Unlikely
(x=2) |
Very high
(y=4) |
(2,4) |
| Approved transaction because of improper PIN checking |
Highly
unlikely
(x=1) |
Very high
(y=4) |
(1,4) |
| Approval of multiple (fraudulent) POS purchases from a single cardholder due to a failure to enforce the velocity limit on the cardholder account |
Likely (x=3) |
High (y=3) |
(3,3) |
| POS transactions are approved for a cardholder in error because pre-authorizations are not processed correctly |
Highly likely
(x=4) |
Very high
(y=4) |
(4,4) |
| An ATM has a reduced service level because its supply of receipt paper is low |
Highly likely
(x=4) |
Very low
(y=1) |
(4, 1) |
Using Risk Exposure to Assign Event Priority
As you plot various events, imagine that you are dividing your graph into quadrants that contain four categories of events: priority 1 (highest priority) events through priority 4 (lowest priority) events. Logically, you should first focus EFT testing on the highest priority events, and then test the next priority events, and so on.
Copyright © 1996-2012, Paragon Application Systems
|
