The risk policy then determines how the aggregated risk score from a risk evaluation should be translated into a final risk level of low, medium, or high. For more information, see Risk policies.

Review and analyze the results from risk evaluations to see how your risk policy is performing. After reviewing the results, you might need to fine-tune your risk policy, depending on your organization’s needs and use cases. To make decisions on whether you need to adjust your risk policy, consider the following:

Your business goals
Should your risk policy be more permissive or more restrictive? This decision depends on your organization’s needs, tolerance for fraud incidents, and overall revenue and user experience impacts.
How your risk policy is configured
How are various predictors configured as part of your risk policy? How are the final risk levels assigned? For more examples of questions to consider when creating and fine-tuning a risk policy, see Risk policies.
The type of user flow
Is your risk policy used for an access, authentication, authorization, registration, or transaction flow? The type of user flow might affect the adjustments you make to a risk policy. You can also create different risk policies for different use cases.
Additional identity mitigation tools
Should you use additional tools, such as multi-factor authentication (MFA), identity verification, or knowledge-based authentication (KBA), in your user flow to prevent user identity fraud?

To learn how to view risk evaluations and determine if you need to fine-tune your risk policy, see Reviewing risk evaluations.