The risk management model comprises six phases:

• Identifying risks

This phase involves a general risk review. It involves sequenced steps:

• Collect and analyse data;
• Produce information on the basis of such data;
• Analyse risks;
• Map risks.

• Prioritizing risks

This phase involves analysis of:

• The frequency of different risks;
• The consequences of risks (financial and immaterial, such as the public image of social security).

• Analyse the causes of risks

This phase should make it possible to distinguish between:

• The complexity of administrative processes;
• The lack of clarity in rules;
• The existence of grey zones, gaps or unsupervised areas;
• The efficiency of existing controls;
• Problems related to skills and the lack of adequate resources to detect, prevent and address EEF;
• Lack of communication with beneficiaries and contributors;
• Conflict with other public policies and initiatives.

• Defining initiatives to address and correct EEF

This relates specifically to:

• Prevention;
• Detection;
• Deterrent actions that may result in sanctions.

• Planning and implementing

This phase involves implementing, in a planned manner, prevention, detection and deterrent actions.

• Monitoring and evaluating

This phase involves evaluating the measures taken to inform an update of the risk assessment strategy. The strategy as a whole should be revised.