Ori Pomerantz has just published a How-To guide on developerWorks describing how to combine risk-based weighting & red-flag factors in the same access control policies with IBM Security Access Manager.
IBM Security Access Manager for Web (ISAM) access control policies usually depend on which URL is being accessed. Different URLs can require different levels of authentication, can be accessible to different user groups, and so on.
In risk-based access control, the decision to permit access to a URL can also be determined by request characteristics. For example, the address of the device that sent the request could be factored into the access control policy.