Posted by: Eric in News, Opinion
Take a deep breath, as what I am about to write might shock you. Some software developers who talk about risk management are lying to you. Or at least, they do not tell you the whole truth, by refusing to comment on the things they cannot do, or do not understand. New proof comes from a software developer that knows a lot about about risk management. Palisade has been making risk management software since 1984. Headquartered in New York, and with offices in Tokyo, Sydney, London and Rio de Janeiro, they sell cost-effective risk management software to all sorts of customers – because many big businesses have more sophisticated risk management than that found in telcos. Palisade’s tools are based on Monte Carlo simulation, and they have just released a new case study about Enterprise Risk Management in MegaFon, the Russian telco.
Monte Carlo? Some readers will not know what Monte Carlo simulation is, including readers who have some risk management responsibilities in their job description. That was why I slipped the phrase into the text. I want to provoke people into thinking about all the risk management tools and techniques they currently know nothing about. Revenue assurance should teach people that our failings stem from the limitations of our knowledge. And yet, whilst we recognize this truth, telecoms risk management suffers from an insular viewpoint. Some narrow people claim to have broad expertise on every subject, including the whole of risk management. In truth they know only a telecoms-specific view of the world, and can only thrive because telcos are so far behind other industries when it comes to implementing risk management. They are like false prophets, giving instruction to a small band of people who live on a remote island. Whilst they claim to have knowledge of the universe and its mysteries, they have no knowledge of the world beyond their island. The quickest evolutionary path is for telcos to learn how other sectors manage risk. Or in this case, we can also learn from MegaFon’s example.
Put simply, Monte Carlo techniques reveal the likelihood of different outcomes by setting up a game, and then rolling the dice repeatedly, to see which outcomes win most often, and which lose most often. In this context, the game is a mathematical model of an organization or a project, and the role of the dice is played by a random number generator. If we estimate probabilities for a variety of factors that will influence the results of an organization or project, we can then use random numbers to run multiple simulations of how the causal factors interact, in order to map the distribution of overall results. As such, we can quantify the range of risk in any decision, and hence alter decisions according to our appetite for risk.
A poker player cannot determine which cards he is dealt, but a good poker player wins more often than a bad poker player, because he makes better decisions. In the same way, we cannot control all the factors that influence our business, but we can make better decisions if we methodically measure the influence of factors outside of our control. The MegaFon case study helps to explain how to do that in practice.
Here are some key extracts from the case study, explaining how MegaFon uses Monte Carlo techniques to manage risk in their budgeting process:
Each branch [of MegaFon] states the risks it faces, such as competition, changes in legislation that will require it to operate differently, price increases and changes to staffing costs. They also calculate how much each budget will be over or under the forecast.
The risk management team at MegaFon’s headquarters amalgamates the information from each of its offices and simulates possible scenarios… allowing the five critical factors most likely to significantly affect the company’s gross revenue to be identified and therefore mitigated.
In addition… minimum, best case and median budget figures and the probability of their occurrence… are compared to the budget plans to determine whether the forecast is too aggressive or not ambitious enough.
As well as budgeting for business as usual, MegaFon uses their Palisade Monte Carlo tools to help them make better decisions for capital investment:
In 2012, MegaFon took the decision to invest in a large construction project with the aim of minimising its operating costs and improving network quality and control over technical operations.
Two potential locations were shortlisted and the management team used Palisade’s software to make an informed decision on the optimal one. It first used Palisade’s TopRank to perform sensitivity analysis to identify the factors in each location that would have the most influence over the total cost of the project.
From here, the team used @RISK to forecast how these critical factors might change. This allowed MegaFon to understand the most likely Net Present Values (NPVs) for each possible location and identify the risks for building or not building (i.e. opportunity cost) each data centre.
@RISK allowed MegaFon to use graphs to show easily how NPV and cash flows could change over time, and the probabilities of those changes occurring, rather than the static number that they would have had to rely on without the risk analysis tool.
This is a beautiful example of how to manage risk in a telco. Hence, it is tragic that so few telcos use techniques like these. The tragedy is even greater because some telcos listen to software firms that push ‘risk models’ that do not deserve the name. In the meantime, MegaFon is using tried and tested techniques which have already been automated, making them accessible to risk managers who do not have the time to build a Monte Carlo model from scratch.
Dmitry Shevchenko, Head of Risk Management at MegaFon, is quoted:
“Palisade’s decision support software is a well-balanced and flexible instrument that can be applied to a wide variety of situations, making it ideally suited to managing risk across the enterprise.”
Compare that to the misnamed ‘risk models’ found elsewhere, and we see why they are not genuine models of risk. There are many kinds of risk across the telco, and the models will be different for each telco. Some of the so-called ‘risk models’ being pushed at telcos only model one or two specific kinds of risk, and the models are inflexible, implying all telcos have a similar risk profile. Why would any risk manager use software to model only one kind of risk, in a way that forces him to use the same generic model as every other telco, when there is software that allows him to model every kind of risk, and to build a model that is specific to his company? I assume there is only one answer to my rhetorical question: the risk manager did not know there were other, better, tools that he could have used.
Mike Willett recently interviewed me for the talkRA podcast, and I fear I may have offended some people when he asked my thoughts about revenue assurance managers seeking to become risk managers. I was blunt. I said the problem was a lack of training, and the danger was that under-trained people may take on responsibilities without having an appreciation of the gaps in their skillset, and how that will alter their perception of risk. Already, I know that under-trained and under-skilled individuals are being given risk management jobs in telcos. This is not a good thing for their business, nor for the individual. Whilst it may feel like a promotion, the undertrained risk manager must push back, and ensure they have the skills needed for the job, or their failures will have serious implications for their business, their colleagues, and themselves. They need to find trustworthy advisors, and not just listen to the comforting, convenient nonsense spewed by the false prophets. When speaking to Mike, I drew upon an analogy coined by Abraham Maslow:
If you only have a hammer, you tend to see every problem as a nail.
There is no doubt that RA practitioners have some very useful skills that can be applied to manage risks more generally. They possess some powerful tools. But they do not have as wide a range of tools as they need in their toolbox, if they are genuinely going to manage the range of risks implied by a job title like ‘risk manager’. It is no good to turn around later, and make the excuse: “it’s my job to manage this risk, but not that risk”. Was it clear from the job title which risks were being managed? Was it clear from the job description, and the list of responsibilities? And where the risk manager decides they are not responsible for a certain kind of risk, who is responsible for identifying situations where the company faces a risk, but nobody is managing it? These are big questions. And once again, the telco world is being misled by people who, lacking any answer to the big questions, refuse to acknowledge them. They offer answers, but only to those questions where they already have an answer.
Techniques like Monte Carlo simulation should be in the toolbox of every risk manager, so they can be used when they are the best tool for the job. I hope this brief and excellent case study from MegaFon and Palisade helps to open some eyes to the limitations of the tools being used by some telco risk managers. There is a general rule for risk, which states we cannot manage a risk until we have identified it. Let us be honest with ourselves, and admit to the gaps in our knowledge, skills, and tools. When we do that, we create the possibility of improving our performance, and closing those gaps.
The annual TrendLabs Security Report, published by Trend Micro, is well worth a read. Here are some interesting insights from their new report:
- Trend’s software found that instances of mobile malware and high-risk apps had more than doubled between 2012 and 2013. Trend defines ‘high-risk’ apps as those which compromise user experience because they display unwanted ads, create unnecessary shortcuts, or gather device information without user knowledge nor consent.
- 27% of malicious and high-risk mobile apps could be found on legitimate app stores such as Google Play. Blackberry found that 2% of repackaged Android apps were too risky, so blocked them from their Blackberry World market.
- As well as using improved technology, criminals also took advantage of human gullibility with respect to innovation. For example, smartphone users who scan a QR code have no way of evaluating if the code is part of a malicious scheme.
- 76% of mobile phishing attacks sought to spoof a financial services website, with PayPal being the most common spoof of all. 3% were spoofing a telecommunications website.
- Spear-phishing email attachments most commonly use the .rtf file format.
- 76% of organizations continued to run Java 6 after Oracle withdrew support for it. Java vulnerabilities accounted for 91% of web-based attacks in 2013.
- Other old software continues to pose risks. For example, 95% of ATMs in the USA still run on Windows XP.
- There were more online banking malware infections in the 4th quarter of 2013 than during the whole of 2012. This was partly due to especially severe spikes in the number of infections in Japan and Brazil, as criminals targeted opportunities in those countries.
- What do Pope Francis, Iron Man 3, and Typhoon Haiyan have in common? They are the kinds of topics used to socially engineer victims of cybercrime.
The 2013 TrendLabs Security Report is available from here.
Posted by: Eric in Opinion
Imagine you worked for the Global Revenue Assurance Professional Association, which claims to be some kind of global and professional revenue assurance association, even though its head office is Papa Rob Mattison’s garage. During the 5 years you worked for GRAPA, you taught people how to do revenue assurance and fraud management. In parallel, you also sat examinations and received qualifications for all the subjects you teach. You honestly marked your own papers. And you scored 100% for the module on business ethics. Although you never worked for an actual telco, your CV says you are a GRAPA-qualified Telecoms Fraud Analyst (nice!), a GRAPA-qualified Practitioner of Revenue Assurance (cool!), a GRAPA-qualified Telecoms Fraud Officer (wow!), and a GRAPA-qualified Master of Revenue Assurance Management – how impressive is that!?!?! So when it comes time to leave GRAPA, what job do you do? Is it…
- Director of Revenue Assurance for a tier one telco;
- Chief Fraud Officer for a multinational telecoms group;
- Head of Revenue Assurance for a mid-sized ISP; or
- Selling in-flight wi-fi to airlines?
Being one of GRAPA’s highly qualified experts in global telecoms fraud and revenue assurance is perfect preparation for a job where you persuade airlines to implement wi-fi for their passengers. Congratulations to Louis Khor and I hope he succeeds in his new job as Proposal Manager for Gogo. We all know that Louis LOVED revenue assurance, so there must have been tears when he decided he had no chance of a career in revenue assurance. On the plus side, after 5 years at GRAPA, the only way is up!
Meanwhile, let me express my sincere condolences to former students of GRAPA, who must now realize their qualifications are totally worthless.
Portuguese vendor WeDo has announced the release of RAID:FMS 7, the latest version of their fraud management system. Their press release highlights the following enhancements:
- A step-by-step wizard to build customized data mining models;
- New statistical techniques to identify possible frauds and fraudsters; and
- Faster performance at crunching data.
Like other vendors, WeDo has timed the new release to coincide with their attendance at Mobile World Congress.
Mobile World Congress is upon us again. Even though I think MWC is rubbish, this is an important time for companies to announce something, ***anything***, just issue a press release and hurry up about it. I ignore most of these press releases, because they are rude. It is very impolite to announce new products and services that might equally be used by wireline telcos, just because a lot of wireless telcos are having a big party in Barcelona. However, I could not ignore the latest cVidya press release. I tried to. I really did try. But I kept thinking about it. I was compelled to think about it, because I had no idea what cVidya were trying to say. Dear readers, if you can explain what cVidya has just announced, then feel free to write in and explain.
Major Expansion of cVidya’s Market-Leading Revenue Assurance Solution
Okay, so this sounds like one of those adverts which begins: ‘the best product on the market just got even better.’ I always like those ads, because they are so daft. How can things be so great, yet always leave so much room for improvement?
MoneyMap® V8 ships with new business analytical layer, risk methodology and pre-defined packages
What is a new business analytical layer? Do RA people often complain about missing layers? I suppose the layer has something to do with analysing business stuff. But beyond that, I have no idea what the layer does. Maybe it just sits around doing nothing, like a layer of pointless fat. If it does something, maybe cVidya should say what it does.
Whilst I am bemused by the new business analytical layer, I am stunned by the revelation that cVidya have launched a new risk methodology. The new risk methodology arrives just 12 months after cVidya launched their ProactiV risk methodology. So what happened to ProactiV? That was new, only 12 months ago. Maybe cVidya realized that ProactiV was full of flaws, so they replaced it. Or maybe the new methodology is the same as the old methodology, but they decided to announce it a second time, in case you missed it first time. I would ask questions about the new methodology, and what makes it so new, but cVidya still have not answered my questions about the old methodology. Some things get better and better, whilst other things never change.
‘Pre-defined packages’. Whaddya mean by ‘pre-defined packages’? Imagine telling the love of your life that you are going to the shops to buy some pre-defined packages. Any normal person would assume you are having an affair, and you cannot be bothered to invent a decent cover story. Literally nobody, since the dawn of time, has ever bought anything for its pre-defined packages.
Enhanced with sophisticated business analytical capabilities and support for big data…
Was there a version of cVidya’s software that failed to include sophisticated business analytical capabilities? How much more sophisticated is the new stuff, compared to the old stuff? And in what sense does a revenue assurance tool need to provide support for big data? Is cVidya implying that telcos will be stuck with small data, unless they buy MoneyMap?
…Version 8 includes an array of advanced features that enable managers and analysts to easily pinpoint the most urgent Revenue Assurance issues and quickly address them.
Again, what is new about this? I thought these guys had been pinpointing the most urgent issues, and quickly addressing them, since their start-up first cranked out a reconciliation of leased lines to bills.
Some of us remember a time before cVidya existed. It was called 2001, and Stanley Kubrick made a film about it. Kubrick thought that we would be flying around Jupiter by the year 2001. When cVidya started, a year later, they concentrated on pioneering the technology of reconciling leased lines to bills. And they told everybody that reconciling leased lines to bills was the most important thing that anyone could do. Maybe that had something to do with the fact that their software could not process other forms of data, like CDRs. Perhaps cVidya is now admitting they spent most of their 12 years persuading customers to deal with minor stuff that suited their product range, instead of really urgent issues. In that sense, MoneyMap v8 might genuinely offer something new.
The new, highly business-orientated, version of MoneyMap…
‘Highly business-oriented’? What was the orientation of their old software? Was it leisure-oriented?
…is able to track the monetary value of each case and then aggregate the total value by line of business, business unit or another sub category
At last, we see some signs of sophisticated business analytics. In this case, it is the kind of analysis you perform by adding up both the rows and the columns of a spreadsheet.
It enables Revenue Assurance managers to access aggregated and comparable data based on different attributes, such as their personal needs…
‘Personal needs’? Do RA managers satisfy their personal needs using RA software? The only way I can imagine an RA manager using RA software to satisfy a personal need is if they fudge the reports to hide a fraud they committed.
A new case management system makes it straightforward for analysts to track and prevent revenue losses.
Otherwise known as a list. I also find lists can be competently maintained using a pencil and paper. The technology of pencil and paper was already proven to be robust and reliable, way back in 2001.
Drawing on cVidya’s deep knowledge and expertise in machine-to-machine (M2M) communications, LTE, mobile money, wholesale, cable and other technologies and verticals, MoneyMap 8 is designed to enable CSPs to quickly adapt to a constantly changing market.
Somebody decided that M2M, LTE, mobile money, wholesale and cable all needed to be mentioned somewhere. So here they are. I have literally no idea how any of this connects to the major expansion, the high business-orientation, or the pre-defined packages.
New pre-defined packages will significantly reduce CSPs’ revenue leakage as they deploy self-provisioning, sponsored data programs, connected living propositions and many other advanced services and models.
I think this says: ‘super rocket woo woo fantastic’. It might be a bit of the screenplay from 2001 which was cut from the final cinema version. If cVidya are trying to communicate something meaningful about their product, it must be in a language I do not recognize.
Before anyone says that all press releases are equally as bad, take a look at the press release that Lavastorm issued a few days ago. It gives a few simple bullets on the new things their FMS can do. Whilst words cannot tell me why one ‘visualization’ is better than another, the press release straightforwardly tells the reader about new functionalities and why they are helpful. It may not sound very sexy to let users save a search for later re-use, or to let them bulk edit multiple fraud cases, but at least we can comprehend what the software does.
In contrast, cVidya’s press release ends as follows:
“MoneyMap – the leading Revenue Assurance solution on the market – has evolved into an even more leading business bazooka that will ***vroom vroom*** superexcite executives and analysts and literally orgasm everyone we’re hoping to sell it to,” said Alon Aginsky, President and CEO of cVidya.
“The new pre-defined packages ***woof woof*** are both hyper-defined and ultra-packaged, making them far superior to the pre-defined packages you find elsewhere. The latest version of MoneyMap draws on insights gleaned from cVidya’s 12 ***just count ’em baby*** years of experience, starting with the reconciliation of leased lines to bills, and culminating in this year’s business-oriented risk-methodologized business-analytical layer that is so thick and creamy it removes stubborn stains that other washing powders leave behind.”
“During those 12 years, we have tackled every revenue assurance challenge that any service provider has ever faced anywhere on this planet, and we are unique in being able to say that whilst keeping a straight face. Also, we checked some dealer commissions for a service provider in orbit around Neptune. We are very proud to say we are still in business, still not locked in an asylum, and still better than we have ever been before. ***Bow Wow*** Not everybody knows this, but I used to be the 95th most powerful man in telecoms ***howls at the moon*** so if you stick with me, I’ll take you out of this world.”
Actually, some of that last bit was made up by me. But it is pretty similar to Aginsky’s quote from the actual press release. And it makes about as much sense.
So readers, if you can explain the differences between MoneyMap 8 and MoneyMap 7, I would be grateful for your insights… especially if you can share them in plain English. Previously I would have asked my loyal cVidya readers to comment, but there is no point. We all know they have nothing to say about their products, and this press release proves it.