I never blog rumours, but lots of bloggers do. Each to their own. So whilst I hear lots of rumours about Connectiva, the Indian revenue assurance vendor, I have been waiting patiently for official news. But telecommunications does more than leak revenues. It also leaks information. Or speculation. Or rumour. Or the grievances of disgruntled workers. You can decide for yourself, by visiting this blog apparently set up by Connectiva employees.

UK mobile operator O2 found themselves in trouble last week, when it was discovered they automatically sent the user’s telephone number to any website they visited. Any. The problem is fixed now, but the error that caused the privacy violation was created on January 10th and remained uncorrected until January 25th, according to O2′s blog. Whilst O2 were quick to resolve the issue once they had become aware of it, the most important lesson learned (we can only hope it is learned this time) is that customers have become adept at spotting the mistakes not caught by the operator’s formal testing. Lewis Peckover, a system administrator at a mobile gaming company, not only found the problem, but helpfully shared it with the world, writing a script so anyone could check if their O2 phone was broadcasting their number. You can see his script page here.

A knee-jerk reaction might be to demand more controls, more testing, more whatever. Without knowing how O2 works, I would not like to comment. Mistakes happen and will keep on happening; a demand for more and more controls can only lead us in ever decreasing circles. My reaction to this incident is quite different. First, O2 reacted quickly. That is important. Agility demonstrates concern and limits risk. Second, they were transparent. They did not keep quiet and hope the problem would disappear. Instead, they were proactive in talking to customers, press and regulators. This also limits the eventual damage done. Third, all telcos could benefit from making it easy for customers to give them information, and being responsive when acting upon it. It was easy for Lewis Peckover to tell the whole world about O2′s bug. O2 got the message, but they got it via a public route. If the same information had been passed to them privately, and if they responded as rapidly, no more harm would have been done to customers, but less harm would have been done to O2′s reputation. Customers can and will keep finding flaws, and the internet makes it easy for them to share them publicly. As with Facebook’s bug bounty, telcos can get error-spotting customers to work for the telco, not against the telco. Trying to avoid mistakes is obviously important and deserves the investment of time and effort. However, a tiny investment in helping customers to help the business means the issues can be resolved quickly and quietly – thus generating a positive return for the firm.

5 Whys is perhaps the best known technique for finding the root cause of problems. Developed in Japan and pioneered in Toyota, it belongs with quality management and Kaizen as one of the factors behind the high-precision, low-error Japanese manufacturing revolution. Part of its genius is that the method itself is so simple. Start with a problem. Ask why you have the problem. Whatever the answer, ask why again – why are things like that, why is that answer true, why is the business like that? Keep repeating the question every time you get an answer, until you have forced yourself to get to the very bottom, the essential root cause that underlies the problem and where it becomes impossible to ask why again. To get to the bottom may take more than 5 whys; it just happens that 5 is a reasonable guess at how many it will take. So to give a simple illustration of how 5 Whys would apply to RA, imagine a bill is in error. Why? Because a CDR is missing. Why? Because the switch was not working as expected. Why? It got overloaded. Why? Because actual call volumes were above the design spec. Why? You get the idea by now – just keep asking why until there is nothing left to learn.

Simple, huh? Well, getting the answers might be a lot of hard work. But the point is right – RA should keep asking why until it finds the real root causes of the leakages. And if not RA, then who should ask why? The answer to that is plain: if it is not RA’s job to uncover and address these root causes, then it is nobody’s job to uncover and address these root causes. RA is unusual in having a job spec that gives it the freedom to research, find, and drive the response to root causes which lead to leakage, wherever and whatever those root causes are.

But does every RA function habitually ask the 5 Whys? No. Why? Because they can get results more quickly without asking the 5 Whys. Why? Because drilling to the root cause may be time-consuming and RA can get credit for just treating the symptoms. Why? Because finding the root cause often involves more than analysing data that RA already has (or wants) and RA can choose to measure the benefits they add by just treating symptoms. Why? Because addressing symptoms does deliver nominal benefits that can keep their bosses happy and nobody is pushing RA to measure how well they dealt with root causes. Why? Because executive management is comfortable with just addressing symptoms and RA is comfortable with satisfying those more limited expectations of executive management. Why? Because nobody in RA or the executive team is motivated to change the business more fundamentally.

Have I made my point? I think so; RA can and should deal with fundamentals and lead the discovery of root causes in order to drive fundamental change. Why? Because I believe that if RA does this, then businesses will be better… and that is the root cause of this blog.

I have always been preoccupied by bias, but last year I spent a lot more time trying to understand what drives and enables it. Bias is important – no amount of data leads to a good decision if either the data or the decision-making logic is biased. If you appreciate that, you understand why bias is the greatest opponent to robust risk management, and why what seems like good risk management may be utterly flawed. The financial collapse is an excellent and relevant example. Bias is insidious; it often works beyond the limits of our comprehension. Its subtleties lie so deep they may be invisible even to scientists, the group in society that struggles to eliminate bias more than any other. A recent article in The New Yorker beautifully explains how endemic bias plagues the scientific community, even though scientists are not conscious of it. You can read it here. If we can understand why science fails to eliminate bias, leading to expensive and mistaken decisions, we can better understand how all-pervasive bias is a constant challenge to risk management.

Normally I spend a lot of time complaining that vendors and consultants talk an awful lot of nonsense about risk management. It is only fair that I give praise when someone bucks that trend. Jim DeLoach is managing director of Protiviti, the global firm with a notable expertise in risk. Look here for his short and brilliant explanation of “what is ERM and why it is important”. I particularly liked his critical summary of the reality of risk management:

…risk is often an afterthought to strategy and risk management is an appendage to performance management.

Too true!

Reading the website of the Bigfoot Field Researchers Organization (BFRO) I was stuck by the similarities with the website of the Global Revenue Assurance Blagger’s Association. Both issue standards (on how to collect Bigfoot evidence, on how to blag that you are an RA professional), both issue regular news updates with no genuine news in them, and both were created by someone who spends too much time developing websites instead of having a proper job. This got me thinking about all the similarities and differences between Bigfoot and GRAPA. Here is what I came up with…

• One is a myth created by hoaxers and perpetuated by people with an overactive imagination… and the other is Bigfoot.
• One is studied by a large number of professionals and scientists… and the other is GRAPA.
• One is often featured in videos of very poor quality… and the other is Bigfoot.
• One has a large and active following in North America… and the other is GRAPA.
• One is banned from Wikipedia because it fails to meet the standards for an encyclopedia entry… and the other is Bigfoot.
• One is supported by extensive research gathered in the field… and the other is GRAPA.
• One is a hairy backwoodsman… and the other is owned and run by a hairy backwoodsman.

Apologies to any Bigfoot hunters who are reading this; I mean no disrespect to you and I hope you prove the rest of the world wrong. But if you see a thick-set and confused fellow wandering amongst the trees of Sleepy Hollow, Illinois, then please do not take his picture. Any kind of attention will only encourage him. He is not Bigfoot, but a far more terrifying beast of legend, known as the ‘Papa Rob’. Feed him, if you must, but never accept the pieces of paper he will try to force on you. They may look pretty when hung on the wall, but you will be forever damned…