Eric Priezkalns is a founder of talkRA. He is a widely recognized expert on risk management and business assurance for communications providers. After a successful full-time career, Eric now splits his time between occasional consulting projects for trusted customers, and his many other passions. Eric was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless Group, T-Mobile UK, BSkyB, Worldcom UK, and Nawras, as well as advising various software developers and system integrators.
Eric is a qualified chartered accountant; he trained whilst employed by the Enterprise Risk Services division in Deloitte's London office. His Masters in Information Systems was earned with distinction, and he holds a first-class degree in Mathematics and Philosophy.
In 2006, Eric was already a popular speaker at conferences, but he decided to reach out to a broader audience with the first blog dedicated to revenue assurance. Many have since copied him, but none have matched his output.
Eric was the first leader of the TM Forum's Enterprise Risk Management team, a founding member of the TM Forum’s Revenue Assurance team, and he developed the original Revenue Assurance Maturity Model. In the UK, Eric is known for his critique of billing accuracy regulations. In Qatar, Eric was a founding member of the National Committee for Internet Safety. Eric currently serves on the committee of the Revenue Assurance Group, and he is an editorial advisor to Black Swan.
Posted by: Eric in Opinion
Last week I mused on how the reduced market for business assurance means vendors need to consolidate, and how that will force many people to make tough but necessary changes. But I should be no hypocrite. It is no good saying others need to change, without accepting change myself. Six years have passed since fellow talkRA founder Matt Clark first welcomed readers to this website. Including the time spent on my Revenue Protect website, this is my eighth year of blogging about assurance. In that time, the technology has changed, the market has changed, the suppliers have changed, the customers have changed, the people have changed, the requirements have changed, the job specs have changed and even a stubborn git like me has changed (a little). talkRA needs to change as well.
Friends and colleagues know that I have been contemplating the future of talkRA for a while. There are very straightforward reasons why nothing has been done about it. Maintaining things as they are is enough to keep me busy, whilst it is not obvious what kinds of change would be an improvement. What do you think? I know that asking for comments is a sure way to guarantee that none will be received, but in this situation, even the absence of comments will provide useful feedback.
For the sake of argument, here are some options:
- Follow the technology – revenue assurance was always about having software to scrutinize large volumes of data, so follow the same group of software vendors, as they adapt the evolving technology to offer a wider range of products that address all sorts of new challenges.
- Risk is the new assurance – more and more of the content is about risk management anyway, so go the whole hog and start covering the full scope of risk management for comms providers.
- Keep on keepin’ on – everything is fine, and nobody else offers such good content about revenue assurance, so continue to maintain talkRA the way it currently is.
- Always leave them wanting more – now would be a good time to bow out and draw the curtains on talkRA. Everything that needed saying has already been said, so quit blogging and let the next generation take over.
What do you think? If you ran talkRA, what would you do?
Posted by: Eric in Opinion
There has been a lot of revealing news recently. But when I say ‘revealing’, I mean that in the sense of a man who sees dark clouds on the horizon, pulls out his binoculars, studies the skies carefully, tries to predict what will happen, and only reaches a conclusion when the rain is pouring on his head. The latest news ‘reveals’ that the market for revenue assurance and fraud management is contracting. Does this need saying? Hardly. It is obvious, and has been for years. And yet talkRA does need to say it, because if you receive your business assurance news from elsewhere, there is zero possibility of you reading about the decline of the market.
Let me summarize recent news. To begin with, an absence of anyone issuing press releases about sales is also a kind of news. They say ‘no news is good news’, but not in this instance. Companies that have to report results have been issuing disappointing numbers. Companies that do not report results have been saying as little as possible. The re-born Connectiva has shifted its focus away from RA and FM. Minor player Basset barely mentions assurance any more. Even Morisso Taieb, serial launcher of LinkedIn groups (such as the ‘RA Pros’ group) is sending out invitations to join a new group for ‘online lending professionals’ – which means there is not enough activity on his old groups, or he wants to get a job with a payday lender.
Everything points in the same direction: revenue assurance and fraud management have reached the point where the buzz is over, sales are rare, and former big-shots want to change job. So if any of you were hoping to be appointed the Chief Revenue Assurance Officer of a major telco, you might want to stop daydreaming, and to think more constructively about your career direction. The party is over, but the hangover will not last forever. We still need to get on with the rest of our lives. After the boom and bust comes a steady state of affairs, where the ongoing demand for assurance is satisfied, without excessive optimism about what might come in future.
Those of you who intend to manage revenue assurance and fraud management teams over the next few years need to be thinking very seriously about your current choice of supplier. Suppliers that were good choices during a phase of growth may be lousy choices during the steady state. Will your vendor still be in business, a few years from now? Will it be under new management? Will it have merged with another vendor, meaning you will have to switch to another supplier’s product whether you like it or not? Will the vendor persist, but milk you for fees, whilst having no intention of upgrading their product further, because they can find no market for it? Consider Connectiva. A start-up that raises a lot of capital may never reach the point where it turns a profit, and unprofitable firms cannot persist indefinitely. Consider Basset. Even if the supplier is viable, or is bought out, you may find the supplier has only a few customers for the product you use, and so has no reason to invest heavily in upgrading that product. Choosing the right suppliers ranks amongst the most important decisions that managers can make. Even if your supplier is currently satisfying requirements, there is still a need to plan for the future, and that future may involve a change of supplier.
My advice is straightforward. There is little future for business assurance if it relies upon too many undercapitalized, underperforming, small and loss-making vendors. Too much will be spent on marketing, too few resources will be directed into significant research and development. That means customers will have a lot of nominal choice, but only of similarly unimpressive, underdeveloped products. It is better that we all drive an identical Model T, and for every car to be black, than bickering about which horse we ride to work. Fewer vendors would be in everyone’s interests – except for those working for the vendors that miss the cut, and the telco staff who are too close to those particular vendors. We need vendors to be profitable, so they can be stable, and reinvest profits into development. That means bigger vendors, and fewer vendors, each taking a larger slice of a smaller cake. That is in the long-term interests of customers too, because investment in tools will only occur if a profit can be made from selling them.
Consolidation is good for the strong, who will survive, and bad for the weak, who will perish. Assurance has been the subject of a lot of hype, but hype tends to distract us from real weakness. I want to see a stronger, healthier assurance sector. To get that, we need to weed out the weaklings.
Posted by: Eric in Opinion
Do you ever share files for work? Most of us do, and most of us find it can be an annoyingly convoluted process. You might try to email the files, but discover that no amount of zipping will pack them small enough. I know of one technology firm in our sector that is too devoted to Microsoft, with the result that every time they email me an attachment, my Mac receives a useless winmail.dat file instead. To send large files, we could use FTP, but only a minority of telco employees will have FTP clients installed on their work computer (or know how to use them). Some of us sign up with internet middlemen like Dropbox, even though we know that any free service will eventually start asking for money. Google like to keep their services free, but if you try to share files using Google Docs, you discover that some people do not want to set up a Google account, whilst others are using browsers that are too old for Google’s interface to work properly. In the end, many resort to using a USB stick and carrying it from one computer to another – even though USB sticks are a proven security risk. What an extraordinarily bad advert this is for telecoms. We work in the telecoms sector, but we struggle with a basic and regular necessity – sending a file from one person to another.
So what is the way forward? Well, the answer is pretty straightforward, and the fact we struggle to find it tells us something about what is wrong with the business of electronic communication. My computer is on the internet. Your computer is on the internet. How hard can it be, to implement a method for the two computers to talk to each other securely, just to send a file? It is not hard at all. The problem was a lack of motivation. The open source community has stepped up to fill the gap, like they so often do. OnionShare is a peer-to-peer (P2P) tool to share files of any size. It supports encryption, and because it runs over the Tor network, the people who send and receive files will remain anonymous even if somebody was trying to spy on them.
I suppose that last part also contributes to the problem. On the one hand, we want people to be able to communicate privately. On the other hand, we do not. The telecoms industry is torn. Large groups like Vodafone are taking a lead by disclosing how they try to protect human rights, whilst doing what is legally required to support surveillance. But telcos suffer a lot of government scrutiny on a lot of fronts; challenging a government’s snooping might lead to adverse government decisions when it comes to taxes, or price controls, or a hundred other areas where governments can mess with telecoms businesses and tilt the competitive playing field. And telco ‘partners’ might not like privacy for their own reasons. The music industry have nothing to gain from people being able to share files – which might be music files – without anyone being able to monitor who is sending what. P2P is far more problematic for media businesses than centralized services like YouTube, because it is easier to impose control over a service that has a centre and which is run for profit.
Should business assurance practitioners care? I suspect many would think not. The temptation is to think in terms of operations, rather than of the corporate strategy. Herein lies the major difficulty as some business assurance people seek to bridge the gap to risk management. If they cannot become more strategic in focus, they will fail. Trying to deliver effective assurance by solely managing operational risks is like installing better brakes, better seat belts, better bumpers, and better airbags in your motor car, and then handing the keys to a driver whose strategy is to run the car over a cliff. Whatever you were trying to accomplish at the operational level can be rendered insanely redundant by what occurs at the strategic level. Of course, the people who sell the brakes, seat belts, bumpers and airbags might not care that your efforts are doomed, which is why they will happily take over a strategic role and use it to define your job as purely operational in scope. They have nothing to lose by taking this approach. In contrast, you might lose your job, when a risk takes you over the cliff edge. In fact, if you go over a big enough cliff, everyone in your business might lose their job. The telco’s relationship to the government, to its customers, to its partners, and the proliferation of free software that encourages network traffic are all factors that will influence profits. If we are not gathering and understanding the data about aspects of ordinary routine communications activities – like sharing a file – then we are not really assuring anything. We are like passengers who assure the car is travelling within the speed limit, whilst failing to notice the wild-eyed stare of the driver, and how he has just turned the car off-road…
P2P traffic is both a source of profit and loss for telcos like ISPs. The desire to connect one computer to another computer will motivate customers to sign up with ISPs. On the other hand, the heaviest P2P users dominate the narrow band of customers whose bandwidth consumption is far greater than all other customers put together. Understanding how P2P services compete with other kinds of services is hence a factor in the setting of tariffs, monitoring usage limits, and planning for future network traffic. It would be better to anticipate changes in customer behaviour, rather than merely reacting to changes after we see them. More than this, P2P might be a competitor to services offered by our competitors, by our partners, and even by our own business. Telcos keep talking about moving up the value chain, and the dreaded fear of becoming ‘just’ a dumb bitpipe. OTT players may be our enemies, unless we try to partner with them. And whether we are doing it as a partnership, or by mimicking their offerings with a service created in-house, we also have an interest in network usage which competes with the value-added services being offered. Dropbox is a business. Netflix is a business. There are many business models threatened by the adoption of free P2P services, lawful or otherwise. Should telcos intervene in the flow of traffic over a network, in order to protect their own revenue streams, and those of other businesses which run services over the top of our networks? This leads us to the sticky subject of net neutrality. And it also begs a question: if P2P services are the enemy of the OTT business, and the OTT business is the enemy of my telco, then should I count my enemy’s enemy as a friend?
If my telco is able to charge for use in such a way that heavy exploitation of P2P is financially rewarding, and not a burden, there is no good reason for telcos to want to limit P2P traffic. P2P services are used by the consumer free of charge, except for the price levied by the network provider. In contrast, if the network is carrying the traffic of an OTT service, the consumer must pay for both the OTT provider and for the network use, suggesting the telco will receive a smaller share of revenues generated by a smaller volume of traffic. One solution to this latter problem is that the network provider seeks revenues from the OTT business – but is this likely to be as beneficial as preferring P2P to OTT traffic? Furthermore, the relative success of P2P makes the customer more reliant on one relationship with one supplier: the network provider. Trying to make money from OTT implies the network has already become dependent on a business that sits between the telco and the end consumers who ultimately pay for everything. Why would telcos want to encourage the emergence of large, powerful businesses that can exercise significant bargaining power to drive down the price charged for network use? By their nature, P2P services cut out the middlemen. As a result, P2P spares networks from the headache of having to recover some of their shortfall in revenues by trying to obtain money from a business which is motivated to drive up telecoms costs (by driving up network traffic) whilst sharing the least revenue possible with the network provider.
And this is before I mention compliance with government diktats, and the costs of compliance. People say there is a lot of money to be made from data, but data leads to a lot of costs too. We should avoid behaving like bankers: they took the money up front, and relied on taxpayers to cover the costs which came later. If telcos get themselves in a bad situation, there might not be a bailout for a second catastrophe caused by the misadventures of big business. Of course, a lot of bankers behaved well, which is why it is wrong to generalize. But if some telcos – or some OTT providers, whether in cooperation with telcos or independently of them – go too far with exploiting customer data, then all might suffer the backlash. And this is before I mention the risks that governments are also drawn to data, for reasons which might be moral and justified, or might not. Though there may be less revenue to be made from traffic which is distributed, encrypted, and secure – just like a lot of P2P traffic is – there will also be less cost, and less risk, because there will be less reason to engage in various kinds of data gathering and surveillance. Some will argue that centralized control is preferable, because it makes it easier to counter the worst abuses, including the transmission of child pornography and the coordination of terrorist activity. However, my observation would be that criminals and terrorists will choose to utilize P2P anyway, as will journalists reporting from inside repressive countries, and freedom fighters who want to counter official propaganda. There is a deep flaw in any logic which says we should push most ordinary people to use centralized modes of communication as a way to detect and control the activities of extremists. 
And so telcos need to be rational, and strategic, in deciding how best to encourage P2P traffic as a means to disrupt the business models of our competitors, whilst maximizing the revenues and minimizing the costs created by the network traffic.
One possible future involves business assurance becoming more forward-looking, and shifting the emphasis from detection of historic faults towards analysing data in order to accurately predict network use, customer behaviours etc. This creates the opportunity to increase revenues whilst being more efficient with expenditure. But you cannot predict the future without first constructing theories for how the future might play out, and understanding how you want it to play out. We are in danger of becoming like very clever car mechanics, sitting blindfold in the passenger seat: we know the engine is in perfect working order, but have no idea if the driver is going in the right direction. We risk becoming what the Germans would call a fachidiot; our narrow view allows us to absorb lots of data, but we cannot see anything else that is happening in the world. And so the implications of a simple task that many of us perform routinely – like how to get a file from one place to another, with all the consequences for cost, security, efficiency etc – are lost to us, even though the data travels over our own networks. I must admit that I was blind to this too, until somebody pointed me toward OnionShare, and by implication, everything I had been missing with how people could and should transmit files.
With the rise of Big Data, we should soon be in a position to know if a telco is better off having customers that provide for their own needs via freebie P2P technology, or customers whose needs are satisfied by OTT businesses. Answering the question, with all it entails, will still involve a lot of hard work. But the hardest job is identifying which questions should be asked, and why. Those teams that ask the right questions will find how effective machines can be, when they work for people. Those which ask the wrong questions, or who ask none, will be like my metaphorical car mechanic: possibly highly-skilled, but employed to service machines.
The vendor formerly known as Mara-Ison Connectiva has changed its official name to Connectiva Insights and Analytics Ltd, and has adopted the new (but very similar) brand name of iConnectiva; see their press release here.
The change of name is partly motivated by a desire to re-position themselves as a supplier of analytics solutions, in contrast to offering revenue assurance and fraud management tools. As the press release noted:
This is in line with the transformation of the company from a Telecom Revenue Assurance/Fraud Management product provider to an analytics solutions company.
This shift in focus is also enabled by underlying changes in technology:
The company is in process (sic) of porting its existing products RA (Affirm) and FMS (Sentry) to its big data technology based platform CMETRICA
What does this mean for the business assurance market? Put simply, it means the people running the new Connectiva think they will make more money by selling general-purpose analytics than from selling narrowly-defined RA and FMS tools. This is despite them claiming to run the “world’s largest revenue assurance deployment”.
I think they are right to change tack, given the decline in business assurance sales in recent years, including the original Connectiva’s collapse in 2012. Business assurance is an overcrowded market. Some of the current competitors need to look elsewhere for future revenues. It is right for Connectiva to change strategy – though the change has come much later than it should.
Posted by: Eric in Opinion
Does your telco have a SOC? That was the most fundamental question raised during the pre-conference training workshop at the WeDo WWUG14 user event, earlier this year. The SOC is a new addition to the family of xOCs. All network operators have a NOC, to monitor their network. Telcos have somewhat adopted the idea of a ROC, which is meant to monitor revenues, though the popularity of the concept may have been constrained by Subex’s decision to trademark the term ‘ROC’. Praesidium, the consulting unit of Mainroad, a sister company to WeDo, now say that telcos will increasingly need a SOC – a Security Operations Centre. So why do telcos need a SOC, and why is this being discussed at a conference for business assurance people?
If a NOC ensures the service is being provided to customers, the ROC ensures these services are generating a financial return to the telco. Complexity is being driven by the convergence of networks and IT, by the increasing sophistication of services, and by the range and power of the devices belonging to end users. This complexity makes security more challenging, and opens more security gaps that might lead to financial loss if left unclosed. These motivations suggest a similar solution to one which has been used before – implement an xOC, to continuously monitor the relevant internal and external intelligence feeds and information sources.
WWUG14 keynote speaker Robert Strickland, former CTO of Leap Wireless and former CIO of T-Mobile US, also talked about RA, fraud and security coming together. Whilst the end consequences might differ, the root causes of security loopholes, fraud weaknesses and revenue leaks will often be connected. This partly explains why a conference of business assurance people is being told about the need to implement a SOC.
However, I am not entirely convinced that the simple trend analysis, and the big bold metaphors and the repeating of established themes, leave any of us knowing what we are talking about, when we talk about the ‘convergence’ of RA, fraud and security, or the need for a SOC. The more operation centres you create, and the more they monitor disparate things, the more you raise the question of whether you could and should implement monitoring in a more holistic fashion. At the same time, saying that RA, fraud and security are converging sounds wonderful, until you wonder what a ‘converged’ practitioner looks like. There is not a single human being alive who is master of every topic that sits under the category of security. What are the chances that we might educate someone to do ‘converged’ RA, fraud and security? In fact, was there not some fundamental disagreement exhibited in this event, because we had a keynote speaker talking about convergence, whilst there was a workshop calling for another, specialized, operations centre to perform different, separate monitoring?
I think the root of this contradiction lies in complexity itself. When dealing with a complex problem, we need a big view that incorporates all aspects, or there is a risk that we misunderstand the problem, and fail to identify some elements of the causes, or some of the consequences that flow from them. This pushes us towards a ‘converged’ view, because we need to see and understand everything at once. However, complexity means an increase in detail, and there is a limit to how much detail any individual human can cope with. So as the volume of detailed information grows, it becomes necessary to create sub-divisions and sub-categories, compartmentalizing information and relying upon ever more narrowly-defined experts to manage each compartment. And that encourages us to establish yet more new, and specialized, teams.
In the past, I have written about ‘the zoom’, the ability to shift your mental perspective from one where you work at incredibly low levels of detail, to one where you stand right back and see the big picture, to then zoom into detail elsewhere, and so appreciate all the connections. The ability to mentally ‘zoom’ is becoming more and more important, but that does not make it easier for people to master (or for some people to understand the point I am trying to make).
Whilst the calls for both a converged view of security with business assurance, and for a SOC, are simultaneously both right, they are simultaneously both wrong. We need an appropriate level of resources to be deployed in managing all risks faced by telcos, and those resources may need to increase if risk profiles deteriorate. But we also need to understand the limits in coordinating resources. Efficiency degrades with scale, and eventually we reach a point where no amount of resources will help us to monitor more effectively, because the organization is unable to prioritize and to make the right decisions.
To put it another way, more monitoring is a viable strategy if there is a sensible limit to how much more monitoring is needed. But endless monitoring just leads to wasted resources – things are monitored for no good reason – whilst creating a logjam for decision-makers when nobody is able to prioritize the conflicting messages from all the data being monitored by different people around the business. So one strategy to deal with increasing complexity is not just to trumpet the mitigation of risks – in ways that specialist suppliers usually do – but to actively reduce complexity, by being less complex! And that might involve resisting the temptation to keep adding new technology to an already overly complicated architecture, aggressively decommissioning technology and services of declining importance, and splitting the telco into separate businesses.
Business assurance practitioners should welcome the convergence with security, but they would be wise to fear it too. It is true that the root causes of security exploits, frauds and leaks will be increasingly intertwined. But business assurance practitioners will not be able to rise to the challenge by taking the same happy-go-lucky, few-days-here-and-there, scam-training-but-who-cares-as-long-as-the-certificate-has-the-right-words-on-it, learn-by-trial-and-error approach to education that they have taken before. It was never fit for purpose, but we got away with it because nobody expected more, and nobody did better. However, this lax attitude to education would prove disastrous if applied to the coming challenges in security. Somebody needs to invest in people, to raise their knowledge and skill levels to the standard necessary to deal with the converged challenges of business assurance and security – and we know that privately-owned telcos tend to be lousy at making this kind of investment in their people.
Governments have realized the significance of the shortfall in private enterprise, and increasingly they are taking the lead by investing in cybersecurity, which includes a crucial investment in educating people. But these governments will rightly focus taxpayers’ money on the more narrow dimensions of security, and not on the broader and related commercial challenges concerning fraud and loss. If business assurance practitioners do not find a way to improve their education, the convergence of business assurance with security might prove to be nothing like a marriage of equal partners; it will be the takeover of business assurance by highly-trained security professionals.