Rob Chapman is a consultant working for Cartesian Ltd in the UK, specializing in Business Assurance.
Rob has worked in telecoms for more than eight years in Three, Cable & Wireless, Verizon Business and TalkTalk, with a focus on problem management, revenue/business assurance and risk.
The time fast approaches for the last Revenue Assurance Group session of 2013. We’ve got some great topics lined up for discussion, including the impacts of the unified telecoms market, revenue risk management and RA within a mergers and acquisitions environment – and of course other hot topics brought to the table by the attendees, to see what really matters to us all.
It’s going to be a good day and will also help to forge the path for RAG in 2014 and beyond. If you want to know more about it or to request joining it, you can find out more from the previous RAG related post or directly on the RAG website.
Otherwise, watch this space!
The Revenue Assurance Group (RAG) was set up by Cartesian in 2004 for the leading RA experts.
Since then, it’s developed beyond a UK-centric market, and is now being expanded out to other countries, and to include independent subject matter experts to ensure attendees and input are as rich as possible.
Not only that, we’re also finding that the traditional Revenue Assurance skillset harnessed in Telcos is being applied across Utilities and Retail, so we’re seeing a keen interest from professionals in those industries to join in. Cartesian host and co-ordinate the event, ensuring that it remains focused, topically current and runs smoothly.
We held the first 2013 Revenue Assurance Group session back in March and, as usual, it was a success. A key factor to this success and future of the RAG is that it’s free, collaborative and non-competitive, which we don’t just actively encourage, but insist upon!
In the March session we covered a variety of interesting topics, with speakers on everything from the code of practice for accuracy in Australia through to the pending EU Tax changes. Aside from the usual fabulous insights into our worlds from the thought leaders of RA, the other big item on the agenda was the need to expand the group.
As mentioned, we used to be exclusive to UK operators, but have decided that the British RA community was better served by allowing everyone to take part. So – time for change!
From the next session (September 2013), we’re reducing the exclusions: no longer just UK-centric entities and not just network operators!
In real terms, this means we don’t lose the input of SMEs, such as Eric, who up until this point could only attend if they were speaking. This broadening will enrich the RAG further and bring even more expertise into the room for our discussions – helping us understand how our domains are expanding. It also means we can share innovations, initiatives and challenges from farther reaches sooner than before, ensuring that these thought leaders can contribute in this non-competitive, collaborative group for the good of Business Assurance and Risk Management.
If interested, and you want to know more about the RAG or want to be a part of it, visit the website at http://www.revenueassurancegroup.net or send us an email: firstname.lastname@example.org.
And because we’re firm fans of talkRA, we’d like to share what we’re doing in the UK RAG with all of you in the worldwide community of business assurance practitioners. That way, if you’re visiting London during one of our meetings, you’ll know to drop in and say hello!
In his post entitled ‘An ISP That Wants Privacy to be a USP’, Eric Priezkalns reviewed the potential for Nicholas Merrill and the Calyx Institute to launch an ISP which guarantees unassailable privacy for its customers. Rob Chapman responds by questioning where to draw the line when it comes to the privacy of communications.
Ah yes – we all like our privacy, but what of our safety? It’s a difficult balancing act. I’ve been subject, many years ago now, to identity theft and resent the number of CCTV cameras which effectively track my movements day-to-day. However, when I think about the potential for threats which have been, can be and will be eliminated, I can’t complain too heavily.
We’re all, at least, fairly aware of the example of Google with the vans, aerial and satellite shots and the public disdain it’s been met with. However, does that example speak more about intent, use, disclosure or public understanding? Personally, I think that much of that example can be put down to a balance of ignorance and propaganda. Even if we haven’t known, and haven’t necessarily understood, what Google have used and will use the information for, we have known for some time that it’s been gathered.
Though my understanding of the complete solution and infrastructure to be put in place is limited, I’m inclined to say that Mr Merrill’s plans are short-sighted, or meant just to make a large point. Aside from the assurance challenges which this would pose – meaning a flat pricing model and the need for massive network capacity for resiliency – there remains the issue of the greater good.
Consider the old axiom which, for the most part, stands firm… if you do nothing wrong, you have nothing to hide. This remains an ideology when talking about governments and, for the vast majority of the democratic world, it remains our right to expect our governments to act responsibly and with sensitivity for our civil liberties. I know that’s a pretty rosy view and how things should be, but we have to hope for the best. Also, we should bear in mind that much of the surveillance, be it audio-visual or data related, is not actively used. Just because I’ve been caught on camera from leaving my house to getting to work, does not mean that I’ve been actively watched or tracked.
Then we come to the potential commercial benefits which can be realised by ISPs who don’t treat data with enough sensitivity. There are significant challenges here, not just in juggling the legal and regulatory handling of data, but also in balancing these requirements against a natural urge to exploit the data which can give companies a lead in an ultra-competitive marketplace.
Let’s take the industry standard TR-069 protocol, which allows certain remote functionality for in-home devices. Many UK ISPs have been using this functionality in their router firmware for years for a variety of things, from remote configuration of routers to improved diagnostic capabilities. This protocol allows for router parameter changes and the polling of data directly from routers. For the data, this is not just router specific information but can also pull information around state and parameter changes (e.g. passwords) and connected end-user devices (including MAC addresses). It also affords a means to change any of the user configurable parameters remotely, from the security settings to SSID and WiFi password.
We know the technology is out there in the market today, but the larger question remains around disclosure and commercial sensitivity to information which could be considered intrusive.
In terms of disclosure, as long as ISPs are not returning ‘intrusive’ data without first advising their customers of this, or at least offering an opt out mechanism, there should be a greatly reduced risk for customers feeling any kind of infringement. This does raise the question around what is reasonable to collect in the first place. Password information seems a clear winner to ensure it is excluded at all times, regardless of customer buy-in to any such scheme. However, other information is less of a risk if customers have not objected, such as the SSID and connected device information – but then the treatment and handling of such data should be careful with its use and visibility restricted. Other data poses no intrusion or threat and can easily be justified for use in aiding companies with in-home issues and service/diagnostics improvements.
We have the question about treatment, handling and use of the data. In the U.K., ISPs have an obligation to ensure that they follow DR&R regulations, which make communication related data which an ISP has processed available to the government upon lawful request. We also have Data Protection related regulation, which means that the company must ensure proper, commercial handling of data. Then we have the question of companies wanting to utilise the data captured to enhance sales through targeted marketing and reduce churn. There is nothing particularly new or challenging in the scope of TR-069 that differs from how ISPs already have to handle similar data (such as Radius logs). The real question for me is how do companies ensure that they don’t exploit information which they shouldn’t? This comes through a variety of areas: disclosure of the intended uses of both remote configuration and data, ensuring privacy policies and terms & conditions are updated accordingly, and that data intended purely for diagnostic support is held and managed away from the general business access and reporting*.
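The two paragraphs above describe a tiered policy for TR-069 data: credentials are excluded at all times, identifying data such as SSIDs and connected-device details is kept only where the customer has not opted out and never leaks into general business reporting, and plain diagnostic data is fair game. The following is an added example, not code from the original post or from any ISP or ACS vendor, showing one way to apply that policy to a parameter list as it leaves the diagnostic store. The parameter names are TR-098 style (`InternetGatewayDevice.…`) values constructed for the example, and the tier names, pattern lists and the `diagnostics`/`reporting` audiences are assumptions of this example rather than anything defined by the protocol.

```python
"""Apply a tiered data-handling policy to a TR-069 GetParameterValues result.

Tiers (assumed for this example):
  excluded   - credentials; never stored or released to anyone
  restricted - identifying data (SSID, connected hosts, MAC addresses);
               diagnostics only, and only if the customer has not opted out
  open       - device/diagnostic data safe for general business reporting
"""
import re

EXCLUDED = "excluded"
RESTRICTED = "restricted"
OPEN = "open"

# Credential-bearing parameter names are dropped regardless of audience or consent.
EXCLUDED_PATTERNS = [
    re.compile(r"(^|\.)(Password|PreSharedKey|KeyPassphrase|WEPKey)(\.|$)", re.IGNORECASE),
]

# Identifying data: SSID and anything describing connected end-user devices.
RESTRICTED_PATTERNS = [
    re.compile(r"\.SSID$"),
    re.compile(r"\.MACAddress$"),
    re.compile(r"\.HostName$"),
    re.compile(r"\.Hosts\.Host\.\d+\."),
]


def classify(name):
    """Return the handling tier for a single TR-069 parameter name."""
    if any(p.search(name) for p in EXCLUDED_PATTERNS):
        return EXCLUDED
    if any(p.search(name) for p in RESTRICTED_PATTERNS):
        return RESTRICTED
    return OPEN


def filter_parameters(values, audience, opted_out=False):
    """Return (released, dropped) for a parameter dict and an audience.

    audience: "diagnostics" (support tooling, ring-fenced from the business)
              or "reporting" (general business access and reporting).
    opted_out: True if the customer declined collection of identifying data.
    """
    if audience not in ("diagnostics", "reporting"):
        raise ValueError("unknown audience: %r" % (audience,))
    released = {}
    dropped = []
    for name, value in values.items():
        tier = classify(name)
        if tier == EXCLUDED:
            dropped.append(name)                # credentials: never released
        elif tier == RESTRICTED and (audience == "reporting" or opted_out):
            dropped.append(name)                # identifying data: diagnostics only, with consent
        else:
            released[name] = value
    return released, sorted(dropped)


# Constructed sample response; the values are invented for this example.
SAMPLE_RESPONSE = {
    "InternetGatewayDevice.DeviceInfo.SoftwareVersion": "1.2.3",
    "InternetGatewayDevice.DeviceInfo.UpTime": "86400",
    "InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANDSLLinkConfig.1.LinkStatus": "Up",
    "InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password": "ppp-secret",
    "InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID": "HomeNet-1234",
    "InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase": "wifi-secret",
    "InternetGatewayDevice.LANDevice.1.Hosts.Host.1.MACAddress": "00:11:22:33:44:55",
    "InternetGatewayDevice.LANDevice.1.Hosts.Host.1.HostName": "family-laptop",
}

if __name__ == "__main__":
    for audience, opted_out in (("diagnostics", False), ("diagnostics", True), ("reporting", False)):
        released, dropped = filter_parameters(SAMPLE_RESPONSE, audience, opted_out)
        print("%s (opted_out=%s): %d released, dropped %s" % (audience, opted_out, len(released), dropped))
```

The point of keeping `dropped` alongside `released` is auditability: the diagnostic store can log which parameter names were withheld and why, without ever logging their values, which is the evidence you would want when showing that the privacy policy and the handling actually match. The pattern lists are deliberately name-based so that a new firmware exposing an extra credential parameter under a familiar name (`…Password`) is caught by default rather than waiting for someone to update an allow-list.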
Of course, most of the general public have little idea as to exactly what information is captured as standard, or what could be. With only basic information as to who the service’s users are, I perceive the possibility of a fully encrypted service to be a serious risk and, whilst I admire and support the actions of Mr Merrill in his dealings with the FBI, I think that the pendulum has swung too far in the opposite direction to be healthy. All that said, most of this is based on assumption, and Eric makes a fine point that criminals already have access to public key cryptography, so where’s the harm in offering it on a wider scale? I’ll be following things closely to see how they develop – and, of course, to get the chance to see the data.
*There is, of course, nothing within the Data Protection Act which precludes companies from retaining and using data longer than twelve months as long as there is no longer any association with the individual.
If you want something done quickly…
…give it to someone who’s busy! There’s always something to do; be it the daily chores of chasing up KPIs on the end-to-end, checking tariff changes or attending requirements workshops.
And – don’t get me wrong – it’s nice when you get to work in an RA function that’s well respected for being accurate, knowledgeable and is valued. But what happens when an RA function in this position starts to become bombarded by issues and requests because they’re seen as the ‘go to guys’?
The flood gates open – and usually for many things that are, essentially, nothing to do with RA’s remit – at least technically not!
Perhaps this is down to a lack of clear definition of Revenue Assurance within the companies this happens in, or possibly because RA are the only people to know who to genuinely go to – or perhaps because it’s seen as a catch-all for ‘management’ who don’t want to be dealing with what may be perceived as a poisoned chalice. Who knows?! Whichever it is, certain impacts to the team and the business are inevitable. The team become overloaded and stretched too thinly, like butter spread across too much bread, to be able to perform their core tasks either properly or at all. This overloading of tasks from different sources carries with it another issue. When too many senior stakeholders are pushing for answers it usually results in conflicts in the management chain and RA (who are usually trying to please everyone) end up in the middle of it.
RA needs strong senior management support to be able to effectively push back on things that genuinely don’t concern them or where the risk isn’t great enough to warrant diverting resource from genuinely impacting issues and core tasks. Often the politics will decide but, as long as a senior stakeholder in the business is on-side, then RA can follow their steer on priorities.
Sadly, I once witnessed a re-org that left RA orphaned and thrown into what became a power struggle. The loss of management was like losing the Thames Barrier during a hurricane and the lack of strategic alignment for the team in the business resulted in the function being a dog with three masters. This lack of clear direction not only affected the morale of the entire team through strained resource and conflicting, mixed messages, but, over time, damaged the reputation of RA across the business, breaking down bridges that had taken years to build.
Yet, in opposition to this scenario, in other organisations RA is seen as an almost temporary function which, once the low hanging fruit has been picked, is seen to add little to no value or, worse still, is seen as an unnecessary cost leading to the function becoming disbanded. This seems clearly short-sighted, but if the RA function isn’t mature enough then what value are they able to add over time?
It worries me that, even now, there are RA functions that don’t receive the support necessary to develop maturity, which sit too far down the chain of command to have adequate protection, and which exist protected purely by individuals in the management chain rather than by those in senior positions. Perhaps adoption into Business Assurance proper will help shield RA and other fringe teams suffering the same strains.
Time and time again RA and Risk functions within companies try to yield fantastic results, returns and savings by looking for the next big opportunity coming down the pipeline, investing time and money in what sometimes seems nothing more than an exercise in visibility.
I’m not knocking being seen by the business as a useful initiative in its own right – not least of all because you’re only as good as your last ‘catch’, or because businesses have a way of forgetting what value you are unless you’re shouting doom and gloom. Nor am I suggesting that mitigation isn’t needed for the ventures and undertakings of any company.
What I am saying is that I have repeatedly seen a job half done, born from the need to keep up with changes. No matter where you go in telecoms you can see degradation of maintenance for either data or processes, be it for network structure, product development or simply the processes behind stock control of CPE and SLAs for third parties. Given time, the fixes and mechanisms we put in place will either become outmoded or decay to the point where they add little or no value.
With data and people being at the core of every business, it seems obvious that these foundation stones must be treated with the respect they deserve. A single human error repeated time after time, a decision made without all relevant information or the implementation of something which isn’t fully considered can have a butterfly effect so profound that, before the root cause can even be determined, the loss of revenue or brand damage can threaten and jeopardize an entire business. If this foundation isn’t properly built and maintained, the whole thing can come crashing down.
Our functions have a need to step in and correct problems, but what mechanism do we leave behind to monitor the health of our own solutions, and how often, if at all, do we revisit any to ensure they are still either being followed or remain valid, effective controls? Not often – mostly not at all! There just isn’t the time, and management often doesn’t see the worth in it, thinking that once fixed there won’t be a recurrence.
I don’t think that anyone can say this isn’t true. Our roles too often seem like triage, patching up one wound and moving on to the next. There’s clear value in this but we have a need to record, maintain and revisit what we have done to ensure we provide a holistic approach in our undertakings.
Think of it like spinning plates; hard to get started but easy to keep it going as long as you don’t leave it alone entirely. Neglect it and sooner or later the plate will fall.