Archive for the Opinion Category
Posted by: Eric in News, Opinion
Take a deep breath, as what I am about to write might shock you. Some software developers who talk about risk management are lying to you. Or at least, they do not tell you the whole truth, by refusing to comment on the things they cannot do, or do not understand. New proof comes from a software developer that knows a lot about about risk management. Palisade has been making risk management software since 1984. Headquartered in New York, and with offices in Tokyo, Sydney, London and Rio de Janeiro, they sell cost-effective risk management software to all sorts of customers – because many big businesses have more sophisticated risk management than that found in telcos. Palisade’s tools are based on Monte Carlo simulation, and they have just released a new case study about Enterprise Risk Management in MegaFon, the Russian telco.
Monte Carlo? Some readers will not know what Monte Carlo simulation is, including readers who have some risk management responsibilities in their job description. That was why I slipped the phrase into the text. I want to provoke people into thinking about all the risk management tools and techniques they currently know nothing about. Revenue assurance should teach people that our failings stem from the limitations of our knowledge. And yet, whilst we recognize this truth, telecoms risk management suffers from an insular viewpoint. Some narrow people claim to have broad expertise on every subject, including the whole of risk management. In truth they know only a telecoms-specific view of the world, and can only thrive because telcos are so far behind other industries when it comes to implementing risk management. They are like false prophets, giving instruction to a small band of people who live on a remote island. Whilst they claim to have knowledge of the universe and its mysteries, they have no knowledge of the world beyond their island. The quickest evolutionary path is for telcos to learn how other sectors manage risk. Or in this case, we can also learn from MegaFon’s example.
Put simply, Monte Carlo techniques reveal the likelihood of different outcomes by setting up a game, and then rolling the dice repeatedly, to see which outcomes win most often, and which lose most often. In this context, the game is a mathematical model of an organization or a project, and the role of the dice is played by a random number generator. If we estimate probabilities for a variety of factors that will influence the results of an organization or project, we can then use random numbers to run multiple simulations of how the causal factors interact, in order to map the distribution of overall results. As such, we can quantify the range of risk in any decision, and hence alter decisions according to our appetite for risk.
A poker player cannot determine which cards he is dealt, but a good poker player wins more often than a bad poker player, because he makes better decisions. In the same way, we cannot control all the factors that influence our business, but we can make better decisions if we methodically measure the influence of factors outside of our control. The MegaFon case study helps to explain how to do that in practice.
Here are some key extracts from the case study, explaining how MegaFon uses Monte Carlo techniques to manage risk in their budgeting process:
Each branch [of MegaFon] states the risks it faces, such as competition, changes in legislation that will require it to operate differently, price increases and changes to staffing costs. They also calculate how much each budget will be over or under the forecast.
The risk management team at MegaFon’s headquarters amalgamates the information from each of its offices and simulates possible scenarios… allowing the five critical factors most likely to significantly affect the company’s gross revenue to be identified and therefore mitigated.
In addition… minimum, best case and median budget figures and the probability of their occurrence… are compared to the budget plans to determine whether the forecast is too aggressive or not ambitious enough.
As well as budgeting for business as usual, MegaFon uses their Palisade Monte Carlo tools to help them make better decisions for capital investment:
In 2012, MegaFon took the decision to invest in a large construction project with the aim of minimising its operating costs and improving network quality and control over technical operations.
Two potential locations were shortlisted and the management team used Palisade’s software to make an informed decision on the optimal one. It first used Palisade’s TopRank to perform sensitivity analysis to identify the factors in each location that would have the most influence over the total cost of the project.
From here, the team used @RISK to forecast how these critical factors might change. This allowed MegaFon to understand the most likely Net Present Values (NPVs) for each possible location and identify the risks for building or not building (i.e. opportunity cost) each data centre.
@RISK allowed MegaFon to use graphs to show easily how NPV and cash flows could change over time, and the probabilities of those changes occurring, rather than the static number that they would have had to rely on without the risk analysis tool.
This is a beautiful example of how to manage risk in a telco. Hence, it is tragic that so few telcos use techniques like these. The tragedy is even greater because some telcos listen to software firms that push ‘risk models’ that do not deserve the name. In the meantime, MegaFon is using tried and tested techniques which have already been automated, making them accessible to risk managers who do not have the time to build a Monte Carlo model from scratch.
Dmitry Shevchenko, Head of Risk Management at MegaFon, is quoted:
“Palisade’s decision support software is a well-balanced and flexible instrument that can be applied to a wide variety of situations, making it ideally suited to managing risk across the enterprise.”
Compare that to the misnamed ‘risk models’ found elsewhere, and we see why they are not genuine models of risk. There are many kinds of risk across the telco, and the models will be different for each telco. Some of the so-called ‘risk models’ being pushed at telcos only model one or two specific kinds of risk, and the models are inflexible, implying all telcos have a similar risk profile. Why would any risk manager use software to model only one kind of risk, in a way that forces him to use the same generic model as every other telco, when there is software that allows him to model every kind of risk, and to build a model that is specific to his company? I assume there is only one answer to my rhetorical question: the risk manager did not know there were other, better, tools that he could have used.
Mike Willett recently interviewed me for the talkRA podcast, and I fear I may have offended some people when he asked my thoughts about revenue assurance managers seeking to become risk managers. I was blunt. I said the problem was a lack of training, and the danger was that under-trained people may take on responsibilities without having an appreciation of the gaps in their skillset, and how that will alter their perception of risk. Already, I know that under-trained and under-skilled individuals are being given risk management jobs in telcos. This is not a good thing for their business, nor for the individual. Whilst it may feel like a promotion, the undertrained risk manager must push back, and ensure they have the skills needed for the job, or their failures will have serious implications for their business, their colleagues, and themselves. They need to find trustworthy advisors, and not just listen to the comforting, convenient nonsense spewed by the false prophets. When speaking to Mike, I drew upon an analogy coined by Abraham Maslow:
If you only have a hammer, you tend to see every problem as a nail.
There is no doubt that RA practitioners have some very useful skills that can be applied to manage risks more generally. They possess some powerful tools. But they do not have as wide a range of tools as they need in their toolbox, if they are genuinely going to manage the range of risks implied by a job title like ‘risk manager’. It is no good to turn around later, and make the excuse: “it’s my job to manage this risk, but not that risk”. Was it clear from the job title which risks were being managed? Was it clear from the job description, and the list of responsibilities? And where the risk manager decides they are not responsible for a certain kind of risk, who is responsible for identifying situations where the company faces a risk, but nobody is managing it? These are big questions. And once again, the telco world is being misled by people who, lacking any answer to the big questions, refuse to acknowledge them. They offer answers, but only to those questions where they already have an answer.
Techniques like Monte Carlo simulation should be in the toolbox of every risk manager, so they can be used when they are the best tool for the job. I hope this brief and excellent case study from MegaFon and Palisade helps to open some eyes to the limitations of the tools being used by some telco risk managers. There is a general rule for risk, which states we cannot manage a risk until we have identified it. Let us be honest with ourselves, and admit to the gaps in our knowledge, skills, and tools. When we do that, we create the possibility of improving our performance, and closing those gaps.
Posted by: Eric in Opinion
Imagine you worked for the Global Revenue Assurance Professional Association, which claims to be some kind of global and professional revenue assurance association, even though its head office is Papa Rob Mattison’s garage. During the 5 years you worked for GRAPA, you taught people how to do revenue assurance and fraud management. In parallel, you also sat examinations and received qualifications for all the subjects you teach. You honestly marked your own papers. And you scored 100% for the module on business ethics. Although you never worked for an actual telco, your CV says you are a GRAPA-qualified Telecoms Fraud Analyst (nice!), a GRAPA-qualified Practitioner of Revenue Assurance (cool!), a GRAPA-qualified Telecoms Fraud Officer (wow!), and a GRAPA-qualified Master of Revenue Assurance Management – how impressive is that!?!?! So when it comes time to leave GRAPA, what job do you do? Is it…
- Director of Revenue Assurance for a tier one telco;
- Chief Fraud Officer for a multinational telecoms group;
- Head of Revenue Assurance for a mid-sized ISP; or
- Selling in-flight wi-fi to airlines?
Being one of GRAPA’s highly qualified experts in global telecoms fraud and revenue assurance is perfect preparation for a job where you persuade airlines to implement wi-fi for their passengers. Congratulations to Louis Khor and I hope he succeeds in his new job as Proposal Manager for Gogo. We all know that Louis LOVED revenue assurance, so there must have been tears when he decided he had no chance of a career in revenue assurance. On the plus side, after 5 years at GRAPA, the only way is up!
Meanwhile, let me express my sincere condolences to former students of GRAPA, who must now realize their qualifications are totally worthless.
Posted by: Eric in Opinion
I must admit, it has been a while since I attended the Mobile World Congress. But there is a reason for that. It is because the mobile industry’s biggest annual bash is a bit… well, you know what I think already, given that you saw the title of this post.
MWC is probably a very good thing for some people. It is good for people who want to sell things. It is pretty good for people who want to buy things. But let us not kid ourselves. It is nothing but a big market. In that respect, it is not that different to a film festival, or a book fair, or a car boot sale. When it comes to markets, we can distract ourselves. We might talk about culture, or ideas, or the future, or what people wear. We can pretend we are learning about science and anticipating hot trends. But the reasons to spend all that money, flying people to one place, and running such a large event, comes down to basic human needs.
- Some people need to sell things to make money.
- Some powerful people need to buy things.
- Some other people need to seem powerful, for the sake of appearances, even though they are not going to buy anything.
I can dress this up, and complicate the story. For example, two organizations may meet at MWC to facilitate negotiation of a partnership. This is not buying and selling in the strict sense, but it is close enough. You already understand my point.
There was a time when people asked me if I was attending MWC, or would send me emails, suggesting we meet there. I may have been unintentionally rude to some of those people. I would stare quizzically at them, or not bother to reply to their emails. But from my point of view, it was a strange question to ask me. Why would I want to waste my time going to MWC? I am interested in learning things, not in buying things. And if I was going to sell myself, MWC would be a terrible place to do it, because I cannot compete with corporate salesmen who have lavish expense accounts. In this world, learning is better achieved by reading a book, or listening to a wise person speak honestly (and confidentially). We send students to schools and universities, not to shops. They go there to listen to teachers and academics, not sales assistants and marketing executives. MWC is a temporary shop. I could learn what things are on sale, and what things may be sold in future, but how does that teach me about things I am really interested in? The things that interest me are how and why people make mistakes, why we fail to calculate risk correctly, and where technology fails to work as expected. Trying to learn such things in a shop would be like trying to learn the benefits of chastity by visiting a brothel.
Nobody asks any more, thankfully, but I will not be attending this year’s MWC. So I will not be there in person, to hear Mark Zuckerberg tell me some rubbish about why Facebook is not massively over-valued. If Facebook is not overvalued, then the future must be a Facebook prison, where almost nobody chooses to use alternatives to Facebook. So even if investors in Facebook are correct, they are betting on a very creepy version of the future. I know what I think already, and I will read what Zuckerberg thinks later, if I have that much time to waste. I will be able to read it on the internet, which is cheaper, and more convenient, and less time-consuming. Hmmm… the internet is a funny thing. We buy it. We sell it. But somehow the most networked people in the world chose to communicate by speaking to an audience that sits in the same room as them. They choose to spend time on a plane, and they choose to bypass the internet. Presumably they do that because they think it is more effective to talk to people in person. And that tells you they must be talking rubbish, at one level or another.
Podcast: Play in new window
Some people are comfortable to ask questions, rather than face them.
Not so Eric Priezkalns of talkRA who stepped out of his interviewer status this week and allowed me, Mike Willett, to pose the questions to him – even though he couldn’t resist turning the questions back on me from time to time. When I proposed to Eric that he be the subject of a podcast, he willingly jumped at the opportunity and granted me full access to ask any question I wanted. What I was most interested in, though, was understanding Eric’s career path from accountant to today, to understand the things that influenced and drove him, the areas that have made him who he is today. Love or loathe Eric, I am sure you will find his insights and comments typical of what we have all come to expect of him – forthright, insightful and reflective. Enjoy this opportunity to get to know Eric a little bit better.
You can listen to this interview through your web browser, or download the mp3 file from here. If you want to be sure that you will never miss a talkRA podcast, you can also subscribe to the talkRA podcast via iTunes.
In my experience, there have been a few truths about fraud that remain as valid today as when I started out in telco fraud management in the late 1990s. Firstly, fraudsters are looking for the gaps that provide them with the maximum benefit, while at the lowest risk. Secondly, once they find this gap they will exploit this until either the gap gets closed or the risk/reward equation changes and they need, or choose to, look elsewhere.
As a result of this, the fraud manager’s response has been fairly uniform. When gaps are identified, then either systems and/or processes are re-designed to close the gap; or detection mechanisms are enhanced to more quickly identify when the fraud is detected. This all makes sense – close the gap and the fraudster has to expend effort to find a new gap, and that effort may be too much and they move on. Enhance your fraud management system and the benefits to the fraudster decline as the time available to profit from the exploit reduces and, again, they find themselves looking elsewhere. But there is another and third truth, that the fraudster is also intelligent and adaptive, and will continue to innovate to maximise their return.
Perhaps this response needs some further consideration and challenge. The cost of process and system re-design can be expensive with no guarantee that it will be successful – especially if this is process driven and relies on human intervention and judgement. Additional controls can also adversely impact the customer experience. The improvement of fraud detection can also take time and resources, especially if new data is required to be integrated and analysts trained on methods for detection. And yet, despite these challenges, fraud teams around the world are often remarkably adept to protecting their organisation from emerging threats.
However, recall the third truth. Once fraudsters learn of the response made and the changes it introduces, they also adapt their behaviour. The game of cat and mouse is underway and the pace accelerates as each new exploit is opened and then closed (even partially). Every time a telco responds, this provides crucial learnings and insight to the fraudsters on areas such as whether the action was even visible to the telco, how quickly they responded, what follow up action was taken, who took the follow up action. It enables the smart fraudster to understand not only the gaps but how to avoid suspicion and detection.
And so, I suggest, maybe telcos could seek to “defraud the fraudster”, to deceive the fraudster as to what the telco’s fraud management capabilities are. Once a fraudster has been identified, by slightly delaying a response, the fraudster may incorrectly assign the trigger for detection to a later action by the telco, as opposed to the real one. This then becomes the behaviour the fraudster tries to change to avoid detection. When the telco has awareness of the fraud occurring and can monitor and manage the risk at an appropriate level, then they can, at least in part, seek to control and alter the fraudster’s understanding of their processes. To provide a simplistic example: a telco has identified the CDR signature of a call-sell operation. Instead of shutting down the operation immediately on the basis of that signature being observed, perhaps a call is made to the “customer” asking about inconsistent account holder information and then this is the rationale for limiting service. The fraudster continues with the same call signature but invests their time looking at how they should set up their fraudulent accounts. Just as fraudsters confuse the telco, the telcos can confuse and frustrate the fraudster, by quickly closing accounts, seemingly for reasons the fraudster does not seem able to bypass.
Of course, the risk must be managed based on the organisation’s objectives and a balance is needed as I would not want to recommend allowing frauds to run without remediation – that sends a different and more dangerous message. But fraudsters learn quickly about cause and effect, and perhaps seeking to manipulate understanding this can help, in what remains the ongoing battle to manage telco fraud.