Since we announced the publication of our book, Revenue Assurance: Expert Opinions for Communications Providers, the response has been overwhelming. In Britain the book made the top 10 for “Hot Future Releases in Telecommunications” on Amazon.co.uk. Thanks to everybody who has already pre-ordered a copy. Meanwhile, for everyone else, here is a proper look at the cover, and a list of online retailers where you can get your copy.
Archive for January, 2011
Normally I would not dedicate a talkRA post to a promotional video, but there are two interesting things about this one featuring Danny Sangster, Senior Manager of Enterprise BI at XO Communications. First, and most obviously, there is no mention of needing or using specialized revenue assurance software. There is a Moore’s law undercurrent to what Danny says. As processing power increases, the need for specialization declines. Second, take note of how the language of ‘revenue assurance’ is used. Right from the beginning, Danny talks about margins, costs and profitability. These concepts are part of what ‘revenue assurance’ means to XO Communications. At first glance there may seem to be no connection between my two observations, but I believe there is a deep and fundamental relationship between them. Technology is an enabler, and language reflects what we do. As we attain new capabilities, our language evolves. If our technology allows us to be more versatile, then we can naturally adopt a more expansive role. Meaning is determined by how people use words in practice, and whilst marketeers might try to manipulate language, and standards-setters might try to define language, both can be overrun by the changes that happen in real life. The language and technology of revenue assurance keeps progressing and developing all the time. We will all change with it.
Here is the video…
Look carefully at the latest press release from Subex and you will find it raises some intriguing questions about the purpose of revenue assurance. On the surface of it, we hear a typical good news story: ‘leading SE Asian operator’, ‘successful implementation’, ‘now processing over 100 million CDRs a day’, ‘provides unprecedented automated correction capabilities’. But hold on… how do we feel about those last two statements when read together? There is nothing wrong with processing lots of data – well done to everyone involved. Unprecedented automated correction sounds good too, but what does it mean? The meaning is not obvious because, after all, this is unprecedented. One likely meaning, if this is applied to 100 million CDRs per day, is that data is being manipulated without human oversight. On the one hand, this can be a good thing. If there is something wrong with the data, then fix it as quickly and cheaply as possible. On the other hand, it begs a question about the role of RA, especially if we believe that RA has something to do with better operational efficiency. If it is efficient to automatically correct the errors in data, then why is it not more efficient to change systems so they produce the correct data in the first place?
17 01 2011
I remember I did not enjoy my time as a trainee auditor. There was a lot of work to do. We endured long hours and, when we eventually got home, we still had a lot of study for exams. We learned from textbooks and we learned on the job. The compensation, we were told, was that we would know our stuff through and through. We would have a valuable professional qualification, and its value could be relied upon. Looking back, the experience was painful, but that knowledge did get seared into my brain. No pain, no gain, as they say. Whilst I struggle to remember much of the mathematics I learned at university, my audit training comes back to me easily. Another thing I learned was that I would never stop learning. On the contrary, an appetite for learning is vital to success.
One of the first things we learned as auditors was how to determine the size of a sample for testing. The logic followed a simple question and answer procedure, so you did not need to know anything about statistics. It was crude, but easy to follow and reproduce. First, you asked yourself about the inherent risk that something would be wrong with the data you were auditing. Was it normal, or high? To keep things simple, everything was judged to be of high inherent risk or of normal inherent risk. Then, you asked yourself if you could rely on any of the business’ internal controls. You could either rely on them a lot, or a little, or not at all. By combining these two answers, you worked out the basis for how many tests to perform in your sample. A high inherent risk and no reliance on internal controls would give you the largest sample. A normal inherent risk and high reliance on internal controls would give the smallest sample. The technique was basic but effective. The goal was to determine how much work was needed to counter the category of risk that most concerns the auditor: detection risk, the possibility that the tests performed by the auditor would be inadequate to find a material error. Because the auditor can do more or less work, he can influence the detection risk, and so he needs to exercise judgement to determine how much work should be done to reduce the remaining risk, also known as the residual risk, to an acceptable level.
That is the most basic model of understanding risk as an auditor. Auditors appraise controls in order to understand their influence on the risks they face. It then surprised me to find this basic auditor’s model being mangled by Gadi Solotorevsky in his explanation of what risk management is supposedly about. In the interview, he asserts that he wants revenue assurance to ‘speak in the same language as risk management’. I have no argument with that goal, but if you want revenue assurance to speak the same language as risk management, you first have to learn the language of risk management. Based on this interview, Gadi has not learned the language of risk. Instead, he garbles it, selectively picking and choosing ideas, ignoring others, and making a number of simple but important mistakes. This is a bad sign if he is serious about his intention to speak the language of risk.
Let me illustrate Gadi’s misconceptions by expanding on the relationship between inherent risk, control risk and residual risk, a relationship I learned in my first weeks as an auditor but which has often featured in my career. He says:
This equation he cites is useful from an auditor’s perspective. But it is a gross distortion to suggest these are “the three kinds of risk” that risk managers talk about, as if everything in risk management revolves around control risk. Inherent risk and residual risk are nothing more than the ‘before’ and ‘after’ of a snapshot of risk, used to contextualize the influence on overall risk exerted by some intermediary factor. In the auditor’s model, the intermediary factor is the control environment. If we build a conceptual model solely around controls, then it is true that inherent risk is what we have before we consider the controls, and residual risk is what we have after we calculate the difference made by controls. However, the risk manager has no reason to limit their analysis solely to the difference made by controls. Even the auditor’s simplified model of risk incorporates a fourth kind of risk, detection risk, which is what auditors manage after considering the inherent and control risk. The auditor’s risk model relates to what an auditor is interested in, which is the danger that the audit might arrive at the wrong conclusion. Take a look at the risk management standards of ISO and you soon see that risk managers deal with a more complex picture of risk than the auditor’s model. An auditor is interested in inherent risk and control risk because they set the bounds for how much work the auditor should do. The auditor cannot change inherent risk, nor control risk, but they can evaluate them. The risk manager can influence both inherent risk and control risk. The risk manager also has additional options for how to treat the remaining, ‘residual’ risk, and these can be used to further reduce the business’ risk exposure. The risk manager is not focused on the reliability of an audit conclusion, but on the best interests of the business.
Note that the equation cited by Gadi has its roots in the audit model, but it stops at the point before the auditor begins his own assurance work. The impression it gives is that the only way businesses can alter their risk is by changing the control risk, the likelihood that errors will not be addressed by internal controls. This impression is very misleading. Maslow said that a man whose only tool is a hammer sees every problem as a nail. Gadi only ever advocates one tool – lots and lots of automated data analysis to find errors. This biases his understanding of risk and the work of his TMF RA team. The risk manager has many more tools at his disposal. A good risk manager picks the best tool for the job, and so needs to understand what range of tools is available. More and more checking of data is only one of the tools. Sometimes checking data is the best tool for the job, other times not.
One of the tools of the risk manager is to question whether a business wants to take risks, once those risks have been properly evaluated. A business can decide not to engage in or to discontinue an activity that brings a high level of risk for a low level of return. This would be changing the inherent risk faced by the business. There are other ways to change the inherent parameters of risk before we consider the need for controls. We should not confuse what it means for a risk to be ‘inherent’ by assuming that we cannot alter the inherent risk. Gadi used the example of sprinklers as a control that reduces the risk of a fire. But before we install sprinklers, we could also seek to ensure that the building is not made of flammable materials. Using flame-retardant materials is not a control, but it does reduce the inherent risk of fire, when compared to using less safe materials. That same thinking can equally well be applied to revenue leakage, by moving beyond the idea that RA only checks data for errors to getting RA involved in the design of systems and processes, improving them so the inherent risk of leakage is reduced. That thinking is epitomized by the lean manufacturing model, which tried to reduce reliance on large-scale quality checks of end products by building integrity into the manufacturing process. This approach can just as well be adopted by comms providers who want to reduce revenue leaks, but it does not equate to more investment in controls. On the contrary, there is less need for controls if processes are inherently error-free.
Another option for risk managers is to share risk. Insurance is the most common example of sharing risk, but there are others. Insurance is a kind of risk-sharing because the business pays an external party to bear some of the risk. The insurance premium is a cost to the business (reducing its profit) but the business gets the comfort of knowing the insurance policy will pay out and compensate the business for certain kinds of losses (reducing its risk exposure). Risk sharing reduces the risk borne by the business, but it is not a kind of control. It is revealing that one of Gadi’s slips was to say that risk management is “akin” to insurance. This implies they are somehow separate. A risk manager would understand that insurance is one of the tools to manage risks. It is not separate to risk management; it is one of the possible ways to respond to risk. Risk sharing already takes place in the realm of revenue assurance. Whenever an external company is paid according to the leakages they find and correct, they are sharing risk. If the external company finds nothing, they get paid nothing. If they find a lot wrong, they take their cut of the benefits they added and they make a lot. When RA managers think about managing risk, they should just as well think about whether an external firm would be willing to share the risk. If they cannot find an external firm willing to share the risk, that says something important about how outsiders perceive the risks and rewards of implementing additional assurance activities.
Another telling slip from Gadi comes when he says:
The error here is so basic that I doubt any risk manager would make it. When we measure risk, we measure in two dimensions: magnitude and probability. One of those elements, magnitude, can be stated in terms of money. In fact, the magnitude of most risks is expressed in terms of money. One can reasonably argue that you could measure all risk magnitudes in terms of money, if you are willing to overtly express losses like reputational damage or loss of human life in financial terms. In case anyone wants to get squeamish about reducing a human life to a monetary figure, bear in mind that life assurance policies do just that, with the premium calculated according to the amount that will be paid out and the likelihood that the person will die. Gadi’s dichotomy of measuring money versus measuring risk is false even within the realm of revenue assurance. RA does not just measure money. A lot of RA checks find nothing wrong. Even if a comms provider leaked 10% of revenue that would still mean 90% of revenue was not being leaked. In such a provider, a comprehensive program of RA controls would find no errors around 90% of the time. So RA controls measure probabilities as well as magnitudes, just as much as risk management does.
It is also worth observing that the language of risk management has come a long way since I was a trainee auditor. As an auditor, I was concerned with the amount of work needed to reduce audit risk to a tolerable level. But in recent years the language of risk has been standardized to make it very clear that risk is not something we should only seek to reduce. Risk managers should not look at a business from the perspective of an outsider. Risk has both upsides and downsides. As an auditor, I was only concerned with a downside (the possibility of reaching the wrong audit conclusion), but a business is in business because it intends to profit from the upsides of risk. A business that never took a risk would never innovate, never launch a new product, never find a new way to please customers. A business that never took a risk would fail. The risk manager does not seek to reduce risk, but to optimize it. We reduce risks if it is cost-effective to do so, meaning the cost of the mitigation is less than the expected financial benefit that flows from reducing risk. We seek to increase risk if this is justified by the increased returns. If a risk manager tends to spend most of their time and energy on risk reduction, it is only because some other business functions, like marketing, are already geared to look for opportunities that will increase risk. But the risk manager does not set himself in opposition to those functions, as part of some silly tug of war over business decisions. You cannot work with people if you set out to work against them. A risk manager moderates business decisions by seeking to assure the way risk is measured. That way, if a new marketing idea can deliver good returns for a reasonable risk, the risk manager will support it, not oppose it.
To be honest, I am not working with Gadi’s TMF RA team on these problems because I have no confidence they will address the fundamental misconceptions in the work they are currently undertaking. They have already gone too far. Pride alone will make it impossible to back-track at this stage, although I raised these same issues at an early stage of development. Put simply, their model is one-sided. It inevitably leads to the flawed conclusion that more controls are better than fewer controls because more controls means reduced risk. There is no reference to the cost of the controls or to optimizing risks. There is no mention of ways to alter risk parameters other than through implementing more controls. It was about a year ago that Gadi and I had a long conversation about the language of risk. He did not accept my criticisms then, and the work of his team has not deviated from the path he set out at that time. But my observations hardly matter. The language of risk is out there and well established. This language exists independently of the TMF, the RA community or even the communications industry. The language of risk is global and universal. The best codification of that language comes from ISO, the world’s largest developer and publisher of international standards. Only a fool would choose to go against the worldwide risk community that contributed to the ISO standards for risk management. RA people cannot unilaterally decide to change the language of risk, though they can learn how to speak it. So far, Gadi and his team make some similar sounds to the risk community, but their work has repeatedly distorted the meaning of risk.
Learning can be painful, but you need to get the basics right if you want to draw the right conclusions. The shaky language used by Gadi conflicts with the rock-solid and consistent use of language in risk management standards like ISO 31000. This is doubly ironic because the road to good risk management begins with consistent use of risk terminology across the whole enterprise. It rather looks like Gadi’s team started with a conclusion they want to reach – that everybody needs lots more controls – and have worked backwards from there to find ways to justify themselves. I think they are doomed to fail; they started building their new tower of language from the top, not from the bottom. Like the Tower of Babel, I expect it to collapse as soon as any genuine risk manager tries to climb it. In the meantime, a lot of time and effort will be distracted from the real challenge of putting revenue assurance into a proper risk context. If put into that wider context, there is the potential for RA to evolve and extend the techniques at its disposal. If not, then RA will only ever manage risk like an external auditor manages risks – deliberating whether it should do more or less of the same tests it always does, but remaining too narrow in scope to help the business to truly optimize its performance.
Time and time again RA and Risk functions within companies try to yield fantastic results, returns and savings by looking for the next big opportunity coming down the pipeline, investing time and money in what sometimes seems nothing more than an exercise in visibility.
I’m not knocking being seen by the business as a useful initiative in its own right – not least of all because you’re only as good as your last ‘catch’, or because businesses have a way of forgetting what value you are unless you’re shouting doom and gloom. Nor am I suggesting that mitigation isn’t needed for the ventures and undertakings of any company.
What I am saying is that I have repeatedly seen a job half done, born from the need to keep up with changes. No matter where you go in telecoms you can see degradation of maintenance for either data or processes, be it for network structure, product development or simply the processes behind stock control of CPE and SLAs for third parties. Given time, the fixes and mechanisms we put in place will either become outmoded or decay to the point where they add little or no value.
With data and people being at the core of every business, it seems obvious that these foundation stones must be treated with the respect they deserve. A single human error repeated time after time, a decision made without all relevant information or the implementation of something which isn’t fully considered can have a butterfly effect so profound that, before the root cause can even be determined, the loss of revenue or brand damage can threaten and jeopardize an entire business. If this foundation isn’t properly built and maintained, the whole thing can come crashing down.
Our functions have a need to step in and correct problems, but what mechanism do we leave behind to monitor the health of our own solutions and how often, if at all, do we revisit any to ensure they are still either being followed or remain valid, effective controls? Not often – mostly not at all! There just isn’t the time, and management often doesn’t see the worth in it, thinking that once fixed there won’t be a reoccurrence.
I don’t think that anyone can say this isn’t true. Our roles too often seem like triage, patching up one wound and moving on to the next. There’s clear value in this but we have a need to record, maintain and revisit what we have done to ensure we provide a holistic approach in our undertakings.
Think of it like spinning plates; hard to get started but easy to keep it going as long as you don’t leave it alone entirely. Neglect it and sooner or later the plate will fall.