Archive for September, 2011

The recent blizzard of stories about Groupon, the online deals site, highlights all kinds of risk areas, from unhappy execs leaving soon after joining, to the difficulty of timing an IPO. Amongst them was a good old-fashioned risk that never seems to go away: the risk of reporting the wrong revenue figure. Revenue is the value of what you sold, right? Simple? Not so simple. In an era of inter-dependent businesses delivering all manner of services over the internet, sometimes it is not so easy to say who sold what. A change of accounting treatment has sliced Groupon’s reported revenues in half; see here for more. This being accounting, nothing has changed in the substance of the business, and the profits (or losses) and the cash generated (or being burned) are still the same. But it does mean that there is an effective change of opinion on whether Groupon’s sales were the same as what they billed (their old way of accounting) or whether Groupon’s sales are just their share of a partnership with merchants (the new way). That, in turn, tells us something about who is generating the revenues and where the business risks lie. Changing how to account for revenues may not change business fundamentals, but it does highlight the difference made to headline numbers by policy decisions, and hence the influence that these numbers have on investors. Presentation matters – nobody chooses one policy and then swaps to another policy without having had their reasons to think that one mode of presentation might make the business look better than another. Groupon’s switch of policy is a good reminder that, if you want to assure revenues, you had better know what the word ‘revenue’ means. With online businesses getting ever more complicated and involved, do not be surprised if the same old question of how to recognize revenues keeps coming back again and again.


If you want something done quickly…

…give it to someone who’s busy! There’s always something to do; be it the daily chores of chasing up KPIs on the end-to-end, checking tariff changes or attending requirements workshops.

And – don’t get me wrong – it’s nice when you get to work in an RA function that’s well respected for being accurate, knowledgeable and is valued. But what happens when an RA function in this position starts to become bombarded by issues and requests because they’re seen as the ‘go to guys’?

The flood gates open – and usually for many things that are, essentially, nothing to do with RA’s remit – at least technically not!

Perhaps this is down to a lack of clear definition of Revenue Assurance within the companies this happens in, or possibly because RA are the only people to know who to genuinely go to – or perhaps because it’s seen as a catch-all for ‘management’ who don’t want to be dealing with what may be perceived as a poisoned chalice. Who knows?! Whichever it is, certain impacts to the team and the business are inevitable. The team become overloaded and stretched too thinly, like butter spread across too much bread, to be able to perform their core tasks either properly or at all. This overloading of tasks from different sources carries with it another issue. When too many senior stakeholders are pushing for answers it usually results in conflicts in the management chain and RA (who are usually trying to please everyone) end up in the middle of it.

RA needs strong senior management support to be able to effectively push back on things that genuinely don’t concern them or where the risk isn’t great enough to warrant diverting resource from genuinely impacting issues and core tasks. Often the politics will decide but, as long as a senior stakeholder in the business is on-side, then RA can follow their steer on priorities.

Sadly, I once witnessed a re-org that left RA orphaned and thrown into what became a power struggle. The loss of management was like losing the Thames Barrier during a hurricane and the lack of strategic alignment for the team in the business resulted in the function being a dog with three masters. This lack of clear direction not only affected the morale of the entire team through strained resource and conflicting, mixed messages, but, over time, damaged the reputation of RA across the business, breaking down bridges that had taken years to build.

Yet, in opposition to this scenario, in other organisations RA is seen as an almost temporary function which, once the low hanging fruit has been picked, is seen to add little to no value or, worse still, is seen as an unnecessary cost leading to the function becoming disbanded. This seems clearly short-sighted, but if the RA function isn’t mature enough then what value are they able to add over time?

It worries me that, even now, there are RA functions that don’t achieve the necessary support to develop maturity, that sit too far down the chain of command to have adequate protection, and that exist purely protected by individuals in the management chain rather than the senior positions. Perhaps adoption into Business Assurance proper will help shield RA and other fringe teams suffering the same strains.


Indian RA giant Subex has announced the sale of the Activation wing of its business to Netcracker; see the press release here. Netcracker will purchase the Activation assets for an undisclosed sum.

Subex dramatically diversified into the Activation business with the 2007 acquisition of Canadian firm Syndesis, which cost Subex USD165M in cash. The purchase proved disastrous. Management initially struggled to make the promised cost efficiencies, whilst Syndesis’ products fell well short of generating the revenues or margins that were expected. To pay for the acquisition, Subex also left itself saddled with an enormous debt overhang of USD180M of Foreign Currency Convertible Bonds (FCCBs) and no prospect of servicing them. The firm was unable to generate the additional cash needed to pay for the eventual redemption of the FCCBs, and a slump in the share price meant there was no prospect that they would be converted into equity. However, management regained focus and growth in their core strength of Business Optimization (a.k.a. “revenue assurance plus”), slimmed the business and returned it to profit, and successfully renegotiated the deal on the bonds, allowing the business to bounce back from its Syndesis-induced nadir. This sale closes the chapter on the sorry story of the Syndesis takeover, and means management will now concentrate on the products and services which made them global leaders in the first place.

Though the purchase price was not disclosed, a hint was given that it would be in the region of USD26M. As reported in this article, Subex boss Subash Menon noted the deal would not impact the P&L, implying the amount received will equal the carrying value of the assets on the balance sheet. This would be less than half of the renegotiated value of Subex’s FCCBs, which are due for redemption in March 2012. Yet again, Subex’s share price has slid downhill since its FCCBs were renegotiated. The current share price is about 60% of the conversion price of Subex’s FCCBs. In other words, unless the share price has a surprising bull run, then Subex will have a struggle to service its FCCB debt, or more likely will need to renegotiate their terms again. Disposing of the remnant of Syndesis is good for the business in that it will improve profitability and allow Subex’s management team to focus on the company’s core strengths, which remain impressive. However, the debt incurred for the Syndesis acquisition continues to weigh Subex down.


The old proverb says that “if you want a thing done well, do it yourself”. Rubbish. If you want a thing done well, get a few thousand other people to do it for you. No matter how good you are, the combined efforts of a few thousand other people are going to be better. Take security as an example. The reason why businesses keep getting hacked is because 10,000 hackers will always trump 100 code testers and auditors. Whatever loophole is missed by your people, the black hat hackers will have the motivation and the manpower to find it and exploit it. So how do you beat those 10,000 black hat hackers, wanting to steal your secrets and/or money?

Facebook have a solution that is on the right lines, with crowdsourcing as the key component. They do as much as they can internally, but then they also engage thousands of white hat hackers on their side. Facebook proved the worth of this approach in 2010, by adopting a policy which clarified how users should report security issues, and which gave users the assurance that they would not be held legally liable for the consequences of their research. This generated a lot of kudos for the oft-maligned social network; The Electronic Frontier Foundation went as far as applauding Facebook for their transparent stance on vulnerability disclosure. But the policy did more than earn kudos for Facebook. It rewarded Facebook, as white hat hackers found and disclosed previously unknown weaknesses, giving Facebook the chance to fix them. Now Facebook has taken the next logical step, by paying money to those who notify them of security bugs; you can read about Facebook’s ‘security bug bounty’ here. Bounties for individual bugs range from USD500 to USD5,000, and they have proven to be an enormous success. According to Facebook’s security blog, the bounty program paid out USD40,000 during its first three weeks. One person earned USD7,000 for the six issues he identified. It shows that Facebook is backing the intelligence of the social network, using the wisdom of crowds to shore up its defences. In a world where many security experts aim to promote themselves and earn revenues by publicly demonstrating the exploits they have devised, it makes perfect sense to use the internet to create a rapid-fire marketplace, with minimal middle-men and the fastest possible exchange of information. It is better to buy the knowledge of security flaws as quickly as possible, than do nothing and allow that knowledge to be sold through a market run by the black hat hackers and criminals. Expect other joined-up internet firms to follow Facebook’s lead.


One in every six IT projects suffers a cost overrun of 200% or more. That is the startling conclusion of new research by Oxford University and McKinsey; see the summary story here.

The study reviewed 1471 IT projects costing more than USD170M. The mean average cost overrun was under 30%. However, this statistic hides the truth about the deviation, with a significant proportion of IT projects running well out of control. The research also found that the probability of an IT project running out of control is 20 times greater than the risk predicted by standard risk management models.

In the article, Bent Flyvbjerg, BT professor and the founding chair of major programme management at Oxford University, highlighted five basic controls to avoid such massive cost overruns. These controls are simple and obvious, but are still worth reiterating. For example, one recurring problem was that business cases for IT projects are often works of fantasy, or as Flyvbjerg put it:

“Costs are underestimated, schedules are underestimated, and benefits are overestimated. If you have all these biases in the business case you’re going to make the wrong decisions – that’s simple. If you get misinformation in the business case instead of information you’re going to make the wrong decisions.”

However, I cannot agree with all the conclusions as presented. Flyvbjerg and the marketing of this report keep using the phrase ‘black swan’ to explain why so many projects overrun so far outside the forecasted bounds. In other words, the project failures are blamed on events of very low probability and high impact. These events have devastating consequences but cannot be accurately forecast. Forgive me for cynicism, but I suspect the real reason for throwing ‘black swans’ into the mix is because it makes for sexy headlines, beloved of both consulting firms and academics wanting more research funds. The advice given by Flyvbjerg on how to counter risk makes a mockery of the idea that black swans cause so many IT projects to spiral out of control. For example, nobody would think a biased business case that overstates benefits and understates cost is a black swan. The risk of bias in forecasting is known to even the most naive manager (whether they do anything about it is a different question).

Let me analyse these findings about IT project risk another way, to clarify why the failing projects cannot all be due to black swans. If you cross the road and get killed by a meteorite falling from the sky, that is a black swan. If you cross the road and get killed by a car, I may agree you were unlucky. Perhaps it was pitch black, the road looked empty, the driver did not have his lights on and you were wearing an iPod so did not hear the car’s engine. If you cross the road, get killed by a car, but you already knew that one in six people who try to cross that road get killed, then you are an idiot. With odds of 1 in 6, the chance of a massive IT project overrun is no different to the odds when playing Russian Roulette. If somebody you knew put a bullet in their brain when playing Russian Roulette, I doubt you would excuse it as ‘black swan unpredictability’. This research only confirms what most of us know anecdotally: that many IT projects overrun badly and that huge numbers of excuses are made for this, but as the years go by, still many IT projects continue to overrun by shocking amounts. It is not good enough to play the imbecile who always believes the excuses, and then keeps being surprised by each new failure. If we want to manage risk, we start with transparent and honest assessment of the data. A lot of IT projects fail for reasons which we should be perfectly able to predict, such as bias in initial estimates. The only way to manage risk successfully is to admit that and do something about it.
