Archive for September, 2011

Vodafone Czech Republic has successfully implemented WeDo’s rating validation software, which will be used to assure the rating of prepaid calls. The agreed price for the deal has not been disclosed. You can read the WeDo press release here.

Bookmark and Share

In an era where the scope of revenue assurance is not clearly defined, we have a lot of opinion around what it should and what it should not contain. At times we see claims that go far beyond into futuristic needs and capabilities where things are showcased as ‘must needs’ for telecom revenue assurance. Guess what- I am still of the opinion, the first and foremost requirement is to fix the “basic issues”– and that is for both large and small operators and service providers.  All fanciful whims can follow later.  Here is a brief new article from the land of over a billion people- India. There are law suits going on between BSNL and other operators over interconnect charge disputes.

The fundamental issue is the need for a basic interconnect assurance system (which, I’m sure, happens to be in scope for conventional RA these days). If such a simple system was in place, up and running “properly” beyond sales presentations, for the operators involved it would have been far easy a challenge to solve.

But at times, in the wake of complicating things- we end up losing focus for the actual and most basic needs. The above article is an example portraying the same.

 

Bookmark and Share

Norman Marks of SAP maintains an excellent blog dedicated to governance, risk management and internal audit. For those not familiar with it, I recommend you read his recent post on making risk management a way of life. Marks makes such an eloquent and cogent argument, I would add nothing by putting it into my own words. I just want to say how much I agree with his assessment that:

The only way risk management has value is if it affects the way you do business. It must influence decisions and actions; otherwise, it is no more than decoration. Risk management should not be a ‘check-the-box’ activity. Used well, it can help an organization achieve and sustain optimal long-term performance.

We need more professionals to make the argument that risk management is a daily activity. Many ‘framework’ approaches tend to push the business to adopting a periodic approach, reminiscent of auditing. However, the Internal Audit function is already well placed to do Internal Audit’s work, including audits of risk management. The demand for improved risk management comes from something additional: the realization that effectively auditing the past is not sufficient to guarantee effective management of future risks.

Perhaps there is some fear that constrains us from insisting on the everyday nature of risk management. If done every day, it becomes clear that the person given the job title of ‘Risk Manager’ will not be able to manage every risk on a daily basis. Responsibility for risk has to be distributed, if action is going to be timely. Risk-related decisions made by the most appropriate people, and most decisions involve an element an risk. This diffusion of responsibility begs the question of how the risk manager adds value to the business, and can lead to a retreat into a manageable universe of tables and reports that list what happened since those tables and reports were last updated.

So how do we make the leap from periodic reviews of how well we managed risks during the past quarter, to genuine forward-looking risk management? I do not have all the answers, but I can draw on the experience of how revenue assurance has (or should have) developed over the past decade. These days the dominant marketing theme in revenue assurance is how it is evolving into business assurance. The words may be vary, but each vendor pushes a similar message. Go back a few years, and the RA industry was in thrall to a different message, which was summarized by the goal of being more “proactive”. I put the word in inverted commas because it was so often abused, and because it was used to refer to a vaguely-defined and somewhat contradictory constellation of proposals for how to improve revenue assurance. Though the intensity of the debate has subsided as the marketing pitches have changed, the TM Forum did the right thing when it pulled apart the idea of proactivity and showed how two very different kinds of improvement were being conflated. To do this required an analysis that went beyond a false dichotomy between reactive and proactive approaches.

We can all agree that we react to things that occur in the past, and we are proactive when we anticipate and change the future. But what about the here and now? This grounds us in the activities that need to be performed on a daily basis. By also talking about ‘active’ revenue assurance, which concerns the present, we can show how it differs from reactive and proactive revenue assurance. In particular, being active is not the same as being proactive; if we confuse them we fail to identify the different strategies for being active and for being proactive. The TMF’s separation of reactive, active and proactive revenue assurance can be generalized to all risk management. Consider the example of how we deal with the risk of a fire in a building…

  • Reactive: the building has already burned down. We are no longer dealing with an actual risk, but are rather dealing with the consequences of something that happened in the past. Our (re)actions involve locating staff to a new building, switching to backup facilities, recruiting to replace the people we tragically lost and making claims against our insurance policy.
  • Active: the building is on fire! We set off alarms, the sprinklers start working, we evacuate the people and get the fire brigade to fight the fire! There is no time to waste because what we do now is all important.
  • Proactive: this is real risk management, in the sense that the risk exists but the adverse impact is still only a future possibility. Our approach is to think ahead, doing such things as ensuring non-flammable materials are used in constructing the building, appointing fire wardens and drilling staff on evacuation, taking out insurance cover and putting plans in place for how the business recovers should the worst happen.

These ideas can get confused, because what we do proactively may involve preparing ourselves for what we will do in the event of a fire (how we act at that specific point in time) and when dealing with the after-effects. Though both are preparation of a sort, the goals are different. The fire drill trains our staff about how to evacuate. Sprinklers will not put out a fire if they were never installed. These proactive steps lead to a better response when a fire occurs, limiting the damage done. In contrast, to claim on insurance we first need to take out a policy, and to recover data from remote storage first requires that backups be stored remotely. These proactive steps enable a better response after the fire has run its course. However, we can do more to manage the risk of fire than improving our response to fires when they occur. One fundamental of risk management is that we can reduce a risk by reducing its impact of an event when it takes place, or by reducing the probability of the event taking place. Reducing the probability of the event is also proactive, but the emphasis is on prevention rather than cure, meaning the undesirable event is less likely or impossible. Returning to our example of a fire, this kind of proactivity is exemplified by using less flammable materials or by enforcing policies that make it less likely that staff will start fires.

Whilst it may never be possible to eliminate the risk of fire, sometimes we can make decisions that make a risk impossible. To take the example of Fukushima nuclear disaster, for all the steps taken to prevent it, some risk would always remain. Germany’s decision to abandon the nuclear option goes one step further, as alternative sources of energy will never have the same risks (though they may introduce others).

It is also worth bearing in mind that we do not need to choose an either-or approach to risk mitigation. For many risks, and certainly the most severe risks, we should be reducing risk through reactive, active and proactive steps. Being reactive is not wrong per se. Whilst none of us want to work in a dangerous building, it still makes sense to take out insurance even after taking every other step to reduce the likelihood of a fire and reduce the damage caused when a fire does occur. That said, the TMF’s analysis of revenue assurance into the proactive, active and reactive gives rise to two options for moving away from a purely reactive mode.

  • Shifting the emphasis from reactive to active: In short, this means reducing the delay in responding to a problem so the delay is reduced. Using the metaphor of a fire, reducing reliance on a reactive response by being more active would include activities like installing a sprinkler system to fight a fire from the moment it begins, instead of only relying on calling the fire brigade and waiting for them to arrive and fight the fire. In the language of risk management, the impact is reduced because the mitigating response is more timely.
  • Shifting the emphasis from reactive to proactive: This means taking preventative measures, so there are fewer problems. From our metaphor of a fire, this would involve identifying and eliminating fire hazards. In the language of risk management, there is no change to the impact, because the focus is on lowering the probability of the undesirable event.

Whilst I like Marks’ explanation of the need for daily risk management, he could have gone further by highlighting how these two options come up every day. We can monitor aspects of performance every day, and seek to identify ‘hotspots’ before they turn into metaphorical fires. Much of the near real-time data analysis done by revenue assurance falls into this category, but it can also apply to monitoring many other aspects of operational performance, such as understanding the load on the network, or keeping a close eye on the service levels of key suppliers. In addition, decisions are made every day that may introduce new risks, or conversely may prevent them. Those employed to manage risk try to get themselves into the information loop, so they can play a part when those decisions get made. For the big decisions, which will take a while to be made, the periodic approach may be rapid enough to ensure risks are properly calculated and understood. They may be rapid enough – a quarterly approach to managing risk registers will not influence, say, the decision to launch a new promotional tariffs if that decision can be made and executed within a month. For other, smaller, decisions, the periodic approach will never be quick enough. When a member of staff decides to let a stranger through the security gates, or if a contract is signed without a proper review, a periodic cycle of risk review will never be sufficient. In these latter cases, the emphasis must be on instilling a culture where the diffuse responsibility of risk management is understood and acted upon by everybody in the business.

It feels like it took a lot of words to spell out these basics of making risk-relevant decisions on a daily basis. There would be many a CxO who would have stopped reading by now. However, clarity about choices leads to better risk management. We need to work towards making it second nature to analyse risk-related decisions in terms of the proactive, active and reactive, where the options to reduce likelihood and reduce impact are all understood. Only then will risk management be successfully distributed throughout the business, and made part of everyone’s everyday routine.

Bookmark and Share

On Sunday there were red faces of embarrassment and red faces of anger as Turkish hacker group Turkguvenligi successfully hijacked the DNS records of a string of prominent UK websites. The list of companies affected included Vodafone, UPS, The Daily Telegraph newspaper, online gambling site Betfair and the sarcastic scribes at The Register. The latter reacted exactly as you would expect them to – by blowing raspberries at their provider, NetNames; you can read it here. Turkguvenligi used an SQL injection (how corny is that?) to get into the DNS panel of two domain name registrars, NetNames and Ascio. Having done that, they picked off some premium domain names and rerouted them via their own DNS servers to an alternate page set up by Turkguvenligi. If that all sounds like gobbledygook to you, then (1) shame on you – we are living in the age of the internet, and (2) it means the actual websites were untouched, but the internet’s DNS addressing system was corrupted to take users who typed in the right URL to the wrong website. Think of it like the postman delivering all your mail to somebody other than you. You sit there, clueless, wondering why you are not getting any mail any more. Then you discover it all went to some criminal operation instead, which then took advantage of your customers. Sophos gave a slightly more detailed explanation of DNS hijacking, including a screenshot of the page that Turkguvenligi redirected people to; see here.

Fortunately, the Turkish hackers were pranksters, and not mobsters, as was clear from the interview they gave to The Guardian; see here. But the damage could have been far worse. Sending users to the wrong site obviously creates great potential to steal information from unsuspecting members of the public. The internet, and any organization which uses the internet, depends on the security of the DNS system to function properly. Whilst the redirections were reportedly reversed within 3 hours, there is genuine cause for concern if ‘expert’ domain name providers can be hacked like this, especially as the hack was done by a group of jokers who just wanted to publicize themselves. The internet has become a cornerstone for how people and organizations communicate to each other; nobody (but a hacker) wants to see those connections hijacked.

Bookmark and Share

Criminals that steal copper cables are a plague on telcos, in both rich and poor countries. They disrupt services to customers, drive up costs and take away revenues. Take a look at this story about BT’s response to a spate of thefts in Northern Ireland.

Bookmark and Share