The United States’ Federal Trade Commission (FTC) has completed its final commission report on protecting consumer privacy; you can download it from here.

One key element is ‘do-not-track’, which means giving customers the right to switch off the tracking of what they do online. Whilst the FTC would be happy to see businesses adopt do-not-track on a voluntary basis, there is the threat it would be made mandatory otherwise. Jon Leibowitz, Chairman of the FTC, put it thus:

“We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don’t.”

However, the significance of do-not-track is perhaps not fully appreciated. Leibowitz clarified the choice he sees customers making when selecting do-not-track:

“Do Not Track from our perspective certainly means ‘do not collect’ — not ‘do not advertise back’…”

In other words, businesses that make money by gathering and analysing data simply will not have data on customers that select the do-not-track privacy option. This is a firmer stance than, say, collecting the data but not using it to choose adverts that match the customer’s profile. If customers routinely select the do-not-track option, they will blow a hole in a lot of data-driven online business models. Whilst the FTC’s attitude is clear, and they believe US legislators will back them, we can expect plenty of push back from businesses that feel threatened by do-not-track.

There are two sides to every story, and there are two sides to the story of risk. We like upsides. We do not like downsides. But we accept one to get the other, and this is why risk-taking is inherent to business. Without risk-taking, there will be no upside. People fondly remember Steve Jobs because he decided what people would like, and gave them it. Apple became hugely profitable because it innovated successfully. But no innovation is guaranteed to succeed, as none of us can see into the future with certainty. So when we talk about risk management, we must remember that limiting risk-taking might restrict the upsides of risk as well as the downsides of risk.

A while ago I posted a humourous series of puns where I substituted the word ‘bottom’ for ‘risk’. There was a half-serious intention behind the wordplay. First, bottoms are somewhat rude. We cover them up, people might not like to talk about them, some will be prudish about them etc. But they exist and they are part of our being. As comical as it sounds, ignoring bottoms does not make them go away. I can only see my bottom in the mirror, but it is definitely there. That gives us an analogy to risk, another topic that some people will deal with in a matter-of-fact way, whilst others feel very uncomfortable about it. Second, some bottoms are desirable and other bottoms are not. This is as much about taste as it is about science, but the truth that people have perferences is undeniable. The same is true of risk. To want more or less risk is as daft as saying we want more or less bottoms. It may be very hard to put into words what we do want, but we trust that we know what we want when we see it.

Dan Baker commented on my ‘bottom’ post, and I want to repeat the comment in full so I can then give the reply it deserves.

Eric,

This bottom business has got me curious. On the one hand, we know when a telecom marketing department gets too aggressive and creates a ton of services without minding the bottom line profitability of those services, the business could sink.

Then there’s the opposite scenario — the operator gets too cautious. It starts to cut corners by thinning down the ranks of the RA and fraud department, opening the door for negative black swans to fly in and do some damage.

So being too aggressive and too penny-pinching are both wrong, but for the life of me, how does risk department balances those things? They seem like apples vs. oranges.

How do you decide where to put the bottom ballast to keep the telecom ship sailing on an even keel?

To those of us not initiated in the dark art of risk management, an analogy to the real world would be most helpful. In the meantime, I tip my glass to you. Bottoms up.

Dan Baker

Dan is completely correct, and will get no argument from me. I hope my attempt at humour did not confuse the basic issue that risk management is about delivering the right balance of risks. As I comically noted, some bottoms are desirable and are pursued – businesses actively seek some kinds of risk and then take them. Some will choose to grow a bigger ‘bottom’ – because they want more risk.

However, let us be honest. My post was about real risk managers as well as the theory of risk management. Whilst the theory is sound, businesses are unlikely to employ risk managers with the expectation they will drive an increase in risk-taking. Why? Because many managers in business should already be incentivized to take risk. Banks did not fail because CROs chose to take more risk, though we could ask if they were diligent enough in questioning the risks being taken. If we work on an assumption that it is relatively easy to motivate a broad cross-section of managers to take risk (through job descriptions, bonuses etc) and that it is relatively hard to monitor if they take excess risk (perhaps as a result of poorly understood combinatorial effects of decisions made in silos), then the risk manager is there primarily to understand and monitor levels of risk, ensuring the system does not fall out of balance because of the natural inclination towards risk-taking. As such, the risk manager inevitably tends to be like the doctor advocating healthy exercise and good diet as an antidote to obesity. If confronted by a patient that is malnourished, then the doctor would give different advice. But, in practice, many of us live in societies where food is easily available, cheap, and heavily promoted, just as many of us work in businesses where management is inclined to take risks to promote sales and boost profits. Hence the risk manager should be no more biased than a doctor; if they seem to keep giving the same prescription, it is only because they keep treating patients with the same ailment.

That said, I do not disagree that some organizations may have cultures which are too inhibited towards risk-taking. Indeed, when we talk about an organizational culture we are already generalizing. Whilst some management may be readily incentivized to take risks, others in the same business are incentivized to oppose risks, and the way the business is run is designed to work through an adversarial process to arrive at the right conclusion. This is apparent in the way business cases tend to be proposed, opposed, and ultimately judged. Whilst risk managers talk about ‘the’ culture of an organization, it is truer to say that subsets of an organization have differing cultures. If business is run in adversarial way, then the business can become too risk-averse overall if the risk-averse subsets of the business culture are too powerful relative to the risk-seeking subsets of the business culture. One danger for risk managers is that they become like doctors who generalize too much, and end up becoming advocates for one side of an adversarial process, always trying to strengthen the anti-risk camp in a bitter feud with the pro-risk camp. But this is not inherently healthy, any more than a starvation diet is inherently healthy.

We might also say my last paragraph suffered from a bias in how risk is framed, where by ‘framing’ I mean that the way something is described has a significant influence on the human response. I talked about being risk-averse and risk-seeking, and these phrases are widely used and understood. But being risk averse does not mean deciding not to take risks. Doing nothing may be taking a risk. If the patient is sick, the doctor may need to act. Even if the patient is not seriously unwell, the doctor may recommend changes that will make the patient healthier. If we stick to the bare bones definition, then risk is uncertainty. Doing nothing may very likely – but not certainly – lead to a degree of stagnation and lost competitiveness over time. What degree? We are not certain! So even the extreme of risk ‘aversion’ is still choosing one kind of risk over other risks. There are no absolutely risk-free decisions in this world. For the proof of that, once again look at the financial crisis, and more specifically its second phase involving the governments of the Eurozone and, to a lesser extent, the US government. Many have lost their AAA credit rating. The Basel banking regulations have supposed a so-called ‘risk free’ class of assets. In short, it was supposed that banks needed no cover for default of high-quality government bonds. Whilst I would not go as far as this writer in Businessweek, I would agree that ‘risk-free’ was a shorthand for ‘risk so small we cannot be bothered to measure it’. But even governments can fail, and many national political arguments stem from disputes about whether national economies are competitive and the best way to promote growth. In those Western countries where the post-crisis economic debate still dominates politics, the issue can be crudely simplified to whether the previous stimulus provided by private sector lending and public sector spending failed to promote a proportionate degree of fundamental economic growth (all spending leads to growth – the question is how lasting the effects will be). Hence the debate about the correct response comes down to the extent to which it is better to substitute public sector stimulus for a reduction in private sector lending, or to accept more economic pain in the short run in order to weed out inefficiencies. So on the level of national governments, nobody is suggesting there is a simple dichotomy between the ‘risk-averse’ and the ‘risk-seeking’. On the contrary, the decisions are rightly seen as one of balance based on what kinds of risks are taken, public sector vs. private sector, short-term vs. long-term, workers vs. investors, and so forth. The parallel with risk management in businesses should be clear. Despite the way ERM theory is framed, businesses have the same challenge of finding the right balance.

With this in mind, even doing nothing can be repositioned as a decision to take a kind of risk – taking the kind of risk that you will lose market share etc as competitors improve their rival offerings. High-probability low-impact risks are still risks. Over a sufficiently extended period, being ‘risk averse’ just means taking a recurring high-probability low-impact risk that you lose competitiveness… and with the odds stacked the way they are then we know with a high degree of confidence that, in the long run, as competitors innovate, the business that is too risk averse will lose competitiveness.

How does a risk manager decide what amount of risk is too much risk? Well, here I can be definitive. That is not a decision the risk manager should take, though many do get involved in that decision because they are unclear about their goals. The right amount of risk is a decision for the business as a whole, as reflects the desires of stakeholders, also taken as a whole. Risk managers are there to monitor the variance from the desired level of risk, just as a doctor may monitor a patient’s weight and compare it to an ideal. What confuses the issue is there may be no definitive statement of the ideal degree of risk. Just as there are adversarial forces within the business, there are adversarial forces within its stakeholders. The challenge of expressing the goal is difficult, and may be sidelined into the kind of fudge that we observe politicians make: they accentuate the upsides in how their favoured policies promote job creation and growth, and talk down the downsides that are inherent to any real decision. From a governance perspective, risk managers need to promote the transparency and efficiency of the decision-making process, just as good government involves transparency and clear decisions. The risk manager should not pick a side in the adversarial debate. Slavishly focusing on the reduction of downside risk causes some risk managers to neglect the overarching downside caused by a recurring failure to take decisions with upside potential.

From the analogy of government, risk managers play a role equivalent to establishing an effective judiciary – they do not decide the laws, but they want to promote a system that reaches the right specific decisions and works inexorably towards reducing inconsistency in the system of laws. The jury makes the actual specific decisions, and in this case the jury consists of the whole management team. A good risk manager needs the strictly limited authority of a good judge, ensuring the evidence is heard (both for and against), the goal (the law) is understood by the decision-makers, and that there is consistency in decision-making, as far as that is humanly possible. They implement the scales of balanced risk-taking like a judge institutes the scales of blind justice. Good judges of risk do not favour keeping upside risk down, any more than our judiciary should favour punishing the wicked at the cost of bias against the innocent. Is this complicated and hard to perfect in practice? Of course! But we must keep the ideal in mind whilst dealing with the practicalities of how people think and make decisions.

When profits are to decline 85% in 2011-12, the cause of sustainability of business is burning the need of the hour. Review this article on the Indian telecom space- the second largest on this planet after China.. The chief reasons are attributed to:

1. higher depreciation charges due to the heavy borrowings for acquiring 3G licences and rolling out 3G services
2. Over spending on infrastructure
3. Hyper competition

The articles states “The total number of telephones has increased from 429.73 million on 31st March 2009 to 926.55 million on 31st December 2011.

The growth of wireless connections has been phenomenal, reaching 893.86 million connections at the end of December 2011. As a result, the share of wireless telephones has increased from 80.3 per cent in March 2007 to 96.4 percent in December 2011.”

These are staggering “growth” numbers, but what good is growth when the operators are cash strapped? I had learnt- “revenue is vanity, profit is sanity, and cash is reality”!

Often we have debated on the scope of Revenue Assurance, but here is a clear case where the task of RA has to simply outgrow from only making sure that leakages are fixed to actually ensuring that the bottom line is held in place while concentrating on the top line. As a matter of fact, according to ABI Research’s new study, “Indian Mobile Broadband Market,” Indian operators are executing a number of initiatives: offloading their capital and operating expenditure-intensive base station towers to tower management companies; forging relationships with not just Nokia, Samsung, and LG, but also lower cost handset manufacturers such as Huawei, ZTE, Micromax, and G’Five; repackaging their data plans into more affordable, lower-tier options; introducing not just low-cost tablets, but also 3G data plans; and encouraging “local” apps developers to create “local” software apps and content. Essentially the focus of cost containment is in place, and therefore it becomes even more important for RA teams to get real and account for both top lines and bottom lines.

It is time to get the ‘cash’ in place only to ensure business sustains!

Tony Poulos, the inimitable ‘insider’, has written another great blog comparing cybersecurity goals with net neutrality aspirations – and questioning how consistent they are. Yes, I know Tony is always writing great blogs, but anyone interested in both security and net neutrality should definitely take a look; see the post here.

For me, the key point is that the comms industry – and those overseeing it – are great at espousing various objectives, but weak at identifying and handling the contradictions that sometimes arise between them. Tony is unusual as pundits go, as he is not afraid to dive head-first into grey areas that others prefer to leave deliberately vague. In fact, it is a recurring theme in his writing, and just one of the good reasons to follow his output.

Subex, the Indian RA vendor has announced some good news: Gartner reportedly ranks Subex as having been the number one market leader in revenue assurance and fraud management during 2011. See here for the press release.

However, I am confused. Take a look at these excerpts from the press release:

…Gartner has ranked Subex as the market leader in the Revenue Assurance and Fraud Management for the second year in succession*.

The Gartner research report: “Market Share: Telecom Operations Management Systems (BSS, OSS and SDP), Worldwide, 2010-2011” highlights the overall OSS/BSS and Service Delivery Platform market. According to the report, Subex enjoys 9% market share and maintains its leadership position.

*RCR Wireless list, 2010

Regular readers will know I am often confused about who is the number one vendor. Last year I wrote how three vendors, cVidya and WeDo, as well as Subex, were each reportedly number one according to three different research firms. That would be confusing enough, though we could argue that different researchers might well gather different data, use different market definitions and hence come up with different headlines about which firm is number one. What is confusing me is that cVidya announced they were number one for 2010, according to Gartner. So now we have Gartner supposedly saying both that cVidya was number one in 2010, and that Subex was number one in 2011 for the second year in succession.

This was how cVidya put it last year:

Gartner has ranked cVidya as number 1 for global market share for 2010 in the revenue assurance and fraud management space for telecom operators based on revenue. The release of Gartner’s report “Market Share: Telecom Operations Management Systems (BSS, OSS and SDP), Worldwide, 2009-2010” follows cVidya’s recent wins in Revenue Assurance and Fraud Management and the launch of the Integrated Revenue Intelligence Solutions (IRIS®) suite in 2010.

Confused? I certainly am. I could audit Gartner’s output to try to get to the bottom of this silliness. But, in truth, I do not want to do that. I just want straightforward and credible results from research reports. If the same research firm is caught quoting that different firms are both number one for the same period, then the solution is to fix the research and fix the reporting of the research. That way we can have one, and only one, reported as being the number one.

Sometimes the biggest news is about what made the news. Last week, two reports from Juniper Research and KPMG generated the following headline on BBC News:

Mobile firms bleed billions to fraud and bill errors

I have not had time to digest the KPMG report, and I will not be buying the Juniper report. But I have a question for the industry. Are we glad to get this news coverage? Is this a good thing for people working in revenue assurance and fraud management?

Five years ago (!), I pointed out there is a double-edged saw when it comes to reporting losses. Big losses help to get big attention… but if you get attention, then you have to show you can do something about those losses. Hence, as a risk manager, my immediate concern when assessing the true degree of risk is to judge the impact of bias… including the bias of people who make money from selling reports and consulting services. Bias can work in two ways: overstating a problem if you are not responsible for it, and understating it if you are. Reporting loss rates of 15% might be a wonderful tactic if yesterday you were given the responsibility for managing the RA and Fraud Management department. But if you were in the job for five years and reported 15% of losses consistently over that period, I would fire you. No ifs, no buts, I would kick you out. And firing you would be for your own good – if you had that little effective influence, you need to get a new job for your own sake. So how do I read the ‘bleeding billions’ headline? I read it as fundamentally negative, because revenue assurance and fraud management is not new.

There is an easy way to deal with bias in reporting estimates, but sadly there is no evidence it has been used by either KPMG and Juniper. Instead of just estimating the scale of the current problem, and perhaps looking to the future, it also makes sense to look to the past. Is the problem bigger or smaller than it was last year, the year before that, five years ago, etc? As I also argued (over three years ago!) RA needs to cultivate a memory in order to see problems clearly and prevent the same mistakes from happening over and over. If we looked at our collective memory for loss, what would it tell us? I hope it tells us that loss is going down, for one simple reason: money is being spent on revenue assurance and fraud management that was not being spent on them before. That money needs to generate a return, or it is being wasted. Either way, the memory helps us to keep our estimates straight and honest – or else we are arguing that we are inadequate for the task we set ourselves.