Big and Small: Why Amdocs Fails to Spark Risk Management

Volunteering for the Risk & Assurance Group (RAG) has helped me to stay grounded in risk management, not just because RAG discusses the risks faced by telcos, but also because I deal with all the various risks faced by our small nonprofit corporation. Some of the risks are analogous to those faced by telcos, such as sponsors paying their invoices late. Other risks are quite different in nature, such as the risk of speakers being delayed en route, and thus leaving unexpected gaps in the agenda. Though one organization is much smaller than the other, I find managing the risks faced by RAG consumes as much time as managing the risks faced by a whole telco! This is true because risk managers spend a lot of their time prioritizing risks, and hence choosing which risks they will pay attention to, and where they will rely on others to manage risks without supervision. The difference in a very small organization is that there are no risks you do not supervise; you are always conscious of everything that can go wrong.

The contrast between big and small companies is enlightening. Big companies often suffer a silo mentality where people are pedantic about the narrowly-defined jobs they do, insisting they are not responsible for anything that falls outside of their job description. Risk managers may find the division of responsibilities to be an obstacle, because the actual risks faced by the business will not neatly map to its organization chart. This gives small telcos an advantage when it comes to doing risk management. When far fewer people are employed by the business, the staff are naturally more willing to take a fluid and expansive view of their responsibilities. Instead of arguing about who has the responsibility for performing a certain task or managing a certain risk, they all know that somebody or other has to address the challenge. People who work for small telcos are usually less fussy about sticking to their job specification, and this helps with tackling the many and varied risks that the business will encounter.

Working in a small telco can also be a very useful educational experience. Instead of facing bureaucratic divisions that limit what a member of staff can do, most employees are encouraged to be versatile, and they inevitably have more personal contact with a wider range of the functions performed by the telco. This much was confirmed during one of the panels at RAG Johannesburg, where Elgiva Sibisi compared her current job managing RAFM at MTN South Africa with the role she performed in the smaller MTN opco in Swaziland. Elgiva was very positive about the experience she gained in Swaziland, telling the audience about the breadth of insights she gained whilst there, and how this has helped her to gain a solid understanding of telco operations which she could drawn upon after moving to the larger South African business.

I often hear similarly upbeat messages from other RAFM practitioners that work for small telcos. That is why I will reach out to the small operators in the Pacific Islands Telecommunications Association and ask them to join us at RAG Sydney. At least one of their rank should give a presentation – about the way they tackle fraud, if nothing else. This also explains why I will be nagging Kathryn Garland of JT Group to speak at the next London meeting of RAG. As much as we like to hear from the big telcos and groups like MTN, BT, Vodafone and Deutsche Telekom, RAG will also benefit by encouraging bright people like Kathryn. Her experience of working for a smaller telco will help her to make conceptual and organizational connections that elude those working in the biggest firms.

Some of you are now wondering what any of this has to do with Amdocs, the company mentioned in the title of this piece. But perhaps you will start to discern the answer if I mention that Amdocs is a big business (with over 26,000 employees) but it is competing with much smaller businesses in the RAFM market. Despite the resources available to such a huge company, the marketing of their RAFM products and services is utterly hopeless. Part of the reason for their repeated failure is they have always had a back-to-front understanding of risk management. Instead of listening to telcos talking about the risks that worry them, their marketing strategy has always been to tell telcos what they should be worried about. Coincidentally, what Amdocs thinks telcos should worry about always matches the scope of the products they offer. They suffer from the most common mistake made by tech businesses: creating a product because you know how to make it, not because you know that customers want it. Consider this advertorial that Amdocs recently placed in VanillaPlus:

Don’t wait for lightning to strike! Securing your digital transformation

That sounds like a promising title. So why does the rest of the piece cover none of the digital transformation risks that telcos were talking about at RAG Johannesburg? Is it because ‘digital transformation’ sounds good in a headline, but Amdocs has nothing to say about the associated risks?

They say lightening never strikes the same place twice. Tell that to poor old Roy Cleveland Sullivan, who was struck by lightning several times during his 30-years career as a U.S. park ranger. Sullivan was extremely lucky to survive. Few do.

The moral of Sullivan’s story is simple: When you see a threat, take action. Don’t just hope it doesn’t happen again. It’s true for communication service providers as much as it is for park rangers.

***Worst analogy ever*** Are they trying to say that Park Ranger Sullivan kept failing to ‘take action’, even after the fourth or fifth time he was struck by lightning? That sounds like an enormous insult to him. Sullivan’s bad luck tells us more about statistics and the distribution of unlikely risk events – very few people are hit by lightning, but in a large enough population there will be some who are hit several times – than it does about Sullivan’s success or failure at dodging lightning bolts.

Real risk managers do not believe any old nonsense that somebody tells them. They do research, to assess the probability of a risk impact and how severe it might be. That is why real risk managers would soon learn that Ranger Sullivan lived in a country where you have a literal one-in-a-million chance of being struck by lightning each year. Hundreds of millions of people live in the USA, so it is likely that some Americans will be struck several times during their lifetime. This is the correct conclusion because the survival rate is better than you might think. Only 10 percent who suffer lightning strikes will die. So when this writer states “few” survive, he really means “I have no idea what the risks are, and never met a risk manager who explained the job involves checking facts to avoid relying on ignorant assumptions.”

Trivia buffs should note that Sullivan was struck by lightning on seven different occasions, which is not the same as saying he was struck several times. If the moral of the story is ‘take action’ then this inept writer is effectively blaming Sullivan for continuing to do his job, which required him to be outdoors. By working as a park ranger, Sullivan accepted the tiny but largely unavoidable risk of being struck by lightning.

Operational Risk Management (ORM) is the art of taking preventative measures against threats. In these tumultuous times for telcoms, with the transformation to digital in full swing, and the implementation of IoE and NFV technologies well underway, it’s more important than ever.

So will this article mention any risks that are specific to IoE or NFV? Of course not.

Hezi Zelevski, product and marketing lead for Amdocs’ Revenue Guard, has valuable news about the latest developments in the world of ORM and advice on why CSPs need to move forward quickly to meet new challenges, but without exposing themselves to old threats.

Actually, he is only going to tell us about the same old risks because that is all he knows about.

Q: What’s the difference between risk management and operational risk management?

Is that an actual question? If any of you cannot answer this question for yourself it can only be because you are unable to apply the concept of a subset.

A: Risk management is a broad term. It covers everything from securing physical assets like a building, and insuring it, to disaster-recovery process, among other things.

Operational risk management is a sub-category focused on the operational processes of CSPs like service assurance, revenue assurance, fraud management, billing accuracy, payment assurance and others.

Yes, but the sub-category of operational risk management also includes many other activities that Hezi leaves off his list. For example, lots of telcos employ people to perform operational tasks in IT security. The reasons why are obvious. Securing physical assets is largely operational too. Amdocs are trying to tell telcos what risks they should focus on, instead of being honest about the full range of risks that telcos face. Trying to define words so they match a suite of software products is an old trick they have used many times before. The trick has been failing, and will increasingly fail for Amdocs, not least because their competitors have a broader range of offerings which can mitigate a wider range of risks.

Q: How is technology changing ORM?

A: Most legacy risk management systems — whether they focus on revenue assurance or fraud prevention…

Excuse me as I interrupt. The article has taken two enormous steps down: from all risk management to operational risk management, and then from operational risk management to RAFM. I am a champion of RAFM professionals seeking to obtain new career opportunities by taking on a wider range of risk responsibilities, but it is simply wrong to pretend that ‘legacy risk management systems’ are synonymous with ‘revenue assurance or fraud management’. There are a lot more operating risks, and a lot more systems that have been devised to face them. Accepting Hezi’s sales pitch at face value will only help you to limit your career.

…depend on knowing what they’re looking for to provide detection and prevention.

Did you see the switch that Hezi tried to pull on you? We started with a piece about ‘preventative measures’ and already we are reduced to using data to detect errors and frauds that have already occurred. That is because Hezi sells software that detects errors and frauds after they occur. If security professionals managed operational risk like Hezi wants telcos to manage every risk then telcos would let members of the public stroll around their offices, looking wherever and taking whatever they like, but we would only seek to protect the assets after they went missing!

blah blah… algorithms that sift through huge amounts of data… blah blah

Seriously, there is no point reading the article. Within less than a hundred words we discover that Amdocs’ vision for the entirety of telecoms operational risk management is to fire everybody who does it because every risk manager can be replaced by software that only knows how to look for patterns in data.

…are traditional risks still a threat?

This question is an excuse to talk about all the old things Amdocs knows how to talk about, in the hope you did not notice they said nothing about risks relating to IoE or NFV.

…In fact, there’s a big risk in moving forward too quickly. Communication service providers currently lose about 3 percent of revenue every year to RA&FM-related issues. This is a huge number.

So now Amdocs is telling us that tackling the same frauds and causes of leakage for ten years in a row is equivalent to “moving forward too quickly”. It may be moving forward too quickly if you are a member of the (dwindling) R&D team working on their RAFM products. It is not moving forward too quickly if you want to hold on to your operational risk management job in a telco. Some of the rest of us need to be worrying about video streaming piracy, and OTT bypass, and SIM swapping, and all the other risks that telcos talk about at RAG conferences but which are ignored by this article. And these risks are not just identified as major concerns by telcos; they are also tackled by products and services offered by Amdocs’ rivals.

Or we could just keep repeating the mantra of ‘3 percent’ for the next decade, and see where that gets us. But we should know where this path leads. Consider all the former Cvidya employees who lost their jobs after their firm was acquired by Amdocs at a rock-bottom price. They did not anticipate the risks. Learn from their example.

To save time on this repetitive twaddle, we should skip to the conclusion…

Zelevski’s point that old risks continue to pose a threat for CSPs alongside new ones…

The article starts by promising to discuss new risks that have something to do with digital transformation, but never does. The whole piece is a swindle, designed to make you read about the same old risks that we all knew about before.

…was underscored last June when fraudsters operating out of the Pacific island of Tonga made news around the world. According to media reports, the unknown culprits used a classic “one ring” scam placing brief calls to numbers around the world, then charging high international call fees if they called back.

Same. Old. Risks. If we want to make progress with mitigating these risks perhaps we should listen to a fraud manager from a Tongan telco, instead of playing a continuous loop of the golden oldie sales pitches from an Israel software developer.

It was the oldest trick in the book, and yet in 2017 it apparently it (sic) still worked. For CSPs the lesson was clear: Lightning can strike the same place twice.

Something similar could be said about Amdocs’ marketing: it is the oldest trick in the book, and we have all read this book before, and we all know how the trick works. They can repeat, repeat, repeat the same messages but that does not make their products or services any better, newer, or more appealing to customers.

Let me now tell you a short story about how Amdocs manages their own risks. Amdocs, perhaps realizing they were missing out on an event that has quickly attained some significance in the RAFM market, decided they would attend RAG’s conference in Bonn. They booked a few seats for free, because even vendors are allowed free seats; we want RAG to be attended by people who care about risk and assurance, no matter who employs them. So some Amdocs employees could have come to RAG Bonn and listened to telcos talking about the risks they face and what they are doing to address them. But nobody from Amdocs showed up. Hezi Zelevski booked a seat but did not have the good manners to cancel his booking. (I have to think about such things because of the risk that we will have empty seats, or not enough seats, or that there is not enough food for guests, or we waste money on food that nobody eats.) A smarter business might have realized that what can be given for free can also be taken away for free. After the event, Amdocs took the hint, and offered to sponsor RAG Johannesburg. And that was when they really screwed up.

I understand that the vendors who sponsor RAG have to comply with laws in their country. But no business, not even Amdocs, needs RAG to provide them with an Israeli withholding tax certificate after previously telling us they intended to sponsor RAG via their UK subsidiary company. Instead of managing their risk of breaking Israeli tax law, which is irrelevant between UK businesses, Amdocs showed they are a big ugly multinational bureaucracy that lacks intelligence. That was bad enough, but the ‘qualification’ questionnaire sent by Amdocs to RAG was even worse. Consider that Amdocs has thousands of employees whilst RAG is a nonprofit run by volunteers. Is it necessary that Amdocs protect themselves from the ‘risk’ of engaging with RAG by demanding answers to the following questions?

  • Does your company provide products/services to Amdocs competitors? Errr… obviously! RAG runs conferences. One of the reasons Amdocs wanted to come is because all their competitors were already taking part in these conferences.
  • Were there any minor legal claims against you in the past 5 years, including by your employees? If so, please specify. Amdocs literally asks about all ***minor*** legal claims, although it is highly unlikely this would cause them to alter a business decision. Think of it this way: do you think they want to tell every telco about every minor legal claim against Amdocs?
  • Is your company accredited to ISO or equivalent certification? RAG runs very good conferences that people like to come to. Who needs a certificate?

So where did Amdocs’ risk management lead them? It resulted in a scenario where their marketing geniuses not only failed to sponsor a conference, not only failed to attend a conference for free, but have now got themselves effectively barred from future conferences. That is the price they will pay for thinking that a few thousand dollars can give them the power to waste other people’s time. But the good news for me is that it eliminates the risk that RAG would need to throw them out after they misbehaved on stage.

Intelligent human beings can think about risk creatively and respond to it appropriately. Machines and bureaucrats hammer away at the risks they are programmed to deal with, and are incapable of responding to any others. Amdocs bangs away at old threats for traditional telephony businesses, without offering a single observation about the plethora of risks involved in digital transformation, few of which can be managed by simply analyzing data. Why have they not addressed the declining value of their RAFM products by developing tools that anticipate emerging risks? Their marketeers understand the commercial dangers of missing important events that their competitors attend, but their exclusion has been guaranteed by the company’s mindless paper-pushing approach to trivial and irrelevant risks. Why do they ask to contribute to a nonprofit conference but then behave so arrogantly that it provoked this article? The answers to these questions reveal how Amdocs manages risk in practice, and explains why you should not take risk advice from Amdocs.

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric's history as editor.