Take a deep breath, as what I am about to write might shock you. Some software developers who talk about risk management are lying to you. Or at least, they do not tell you the whole truth, by refusing to comment on the things they cannot do, or do not understand. New proof comes from a software developer that knows a lot about about risk management. Palisade has been making risk management software since 1984. Headquartered in New York, and with offices in Tokyo, Sydney, London and Rio de Janeiro, they sell cost-effective risk management software to all sorts of customers – because many big businesses have more sophisticated risk management than that found in telcos. Palisade’s tools are based on Monte Carlo simulation, and they have just released a new case study about Enterprise Risk Management in MegaFon, the Russian telco.
Monte Carlo? Some readers will not know what Monte Carlo simulation is, including readers who have some risk management responsibilities in their job description. That was why I slipped the phrase into the text. I want to provoke people into thinking about all the risk management tools and techniques they currently know nothing about. Revenue assurance should teach people that our failings stem from the limitations of our knowledge. And yet, whilst we recognize this truth, telecoms risk management suffers from an insular viewpoint. Some narrow people claim to have broad expertise on every subject, including the whole of risk management. In truth they know only a telecoms-specific view of the world, and can only thrive because telcos are so far behind other industries when it comes to implementing risk management. They are like false prophets, giving instruction to a small band of people who live on a remote island. Whilst they claim to have knowledge of the universe and its mysteries, they have no knowledge of the world beyond their island. The quickest evolutionary path is for telcos to learn how other sectors manage risk. Or in this case, we can also learn from MegaFon’s example.
Put simply, Monte Carlo techniques reveal the likelihood of different outcomes by setting up a game, and then rolling the dice repeatedly, to see which outcomes win most often, and which lose most often. In this context, the game is a mathematical model of an organization or a project, and the role of the dice is played by a random number generator. If we estimate probabilities for a variety of factors that will influence the results of an organization or project, we can then use random numbers to run multiple simulations of how the causal factors interact, in order to map the distribution of overall results. As such, we can quantify the range of risk in any decision, and hence alter decisions according to our appetite for risk.
A poker player cannot determine which cards he is dealt, but a good poker player wins more often than a bad poker player, because he makes better decisions. In the same way, we cannot control all the factors that influence our business, but we can make better decisions if we methodically measure the influence of factors outside of our control. The MegaFon case study helps to explain how to do that in practice.
Here are some key extracts from the case study, explaining how MegaFon uses Monte Carlo techniques to manage risk in their budgeting process:
Each branch [of MegaFon] states the risks it faces, such as competition, changes in legislation that will require it to operate differently, price increases and changes to staffing costs. They also calculate how much each budget will be over or under the forecast.
The risk management team at MegaFon’s headquarters amalgamates the information from each of its offices and simulates possible scenarios… allowing the five critical factors most likely to significantly affect the company’s gross revenue to be identified and therefore mitigated.
In addition… minimum, best case and median budget figures and the probability of their occurrence… are compared to the budget plans to determine whether the forecast is too aggressive or not ambitious enough.
As well as budgeting for business as usual, MegaFon uses their Palisade Monte Carlo tools to help them make better decisions for capital investment:
In 2012, MegaFon took the decision to invest in a large construction project with the aim of minimising its operating costs and improving network quality and control over technical operations.
Two potential locations were shortlisted and the management team used Palisade’s software to make an informed decision on the optimal one. It first used Palisade’s TopRank to perform sensitivity analysis to identify the factors in each location that would have the most influence over the total cost of the project.
From here, the team used @RISK to forecast how these critical factors might change. This allowed MegaFon to understand the most likely Net Present Values (NPVs) for each possible location and identify the risks for building or not building (i.e. opportunity cost) each data centre.
@RISK allowed MegaFon to use graphs to show easily how NPV and cash flows could change over time, and the probabilities of those changes occurring, rather than the static number that they would have had to rely on without the risk analysis tool.
This is a beautiful example of how to manage risk in a telco. Hence, it is tragic that so few telcos use techniques like these. The tragedy is even greater because some telcos listen to software firms that push ‘risk models’ that do not deserve the name. In the meantime, MegaFon is using tried and tested techniques which have already been automated, making them accessible to risk managers who do not have the time to build a Monte Carlo model from scratch.
Dmitry Shevchenko, Head of Risk Management at MegaFon, is quoted:
“Palisade’s decision support software is a well-balanced and flexible instrument that can be applied to a wide variety of situations, making it ideally suited to managing risk across the enterprise.”
Compare that to the misnamed ‘risk models’ found elsewhere, and we see why they are not genuine models of risk. There are many kinds of risk across the telco, and the models will be different for each telco. Some of the so-called ‘risk models’ being pushed at telcos only model one or two specific kinds of risk, and the models are inflexible, implying all telcos have a similar risk profile. Why would any risk manager use software to model only one kind of risk, in a way that forces him to use the same generic model as every other telco, when there is software that allows him to model every kind of risk, and to build a model that is specific to his company? I assume there is only one answer to my rhetorical question: the risk manager did not know there were other, better, tools that he could have used.
Mike Willett recently interviewed me for the talkRA podcast, and I fear I may have offended some people when he asked my thoughts about revenue assurance managers seeking to become risk managers. I was blunt. I said the problem was a lack of training, and the danger was that under-trained people may take on responsibilities without having an appreciation of the gaps in their skillset, and how that will alter their perception of risk. Already, I know that under-trained and under-skilled individuals are being given risk management jobs in telcos. This is not a good thing for their business, nor for the individual. Whilst it may feel like a promotion, the undertrained risk manager must push back, and ensure they have the skills needed for the job, or their failures will have serious implications for their business, their colleagues, and themselves. They need to find trustworthy advisors, and not just listen to the comforting, convenient nonsense spewed by the false prophets. When speaking to Mike, I drew upon an analogy coined by Abraham Maslow:
If you only have a hammer, you tend to see every problem as a nail.
There is no doubt that RA practitioners have some very useful skills that can be applied to manage risks more generally. They possess some powerful tools. But they do not have as wide a range of tools as they need in their toolbox, if they are genuinely going to manage the range of risks implied by a job title like ‘risk manager’. It is no good to turn around later, and make the excuse: “it’s my job to manage this risk, but not that risk”. Was it clear from the job title which risks were being managed? Was it clear from the job description, and the list of responsibilities? And where the risk manager decides they are not responsible for a certain kind of risk, who is responsible for identifying situations where the company faces a risk, but nobody is managing it? These are big questions. And once again, the telco world is being misled by people who, lacking any answer to the big questions, refuse to acknowledge them. They offer answers, but only to those questions where they already have an answer.
Techniques like Monte Carlo simulation should be in the toolbox of every risk manager, so they can be used when they are the best tool for the job. I hope this brief and excellent case study from MegaFon and Palisade helps to open some eyes to the limitations of the tools being used by some telco risk managers. There is a general rule for risk, which states we cannot manage a risk until we have identified it. Let us be honest with ourselves, and admit to the gaps in our knowledge, skills, and tools. When we do that, we create the possibility of improving our performance, and closing those gaps.