New Risk Management Case Study From MegaFon and Palisade

Take a deep breath, as what I am about to write might shock you. Some software developers who talk about risk management are lying to you. Or at least, they do not tell you the whole truth, by refusing to comment on the things they cannot do, or do not understand. New proof comes from a software developer that knows a lot about about risk management. Palisade has been making risk management software since 1984. Headquartered in New York, and with offices in Tokyo, Sydney, London and Rio de Janeiro, they sell cost-effective risk management software to all sorts of customers – because many big businesses have more sophisticated risk management than that found in telcos. Palisade’s tools are based on Monte Carlo simulation, and they have just released a new case study about Enterprise Risk Management in MegaFon, the Russian telco.

Monte Carlo? Some readers will not know what Monte Carlo simulation is, including readers who have some risk management responsibilities in their job description. That was why I slipped the phrase into the text. I want to provoke people into thinking about all the risk management tools and techniques they currently know nothing about. Revenue assurance should teach people that our failings stem from the limitations of our knowledge. And yet, whilst we recognize this truth, telecoms risk management suffers from an insular viewpoint. Some narrow people claim to have broad expertise on every subject, including the whole of risk management. In truth they know only a telecoms-specific view of the world, and can only thrive because telcos are so far behind other industries when it comes to implementing risk management. They are like false prophets, giving instruction to a small band of people who live on a remote island. Whilst they claim to have knowledge of the universe and its mysteries, they have no knowledge of the world beyond their island. The quickest evolutionary path is for telcos to learn how other sectors manage risk. Or in this case, we can also learn from MegaFon’s example.

Put simply, Monte Carlo techniques reveal the likelihood of different outcomes by setting up a game, and then rolling the dice repeatedly, to see which outcomes win most often, and which lose most often. In this context, the game is a mathematical model of an organization or a project, and the role of the dice is played by a random number generator. If we estimate probabilities for a variety of factors that will influence the results of an organization or project, we can then use random numbers to run multiple simulations of how the causal factors interact, in order to map the distribution of overall results. As such, we can quantify the range of risk in any decision, and hence alter decisions according to our appetite for risk.

A poker player cannot determine which cards he is dealt, but a good poker player wins more often than a bad poker player, because he makes better decisions. In the same way, we cannot control all the factors that influence our business, but we can make better decisions if we methodically measure the influence of factors outside of our control. The MegaFon case study helps to explain how to do that in practice.

Here are some key extracts from the case study, explaining how MegaFon uses Monte Carlo techniques to manage risk in their budgeting process:

Each branch [of MegaFon] states the risks it faces, such as competition, changes in legislation that will require it to operate differently, price increases and changes to staffing costs. They also calculate how much each budget will be over or under the forecast.

The risk management team at MegaFon’s headquarters amalgamates the information from each of its offices and simulates possible scenarios… allowing the five critical factors most likely to significantly affect the company’s gross revenue to be identified and therefore mitigated.

In addition… minimum, best case and median budget figures and the probability of their occurrence… are compared to the budget plans to determine whether the forecast is too aggressive or not ambitious enough.

As well as budgeting for business as usual, MegaFon uses their Palisade Monte Carlo tools to help them make better decisions for capital investment:

In 2012, MegaFon took the decision to invest in a large construction project with the aim of minimising its operating costs and improving network quality and control over technical operations.

Two potential locations were shortlisted and the management team used Palisade’s software to make an informed decision on the optimal one. It first used Palisade’s TopRank to perform sensitivity analysis to identify the factors in each location that would have the most influence over the total cost of the project.

From here, the team used @RISK to forecast how these critical factors might change. This allowed MegaFon to understand the most likely Net Present Values (NPVs) for each possible location and identify the risks for building or not building (i.e. opportunity cost) each data centre.

@RISK allowed MegaFon to use graphs to show easily how NPV and cash flows could change over time, and the probabilities of those changes occurring, rather than the static number that they would have had to rely on without the risk analysis tool.

This is a beautiful example of how to manage risk in a telco. Hence, it is tragic that so few telcos use techniques like these. The tragedy is even greater because some telcos listen to software firms that push ‘risk models’ that do not deserve the name. In the meantime, MegaFon is using tried and tested techniques which have already been automated, making them accessible to risk managers who do not have the time to build a Monte Carlo model from scratch.

Dmitry Shevchenko, Head of Risk Management at MegaFon, is quoted:

“Palisade’s decision support software is a well-balanced and flexible instrument that can be applied to a wide variety of situations, making it ideally suited to managing risk across the enterprise.”

Compare that to the misnamed ‘risk models’ found elsewhere, and we see why they are not genuine models of risk. There are many kinds of risk across the telco, and the models will be different for each telco. Some of the so-called ‘risk models’ being pushed at telcos only model one or two specific kinds of risk, and the models are inflexible, implying all telcos have a similar risk profile. Why would any risk manager use software to model only one kind of risk, in a way that forces him to use the same generic model as every other telco, when there is software that allows him to model every kind of risk, and to build a model that is specific to his company? I assume there is only one answer to my rhetorical question: the risk manager did not know there were other, better, tools that he could have used.

Mike Willett recently interviewed me for the talkRA podcast, and I fear I may have offended some people when he asked my thoughts about revenue assurance managers seeking to become risk managers. I was blunt. I said the problem was a lack of training, and the danger was that under-trained people may take on responsibilities without having an appreciation of the gaps in their skillset, and how that will alter their perception of risk. Already, I know that under-trained and under-skilled individuals are being given risk management jobs in telcos. This is not a good thing for their business, nor for the individual. Whilst it may feel like a promotion, the undertrained risk manager must push back, and ensure they have the skills needed for the job, or their failures will have serious implications for their business, their colleagues, and themselves. They need to find trustworthy advisors, and not just listen to the comforting, convenient nonsense spewed by the false prophets. When speaking to Mike, I drew upon an analogy coined by Abraham Maslow:

If you only have a hammer, you tend to see every problem as a nail.

There is no doubt that RA practitioners have some very useful skills that can be applied to manage risks more generally. They possess some powerful tools. But they do not have as wide a range of tools as they need in their toolbox, if they are genuinely going to manage the range of risks implied by a job title like ‘risk manager’. It is no good to turn around later, and make the excuse: “it’s my job to manage this risk, but not that risk”. Was it clear from the job title which risks were being managed? Was it clear from the job description, and the list of responsibilities? And where the risk manager decides they are not responsible for a certain kind of risk, who is responsible for identifying situations where the company faces a risk, but nobody is managing it? These are big questions. And once again, the telco world is being misled by people who, lacking any answer to the big questions, refuse to acknowledge them. They offer answers, but only to those questions where they already have an answer.

Techniques like Monte Carlo simulation should be in the toolbox of every risk manager, so they can be used when they are the best tool for the job. I hope this brief and excellent case study from MegaFon and Palisade helps to open some eyes to the limitations of the tools being used by some telco risk managers. There is a general rule for risk, which states we cannot manage a risk until we have identified it. Let us be honest with ourselves, and admit to the gaps in our knowledge, skills, and tools. When we do that, we create the possibility of improving our performance, and closing those gaps.

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric's history as editor.
  • Daniel Peter

    Palisade’s case study is not very specific to Telco; these risk mitigation techniques are applicable for all capital budgeting activities. Risk managers need sound knowledge of statistical concepts and simulation techniques have to be applied in important decisions. Analysis ToolPak and Solver in Excel can add a lot of value in decision making process when used effectively

    • @ Daniel, I agree. This case study is not very specific to telco. I would like to highlight how some people are wrong to suggest they have a deep insight into risk management because they have specialized knowledge of telcos. In fact, their specialism works against them, if they have no knowledge of risk management as practised by other sectors, who may be more sophisticated than telcos. Individual risk profiles will vary from telco to telco, but the kinds of risks they face may have many similarities to the kinds of risks found outside telecoms. For example, telcos need to manage risks surrounding inventory just like any business which has inventory… but how often do we hear about telcos adopting techniques developed by non-telcos with big warehousing operations? Why wouldn’t they?

      Also, I agree that more generic office software can add a lot of value if used effectively. But then, this should hardly be surprising to RA practitioners. Many of them have used generic office software to accomplish their goals, when no specialist software was available. If anything, this reinforces my point that telco people need to teach each other about techniques, rather than relying on software vendors to set the agenda for how to do risk management, just like they have been allowed to set the agenda for RA. If you let software vendors set the agenda, we’ll always hear that problems can only be solved by buying off the shelf products. This influence can be unhealthy, as becomes obvious when you look at the ‘risk model’ pushed by the TM Forum. The same risk model is sold by cVidya as an automated product. Does anyone seriously believe that the TMF shouldn’t have just given us all an Excel example of a risk model, which every telco could then have easily modified to address the risk profile, without needing to pay a vendor to modify it? To describe such flagrantly exploitative behaviour as ‘best practice’ is an insult to anyone working in the field.