This article is the seventh in a series of ten about major issues facing revenue assurance and fraud management. The aim is to conduct a ‘reverse survey’ – the importance of the ten issues will be ranked according to how many people read and share each article. The subject of this piece has long been discussed by RAFM professionals, though the conversations tend to be casual and are rarely subjected to proper examination. We all know that the scope of compliance obligations can overlap with that of revenue assurance and fraud management, and this conjunction can occur for several reasons. But are externally enforced compliance rules helpful to RAFM, or a hindrance?
Never mind the work, count the jobs
There is a saying when it comes to clothes: ‘never mind the quality, feel the width’. The idea is that the quality of material is just one factor that determines price. The amount of material, and its weight, are also relevant. This principle is sound, even if some us choose not to buy suits cut from cheap cloth. For the same reason, there is nothing wrong with people wanting a job; even a bad job may be preferable to no job. So returning to a theme from my earlier post about professionalization, we can dance around the topic but one key influence over the decisions we make and the opinions we hold is whether people will get (and keep) jobs. And that is the key reason for RAFM practitioners to like regulation: we may think regulation creates jobs, and makes jobs safer, because the telco is compelled to do something it might not otherwise do.
So now you understand why I opened with that old saying about clothes. You might think you look good whilst wearing a cheap suit, and a cheap suit may be preferable to your birthday suit. But low quality is not preferable to high quality, and that is the risk when relying on regulation to write a job description. If the only way you can motivate a business to do something is to threaten them with a penalty if they do not, then what are the chances they will do it enthusiastically, and so give more than the minimum reward to the person employed to do it?
Perhaps something is better than nothing, even if that something has to be imposed by an external force. That is what this debate is really about: whether the impetus given by an externally-driven compliance program is better than fighting for RAFM on its own merits within the telco. We should also consider the possibility that external interference might do more harm than good because it forces telco staff to change their priorities and distracts them from the areas where their work should really be focused.
Examples in the real world
Regulators and legislators have been presented as proponents of RAFM, sometimes without their knowledge, on several distinct occasions. Nobody can do a thorough global review of the intersection between compliance and RAFM because compliance tends to be enforced on a national level and ours is a global industry. However, I will briefly discuss a few well-known instances of when compliance and RAFM have come together, so we can think clearly about what was supposed to happen, and what really happened.
Perhaps the best known intersection of compliance and RAFM occurred as a consequence of the Sarbanes-Oxley (SOX) Act of 2002, passed by the US government to reduce the likelihood of major corporate failures due to accounting mistakes and frauds. Though the law was passed in the USA it affected many international telcos because it applied to any business whose stocks were listed on a US exchange. Section 404 of SOX mandated an assessment of internal control, and this was often singled out as a vital reason to invest in RAFM, on the basis that RAFM is a discipline which implements internal controls. Many professionals jumped on this bandwagon, including some very senior qualified accountants. However, the high-level simplicity of the coincidence – SOX wants internal controls, RAFM wants internal controls – led many to miss the point of SOX entirely.
SOX was designed to protect shareholders. Shareholders need to be protected from the overstatement of the performance of a business, as that would lead them to invest in bad businesses which they would avoid if they knew the truth. Hence pertinent internal controls should be designed to detect and prevent error and fraud in order to lower the reported performance of the business, where necessary, by stifling any possible internal source of exaggeration. This thought process represents the essence of being risk conscious – we focus on the direction of risk so we counter the threats we are genuinely worried about.
At the same time, some RAFM people (and their accomplices) were arguing that SOX compliance mandated investment in controls to increase revenues, increase the amount billed, increase the cash collected and increase profits. They studiously avoided the suggestion that such controls might ever depress results, especially if they tackled internal frauds linked to bonuses, commission payments etc. They proposed the purchase of systems and implementation of controls that would never lead to reduced results; for example, hunting for missing CDRs will never lead to a reduction in revenues reported. RAFM was presented as a way to satisfy SOX that was also guaranteed to boost the actual performance of the company, whilst making no link to the motivating issue of SOX which was the misreporting of results. So SOX compliance is an archetype for how compliance can be presented as a motivator for RAFM even when there was no common control objective of any sort whatsoever. In short, some people were desperately using SOX as a motivation for investment in controls that had no actual relevance to SOX compliance.
In contrast to SOX, the UK’s metering and billing (M&B) regulations have had limited impact outside of their country of origin, mostly because they were always so unbelievable that few other regulators were daft enough to take them seriously. At a time when most telcos were struggling to reconcile intercarrier bills to their own records, when customers would regularly find plenty of errors and when telcos were getting used to the idea that there was a variance of several percentage points between what was billed and what should be billed, the UK proclaimed that every single phone bill was already so accurate that only a pedant with OCD would care about the odd penny-in-a-hundred-thousand that supposedly still went astray.
But as flawed and as ridiculous the UK’s M&B regulation was, it did create jobs and it did force investment. Many UK practitioners credit it with promoting investment in British RAFM, and not without justification. Some of those investment decisions were poor: UK telcos spent a lot of money on test call generators that repeatedly told them everything was fine, begging the question of how these tools were ever supposed to generate a return. And the irony was that things were far from fine; test calls were typically exercised with too little variation to identify the majority of errors that impacted billing accuracy. But the UK’s example is a relative success story when looking at situations when compliance is supposed to bolster RAFM. Money was invested on checking bills, unproven software was given a chance, and the UK recruited revenue assurance teams earlier than other nations.
Currently the ‘best’ argument for regulatory intervention in RAFM is focused on Africa, where various countries have implemented or are considering the imposition of national revenue assurance audits. These audits are presented as having two objectives, which are supposedly aligned. One is to ensure the government collects all the tax that is due to it from telcos. The other is to prevent revenue leakage as a result of simbox fraud. The proponents of such schemes hence argue that African telcos are so greedy they will illegally boost their returns by not paying their taxes honestly and so lazy that they fail to stop the illegal activities of criminals who eat into the telco’s returns.
I cannot comment on behalf of every African telco, so I cannot argue this view is definitely misguided. Perhaps some telcos are so corrupt, incompetent, self-serving and ineffective that they steal from the government because they feel that is easier than countering the criminals that steal from telcos. Time will tell; we shall see if these national schemes reduce fraud and lead to massive sustainable increases in tax collection, even though they are rolling out just as OTT bypass is skyrocketing in popularity and making both international termination fees and simbox fraud redundant. But if this dismal view of African telcos has any merit I would still question whether government intervention will benefit RAFM practitioners. Firstly, a centralized audit implies the competence lies with the central auditor, not with anybody working in the telco. More importantly, even the best government can only put limited time and resources into enforcing rules on bad businesses. If a business is so badly run that its fraud management team cannot make the argument for fraud prevention in the face of so much fraud that even the government thinks it can make easy money by preventing it, then they are working for a business where they will never succeed. Those with the requisite ability should simply take their talents elsewhere, or apply for a job in government.
Whose best interests were we interested in?
If we step back and avoid the temptation to be selfish, it is important to ask who is supposed to be served by the work of RAFM. Is it the customers? Or maybe the shareholders? Or somebody else entirely? For all the conferences I have attended and all the articles and blogs I have read, it is clear there is still a lot fuzziness about whose interests are being served, and this is one serious obstacle to RAFM becoming a genuine profession. I have no doubt that if we surveyed a room of current RAFM practitioners many would concentrate on pleasing their CFO, because he or she is the c-level executive they ultimately report to. Pleasing your boss is as natural and as obvious as wanting a job, but pleasing the CFO cannot be a reason to do RAFM. That answer is like the punchline to the old joke about the chicken crossing the road. Of course the chicken wants to get to the other side, but where after that? Of course people who work for the CFO will do what their CFO wants, but how can they do it well if they do not understand what the CFO is trying to accomplish?
Regulators have objectives. So do businesses. They differ, or else there would be no reason to have regulators. The answer to whether we should embrace regulation cannot be answered without first asking what the business is trying to do, and the role of RAFM in that context. Only then can we look at specific compliance programs and determine if they really help us to do good work.
In life we must talk in generalizations for the sake of brevity, then be prepared to deal with real complexity, and the reason we need RAFM is that real life is more complex than our hopes and ideals. It is idealistic to say a business has objectives, because a business is not a single person and there will always be tensions and competition between people inside the business. Some will care more about serving customers. Others will focus more on profits. None of this is difficult to understand. From time to time countries will feel the need for legislation and regulation to protect people from the potential failings of businesses, whether they are customers, shareholders, employees or other stakeholders. To determine if externally-imposed compliance objectives match our own priorities we must begin by being honest with ourselves, and identifying what our current priorities really are.
