The 2017 ‘Risk in Review’ study by PwC is not specific to risk management in telcos, and is too specific to the USA. However, a quick read allows us to contrast the key risk management messages being aimed at US executives with the way telcos manage risk around the world. Here are three takeaways that are worth highlighting.
1. Many businesses are moving risk to the front line, but not telcos
PwC repeat the same observation throughout their report: instead of just managing risk through a dedicated second-line team, businesses have more success if they move responsibility and decision-making to the front line.
Analysed year on year, our survey data shows a clear trend towards business unit and corporate executives taking the lead role by aligning ownership of key business risks with ownership of risk decision making.
In all, nearly two-thirds (63%) of our respondents said shifting more risk management responsibilities to the first line makes their companies more agile – this is, better at anticipating and mitigating risk events – and 46% have plans to further this shift within the next three years.
But perhaps you might find it hard to believe that telcos will improve risk management by shifting the responsibility towards their sales and customer service functions. That also fits with PwC’s data, which stated that technology, information, communications, entertainment and media firms were far less likely to be ‘front-liners’ than consumer, industrial, and financial firms.
2. Collaborative risk management benefits everyone
PwC make a strong argument for seeing risk management as a collective activity that works at every layer of the business.
First-line decision makers anticipate business risks, embed risk management in both strategic planning and tactical execution, and assign the right risks to be managed in the right places.
Second-line risk and compliance functions work collaboratively with the first line, providing checks and balances to optimise the risk management process.
Third-line internal audit objectively tests controls, and provides independent assurance, assessing first and second line risk activities.
This sounds a lot like the theories that propelled the original TMF RA Maturity Model, where the emphasis was on decentralization and transferring responsibility to operational units rather than trying to concentrate assurance work in a dedicated team. It also suggests that second line functions should seek a much more effective relationship with their colleagues in Internal Audit!
3. Chief Risk Officers are the norm
PwC does not say that big businesses should have a Chief Risk Officer (CRO). That is because they assume they already have one.
Even as companies are shifting risk management decision making towards corporate leadership and the business units, chief risk officers (CROs) are aiming to make their roles and functions more strategic.
PwC went on to state that 57 percent of CROs intend to increase their involvement in strategic planning during the next 18 months.
The perceived importance of the CRO was underlined by PwC when they stated his or her role is to enable…
…effecive risk management by promoting active monitoring, leading risk tolerance training, and coordinating with the CIO/CISO to manage cyberrisk organisation wide.
Contrast this ambition for CROs with our experience of risk management in telcos. We tend to focus on risk management at a much lower level, with the emphasis placed on catching specific operational errors. Perhaps that is because our most senior risk managers are expected to have an operational focus, and rarely communicate with c-level executives.
Conclusions
The study is not especially relevant to most telcos, but it does highlight that telcos may be falling behind in crucial areas. We know that we need a more integrated approach to risk management which connects operational details to strategic priorities. So far, most of us are bogged down in trying to make money from fixing detailed issues, and only a minority of telcos would think to appoint a CRO.
The complete PwC 2017 Risk in Review report can be downloaded from here.
It’s interesting how Telcos once led the risk management space by leveraging data digitalization to monitor (near) real-time controls on risk and as detailed information along the value chain starts to become more available they start fall behind. Do you see this more as a lack of focus on risk when compared with the speed of innovation that is required to keep them on the market or do you see this as a result of the lack of skilled resources that were mandatory to taking it further the innovation that telcos used to have to monitor data on risk management? Despite all this I still think that are some CSPs where RA departments for instance are “transmorphing” from IT skills to advanced audit capabilities.
Carlos, thanks for a great comment.
I don’t think ‘speed’ is any part of the problem – I think that’s just a terrible excuse used by people who don’t want to confront more severe issues with how telcos are run. If anything, ‘speed’ is a reason to invest more heavily in skills and technology to proactively manage risk, not a reason to focus on other matters. To put it simply, should you pay more or less attention to the road ahead if you choose to drive your car faster? Do you pay more or less attention when driving fast along a curvy cliff face instead of a straight flat road in the middle of nowhere?
The problem, as you have identified, is a lack of skilled resource, but the gap in skills goes up all the way to the board. It’s hard to recruit somebody with advanced skills if you have none of those skills yourself. That is because correctly identifying if somebody else is competent to perform a task is correlated to having the competency to perform the same task yourself.
In this instance, the ‘task’ of risk management is epistemological – it involves identifying where you have gaps in knowledge and reducing uncertainty by closing those gaps wherever practicable. So you might say the problem of telcos is exemplified by an old English saying: we have the blind leading the blind. They literally don’t know what risks they are taking, and can’t see the need to employ somebody who might tell them.
The irony, as you’ve somewhat pointed out, is that there are still some CSPs where an evolution is taking place in RA teams, despite the lack of support from above. These teams can see the truth of what is going wrong and are teaching their bosses to see the truth too.
Unfortunately, instead of incentivizing risk leaders to teach them more truth, most execs either refuse or are incapable of removing their blindfolds. They would rather run their businesses like Yahoo, TalkTalk or BT – and look at what happened to the value of those businesses as a result of the risks they didn’t even know they were taking. These businesses are so lacking in risk awareness that they run at speed like Wile E. Coyote chasing after Road Runner, and their chief risk management strategy is to believe that if they go over the edge of the cliff they won’t fall so long as they keep their legs moving and refuse to look down…