A typical assurance professional is a ‘Jack of all trades’ per the old English expression. Dealing with the complexity that causes otherwise unnoticed mistakes requires a multitalented individual who can competently perform numerous tasks. However, the downside to being the Jack of all trades is the perceived lack of mastery of any particular trade. In English, the phrase ‘Jack of all trades’ is often followed by ‘master of none’. Human beings are prejudiced against versatile individuals whose work does not conform to a narrow definiton, as can be seen by versions of the same idea being expressed through proverbs in different languages.
|Spanish||aprendiz de mucho, maestro de nada||apprentice of a lot, master of nothing|
|German||Ein Hans in allen Gassen gilt nichts,
den soll man hassen
|a Jack in every street is nothing;
you should hate him
|Cantonese||周身刀，无张利||equipped with knives all over,
yet none is sharp
|Hebrew||תפסת מרובה לא תפסת||he who has seized a lot, has not seized||Tamil||பல தொழில் கற்றவன் ஒரு தொழிலும் செய்யான்||he who starts many businesses
has no businesses
Being perceived as a Jack of all trades impedes the careers of most assurance staff. They neither receive the recognition nor the rewards commensurate with the varied roles they must play in order to protect their businesses. What can be done to switch from the prejudice that punishes the assurance professional for being second-rate at many tasks, to rewarding the same person for being first-rate at the specialized role of assuring the business?
One area that is going wrong for business assurance is that telcos are training people in specialisms that are not business assurance. Such training is offered for legitimate short-term reasons: nobody provides high-quality training that is focused on business assurance. This has led to a vicious downward cycle that the community has been unable to reverse. When telcos spend on training their business assurance staff, they purchase courses that are not strictly relevant to those employees. This money does not go towards incentivizing somebody else to develop good training for business assurance. The quality of courses remains poor, and managers in developed countries with larger training budgets will not consider them. The only significant market for these courses is based on the exploitation of low-paid workers in developing countries who think they are receiving US-grade training without learning that nobody in the USA has ever heard of their training provider.
In developed countries it is common to find business assurance managers who spend training budgets on the next best available topics, where there are high-quality courses that lead to genuinely respected qualifications. It is entirely appropriate to give somebody training in a domain like IT security if they are expected to work in their company’s IT Security department, but has serious downsides when given to employees responsible for business assurance. A business assurance professional does not need to know much about firewalls or bots but they should understand about revenue recognition, net present values and Monte Carlo methods. I write this precisely because I know many of you will have been taught nothing about the latter three topics and hence cannot appreciate how much your ability to perform your job has been hampered by lacking knowledge of these areas. Dentists are a kind of doctor but they are not expected to learn about brain surgery. Both business assurance professionals and IT security professionals are engaged in the management of risk, but that does not mean training that is vital for one is also going to be useful to the other.
Telcos demand that their assurance teams have an ever-increasing breadth of skills and knowledge, but the HR teams in telcos are incapable of developing their assurance staff within the limits of the budget they are willing to spend. Most assurance staff are forced to muddle along, learning on the job or taking peripheral training courses because no other form of education is available to them. The value of informal education should not be underestimated, but it is difficult to convey when changing jobs. Business assurance professionals are consequently underpaid and will remain underpaid, or they choose to switch to a more profitable career, further draining the pool of talent needed to develop the practice of business assurance.
The transferability of skills learned through business assurance is also difficult to demonstrate. Business assurance professionals may have learned a great deal through informal channels about the intricate low-level operational details of their current business, but they are not encouraged to think more generally about business objectives and how they might reapply their skills to another telco using different systems to deliver different services to a different market. The sheer variety of tasks performed by the best assurance staff is best explained by reference to the RAG Leakage Catalog, which includes 25 different categories of assurance, though no telco addresses them all. This variety makes it hard to summarize what an assurance professional does, and what they need to excel in their role.
The average recruitment consultant has no idea of what it means to manage risk or provide assurance in a modern telco. During the same day the assurance practitioner may serve as an engineer, investigator, data scientist and business advisor. The range of demands is increasing over time; only somebody near pension age can expect to reconcile CDRs for the remainder of their career. But instead of valuing staff appropriately, telcos often treat the specialists who have focused on assurance like dogsbodies with no special merit or insight. This is a disservice to assurance workers, and can only hurt the telco due to the greater amount of leakage they will endure as a consequence.
This problem has bugged me throughout my career, but not because I feel my career belongs in business assurance. On the contrary, I see the danger of focusing on a field that has failed to expand as it should. The failure of business assurance to gain more traction is partly due to a more general failure of enterprise risk management (ERM) within telcos. You mismanage the risks of the enterprise if you only focus effort on problems where it is easier to find the resources needed for remediation. The principles of ERM start with an assumption of an objective assessment of risk priorities, so that effort can be focused on where it is most needed. All telcos are mismanaged per the principles of ERM. Relevant data has consistently and conclusively shown how much value is lost every year because of an inability to deliver what a comprehensive business assurance program should deliver.
Data from RAG’s latest survey of revenue assurance, fraud management and cybersecurity leakages has reiterated a fact appreciated by most revenue assurance and business assurance managers, but rarely spoken of by others. Accidental revenue and cost leakages of the type usually addressed by revenue assurance and business assurance departments cause far greater losses for telcos than the actions of fraudsters, despite all the attention given to the latter. Comparing the value of these losses to the trivial amounts spent on business assurance reveals a fundamental failure of the most senior risk managers to direct spending towards activities that deliver the best return for the business. But we can hardly blame senior risk managers for believing that any lasting benefits they deliver will soon be forgotten. Nor can we blame junior managers for being junior if they are the only people making a real effort to manage risk. The lack of investment in business assurance is a byproduct of a fundamental refusal to adopt the key principles of enterprise risk management at the very top of the business.
It should not require charity to pay for the education of professionals tasked with chasing a pot of gold that is worth USD43bn per this year’s RAG survey, but this is what has happened to the undervalued and under-appreciated community of RA professionals. RAG has pulled together an inexpensive modular online platform for training at RAG Learning. The unfortunate truth is that investment in this platform is too low, and the fault lies with telcos. Vendors have contributed directly and indirectly to educating telco staff. Apart from a few exceptions, the blame for the underfunding for this collaborative education program lies with telcos who make no sustained effort to develop their RA staff.
Relying on charity is bad enough, but now telcos in rich countries are accelerating the downward cycle by exporting business assurance jobs to low-pay countries. It is no insult to professionals working in offshored jobs to observe that innovation and development requires investment, whilst businesses that only seek to lower operating costs for what they do will not plan to increase expenditure on innovation and development in the future. This also means they never intend to increase expenditure on developing their staff.
Our community needs to turn a negative into a positive, by replacing the conception of the Jack of all trades with that of the riskjack, where we understand this word means something akin to steeplejack or lumberjack: an unusual and challenging job that requires a high degree of training so the jack can adjust his or her approach to actual circumstances found on the ground (or up a tower). It does not matter if other people do not understand the level of training needed to do these jobs; what matters is that employers understand and pay for the level of training needed to do them well and safely, in order to avoid any mishaps.
We cannot simply decide to pay ourselves more or increase training budgets, but no worker ever negotiated a pay raise by silently hoping for the best. The professionals in our community can use their voices to push for a better deal. Just choosing to talk about enterprise risk in front of superiors is a step in the right direction, signaling that we want to make progress in our careers. Bargaining power comes from acting together, so take one of the free courses on RAG Learning and then complain – to me, to your managers, to everybody – that your telco will not pay for a certificate that confirms completion of the course, and that there are not more courses available because telcos lack the community spirit to contribute towards a cooperative program of course development. And if your telco offers you a thousand-dollar course on a subject that is peripheral to what you do, question whether they would confuse the role of a steeplejack with that of a lumberjack, and why they are implying you should change jobs to secure advancement.
These ideas are not new. Look below for a presentation covering these themes that I have given several times. The idea of workers acting collectively to improve their circumstances is very old indeed, and there are countless examples through history. The practice of business assurance is now too old for anyone to pretend that pay and career prospects will simply get better without anyone needing to agitate for it. You know that; now you must choose what you will do about it.