Dan Baker recently asked a good question about telecoms risk management:
Thanks for this [explanation of Enterprise Risk Management by Professor Stuart Greenbaum]. It’s a very fine explanation for a layman like myself. Particularly instructive for me was the distinction Professor Greenbaum makes between “core risks” and “ancillary risks”.
When a frozen gas pedal in Toyota cars was causing driving deaths in the U.S., he says Toyota initially didn’t understand what its core risks were. Toyota at first thought the core risks were around manufacturing automobiles. But it turns out they were really around Toyota’s safety record and product reliability. Very interesting.
In telecom, I assume Professor Greenbaum would classify revenue risks such as RA and fraud management in the ancillary category. But I would love to hear your own opinion of where the distinction between core and ancillary risks falls in our industry.
I am flattered to be asked this tricky question. After nearly 20 years of working in telecoms, I can remember long periods when nobody wanted my opinion, and I have met many people who were sick of hearing my opinions. There are even some people who are no longer able to hear my opinions, no matter how loud I shout. That said, I can only begin to give an answer by repeating one of the stock phrases I have often used, particularly during the times I worked as a consultant. When starting a new engagement, I was usually keen to impress the following on clients:
“When I tell you something, most of the time I will be repeating back something that you told me.”
Why would I be so candid? After all, I make it sound like it is a complete waste of money to employ a consultant. It is often a complete waste of money to employ a consultant, but it is not a complete waste of money to employ me as a consultant. Not usually. There are several reasons to make the statement. Some of them revolve around setting expectations for the client. In other words, if I had a mystery way to make a billion bucks I would not be sharing it for the kind of fees I was charging the client, and if the client shares no information with me, then that will severely limit the usefulness of the exercise. Another reason is to highlight the importance of editing. Good communication is not about sharing everything we know. It is about sharing what the audience needs to hear. That means organizing information and cutting out irrelevances – and there is a good chance that the client has all the information it needs, but is struggling with editing the information for themselves. And another good reason to make my admission is to make the client aware of the messages they give out, so they can start listening to themselves. Here I am talking about communication as more than just what people say to each other. A client tells me many things in many different ways. An extract of computerized data can tell me things about the client. I will be told things by observing how staff behave, their tone of voice, their interpersonal body language and so on. The feedback of the client’s customers can tell me many useful things about the client. And if I keep on listing the ways I ‘listen’ to my clients, then every other consultant will copy my techniques and I will never work again – so I will stop there. But you get the idea by now. A better business can reduce the need for consultants by ‘listening’ to itself. I would be a pretty poor consultant if I walked away, leaving the client feeling that I had done something mysterious that the client was simply incapable of reproducing for themselves, if they want to.
That was rather a long intro to what will be, on the face of it, a very short answer to Dan’s question. I will expand just a little by pointing out the distinction between a core risk and an ancillary risk is a helpful one when we step back and think about the strategy of the business, but it is less helpful when dealing with particular risks. A hurricane does not care if it sits in the ‘core’ or ‘ancillary’ category that I neatly typed up on a workpaper. And if a hurricane comes my way, I hope I focus on the essential task of not being blown away, and do not waste time reflecting on where the hurricane should sit in my risk taxonomy. What makes the distinction useful when considering the business strategy is that it helps to clarify what the business is trying to do and how it will do it successfully. The core risk of a business stems from the activities that give the business a competitive advantage. If we are talking about a genuinely competitive marketplace – and it is worth noting that many telcos are exempt from genuine competition – then the business will succeed precisely because it is better at managing its core risks compared to other businesses. Note that being better at managing a risk is not the same as reducing a risk. The least risky airline would have no planes, the least risky bank would make no loans, and so forth. Being better at managing risk means to deliberately, purposefully take on activities that generate risk, and to do so in such a way that the risk is optimal relative to the return. In other words, when looking at the strategic long-term, there is the greatest positive difference between the range of possible revenue and the range of possible cost, within the bounds sets by the risk appetite of the company’s investors. All I am doing here is merely repeating back what I have heard many wiser people say, but trying to state it in the language of risk management. Those wiser people may talk about ‘sticking to the knitting’ or ‘competitive advantage’, but I believe we are ultimately talking about the same thing. A core risk is inherent to the ‘knitting’, and is an integral component of the source of competitive advantage.
So what is core to a communication provider? I should be able to answer that by repeating back what comms providers tell me they do. Umm. Err… well that would be… err… communication. Now you can see why I stalled for so long before giving the simple answer. But having given it, we can now expand upon the answer, to see why it was a lot less obvious than it should be. To start with, let me start by tackling one obvious question: if communication is core to a communication provider, then why should we believe ‘safety’ is core to Toyota, instead of saying something more obvious like ‘making cars’. I think the difference is that we are wrong if we try to say that what the company does is the same as what the customer wants. Communication is core to communication providers because the motivation of customers is that they want to communicate. In contrast, the motivation of a purchaser of a Toyota car may be more refined than the desire to own a car. Here I want to briefly talk about the psychology of human motivation. Using Maslow’s hierarchy of needs, we can understand that a person may be motivated to attain some goal, and having attained it, their motivation then moves on to something else. At a lower level, the car may provide a basic need for its customer – probably related to commuting to work, going to places to buy necessities and so forth. If the car can perform that task, and satisfy that need, the customer can move on to satisfying further needs – they want a car that is trouble-free in order to optimize the time they spend traveling to social events, they want a car that is increasingly safe in order to safeguard the kids on the school run, and so forth. Or perhaps safety needs are easily fulfilled for the customer, and they are motivated to move on to other needs. Perhaps they buy a speedy two-seater to impress friends and the opposite sex. So what is core to Toyota is more than just fulfilling their customers’ desire for a car. What is core for Toyota is fulfilling the particular motivations that customers associate with Toyota cars, such as reliability. Hence the thrill of rapid acceleration is not core to Toyota in the way it would be core to Porsche.
After giving such an interesting, layered answer about motor cars, why not break out the layers for communication services? One reason not to do that is that I suspect customer motivation is far less nuanced and layered when it comes to buying a communication service. The purchaser of a car may have all sorts of motivations working at all sorts of levels. The purchaser of a phone service only wants one thing: to talk to Aunt Mabel. The consumer’s limited interest in the service provider has been somewhat proven by handset manufacturers. Customers will change network to get a handset they desire; they do not change handset to get the network they desire.
Of course I exaggerate a little, because some of us do not have an Aunt Mabel. But the essential point is that a customer’s motivation has very little to do with the specific features or qualities of the service. They get upset if you do not provide the service – for example, if there is a network outage. But this is not an attribute of the service being provided, it is another way of saying if a service is being provided. Whether the customer wants to talk to Aunt Mabel, or his girlfriend, or her workmate, or a corporate contact on the other side of the world, there is not a lot of nuance in how the communications provider satisfies a human desire. People want to talk to each other. And for all the fuss about modern technology, all communication is a variation on that theme. They might want to hear a voice that responds in real-time. People really want to speak to their loved ones immediately after a disaster is reported on the news. They might want to transmit text and for communication to be asynchronous. The cowardly husband may choose to send an SMS as apology for forgetting a marriage anniversary. But whether the communication involves sound, video, text, or occurs 1-way, 2-way, 3-way or more, all communication is motivated by somebody communicating to somebody else. At the extremes we get a business creating entertainment which they intend to share (at a price) with millions of people in an extremely one-sided mode of communication, or we might get the any-to-any anarchy of internet communication. Even at the extremes, the motivation stems from the content of the message and the audience, not from the technology. And therein lies the greatest core risk to telcos: that they cannot differentiate between themselves, and their services all tend to be commoditized.
I have glossed over an important distinction so far. Communication providers actually do very different things, even if they seem to be doing similar things to the outside world – and some communication providers are simply unknown to the outside world. A network operator is responsible for a lot more of the ‘communicating’ than many other kinds of communications provider. So they have a very particular profile for a certain kind of core risk relating to customer motivation. Going back to Maslow’s hierarchy, it is possible to attain a certain level of motivation, but then be dragged back down as lower-level needs are put into jeopardy. For example, nobody much cares about browsing an apps store for the latest entertaining game whilst being chased down the street by a mad axe murderer. When mad axe murderers come calling, then most of us want to call the police.
Network operators hence have a very particular risk dynamic relating to availability, reliability, disasters and continuity. The nature of disasters means that a lot of people will want to make calls at precisely the time when a network is most likely to be rendered inoperable. This creates a very acute core risk for a network operator – if they operated in a free market. In a truly free market, the operator might engage in exploitative practices to earn increased profit, by dramatically increasing the cost of a call in response to spikes in demand or to take advantage of the outages suffered by rival networks. And in a way, that might be fair to customers, because people may consciously or unconsciously prefer pricing models where they get a cheap service to call their Aunt Mabel on the weekend, and where the cost of that call is not inflated by an overhead needed to build a robust network, able to persist through disasters or cope with extreme spikes of demand.
By now, my discussion has become somewhat too theoretical, because the truth is that no network operators face competitive choices like these because governments will have already intervened to impose their own demands for how the networks support society. In practice, governments will allow a moderate overcharging of the call to Aunt Mabel in exchange for the increased investment to provide the extra network robustness at times of stress. So some of the risk dynamic is translated from the original dimensions of core risk, which assume a competitive marketplace, to an alternative core, where risk is driven by the deals struck between government and monopolistic and oligopolistic enterprises like network operators. In this alternative core, the key parameters of risk all condense on the negotiation with government, which both sets demands (like keeping a network running at times of stress) and can set prices (limiting the extent of true competition as a way to engineer profits that will finance certain kinds of investment desired by government). Of course, not all risk is translated into the negotiation with government, as there is still the actual decision-making about how to build and run a network, so the operator is still looking to attain the desired level of robustness at the least price.
At the other end of the spectrum, providers who have no network will tend to be relying on network providers to ensure continuity of service, though it is also fair to observe that inter-dependency is inherent to network providers too. The side of telecoms which faces the end customer is the side which tends to be most competitive. Here the core risk is genuinely a product of how to compete effectively, and it is relevant to review the various strategies outlined by Michael Porter e.g. cost leadership, innovation etc. Like airlines, comms providers can struggle to find non-superficial ways to differentiate themselves. Two competitors might buy and deploy the same technology, they will respond to changes in their rival’s tariffs and so on. Once the market is mature and saturated, key decisions for these providers will relate to cost management and procurement choices. However, we must bear in mind that even a basic set of customer requirements must be satisfied, so the challenge is for telcos to keep costs low whilst still meeting those requirements, and without suffering some other form of disadvantage – like fraud. But as Dan suggests, we can draw a line and say that cost optimization is the core risk whilst the acute desire to keep costs low has an influence on ancillary risks like fraud or underperforming staff.
As you can see, I have very rapidly narrowed down on a few potential candidates for the core risks: limited and short-lived opportunities for competitive differentiation; regulatory, legal and political risk relating to the basic economics of the business model; continuity and resilience for networks; and cost management as far as that underpins cost leadership. Obviously telcos suffer from far more risks than just the few I placed in the core, but I really do not feel we see the variety of customer motivation necessary to include a wider range of risks in the potential selection of the core. Customers of Apple, Toyota and HBO may have some very sophisticated motives when choosing their preferred supplier over the competition. Users of a phone service just want to speak to their Aunt Mabel. In doing so, they take some things for granted. They want the service to be available (within reason). They want to be charged accurately, per the tariff they agreed (or per how it was described to them). They want the quality of the line to be adequate, for the call not to drop and so forth. Most people are reasonable; they do not expect more than they were promised. So a lot of risk can occur where promises are not kept. I consider these risks to be ancillary because both sides should generally expect these promises will be kept. If they are not kept, then customers should rightly get upset. But the point I am making here is that these should be treated as essentials for being in business. They are not sources of competitive advantage in the normal sense.
Competitive advantage comes from satisfying a human motivation where the person does not already take this satisfaction for granted. Managing the risks that surround the satisfaction of this human goal is what gives a business its identity as a certain kind of business. However, being able to satisfy the most basic expectations of a commercial relationship is not an element of competitive advantage. If a business does not do that, the issue is not one of improving its risk management, but of attaining competency. And if the business is not competent, then it is reasonable to ask why it exists in the first place, because a free market should see incompetent businesses being quickly driven out of business. This can become muddled for many comms providers, precisely because of the tendency toward natural monopolies in networks, and because of the anti-competitive aspects of many relationships between comms providers and the state.