I remember I did not enjoy my time as a trainee auditor. There was a lot of work to do. We endured long hours and, when we eventually got home, we still had a lot of study for exams. We learned from textbooks and we learned on the job. The compensation, we were told, was that we would know our stuff through and through. We would have a valuable professional qualification, and its value could be relied upon. Looking back, the experience was painful, but that knowledge did get seared into my brain. No pain, no gain, as they say. Whilst I struggle to remember much of the mathematics I learned at university, my audit training comes back to me easily. Another thing I learned was that I would never stop learning. On the contrary, an appetite for learning is vital to success.
One of the first things we learned as auditors was how to determine the size of a sample for testing. The logic followed a simple question and answer procedure, so you did not need to know anything about statistics. It was crude, but easy to follow and reproduce. First, you asked yourself about the inherent risk that something would be wrong with the data you were auditing. Was it normal, or high? To keep things simple, everything was judged to be of high inherent risk or of normal inherent risk. Then, you asked yourself if you could rely on any of the business’ internal controls. You could either rely on them a lot, or a little, or not at all. By combining these two answers, you worked out the basis for how many tests to perform in your sample. A high inherent risk and no reliance on internal controls would give you the largest sample. A normal inherent risk and high reliance on internal controls would give the smallest sample. The technique was basic but effective. The goal was to determine how much work was needed to counter the category of risk that most concerns the auditor: detection risk, the possibility that the tests performed by the auditor would be inadequate to find a material error. Because the auditor can do more or less work, he can influence the detection risk, and so he needs to exercise judgement to determine how much work should be done to reduce the remaining risk, also known as the residual risk, to an acceptable level.
That is the most basic model of understanding risk as an auditor. Auditors appraise controls in order to understand their influence on the risks they face. It then surprised me to find this basic auditor’s model being mangled by Gadi Solotorevsky in his explanation of what risk management is supposedly about. In the interview, he asserts that he wants revenue assurance to ‘speak in the same language as risk management’. I have no argument with that goal, but if you want revenue assurance to speak the same language as risk management, you first have to learn the language of risk management. Based on this interview, Gadi has not learned the language of risk. Instead, he garbles it, selectively picking and choosing ideas, ignoring others, and making a number of simple but important mistakes. This is a bad sign if he is serious about his intention to speak the language of risk.
Let me illustrate Gadi’s misconceptions by expanding on the relationship between inherent risk, control risk and residual risk, a relationship I learned in my first weeks as an auditor but which has often featured in my career. He says:
“There are actually three kinds of risks that risk experts talk about: inherent risks, control risks and residual risks… residual risk is the risk remaining after you put the controls in, and there’s a formula that applies here: Residual Risk = Inherent risk x Control risk”
This equation he cites is useful from an auditor’s perspective. But it is a gross distortion to suggest these are “the three kinds of risk” that risk managers talk about, as if everything in risk management revolves around control risk. Inherent risk and residual risk are nothing more than the ‘before’ and ‘after’ of a snapshot of risk, used to contextualize the influence on overall risk exerted by some intermediary factor. In the auditor’s model, the intermediary factor is the control environment. If we build a conceptual model solely around controls, then it is true that inherent risk is what we have before we consider the controls, and residual risk is what we have after we calculate the difference made by controls. However, the risk manager has no reason to limit their analysis solely to the difference made by controls. Even the auditor’s simplified model of risk incorporates a fourth kind of risk, detection risk, which is what auditors manage after considering the inherent and control risk. The auditor’s risk model relates to what an auditor is interested in, which is the danger that the audit might arrive at the wrong conclusion. Take a look at the risk management standards of ISO and you soon see that risk managers deal with a more complex picture of risk than the auditor’s model. An auditor is interested in inherent risk and control risk because they set the bounds for how much work the auditor should do. The auditor cannot change inherent risk, nor control risk, but they can evaluate them. The risk manager can influence both inherent risk and control risk. The risk manager also has additional options for how to treat the remaining, ‘residual’ risk, and these can be used to further reduce the business’ risk exposure. The risk manager is not focused on the reliability of an audit conclusion, but on the best interests of the business.
Note that the equation cited by Gadi has its roots in the audit model, but it stops at the point before the auditor begins his own assurance work. The impression it gives is that the only way businesses can alter their risk is by changing the control risk, the likelihood that errors will not be addressed by internal controls. This impression is very misleading. Maslow said that a man whose only tool is a hammer sees every problem as a nail. Gadi only ever advocates one tool – lots and lots of automated data analysis to find errors. This biases his understanding of risk and the work of his TMF RA team. The risk manager has many more tools at his disposal. A good risk manager picks the best tool for the job, and so needs to understand what range of tools are available. More and more checking of data is only one of the tools. Sometimes checking data is the best tool for the job, other times not.
One of the tools of the risk manager is to question whether a business wants to take risks, once those risks have been properly evaluated. A business can decide not to engage in or to discontinue an activity that brings a high level of risk for a low level of return. This would be changing the inherent risk faced by the business. There are other ways to change the inherent parameters of risk before we consider the need for controls. We should not confuse what it means for a risk to be ‘inherent’ by assuming that we cannot alter the inherent risk. Gadi used the example of sprinklers as a control that reduces the risk of a fire. But before we install sprinklers, we could also seek to ensure that the building is not made of flammable materials. Using flame-retardant materials is not a control, but it does reduce the inherent risk of fire, when compared to using less safe materials. That same thinking can equally well be applied to revenue leakage, by moving beyond the idea that RA only checks data for errors to getting RA involved in the design of systems and processes, improving them so the inherent risk of leakage is reduced. That thinking is epitomized by the lean manufacturing model, which tried to reduce reliance on large-scale quality checks of end products by building integrity into the manufacturing process. This approach can just as well be adopted by comms providers who want to reduce revenue leaks, but it does not equate to more investment in controls. On the contrary, there is less need for controls if processes are inherently error-free.
Another option for risk managers is to share risk. Insurance is the most common example of sharing risk, but there are others. Insurance is a kind of risk-sharing because the business pays an external party to bear some of the risk. The insurance premium is a cost to the business (reducing its profit) but the business gets the comfort of knowing the insurance policy will pay out and compensate the business for certain kinds of losses (reducing its risk exposure). Risk sharing reduces the risk borne by the business, but it is not a kind of control. It is revealing that one of Gadi’s slips was to say that risk management is “akin” to insurance. This implies they are somehow separate. A risk manager would understand that insurance is one of the tools to manage risks. It is not separate from risk management; it is one of the possible ways to respond to risk. Risk sharing already takes place in the realm of revenue assurance. Whenever an external company is paid according to the leakages they find and correct, they are sharing risk. If the external company finds nothing, they get paid nothing. If they find a lot wrong, they take their cut of the benefits they added and they make a lot. When RA managers think about managing risk, they should just as well think about whether an external firm would be willing to share the risk. If they cannot find an external firm willing to share the risk, that says something important about how outsiders perceive the risks and rewards of implementing additional assurance activities.
Another telling slip from Gadi comes when he says:
“But Revenue Assurance and Risk Management speak two different languages. RA measures things in monetary terms – dollars, euros, etc. But risk management talks in terms of reducing risks.”
The error here is so basic that I doubt any risk manager would make it. When we measure risk, we measure in two dimensions: magnitude and probability. One of those elements, magnitude, can be stated in terms of money. In fact, the magnitude of most risks is expressed in terms of money. One can reasonably argue that you could measure all risk magnitudes in terms of money, if you are willing to overtly express losses like reputational damage or loss of human life in financial terms. In case anyone wants to get squeamish about reducing a human life to a monetary figure, bear in mind that life assurance policies do just that, with the premium calculated according to the amount that will be paid out and the likelihood that the person will die. Gadi’s dichotomy of measuring money versus measuring risk is false even within the realm of revenue assurance. RA does not just measure money. A lot of RA checks find nothing wrong. Even if a comms provider leaked 10% of revenue, that would still mean 90% of revenue was not being leaked. In such a provider, a comprehensive program of RA controls would find no errors around 90% of the time. So RA controls measure probabilities as well as magnitudes, just as much as risk management does.
It is also worth observing that the language of risk management has come a long way since I was a trainee auditor. As an auditor, I was concerned with the amount of work needed to reduce audit risk to a tolerable level. But in recent years the language of risk has been standardized to make it very clear that risk is not something we should only seek to reduce. Risk managers should not look at a business from the perspective of an outsider. Risk has both upsides and downsides. As an auditor, I was only concerned with a downside (the possibility of reaching the wrong audit conclusion), but a business is in business because it intends to profit from the upsides of risk. A business that never took a risk would never innovate, never launch a new product, never find a new way to please customers. A business that never took a risk would fail. The risk manager does not seek to reduce risk, but to optimize it. We reduce risks if it is cost-effective to do so, meaning the cost of the mitigation is less than the expected financial benefit that flows from reducing risk. We seek to increase risk if this is justified by the increased returns. If a risk manager tends to spend most of their time and energy on risk reduction, it is only because some other business functions, like marketing, are already geared to look for opportunities that will increase risk. But the risk manager does not set himself in opposition to those functions, as part of some silly tug of war over business decisions. You cannot work with people if you set out to work against them. A risk manager moderates business decisions by seeking to assure the way risk is measured. That way, if a new marketing idea can deliver good returns for a reasonable risk, the risk manager will support it, not oppose it.
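A worked illustration of the risk vocabulary this post relies on, added here and not part of the original post: the audit risk model (inherent x control, with detection risk as the auditor's lever) and a cost-effectiveness comparison of the treatment options discussed above (more controls, lowering inherent risk by design, and sharing risk). Every figure, name and threshold in it is constructed for illustration, not taken from any real provider or standard.

```python
from dataclasses import dataclass

# Audit risk model as the post describes it: residual risk = inherent x control, and
# detection risk is the part the auditor manages by doing more or less testing, so
# overall audit risk = inherent x control x detection (each treated as a probability).
def max_detection_risk(inherent, control, target_audit_risk):
    """Largest detection risk tolerable while inherent * control * detection stays
    within target_audit_risk. A lower result means a larger sample is needed."""
    residual = inherent * control
    return 1.0 if residual <= target_audit_risk else target_audit_risk / residual

@dataclass
class Risk:                  # the risk manager's two dimensions
    probability: float       # chance the loss event occurs in the period
    magnitude: float         # money lost if it does
    def expected_loss(self):
        return self.probability * self.magnitude

@dataclass
class Treatment:             # one way of responding to a risk
    name: str
    cost: float
    probability_after: float  # controls and process redesign mainly change this
    magnitude_after: float    # insurance / risk sharing mainly changes this

def evaluate_treatments(risk, treatments):
    """Return (name, net_benefit, cost_effective) per option: a treatment is
    cost-effective only if the expected loss it removes exceeds its cost."""
    results = []
    for t in treatments:
        benefit = risk.expected_loss() - Risk(t.probability_after, t.magnitude_after).expected_loss()
        net = round(benefit - t.cost, 2)
        results.append((t.name, net, net > 0))
    return results

# Constructed (hypothetical) figures: one leakage risk and four ways to treat it.
LEAKAGE = Risk(probability=0.10, magnitude=1_000_000)
OPTIONS = [
    Treatment("more automated data checks (control)", 60_000, 0.02, 1_000_000),
    Treatment("redesign billing process (lower inherent risk)", 30_000, 0.04, 1_000_000),
    Treatment("insure 80% of the loss (share risk)", 50_000, 0.10, 200_000),
    Treatment("gold-plated control suite", 150_000, 0.001, 1_000_000),
]

if __name__ == "__main__":
    print("tolerable detection risk (high inherent, weak controls):", max_detection_risk(0.8, 0.5, 0.05))
    for name, net, ok in evaluate_treatments(LEAKAGE, OPTIONS):
        print(f"{name}: net benefit {net:+,.0f} -> {'adopt' if ok else 'reject'}")
```

The last option removes the most risk yet is rejected, which is the point the post makes: more controls are not automatically better once their cost is put beside the expected loss they remove.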
To be honest, I am not working with Gadi’s TMF RA team on these problems because I have no confidence they will address the fundamental misconceptions in the work they are currently undertaking. They have already gone too far. Pride alone will make it impossible to backtrack at this stage, although I raised these same issues at an early stage of development. Put simply, their model is one-sided. It inevitably leads to the flawed conclusion that more controls are better than fewer controls because more controls means reduced risk. There is no reference to the cost of the controls or to optimizing risks. There is no mention of ways to alter risk parameters other than through implementing more controls. It was about a year ago that Gadi and I had a long conversation about the language of risk. He did not accept my criticisms then, and the work of his team has not deviated from the path he set out at that time. But my observations hardly matter. The language of risk is out there and well established. This language exists independently of the TMF, the RA community or even the communications industry. The language of risk is global and universal. The best codification of that language comes from ISO, the world’s largest developer and publisher of international standards. Only a fool would choose to go against the worldwide risk community that contributed to the ISO standards for risk management. RA people cannot unilaterally decide to change the language of risk, though they can learn how to speak it. So far, Gadi and his team make some similar sounds to the risk community, but their work has repeatedly distorted the meaning of risk.
Learning can be painful, but you need to get the basics right if you want to draw the right conclusions. The shaky language used by Gadi conflicts with the rock-solid and consistent use of language in risk management standards like ISO 31000. This is doubly ironic because the road to good risk management begins with consistent use of risk terminology across the whole enterprise. It rather looks like Gadi’s team started with a conclusion they want to reach – that everybody needs lots more controls – and have worked backwards from there to find ways to justify themselves. I think they are doomed to fail; they started building their new tower of language from the top, not from the bottom. Like the Tower of Babel, I expect it to collapse as soon as any genuine risk manager tries to climb it. In the meantime, a lot of time and effort will be distracted from the real challenge of putting revenue assurance into a proper risk context. If put into that wider context, there is the potential for RA to evolve and extend the techniques at its disposal. If not, then RA will only ever manage risk like an external auditor manages risks – deliberating whether it should do more or less of the same tests it always does, but remaining too narrow in scope to help the business to truly optimize its performance.