More On The Relationship Between Risk and Control

A couple of weeks ago, I wrote a lengthy post about why I despise the word ‘control’. Regular reader Michael Lazarou often leaves thoughtful comments, and he did the same this time, observing:

One of the problems is that RA specifically is seen as a control function – not a risk managing function. There are various risks which we are not trained to identify, not trained to deal with and certainly not mandated to deal with. Let me explain – I come to work as an an RA analyst with an IT/programming background and slowly acquire a high level understanding of telecoms in order to perform periodic dictated activities (or controls). This however, is actually the infant stage of RA and risk management – correct me if I am wrong.

In the grand scheme of things risk is everywhere (for telcos as well as others). The major risks with low proability shuold be taken off the table with a comprehensive plan to evaluate and deal with the risk. However, there are also industry risks – i.e. Google is a bigger threat to telco’s at the moment than anything else with the danger of reducing them all to simple mobile ISPs. Many are trying to evolve to provide “digital services” as well…

Specifically RA is not seen as part of risk management because of the process required to get to the final data/conclusions. It is a different matter to process the information and create a report with valuable information and another to analyse it. And usually most people – even top management – do not seem to get this.

I completely understand your rant, however I do not see things changing, since RA, risk and information reporting is still convoluted for many even within the industry. The priorities are selling and market share.

It must be said that I sympathize with everything Michael wrote. However, I also believe that he is contradicting what is openly stated by a very large number of people who work in revenue assurance: that revenue assurance is a kind of risk management, and that implementing controls is the way to respond to risk. I believe Michael is right, and that top management is correct in perceiving that the majority of RA functions exist to implement control, but not to manage risk. At the same time, I want to explain how controlling activities can be a genuine subset of risk management, but that some people working in RA are getting ahead of themselves by overstating the strength of this relationship.

Before I go any further, let me make an observation about science and philosophy. Science uses numbers. Philosophy does not. Science quantifies and measures. Philosophy makes argument without relying on quantification. Science has the advantage over philosophy, because quantification allows relationships to be fully described, in ways that philosophy cannot. So whilst a philosopher knows that light is fast, and tortoises are slow, a scientist can tell you how much faster light is, compared to a typical tortoise. This concept – the idea of quantification – is very important for understanding the relationship between RA and risk management at present, and how it might change in future. When we measure the world, we gain a sense of scale. Scale is very important for knowing which decisions would make sense, and which are silly. I can carry things in my backpack, but I cannot carry my car in my backpack. I can pour water into a cup, but I cannot pour the Atlantic Ocean into my cup. Hence, attaining a sense of scale is important for knowing when RA managers are talking sense about the relationship of their work to risk management, and when they are being very silly indeed.

There are very many RA managers who believe the next natural step in their career is to do risk management. I cannot completely argue against them, but I would caution them. I have done both, although it should be noted that I worked in risk management before specializing in RA, and then stepping back to do risk management again, whilst most RA managers have very limited experience of risk management outside of what they learned by doing RA.

Sometimes the overconfidence of RA managers is encouraged by software vendors, who throw the word ‘risk’ around in order to justify sales of software that cannot be justified except by pretending that the (certain, easily quantified) cost of their products will be justified by an appeal to (irrational, speculative, intangible) risk reduction. Only a few weeks ago I attended the UK RAG, where one individual openly stated (for the sake of being polite, I shall omit his name) that RA is a subset of risk management. He appealed to the room to agree with him. I gritted my teeth, not wanting to interrupt his presentation with a very long digression into why he was logically correct, but grossly over-simplifying at a practical level.

The mistake made by many RA practitioners, when they analyse the relationship between RA and risk management, is one of scale. RA is a subset of risk management in the same way that the water in my body is a subset of all the water in the global ecosystem, or in the way that one man can be a subset of a multinational corporation. So what they say is true, logically speaking, but lacks meaning because they have no sense of perspective. Without an appreciation of scale, many honestly intend to take the next step in their career, by taking on risk management for the whole of their business. In doing so, they do not realize that they are sitting at base camp, talking about leaping to the top of Mount Everest in one bound. No matter how strong they are, no matter how hard they climb, they will fall short if they try to scale the mountain of risk management using only the tools given to them by revenue assurance. Of course, the irony is that they lack clear measures, a clear roadmap, and a clear sense of where there destination is. As such, they may never reach the top of Mount Everest, but they might end up claiming they reached the top of risk management. Of course, the danger here is that the risk manager saves face, only by willfully deciding not to address very many real risks, and pretending they do not exist. This is the opposite of the ultimate goal of risk management.

Over-ambitious RA practitioners sometimes remind me of Christopher Columbus, who set sail from Europe, headed for China and India. Columbus was logically right in thinking he could reach his destination by travelling West instead of East. But as Columbus thought the world was one-third of its actual size, he had no idea that he would die long before he reached his destination. There was no way that he could have foreseen that his life would be saved by bumping into a ‘new’ continent. And hence that is where the names of the West Indies and American ‘Indians’ have came from, because Columbus died believing he really had travelled all the way to India.

So, the problem as I see it, is that a few theoretical abstractions are made, and lacking a sense of scale, RA managers feel they are ready to extrapolate from their domain of expertise into addressing any and every kind of risk, wrongly believing they have mastered any and every kind of risk management technique – i.e. the ‘technique’ of implementing more and more controls. What they really know is a very narrow subset, and they have a poor appreciation of the vast territories they have not ventured into. This is not a criticism. Some doctors are general practitioners, who aim to treat all patients of all illnesses. If general practitioners lack the necessary skills, they send the patient to relevant specialists. That is what a risk manager must do, when he covers enterprise-wide risks: he must understand when it is appropriate to engage relevant specialist skills that he lacks and should not be expected to have. Specialists are not inferior, just because they are very specialized. But the way that someone specializes in, say, academic research into the brain, or into revenue assurance, does make them suitable for other kinds of doctoring, or other kinds of risk management. Of course, the difference between doctors and risk professionals is that doctors must receive a general medical education before they specialize, whilst risk professionals never do.

When Michael states that RA departments are ‘controlling’ functions, I have no problem with that description, so long as we admit that a ‘controlling’ function engages in a very particular element of risk management. There is nothing to be gained by denying risk managers the possibility of implementing controls. But controls are to risk management what the colour blue is to artists; even Picasso could only paint so many pictures without wanting to use a little red, or green. I regularly hear RA managers stating, without any sense of how they are talking in huge abstractions, that all risk management can be reduce to the simplistic formula of (inherent risk) – (mitigation from controls) = (residual risk). They really do talk like that. If you doubt me, I challenge you to research what Dr. Gadi Solotorevsky, head to of the TMF’s RA team, has always written about risk. And he claims his views represent the views of telco employees. If you listened to Solotorevksy, control is everything, so inevitably he comes in the opposite direction to Michael’s line of thought. Whilst Michael states that RA is seen as a control function instead of a risk management function, Solotorevsky is talking as if implementing controls is the one and only way to manage risk.

So I think Michael is absolutely right that we are at the infant stage of RA and risk management, though I would also clarify that the infant stage of medicine should still be thought of as poorly related to the infant stage of the specialized subsets of medicine (like psychiatry, or paediatrics). The problem with infants is that they cannot imagine how big and complicated the world really is. And so, I find Solotorevsky’s views on risks to be very infantile, making him a bad influence on the TMF, and on telecoms in general. Please keep that in mind, whenever you are presented with a TMF standard that covers the topic of risk.

Michael is very right when he talks about the different approach needed for risks with low probabilities and high impacts. And yet another approach is needed for strategic risks, such as whether Google will become a competitor with your telco. As a practitioner scales Mount Everest, he should find that it is these two varieties of risk that should dominate his time, and neither of them can be address by a controls methodology. On the contrary, mucking around with 5*5 grids and risk registers gets in the way of dealing with these types of risks. Low probability high impact risks are too improbable to usefully quantify the probability, which blows a hole right through most techniques that simplistically demand you first calculate probabilty*magnitude to work it if a risk is worth dealing with. And strategic risks are even less susceptible to the controlling mindset, because the most common way of dealing with an external risk is by choosing to take more internal risk, whilst the controlling paradigm focuses slavishly on reducing internal risk and takes little notice of what happens in the external world.

Because of these factors, the real danger for a business is that its risk management gets stuck at a low level, not dealing with the biggest risks faced by the business. In these companies, risk managers think they add a lot of value by sweating the small stuff. In truth, they lack perspective, and too narrow a focus on operational controls can distract management attention and the business’ limited resources away from more proactive decision-making needed to address much bigger risks. So whilst I would never discourage an RA manager from wanting to manage their business’ risks, they need to understand how far they will need to journey, in order to do this. Instead of being a narrow advocate for more of the business’ resources to be spent on controls, they must stop try to compete with others within their business. More money on software to execute RA controls can be a bloody stupid waste of money, no matter what Gadi Solotorevsky says, if the money would have been better spent on developing a strategically important product, or on fitting a decent sprinkler system.

However, there is a way forward, and one major positive to how RA does its work. RA people use data. They are good with data. And data is the key to improving risk management. More quantification, more measurement, makes risk management better, just in the same way it makes science better. It leads to better decisions. However, whilst we develop immature approaches to risk management, we must balance this correct appreciation of the benefits of gathering and analysing data with an equally correct appreciation that decisions will still need to be made in the absence of useful data. Google’s behaviour as a competitor can still be a bigger risk than the risk posed by subscriber fraud, even if I have millions of examples of subscriber fraud, whilst having to guess what Google will do.

It can be tempting to focus management attention where data exists, and to ignore the need for decisions where there is no data – and RA managers have been just as guilty of this, because they seek to get attention through data. For many of them, data is their core skillset, and they underestimate their lack of skills when it comes to evaluating risk. However, a balanced approach needs to work backward from what decisions need to be made, looking for relevant data wherever it may be found. When it comes to strategic and low probability high impact risks, that data may be found in a meeting with a regulator, or in the newspaper, or in an academic journal, or from a bank, or from an opinion poll asking the public what they think about the safety of radio masts near their children’s school. Decisions still need to be made, even if data is scarce, or unobtainable. This is the opposite of the paradigm used by software companies, who inevitably start with the data they can obtain, then work out ways to exploit it. Revenue assurance, because its thinking has been dominated by software marketing, often falls into this same back-to-front methodology of looking for ways to exploit data, without asking which decisions are most important. And the importance of a decision is driven by the scale of the related risks, on both the upside and downside.

For the RA specialist to really mature into the risk management generalist, they must do something which goes against all the instincts they developed whilst working in RA. They must stop believing that the interests of their department are the same as the interests of their business. They must see their own bias for what it really is – the prejudice inevitably flows from selfish desires. Even if more RA controls would, when measured on their own, be beneficial to the company, it would be wrong to implement those controls if their implementation leads to higher risk overall, by blocking activities that need to be given more priority, or by taking resources away from where they are most needed. And for various reasons, both good and bad, top management may want the RA practitioner to remain focused on controlling activities, instead of seeing the bigger risk picture. In doing so, top management may be acting like a parent acts towards a child; they may be happy for the child to do its chores, without wanting to educate the child in all the ways of the world. But a child does not mature into an adult by merely doing what they are told. They mature when they understand why they do the things they do, and can judge for themselves if they are right or wrong. That is the biggest step of all.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.