Review of KPMG Global RA Survey: Part 2

This is part two of a two-part review. See here for part one.

Carving into the meat of KPMG’s latest RA survey, there were some telling figures on the estimated leakage suffered by telcos. Whilst the report headlined that 54% of telcos estimated that leakage (excluding fraud) was greater than 1%, I found it more interesting to think about the other side of the coin: that 46% said leakage was 1% or less. This implies that the median leakage is close to 1% and that typical claims of ‘average’ leakage are exaggerated. Hopefully this is a sign of progress and increased sophistication with several aspects of RA maturity: measurement, coverage, detection and prevention. With only 15% of telcos estimating their leakage is over 3%, a whopping 85% were claiming leakage to be 3% or less – which should help to put an end to the scare tactic of claiming that 5, 10, 15 or even 20% leakage is the norm. The leakage numbers reported in KPMG’s survey are reminiscent of the findings in the TMF’s benchmark study. The TMF report stated that the average measured leakage, excluding fraud, is 1%. One interesting quirk in KPMG’s report is that it says “leakage estimates by senior management were higher than estimates provided by RA function heads”. What would explain this? RA Heads should be the people with the most data and hence likeliest to be accurate, so after years of brainwashing, have senior executives finally changed from being complacent to being fearful of revenue loss? Might it be that RA heads now underestimating leakage, justifying the perception of year-on-year improvements thanks to their work? Or do senior managers take a broader view of what should be counted as leakage?

Continuing to examine the coldest, hardest numbers (which in RA sometimes means numbers that are as hard as a jelly that has been put in a pre-heated oven) the report examines the degree of leakage recovery. According to the report,

“Recovery of leakages ranged from 2.5% up to 37.5% of the total estimated revenue leakage. This indicates that a large portion of revenue leakage remains unrecovered.”

Hmmm…. are KPMG in the business of telling us the mind-numbingly obvious? Of course if recovery is less than 50% then that indicates a large portion is unrecovered! A more interesting observation is to note that this is again in line with the TMF’s benchmark results. The TMF found that, at best, half of measured leakage was recovered. Given that KPMG asked about estimated leakage, which will obviously be higher than measured leakage, their finding is consistent with that of the TMF. The report should really tell us – and conspicuously fails to mention – the reasons for such low levels of recovery. Is it because of weaknesses in the capabilities of telcos to recover leakage? Or is the TMF’s conclusion the right one – that a lot of leakage simply cannot be recovered? If the latter is true, it may be that 2.5% recovery is the most recovery possible!

The confusion about recovery neatly leads to another area of confusion in KPMG’s report – what it means for RA to be ‘self-funding’. In common parlance, this would mean the activity pays for itself, or that the benefits are greater than the costs. According to the survey, 54% of respondents thought their RA activities are not self-funding. Think about this – they are saying the amount spent on RA is higher than the benefit delivered by RA. I find this admission startling, not least because it leads to a really obvious conclusion on what to do with most RA departments: shut them down. If RA is motivated by financial benefit, and the benefits delivered are lower than the costs, then it is economically rational to stop doing RA. It would be irrational to continue doing it. Once again, instead of tackling the serious implications of this survey finding, KPMG resort to some low-stress but fallacious reasoning: “the investment required to sustain a ‘self-funding’ status increases continuously”. Rubbish. Complete rubbish. Insane, lunatic rubbish that if spouted by an accountant should justify that accountant being immediately stripped of their qualification and made a laughing stock by all other accountants. Follow KPMG’s logic through to its absurd conclusion and you discover that, if the trend continues, RA will eventually need to spend every penny that the business makes in order to be ‘self-funding’. This is nonsense, of course. Either ‘self-funding’ means paying for itself or it does not, and there must be a point where RA breaks even without needing a ‘continuous’ increase in investment. If you pay for yourself, you pay for yourself. If every year you need more money invested to keep on paying for yourself, then you are not paying for yourself at all.

Unlike KPMG, I reach a different conclusion about why 54% say their RA is not self-funding. Either they are doing a bad job, are immature in their approach to measuring the value of RA work, or they do not aspire to be self-funding. All three are possible. Taking the possibilities in reverse order, nobody says RA has to be self-funding. RA can make sense as a control discipline if it stops bad things that are impossible to measure or which upset customers. Another likely possibility is that RA people are better at keeping track of the dollar cost of their work than at putting a dollar value to the benefits. This is most obvious when trying to quantify the benefits of preventing a leakage before it happens. Finally, RA has generally grown and become established because pioneers worked hard – long before the phrase ‘revenue assurance’ was even in common parlance – to do things which generated good and obvious returns to their business. If there are telco RA teams out there sat around moaning that RA is just too hard and they cannot deliver benefits without first being gifted a big pot of money, I have no sympathy for them. RA would not exist if people had not found the ways to deliver benefits with minimal investment. They succeeded without all the software, vendors, consultants, conferences, surveys, white papers, websites, training and generalized support that RA people can now rely upon. If people find it just too hard to deliver a positive benefit unless they are given a lot more money to spend as an act of faith, then that is the best argument imaginable for not giving them the money in the first place.

Following on from all the sketchy logic about how RA generates a positive ROI, we find KPMG then arguing for the benefits of employing experts to help RA improve. Obviously they are thinking of themselves when they talk about experts. On the basis of the flawed conclusions they reach in the report, they do not deserve to be described as experts. However, there is a more important reason why KPMG cannot be experts in RA. Nobody is expert at RA. I know it probably once said on my business card that I am an expert, but nobody is genuinely expert at RA (including Papa Rob Mattison, the self-appointed hero of GRAPA). At best, you can be expert at parts of RA. If you need help with the formation, recruitment and strategy for an RA team, get somebody who knows how to do that. If you need help with identifying leakage for a certain kind of service and with recovering the amounts lost, get somebody who knows how to do that. But do not get a general-purpose RA expert and then trust them to be an expert on any RA work you need doing from the moment they walk in the door.

I argued in part one of this review that the real challenge for RA skills is to have the skill to learn and adapt. That means nobody can guarantee to have all the skills needed on the first day they walk in the door of a business. If you need expert help, do not follow KPMG’s suggestion of hiring someone for several months continuously. If you need help, do one or more of the following: engage a general-purpose expert for a short period, and get them to outline a plan with clear priorities of where you need more help to improve; engage specific experts to help with the specific areas where RA needs help; and form a relationship with an outside expert who will come back to your business and act as a guide and mentor every so often to help you stay on course and see things from an outsider’s perspective. Anyone calling themselves an RA expert is the equivalent of a General Practitioner in medicine. They may have a good general idea about most things in RA but some of their RA skills will be weaker than others. Use people like this to help you identify how to improve, but expect and ensure they step back from the task and refer you to other specialists when you really need them. These specialists may not even think of their work as being revenue assurance, but you will understand why it is.

The KPMG report goes on to identify that leading practice means using tools. Again, we see the same pattern of failure in the report, where important distinctions and options are not even identified, never mind discussed. Saying that people should use of tools is no more revealing of leading practice than saying that it is leading practice for accountants to use a calculator instead of an abacus. No mention is made of the real choices faced by telcos in how they acquire tools, and the specific alternatives to acquire dedicated specialized revenue assurance software or to adapt general enterprise informatics to the goal of RA. Both have their pros and cons, but by not mentioning the alternatives, this reader is left wondering if the authors are even aware of the choice. The only distinction made by KPMG is to contrast higher-cost with lower-cost solutions, where lower-cost solutions are bound to be general tools adapted for use in RA. The impression I take is that KPMG are simply unaware of telcos that have delivered high-end RA tool capability through adaptation and extension of enterprise resources for collecting, manipulating and analysing data.

One area which KPMG gets right is to highlight the trend in performing annual risk assessments as a precursor to setting priorities and plans for RA. It should be an area close to KPMG’s heart, as like all the Big 4 they use a risk-based approach for much of their work and, perhaps more importantly, they can sell risk assessments as either a standalone product or as gateway to selling follow-on services. KPMG also score points for linking RA to other areas needing assurance. Again, this should be inherent to the perspective of a Big 4 firm but it still needs to be made explicit when dealing with an RA industry that too often promotes functions that compete with, instead of cooperating with, those in the telco with complementary goals and methods. However, the report writers pull their punches once again. If you say that revenue assurance should be integrated with other assurance activities, you open the debate to whether revenue assurance should be driven by a standalone organizational unit or be integrated into the work of a more extensive unit. However you look at it, whether thinking of an RA department extending its scope to ‘business assurance’ or as a merger between existing departments, there are valid questions about the possible future place for RA in the organization chart. KPMG does not answer the question; in fact, they do not even acknowledge there is a question to answer.

You cannot identify the essential difficulty of KPMG’s report by looking at it alone. Look at other, seemingly unrelated KPMG reports, and the problem becomes very obvious. KPMG says RA should get reported up to the Board and Audit Committee. Every other KPMG report, on every other aspect of assurance, says exactly the same thing. If everything is to be reported up to the top level, then reporting needs to be integrated, or else reporting is a jumbled mess which is either ignored or causes overload. So what might cause of the narrowness of KPMG’s vision on integration of RA with the wider business? My guess would be that the report is hampered by being written by people who work in a market vertical – KPMG’s Information, Communications and Entertainment (ICE) division. Comparing KPMG to another Big 4 firm, Deloitte, might illustrate the significance of this. Deloitte places RA within a horizontal specialism: its Enterprise Risk Services division. Multiple narrowly-defined assurance activities like RA tend to be more common in telcos than in other industries because of the way that telcos have rapidly evolved, often without the benefit of a clear vision for how the organization should work. This is a weakness of telcos compared to other businesses, and the report’s authors cannot see the blind spot because they are not thinking about other businesses. I would speculate that if Deloitte had gathered the same data, they would have written far more on how RA can become part of a joined-up strategy to assurance and risk management that runs right across the business.

On safer ground, KPMG highlights the survey finding that 53% of RA departments report to the CFO. This is no surprise. They also point out that RA is treated with greater strategic importance than in developing markets the RA function tends to report to more senior people than in developed markets. Based on my own experience, I do not find this surprising either. However, the authors make a gross error in interpreting this result, especially for a global firm that works across many cultures. They wrote that this ‘highlights the larger business mandate and perspective in which RA is being pictured’. In some businesses, this is true – execs are not being held back by old prejudices and are more willing to see RA as a benefit. However, there are also cultural factors that KPMG ignores. In some parts of the world, everything reports to more senior people. By failing to allow for regional variances in how telcos are organized and governed, KPMG invalidates their conclusion that developing countries place more emphasis on RA compared to developed countries. From personal experience, I am conscious of the danger of tokenism – somebody writes a policy or creates a reporting line that seems to imply RA is taken seriously and it has ready access to senior people, but in practice it gets little time, attention or resources. It is a generalization, but tokenism is more prevalent in developing markets than in developed markets. Bear in mind that much of the survey had shown a disparity in the resources provided to RA according to the region of the world where the telco operates. In RA, like in other walks of life, actions speak louder than words. Senior engagement and buy-in is measured by the decisions they make and the resources they deploy, not by reporting lines or policy statements.

Once again on a more positive note, KPMG wisely highlight one telco’s ‘risk portfolio model’ approach, as used for every new product launched. The approach covers business, financial and operational risks. The question that comes to mind, however, is why the risk portfolio model is applied only to product launches, and not to every aspect of ongoing, joined-up business assurance? If it works for new products, then it should work just as well when considering old products and indeed every aspect of running a telco.

I suggest you read the report, despite my criticisms, because there is a lot of useful data. The report can be found here. Here are some other facts worthy of more analysis than I can give here:

  • 61% of respondents had no claw back clause in vendor agreements in case of leakages caused by vendor negligence of non-compliance; why is this easy and obvious risk mitigation being ignored?
  • More than 80% of telcos are changing their RA, plan to change their RA, or are writing a plan to change their RA; is this a sign that change is too slow in practice?
  • 43% said they were dissatisfied or only partially satisfied with their RA tools; is this because they do not have the desired tools or because the tools they have the tools but they did not live up to expectation?
  • Most operators said their largest revenue stream was also their most vulnerable to leakage; did they misunderstand the question, or does this blow a hole in the theory that the challenges of RA are driven by new products?

Before I summarize, I have to make one rather sour comment about KPMG’s professionalism. When you write a report, and you reproduce intellectual property owned by somebody else, you make this clear. You do not reproduce another’s intellectual property as if it is your own. A few years back, KPMG were circulating their own dreadfully poor version of an RA maturity model. Obviously they copied the idea from the TM Forum’s revenue assurance maturity model. They were using their model to market their services, but by so doing, they were showing themselves up. Only a fool would use a consultant’s marketing gimmick as a technique to help them formulate their strategy. Whilst KPMG called their gimmick a maturity model and were ripping off the title, the content was very much different, so nobody could complain. Now I see that the KPMG model has ‘evolved’ – evolved to being a flagrant copy of the content in the TMF’s model, as well as the title. I am not going to pursue KPMG with a law suit on behalf of the TMF, and the TMF would never bother as there is not enough money at stake. But theft is theft all the same, whatever is stolen. By not citing the source of the RA Maturity Model, KPMG are stealing. The authors should be ashamed of themselves.

The recurring theme in my criticism of the KPMG report is that it lacks imagination or any vision of the future of RA, and this might explain why they need to borrow ideas for lack of having their own. That is disappointing because RA was a discipline created by pioneers – people who had to have imagination or vision in order to sell the new idea of RA to the sceptical world of telecommunications. The clues of the future of RA are in the answers given by the respondents. KPMG naturally plays safe with its conclusions – it does not pay to offend potential customers – but even where there is no risk in going beyond a narrow and conservative interpretation of RA practice, the report writers shy away from diagnosing how RA can be improved or offering any new insight. This is doubly disappointing because the survey results themselves are full of surprises that should have provoked the report writers to stray from the formulaic analysis they have settled for. For a business that makes money interpreting information and selling advice, it is a serious criticism.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.