The TM Forum has an Enterprise Risk Management standard… sort of. It has been out for a little while, but not received much publicity. That is a shame, because whilst the small team that wrote it is obviously not capable of authoring an ERM standard that could compete with ISO31000 or COSO, what they have produced is unusually useful.
As typical of the TMF, their ERM document has the natty title of GB921R Enterprise Risk Management R15.5.0 Standard. But beyond that, the writing is straightforward. The executive summary explains the goals of the authors.
With this document the motivation is to create a blueprint for Enterprise Risk Management processes. In eTOM release 9.0 a similar addendum was published (addendum GB921E titled End-to-End Business Flows) which provides the decomposition of existing eTOM components into business process workflows. With regards to Enterprise Risk Management, the challenge for operators is to come to grips with a topic that spans all organizational areas and covers a wide variety of activities. Such challenges highlight the need for having a process blueprint which can deliver best practices.
Instead of trying to describe an all-encompassing approach for risk management, GB921R decomposes ERM into several categories that are important to telcos. It is possible to argue over whether they have included every process that belongs within the remit of ERM; for example, telcos have regulators, employees and bad debt, so somebody needs to manage the related risks, even if those people tend to work in well-established and specialized silos. However, GB921R does describe a series of important processes that belong at level 3 of the TMF’s eTOM. The process areas are listed below, in the order they are covered by the document.
- Business Continuity Management
- Fraud Management
- Insurance Management
- Revenue Assurance
- ITIL IT Service Continuity
- ITIL Problem Management
- ITIL Info Security Management
The document also mentions the obscure concept of ‘integrity management’, though this is not explained and the related section is still blank. Separating ITIL info security from the rest of security also seems like an odd choice – why is one not a subset of the other? Nevertheless, the areas listed above all belong within a guide to telco risk management, and it makes sense to construct a single reference guide for the key processes for managing risk in each area.
By not trying to be too ambitious, the authors have produced the blueprint they promised to deliver, whilst giving themselves plenty of room to keep elaborating the detail of how to manage risk. Better still, they have realized it is better to acknowledge other sources, such as ITIL, instead of duplicating good work done elsewhere.
I imagine most telco ERM professionals would find this document to be a useful checklist of the risk areas that will routinely demand their attention. The primary question for any telco will be to determine if suitably skilled and empowered staff have delegated responsibility for the processes described under each heading. If it does, then the routine of the ERM function will involve absorbing the outputs of these processes on a regular basis.
The document was written by a small team from a single business, Detecon. Though such teams can sometimes suffer from a narrow perspective, in this case it has probably helped to improve the cogency and consistency of the final product. Lead author Jawahar Sajjad and his colleagues deserve thanks for sharing such a convenient list of important risk management processes in telcos.
TMF members can download GB921R Enterprise Risk Management R15.5.0 Standard from here.