The TM Forum has an Enterprise Risk Management standard… sort of. It has been out for a little while, but not received much publicity. That is a shame, because whilst the small team that wrote it is obviously not capable of authoring an ERM standard that could compete with ISO31000 or COSO, what they have produced is unusually useful.
As is typical of the TMF, their ERM document has the natty title of GB921R Enterprise Risk Management R15.5.0 Standard. But beyond that, the writing is straightforward. The executive summary explains the goals of the authors.
With this document the motivation is to create a blueprint for Enterprise Risk Management processes. In eTOM release 9.0 a similar addendum was published (addendum GB921E titled End-to-End Business Flows) which provides the decomposition of existing eTOM components into business process workflows. With regards to Enterprise Risk Management, the challenge for operators is to come to grips with a topic that spans all organizational areas and covers a wide variety of activities. Such challenges highlight the need for having a process blueprint which can deliver best practices.
Instead of trying to describe an all-encompassing approach for risk management, GB921R decomposes ERM into several categories that are important to telcos. It is possible to argue over whether they have included every process that belongs within the remit of ERM; for example, telcos have regulators, employees and bad debt, so somebody needs to manage the related risks, even if those people tend to work in well-established and specialized silos. However, GB921R does describe a series of important processes that belong at level 3 of the TMF’s eTOM. The process areas are listed below, in the order they are covered by the document.
- Business Continuity Management
- Fraud Management
- Insurance Management
- Revenue Assurance
- ITIL IT Service Continuity
- ITIL Problem Management
- ITIL Info Security Management
The document also mentions the obscure concept of ‘integrity management’, though this is not explained and the related section is still blank. Separating ITIL info security from the rest of security also seems like an odd choice – why is one not a subset of the other? Nevertheless, the areas listed above all belong within a guide to telco risk management, and it makes sense to construct a single reference guide for the key processes for managing risk in each area.
By not trying to be too ambitious, the authors have produced the blueprint they promised to deliver, whilst giving themselves plenty of room to keep elaborating the detail of how to manage risk. Better still, they have realized it is better to acknowledge other sources, such as ITIL, instead of duplicating good work done elsewhere.
I imagine most telco ERM professionals would find this document to be a useful checklist of the risk areas that will routinely demand their attention. The primary question for any telco will be to determine whether suitably skilled and empowered staff have delegated responsibility for the processes described under each heading. If so, then the routine of the ERM function will involve absorbing the outputs of these processes on a regular basis.
The document was written by a small team from a single business, Detecon. Though such teams can sometimes suffer from a narrow perspective, in this case it has probably helped to improve the cogency and consistency of the final product. Lead author Jawahar Sajjad and his colleagues deserve thanks for sharing such a convenient list of important risk management processes in telcos.
TMF members can download GB921R Enterprise Risk Management R15.5.0 Standard from here.
I just took a quick look through this standard. I’m not familiar with Frameworx. I looked through it to see if it would describe the telecoms environment in more detail to identify specialised risks. The document doesn’t refer to any telecoms paraphernalia. It’s completely general! It had one very interesting heading “Integrity Management” but that section was blank! Nothing on Health and Safety, Regulation, Strategy etc.
Telecoms ERM tends to adhere to the maxim: “learn to crawl before you learn to walk.” I agree that a comprehensive ERM remit would include areas like H&S, regulation and strategy, but the reality is that very few telcos are sufficiently joined-up to permit that. One important mitigating factor is that most telcos already have sophisticated and experienced functions which deal with the risks in each of the silos you mentioned. They should be joined together, but the priority tends to be the risks that are not adequately managed anywhere in the business. A fledgling ERM function often generates more immediate benefits by focusing on topics like BCM, security and fraud. That is not an excuse for a piecemeal approach to the scope of ERM, but it does reflect the practical realities as ERM teams try to gain traction by demonstrating the benefits that flow from their work.