Today I am going to tackle a subject that needs to be tackled by talkRA, and by everyone working in revenue assurance, fraud management and related fields. That subject is risk management. We can deal with it sooner, or later, but we will all have to respond eventually. Risk management will change the industry, not as quickly as some claim, but inevitably. That inevitability stems from the most powerful forces driving the improvement of risk management, which is not the desire of staff in an operational or assurance function, nor the desire of software vendors, nor the desire of CxOs, nor the desire of Boards, and nor is it limited to the communications industry. In fact, communications providers are well behind other industries when it comes to addressing risk. The drive towards enterprise risk management (ERM) comes from all shareholders of all businesses everywhere, and is codified in the demands of governments, regulators, corporate governance codes, stock markets and debt rating agencies. So let us deal with it, sketching a roadmap for how risk management will transform our businesses, and what that means for risk silos like revenue assurance. Good RA is all about looking ahead and being proactive. That means we should not ignore the coming wave of risk management, or try to pretend we can define and control the scope and expectations when the driving forces are so great. Even a powerful king in a formidable castle cannot long hide behind his thick walls and ignore the changes in the world outside. We need to plan ahead, be prepared, and get ourselves in shape to respond to the challenge.
An excellent article in CFO Magazine summarizes the forces behind ERM and the current state of play. Note that the article is clearly relevant to the readers of talkRA, even though it never mentions the comms industry specifically. Note that it begins by discussing very rare and very high impact risks, also known as ‘black swans’, which is quite the other end of the scale from the very high frequency but low individual impacts that get routinely tracked by RA Departments and automated RA systems. And note how general the article is when talking about risk, across any type of industry. The article gives an excellent one-sentence explanation of what ERM is, and how general it is:
ERM offers a “holistic methodology” for identifying, assessing, quantifying, and addressing strategic, operational, market, financial, and human risks in order to optimize the risk-return profile.
The message is that risk is as broad, wide and deep as the ocean. Telco RA leakages are drops that fall into this ocean.
The onus is on professionals to establish the stepwise links from the full generality of risk to the detail of how the many individual risks are managed, with many incremental steps from the very top to the level at which most of us currently work. Bearing in mind where the driving force is coming from, the two must join up. We cannot afford to have two camps, one starting top-down, the other starting bottom-up, thinking they are marching towards each other, but really walking along parallel lines. With that in mind, let me draw your attention to this quote from the CFO Magazine article:
Governance issues aside, ERM would get a major boost if it were widely regarded as an industry standard for best practices. “We are not talking about a one-size-fits-all standard, since risk management is part art and part science, and organizations differ by geographies, markets, business lines, and organizational structure,” Lam [James Lam, President of risk management consultancy James Lam & Associates] says. “It can, however, be an industry-by-industry standard, customized by companies within a given industry.”
A simple observation follows – there is no standard for ERM in telcos, and organizations like the GSMA Fraud Forum and the TM Forum are only embarking on the first tentative steps in that direction. Our risk senses should be tingling already – is their direction aligned to that of the people coming the other way? In other words, what is the route being followed by the people working in global risk across all industries? As they extend their work and tailor it for specific industries, are they walking a road that will meet with those who work in telecoms and are coming the other way? The only way to know is to reach out, make contacts, and find out who and what is coming in the other direction. That means being aware of trends in areas like corporate governance, a topic normally well outside the scope of the average RA manager. I can see some fledgling initiatives to take generic risk guidance and tailor subsets which will be relevant for particular industries. Getting involved with these helps me to track top-down progress, as well as bottom-up progress, and see how well the directions are aligned. Be under no doubt: there is a lot of ground to cover before the two will meet. Even so, the sooner we check that both camps have consistent bearings, the less frustration in orchestrating the meeting in the middle.
Indulge me as I also return to a favourite old topic, often discussed on talkRA – how RA has progressed over time. For example, see Hugh Robert’s excellent telling of the story of RA. To my mind, the theme has always been the same – take a little step, then another step, then another step. But whilst RA keeps growing and expanding, it has felt it has to ‘push’ into new areas, often against resistance. To give a stereotypical view of how RA has progressed, people started out dealing with problems in postpaid retail billing. Then they dealt with things that went wrong with systems and processes before the retail billing platform. Then they looked at wholesale and interconnect billing and settlement, or they looked at prepaid charging. Then they looked at other costs like dealer commissions or revenue share arrangements. Then they looked at network inventory, or customer experience management. In short, though we are fanning out in different directions, and covering more ground, each step is a little bit further than we travelled before. This is how we got from revenue assurance to what some people now prefer to call ‘business assurance’. But never before has somebody stood, far far away on the horizon, at the furthest point we can see, waving to us and calling us (probably by phone – it is too far to shout) to tell us we have to get to where they are, and we have to get there as quickly as possible. Never before has there been an enormous ‘pull’ from the forces behind risk management.
The pull of risk management will be very uncomfortable for some, no matter how many follow the current fashion of liberally throwing the word ‘risk’ into every conversation. When you are used to barging through closed doors and climbing over obstacles, and are used to painful and slow progress, it can be daunting to be faced by the wide plain and told you will need to run hard, long and fast to cover the ground and reach your destination. RA evolved in circumstances that suited, to use Hugh’s phrase, the monkeys and the giraffes – animals that are agile climbers or which are especially adapted to reach places that others cannot. The challenge of risk management demands animals that can run long and hard on the flat, covering vast distances. If the evolution from revenue assurance to business assurance has been the story of a little bit more followed by a little bit more and so on, then the evolution to ERM is most definitely not a little bit more. It is an awful lot more, with a long way to go in a direction determined by others, not decided by us. Now is not the time for slightly better monkeys or slightly better giraffes. Now is the time for gazelles. Those who want to make the journey will need to evolve. Those who want to step a little bit more, and a little bit more, and a little bit more will still make their own kind of progress, but they will not make it to the final destination. They lack the speed, stamina or sense of direction. So beware those who take a short walk and claim they have arrived at ‘risk management’. They went somewhere, but not far enough. Risk management is not a short walk down the road. Risk management is on the horizon.
From today, the talkRA editorial policy will change, to reflect the inevitable drive towards ERM in communications providers. We will publish content on an extensive range of risks for communications providers, alongside the existing content on revenue assurance and the related areas that we always included in our mission statement. I admit my vested interest – I stopped working in RA a long while ago, and have kept up my interest as more of a hobby than a professional need. I have made the leap into enterprise risk management, which means my career is actually turning full circle, as I worked in risk management before focusing on the niche risk silo that is revenue assurance. Back then, risk management existed as a loosely-affiliated bundle of risk silos, making specialization the likeliest route to career advancement. Circumstances have changed, and those silos really need to be brought together into the kind of integrated and holistic view of managing risk now being demanded by investors. No one silo should dominate or dictate to others. All have their relative merits and limitations. All need to find a way to work together, sewing together the patchwork. Environmental risk management, security, business continuity, insurance – we need to work with our colleagues to find a common understanding of the risks faced and the best ways to respond to them. Looking to the future, talkRA needs to review its mission statement and make sure it is fit for purpose in a changing world. Even the name of talkRA may need to change. But change is good. Evolution is good. We want better telcos, delivering better services to customers, and generating better returns to investors. Come with us as we dive into the ocean of risk, and swim towards future horizons.
A great post and one that needs and deserves more debate.
In the meetings and conversations that I have been a part of (both within and outside telcos), RA (using the traditional focus of RA rather than the wider business assurance definitions) hasn’t yet rated a mention as something that would hit the top 10 or so risks facing organisations today.
Why might this be? Perhaps RA practitioners have done a great job in removing leakage as a concern from the organisational consciousness. Possible but unlikely.
Perhaps then, its related to what I believe underpins risk and that is managing uncertainty. My thoughts are on not mature yet on this, but many organisations tend to build their revenue plans based on historical run-rates – which will then have any leakage already built into plan. So any leakages identified and fixed by RA (or anyone) are incremental to revenue – in essence, they are a nice bonus for the company. So why would boards worry about something that you never worried about in the first place?
Now, don’t get me wrong, RA has tremendous value to add to an organisation but how does it stack up to some of the other big risks organisations do concern themselves with – things like talent retention, competitive threats, disruptive technology, regulatory uncertainty, transformation projects, LTE roll-outs etc. It’s within this wider context of risk that RA will operate and I agree with your point that failure to understand what ERM may mean, could leave the unprepared RA manager shaking their head and asking “what just happened here?”.