Rene Felber’s recent article about change-blindness reminded me of one of my old posts. In particular, Rene wrote:
My daily work as a risk and revenue assurance practitioner at a telco includes understanding elements in depth, putting them together and discussing meaningful big picture information with the organization and then again focusing on the details and reinforcing processes and controls. With great regularity I appreciate that we construct a pretty complex picture which is rather difficult for most individuals to grasp.
Sometimes I imagine how valuable it would be to understand and share the full big picture with complete linkage to the detailed elements, in order to provide more meaning to individuals across the company. That’s truly difficult to realize – but it is worth trying.
In 2008, I came up with a metaphor to describe how the mind links detailed elements to a much bigger picture: the zoom. Like the lens of a camera, the human mind can zoom out and see the big picture, or it can zoom in and examine a small area in detail, but it cannot do both at the same time. An auditor, assurance practitioner or risk analyst must possess the skill to zoom in and out, whilst also being able to communicate the different pictures seen at each level of granularity, and explaining the connections between them.
One of the defining characteristics of a complex system is that a tiny change can have a huge impact, in the same way that the beat of a butterfly’s wings might change the course of a hurricane. Telcos are complex systems, where there is an extraordinary and rarely-understood interaction between millions of customers (both genuine and fraudsters), employees, management, software, hardware, and shareholders. Somebody somewhere must decide whether to invest vast amounts in rolling out new network capacity. Somebody somewhere else decides the protocols used so that differing network elements can talk to each other, or is responsible for configuring a back-end system. And yet another somebody somewhere is deciding whether to pick up their phone, and use it to speak to their mother, or husband, or boss. Within the milieux of these myriad interactions, there lies the potential for very many mistakes and failures. It is those mistakes that interest us, whether we are seeking to detect or prevent them.
Our work may involve tiny observations at the microscopic level. Examples include an error in a line of billing system code, a mistake in a tariff plan, a poorly-worded line in a contract, a similarity in the behavior of two suspected fraudsters, or a human tendency for our staff to perform a series of tasks in the wrong sequence. Because of complexity, the results may be macroscopic, leading to a very significant impact on the company’s revenues, profits, or share price. The connections may seem hard to believe; some will resist assigning such great importance to so many details. But history confirms the connection between the micro and the macro. The absence of simple controls over internet forms meant TalkTalk was vulnerable to a cyberattack that skewered its share price; some naughty code has tarnished the reputation of Volkswagen; and the incorrect interpretation of ambiguous tax rules leaves Sprint facing a gigantic lawsuit. The more I look at our modern world, and the stories that dominate headlines, the more I see proof of the connections between the micro and the macro, and a struggle to manage the associated risks. However, I also see confirmation that we are losing that struggle.
Sometimes we simplify. The trend towards fewer, flatter tariffs is a good example of how businesses can wisely reduce complexity. Another good example comes from BT, who presented at the last RAG on the way they are automating and increasing the use of standard clauses when drawing up contracts with customers of their Global division. Even Big Data is an example of simplification. Putting aside the sheer scale of Big Data and the cleverness of the technologies used, the purpose is to make large and disparate data sets more open to scrutiny. But otherwise, we face increasing complexity. The number of phones keeps going up, and they are increasingly likely to be powerful mobile computers instead of dumb clients. Machines are going to talk to machines, and an explosion in remote sensors and computing technology will lead those machines to have much more to say. And whilst better, cheaper technology may be the best friend of a good auditor, it can also be a friend to fraudsters and criminals, helping them to hide their nefarious operations amidst a crowd of ordinary customers.
I wrote about the zoom in 2008, and am gratified that some people still mention that post to me, and tell me the metaphor helped them to explain the challenges they face at work. However, as the old guard makes way for a new generation of risk and assurance professionals, it is not obvious to me that we have made sufficient progress with the central challenge posed by the zoom: how do we make it easier to zoom in and out?
Vendors have gone some way to helping us cope with the zoom. For example, there is software that semi-automates root cause analysis, and vendors are a lot better at presenting aggregated data in ways that help executives to understand the big picture accumulated from a lot of detailed analysis. The same cannot be said of the frameworks we use, the standards we follow, or the education we give to staff. The zoom is primarily a human conceptual skill; it cannot be addressed by automation alone. To take a current example, one of the reasons why it is so important to analyze the risk posed by OTT bypass is because it impacts telcos, governments and customers in so many different ways, and because there are so many drawbacks to every different mitigation strategy. A machine cannot imagine all those connections, and then seek to evaluate the overall risk, but we can. As life and business grow more complex, professionals need to become more skilled at managing the zoom.
So how should we improve the ways we manage the zoom? As Rene pointed out, he is a risk and revenue assurance practitioner. This connection of responsibilities is increasingly common, and for good reason. So let us actively work to build a bridge between disparate frameworks, as used by risk and assurance professionals. Instead of following an Enterprise Risk Management standard, like ISO 31000, and also following some separate assurance and anti-fraud standards which were built on different foundations, let us begin the hard work of integrating and streamlining these standards. This will make it easier to zoom in to the detailed checks and data analysis performed at the lowest level, then zoom out so we can communicate at the highest levels of management the value of our findings using methods that are clearly consistent with how all other risks and impacts are valued.
And as Rene is involved in the TM Forum, let me also implore him to devise a super-structure for the work done by a variety of different TMF teams. When I was head of the TMF’s ERM team, I was keen to emphasize how RA, fraud management, and asset assurance were subsets of a single universe of risk, and how that universe also included the management of security, safety, regulatory and strategic risks. The TMF should revisit the way it tackles ERM as a holistic challenge. If it does not, there is a danger it will craft a variety of point solutions without any thought for how they are all meant to fit together; this would be like telling a variety of bricklayers, carpenters, roofers, electricians and plumbers to build a house without anyone laying out a single architectural plan.
The difficulty with the zoom is that it is an abstract idea. But when we deal with complexity, we need to work with abstract ideas, and turn them into practical tools. Now, more than ever before, the challenge of complexity is too great for any one person to simply ‘see’ how everything fits together. Nobody is that clever. Nobody knows enough. Instead of trying to be geniuses like Archimedes or Einstein (and note that geniuses never get paid what they are worth), we need to turn great insights into engineering principles that can be followed by everyone, repeatedly. We need common methods so we can work together on big projects, just as networks need common protocols to talk to each other.
I believe the new generation of risk and assurance professionals have an advantage over the old guard: they are not prone to the false belief that one heroic professional can devise solutions for every problem. They know the world is too complex for the individual to manage it alone. A forum like the TMF needs to step back from presenting specific solutions to specific problems, and adopt a mantra of harmonizing with the analytical and evaluation techniques devised by others, including those which inform ERM standards like ISO 31000. And I suppose that we, as customers, should engage with such efforts to integrate risk and assurance analysis at all levels, whenever those efforts are genuine.
With that final thought in mind, let me encourage you to collaborate with others in the industry by completing the new TMF RA survey. You had better hurry; the deadline has been extended, but the survey will close on Monday 7th December. I recommend you submit your responses, but also agitate for change, by asking that the next survey be an integrated survey that cuts across departmental silos, and covers all the risk and assurance disciplines as one.