I rarely include mathematical symbols in the title of Commsrisk articles but perhaps this will change after my recent pledge to disseminate more data through this website. There is only one problem when pursuing that particular goal for the risks faced by telcos: there is very little publicly available data.
We do have multiple lousy, biased surveys that draw upon tiny unrepresentative samples, but I struggle to understand why any competent risk manager would confuse the results of such a survey with reliable information. Aggregating the opinions of a dozen people who each apply a different interpretation to the same question is not the same as obtaining facts. This point is so straightforward that it should not need to be said, especially within the discipline of risk management, where the most important skill is the ability to draw mathematically sound inferences from the data that has been gathered. Nevertheless, it needs to be reiterated precisely because some people who claim to be expert in telecoms risk management routinely exploit the absence of mathematical skills and sparsity of public data in order to push some of the most idiotic dogmas I have ever heard. Here are some genuine examples of fact-free nonsense spouted by well-paid practitioners of telecoms risk management.
- You do not want to do too many tests. The more tests you perform, the more failures you find, and then you will never be able to explain them all.
- Telecoms charging is accurate to one thousandth of a percent.
- You can depend on customers to identify when they have been overcharged.
- Fraud must be occurring in our country because the mobile penetration rate is over 100 percent and nobody needs two phones.
- Relying on a sample is always risky because errors are more likely to occur in the places you did not look. It is more cost effective to check everything.
- 100 percent coverage in the assurance of revenues is unlikely to be cost effective.
The last two examples are especially egregious because I heard both fallacies repeated by the same person!
Telecoms risk management is not getting any better because, with the exception of the RAG Wangiri Blockchain, the numpties responsible for the worst dogmas have always been successful in blocking every attempt to increase transparency and the volume of robust data available for analysis. They do this because they profit from overselling when it suits them to oversell (“check everything because samples cannot be trusted!”) and they want to manipulate your budget when they have nothing to sell (“you are wasting money by trying to assure revenues for which I cannot sell you a product!”).
The data in the RAG Wangiri Blockchain is giving many telcos a fresh perspective on how their fraud intelligence compares to that of other telcos, so it is notable that the main counter-arguments also depend on dogma from vendors (“other fraud management systems deliver more false positives, so the benefits of sharing data are outweighed by the downsides of relying on poor data”). What is especially intriguing is that some telcos also parrot this argument. These telco managers genuinely believe they have superior data, and that their efforts to combat fraud would be somehow polluted by having access to more data of a lower quality. But this argument must be dogma, whether it comes from a vendor or a telco, because how can you possibly know that your data is of a higher quality than other data you refuse to look at?
Data is greater than dogma because only data can prove that dogma is wrong. Thankfully, this does appear to be a lesson understood by an increasing number of professional risk managers. Sadly, these professional risk managers work in sectors other than telecommunications. When I started working in telecoms I was impressed by the opportunity to harness enormous volumes of data that were beyond the imaginings of businesses in most other sectors. The exceptions to that rule were risk managers working for financial services and information technology businesses, but I believed that telcos would learn from their counterparts and rapidly close the skills gap. I was mistaken.
Instead of drawing on the proficiency of risk management in finance and IT, telcos have kept falling further behind, and have consequently been overtaken by the superior risk management techniques that can now also be found in sectors like media and logistics. Professionals in those sectors have embraced new networked monitoring capabilities that telcos always took for granted. The tragedy of the faux gurus of telco risk management is that they not only damaged telcos through bad risk decisions, they also doomed themselves and their acolytes to a low-skill dead end for their careers. Businesses willing to pay for superior risk management are not going to waste money on the idiot dogmas of people who emphasize that their value stems from how much they know about the detail of telco operations, but who then evidently rely on assumptions and instincts because they are so averse to using objective data to inform their risk analysis.
So if there is no data in telecoms risk management, and if the dogmatists successfully obstruct the sharing of data by telecoms risk managers, then how might we escape their intellectual and professional dead end? I was recently reminded of a side step I took many years ago. Hugh Roberts is the kind of person whose ability to visualize the future stretches so far ahead that some can struggle to see how he intends to get from here to there. In 2004 Hugh persuaded the TM Forum that it should encourage the birth of a revenue assurance working group. Hugh then called me and asked that I attend its first meeting, to guarantee at least one telco was represented in the room. So it was 17 years ago this month that I found myself in Newport Beach, California, and needing to contribute at least one new idea to this nascent RA team. I spoke about a topic we were experimenting with in T‑Mobile UK at the time: adapting the Capability Maturity Model of Carnegie Mellon University into a strategic roadmap and means of evaluating the maturity of revenue assurance. The suggestion was successful, in the sense it was adopted, and an utter failure, in the sense that data-free dogmatists ruined it, which was why I ultimately walked away from that TM Forum group some years later.
Whilst the Capability Maturity Model was created for use by software developers, it was the product of a rigorous examination of data collected from real organizations. The adaptations that we made in T‑Mobile UK were modest and tentative, based on the recognition that there was much in common between tasks like testing software and performing reconciliations of information systems, but that we did not have a lot of data from other telcos to justify radical alterations to the precepts of the original Capability Maturity Model. Our goal was hence to benchmark ourselves against a hypothetical timeline for improvement that mirrored that found in the software industry, whilst also encouraging other telcos to contribute their own revenue assurance maturity assessment so the model could be refined by reflecting on the data they provided. It came as a shock to the system to realize the dogmatists just intended to manipulate any data to fit the conclusions they wanted (“the secret to increasing maturity is to increase spending on our products!”) with the result that later iterations of the model became a futile exercise in telling the world how it should be, whilst showing no regard for empirical data that conflicted with their diktats. This gap between data and dogma became so severe that the leader of the TM Forum’s RA team openly complained that people completing his mangled RA maturity assessment were “deluded” because they did not give the answers he expected from them.
That was a terrible and sad episode within the history of telecoms risk management, but representative of much that has gone wrong. I was reminded of it only because of some recent good fortune which has seen me spending more time speaking with people who live in California about advances in risk management made by people whose careers are oriented around information technology. Much like the Capability Maturity Model offered a useful analogy to the work conducted inside telcos whilst being based on real data, these people have also been doing fascinating work in risk management and business assurance in total ignorance of the telecoms sector, but with great relevance to telcos if correctly reapplied. The experience has shown me how my career and the content covered by Commsrisk can be re-grounded in robust data.
One of these American information risk professionals kindly suggested I watch the annual conference of the Society of Information Risk Analysts (SIRA), a not-for-profit that has focused on quantitative management of information risk since 2011. Given that I always argued telecoms revenue assurance is a subset of information risk management, as exemplified by applying the original Capability Maturity Model to telcos, I foresee tremendous potential for telcos to reuse many of the methods to be covered during their event, SIRAcon21. And it is another good sign that the SIRAcon21 agenda includes a keynote speaker who has previously impressed audiences at several conferences organized by my association, the Risk & Assurance Group (RAG)! Anyone can register for online participation in SIRAcon21, which will be held August 4-6, but it will cost you USD300. However, that seems like great value compared to the amounts charged by dogmatists who have no new advice to share beyond the results of their latest crappy survey.
I knew I would like SIRA as soon as I learned their motto is data > dogma. When it comes to managing risk, this is the only principle that I will ever be dogmatic about.