
Risk Management


“In school, we’re rewarded for having the answer, not for asking a good question”

This quote from Richard Saul Wurman aptly describes how the human mind, as part of its social development, adapts to the guideline of “finding the answers” rather than exploring the possibility of asking the “right questions”.

This mindset also shows in our workplaces. We are conditioned to seek the satisfaction of having an answer to every question, and in the process of staying ‘answer ready’ we become left-brain heavy rather than right-brain heavy. We become target driven and focus less and less on the fresh set of questions that could challenge us further and drive improvement and innovation.

The Fraud Management (FM) ‘function’ is no different. As a ‘revenue protection’ function in a large organization, it is expected to act like a small but important organ of the human body.
Like the hormone levels of an organ, the health of an FM function is measured in terms of subjective financial targets, whether monthly, quarterly or yearly. Corrective action starts only when the achievements are found to be ‘less than optimum’.

But, as an experienced doctor would say, it is your lifestyle you need to keep in check, not your hormone levels, to stay healthy!
Constant self-assessing questions such as “Am I eating right?”, “Am I sleeping right?”, “Am I sitting right?” and “Am I exercising right?” go a long way towards guaranteeing a healthy life. Periodic check-ups then become a way to confirm good health rather than merely a means of detecting illness or deficiencies.

Keeping healthy is a continuous process, whether for the human body or for fraud management. It is a practice rather than just a function.
To set up a continuously improving fraud practice in your organization, it is essential to keep asking relevant and timely questions across the following 8 pillars of that practice:

  • Influence
  • Organization
  • People
  • Process
  • Tools
  • Knowledge Management
  • Coverage
  • Continuous Improvement

While the questions may be organization-, risk- or region-specific, I personally always start with the following:

Influence:

  • Is our FM function in the driver’s seat, or in a secondary role working as a support function?
  • How should we enhance the influence of our FM function?
  • How do we keep showcasing the enhanced value of the FM function?
  • How do we extend our internal and external interfacing and make the existing interfaces stronger?

Organization:

  • How do we ensure fraud awareness keeps pace with changing business dynamics?
  • How do we enhance internal and external collaboration with the FM function?
  • How do we get a higher return on investment from the FM function?
  • How do we further reduce the impact of fraud on the bottom line?
  • How do we make our fraud management practice more proactive?

People:

  • Which is better: resource acquisition or resource development?
  • How do we safeguard ourselves against attrition?
  • Is our team structure agile enough while still following industry standards?
  • Do we have all the required roles, and are the responsibilities clearly defined?
  • Are we rightly staffed, understaffed or overstaffed?

Process:

  • Are my processes effective and easy to execute?
  • Are my processes future ready?
  • Are my processes agile enough to adapt to change within an acceptable turnaround time (TAT)?
  • Are we adopting and implementing industry best practices?
  • Which parts of my processes can be automated?

Tools:

  • Is the Fraud Management tool adapted to my business environment?
  • How do I ensure that the FM tool is fed accurate, complete and timely data?
  • Are my fraud controls effective and efficient? How do I reduce false positives?
  • How do I ensure 100% automated fraud risk coverage?
  • What capabilities do we need to acquire on the tool front to be future ready?
  • Are we ready for the enormous data surge likely to be seen over the next few years? How do we benefit from it?
  • Are we constantly learning from the industry in terms of fraud detection and prevention methods?

Knowledge Management:

  • Is there sufficient attention on upgrading to the required skill sets?
  • How do we enhance resource competency and knowledge against current and future services?
  • Is our team keeping pace with constant fraud mutations?
  • Is our team using the tools effectively and efficiently?
  • Is our team knowledgeable about and comfortable with our processes?
  • What are the top 5 areas of learning for the whole fraud function?

Coverage:

  • Are we aware of all the fraud risks we are exposed to? What are our current coverage levels?
  • Do we know the gaps in our fraud risk coverage? How can we improve?
  • What is our strategy for covering the fraud risks introduced by new products and services?
  • Are we ready for the fast-converging cross-industry environment and the risks it introduces?
  • What is our stand on customer-only and partner-only risks? How relevant are they to our business? Is our current stand obsolete?

Continuous Improvement:

  • What is our performance management strategy?
  • Do we have effective KPIs? Are they business relevant?
  • How can we continuously improve the fraud function’s effectiveness and maturity?
  • What metrics should I use to measure the health of the overall FM function?
  • Are we conducting sufficient and periodic root cause analysis (RCA) and decision analysis?
  • How do we gather accumulated wisdom and actionable intelligence for improvement?

Each of these questions can be a healthy point of discussion within your organization.
While they may give you a first-hand view of the health of your current fraud practice, more importantly they may also open the door to much more detailed, open-table introspective sessions, enabling you to come up with better and more effective questions.

Remember, the key to remaining healthy is to keep asking the ‘right’ questions.

As Albert Einstein rightly said: “If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask, for once I know the proper question, I could solve the problem in less than five minutes.”


Signalling-level risk, especially fraudulent access from connected SS7 networks, is one area making a lot of noise in the assurance and security functions of telecom organizations today.
The focus on the matter is such that most industry conferences discussing current and next-generation threats feature a lot of material on this topic, presented and shared by operators and vendors alike.

What is it?
Signalling-level risks generally refer to SS7 (2G/3G) and Diameter (4G) vulnerabilities, inherent or configuration-based, which expose operators to hacks and frauds through signalling control commands, especially in roaming and interconnect scenarios. The scenario becomes riskier when you consider that a normally configured SS7 infrastructure of an operator is accessible to any other operator in the world, either directly or through a certain number of hops.
Now consider a situation where a rogue operator exists, or where a group of hackers with malicious intent has gained access to the SS7 signalling of any less secure operator in the world.
The losses due to signalling risks, while still quite speculative, are expected to run into billions every year. Artificial inflation of traffic (especially A2P and P2A SMS), spamming, spoofing, refiling, profile modification, unlawful tracking and unethical disruptive activities by competitors are examples of risks which have been found to exist NOW, with an estimated 100% infection rate.

Why is it happening?
SS7 signalling-based vulnerabilities have existed for a very long time, but have made news headlines recently due to revelations by well-known ethical hackers at high-profile security conferences.
Some industry pundits make a point, which most of my industry connections agree with, that these risks exist mostly because operators tend to create unreliable partnerships and configure unregulated access (such as open GT access or acceptance of any signalling command), which enables malicious parties to connect to operators’ networks and conduct fraudulent activities very easily.
There have also been discussions about services exploiting these signalling-level vulnerabilities being offered on grey markets by rogue hacking communities for a price.

Can you eradicate these risks?
Ideal solution: operators need to sanitize their access configuration on SS7. Rethink, re-identify, re-evaluate and reconfigure the access levels.
But this is really difficult, or maybe nearly impossible, to achieve due to some practical issues on the ground, such as:

  • Most SS7 networks were configured a long time ago. Operators now face an expertise gap with respect to SS7, which limits their ability to reconfigure SS7-based networks.
  • It is a time-consuming activity which would also require a lot of effort on re-testing connectivity with all partners, attracting significant investment.
  • It may require reconfiguring signalling at the network level and, in certain instances, network downtime, a complete NO-NO for a lot of players out there. The situation becomes even more problematic in countries where telecom networks are considered national infrastructure.
  • Lastly, not every operator will take up this activity, for many different reasons, including operators not participating in the awareness meetings and conferences being organized around the world, or even some rogue operators deliberately participating in malicious activities.

The problem becomes much trickier given that even one infected, insecure or rogue operator in the world will continue to pose a threat to everyone else. Sanitizing every operator against these threats is a feat very unlikely to be achieved.

It is now unanimously accepted that SS7 signalling-based networks are here to stay (at least 10 years in developed markets and 20-25 in developing or less developed countries), and so are their vulnerabilities, which are expected to grow enormously considering the limelight the topic has received recently.

The bigger problem, which has started giving sleepless nights to the fraud and security functions of operators moving towards 4G, is that Diameter (the protocol providing the 4G signalling framework) has no native security standards built in; it requires security mechanisms to be implemented on top, a practice always found susceptible to gaps. Also, the access methods are similar to those of SS7, so 4G networks are exposed to signalling risks similar to those of SS7.

What can be done now?
For now, a detection approach would be ideal until the industry identifies a way to plug these vulnerabilities around the world, which is definitely a few years and a lot of research hours away.
An approach of detecting malicious signalling requests in your network still has a few complexities to manage:

  • High false positive rates: a lot of signalling requests that appear malicious turn out to be configuration issues on the partners’ side. Hence, domain expertise is essential to separate the ‘needle from the haystack’.
  • The sheer size of the signalling data to be analyzed: big data support is required.
  • Skill set: this activity will surely require knowledge upscaling and may be difficult for traditional teams like fraud and risk management to absorb. Even teams like security, with less focus on fraud domain know-how, are expected to find it difficult to add this activity to their set of responsibilities.
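As an added illustration of the ‘sanitize the access configuration’ idea and of the false-positive point above (example code written for this page, not code from the original post or from any vendor), the Python below screens inbound signalling requests against a partner GT allowlist and a per-operation policy. Requests from unknown GTs, and internal-only operations arriving from anyone, are blocked; a known partner sending an operation outside its agreed set is routed to analyst review instead of being dropped, because that is where partner misconfiguration lands. The log format, GT values, the policy sets and the MAP operation names used as labels in them are all constructed assumptions, not any operator’s real configuration.

```python
"""Allowlist-based screening of inbound signalling requests (added example).

Constructed sample data; the log format, GT numbers and policy sets below are
assumptions for illustration, not any operator's real configuration.
"""
from collections import Counter

# Assumed: global titles (GTs) of partners with a signed roaming/interconnect agreement.
PARTNER_GTS = {"441000000001", "491000000002"}

# Assumed policy: operations a roaming partner legitimately needs to send us.
ALLOWED_PARTNER_OPS = {"updateLocation", "sendAuthenticationInfo", "sendRoutingInfoForSM"}

# Assumed policy: operations only our own core network should originate; accepting
# them from outside is the "acceptance of any signalling command" problem.
INTERNAL_ONLY_OPS = {"anyTimeInterrogation", "insertSubscriberData"}

# Constructed log: timestamp | calling GT | MAP operation | affected subscriber.
SAMPLE_LOG = """\
2016-03-01T10:00:00Z|441000000001|updateLocation|IMSI-A
2016-03-01T10:00:01Z|441000000001|sendRoutingInfoForSM|IMSI-B
2016-03-01T10:00:02Z|491000000002|sendRoutingInfoForSM|IMSI-C
2016-03-01T10:00:03Z|491000000002|provideSubscriberInfo|IMSI-C
2016-03-01T10:00:04Z|999000000099|anyTimeInterrogation|IMSI-A
2016-03-01T10:00:05Z|441000000001|insertSubscriberData|IMSI-B
"""


def parse_line(line):
    """Split one log line into a record dict; raises ValueError on malformed input."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        raise ValueError(f"malformed signalling record: {line!r}")
    ts, gt, op, subscriber = parts
    return {"ts": ts, "gt": gt, "op": op, "subscriber": subscriber}


def classify(record, partners=PARTNER_GTS, allowed_ops=ALLOWED_PARTNER_OPS,
             internal_only=INTERNAL_ONLY_OPS):
    """Return 'allow', 'review' or 'block' for a single request.

    block  : unknown source GT (closes open GT access), or any sender using an
             operation that should never arrive from outside the home network.
    review : a known partner sending an operation outside its agreed set; often a
             partner-side misconfiguration, i.e. the false-positive source the
             post warns about, so it goes to an analyst rather than being dropped.
    allow  : known partner, agreed operation.
    """
    if record["gt"] not in partners:
        return "block"
    if record["op"] in internal_only:
        return "block"
    if record["op"] not in allowed_ops:
        return "review"
    return "allow"


def screen(log_text, **policy):
    """Classify every non-empty line of a log; returns a list of (record, verdict)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        results.append((record, classify(record, **policy)))
    return results


def summarize(results):
    """Count verdicts per source GT so a burst of 'review' from one partner stands
    out as a likely configuration issue rather than many separate incidents."""
    return Counter((record["gt"], verdict) for record, verdict in results)


if __name__ == "__main__":
    screened = screen(SAMPLE_LOG)
    for record, verdict in screened:
        print(f"{verdict:6} {record['gt']} {record['op']} -> {record['subscriber']}")
    for (gt, verdict), n in sorted(summarize(screened).items()):
        print(f"{gt}: {verdict} x{n}")
```

The per-GT summary is the part an analyst actually uses: one partner producing a stream of ‘review’ verdicts for the same operation is far more likely to be a routing or configuration mistake on their side than a campaign, and treating it as one ticket rather than hundreds is what keeps the false-positive load manageable.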

I feel industry partnerships with vendors possessing the domain knowledge, the right skill set and technology built on a big data platform are the way to go.

Considering that no one has a complete answer to this rampant problem of signalling vulnerabilities as of now, these partnerships need to be built on solid vendor capabilities while being both liberal and experimental, to give room for exploration.


Operators and global industry forums continue to wrestle with the question of whether or not to merge their fraud and security teams or work-groups to cope better with criminals who break in through IP-based networks to derive profit for themselves (or their causes), or just to wreak havoc and disruption on their “enemies”. Fraudsters are not just partaking in the traditional crimes of bypass fraud, roaming fraud, dial-through, AIT/PRS, call selling fraud and so on, but also the exciting new stuff: phishing, malware, spoofing, DDoS, Trojans and the like.

One can be forgiven for thinking that fostering closer links between the fraud and security domains is breaking new ground in responding to the threats posed by 4G/LTE, NextGen, the continued growth of e/m-commerce and the proliferation of data passing over networks. I guess it is a sign of my advancing years that I can’t help feeling we have been here before…

15 years ago, when I was prepping for an interview for my first job in the fraud management arena, I listened open-mouthed as a fraud expert explained to me the finer points of PBX hacking. Thinking back, two things were very clear:

  1. The operator in the UK already had a merged fraud and security group (which they later separated, then subsequently re-merged, by the way).
  2. The main advice to combat PBX hacking was prevention, not detection, and that meant security prevention. The operator was keen to tell its business customers that they needed to physically lock away their PBX equipment, protect their passwords, switch off unnecessary or vulnerable services such as DISA/voicemail, carry out security awareness training for switchboard operators, support staff and suppliers, use barring at switch or extension level, keep PBX call logging records to spot hacking attempts before they succeed, shred old copies of internal directories, vet their security and cleaning staff, and so on. The FMS only stepped in when all the prevention activities had failed and the PBX was breached. By the time that happened, operators were already losing money, directly if they were responsible for the switch, or indirectly if their customers were liable. Customers may have been unwittingly facilitating the fraud through their lack of security awareness, but even so, if a small business used to paying perhaps $1000 a month for calls suddenly gets a bill for $20000, they are going to fight it, refuse to pay it or be unable to pay it. The indirect cost to the operator of customer complaints, disputes, potential court cases, damage to the brand, bad publicity, negotiated settlements, debt write-off and churn can far exceed the original bill. It was a lose/lose situation… unless you were the fraudster.

These days, with the emergence of 4G/LTE and IP-based networks, perpetrators are still committing the same underlying crime for the same motives as before, but now they are breaking in through a host of different entry points, wearing better disguises, carrying bigger swag bags and using faster getaway vehicles. In truth, many operators are struggling to keep up with the high number and seemingly unpredictable nature of these attacks.

Security teams are traditionally very good at preventing access to networks, but they are not perfect. The pace at which network elements, components, interfaces and transactions are increasing makes it impossible for all preventative measures to be in place from day one, not to mention the surfeit of off-the-shelf tools that fraudsters can use to break into more and more lucrative areas of daily commerce.

In practice, prevention alone cannot succeed. Detection, analysis and response are also essential elements of the fraud management cycle.

[Figure: Cycle]

So, my point is this: security and fraud teams cannot operate in silos. Security teams must continue to try to prevent malicious intrusion as much as possible. That requires taking in a lot of real-time data from the access points, identifying the nature of the content and the data patterns, and quickly blocking anything that looks dubious. But when the intruder gets in (and they do, in numbers), that is when the fraud team can also play its part.

Whilst the security team controls corporate IT networks, how well can they police the mobile workers and homeworkers, the tablet users, the App Store/Android users and so on? And if you think that profiling subscribers was difficult historically, how much harder is it when you can’t even define what a subscriber is, let alone track their behaviour? In the new world, the relationship between account holder, subscriber and product/service is not always obvious. The billing relationships for transactions can also be mind-boggling. Couple this with the speed at which these transactions take place and the value of the services and content being passed across a proliferation of bearers, and you have a minefield to negotiate.

This is where a good Fraud Management System can supplement an operator’s security tools. An FMS must now be equipped to take in much larger volumes of data than before, in many different forms, and process it much quicker. Any reputable FMS vendor will now be offering solutions with large-scale, flexible data handling tools (including probe / deep packet inspection events), internal and sales partner audit logs and feeds, inline service/transaction monitoring, exhaustive rules engines (real-time, in-line and statistical), subscriber grouping and profiling features, reference data including hotlists/blacklists, fraud and device “fingerprinting” capabilities, ID verification, alarm prioritisation and established, flexible workflows, with a range of analytics tools and visualisation features. All these components, in the hands of an experienced and well-managed fraud operations outfit, will help to choke fraudsters and drive them out to look for easier targets.

So, in summary, don’t let the security guys take all the strain at the prevention stage. Share the data, share the knowledge and spread the load to the fraud team for a more comprehensive response.


People of a certain “vintage” will remember well the speech by former US Secretary of Defence Donald Rumsfeld when questioned on the lack of evidence linking the Iraqi government with the supply of chemical weapons to terrorists. For many of us it took a second hearing to fully appreciate the difference between our “known knowns” and our “known unknowns”, and if you are anything like me, then the concept of ‘unknown unknowns’… well, that took a little bit longer!

The speech has been the source of much discussion through the years, and the basic principle has been applied to many situations and domains, including fraud management. However, one of the most interesting parts of the speech has largely been overlooked in all of the focus on the “knowns” and “unknowns”. In responding to the question, Rumsfeld’s first sentence was:
“Reports that say that something hasn’t happened are always interesting to me.”

Fraud management, as with most other operational functions, is largely focused on something happening, whether that is configuring rules in the Fraud Management System or working out the effectiveness of your business function (people and process). The emergence of certain fraud types through the years has started us on the track of reaping the benefits of looking at things that have not happened as a detection method, but for many organizations the principle has not been fully embraced.

Most organizations are now looking into more detailed analytics, but within these analytics programs, how much emphasis is put on things that didn’t happen? Additionally, in a dynamic environment such as telecoms fraud management, even what we “think” we know (“known knowns”) may be rapidly outdated or superseded.

In the “Big Data” era things are likely to be even more challenging for fraud professionals, as the haystack just got a lot bigger, so even trying to keep on top of what we think we know is going to be a challenge. To start uncovering our “known unknowns” and “unknown unknowns”: that will take INSIGHT.



The Subex Tweetup Series is an initiative for Subexians to share their knowledge and experience in the field of emerging telecom trends and practices through social media interactions.

Today, Mr Rohit Maheshwari (Sr Director Business Consulting APAC) shared interesting insights on internal fraud. Internal fraud has been a key area of concern for telecom operators for a long time. With the advent of new services like IP services, mobile money and others, operators will be more exposed than ever. The link below contains more information on the conversation with Rohit. Please feel free to comment and add more inputs…

http://storify.com/ravishpatel/subex-tweetup-internalfraud

Whoever thought that the above picture would give flutters of fear to senior management one day?

But thanks to Mr. Nassim Taleb, who brought the concept of the “Black Swan” event to the forefront, it’s what sleepless nights are born of. Of course, the Natalie Portman movie comes a close second…

Let’s start off with what Enterprise Risk Management is all about. As per Wikipedia:

“Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.”

I came across another definition by Jim Deloach, which I felt was equally (if not more) clear:

“Enterprise Risk Management is the discipline, culture and control structure an organization has in place to continuously improve its risk management capabilities in a changing business environment.”

Essentially, my distillation of ERM is that it is a framework which helps an organization manage risk. Now, in a similar manner, I’m going to try and distill the Who, What, Where, When and Why of ERM. Please feel free to correct me, as I think I’m going to be a student of ERM till my dying day (not because of any misplaced sense of passion, but because ERM is an ocean).

Who

ERM is a complex, complex subject. Let’s begin by trying to understand who owns the ERM framework.

ERM is a bit like voting: it’s everyone’s responsibility, but it tends to get forgotten in a world of everyday complexities. However, the buck should and will stop at the CEO. Under the CEO, we might see specialist roles like the Chief Risk Officer, Risk Managers or Auditors.

What

Hmmm… didn’t we just define what ERM is? If we assume we know ERM because we know its definition, I would say we are making the same mistake as the crew of the Titanic: what you see is a small part of a large thing.

ERM incorporates, as per COSO, 8-odd elements, from Internal Environment to Monitoring. If I attempt to simplify, ERM constitutes all the elements of universe measurement, goal alignment, risk and mitigation, and measured monitoring.

Where

Okay, so there’s a huge laundry list of ERM-related activities. Now, where do we apply them…

As with everything else about ERM, my answer would be everywhere. ERM figures in all your day-to-day operational activities, all the way to your 10-year strategic goal. In my experience, the space where ERM is given due importance today is primarily compliance. Various findings have pointed out that ERM, as a complete practice, is quite immature.

When

Ah, this question. To be honest, I do not have a complete and convincing answer for this one. I would encourage you, the reader of this post, to provide your perspective.

In my view, the earlier the better. ERM is a vast area, so it is useful to start your ERM practice while the internal processes and the risk universe are still manageable.

Why

Why, you ask? In the words of George Mallory, when asked why he wanted to climb Mount Everest: because it’s there.

To expand on this, ERM enables the business to safeguard itself against a potential cascade of risks which would threaten its existence. ERM enables large organizations to be nimble and respond to opportunity. ERM aligns the organizational goal across all its functions, not only from an operations perspective but all the way into the strategic horizon. ERM would, though indirectly, improve customer and shareholder perception of the organization. I would say that the real question here is: why wouldn’t you implement an ERM framework? Here again, I invite you, the reader, to give your perspective.

After reading this post, the obvious question on your mind might be: where do the swans come in? I think I’ll leave that for another post. The intent of this post was to provide a base on which we can build.

Author’s note: I wish I knew whom to credit for the wonderful picture I have used in this post.
