Thursday, March 12, 2009
While it was amusing to watch the show, it set me thinking on some deeper issues around the meltdown that didn’t seem to have received the attention they deserved – the entire idea of ‘Governability’. The hundreds of billions in bail-out have gone largely into salvaging troubled mega corporations, with their toxic assets, and not to the smaller banks and other financial institutions. In fact, the smaller banks seem to be wooing away business from the big banks because of their stability and proximity to customers.
The question is: has the growing diversity of business under a single umbrella since the repeal of the Glass-Steagall Act in 1999 made governance difficult? Has the complexity of the various financial and derivative products made it impossible for executives and the board to manage the inherent risks in the business? Is there a size beyond which no company can be governed or managed effectively?
Expectations from the board and management
It is expected (and justifiably so) that the CEO and the executive leadership team are in complete control of all aspects of the operating and financial performance of a company. It is also expected that the board has the ability to oversee and govern the company at a sufficient level of depth to assure itself that it is well managed, that the business and financial risks are attended to and that the organization is legally and ethically above board. I would look at this as the basic fiduciary responsibilities of the executive team and the independent board members.
However, as a company becomes large and more complex, there is bound to be a point where the board and management are unable to provide the requisite executive attention and governance oversight to all critical aspects of the business. It is at that point that the company becomes too big to be governable.
How big is too big?
As always, there is no universal definition of appropriate size. It is for the board and the management to determine the point at which they feel they’ve lost control of all critical aspects of the business.
Just imagine the plight of independent board members at any large bank with hundreds of different lines of business, countries of operations, products, exposures and risks. Are they really capable of understanding and overseeing the various aspects of the business they have undertaken a fiduciary responsibility to govern?
Clearly, a Bear Sterns and Lehman, which could not predict their own fall a few weeks ahead of the actual occurrence, were too big. The management and the board were clearly not in control of the business. It is likely that a Bank of America, which looked solid but had to seek a government fund injection soon after its Merrill acquisition, may also be too large to be governed.
There are many factors that have contributed to the meltdown. The pursuit of growth and market dominance at any cost have led companies to bite off more than they can chew.; This has led not just to indigestion, but death or near death. To maintain the integrity and health of our financial systems, it is critical for the regulators to apply themselves to the aspect of governability.
Bringing governability into sharp focus
To bring governability and manageability into focus, we must clearly define the accountabilities of the CEO, his leadership team and the independent board members. We need to clearly distinguish between the corporation, as a distinct legal entity, from its management and board.
When someone is appointed as a CEO or as a senior executive in a corporation, there is an implicit understanding that he would perform his function with diligence. Similarly, it is expected that every independent board member will discharge his or her role with the same level of diligence and professionalism.
It is the responsibility of the management and the board to ensure that the company does not become unmanageable and ungovernable in any way – either in terms of size and / or complexity. This can be enforced by making the executives and board members personally accountable for negligence and misconduct in the discharge of their responsibilities. This is similar to the professional liability carried by any other professional, like a doctor, lawyer or accountant.
While Sarbanes-Oxley brought a level of individual accountability at the executive and board level to the accuracy of financial reporting, it could not prevent the failure of these mega corporations. The need, therefore, is for regulations to go beyond reporting accuracy to adequacy of management supervision and board oversight to the critical aspects of a corporation’s functioning.
The meltdown has brought out the shocking realization that the current form of capitalism is far from perfect and that free market mechanisms can create global havoc. While the economic repercussions have been quite severe for employees and investors, one of the few positive outcomes could have been to take a fundamental relook at the current financial system and subject it to a major overhaul. We have lost a significant part of this opportunity because of government interventions and bail-outs. It is now imperative for regulators and corporations to do what it takes to avoid a repeat of this fiasco. Ensuring manageability and governability is one necessary step in this direction.
CMD Mastek Ltd
Wednesday, March 4, 2009
We need concerted efforts along two broad streams to buck the trend and make the most of the downturn – increasing agility and discovering new opportunities.
One of the unique trends over the past year or two has been the increased variability of the external environment in both directions. As an example, gas prices went from $60 per barrel to $140 and back to $40 all in a matter of two years. The dollar, which had weakened considerably against the rupee, suddenly gained 28% against the rupee in under 12 months. In our own case, we saw a growth of 34% last year and we are now looking at less than half that number.
The level of variability is likely to continue in the future. The challenge for companies like us, then, is to respond to a downturn with the same speed and poise as taking advantage of an upturn or a special market opportunity. To illustrate, suppose we expect to make $16 of profits on a planned revenue of $100, we should be equally able to maintain that $16 profit if the revenue drops to $85 or take advantage of some sudden market opportunity and raise revenues to $115. Such variability of demand requires a lot more variability on our delivery and support side than we have today. I’d like ideas from all of you on how we can become far more agile as an enterprise – since this could be a significant competitive advantage for us in the future.
Discovering new opportunities
We know that the opportunities for new solutions and new platforms will grow exponentially as the markets revive. However, we still need to grow in the interim. We have made substantial investments in bringing in new leadership, in UK and US.
Our hypothesis is that there will always be visionaries and early adopters who will embrace new platforms ahead of the curve, and we need the leadership bandwidth to identify and capitalize on these opportunities. We are also expanding into Canada and parts of Europe to discover new opportunities within our existing verticals. I must mention that John and the North American team had a great turn out of prospective customers and partners when we did our Canada launch early February.
We need more ideas from all of you on new approaches to discover these opportunities. For instance, when I addressed Mastekeers in Pune, one person came up with the idea that we could leverage the virtual bench by training them in highly specialized, niche technologies / applications so that we can go after these market opportunities. I’d like our sales teams to figure out whether we have such possibilities within the insurance, wealth management or healthcare vertical – where we can bring in special expertise in some rare technologies / applications. Many more such ideas are required for us to buck the trend and grow faster than the industry in the next year.
These are uncertain times for businesses as well as individuals. Just as enterprises need to go the extra mile to emerge stronger from crises, so do professionals. This is the time for all of us to -- individually and collectively -- reflect on what we can do to make ourselves more relevant in the current context. This is the time for us to go beyond our existing skill sets and acquire new capabilities and knowledge to grow as individuals and professionals.
I invite suggestions and ideas from all of you on one can do to stay relevant and make a difference to themselves, their company and its customers.
In our internal discussions it came out that as a company we had no systematic process to deal with a terrorist attack. It became clear that we need a larger plan to cover the Business Parks that we operate in. At our SEEPZ facility, therefore, we called a meeting of all the companies operating from there along with the Commissioner. We were glad to note that the Commissioner had already received a directive from the Ministry of Commerce to beef up security within the zone.
However, we realized that this was important but inadequate. We require a Level 1 plan that involves not just the SEEPZ security personnel but also the security officers of each company. The plan would have to address various possible attack scenarios and how each company would be alerted, what response measures they would need to take and so on.
Further, we need to work out a Level 2 plan with the local police station, fire brigade, ambulance services etc. to handle situations that escalate beyond the ability of the SEEPZ security forces. Similarly, we need higher levels of escalation to the appropriate forces. We are planning to involve these agencies in our future meetings.
We are looking for NASSCOM and other industry groups to contribute to this process, even involving specialists from India and abroad who can advise us. It is important that every company, industrial park or zone, or residential colony gets together to formulate its own plan of response.
The events in Mumbai have clearly brought out a lack of preparedness in responding to terror in a systematic fashion. It would be pragmatic to have systematic approaches to responding to these attacks.
I envisage that a systematic response plan will involve the following:
- Classification of locations / building based on potential risk – high-risk buildings to low-risk buildings
- Prescribing different levels of security preparedness based on the nature of risk
- Coherent response strategies for different risk scenarios
- Close coordination with the security personnel in the location as well as proximate security forces
- Clear definitions of escalation levels, response times and processes, and handing over charge to forces of higher caliber at appropriate junctures
It will definitely be worthwhile to collaborate with the security agencies of other countries to learn and share best practices. It’s only with sustained, concerted efforts between governments and the public that humanity will discover the means not just to thwart terrorism but to eliminate it from the face of the earth.
Looking forward to other ideas from all of you.
Monday, January 5, 2009
The subprime crisis and the subsequent meltdown have had a mind-boggling impact across the globe. In this article, I would like to focus on their impact on the Indian IT services industry and the opportunities it is likely to throw up for companies operating in the ‘third wave’.
Three waves of evolution
When we look at globalization, specific industries in emerging economies typically go through three waves of evolution. The electronics industry, first in Japan, then in South-East Asia and now in China, are good examples of this. In the first wave, companies in emerging economies typically act as component suppliers to developed countries that manufacture the complete product. In the second wave, the local industry gains enough expertise to provide cost-effective contract manufacturing services—of either the entire product or major sub-assemblies. The third wave is when a set of firms start marketing these products under their own brand—initially within their own countries, and then going international.
We can trace the evolution of the software services industry in India using a similar paradigm.
Wave 1 (proving capability through people) started in the 70s and 80s and peaked in the mid-90s; it established the competence of the Indian software professional and the industry got results largely through staff augmentation.
Wave 2 (offshore development) established India as a destination for low-cost, high-quality programming services. The catalyst was the Y2K bug and Indian companies’ success in delivering these projects cost-effectively. Many Fortune 1000 companies discovered that moving their application maintenance and ongoing development activities to India was viable and attractive. The second wave of Indian IT started in the mid to the late 90s, and is at its mainstream phase today.
Wave 3 (strategic value delivery), which is emerging, will be characterized by Indian companies moving to high-value, IP-led services that are strategic to the customer and hence command premium, value-based pricing. The industry is already facing a severe shortage of talent, rising attrition levels and increasing salary costs. All indications are that the linear relationship between growth and headcount will not be sustainable. The future is in creating strong brands out of India that command the respect and trust of large global customers and hence the appropriate value.
Orders of short-term impact
The first order impact of the crisis is related to the banks that have either been unable to survive as stand-alone entities (like Bear Sterns and Lehman) or have taken a deep hit and are trying to recover on their own. These institutions may cancel some contracts, and downsize others. This will have an immediate impact as most of them are large customers of Indian services firms.
The second order impact will be on firms with large investment portfolios that have been exposed to subprime lending. A prime example is AIG. In such cases, the firms may get more conservative on new initiatives and discretionary projects, thereby impacting the revenues of Indian firms that service them.
The third order impact is based on fears of recession and the general conservatism that it is likely to bring in discretionary spending.
Given that 30% or 40% of Indian IT services revenues come from the BFSI segment, Nasscom has brought down its growth estimates from 30% to between 21% and 24% for the year.
The longer-term opportunities
While we can blame blind optimism and greed for the present crisis, at a more fundamental level it is a failure of systems. The quality of underwriting at the point of loan origination has failed. Systemic controls that ensure uniform and consistent application of underwriting rules would have done much to avoid bad loans. Credit scoring that took into account not just the propensity to pay but also the quantum of debt that a person had any hope of repaying would have brought these issues to light much earlier.
Better transparency and visibility of the underlying asset portfolio, and a more balanced approach while packaging a set of mortgages into bonds, would have helped monitor the health of the assets and the loans in real-time.
Better controls and risk management systems governing individual firms as well as the entire financial system would have helped to track the quantum of leverage and the risks associated with it—both from the perspective of board governance and regulatory oversight.
For too long, large institutions have been trying to get away with spending 80% of IT dollars on maintenance and only 20% on new initiatives. In a recent Information Week article, Rob Preston argues strongly against the 80-20 rule, and says that IT’s top priority is to release money for new projects.
The financial crisis is forcing mergers of huge, complex institutions that were individually ungovernable in the first place. The only possible way these institutions can be managed is with substantial investments in new IT applications that can track all the nuances of the underlying operations and provide meaningful online, real-time controls.
Implications for Indian IT
Clearly, the need is to reduce maintenance budgets and increase transformation budgets. Reduction in maintenance budgets will force companies to send more work offshore, which is good news for the Wave 2 services players in India. However, customers will force the vendors to bring in new efficiencies, and expect aggressive cost improvements year on year.
There are tremendous opportunities for the Wave 3 companies that have the expertise and intellectual property assets to bring better governability and manageability to these large enterprises. Indian companies will probably have to partner with local firms that have this expertise or hire these experts in-house (easier now). This is the time for these companies to make the investment so that they will be able to reap the benefits in the years to come.
We had several internal calls at Mastek, with our leadership teams in India and globally, trying to find out whether any of our employees or their families had been affected in any way (thankfully not), and how we should handle the impact of these attacks on our global clients, employees and partners.
During the past week, besides news reports, I have been watching the email trails, with hundreds of people expressing their anger and frustration at our inability as a city and a country to prevent such an attack or deal with it quickly and effectively. I’ve been a Mumbaikar for most of my adult life, so I can understand these reactions to terror striking so close to home.
However, while engaging our own teams in how we should respond to this situation in a pragmatic manner, I realize that we need a bottom up approach just as much as we need a top down approach. I also realize that we can have an effective mechanism to thwart terrorism, or at least contain the damage, only when all of us as responsible citizens and corporations plan for and demand a coherent response from the various security forces.
In our internal discussions it came out, quite obviously, that as a company we had no systematic process to deal with a terrorist attack. While we had fire drills, disaster recovery plans and business continuity plans as an essential part of serving a global clientele, we had somehow ignored a terrorist attack as a possibility. We have now set out to have this as part of our disaster response and recovery plan as a company.
In doing so, it became clear that we need a larger plan to cover the Business Parks that we operate in. At our SEEPZ facility, therefore, we called a meeting of all the companies operating from there along with the Commissioner. We were glad to note that the Commissioner had already received a directive from the Ministry of Commerce to beef up security within the zone.
However, we realized that this was important but inadequate to deal with a terrorist situation. What was required was a Level 1 plan that involved not just the SEEPZ security personnel but also the security officers of each company. They had to address various possible attack scenarios and a systematic response plan in terms of how each company would be alerted, what response measures they would need to take and so on. To ensure that people know how to respond to an attack, each company needs to have a core security task force with adequate training as well as drills.
As an example, while our fire drill expects people to leave office in an orderly fashion and assemble at a specified point a few meters from the building, a terrorist attack response will obviously need a very different strategy.
Further, we need to work out a Level 2 plan with the local police station, fire brigade, ambulance services etc. to handle situations that escalate beyond the ability of the SEEPZ security forces. Similarly, we need higher levels of escalation to the appropriate forces should the need arise. We are planning to involve these agencies in our future meetings.
As we walked through this process, we found that this was not just an issue of adding security people and giving them better ammunition; it was also a more planned approach to addressing these threats that involved all the stakeholders. In fact, a good parallel is the safety procedure in an aircraft. It begins by informing every passenger on every flight about the safety procedure. The cabin crew gets more training on how to handle a safety incident. The ground staff at the airport brings different areas of expertise in handling a safety incident. We need a similar approach in responding to terror attacks, albeit on a much wider scale.
Since five-star hotels were a target, we need to think about where to put up our own people as well as our clients. We have decided to solicit written responses from various hotels on their security plans and select a few hotels after a clear analysis.
I am going through some of our own experiences to serve as an example of the kind of ground-up response we would need. These are by no means comprehensive, and we are looking for NASSCOM and other industry groups to contribute to this process, even involving specialists from India and abroad who can advise us. It is important that every company, industrial park or zone, or residential colony gets together to formulate its own plan of response for us to have an effective approach as a city and nation.
The events in Mumbai have clearly brought out a lack of preparedness in responding to terror in a systematic fashion. It would be naïve for any of us to assume that terrorist attacks of these kinds are one-off. In today’s world, it would be safer to assume that terrorist attacks are as much a part of reality as natural disasters. Hence it would be pragmatic to have systematic approaches to responding to these attacks.
Although I have no expertise in the field of security, I can envisage that a systematic response plan will involve a classification of locations / building based on potential risk – high-risk buildings to low-risk buildings. It would involve prescribing different levels of security preparedness given the nature of risk. It would involve coherent response strategies for different risk scenarios, working closely with the security personnel in the location as well as proximate security forces. It would involve clear definitions of escalation levels, response times and processes, handing over charge to forces of higher caliber at appropriate junctures. Since the terrorists are well-trained and at Level 4 or 5 in terms of their competencies, we have to ensure that the security forces at the lower levels are trained to be at least at Level 3 while the high-caliber forces like NSG have to be clearly at Level 5.
Further, given that any such incidence becomes a television spectacle that the entire world watches in real time, it is important that media briefings are taken up as a specialist role and handled in a professional manner. There should be a clear brief to the media on what can be covered and what needs to be kept off the air for security reasons.
Clearly, prevention through better intelligence as well as quick post-attack closure are more important and effective, but are not the subject of this article.
While anger and recrimination are ways of responding to these recent events, we need to realize that the world is still trying to discover and learn how to respond to terrorist attacks of this nature. We may be behind the curve in India and need the political will and determination to educate ourselves, get our act together and set up the response systems. It will definitely be worthwhile to collaborate with the security agencies of other countries to learn and share best practices – since this is a global problem and not just restricted to India. It’s only with sustained, concerted efforts between governments and the public that humanity will discover the means not just to thwart terrorism but to eliminate it from the face of the earth.