Monday, January 5, 2009
The subprime crisis and the subsequent meltdown have had a mind-boggling impact across the globe. In this article, I would like to focus on their impact on the Indian IT services industry and the opportunities it is likely to throw up for companies operating in the ‘third wave’.
Three waves of evolution
When we look at globalization, specific industries in emerging economies typically go through three waves of evolution. The electronics industry, first in Japan, then in South-East Asia and now in China, are good examples of this. In the first wave, companies in emerging economies typically act as component suppliers to developed countries that manufacture the complete product. In the second wave, the local industry gains enough expertise to provide cost-effective contract manufacturing services—of either the entire product or major sub-assemblies. The third wave is when a set of firms start marketing these products under their own brand—initially within their own countries, and then going international.
We can trace the evolution of the software services industry in India using a similar paradigm.
Wave 1 (proving capability through people) started in the 70s and 80s and peaked in the mid-90s; it established the competence of the Indian software professional and the industry got results largely through staff augmentation.
Wave 2 (offshore development) established India as a destination for low-cost, high-quality programming services. The catalyst was the Y2K bug and Indian companies’ success in delivering these projects cost-effectively. Many Fortune 1000 companies discovered that moving their application maintenance and ongoing development activities to India was viable and attractive. The second wave of Indian IT started in the mid to the late 90s, and is at its mainstream phase today.
Wave 3 (strategic value delivery), which is emerging, will be characterized by Indian companies moving to high-value, IP-led services that are strategic to the customer and hence command premium, value-based pricing. The industry is already facing a severe shortage of talent, rising attrition levels and increasing salary costs. All indications are that the linear relationship between growth and headcount will not be sustainable. The future is in creating strong brands out of India that command the respect and trust of large global customers and hence the appropriate value.
Orders of short-term impact
The first order impact of the crisis is related to the banks that have either been unable to survive as stand-alone entities (like Bear Sterns and Lehman) or have taken a deep hit and are trying to recover on their own. These institutions may cancel some contracts, and downsize others. This will have an immediate impact as most of them are large customers of Indian services firms.
The second order impact will be on firms with large investment portfolios that have been exposed to subprime lending. A prime example is AIG. In such cases, the firms may get more conservative on new initiatives and discretionary projects, thereby impacting the revenues of Indian firms that service them.
The third order impact is based on fears of recession and the general conservatism that it is likely to bring in discretionary spending.
Given that 30% or 40% of Indian IT services revenues come from the BFSI segment, Nasscom has brought down its growth estimates from 30% to between 21% and 24% for the year.
The longer-term opportunities
While we can blame blind optimism and greed for the present crisis, at a more fundamental level it is a failure of systems. The quality of underwriting at the point of loan origination has failed. Systemic controls that ensure uniform and consistent application of underwriting rules would have done much to avoid bad loans. Credit scoring that took into account not just the propensity to pay but also the quantum of debt that a person had any hope of repaying would have brought these issues to light much earlier.
Better transparency and visibility of the underlying asset portfolio, and a more balanced approach while packaging a set of mortgages into bonds, would have helped monitor the health of the assets and the loans in real-time.
Better controls and risk management systems governing individual firms as well as the entire financial system would have helped to track the quantum of leverage and the risks associated with it—both from the perspective of board governance and regulatory oversight.
For too long, large institutions have been trying to get away with spending 80% of IT dollars on maintenance and only 20% on new initiatives. In a recent Information Week article, Rob Preston argues strongly against the 80-20 rule, and says that IT’s top priority is to release money for new projects.
The financial crisis is forcing mergers of huge, complex institutions that were individually ungovernable in the first place. The only possible way these institutions can be managed is with substantial investments in new IT applications that can track all the nuances of the underlying operations and provide meaningful online, real-time controls.
Implications for Indian IT
Clearly, the need is to reduce maintenance budgets and increase transformation budgets. Reduction in maintenance budgets will force companies to send more work offshore, which is good news for the Wave 2 services players in India. However, customers will force the vendors to bring in new efficiencies, and expect aggressive cost improvements year on year.
There are tremendous opportunities for the Wave 3 companies that have the expertise and intellectual property assets to bring better governability and manageability to these large enterprises. Indian companies will probably have to partner with local firms that have this expertise or hire these experts in-house (easier now). This is the time for these companies to make the investment so that they will be able to reap the benefits in the years to come.
We had several internal calls at Mastek, with our leadership teams in India and globally, trying to find out whether any of our employees or their families had been affected in any way (thankfully not), and how we should handle the impact of these attacks on our global clients, employees and partners.
During the past week, besides news reports, I have been watching the email trails, with hundreds of people expressing their anger and frustration at our inability as a city and a country to prevent such an attack or deal with it quickly and effectively. I’ve been a Mumbaikar for most of my adult life, so I can understand these reactions to terror striking so close to home.
However, while engaging our own teams in how we should respond to this situation in a pragmatic manner, I realize that we need a bottom up approach just as much as we need a top down approach. I also realize that we can have an effective mechanism to thwart terrorism, or at least contain the damage, only when all of us as responsible citizens and corporations plan for and demand a coherent response from the various security forces.
In our internal discussions it came out, quite obviously, that as a company we had no systematic process to deal with a terrorist attack. While we had fire drills, disaster recovery plans and business continuity plans as an essential part of serving a global clientele, we had somehow ignored a terrorist attack as a possibility. We have now set out to have this as part of our disaster response and recovery plan as a company.
In doing so, it became clear that we need a larger plan to cover the Business Parks that we operate in. At our SEEPZ facility, therefore, we called a meeting of all the companies operating from there along with the Commissioner. We were glad to note that the Commissioner had already received a directive from the Ministry of Commerce to beef up security within the zone.
However, we realized that this was important but inadequate to deal with a terrorist situation. What was required was a Level 1 plan that involved not just the SEEPZ security personnel but also the security officers of each company. They had to address various possible attack scenarios and a systematic response plan in terms of how each company would be alerted, what response measures they would need to take and so on. To ensure that people know how to respond to an attack, each company needs to have a core security task force with adequate training as well as drills.
As an example, while our fire drill expects people to leave office in an orderly fashion and assemble at a specified point a few meters from the building, a terrorist attack response will obviously need a very different strategy.
Further, we need to work out a Level 2 plan with the local police station, fire brigade, ambulance services etc. to handle situations that escalate beyond the ability of the SEEPZ security forces. Similarly, we need higher levels of escalation to the appropriate forces should the need arise. We are planning to involve these agencies in our future meetings.
As we walked through this process, we found that this was not just an issue of adding security people and giving them better ammunition; it was also a more planned approach to addressing these threats that involved all the stakeholders. In fact, a good parallel is the safety procedure in an aircraft. It begins by informing every passenger on every flight about the safety procedure. The cabin crew gets more training on how to handle a safety incident. The ground staff at the airport brings different areas of expertise in handling a safety incident. We need a similar approach in responding to terror attacks, albeit on a much wider scale.
Since five-star hotels were a target, we need to think about where to put up our own people as well as our clients. We have decided to solicit written responses from various hotels on their security plans and select a few hotels after a clear analysis.
I am going through some of our own experiences to serve as an example of the kind of ground-up response we would need. These are by no means comprehensive, and we are looking for NASSCOM and other industry groups to contribute to this process, even involving specialists from India and abroad who can advise us. It is important that every company, industrial park or zone, or residential colony gets together to formulate its own plan of response for us to have an effective approach as a city and nation.
The events in Mumbai have clearly brought out a lack of preparedness in responding to terror in a systematic fashion. It would be naïve for any of us to assume that terrorist attacks of these kinds are one-off. In today’s world, it would be safer to assume that terrorist attacks are as much a part of reality as natural disasters. Hence it would be pragmatic to have systematic approaches to responding to these attacks.
Although I have no expertise in the field of security, I can envisage that a systematic response plan will involve a classification of locations / building based on potential risk – high-risk buildings to low-risk buildings. It would involve prescribing different levels of security preparedness given the nature of risk. It would involve coherent response strategies for different risk scenarios, working closely with the security personnel in the location as well as proximate security forces. It would involve clear definitions of escalation levels, response times and processes, handing over charge to forces of higher caliber at appropriate junctures. Since the terrorists are well-trained and at Level 4 or 5 in terms of their competencies, we have to ensure that the security forces at the lower levels are trained to be at least at Level 3 while the high-caliber forces like NSG have to be clearly at Level 5.
Further, given that any such incidence becomes a television spectacle that the entire world watches in real time, it is important that media briefings are taken up as a specialist role and handled in a professional manner. There should be a clear brief to the media on what can be covered and what needs to be kept off the air for security reasons.
Clearly, prevention through better intelligence as well as quick post-attack closure are more important and effective, but are not the subject of this article.
While anger and recrimination are ways of responding to these recent events, we need to realize that the world is still trying to discover and learn how to respond to terrorist attacks of this nature. We may be behind the curve in India and need the political will and determination to educate ourselves, get our act together and set up the response systems. It will definitely be worthwhile to collaborate with the security agencies of other countries to learn and share best practices – since this is a global problem and not just restricted to India. It’s only with sustained, concerted efforts between governments and the public that humanity will discover the means not just to thwart terrorism but to eliminate it from the face of the earth.