Pages

Saturday, August 29, 2009

Hitchhiker’s Guide to the Corporate Galaxy – Part 1

Whether we are managers by profession or not very often we have to get things done by or with the help and cooperation of others. Sometimes it is by the people on whom we have some control and authority (like our children or subordinate officers) but most it is from people on whom we enjoy no such influence. It could be colleagues in other departments, people of other organisations or members of your club, the religious community you belong to or government officers with whom you have working relationships.

Getting cooperation in such situations is a tougher challenge. Although your control and authority increase with your ascent in the career ladder, this challenge also increases as the people who are critical to your success are often not the people on whom you have direct control. Likewise, this challenge intensifies with increase in the stakes of the project you are involved in and the diversity of the stake holders.

Management of this challenge is an art form which may not be taught in a Business School, and often your success is a function of how well you have mastered this art form; especially if the project under consideration has significant social relevance and requires cooperation from a broad cross section of people. In fact for success in politics and business, this skill is an absolute necessity.

To be successful it is important to develop a knack to identify the factors contributing this challenge. In this article I have tried to list few major factors to trigger our thoughts and to compile a survival kit.

1. Turf

Your project may be perceived to be an intrusion into the other person’s turf. Human beings, like their favourite pet, the dog, are very possessive of their turf to the extent of being identified with it.

2. Not Invented Here

Even if your project / idea could make a positive difference in somebody else’s turf, there could be often resistance because it is not ‘his idea/ baby’. Very often people find it difficult to be proud of somebody else’s baby.

3. Competition

Sometime success of your project could place you or perceive to place you in a position of comparative advantage or faster trajectory.

Then instead of trying to outperform you, many people will try to downplay/ disparage you. This is supposed to be a serious issue in Indian culture and is often referred as “Indian Crab Syndrome”

4. Ego

Many people may have very strong egos; especially people in position of power. With the feudalistic culture we come from and the “Raja Culture” often observed among people in power (irrespective of private or public sector), if your project requires cooperation from the self proclaimed kings you have a serious challenge.

5. Corruption

This could be for money, power or credit. But if the people whom you are dealing with are interested in having his pound of flesh, he will find ways to extract the same and if you are not willing to give into this demand, most often you will be stymied.

6. Survival threat

Sometimes success of your project could be a direct threat to the other person’s areas of interest or in worst case survival. Then you can expect a serious resistance, which is justified, at least from his point of view. The more disruptive / transformational your idea, the stronger and wider will be the spectrum of resistance.

7. Sheer Folly

Sometime you may be unlucky to have a moron or somebody for whom rigor mortis of brain has already set-in, and this can happen at all levels. He could be a young and immature kid or a senior person who, as Parkinson would point out, has risen up to his level of incompetence. This happens more often in organisations where there is little compulsion for performance and growth is dependent on connections than on merit.

8. Hidden Agenda

Hidden agendas at industry/ firm/ individual/ regulator level could also be at work against your project. These are more difficult to track as it is hidden behind a veil of apparent co-operation or hidden in the garb of protection of the weak.

9. Closed Mind

If you are working on a disruptive idea that changes the rules of the game and you are pitted against a closed mind, you are in serious problem. The closed mind is often seen among successful people and people in power. Some of them may develop a mindset wherein they think they are the ultimate authority in everything under the sun. Their ‘openness’ to ideas gets limited to throwing some new fad at you without thinking through.


We will discuss the survival strategies in my next posting.

Monday, August 24, 2009

Digital Security – Business, People and Economics

We live in a digital world. The extent to which our lives are exposed to this ‘digitization’ is increasing exponentially. Whether we like it or not and whether we are involved in information technology related activities or not, our lives are getting more and more dependent on ‘digits’. Health records, tax records, saving and investment records, records of buying habits; practically everything that affects our life including how we are governed are getting digital.

With the way our lives are increasingly getting dependent upon information systems, the Internet being one of the most prominent examples, there is a growing concern about the security and reliability of this fragile infrastructure.[1]

In this digital world whatever business we are in, we cannot afford to ignore the impact of information security. To begin with, computer security has been left in the hands of “computer security experts,” chiefly technologists whose technical understanding qualified them to shoulder the responsibility of keeping computers and their valuable information safe. With stand alone computers the key security issues were how to protect the data from being lost or corrupt or stolen. [1]

But today information security is not just a technological problem although technology forms an important component. For business this is like any other problem of managing of risk and the cost associated with it. Like in any domain, the security experts can find a solution to address most of the risks (except those of cosmic proportions like Tsunami or Starburst) that a person or organization face. It is a question of the resources that you can throw behind the security risk and the extent of abstinence/ isolation that you are willing to suffer. Thus it becomes more of a managerial issue of identifying the risk areas, its probabilities, its impact and cost –benefit ratio of mitigation.

Organizations optimize themselves to minimize their risk, and understanding those motivations is key to understanding computer security today. However each of the above elements of risk management is not amenable to straight forward computations. It has high dependence of the human idiosyncrasies, mental make-up, domain knowledge etc

So when we look at information security management we have to use a larger framework; a framework that takes in to account business compulsions, nature of people and economics of incentives.

The span of managerial response ranges from apathy resulting from ignorance or indifference to paranoia resulting from ignorance or spinelessness. This posting covers a broad survey of the above spectrum to provoke some thoughts. I don’t expect this in any way to be prescriptive or comprehensive.

On one end some business managers are unable to understand the risk in the right perspective. Risk triggers in the nature of “fight or flight’ is an elementary component of any living organism. But many of the risks that modern man is exposed do not require such response. This means that there’s an evolutionary advantage to being able to hold off the reflexive fight-or-flight response while you work out a more sophisticated analysis of the situation and your options for dealing with it. Human beings have a completely different pathway to deal with analyzing risk called neo-cortex, a more advanced part of the brain that developed very recently and appears only in mammals. It is intelligent and analytic. It can reason. It can make more nuanced trade-offs. It’s also much slower. But it’s hard for the neo-cortex to contradict the primary response from the amygdale.[2]

Psychologist Daniel Gilbert has made brilliant explanation on this conflict “The brain is a beautifully engineered get-out-of-the-way machine that constantly scans the environment for things out of whose way it should right now get. That’s what brains did for several hundred million years—and then, just a few million years ago, the mammalian brain learned a new trick: to predict the timing and location of dangers before they actually happened.

Our ability to duck that which is not yet coming is one of the brain’s most stunning innovations, and we wouldn’t have dental floss or 401(k) plans without it. But this innovation is in the early stages of development. The application that allows us to respond to visible baseballs is ancient and reliable, but the add-on utility that allows us to respond to threats that loom in an unseen future is still in beta testing.”

The above gets compounded by what the psychologists term the ‘optimism bias’; we often think that accidents happened to only the other fellow and end up taking extreme risks. [2] Therefore unless the manager consciously tries to hold on to the primitive response and analyze the risk, the responses may often be not optimum.

This situation gets compounded when it comes to information security and software products. Most business managers are used to the incentive structure in the production of physical goods. If Honda produces a car with a systemic flaw they are liable, but Microsoft can produce an operating system with multiple systemic flaws per week and not be liable. Software companies have been able to institute a framework denying them liability for faulty products. [3]

Many business managers don’t appreciate this different paradigm in the digital world when they take decisions with respect to information security. With most of the corporate assets increasingly getting to be digital this becomes a critical issue.
We also see behavior on the other end of the spectrum. The security engineering community has, like the environmental science community, built-in incentives to overstate the problem. This could be like a firewall vendor struggling to meet quarterly sales targets, or a professor trying to mine the `cyber-terrorism' industry for grants, or the information security division lobbying for more funds and more power.

I still remember some of the overselling that used to happen during the Y2K compliance. Our consultant wanted certificates from practically all vendors, who provided any electronic good, to give us certificate that his product is Y2K compliant.

The business manager gets totally taken in by the scaremongers of digital fraud. In the name of information security he ends up overspending on every latest gadget and every vocal consultant. Human mind has a tendency to react to recent events and events that are high on visibility. With the extent of sound bites that we are exposed on information security we naturally end up overreacting. I still remember our Government grounding the total A 320 fleet of aircraft of Indian Airlines for a long time after the accident in Bangaluru.

What we need to develop is a balance between these two extremes. As Andrew Odlyzko noted in a paper titled Economics, Psychology, and Sociology of Security, “The natural resilience of human society suggests yet again the natural analogies between biological defense systems and technological ones. An immune system does not provide absolute protection in the face of constantly evolving adversaries, but it provides adequate defense most of the time. In a society composed of people who are unsuited to formally secure systems, the best we can hope to do is to provide “speed bumps” that will reduce the threat of cyber attacks to that we face from more traditional sources.” [4]

In a digital world the balanced view has to be continuously re-balanced as the rate of change of environment is extremely quick paced, unlike in case of the conventional technology areas. You get hardly any time to relax with the comfort of equilibrium that you seem to have managed.

Summary

The key thoughts from the above discussion can be summarized as below:
1. Information security is not just about technology it is about the managerial choice that is exercised
2. Whether gadget or process, it should justify the merit. The idea is not to foolproof, but to identify the appropriate balance.
3. Managing of this risk should be an inherent part of the total organizational process and not the functional responsibility of an expert group
4. It is not a one-time activity or a periodic activity. It is a continuous game of ‘cops and robbers’.
5. Keep in mind that security should not and need not always compromise convenience if it has to, make it as bearable as far as possible.

References

1. Kevein J Soo Hoo, How Much Is Enough? A Risk Management Approach to Computer Security
2. Bruce Schneier,The Psychology of Security , January 21, 2008
3. William Yurcik and David Doss, Illinois State University Department of Applied Computer Science “CyberInsurance: A Market Solution to the Internet Security Market Failure”,
4. Andrew Odlyzko, Economics, Psychology, and Sociology of Security
5. Ross Anderson and Taylor Moore, Information security Economics – and Beyond
6. Ross Anderson, Why Information Security is Hard – an Economic Perspective
The above references include specific references of observations as well as the articles that have provided ideas for my talk.
This is extracted from the talk I delivered at the conference held at IIMA

Monday, August 17, 2009

Why I love my Mom’s Cooking?

I claim to be a good cook. I indulge in this passion occasionally. But when I do, I will also invite few friends so that I can show-off my culinary skills. I select some exquisite dishes from the collection of cookery books that my wife maintains. I will then ask my wife to get all the ingredients and get the maid to do all the cleaning, cutting and chopping. Then later in the afternoon after a nice nap, I will land up in the kitchen to commence my artistic composition of various ingredients to an exquisite rhapsody! At every point I will have my wife and the maid extending various implements to assist my operation like the nursing staff in an operation theatre. After the various concoctions find their way to the microwave, baking oven, refrigerator (as the case may be) I will leave it to the minions to take them at prescribed time period and present them for the consumption of the invited guests. Of course it is the job of the maid to remove all dishes and clean-up. I will almost fill the conversation during the dinner with the art that goes behind each of the dishes. What an excitement for me!

On the other hand I remember my Mom’s cooking. We had no gas supply and no gadgets like microwave, cooking range etc. Five of us were in colleges/ schools. One in medical college, two in Engineering Colleges, another one in regular college and the other in school. From breakfast, to packed lunch to evening snacks and the sumptuous dinner; all fresh from the kitchen, day in and day out, in addition to the teaching the kids, mending cows , and other chores of household.

My cooking is an occasional event, an aberration; primarily for my excitement and glory and not to help anybody’s hunger. Whereas my Mom’s cooking was meant to ensure that none of us went hungry. No ceremony. Just rigorous execution, just-in-time management of inventory, tight planning of cash flows, total customer satisfaction with outstanding social networks.

Unfortunately, it is the heroism that often gets recognised and not persistence and perseverance.

I remember the story narrated by an IAS officer about his tenure as the district collector of an inflammable district which often flared up at times of religious festivities. He used to take enormous efforts to get the occasion go without any incidence. There was a neighbouring district manned by his colleague, which also had similar explosive settings. The major difference used to be that at least once in a year there used to be a conflagration that hit the headlines which the collector had to manage with great difficulty. The credit naturally went to the second officer and very few could see the difference made by first one.

This happens in many private sector organisations too. The guy who solves a problem (which is often created by the same fellow) gets all the credit; but the guy who worked hard to prevent problems day- in and day-out and worked to bring about continuous improvements is seldom noticed. The credits and the bonus to the former, naturally encouraging high-profile project launches and other short-term strategies. We saw the impact of this short-termism in the meltdown of global financial markets.

What we need for sustained progress more is the discipline of my mother’s cooking (for that matter most mothers) than my heroism in cooking. As the proverb goes “success is 10% inspiration and 90% perspiration”.

Monday, August 10, 2009

To be or not to be - Part 3; Of Controls and Decontrols

Penicillin is the first antibiotic that was discovered. Over the years, penicillin and its derivatives became one of the most important drug families to fight infectious diseases in a very cost effective manner. The way in which the Government of India tried to manage price and supply of this drug makes an excellent case study on the impact of micromanagement of resource allocation by government.

In view of the criticality of this drug, the Government of India (GOI) set up facilities in two Public Sector Undertakings [PSUs] to manufacture penicillin. Within a short span of time, the capacity of these production facilities was incapable of meeting the demand. Even at Rs 1200 per unit (as against an international price of about Rs 600 per unit) these PSUs could just about meet the cost of production.

The government needed to keep the price low, keep the inefficient PSU afloat and also manage the shortage. A complex problem of optimisation!

The scene was perfect for control, corruption, privilege postings and bulk gratifications; sacrifices in the name of providing healthcare for the poor and needy. Now the government came out with a bizarre plan to manage price and supply of the drug in the domestic market without compromising the sustainability of the PSUs.

The department of Chemicals and Petrochemicals, the operating ministry for managing this complex social challenge of such national importance, in the beginning of the year would ask the industry players what their expected demand for the drug was for the oncoming year. Then they asked the PSUs how much they expected to produce during this period. Now the ministry officials, after significant deliberation even at the level of the secretary made allocation of domestic production to the buyers on some ratio of their expected demand and last year consumption. The ministry also fixed the price of penicillin to about Rs 1200 per unit. The government also ensured that no new licenses were given to produce this in India. Then to manage the demand these buyers were allowed duty free import in proportion to what they bought from domestic market.

The domestic suppliers were often unable to keep up with the supply they promised and although the price was fixed and the suppliers were PSUs the buyers were overcharged by demanding interest free deposits and other charges euphemistically called packing and forwarding charges. Even after all this, every month the buyers visited with begging bowls like supplicants. Once the buyers managed to buy from the domestic suppliers then they rushed for the import license; filling in bundles of forms that had to be pushed from table to table. The industry players had special skilled staff to manage this ‘logistics’. Once they got the import license, they had to woo the egos and line the purses of the customs department to clear the goods although it was duty free. Industry had specialists employed for this too.

A total waste of time and resources; but for some it provided opportunities for privileged postings and corruption. All for the benefit of the poor! Finally sense prevailed and such draconian controls on import and domestic production were lifted. Penicillin became available in the domestic market at less than half the price.

The story was similar for many more products. Cement is another excellent case in point. I remember standing with a begging bowl at the district collector’s office for allocation of cement to build our house. The construction activities had to be synchronised to match the erratic supply of this precious commodity. In fact almost at the end, when I wanted few more sacks of cement I had to buy the same from black market at three times the price.

Why am I remembering these past horrors?

One reason is to remind that there are still many areas where the policy makers appear to be micromanaging; supposedly for the larger good of the public. But in the end it just adds to corruption and inefficiency. The Air India kept alive on ventilator is a case in point.

More damaging outcome of such policies is that very small interest groups are able to influence policy makers to create market distortions and enrichment of the select few. Amartya Sen has beautifully described how the agriculture pricing policies destabilize market, fail to benefit the deserving farmers or the guy on the street and distort farming practices. As per him “The overall effect of the subsidy is more spectacular in transferring money to medium and large farmers with food to sell, than in giving food to the undernourished consumers” (For a detailed discussion on this, refer to “The Argumentative Indian” by Dr Sen page 212 to 215)

Even the free electricity to the farmer is the same story. The poor farmer gets no benefit as he can’t afford even a pump and the electricity board is in perpetual red!

Reminiscing of this past becomes even more relevant today when we hear cries for more government intervention and control on account of recent failings in the markets.

But I think the problem also lies in our basic feudalistic culture. I have had many opportunities to be associated with projects where the so called non-bureaucrats appear to be in positions that require them to be involved in areas of public policy. It was almost hilarious and shocking to see them changing their colour so fast. They suddenly wanted absolute control and were even worried whether the democratic process and market forces can be depended on for balanced development.

It is worthy to remember that as Garry Hammel noted in his famous book "Future of Management” democracy with its checks and balances and markets with its invisible hand are two of the few institutions in this world that have sustained for centuries.

We have few examples in India of right policy interventions revolutionising industry sectors. As Dr Ajay Shah noted in his article "Flying on One Engine” “In the story of India’s economic reforms, the revolutionary changes on the equity market stand out with respect to the magnitude of the change which has come about from 1993 to 2003 despite concerted political lobbying in trying to prevent change”

It is true that at times markets will fail. We need to try to correct the failure and not to abolish the market. What is needed when the market fails is to correct irresponsible behaviour for which rules have be in place and the regulators will have to intervene. But what we need is course correction and policy nudges and not wholesale nationalisation or control. Infants should be nurtured; but also exposed to the reality of the competitive world else they grow up to be spoiled brats. (Take a look at "Devastation of world financial markets - A case of Policy Reversals in India?” and "Checks & Balances - Who checks and Who balances” for some thoughts on this.)

It takes imagination and ability to think through the ground realities and to come up with policy framework that nurtures healthy competition and incentivise responsible behaviour instead of creating ‘tables with a value’ in government offices. What we need today is administrative reforms that would compel and encourage policy makers to be adept in this than become feudalistic despots.

Sunday, August 2, 2009

Learn to count- both Blessings and Failures

In my previous posting "E = MC Squared” I had written about the three drivers of operational excellence that we focus on. They were Measurement, Continuous improvement and Customer focus. This posting is a little more detail on the framework of measurement that we try to institutionalize. There no rocket science here; just one of the ways for structuring and prioritizing various matrices.

The Information Technology (IT) and Service industries, in spite of their exposure to data handling, data mining and their familiarity with money value of transactions, often messes up in the discipline of systematic measurement for operational efficiency. Their operational measurement discipline is not yet matured because the glamour and focus in these industries are still ‘cool functions’, “exciting features” and “latest gadgets’ than boring pursuit of efficiency gains.

So we turned for some lessons to process industry; especially hazardous chemical industry. The reasons were manifold and can be summarised as below.

1. The process industry has been around for hundreds of years and has matured over period of time whereas IT and Services industries are quite young and still evolving.

2. Many of their product lines have been commoditized with very low operating margins unlike the IT and Service industries which still enjoy significant margins arising out of novelty and innovation. This meant that the process industry has to squeeze out efficiency wherever possible.

3. In chemical process industry the cost of process breakdowns and safety breaches are often fatal and therefore the extent of public attention, scrutiny and audits is quite severe.

4. In process industry mostly the processes are integrated end-to-end with less control and knowledge of what is happening inside the pipes. This necessitates strong monitoring and control.

The framework of measurement we evolved has thus been helped a lot by the learning from the process industry. The three key elements of this framework are the following.

1. Flow management (Micromanagement)

These are matrices that keep track of each of the inputs to ensure that it passes through each process/ sub-process it was meant to traverse and that too without error. This becomes even more critical when some of the processes are quite new and evolving because in such cases the exceptions gets to be the norm and tend to get ignored; especially in computerised processes.

These errors lead to customer discontent and even revenue leakage. I remember long ago when many people received a letter from one of the large banks which admitted that they had not tracked the credit card transactions correctly and enjoined the recipients to make a payment on the basis of their own bills. (I am not sure how many actually paid. This is not a made up story either).

One of my friends who provide transaction billing solutions to large number of banks and telcos shared with me the extent of leakage he is able to unearth when his system is introduced first time.

2. Capacity Management (Macro management)

These are matrices that track the capacity of processes, people, service providers and machines. We try to establish and evolve measures for trends in capacity utilisation of each element to avoid surprise bottlenecks.

This continuous monitoring is even more critical in computer based operations as many of the computer systems and network equipments are shared resources for multiple processes and the utilisation is build up for each of the processes would be different. Very often the process managers give scanty attention to the capacity requirement of their processes and how this capacity utilisation varies with volume.

In computerised processes there is another often neglected component of capacity grabber. The queries needed by the business or regulator. These queries on one side use the same production capacity. On the other end very often these queries are prepared by the junior most programmers who often develop quite in-efficient queries that hog resources. Mostly these onetime queries become a norm and end up quietly eating up resources.

Another area which eats up capacity is the weakness in the design itself. For most of the programmers, the kick is in developing features. Once the features are up and running he has lost his interest and is keen to move to the next project. At the time of feature development these cool cats seldom give importance to program efficiencies and once they are developed they are too lazy (and often don’t even know) to spend the time and effort to fine-in my experience there will be scope for at least 100% improvement in process efficiency in most of the bespoke programs.

3. Service Levels

The best way to ensure focus in measurement and improvement is to have clearly defined service levels that we are willing to commit to our customers. We call it the Customer Service Commitments (CSC). These involve commitments on Turn-Around- Time (TAT), Quality and Cost.

We try to build time-series data of these parameters at every key process and service provider level. This time series data provides early triggers in terms of trend shifts and unusual volatility.

We also try to have a separate team (other than the team responsible for operation) to track the commitments to the ultimate customer.

What Next?

The next thing to having data in place is how we use the data. I believe that is the more difficult part because it involves change in habits and practices of human beings. And that is not easy! Very often the data tracking reports are seen and used as measures for compliance or to satisfy whims of the bosses.

Excitement is in trouble shooting, exception handling and heroism. Not in prevention of trouble. It is more interesting to fix people than systems.

What we continuously try is to inculcate a spirit of looking at data as a tool for continuous improvement by everybody at all levels. To make this a culture and not a ritual.This is because we believe that we can scale-up and excel only when each of us learn the art of decision making that is founded on data.

“Give the people the facts, and they will do the right thing??”