Satyam Scam: A CIO’s Survival Tale

Publish Date:2010-12-15

Summary:

It’s two years since the Satyam scam broke. For the first time, S.K Anapu, VP & Head- Enterprise Information Systems, Mahindra Satyam, speaks out about the experience of dealing with Government investigation.

Highlights:

Anapu’s team generated close to 500 GB of data over four months across all external agenciesHe allocated 17.5 manhours everyday to the excercise of data generation

Reader ROI:

How to deal with external investigation agenciesHow to invigorate your IT governanace and regulatory complianceHow to keep your team motivated in testing times

The 7th of January, 2009, was like any other crisp winter morning in Hyderabad. At Satyam Computer Services’ headquarters in L&T Infocity, employees streamed into the office giving the clear sky a quick pleased smile. None of them, including Srinivas Kishan Anapu, VP, Enterprise Information Systems, had any inkling of what the day had in store for them. No one could have guessed that they would make history that day; the darkest day in the history of the Indian IT industry.

But even if Anapu knew, he would have had no time to appreciate the big picture. He and his team would have to prep for what was going to be a painstakingly long ordeal as multiple government investigative agencies ripped into the company’s data, functions, and departments. For Anapu, it was an eye-opening experience in handling the fallout of a scam.

The Unfolding By the end of the first week, it became clearer just how large the financial scandal was. About Rs 5,000 crore of the Rs 5,300 crore in cash and bank loans that the company listed as assets for its second quarter, was non-existent. The extent of damage forced the government to take over the company’s administration. Anapu remembers multiple things taking place at about the same time. Multiple government agencies swung into action to carry out a full-scale investigation. The Crime Branch of Criminal Investigation Department (CB CID) started its inquiry by talking to what remained of Satyam’s management. Then on January 15th, 2009, new directors were appointed. And three days later, there was a blanket directive from the auditors not to restart any system.

Anapu also remembers how he received mandatory document retention notices from the international counsels on 8th January. He executed the order by completely backing up Satyam’s financial and HR data and applications. He also backed up a couple of other applications that were important to the management.

“These applications were backed up on two different hard drives. So, whenever we were asked to furnish data we could use the backup. We sealed the hard drives, signed them, and gave them to the CBI. Once we had accomplished this task, we stalled the production process,” says Anapu.

This was Anapu’s first challenge. “When I first heard that nothing should be changed in the production system, I was startled because you just can’t bring the production system to a grinding halt,” he recalls.

At this point, officials from Serious Frauds Investigation Office (SFIO), New Delhi, started pouring in at Satyam’s headquarters. They asked Anapu to furnish details of all of Satyam servers worldwide. Just like any other request he would have received from an internal customer, he provided the data to SFIO. Little did he realize that he was slowly getting dragged into a long-winding investigation. With his boss heading into retirement, the organization was counting on him; and he had no clue what he was getting into.

Challenge One: Working With Multiple Agencies

Anapu watched as investigative agencies worked on a war-footing to get to the bottom of the scam. They went as far as asking for information-including employee’s name, father’s name, application handled, role, etcetera-of critical members of the IT team. On February 23rd, the CB CID asked the IT department to deny Internet access to critical systems, especially finance.

They further requested Anapu to stop tele-working across all of Satyam’s locations.  Anapu was aware that even though his paycheck came from Satyam, he was reporting to the CBI for now. He knew that he had to maintain his cool under pressure. “I told myself not to get defensive, worked up, or irritated with all the interrogations with various external agencies,” recalls Anapu.

Over time, more external agencies like Brahmayya and Co, Deloitte, SFIO, SEBI, ROC, and the Income Tax Department started knocking on his door. Educating various external agencies was a tough task, he says. Every agency wanted the data in a different format. Out of the 600 people in Anapu’s IT team, 25 worked directly with the external agencies while the rest supported the 25.

“I asked my team to treat the agencies like internal customers—with their deadlines breathing down our necks—that they normally dealt with

By this time the pressure of the situation was taking a toll on Anapu’s team. But Anapu knew there were more challenges ahead. “I asked them to treat the agencies like the dozen-and-a-half internal customers-complete with their deadlines breathing down our necks-that they normally dealt with,” he says.

In the meanwhile, Anapu had his hands full. He had to marshal all the resources he could-including people, funding, material and support-to get things done. Interacting with so many external agencies is a mammoth task, he says, especially when their requests flow in incessantly. He decided to use Microsoft Project Plan to track each of the external agencies as individual projects. This would track requests, estimate the amount of time a task would take, and map a task to available resources.

With more systems in place, Anapu knew that he needed to discipline himself and his team. He got to the office by 7:30 am everyday to get ready for the 8:00 am huddle with his 20-member data processing team-despite regularly leaving at 1 am. Together they prepared for the 10 am meeting with investigative agencies in which they mapped out the day’s data processing requirements. They also discussed how each one of them would address the tasks for the day and chalked out their plan of action. “Requests came in on an hourly basis. So, we had to decide beforehand how we were supposed to address these requests, and if there was any conflict, how we could resolve them,” says Anapu.

Death by Data

Extrapolating and churning out data in different formats was a tedious process, remembers Anapu. And his department was churning out unprecedented volumes of it. Anapu calculates that they generated close to 500 GB of data over four months across all the external agencies. On a daily basis that amounted to 12 GB of data, 20 CDs, and 50-60 Excel sheets. According to Anapu, they allocated 17.5 manhours everyday to this exercise for three months.

As Satyam’s servers dished out data for the investigative agencies, business naturally slowed down. Hence, Anapu asked his team to create macros and automated scripts, churning out data, to run as batch files during off-peak times. These scripts were monitored and run by another team of 20 who worked in shifts to produce the reports. These reports were also analyzed in their 8.00 AM-10.00 AM discussions. And because the external agencies needed help analyzing and drawing patterns from the data, Anapu called in other internal competency units of the company.

“The results of the data analytics and the patterns we drew were quite interesting. Quite a few thought-provoking observations were made that laid the foundation for the CBI’s case. They found, for instance, that on most occasions, the fake invoices were generated between 11.30 PM and 3.30 AM. Rather than giving crude data to the agencies, we analyzed it,” says Anapu.

Challenge Two: Keeping Your Team Intact

Being the head of IT at Satyam, Anapu was very much in the line of fire with the CB CID. They grilled him and his team also with a barrage of uncomfortable questions: What was the role of finance and internal audit in the scam? What actually went wrong? Tell us all you know about inflating revenue figures and siphoning off funds. What was IT’s contribution? How come no one saw this? Was this a collaborative fraud, and if so what was you and your team’s role?

Quite naturally, he had no answers to the questions. But Anapu was very aware that the consequences would be severe if he said so, and did not help the CBI find answers. He knew that his job at that point was to gain trust of the investigative agencies. Anapu and his team worked day and night with the CBI helping them build their case and in less than four weeks, the entire team was widely trusted by the CBI and they believed that he could present the unvarnished truth in an appropriate and helpful manner.

“By this time I understood my position completely. But my team was getting severely de-motivated,” recalls Anapu. He says they expressed their displeasure with having to go through the grueling experience. Armed with professional credentials and degrees they wanted to move on. About 30 percent of his staff threatened to quit and Anapu feared that he would default on his deliverables. He knew that he had to address the problem-and fast. So he started laying a great deal of emphasis on communication and counseling. He tried to understand people and data before making judgments and action plans. There were times, he remembers, when he had to force himself to wait for others to catch up before acting. He says he also consciously used humor to ease the tension within the team. He created a climate in which people want to do their best. Anapu also pushed tasks and decisions down by empowering the best people in the teams.  He began to invite inputs from each person to increase ownership. He spent more time with his teammates engaging in light-hearted conversations, bringing friendly warmth to an otherwise unpleasant job.

Anapu also used reason with his team.

I couldn’t tell the CBI that I was only a custodian of the data and that they should speak to the respective owners

He explained to them why it counted to stick with the crisis-ridden company. “I told them that this was an unwanted situation for everyone but there was no way out of it. I told them that in this hour of crisis they had to take charge, that they were playing a critical role in facilitating the governance and compliance of the company. I also told them that they could put this episode in their resumes and that it would reflect well on them. There was plenty to learn and I told them to make the best of it,” he says. With these measures, Anapu brought down actual attrition to 5 percent.

Clearing the Fog

While he worked with the external agencies, Anapu simultaneously unleashed a crusade of changes to build a robust system internally. He identified SPOCs (Single Point of Contact) for each functional unit. He replaced universal access to the finance and HR applications and empowered SPOCs to funnel, channelize, and cater to each of the access requests. The next step he took was to implement quick controls across the enterprise.

Satyam’s IT landscape comprised 30 percent of packaged applications like SAP, Peoplesoft, and Oracle Financials, and 70 percent bespoke applications. Most of the applications followed their own authorization mechanism. Despite, huge user resistance, he implemented an Active Directory-based authentication process for close to 95 percent of the app environment in just 20 days.

At one point, management requested him to reconsider his decision because of the unrest within the organization. “I quelled their apprehensions by telling them that all I was doing was introducing a security layer on the applications and not tampering with the data. And instead of losing time over this, I adopted a big-bang approach,” he says.

As he took these corrective measures to put his house in order, the CBI gave him strict instructions not to alter any old data because that would tantamount to tampering with evidence. “At that point, I couldn’t have told the CBI that I am only the custodian of the data and that respective process owners of the various functional groups own the data.  Instead, for me, the challenge was to find a way to implement this directive without affecting the business. Data flows in a very heterogeneous, complex environment at our organization. Monitoring every transaction is a mammoth task,” he says.

Steering A New Course

Anapu knew that he would have to wear the new hat of a change manager to introduce some drastic changes. Predominantly, he had to get users to accept a new business process-and the technology that enabled it. He adopted a three-step approach to bring in the required changes. The first step, ‘Unfreeze’, reduced the forces maintaining the organization’s behavior at the present level. The next step, was to take the behavior of Satyam to a new level. And the third step, ‘Refreezing’, was to stabilize the organization at a new state of equilibrium.

As a change manager, he created and strictly followed the RACI Matrix, which was communicated to all functional process owners. Mandated Functional Requirements and Specification documents were to be duly filled in by process owners. A Change Management schedule was developed that recorded changes to the production environment, which happened only once a month. He also ensured that emergency changes needed to go through a rigorous approval process and that report generation requests would go live every Friday.

Today, Anapu is a wiser man. He strongly believes that IT governance is completely non-negotiable. If organizational processes do not support this, then the IT department should fine-tune the process and ensure that the governance levels are always maintained high, he says.

“At Satyam, IT was viewed as a department that worked at the backend only. It was treated as a cost center and not as a unit that had to be aligned with the business. I think IT should be in fusion with business. If IT is alignment with business, such situations can be averted,” says Anapu.

Today, Anapu heads a 250-member IT team as vice president of Enterprise Information Systems at Mahindra Satyam. On the path to strong recovery, Mahindra Satyam recorded profit of Rs 98 crore in the combined first and second quarter of 2011. Anapu is still busy playing a pivotal role in maintaining governance and compliance at its highest order and ensuring IT paves the strong foundation for the company to resurge to its days of glory.