30

Organizational Resilience | BSI and Cranfield School of Management

happening with the industry environment and with technologies, to make sure that

the strategic choice risk itself is being mitigated correctly.” The company has shifted

from a focus on “how you minimize risk to how you enable the business to take

risks, because in this unknown environment you need to take some risks to get the

return.”

Managing “the two-sided coin of strategy and risk” works by asking strategic

questions and discussing risk mitigation measures. For example, there was a

discussion about what needed to be changed in the business model. Infosys needed

to create new software platforms, so new product teams were formed, and they

created new software. Then the question became, ‘What are the risks that new

software will not gain in sales momentum?’ So it mitigated that risk by engaging the

existing sales teams to sell the new software. The next question was, ‘What is the

risk that the sales team does not have the competencies to do this?’ This provoked a

conversation about whether the company should just retrain its existing salespeople

or bring in new salespeople. The final mitigation was to “catalyze the existing sales

team with of some of the salespeople who were specialized in software sales,

including those obtained in an acquisition”.

To ensure excellence in strategy execution, Infosys has developed a corporate

scorecard, which gives it a roadmap for the next three to five years. Various

parameters including market penetration, operations, innovation, automation,

people, culture, and values are captured in the scorecard. The key issue is being

satisfied that the “new software-based services and the renewed traditional services

are providing a platform for consistent profitable growth”. Infosys also focuses

on system strength and process rigour, with a strong focus on safeguards in its

contracts and business continuity. With a large number of employees, Infosys has

“a lot of labour risks, safety risks, facilities risks, immigration risks and all kinds of

employee-related risks”. There is also, of course, fraud and cyber security, which are

traditional issues that Infosys addresses along with legal compliance. In the past,

resilience at Infosys relied on “policies, procedures, enforcement and accountability”,

but now it is seeing a move towards more analytics and agility.

One of the first things that employees came back and said was, “If you want me to

come up with new stuff I need to be able to access the Internet freely.” In the past,

access to the Internet was curtailed because it was thought to reduce productivity

and increase cyber risk. However, “now we are saying of course you need to go and

see what other people are doing, you need to part of forums outside, you need to

have access to information on the Internet because you need to be innovative and

collaborate.” But this change raised risk because the more open the network was to

the outside world, the greater the cyber security threat. Infosys “struggled with this

issue for quite some time, and finally we came up with an ‘open Internet’ policy,

where we could safeguard some of the critical risk”. The day it opened up its Internet

for most people to access most sites “we got a record number of cyber security hits

on our network – it was unprecedented, but luckily none of them came through

the firewall.” Importantly, Infosys recognized that this was going to happen and

prepared for it. To date, Infosys thinks productivity hasn’t been adversely affected

but innovation has improved. The open access Internet policy also “has a more

intangible cultural benefit, which is that people just feel they’ve got more freedom

and more empowerment to do things.”