India's software companies are wont to trumpet the quality of their processes. "Customers come to India for cost, but stay on for quality," they often say. The National Association of Software and Service Companies (Nasscom) is quick to point out that more than 60 per cent of the 100 plus companies assessed world-wide at level 5 (the highest level) of the Capability Maturity Model, integrated CMM and People-CMM are either Indian companies or multinationals that draw on Indian skills to provide software services to global corporations. But "� surprise, surprise "� not all these claims about adhering to quality standards stand up to strict scrutiny.
Problem one. Not all software companies that have been assessed for quality are assessed across the company "� often, individual divisions qualify for quality certificates. Companies that have not been assessed enterprise-wide sometimes don't explicitly state this, or revel in ambiguity.
Let's be crystal clear "� we're not saying that all Indian IT companies exaggerate or misrepresent their quality qualifications. That's certainly not the case. Companies like Wipro, Infosys Technologies and Cognizant Technologies have been assessed enterprise-wide in their software process assessments.
But, alas, such cases are not quite the rule in the IT industry. Some IT companies gloss over whether the entire company is certified. A Chennai-based company, for example, claims to have been one of the first in the world to be CMMi certified. It, however, did not mention in its press release that the initial assessment was not enterprise-wide and was limited to only two business units in Chennai.
Only two of the development centres in the city of another struggling but once high flying Chennai-based company were assessed at SEI-CMM level 5.
Indeed, many of India's software companies are not certified enterprise-wide. Only some business units or development centers of even large information technology (IT) companies like Tata Consultancy Services (TCS) and Satyam have been assessed against quality benchmarks. TCS, for example, has restricted itself to a limited number of centres or business units. Says, TCS spokesman Atul Takle: "TCS has never claimed 'enterprise wide' assessment. Neither have we publicised this. We say that 16 TCS centers have been assessed at CMM level 5. We have currently 30 centres in India, of which 15 are at level 5, and the 16th is in Uruguay."
Says Partha Iyengar, vice president at Gartner, the global IT consultancy and research organisation: "Yes, this is true. Not all companies are certified 'enterprise wide' "� in fact, 100 per cent of development centers of probably a minority of companies are certified, especially if you include some of the overseas development centers some of the Tier 1 companies have set up or acquired."
Realising that clients and prospective customers could be fooled by quality claims, Gartner, according to Iyengar, now encourages customers to specifically ask for the list of development centres that are assessed at various quality levels, and whether all the resources within a centre have been assessed.
Some IT company executives argue that companies should be assessed enterprise-wide, not piecemeal, though another school of thought argues the opposite case. As those who favour enterprise-wide assessments see it, this offers one big advantage "� work can be spread across locations, instead of being confined to one or two centres that have been assessed.
Says R Chandrasekaran, executive vice-president and managing director, Cognizant: "In today's context, with high volumes of work being offshored and deal sizes expanding, the quantum of business handled for a single customer is mind-boggling. In such a context, it would be naïve to expect one large development centre to take on such huge volumes."
Others too echo the point. Says Sambuddha Deb, quality head at Wipro: "It is always better to get yourselves assessed enterprise-wide for any quality certification. By going in for an enterprise wide certification I have uniformity in processes and quality across the organisation."
However, Satyam Computers does not subscribe to the enterprise-wide assessment model and has chosen to do a phased CMMi assessment. Three of its units are assessed at CMMi level 5 and it picked a small Bangalore-based company, Sitara Technologies, to do the assessment.
Sitara's lead assessor Raghav Nandyal too is dismissive of enterprise-wide assessments. "Enterprise wide assessments are a farce. Assessments can be done only in a phased manner. If one does parallel or multiple assessments across a company's offices or centres, one thing is for sure "� no two lead assessors can come up with the exact same finding."
Problem two is that SEI-CMM assessments need not be audited or revisited every year. Companies could go for the rating once, forget all about the process and quality needs in the years to come, and yet retain the rating. Unlike in the case of ISO certification, no mechanism exists for annual audits. Not all prospective customers are aware of this either.
To be sure, the SEI only recommends that companies adopt an CMM or CMMi assessment using a structured methodology every 18 months. This can be done by in-house quality assessors. As a result, companies need not be altogether honest about the process.
Still, the better IT companies do opt for frequent quality audits. Wipro and Cognizant, for instance, use organisations like KPMG to do their CMM assessment. KPMG insists on an annual health check up, so ensuring that an external quality audit takes place either annually or once in two years.
Sitara's Nandyal, however, trains his guns on annual audits "� they're just a money spinner for the quality auditors. "What happens if different assessors land up every time? How can they come to the same findings? In this business you cannot aggregate findings. Everything has to have a context. Please realise that no two level 5 or level 4 findings are the same," he says.
Problem three is that companies change their quality assessors "� that is, not all companies use the same assessing body for all their assessments. India has four notable, large assessing bodies: Quality Assurance International, KPMG and BVQI (Bureau Vertias) for SEI-based assessments, and STQC for security and business continuity assessments.
A couple of years ago Satyam was certified as ISO 9001:2000 by the France-based BVQI but its CMMi certification was done by the less well known Sitara. "We looked at Sitara to do our assessments as we needed to get assessed fast. It promised us a quick turnaround time. We needed two of our divisions, the automobile business unit and the Microsoft solutions group, to be CMMi certified immediately and Sitara did it for us," explains C R Nagaraj, senior vice president, quality, Satyam.
Says Iyengar: "It is not very uncommon to use different certifying bodies for different certification needs. What is important is the credibility and track record of the entity doing the assessment, as well as the credibility of the company that is getting the assessment done."
A small vendor that gets its certification from an unknown assessor would, in general, be more suspect than a large reputed firm that gets an assessment done by a smaller assessor. The theory here is that the larger companies have a lot more to lose from any monkey business with their assessment. They risk losing their reputation, which increasingly is going to count in winning deals.
Smaller companies are less expensive and are regarded as not being as stringent as assessors with global reputations. Asks one quality assessor: "Isn't it in the assessors' interest to assess the assessed company at the highest level? The words spreads if this does not happen, and the assessor may not get further business."
" At the end of the day, CMM is about "continuous" improvement, and to truly assess continuous improvement continuity in the assessment agency is critical," says an independent quality assessor.
Adds Iyengar: "This points out the reason a company would want to switch assessors "� if it does not want to have someone compare the ongoing improvements and baseline it to the previous situation. I'm not saying that this is the motive in all instances where the assessor is different, but it could be likely in quite a few of the cases. "
Why, then, do companies resort to piecemeal assessments, change assessors and resort to internal assessors? The answer, quite simply, is that the price leading quality certification companies charge can burn a hole in your pocket. "It can cost upwards of $30,000 (about Rs 13 lakhs) for a large development centre to be put through a quality assessment," Chandrasekaran points out. Not every IT company can afford to pay so much. Nor can every company opt for enterprise-wide assessments.
Still, enterprise-wide assessments and third-party independent assessments are viewed as important. Says an independent quality auditor: "Earlier, CMM level 4 or 5 certification was a qualifying criterion to get business from large corporations; today it's an elimination criterion. Customers today do not shortlist companies if they are not assessed at level 4 or level 5. This has led companies to finding ways and means to indicate that they are at level 4 or 5 to qualify in the first few rounds of proposals. Hence companies are taking these short cuts. The pressure to get business at any cost has made quality a casualty."
The good news is that companies are beginning to realise that short cuts don't work. That's because customers and research bodies have understood the nuances of the game. "Every request for proposal (RFP) from a customer and every questionnaire from reputable research bodies now asks for finer details on whether the assessment is enterprise-wide or not. If not, they ask which verticals, horizontals and competencies are assessed, which agency has assessed the company, how long this agency has been associated with the company's assessment and so on," says Natarajan Rajashree, head of quality and process at Cognizant.
So India's IT companies had better beware. There really are no short cuts to quality. Those that think otherwise will lose out to competitors in China and Pakistan "� the first set of companies there have already been assessed in line with SEI standards.
| Glossary Quality standards have been set by the Software Engineering Institute (SEI), part of Carnegie Mellon University. SEI is a federally funded research and development centre sponsored by the U.S. department of defence. The SEI's core purpose is to help others make measured improvements in their software engineering capabilities. The best known certifications are the Software Capability Maturity Model (SCMM "� a standard for software processes), the Systems Engineering Capability Maturity Model (SECMM), the newly integrated Capability Maturity Model (CMMI "� a standard for systems and software processes) the Capability Maturity Model, and People-CMM (P-CMM "� a standard for personnel at software companies). The idea is that an organisation should choose the model that best fits its objectives and use it both as a benchmark to determine its maturity and to identify areas where processes can be improved. |
