SOA Patterns: Service Firewall

Service Firewall

I mentioned in the Secure Message pattern that messages travel in “no-man’s land”. You can use the Secure Message or the Secured Infrastructure patterns helps deal with protecting the messages while traveling that space - but what do we do if the sender is malicious? An attacker send us a malicious messages (e.g. with a virus as a SOAP attachment) and it wouldn’t really help us that we manage to ensure that malicious message got to us intact and securely.

4.3.1 The Problem

To illustrate the type of attacks a malicious sender can cause let’s look at one of them a little closer. Figure 4.4 below an XML Denial of Service (XDoS) attack. In this type of attack a malicious sender attaches a lot of digital signatures to a message. Parsers that aren’t ready for this type of attack examine each of these signatures causing the service to slow down under the load.

Figure 4.4: Illustration of a XDoS attack. A malicious sender prepares an XML that looks valid but is loaded with a lot of digital signatures. An unsuspecting parser will try to verify each of these signatures while hogging down CPU cycles which can result in unavailability of the service.

Attacks using incoming messages as demonstrated in Figure 4.4 are one type of threat we need to handle, another related type of threats or problems has to do with outgoing messages. Here we need to make sure that private or classified information does not leak outside of the service. In this type of scenarios we want to find a way to make sure they hold only information allowed in the contract flows out of the service.

How can you protect a service against detect malicious incoming messages and prevent information disclosure on outgoing messages?

One option for dealing with malicious senders is to apply the Secured Infrastructure pattern (mentioned earlier in this chapter) and require certificates for authorizing clients. This means that clients that do not have a certificate will not be allowed to contact the systems. One problem with this approach is that it is only good when the number of service consumers is controlled and not open for the general public (e.g. exposed on the internet). Another limitation of the certificate approach is that it doesn’t handle attacks by insiders since they are authorized to access the system.

Another option is to incorporate the security logic that screens malicious content as part of the business logic. There are several problems with this approach the problem with this approach is that you get code duplication as there are many threats that are common to all services. Another problem is a that you the business logic is tainted with the security logic which makes it harder to write and maintain.

The better option is to externalize the security to another component. Let’s look at this option more closely.

4.3.2The Solution

SOA messages are application level components – however. the notion of messages is not new or unique to SOA. We (the computer industry) already have a lot of experience with messages on a lower level of the OSI stack - the network level, specifically TCP packers and UDP datagrams. TCP and UDP have few similarities with SOA messages, the interesting ones, for the purpose of this pattern are the threats they face. Since the threats are similar maybe we can also use the same solutions we’ve found to work for TCP and use them for our SOA messages.

Implement the Service Firewall pattern and intercept incoming and outgoing messages and inspect them in a dedicated software component or hardware.

Figure 4.5 The Service Firewall Pattern. The Service Firewall sits between the outside world and the actual service (or Edge). The Service Firewall scans, validate and audit both incoming and outgoing messages. Once a message is identified as problematic it can either be filtered out or cleansed.

The Service Firewall pattern is an application of the Edge Component pattern (see Chapter 2). Figure 4.5 above illustrates how the Service Firewall operates. First it intercepts each incoming and outgoing message and inspects it. Once intercepted the Service firewall can scan the message for malicious content such as viruses or XDOS attacks as mentioned in the sample scenario. Additionally, the Service Firewall can validate messages by making sure they conform to the contract, verifying property types and sizes etc. When a message is identified as problematic the Service Firewall can audit and log the message and then decide whether to filter it out or cleanse the problematic content and let it through.

The Service Firewall acts as a first line of defense for the service. As illustrated in Figure 4.5 below, when a request arrives at the firewall it is scanned and verified, requests that were authorized are then routed to the real service (or another Edge Component)

Figure 4.5 When a request arrives at a Service Firewall (an XML firewall in this illustration) it is screened for validity, for instance they firewall can check that an XML matches the predefined XSD. Authorized requests get through and unauthorized requests are rejected.

The idea behind a Service firewall is simple, the implementation, however is a little more complicated since there is a lot of functionality that has to be implemented to get each of the roles (scan, validate, filter etc.). On top of that you need a way to make sure the Service Firewall gets all the messages to be able to work

4.3.3 Technology Mapping

As mentioned in the patterns structure in Chapter 1, the technology mapping section takes a brief look at what does it mean to implement the pattern using existing technologies as well as mention instances where current technologies implement the pattern.

The simplest way to implement the Service Firewall pattern is to create a designated Edge Component, deploy it on the DMZ. Deploy the real service behind a regular firewall and

Implementing the Service Firewall pattern without using a regular firewall is a little more problematic as an attacker can just call the endpoints that is used by the actual service and bypass the Service Firewall altogether. In these situations you can rely on the interception capabilities of the technology you use.

For instance, Figure 4.6 below shows the relevant extension points offered by Windows Communications Foundation for intercepting incoming messages.

Figure 4.6. WCF supports a few dozens of extension points to control the way a message is handled when in enters or leave the service. You can use four of these extension points (depicted above) to implement the different roles defined in the Service Firewall pattern.

As illustrated in Figure 4.6 there are four relevant extension point (out of the few dozens of extension points supported by WCF) where you use classes to perform the various roles of the Service Firewall pattern. You can have classes that and verify addresses, verify contract, inspect the messages and inspect parameters – both for incoming and outgoing messages. You can then use code like in Code listing 4.1 to add these classes as interceptors when a message passes in or out of the service.

Public void SetInterceptors(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)

{

foreach (ChannelDispatcher ChannelDisp in serviceHostBase.ChannelDispatchers)

{

foreach (EndpointDispatcher EndPointDisp in ChannelDisp.Endpoints)

{

EndPointDisp.DispatchRuntime.MessageInspectors.Add(new MyMessageInspector());

foreach (DispatchOperation op in epDisp.DispatchRuntime.Operations)

op.ParameterInspectors.Add(new MyParameterInspector());

}

}

}

Code Listing 4.1. a WCF code snippet to add interceptors to incoming and outgoing messages handled by WCF. You can use these interceptors to implement the Service Firewall pattern and validate, scan etc. any message that passes in or out.

Another implementation option for the Service Firewall pattern is using hardware or embedded appliances. For instance, there are several companies like Layer7, IBM, Vordel and a few others that produce XML firewall appliances. The advantage of using XML appliances is that you can deploy them along with your other firewalls in the DMZ and have them serve as the first line of defense. Another Practical SOA

advantage is that these are platforms optimized for XML handling so the performance impact of the appliances is lower vs. self coded solution. One disadvantage of using hardware XML firewalls is setup costs (tens of thousands per unit) another disadvantage is increased maintenance complexity which comes both from managing an additional hardware type and more so from the double management of your SOA contract (both in the service and in the appliance).

Whether you use an appliance or implement the Service Firewall pattern in code it can really boost the security of your services by helping prevent threats like denial of service attacks or even just save some validation efforts for the service itself

4.3.4 Quality Attributes

As noted in the beginning of this chapter, the quality attributes section for security patterns discusses the threats that the pattern helps prevent.

The Service Firewall pattern is a very versatile pattern and it can be made to handle many types of threats. Table 4.4 below shows the threat categories and the actions that an implementation of the Service Firewall pattern can take to protect against threats in this category.

Threat	Actions
Tampering	Changing the content of request or a reaction
Validating that messages are not mal-formed
Information Disclosure	Scanning outgoing messages for protected content
Restricting reply addresses to a closed groups
Denial of Service	Preventing XDoS attacks by examining XMLs before validating each singnature
Blocking known attackers
Restricting Requestors addresses to a closed group
Scanning attachments for viruses
Elevation of Privilege	Examining an incoming message for injection attacks
Examining an incoming message for buffer overruns by validating contract and sizes of elements

Table 4.4 Threat categories and actions. List of the action that implementations of the Service Firewall can take and the threats these actions mitigate.

In Addition to the specifics of the threats that the Service Firewall pattern helps mitigate, we can also look at it from the wider scope of quality attributes. Like most of the patterns in chapter 4, the Service Firewall pattern is a security pattern. It is interesting to note that unlike most other security patterns it is relatively easy to add it on towards the end of a project. You should note however that it is not a completely free ride and for instance you still have to measure its impact on system performance, it can add an overhead in regards to contract maintenance etc.

12 Things You Know About Projects but Choose to Ignore

Bart Perkins

March 12, 2007 There is no mystery as to why projects succeed or fail; people have been writing about effective project management for millennia. More than 2,000 years ago, Sun Tzu described how to organize a successful, highly complex project (a military campaign) in The Art of War. Fred Brooks’ classic book, The Mythical Man-Month, offers management advice targeted at running large IT projects. The U.K. National Audit Office recently published an excellent guide to delivering successful IT-enabled business change (www.nao.org.uk/publications/nao_reports/06-07/060733es.htm). Over the past 10 years, virtually every major IT publication has printed articles on why large projects succeed or fail.

Despite all the excellent advice available, more than half of the major projects undertaken by IT departments still fail or get canceled. Stuart Orr, principal of Vision 2 Execution, reports that less than 20% of projects with an IT component are successful, with success defined as being delivered on time and on budget while meeting the original objectives.

We know what works. We just don’t do it.

Projects fail because people ignore the basic tenets of project success that we already know. Here are some of the common reasons — and there are many — for failure:

An ineffective executive sponsor. A weak or, even worse, nonexistent executive sponsor almost guarantees business project failure. Under weak executive leadership, all projects become IT projects rather than business initiatives with IT components. Since the 1980s, research has consistently found that effective executive sponsorship and active user involvement are critical to project success.

A poor business case. An incomplete business case allows incorrect expectations to be set — and missed. Many business cases describe business benefits in far-too-broad terms. Goals and benefits must be measurable, quantifiable and achievable.

The business case is no longer valid. Marketplace changes frequently invalidate original business assumptions, but teams often become so invested in a project that they ignore warning signs and continue as planned. When the market changes, revisit the business case and recalculate benefits to determine whether the project should continue.

The project is too big. Bigger projects require more discipline. It’s dangerous for an organization to undertake a project five or six times larger than any other it has successfully delivered.

A lack of dedicated resources. Large projects require concentration and dedication for the duration. But key people are frequently required to support critical projects while continuing to perform their existing full-time jobs. When Blue Cross attempted to build a new claims system in the 1980s, nearly 20% of its critical IT staffers were simultaneously assigned to other projects. The claims initiative failed. Project managers who don’t have control over the resources necessary for their projects are usually doomed.

Out of sight, out of mind. If your suppliers fail, you fail, and you own it. Don’t take your eyes off them.

Unnecessary complexity. Projects that attempt to be all things to all people usually result in systems that are difficult to use, and they eventually fail.

Cultural conflict. Projects that violate cultural norms of the organization seldom have a chance. The FBI’s Virtual Case File was designed to share information in a culture that values secrecy and rarely shares information across teams. Moreover, FBI culture views IT as a support function and a “necessary evil” rather than an integral part of the crime-solving process. The project violated multiple cultural norms and met with significant resistance. The Virtual Case File was finally killed after costing more than $100 million.

No contingency. Stuff happens. Projects need flexibility to address the inevitable surprises.

Too long without deliverables. Most organizations expect visible progress in six to nine months. Long projects without intermediate products risk losing executive interest, support and resources.

Betting on a new, unproven technology. Enough said.

An arbitrary release date. Date-driven projects have little chance of success. Will we ever learn to plan the project before picking the release date?

See anything new here? That’s exactly my point.

Next time, increase your chances for success by avoiding these common project pitfalls. Use the above list (and other industry guidelines) to evaluate your project. If you see too many signs of danger, cut your losses and either restructure the project or kill it.

Talk to experienced project managers and read project management literature to review what works and what doesn’t. Though, in fact, you already know.

Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps organizations invest well in IT. Contact him at BartPerkins@ LeveragePartners.com.

SAP CRM and Siebel CRM -- a side-by-side comparison

At this point, I'd say the jury is still out on how Oracle will absorb Siebel's technology and how that new functionality will play out. Right now, do you think SAP has the upper hand when it comes to CRM? What does that mean for a prospective customer?
QUESTION ANSWERED BY: Srinivasa Katta Let's look at them side by side. See the strengths and weaknesses below.

SAP CRM
Strengths
SAP CRM is stronger than Siebel in terms of tighter integration with its back-end ERP system. Tighter integration in sales, service and logistics is also an inherent strength of SAP CRM with SAP ERP. SAP has a deep knowledge of manufacturing and engineer industry verticals. In addition, SAP BW -- SAP's BI application -- integrates seamlessly with SAP ERP and SAP CRM, while comprehensive reporting is almost out-of-box as well. SAP CRM also has the obvious strength when it comes to customers who are already running an SAP shop.

Weaknesses
SAP has not made significant in roads into the non-SAP ERP customer base. SAP CRM customers are mostly clients who have the SAP ERP installed base. SAP also has to strengthen vertical industry solutions.

Siebel CRM
Strengths
Siebel CRM has the upper hand in the depth and breadth of their CRM applications. Siebel has a large install base of customers compared to SAP CRM. In addition, Siebel industry-specific applications are stronger than those by SAP CRM.

Weaknesses
Siebel does not have a traditional ERP product. The integration costs to back-end ERP systems are very high. However, this may no longer be a factor if Siebel demonstrates seamless integration with Oracle back-end applications.

RFID Basics

By Jack Shandle

February 26, 2007

A basic Radio Frequency Identification (RFID) system consists of: an antenna; a transceiver with a decoder; and a transponder (also known as an RFID tag). Without software to utilize the information derived from reading the tags, however, the system would have little practical value. So it is wise to include middleware as a component.

A transponder, or tag, is electronically programmed with unique information sometimes as little as an identification number so the item it is attached to can be located and tracked. Some RFID tags are much more sophisticated. Electronic passports based on RFID technology, for example, can include biometric data about the passport holder and encryption capability as well.

When an antenna is packaged with a transceiver and decoder, it becomes an RFID reader. Depending on their output power and RF frequency, readers have ranges of from an inch to 100 feet or more. When an RFID tag passes through the reader's active zone, it detects the reader's activation signal. The reader decodes the data encoded in the tag's RFID chip and the data is sent over the wired communication infrastructure to corporate, institutional, of governmental databases where it is included in databases.

In the basic system, the antenna emits RF signals to activate the tag and read and write data to it.

Antennas are available in a variety of shapes and sizes depending on the application. They can be attached to any number of retail items such as clothing, inserted under the skin of livestock, or mounted on toll booths to monitor traffic passing by on a freeway.

When a steady stream of tags is expected in the application, the electromagnetic field produced by an antenna can be on all the time. But if constant interrogation is not required, the field can be activated by a sensor.

Tags vary in their technological sophistication and capabilities. Regardless of the type of tag, however, since there are always far more tags than readers in a system cost is a controlling factor. In many systems, the tags are discarded or destroyed.

Software consists of the embedded systems software that runs the hardware and middleware, which connects the local RFID system to corporate, governmental or institutional databases. In almost all RFID applications, middleware is by far the single most expensive part of the system.

Figure 1: RFID system components.

Passive RFID Tags

Passive RFID tags do not have internal power supply. Instead, they are powered by energy induced in the antenna by the RF signal. Most passive tags transmit by backscattering the carrier signal from the reader. The engineering challenge is to design an antenna that can collect power from the incoming signal and transmit it to the outbound backscatter signal. The response of a passive RFID tag is not necessarily just an ID number; the tag chip can contain non-volatile EEPROM for storing data.

Hitachi, Ltd. presently holds the record for the smallest passive tag. Its mu-Chip measuring 0.15x0.15mm (not including the antenna) is thinner than a sheet of paper. (7.5 micrometers). It transmits a unique 128-bit ID number hard coded into the chip as part of the manufacturing process and has a read range of 30 cm.

The lowest cost RFID tags cost about 5 cents each. Adding an antenna creates a tag that varies from the size of a postage stamp to the size of a post card. Passive tags have practical read distances ranging from about 10 cm to a few meters. Their simple design means that a printing process can be used to manufacture passive tags.

Active RFID tagsActive have an internal power source, which makes them more reliable and provides a wider range of operation. Their higher reliability is derived from the tag's ability to conduct a session with a reader during which transmission errors can be detected and corrected.

Many active tags have practical ranges of hundreds of meters, and a battery life of up to 10 years. Active tags can have a range of up to 300 feet and they typically have larger memories than passive tags, as well as the ability to store additional information sent by the transceiver. Presently, the smallest active tags are about the size of a coin and sell for a few dollars.

Due to the wide range of applications RFID continues to develop based on new standards and improvements in the technology and design. A few of these challenges include HF gen 2 standards, Near Field UHF technology, as well as mature and off-the-shelf hardware and sensor technology.

RFID Frequencies

RFID operate over several frequency ranges.,br>

• Low-frequency (LF): 125 to 134.2 kHz and 140 to 148.5 kHz. Typical applications include immobilization systems in automobiles, retail, and animal identification and it's tracking through the human food chain.
• High-frequency (HF): 13.56 MHz. Typical applications include tagging of rental items like books or uniforms, public transportation ticketing pharmaceuticals and other item tagging.
• Ultra-high-frequency (UHF): 860 MHz to 960 MHz. Typical applications include fixed asset tracking, baggage handling, and supply chain applications.

Standards

Although organizations such as EPC Global and AIM/ are involved in standardizing physical and system attributes, there is no global public body that governs the frequencies used for RFID on a world wide basis.

As a result, countries and regions have chosen independently which frequency bands are reserved for the use of RFID. LF and HF RFID tags can be used globally, with power levels harmonized on a global basis simplifying the desing of labels and readers.

For UHF frequencies, however, the situation is a bit more challenging. The heavily used frequency range of 860 MHz to 960 MHz was chosen for UHF RFID and this is creating challenges for the unified solutions. It will be no easy task to get the approval for the usage of RFID at UHF in all countries. But without a global standard, UHF companies that operate on a global scale will struggle to implement it cost effectively.

Multiple Frequencies, Varied Applications

LF and HF frequencies have been heavily utilized for RFID rollouts utilizing passive systems. Standardized LF and HF technologies have been available since 1995, while UHF has been available since 2001.

LF systems have an advantage in applications that have harsh operating conditions. High immunity to electrical noise and encryption technology are two decided advantages. A range of 1.5 metres can be reached. LF is also suitable applications involving liquids, organic materials and metals because it does not scatter when it meets these surfaces.

LF is already the major technology in: animal identification, access control, asset management solutions for gas cylinder, beer kegs and other high valued products. LF's range, performance and cost are being improved with new IC designs and more mature readers in the market.

An HF system is considered appropriate in applications where items are tagged and read/ write ranges of up to 1.5 metres are required. Encryption algorithms allow for protected data on the IC and EAS features in the tag, make anti theft prevention possible.

Typical applications today include tagging of library books, CDs and DVDs, pharmaceutical products for counterfeit prevention and many applications which require a very precise read and write environment.

New encryption algorithms are being used in HF to make the technology even more secure for short ranges. Faster protocols are being introduced to improve the reading and anti-collision speed. Additionally, new regulations are being worked on to allow for more power to be used to increase the read and write distance of the HF solutions.

UHF RFID

UHF is typically used for applications where of several meters are required. These include pallet and case identification in warehouses, as well as car authentication in a factory for production control purposes.

In the UHF space, only Far Field UHF technology has been available until recently, making identification of fluids and other organic material virtually impossible. Today the industry is working on Near-Field UHF (NF UHF) to get around these problems. With NF UHF, read distances of approximately 30 cm can be achieved, allowing for some item level tagging.

Figure 1 provides an overview of the performance of LF, HF, and UHF systems across several key areas. Tag construction will be discussed in the next few paragraphs.

Figure 2: Metals, field characteristics and tag construction are challenging for NF UHF.

Whereas HF and LF tags tend to have typical coil configurations that allow generic label designs, UHF tags come in many different configurations as they need to be optimized to the material the labels to which they are attached. This is largely due to the fact that UHF signals interact with tagged articles or adjacent materials more than HF or LF.

FF UHF is well characterized but work continues on optimizing hardware and software to solve application specific requirements. These include improving read rates, optimizing reader fields and working on the harmonization of regulations to allow UHF to be used on a world wide basis.

In 2006, work began on NF UHF has to analyze how it can be used to achieve item-level tagging.

Ongoing Research

With so much improvement in all three frequency ranges, it was becoming more difficult to choose the best frequency range for a specific application, particularly in choosing between HF and UHF.

Early in 2006, Deutsche Post World Net launched an initiative to evaluate industry usage of RFID across several industries including fashion, pharmaceutical and electronics. Other members of the DHL Innovation Initiative included IBM, Intel, Philips Semiconductors (now NXP Semiconductors) and SAP.

By including both HF and UHF systems in its testing and evaluations, the Initiative's goal was to determine optimum RFID solution for various applications within target industries.

Key factors being considered were the readability and writability of RFID tags under differing environmental conditions, when applied to the many materials found in a typical logistic environment.

Safety and Privacy

Two important considerations for deployment of RFID systems are privacy and safety.

Privacy issues largely revolve around the range in which the RF signal can be read or written as well as the use of security enhancing technologies like password protection and cryptology and destroy commend where required.

Cryptology technologies are well proven and deployed at large for HF, some LF solutions but not yet in UHF solutions.

Since the power of HF RFID signals drops off rapidly from the interrogator antenna, it has an inherent advantage over the far-field operation of typical UHF RFID chips. UHF fields can, however, be contained by using near field coupling between the interrogator antenna and the tagýthe technique used in the aforementioned NF UHF.

Health issues are still a matter of active study by regulatory agencies around the world. Allowable exposure is expressed in terms of power density. For a specific system with a known transmit power and frequency, this means that a minimum exposure distance can be calculated.

Regulatory bodies also make a distinction between allowable occupational exposure and allowable radiation exposure for the general public. Since the general public is not subject to more or less continuous exposure, the minimum distance is greater than for occupational exposure. Since NF UFH is a relatively new technology in terms of its use in RFID applications, it is not clear as of this time how the health issues will be sorted out.

Conclusion

Although the industry has, in the past, used LF or HF for item-level tagging and UHF for pallet and case-level tagging, NF UHF makes it possible to use NF UHF for item-level tagging. .

Initiatives to find the most cost effective technology for different applications are well underway. While technical efficiency is important, the studies also look at privacy, health, and security concerns that are often written into regulations.

There are also initiatives to harmonize a second-generation standard for HF, similar to the UHF Gen 2 standard already agreed to by EPCGlobal and ISO.

But it remains clear that there is no one-size-fits all solution for RFID. In countries where both HF and UHF frequencies can be utilized, issues such as tag performance repeatability, privacy, reliability, scalability and cost may tip the balance toward one frequency choice or the other. By making both available, system integrators have the option of determining the most appropriate solution and deploying it.

---

Jack Shandle is the site editor of WirelessNetDesignline. He holds BS in Electrical Enginering from the University of Pennsylvania and a MS in Communications from Temple University. Presently a freelance writer and editor, he formerly held management positions at several major electronics publications and can be reached at jshandle@earthlink.net. Copyright 2005 ý CMP Media LLC

Agile Documentation Strategies

Agile Documentation Strategies

Documentation is an important part of every system, agile or otherwise

By Scott Ambler,
Feb 05, 2007

Scott is a DDJ Senior Contributing Editor and author of numerous IT books. He can be contacted at www.ambysoft.com/ scottAmbler.html.

---

Documentation is an important part of every system, regardless of the paradigm followed to develop that system. Although agilists are sometimes maligned for what is perceived to be their cavalier attitude towards documentation, the fact is that we take documentation very seriously. Agilists adhere to the philosophy that your team's primary goal is to develop software, a message that sometime drowns out its sister philosophy that a project team's secondary goal is to enable the next effort. Because the "next effort" typically involves running, supporting, operating, and maintaining the system, chances are incredibly good that you're going to need to write some documentation along the way. It's possible to do so in an agile manner, and this month, I explore strategies for doing exactly this.

For some reason, the agile community seems to struggle to describe how we approach documentation. There are several explanations for this. First, the majority of agile developers prefer to focus on technical practices (such as regression testing, refactoring, and continuous integration) instead of "softer" practices (such as modeling, documentation, and governance). Hence, we talk about those things a lot more. Second, because the agile community is growing quickly, we have large numbers of novices who are in the early stages of learning—in their exuberance, they are all too eager to share their misperceptions with others, and a common misperception is that agilists don't document. Third, modeling and documentation practices weren't explicit in most first-generation agile methodologies, unlike second generation agile methods such as Open Unified Process (OpenUP) and Microsoft Solutions Framework (MSF) for Agile.

A Few Myths and Misconceptions

To understand the agile approach to documentation, you must first understand the potential misunderstandings about documentation that have seeped into traditional thinking:

• • Documentation isn't the primary issue—communication is. For example, your primary goal isn't to document requirements, it's to understand them so that you can implement them fully. Your primary goal isn't to document the architecture, it's to formulate a viable one that meets the long-term needs of your stakeholders. This isn't to say that you won't decide to invest in such documentation, but that isn't the raison d'tre for your project.
• • Comprehensive documentation does not ensure project success. Just because you have a detailed requirements specification that has been reviewed and signed off, that doesn't mean that the development team will read it, or if they do, that they will understand it, or if they do, that they will choose to work to the specification. Even when the "right thing" happens, comprehensive documentation still puts the project at risk because of the perceived need to keep the documentation up-to-date and consistent. Your real goal should be to create just enough documentation for the situation at hand; more on this later.
• • Documentation doesn't need to be perfect. People are flexible, they don't need perfect documentation. Furthermore, no matter how hard you work, it's very unlikely that you could create perfect documentation—even if you could, it isn't guaranteed that the readers will understand it anyway.
• • Few people actually want comprehensive documentation. When was the last time you met a maintenance programmer who trusted the system documentation that they were provided? Or an end-user who wanted to sit down and pore over a massive user manual? What people typically want is well-written, concise documentation describing a high-quality system, so why not invest your time to deliver that instead?
• • Documentation doesn't need to be standardized. Many organizations have adopted the unfortunate philosophy that repeatable processes lead to success, yet in reality what you really want is repeatable results (that is, the delivery of a high-quality system). The quest for repeatability often leads to templates, and because each system has its own unique set of issues, these templates have a tendency to grow over time into all inclusive monstrosities that do little more than justify bureaucracy. Try to achieve a reasonable level of consistency, but don't go overboard doing so.

Rethinking Documentation

Documentation is as much a part of the system as the working software itself. Your goal should be to develop documentation that is sufficient for the needs of its audience, and to do that you must work closely with your stakeholders to understand their actual requirements. I believe that this is where agilists truly differ from their traditionalist counterparts: Agilists treat documentation as a stakeholder requirement, not as something dictated by the process. Because documentation is a requirement, it is something that should be estimated by the development team and prioritized by the stakeholders. Because the resources that you have to invest in an IT project are finite, and because it's your stakeholder's money being spent, they should decide which documentation will be created and how comprehensive it needs to be.

Because your stakeholders are a varied bunch, they consist of end users, business management, IT management, operations staff, support staff, enterprise architects, and many more, chances are pretty good that most someone will identify the need for a document. But let's assume that they forgot to ask for system overview documentation. Does that mean that you don't create it? No, of course not. What you do is suggest to your stakeholders the need for such documentation, justify why it's important, estimate the total cost of ownership (TCO) of creating and maintaining it, and then let them decide whether the wish to invest in the documentation.

This is a very different approach than what traditional teams typically take. Traditional software processes define which documents need to be created, will often provide detailed guidelines and templates to help ensure completeness, will indicate when the documentation should be created, and who should receive it. The underlying assumption is that the stakeholders, the people who were smart enough to earn the money, aren't smart enough to determine how to spend the money and therefore those decisions are taken away from them in traditional processes. Not only is this incredibly arrogant, it is also ripe for abuse—hence the overly bureaucratic and documentation-heavy processes that we see in many organizations.

Many organizations justify their burdensome documentation practices on industry regulations such as the Food and Drug Administration (FDA) regulations, the Sarbanes-Oxley (SOX) act, or the Basel-II regulations. I've worked in organizations that have had these regulatory requirements inflicted upon them and I can safely assure you that it is possible to remain agile. The first, and more important, step is to actually read the regulations. Nowhere in them does it say that you need to be ineffective and wasteful, yet if you allow the paper-pushers within your organization to interpret the regulations (and doesn't it seem that they're always lining up to do so?) then inevitably you'll find yourself in a bureaucratic morass. The second step is to be actively involved with interpreting the regulations to ensure that your resulting process is as streamlined as possible yet still in compliance. Third, be prepared to evolve your process to reflect new versions of the regulations as they evolve over time. For example it is likely that SOX will be simplified soon, and I think that it will be interesting to see how many organizations choose to tear down the political empires that were justified based solely on SOX.

When to Document

Documentation should be created on a just-in-time (JIT) manner when you need it, and only if you need it. You should document something only when it has stabilized, otherwise you will be updating it endlessly as the situation changes. This is one of several reasons why it proves foolish to write comprehensive requirements documentation early in the system lifecycle—because your stakeholders will change their minds, usually for completely valid reasons, you discover that the investment in detailed documentation was counter-productive. The implication is that detailed documentation should be written after, or at least towards the end of, the development work. Yes, you likely need to do some very high-level modeling to think things through, but investing in detailed documentation too early is questionable at best. I present a critical examination of the big-requirements up front (BRUF) approach at www.agilemodeling.com/essays/examiningBRUF.htm.

Agile Modeling (AM) advises that you should update documentation only "when it hurts". People are flexible, if the documentation isn't perfect that's okay, they can figure it out. Millions of software systems are successfully running around the world as you read this paragraph, and how many do you honestly think have perfect documentation that is up to date and fully consistent? Perhaps a handful? How many billions of dollars, if not trillions, do you think has been wasted over the decades striving to produce perfect documentation? Your goal should be to produce documentation that is good enough for the situation at hand—once it's good enough any more investment in it is clearly a waste.

Documentation Alternatives

Agilists have rediscovered the concept of literate programming, of writing high-quality, easy-to-understand source code that contains embedded documentation. Furthermore, teams that take a behavior-driven design (BDD) approach consider their test suites to be executable, detailed documentation. Agile acceptance test suites forms a significant portion of the requirements documentation and developer test suites the design documentation. We follow AM's Single Source Information practice by having our tests do double-duty as specifications and therefore we require significantly less external documentation.

The "documentation is in the source code" philosophy covers the vast majority of technical documentation, but system overviews will still be required as will documentation for non-development staff. Andreas Rueping's book Agile Documentation: A Pattern Guide to Producing Lightweight Documents for Software Projects (John Wiley and Sons, 2003) defines a wonderful pattern language for improving the efforts of technical writers. Good documentation is concise—it overviews critical information such as design decisions and typically provides visual "roadmaps" showing the high-level relationships between things. Agilists focus on this style of documentation, and only write detailed documentation when it is needed and no better alternative exists.

Agile software developers travel as light as we possibly can, creating just enough documentation for the situation at hand in a just-in-time (JIT) manner. We believe that the benefit of having documentation must be greater than its total cost of ownership (TCO), that our stakeholders should decide whether to invest their money in it, and that we should strive to maximize the return on investment (ROI). Agilists are really smart about the way we write system, user, operations, and support documentation and as a result we tend to write significantly less documentation than our traditionalist colleagues. If you're interested in learning more about agile strategies for writing documentation, I highly suggest www.agilemodeling.com/essays/agileDocumentation.htm.

The Ethical Mind

The Ethical Mind

It’s not enough to espouse high standards. To live up to them—and help others do the same—requires an ethical cast of mind that lets you practice your principles consistently.

A Conversation with Psychologist Howard Gardner

Howard Gardner and Bronwyn Fryer

If you’re running a large company, don’t expect the public to like you. Soaring executive pay packages, continuing rounds of layoffs, and the memory of ethical failures at firms like Enron, WorldCom, and Hewlett-Packard have raised public animosity toward corporate executives as never before. A U.S. Roper poll conducted in 2005 revealed that 72% of respondents believed wrongdoing was widespread in industry. Only 2% felt that leaders of large firms were “very trustworthy” (a drop from 3% in 2004), and the pattern is “not improving,” according to Kathy Sheehan, a senior vice president at GFK Roper Consulting in New York. Meanwhile, the public increasingly demands that companies take better care of their employees, communities, and the environment.

It is now, more than ever, incumbent on business leaders to repair relations with customers and employees by stepping up to the ethical plate, says Howard Gardner, the John H. and Elisabeth A. Hobbs Professor of Cognition and Education at the Harvard Graduate School of Education in Cambridge, Massachusetts. Gardner is an influential cognitive and educational psychologist, not an ethicist per se. But as a psychologist, he believes that his first responsibility is to understand how moral and ethical capacities develop, or fail to develop. His reflection on ethical issues has deep underpinnings and a very long reach. In the seminal 1983 book Frames of Mind, he put forth his theory that individuals possess not one but multiple varieties of intelligence: linguistic, logical-mathematical, spatial, bodily-kinesthetic, musical, interpersonal, and intrapersonal. The theory, which Gardner continues to refine, has found broad acceptance in the educational community, and teachers around the globe tailor their lessons to the different kinds of intelligence.

Gardner became personally embroiled in ethical issues when he observed how his ideas were being adopted by educators: Some schools and policy makers claimed that certain racial and ethnic groups were lacking specific intelligences. As the founder of the theory, he felt an obligation to denounce such distorted interpretations of his work. Later, when he taught a course at Harvard called “Mind, Brain, and Education,” he found himself thinking about ethical dilemmas, such as those involved in brain and genetic testing and whether it’s wise to share troubling test results with parents, particularly when no proven intervention exists.

Gardner’s core insights into the ethical mind come from more than a dozen years of studying working professionals. Since 1995, he and teams of investigators at four universities have been researching the ways in which people aspire to do good work—that is, work of high quality that matters to society, enhances the lives of others, and is conducted in an ethical manner. The researchers have also observed firsthand the ways in which good work is eroded by cultural, economic, and technological forces. (For more on this long-term project, go to www.goodworkproject.com.) In his new book, Five Minds for the Future (forthcoming from Harvard Business School Press in 2007), Gardner cogitates on what it takes to develop an ethical mind-set. In this edited interview with senior editor Bronwyn Fryer, Gardner offers his thoughts about what managers must do to develop and maintain high standards for themselves and their organizations.

What is an ethical mind?

In thinking of the mind as a set of cognitive capacities, it helps to distinguish the ethical mind from the other four minds that we particularly need to cultivate if we are to thrive as individuals, as a community, and as the human race. The first of these, the disciplined mind, is what we gain through applying ourselves in a disciplined way in school. Over time, and with sufficient training, we gain expertise in one or more fields: We become experts in project management, accounting, music, dentistry, and so forth. A second kind of mind is the synthesizing mind, which can survey a wide range of sources, decide what is important and worth paying attention to, and weave this information together in a coherent fashion for oneself and others. [For more on the synthesizing mind, see “The HBR List: Breakthrough Ideas for 2006” (February 2006).] A third mind, the creating mind, casts about for new ideas and practices, innovates, takes chances, discovers. While each of these minds has long been valuable, all of them are essential in an era when we are deluged by information and when anything that can be automated will be.

Yet another kind of mind, less purely cognitive in flavor than the first three, is the respectful mind: the kind of open mind that tries to understand and form relationships with other human beings. A person with a respectful mind enjoys being exposed to different types of people. While not forgiving of all, she gives others the benefit of the doubt.

An ethical mind broadens respect for others into something more abstract. A person with an ethical mind asks herself, “What kind of a person, worker, and citizen do I want to be? If all workers in my profession adopted the mind-set I have, or if everyone did what I do, what would the world be like?”

A person with an ethical mind asks, “If all workers in my profession…did what I do, what would the world be like?”

It’s important to clarify the distinction between the respectful and the ethical mind, because we assume that one who is respectful is ethical and vice versa. I think you can be respectful without understanding why: As a child, you might have respected your parents and grandparents because you were taught to. But ethical conceptions and behaviors demand a certain capacity to go beyond your own experience as an individual person. Once you have developed an ethical mind, you become more like an impartial spectator of the team, the organization, the citizenry, the world. And you may have to sacrifice respect for another person if your role as a citizen or worker calls on you to do damage control to protect an idea or institution you believe in.

Whistle-blowers display ethical minds. Many people might see a top manager doing something unethical, but they won’t do anything about it because they want to keep their jobs, and they feel that they must respect the boss. A whistle-blower steps back from those concerns and considers the nature of work and the community in a larger way. He takes a mental leap past daily doings; his allegiance is to the workplace or the profession. He acts ethically even though it may cost him his respectful relation to his supervisor and, ultimately, his job and relation to his colleagues. He is able to do this because his own momentary well-being is less important than the broader mission he has endorsed.

It sounds as if the ethical mind is fundamentally more community focused than any of the other four minds. If that’s true, then how does the ethical mind develop?

An ethical orientation begins at home, where children see whether their parents take pride in their work, whether they “play fair,” whether they give the benefit of the doubt or are closed minded, and so on. Children absorb their parents’ religious and political values. As children get older, their peers have an enormous effect, especially in America. Just as influential is the behavior of the surrounding community toward its citizens. Are young and old people cared for? Beyond the necessary services, are there cultural and social events to learn from and participate in? Do parents take part in these “gluing” activities and expect their children to do the same?

My favorite example of an ethical community is a small city called Reggio Emilia in northern Italy. Aside from providing high-quality services and cultural benefits to its citizens, the city provides excellent infant and toddler centers and preschools. Children feel cared for by the community. So when they grow up, they return this regard by caring for others. They become good workers and good citizens. The tone has already been set at such a high level that one rarely encounters compromised—that is, qualitatively or ethically sullied—work. And in such cases, the ethical action taken by the community is to ostracize the compromised worker (in effect, if not by law) so he does not undermine community mores. This stance works as long as everyone sees that everyone wins.

What gets in the way of the ethical mind?

Sadly, even if you grow up with a strong ethical sense, the bad behavior of others can undermine it. A study conducted by Duke University recently found that 56% of students in the United States pursuing a master’s degree in business administration admit to cheating—the highest rate of cheating among graduate student groups. If you are a very ambitious MBA student and the people around you are cheating on their exams, you may assume that cheating is the price of success, or maybe you do it because “everyone does it.” You might even come to think of ethical behavior as a luxury. A study we published in 2004 found that although young professionals declared an understanding of and a desire to do good work, they felt that they had to succeed by whatever means. When they had made their mark, they told us, they would then become exemplary workers.

As young people go into business today, the temptation to skirt ethics is mounting. We live in a time of intense pressure on individuals and organizations to cut corners, pursue their own interests, and forget about the effect of their behavior on others. Additionally, many businesspeople have internalized Milton Friedman’s belief that if we let people pursue their interests and allow the processes of the marketplace to operate freely, positive moral and ethical consequences will magically follow. I am not one to question the power and benefits of the marketplace in any absolute sense. But markets are amoral; the line between shading earnings and committing outright fraud is not always clear. The chief rabbi of the United Kingdom, Jonathan Sacks, said it well: “When everything that matters can be bought and sold, when commitments can be broken because they are no longer to our advantage, when shopping becomes salvation and advertising slogans become our litany, when our worth is measured by how much we earn and spend, then the market is destroying the very virtues on which in the long run it depends.” Confidence in business is undermined; individuals distrust one another. Reggio Emilia seems light-years away.

Do you think it’s more difficult for businesspeople to adhere to an ethical mind than it is for other professionals?

Yes, because strictly speaking, business is not—nor has it ever been—a profession. Professions develop over long periods of time and gradually establish a set of control mechanisms and sanctions for those who violate the code. True professionals, from doctors and lawyers to engineers and architects, undergo extensive training and earn a license. If they do not act according to recognized standards, they can be expelled from their professional guild. In addition, mentoring is an understood component of regulated professions: A medical intern works with head residents or senior physicians who serve, in part, as ethical guides. But business lacks this model; you don’t need a license to practice. The only requirements are to make money and not run afoul of the law. Even if you start out with high personal ethical standards, it’s easy to wander off the proper path, because professional standards are a vocational option, not part of the territory. Certainly, there are businesspeople who act professionally, who feel obligated to serve their customers and employees and communities. Businesses can also voluntarily take on corporate social responsibility. But there are no penalties if they elect not to. And some economists argue that it is illegitimate for businesses to direct profits toward anything other than shareholders.

Would you say that compromised work is catching—in the same way that the emotional state of a leader affects others, as Daniel Goleman has observed?

Employees certainly listen to what their leaders say, and they watch what their leaders and colleagues do even more carefully. Employees feel psychologically emboldened or pressured to emulate the bad behavior they see in leaders and others who “get away with it.” Alternatively, leaders who model ethical behavior, especially in spite of the temptations of the market, inspire employees to do likewise and thus win for their firms in the long run. Though hoary, the example of CEO James Burke of Johnson & Johnson is still useful. When Burke immediately recalled all Tylenol products during the scare in the 1980s, he exemplified what it is to be ethical in the face of odds. In the end, his company benefited: Twenty-five years later, Johnson & Johnson is rated in the top spot for corporate reputation among large companies.

In business, it’s easy to wander off the proper path, because professional standards are a vocational option, not part of the territory.

It matters enormously whether the various interest groups with a stake in the work are in harmony or in conflict and whether the particular role models are confident about the hats they are wearing. When everyone is focused on the same thing, it’s easier to do good work. For example, in the late 1990s, our studies found that geneticists in the United States had a relatively easy time pursuing good work because everyone was focused on the same ends of better health and longer life. We found that journalists had a harder time pursuing good work because their desire to report objectively on the most important events clashed with the public’s desire for sensationalism and the pressure from publishers to generate advertising dollars and avoid controversy.

Then the real test of an individual’s—or a company’s—ethical fiber is what happens when there are potent pressures. How does one stand up to those pressures?

Well, if you are a leader, the best way for you to retain an ethical compass is to believe doing so is essential for the good of your organization. What are you trying to achieve? What are your goals, in the broad sense of doing good in the world? Once you understand these factors, you must state your beliefs unwaveringly from the first and tie rewards and sanctions to their realization.

When everything is going swimmingly, it is easier to hold yourself and others to high standards—the costs are not evident. But when circumstances are tempting you to drop your standards, you have to practice rigorous self-honesty. Being ethical really means not fooling yourself or others. I recommend that you look in the mirror from time to time, without squinting, and ask yourself if you are proceeding in ways you approve of. The questions to pose are “Am I being a good worker? And if not, what can I do to become one?”

I also believe that individuals increase their chances of carrying out good work when they make the time and take the opportunity to reflect on their broadly formulated mission and determine whether they are progressing toward its realization. There’s a great story—possibly apocryphal—about James Bryant Conant, the former president of Harvard. When he was offered the presidency, he said, “I’m happy to take it, but I can’t come to work on Wednesdays, because I have to go to Washington.” The hiring committee agreed to this condition. In fact, Conant didn’t go to Washington on Wednesdays; he just took the time to be quiet and read. He felt he needed a day each week to be alone with his thoughts. All executives ought to be able to step back and reflect and think about the nature of their work, develop new work projects, or solve work problems.

Another way to keep yourself on the ethical path is to undergo what I call “positive periodic inoculations.” These happen when you meet individuals or have experiences that force you to examine what you’re doing or to set a good example for others. A businessperson might be inoculated by the model of Aaron Feuerstein, the owner of Malden Mills, who kept paying his workers even after the mills burned down. Feuerstein’s action might inspire a leader to do something beneficial for employees, like give them an opportunity to acquire a desired skill. Another kind of inoculation—call it an “antiviral” one—allows you to draw object lessons from instances of compromised work. When Arthur Andersen went bankrupt following the Enron scandal, for example, auditors at other firms took a hard look at their own practices.

But we’re all subject to self-delusion. Certainly, one needs a more objective gauge than oneself.

Yes, and that’s why it’s important that other knowledgeable and candid individuals be consulted. Two worthy consultants could be your own mother—“If she knew everything I was doing, what would she think?”—and the press. Michael Hackworth, the cofounder and chairman of Cirrus Logic, uses this personal temperature gauge: He insists that he will not do something that would embarrass him if it were printed in the morning paper. Even if the stock drops temporarily, he knows that his honesty with the mirror builds his credibility in the long run.

Ideally, business leaders ought to have three types of counselors who are prepared to speak truth to their power. First, they need a trusted adviser within the organization. Second, they need the counsel of someone completely outside the organization, preferably an old friend who is a peer. Third, they need a genuinely independent board. If you actually listen to these three sources of information and act on the basis of what they say, then you cannot go too far wrong. George W. Bush is an example of a leader who has lacked—or at least disregarded—this kind of frank feedback. Franklin D. Roosevelt sought it regularly and was a far more effective president.

In hiring or promotion, are there ways companies can sort the wheat from the chaff?

It would be much wiser to admit people to business school who would never consider cheating—and there are some people like that—than to hope that at age 30, when they’re on the make, slippery characters can suddenly be converted into responsible paragons. That said, there is no substitute for detailed, textured, confidential oral recommendations from individuals who know the candidates well and will be honest. I don’t particularly trust written letters or the results of psychological tests. A single interview is not much help, either. A colleague of mine says “It takes ten lunches,” and I think there is truth in that.

I might also ask a young person about mentors. Our studies found that, across the board, many young professionals lack deep mentoring from individuals in authoritative positions. This was in contrast to veteran professionals, who spoke about important mentors and role models. So I might ask, “Who influenced you in cultivating a particular moral climate, and why?” The influence of antimentors—potential role models who had been unkind to their employees or who had shown behavior that others would not want to emulate—and a lack of mentors is something that we underestimated in our studies. Negative role models may be more powerful than is usually acknowledged. Of course, one has to listen carefully to which traits are considered to be positive and which ones are critiqued. Sometimes the responses are surprising.

What if you are in a position to speak truth to power? How do you gird yourself for that task?

With the assumption of authority and maturity comes the obligation to monitor what our peers are doing and, when necessary, to call them to account. As the seventeenth-century French playwright Jean-Baptiste Molière declared, “It is not only for what we do that we are held responsible but for what we do not do.”

It is not easy to confront offending individuals. But it is essential if you want to have an effective organization, be it a family or a Fortune 500 company. Two factors make it easier. First, you need a firm belief that what you are doing is right for the organization. Second, you don’t wait for egregious behavior. As soon as you—or others—see warning signs, you confront them, not in an accusatory fashion but in a fact-finding mode. If a person has been warned or counseled, it is much easier to take action the next time a wrong is identified.

As for confronting superiors, if that is impossible, you are not in the right organization. Of course, it is helpful to consult with others, to make sure that your perceptions are not aberrant. But if you are not prepared to resign or be fired for what you believe in, then you are not a worker, let alone a professional. You are a slave. Happily, in the United States, at least, most people have some options about where they work.

If you are not prepared to resign or be fired for what you believe in, then you are not a worker, let alone a professional. You are a slave.

In the end, you need to decide which side you’re on. There are so many ways in which the world could spiral either up toward health and a decent life for all or down into poverty, disease, ecological disaster—even nuclear warfare. If you are in a position to help tip the balance, you owe it to yourself, to your progeny, to your employees, to your community, and to the planet to do the right thing.

Punctuality: The Japanese way of business

Punctuality: The Japanese way of business

Karthik Tirupathi | February 21, 2007 | 15:39 IST

Economic relations between India and Japan have probably never been better, as both sides continue to reinforce their commitment to leverage each other's competencies and strengthen bilateral cooperation. This has opened a new world of opportunity for Indian professionals and businesspeople desirous of working or doing business in Japan.

However, success in business in Japan requires a strong understanding of Japanese business and culture. In the first of this three-part article based on my observations during many years of working with the Japanese, I note some essential pointers that will hopefully stand the Indian professional in good stead.

Part 1: Basic values that embody Japanese business people

No surprises: Punctuality, timeliness and sticking to commitments: The Japanese believe strongly in 'no hidden surprises' and are committed to a very high degree of predictability and consistent reliability (not just reliability). This is reflected in their business practices and everyday living, such that the train or bus schedule would read "Arrival: 8.23 p.m." and the train or bus would pull in exactly at that time!

In fact, being on time every time, is the first step towards building trust and reliability in Japan. This is true both in business as well as personal relationships.

Being organized and efficient, and adherence to deadlines (and a host of other similar virtues) are considered a way of life in Japan.

In India, arriving late for scheduled appointments is an acceptable practice. Perhaps, it owes itself to olden times when transportation was not efficiently organised and important people sometimes got held up and arrived late.

However, that has also resulted in situations where, if the relationship is strained, one person deliberately makes the other wait.

People in Japan, on the other hand, arrive for meetings at least 5 minutes before a scheduled 9:00 a.m. appointment! The simple logic is that it takes about 5 minutes to get seated and settled in and the meeting is support to START at 9 a.m.

Given the state of transportation infrastructure in India (roads and traffic jams mainly), there may be several unpredictable factors that can affect one's punctuality; However, lack of timeliness is not limited to meetings that require travel; the malaise of 'flexible time' seems to be prevalent with teleconferences too.

This practice of getting late can be overcome with advance planning and adequate preparation. At the very least, should one be getting late, it is important to inform well in advance so that the other person is not waiting and wasting time.

When the Indian associate says: "I will submit the report to you on Monday," the Japanese side expects it on Monday morning 9:00 a.m. Japan time, and not anytime during the day. It is therefore important to keep the 3.5-hour time difference in mind, Japan being ahead, when doing business with Japan.

In India, on the other hand, as long as one submits the report before midnight, it is considered as being submitted on Monday. If there is any delay, the Japanese expect to be informed well in advance and not at the last minute or after the delay has occurred!

Given "flexible" business practices, it is quite usual for Indians to factor such delays in their project, while the Japanese are accustomed to extreme precision. This often causes a lot of friction in a team where both professionals from both nationalities need to work side-by-side.

"No problem" syndrome

An Indian professional seeks to impress the Japanese counterpart with speed and efficiency. This is seen in immediate responses during discussions whereby the Indian says: "Sure, sure. . . no problem."

The Japanese interpretation of this phrase is, "How can the Indians say 'no problem' without even taking some time to consider all aspects of the problem? Surely they would not be professional."

What is needed in this situation is a response which goes like this: "We think we can do it, however, please give us 1 or 2 days to get back to you." It may seem bureaucratic, but the idea is to assure the Japanese that the matter has been given the due thought it deserved.

After the meeting, the Indian side has to remember all the committed deadlines and then get back to the Japanese counterpart with a "Yes, it can be done and will be done by XYZ date."

Of course, in the end this submission must be timely.

Preparing for a meeting

In keeping with the "no surprises" approach, the Japanese ensure that the agenda is agreed upon well in advance and all the necessary people from their side are invited and duly briefed.

I've seen seasoned senior Indian executives walk into a meeting empty-handed whereas the Japanese side comes in with a daily planner/agenda book, copious notes, a writing pad and a few big files!

This great reliance on the powers of memory by the Indian executives may be a bit unnerving for the Japanese, who see it as a potential cause for the proverbial 'slip through the cracks.'

The Japanese want to make it absolutely certain that nothing discussed at the meeting, whether of importance or not, is missed or forgotten.

The Japanese interpret not taking notes or recording dates and schedules as a sign of "lack of seriousness." What is needed for all Indian executives is to carry their respective note pads and make notes, even if they may not seem very useful. This will demonstrate the "symbolic" commitment to the relationship.

To the Japanese, an eye for detail and perceived importance towards quality are important evaluation criteria before entering into a partnership.

Quality before profit

Once a contract has been finalised, the Japanese expected certain minimum quality standards from the vendor. This quality need not necessarily have to be the best in the world, but it should be of mutually acceptable standards.

During the pre-sales phase, the Japanese would always take great pains to define this. Let's assume that this contracted quality is 70% of "best available quality." The Japanese would expect this benchmarked quality "time after time -- every time" and any reduction in quality below this accepted baseline is considered a major deviation.

A better quality level will be considered an improvement and highly appreciated, but the emphasis here is again on "no surprises ever." The focus is on consistent and reliable delivery of agreed quality all the time.

A general perception about India in Japan is that whilst good quality is available sometimes, good quality is not available consistently enough. There are wide variations and this is visible especially in manufactured products or in service standards.

This perceived "imprecision" (or range of deviance) seems to manifest even during our interpersonal interactions where one often hears "I will meet you around 2:00~4:00 PM" or "We will deliver it sometime this week."

The author is the president of Nihongo Bashi.