A much-anticipated strategic update continues the bank’s frustratingly slow pivot toward Asia, only with lower shareholder returns.
2 min
Another year, another familiar-sounding strategic update at HSBC. The behemoth’s need to reiterate its pivot to Asia underlines what a slow, awkward process it is.
The London-headquartered, China-focused bank announced full-year results on Tuesday. As at peers, revenues were hit by lower interest rates globally and chunky allowances for pandemic-related loan losses. Unlike at investment-banking rivals, the bump in trading revenues from HSBC’s own trimmed-back business was a meagre offset. A much-anticipated new strategy amounted to more of the same—except for lowered shareholders returns.
The shares fell in early trading, extending a year of underperformance. For much of the past decade the stock has traded at a premium to most European peers because of HSBC’s strong business in Hong Kong and mainland China, both profitable, fast-growing markets. But that gap has narrowed considerably in the past year, likely for two main reasons: Investors want faster organizational change, and they are concerned that HSBC’s trademark business model of bridging East and West is getting more difficult.
The bank broadly delivered on its 2020 targets. However, return on tangible equity or ROTE fell to just 3.1% from 8.4% a year earlier, and dividends were suspended at the British regulator’s request. The pandemic seems a valid excuse. The real disappointment was in its guidance for future returns. Target ROTE has been reduced and delayed, even with an additional $1 billion in cost cuts. Dividend expectations were pared back too: The growing quarterly payment has been replaced with a 40% to 55% payout ratio, possibly topped up with buybacks or special dividends.
Strategically, the bank is still focused on shifting more assets from Europe and the U.S. into Asia, as well as increasing its wealth management business and making its operations more digital. The direction of travel makes sense, but the pace remains frustratingly sedate, particularly as competition in the region is picking up. Discussions continue about long-mooted exits from retail operations in France and the U.S.
The speed of change might accelerate under Chief Financial Officer Ewen Stevenson, who was put in charge of the new overhaul. A relative outsider, he joined HSBC in 2019 from RBS, now known as NatWest, where he led a far-reaching revamp of what was once the largest bank in the world by assets.
HSBC’s shares are also weighed down by geopolitics. Management says little on the topic of Sino-American relations, except to highlight a long history of successfully bridging international divides. That discretion may be the best way to juggle conflicting priorities, but does little to assuage investor concerns that its dual identity may eventually become untenable.
The bank has no good answers to geopolitical questions, giving it all the more reason to address organizational ones. For a company that makes much of its position in exciting high-growth Asian markets, HSBC’s expected returns are surprisingly modest. For its shares to regain their old lustre, that needs to change.
Copyright 2020, Dow Jones & Company, Inc. All Rights Reserved Worldwide. LEARN MORE
What a quarter-million dollars gets you in the western capital.
Alexandre de Betak and his wife are focusing on their most personal project yet.
CIOs can take steps now to reduce risks associated with today’s IT landscape
3 min
As tech leaders race to bring Windows systems back online after Friday’s software update by cybersecurity company CrowdStrike crashed around 8.5 million machines worldwide, experts share with CIO Journal their takeaways for preparing for the next major information technology outage.
IT leaders should hold vendors deeply integrated within IT systems, such as CrowdStrike , to a “very high standard” of development, release quality and assurance, said Neil MacDonald , a Gartner vice president.
“Any security vendor has a responsibility to do extensive regression testing on all versions of Windows before an update is rolled out,” he said.
That involves asking existing vendors to explain how they write software, what testing they do and whether customers may choose how quickly to roll out an update.
“Incidents like this remind all of us in the CIO community of the importance of ensuring availability, reliability and security by prioritizing guardrails such as deployment and testing procedures and practices,” said Amy Farrow, chief information officer of IT automation and security company Infoblox.
While automatically accepting software updates has become the norm—and a recommended security practice—the CrowdStrike outage is a reminder to take a pause, some CIOs said.
“We still should be doing the full testing of packages and upgrades and new features,” said Paul Davis, a field chief information security officer at software development platform maker JFrog . undefined undefined Though it’s not feasible to test every update, especially for as many as hundreds of software vendors, Davis said he makes it a priority to test software patches according to their potential severity and size.
Automation, and maybe even artificial intelligence-based IT tools, can help.
“Humans are not very good at catching errors in thousands of lines of code,” said Jack Hidary, chief executive of AI and quantum company SandboxAQ. “We need AI trained to look for the interdependence of new software updates with the existing stack of software.”
An incident rendering Windows computers unusable is similar to a natural disaster with systems knocked offline, said Gartner’s MacDonald. That’s why businesses should consider natural disaster recovery plans for maintaining the resiliency of their operations.
One way to do that is to set up a “clean room,” or an environment isolated from other systems, to use to bring critical systems back online, according to Chirag Mehta, a cybersecurity analyst at Constellation Research.
Businesses should also hold tabletop exercises to simulate risk scenarios, including IT outages and potential cyber threats, Mehta said.
Companies that back up data regularly were likely less impacted by the CrowdStrike outage, according to Victor Zyamzin, chief business officer of security company Qrator Labs. “Another suggestion for companies, and we’ve been saying that again and again for decades, is that you should have some backup procedure applied, running and regularly tested,” he said.
For any vendor with a significant impact on company operations , MacDonald said companies can review their contracts and look for clauses indicating the vendors must provide reliable and stable software.
“That’s where you may have an advantage to say, if an update causes an outage, is there a clause in the contract that would cover that?” he said.
If it doesn’t, tech leaders can aim to negotiate a discount serving as a form of compensation at renewal time, MacDonald added.
The outage also highlights the importance of insurance in providing companies with bottom-line protection against cyber risks, said Peter Halprin, a partner with law firm Haynes Boone focused on cyber insurance.
This coverage can include protection against business income losses, such as those associated with an outage, whether caused by the insured company or a service provider, Halprin said.
The CrowdStrike update affected only devices running Microsoft Windows-based systems , prompting fresh questions over whether enterprises should rely on Windows computers.
CrowdStrike runs on Windows devices through access to the kernel, the part of an operating system containing a computer’s core functions. That’s not the same for Apple ’s Mac operating system and Linux, which don’t allow the same level of access, said Mehta.
Some businesses have converted to Chromebooks , simple laptops developed by Alphabet -owned Google that run on the Chrome operating system . “Not all of them require deeper access to things,” Mehta said. “What are you doing on your laptop that actually requires Windows?”
