Saturday, November 26, 2005

the changing face of venture capital

In the Web 2.0 crowd, we can’t help but notice the money pouring into M&A activity and venture funding. In the endless cycle of boom and bust in San Francisco, we’re once again entrenched in madness. Paul Graham wrote a thoughtful article about the pressures facing venture capital firms in this environment.

Paul begins by talking about some of the areas Joe Kraus talked about this summer – how inexpensive it is to launch a business these days. Paul notes how this presents a problem for VCs who need to unload a boatload of cash, because startups no longer need a boatload of cash to hit launch, between open source, better languages and cheaper hardware.

Paul continues:

Into this already bad situation comes the third problem: Sarbanes-Oxley. Sarbanes-Oxley is a law, passed after the Bubble, that drastically increases the regulatory burden on public companies. And in addition to the cost of compliance, which is at least two million dollars a year, the law introduces frightening legal exposure for corporate officers.


There is no question there are costs associated with Sarbanes-Oxley. Based on data received from Foley & Lardner’s 2004 and 2005 studies, the average cost of being public in FY 2004 (the first year of compliance for most filers) for a company with annual revenue under $1 billion has increased $851,000 (33%) over FY 2003. Further, from the enactment of the Sarbanes-Oxley Act through FY 2004, the average costs have increased a total of $2.4 million, representing a 223% increase. (FEI report)

However, if implemented correctly, costs will only decrease in the subsequent years. The bulk of time and effort in the first year of compliance is expended on risk analysis and mitigation, as the company navel gazes to identify areas of potential fraud, misuse and error. Once those risk elements are identified and remedied, the majority of ongoing effort needed in future years is ensuring those new controls are not compromised by any changes within the company. Is it a hassle? I won’t deny it. However, the law gives companies the excuse to do the right thing, to take care of security issues that haven’t yet risen to crisis level, to take care of problems before they have the opportunity to become disasters. And since all public companies need to do this, my company isn’t sacrificing competitive position by cleaning up its infrastructure.
It's been noted by many that the net result of compliance has been increased investor confidence, reflected in market performance.

Paul continues:

Largely because of Sarbanes-Oxley, few startups go public now. For all practical purposes, succeeding now equals getting bought. Which means VCs are now in the business of finding promising little 2-3 man startups and pumping them up into companies that cost $100 million to acquire. They didn't mean to be in this business; it's just what their business has evolved into.


He's right that there's been a transformation, but Sarbanes-Oxley is not driving this shift. At the last bubble, it seemed easy to turn over an idea into a publicly traded powerhouse, but those who lived through that know the numbers. Only 6 of 1000 funded startups ever go public. Before 1999, it was common to run a business for 10 years prior to an IPO. Why wait that long? Most entrepreneurs don’t have only one idea in their lives, and building a business is so much more exciting than running one. Companies are anxious to strengthen their positions through acquisition, and everyone has a story about a company that turned down a lucrative offer only to soar into the ground at a fantastic rate of speed. Building for acquisition isn’t seen as settling anymore, it’s seen as smart strategy.

What’s happening to the VCs may or may not be unfortunate. According to Business Week, almost half of all the venture-backed startups from 1999 and 2000 have survived. However, today, giant companies offering huge rolls of cash to an early stage company to pick up their IP and harness their brains have plowed over the VC business model. Seems it’s time for VCs to finally do what they’ve been telling their clients to do for decades – adapt. VCs need to figure out how to get in earlier, how to give back to entrepreneurs in early stages (as Paul suggests), and how to keep from becoming irrelevant.

Thursday, November 03, 2005

It's startling how much misinformation is out there

I finally caught up this morning on an old trade publication, the first quarter newsletter from the Information Systems Special Interest Group of PMI.

In that newsletter there's an article by a consultant named David Kohrell, who is ostensibly trying to help technical project managers understand the complex regulatory environment, and emerging standards which affect their work. Sounds great, no?

However, he said that for a PM to address SOX, he needs to manage his projects effectively, understand budgetary impacts, and know how his projects are doing in comparison to others. What? What about tweaking methodologies to ensure appropriate approval and testing are performed? How about understanding access control, and determining the impacts of increased security on processes and systems? And most importantly, what about understanding the overall control environment, to recognize when my big project is going to compromise a critical control?

To add insult to injury, he then quotes this article:


Generally speaking, if it's an IT "best practice," it's usually good from a Sarbanes-Oxley perspective. There are a few exceptions to this rule, though; for example, some open source strategies, while seen as a best practice in the IT world, are arguably not in line with Sarbanes-Oxley requirements, as they contradict the key ideas within Sarbanes-Oxley that access to information should be purely on a "need to know" basis, and that processes should be controlled.


That's not the message we need to be giving to project managers. Open source could put my SOX compliance in jeopardy! It used to be commonly accepted that open source was inherently more secure than closed source, and that debate continues to rage. However, whether your source and processes are open or closed is ultimately irrelevant to SOX compliance.

SOX is concerned with procedural and technical control, to ensure accountability up the organizational chain. It's not that hard to comprehend, except when you are wading through the morass of misinformation.