Financial Daily from THE HINDU group of publications
Monday, May 24, 2004


eWorld - Security


Surely, all's well... ?

Bharat Kumar
Raja Simhan T.E.

Manpower costs aren't a worry for Indian BPO vendors. Nor are the howls of protest against outsourcing. Safety of clients' confidential data is. And this will mean more expenditure in the coming years. Trust used to drive business. No more.

AS a child, you might have learnt this lesson: it is not only important to behave yourself. It is as important to be seen as well-behaved.

The IT-Enabled Services (ITES) industry in the country is going through similar growth pangs. These companies have probably always been careful with clients' data. But now they are busy putting processes and infrastructure in place, and training employees, so that they can show clients a picture of perfection: one that tells clients their confidential data is safe in the hands of Indian vendors.

That captures the essence of what is happening in the industry, though it risks making the change sound simpler than it is. What Ranjit Pisharoty, director, technology, Lason India, has to say drives home the point. "Our capital expenditure has risen exponentially in the past one year. We have budgeted another $500,000 this year for capital expenditure related to information security. This is compared to less than $100,000, cumulatively spent under this head, in the previous seven or eight years." In the past year, Lason India has spent 50 per cent of its capital expenditure budget on security-related hardware and software. Pisharoty says, "The trend is continuing in the budget for the present year."

The company also has significant revenue expenditure on hiring. "This year, we will hire 25 per cent additional staff to roll out, administer and form audit teams for the information security initiative." The company runs internal audit teams to check that clients' data stays protected and that the processes meant to protect it are actually followed.

The trio of mounting costs, the backlash against outsourcing and the need to remain inexpensive to attract clients is proving to be a challenge for many ITES/BPO outfits wanting to turn or remain decently profitable.

eWorld spoke to seven companies in the business of business process outsourcing (BPO), and following is what they had to say.

Security concerns are a given

There is no escaping it. Sunil Gujral, Vice-President, Technologies, Wipro Spectramind, feels that for clients outsourcing processes to an offshore country such as India, thousands of miles away, security (both physical and information security) has been a prime concern. "This perception has not changed over a period of time. Now, clients are becoming more and more (concerned) about the security framework and security practices being followed by their Indian partner." A lot of emphasis, therefore, is being put on ISO 17799 or BS 7799 certification, HIPAA standards, adherence to the Data Privacy Act, and the like.

Most processes that BPO companies work on today involve distribution and management of sensitive and confidential data of customers. Says Gujral, "Call centre agents have access to information having client-specific Intellectual Property Rights (IPRs)." So a client's keenness to have secure processes in place is natural.

The vendor's job

S. Nagarajan, COO and founder, 24/7 Customer, a call-centre company, says his company has a stringent security policy in place to ensure client data security. The company's policy covers, "Network security tools, physical security, information security, employee-specific agreements and the like."

So what does a company vending offshore services do to assure clients? Gujral says, "We use the thin-client technology to remotely access several applications residing in the US or the UK." A thin client is a desktop that does little more than display screens and relay keystrokes: the applications run, and the data stays, on central servers that can sit at the client's own site, so no customer records are stored or processed on the agent's machine in India. Such a set-up also narrows what an employee can reach: the agent sees only the screens the application presents and has nothing local to copy or tamper with.

Going beyond internal audits, Nagarajan says that the company allows customers themselves to conduct audits in the vendor's premises. "It gives clients a sense of reassurance."

Companies also depend on frameworks that are applicable industry-wide. Says Gujral, "We draw upon frameworks like BS 7799 / ISO 17799, CoBiT, ITIL and other best practices for standards definition." Spectramind also works with clients to carry out periodic reviews of existing policies and procedures for ensuring compliance. It also routinely evaluates the adequacy of a policy. Redesigning policy to address any newer requirements is also not unusual.

Interestingly, such certification serves another purpose. Says Nagarajan, "Certifications are normally a benchmark of the company's effort of keeping both quality and security of information at the highest. The other is, we have had the experience of dealing with international clients in the past and there are certain international standards companies have to follow to be competitive." In other words, vendors not complying with requirements or not following standards are simply not considered for outsourcing projects. 24/7 even educates customers who are not aware of these processes, says Nagarajan. According to him, "US Safe Harbor Rules will only enhance the capability of the BPO industry in India and make us internationally competitive as a country."

The change

Pisharoty says that his company has started seeing "unprecedented security-related requirements being put into agreements with clients." According to him, the number of third-party audits (that clients have asked for) has increased ten-fold in the past six months.

Here's an example. In a typical Request for Proposal (RFP), the security-related questionnaire might have filled two pages out of 50 just one year ago. Today, the same topic — along with process compliance issues — commands at least 25 pages with myriad supporting documents and diagrams demanded as attachments, says Pisharoty.

Privacy vs security

SlashSupport, which offers technical support to clients, has an interesting perspective. It differentiates data security from data privacy. Says Sandip Deb, Vice-President, SlashSupport, "Data security was an issue some time ago. It still is. But today, data privacy, very different from security, is the primary concern of the western world." Much of the personal data gathered in the course of online transactions is 'associative'. Deb explains, "A transaction leaves behind indelible trails that can be used to identify personal information — and hence impinge on the privacy — of the concerned person." Because SlashSupport offers technical help, data privacy issues play a larger part in its dealings with clients.

Says Deb, "We deal with technology clients who are competitors in the marketplace." So, data privacy is important. Strict internal audits ensure that the company adheres to SAS 70 guidelines. Deb explains that SAS 70 (Statement on Auditing Standards No. 70, the audit standard for service organisations) typically applies to a company of SlashSupport's profile. HIPAA (the Health Insurance Portability and Accountability Act) and GLB (the Gramm-Leach-Bliley Act, which protects the privacy of financial information) affect processes specific to healthcare companies, and to banking and finance companies, respectively.

Interestingly, R. Jagadish, CEO, Allsec Technologies, which is into call centres, sees recent regulations and the resultant paranoia only leading to more paperwork. While clients have always been concerned about secure access and confidentiality of data, the focus on those has increased now. Also, he feels, "Taking care and reporting how we take care are two different things." It is only that the reporting requirements have increased. Registrations have also become more rigorous. For instance, the DNC law (the Do Not Call law that grants citizens the right to bar telemarketers from calling them) and collections law require registration, including bonding, in each of the states, and these requirements are strictly enforced as well, he says. (Bonding, in this context, is a security deposit made to the state government. The deposit would be used in case of a vendor default.)

US laws

The legal environment in the US is very demanding. Says Jagadish, "The Patriot Act compliance is a requirement." What is the impact of this compliance? He says, "An organisation needs a process to identify and report known or suspected fraudulent activity in accordance with the Bank Secrecy and US Patriot Acts. There are specific formats to report this to the client which would collate such information and accordingly report to the authorities."

Spectramind's own internal audit discovered that "certain aspects (of employees' work on client CapitalOne's telemarketing project) were not in keeping with our standards and practices." When Spectramind shared this finding with CapitalOne, the client ended all telemarketing work with Spectramind. In this case, Spectramind was possibly meeting demands of laws in the US, in addition to being upfront with the client.

Says Gujral, "We have put in processes to monitor compliance. However, when an employee is motivated to misuse (access) for deliberate personal gain, you cannot prevent this. But, you can discover it and make an example of it."

One mistake and you're out

Clients are demanding:

  • Proof of deployment of the information security policies

  • Proof of security training

  • Proof of background checks

  • Proof of non-disclosure agreements

  • Proof of checks and balances in place for identifying and reporting security lapses.

  • That technology provisioning be in place for 'role-based access controls'.

  • Exclusive processing sites for their projects and volumes of reports and templates scanned to their sites, from internal and external audits, for assurance that their data and information is safe.

  • That work-flow applications be built with inherent security features to minimise the correlation of information being processed between several processors.

The bottom line is that a dip in quality or service levels, while not acceptable, can be handled by penalties and corrective actions. But one breach in information security is sacrilege. Possibly, there will be 'no comebacks'. In other words, you lose a client thanks to just one error.

Built-in checks

Dilip Vellodi, Chairman and CEO, Sutherland Global Services, says that information integrity should result from the following measures that his company has implemented and monitors consistently:

  • Rotation of agents and supervisors so that no one individual is allowed continuous access to the same set of customers and their data.

  • Continuous recording and auditing of critical tasks.

  • Maintenance of a fully paperless data entry process that eliminates the opportunity for agents to record confidential customer data outside of the secure database.

  • Random 'live' call monitoring by supervisors and clients to ensure service levels for accuracy and customer service are met.

  • Recorded transactions (voice and screen moves) regularly inspected by the client and supervisors to detect and correct deviation from stipulated program guidelines.

  • Systematic and frequent transaction reconciliation.

  • Using third-party verification processes to eliminate potential discrepancies, misrepresentations and errors in bookings.

  • Client communication to the end user on details of transactions using alternative means, including hard copy posting or e-mail confirmation.

  • Tight validation and software security procedures for software used in transactions.

  • Extensive testing, carried out independently by the vendor and the client, to ensure software meets stringent industry standards.

  • Access controls, including encryption.

  • An automatic alert process to flag anomalies in data entered.

  • Password changes, implemented frequently to ensure secure access.

  • Physical security, implemented to restrict the access of unauthorised individuals into critical computing resources.

  • Intrusion detection to quickly identify internal sabotage.

  • Firewall protection.
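Two of the measures above, agent rotation and role-based access, are only as good as the check that enforces them against the access log. The script below is an added illustration, not Sutherland's or any other vendor's actual system: it runs over a constructed audit log of screen/record accesses and flags (a) an agent who has held the same customer record for more than two consecutive weeks and (b) any access to a record belonging to a programme the agent is not provisioned for. The log fields, the weekly rotation window, the two-week limit and the two provisioning tables are all assumptions made for the example.

```python
"""Audit-log checks for agent rotation and role-based access (added example).

All data below is constructed for illustration; the field names and the
rotation policy are assumptions, not any vendor's real configuration.
"""
from collections import defaultdict, namedtuple
from datetime import date, timedelta

Access = namedtuple("Access", "agent customer day action")

# Constructed sample audit log: one row per customer-record access.
AUDIT_LOG = [
    Access("agent01", "C100", date(2004, 5, 3), "view"),
    Access("agent01", "C100", date(2004, 5, 4), "update"),
    Access("agent01", "C100", date(2004, 5, 10), "view"),
    Access("agent01", "C100", date(2004, 5, 17), "view"),
    Access("agent01", "C300", date(2004, 5, 24), "view"),
    Access("agent02", "C200", date(2004, 5, 3), "view"),
    Access("agent02", "C200", date(2004, 5, 17), "view"),
    Access("agent02", "C300", date(2004, 5, 12), "view"),
    Access("agent03", "C100", date(2004, 5, 10), "view"),
]

# Hypothetical RBAC provisioning: which client programmes each agent may work.
AGENT_ROLES = {
    "agent01": {"collections"},
    "agent02": {"telemarketing"},
    "agent03": {"collections", "telemarketing"},
}

# Which programme each customer record belongs to (constructed).
CUSTOMER_PROGRAMME = {"C100": "collections", "C200": "telemarketing", "C300": "collections"}

# Rotation policy (assumed): nobody keeps the same customer beyond two weeks in a row.
MAX_CONSECUTIVE_WEEKS = 2


def week_start(day):
    """Monday of the week containing `day`; used as the rotation window key."""
    return day - timedelta(days=day.weekday())


def rotation_violations(log, max_weeks=MAX_CONSECUTIVE_WEEKS):
    """Return {(agent, customer): longest run} for every pair whose run of
    consecutive weeks with at least one access exceeds `max_weeks`."""
    weeks = defaultdict(set)
    for a in log:
        weeks[(a.agent, a.customer)].add(week_start(a.day))  # set: many hits in a week count once
    violations = {}
    for key, wk in weeks.items():
        ordered = sorted(wk)
        best = streak = 1
        for prev, cur in zip(ordered, ordered[1:]):
            streak = streak + 1 if (cur - prev).days == 7 else 1  # a gap week resets the run
            best = max(best, streak)
        if best > max_weeks:
            violations[key] = best
    return violations


def access_violations(log, agent_roles=AGENT_ROLES, customer_programme=CUSTOMER_PROGRAMME):
    """Return the log rows where the agent's roles do not cover the record's programme.
    Unknown agents and unknown customers are flagged rather than silently allowed."""
    return [a for a in log
            if customer_programme.get(a.customer) not in agent_roles.get(a.agent, set())]


def report(log):
    """Human-readable findings, one line each, in a stable order."""
    lines = []
    for (agent, cust), n in sorted(rotation_violations(log).items()):
        lines.append(f"ROTATION  {agent} held {cust} for {n} consecutive weeks "
                     f"(limit {MAX_CONSECUTIVE_WEEKS})")
    for a in access_violations(log):
        lines.append(f"RBAC      {a.agent} accessed {a.customer} "
                     f"({CUSTOMER_PROGRAMME.get(a.customer)}) on {a.day} without that role")
    return lines


if __name__ == "__main__":
    print("\n".join(report(AUDIT_LOG)) or "no findings")
```

On the constructed log this reports agent01 holding C100 for three consecutive weeks and agent02, a telemarketing-only agent, touching a collections record. The access check deliberately fails closed: a record with no programme mapping, or an agent with no provisioned roles, is reported rather than ignored, which is the behaviour a client auditor would expect from a "checks and balances" control.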

Picture by R. Ragu

bharatk@thehindu.co.in



Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line