The BPO industry is still considered a fledgling industry in the country.
However, the need for the organizations in the BPO space to mature, especially
in the area of risk management, has been acute to say the very least.
The word risk tends to arouse a whole range of emotions in BPO organizations today.
However, the now common understanding is that good risk management is as
important to organizations as is the need to generate profit. Organizations have
learnt this the hard way. Again, just having a risk
management framework is no longer good enough. Lack of robustness could result
in situations that destroy an organization's reputation and threaten the very
existence of the organization.
When the BPO industry
started its initial steps, operators felt that they owned nothing more than the
keystroke management on their customers' operations. Everything from process
documentation to controls to risk management was the responsibility of the
client organization. Very quickly, organizations began to understand that as
customers migrated their operations into a service provider, they released the
personnel that were hitherto doing these operations. This meant that customer
organizations suddenly saw a loss of experience in these areas of operations.
So, when the service provider made mistakes, there was no one in the organization
who could ascertain the impact of these on end customers and their reaction. End
customers faced the brunt of such errors and the impact was immediately felt by
the organization outsourcing the service.
In the aftermath, the
outsourcer started demanding some level of control to be established within the
service provider organization to ensure that the service that was delivered was
of a certain basic standard. In a very short period, the service provider has
had to take ownership of the risk element of the processes that were outsourced to them. To
that extent, the service provider's operations are 'integrated' into the
outsourcer's operations.
In the case of larger
outsourcers especially, this demand for a much higher quality of service was
severe and service providers felt the need to move up the learning curve very
fast and create an environment where the outsourcer felt as comfortable with the
service provider capability as with their own operations.
What it Means to the Service Providers
The need for the service provider hence, is to ensure that their risk
management framework and processes guarantee the delivery of a robust operating
environment to the outsourcer. Typically, since the service provider dealt
mainly with customer operations, this responsibility translated to managing down
operational risk rather than other types of risk, which largely continue to
remain within the outsourcer's ambit.
Service providers need
to identify a global standard, a best practice suggestion that would be in line
with the best that their customers could ask for. Here, the Basel
Committee's definition of operational risk comes in handy.
Operational risk as
per the Basel committee is defined as “The risk of direct or indirect loss
resulting from inadequate or failed internal processes, people and systems or
from external events”. The definition above includes legal risk, but excludes
strategic and reputation risk.
Introspection into
this view of operational risk will make it clear that it is quite a generic and
inclusive definition. All people related risks, be they relating to attrition,
skill sets, experience profile or deeper aspects such as succession planning and
talent management are included. Infrastructure in this parlance comprises,
besides others, space availability and logistical support. Technology risks
cover computer infrastructure, communication links, software, availability,
recoverability etc. Process risks include those relating to handoffs,
interfaces, end-to-end process governance issues, business continuity etc.
In practice in
organizations, at least the more advanced ones, pretty much everything that has
a risk aspect attached to it does get discussed at operational risk management
forums in the first instance and then gets farmed out to other risk management
forums. This is because almost every risk, be it credit, liquidity or country
risk poses some amount of operational risk. All aspects of corporate governance
are discussed. Project risks and control breakdowns (breach of documented
control procedures) are also included into the ambit of operational risk
management. Information security has traditionally been an exclusive area of
technology. We are all aware how important information security is to BPO
service providers and the amount of time risk managers have spent discussing
measures to protect information security.
Besides the above,
when we include legal risks, the scope of operational risk management becomes
very broad. It is becoming increasingly obvious that compliance risk is becoming
a part of operational risk. It is important for us to understand what this means
to us as operators in the BPO-ITES space. Service providers should not lose
sight of actual responsibilities. In the BPO space in India, the amount of
regulatory oversight and control is not very high. Service providers are hence
at liberty to identify and define control mechanisms to ensure compliance. While
such an arrangement allows for a lot of flexibility, it places the onus squarely
on the service provider to ensure that all compliance angles are covered.
Compliance Responsibilities
Compliance responsibilities for the BPO service providers are divided into
three aspects: entity compliance, country compliance and group compliance.
Entity compliance deals with the legal aspects that impact the service provider
as a company incorporated locally i.e. the laws of the land. Many of the BPO
service providers are part of a group of companies. There would be certain
regulations that are applied across the group and would hence be applicable to
the service provider as well; these contribute to the group compliance
responsibilities of the service provider.
Finally, the country
compliance aspect: this is the one piece that service providers have yet to come
to terms with. Multi-client service providers deal with clients from several
countries. In these countries there are some regulations that apply to these
clients. When the clients outsource part of their operations to the service
provider, the responsibility to comply with client country regulations is at
times not transferred across. The clients' personnel, however, have the
rightful perception that since their operation is migrated to the service
provider, the responsibility to ensure compliance also shifts. The service
provider assumes no responsibility to ensure the client's compliance while the
clients are far too removed from the actual operations to be reasonably certain
that their operations are now in full compliance. This situation causes a
dilemma for the clients. There is a slow shift in client perception that the
service provider has the compliance management responsibility for the client's
operations. If not addressed in a timely manner, this situation will lead to
friction in the relationship.
The legal risk, besides
comprising the above compliance framework aspects, also includes the regular
daily responsibilities like conflicts management, contract breaches, IPR
infringement issues etc.
Setting up a Risk Management Framework
We have seen above in detail what risk management means to BPO service
providers. Let us now see what service providers need to do to set up a robust
risk management framework and make it operational.
To identify what the
components are of a robust risk management framework, we do not have to look
beyond our daily lives. As we commute to and from office each day, we have to
use a vehicle, travel on the road, park the vehicle, swipe our way into the
office, take the vehicle out in the evening, commute again on the roads, park
the vehicle at home and get in. There are several risk assessment steps, control
measures and exception handling measures that are established as part of these
daily activities. For example, we identify what could go wrong (translated into
the risks posed to safe travel) with the vehicle as it is parked at home (tyre
pressure, fuel shortage, brakes functionality etc), the risks faced during
commuting to office (traffic on the road, civic disturbances if any) etc. Once
these risks are identified, we institute control measures (check the brake,
ensure fuel availability, check tyre pressure, traffic conditions etc). On a
day-to-day basis therefore, the ease of commuting to and from office is ensured
if the established control measures are adhered to without exception. This means
there should be a mechanism to track exceptions to the control measures. Every
exception is then handled appropriately in order to ensure that the main aim of
a safe commute is achieved. However, when this is translated into an
organization, there is an obvious need to introduce a process-driven approach,
to derive the same level of benefit. Organizations hence need to have a formal
risk assessment process, which is the foundation of the risk management
framework. The organization will define clear minimum control standards that
will ensure that the risk levels stay within acceptable levels. There will be a
clear exception reporting process to ensure that every exception will attract
the necessary level of attention. The key to implementation of an operational
risk management framework in organizations is a comprehensive risk assessment
process backed up by proactive control measures and a clear mechanism to handle
exceptions.
To
make the risk management framework operational, there are several aspects that
should be addressed. Ultimately, the effectiveness of the risk management
process in the organization will be only as good as the people implementing and
managing the overarching process. Larger organizations usually have a dedicated
risk management team headed by a top management executive. The Chief Risk
Officer is an empowered and respected individual with significant industry
exposure. There is also a formal risk management committee set up at an
organization level. Business heads of all critical functions of the organization
are represented at the corporate risk management forum. A clear proactive risk
reporting, monitoring and resolution process is instituted under the risk
committee.
Once the organizations
have made their risk management framework operational, it is important to
maintain the momentum and ensure that risk management in the organization is at
a level of excellence that will make their clients proud. In this regard, there
are certain initiatives that can help organizations. The concept of Process Risk
Analysis (PRA) is the one simple and effective approach that can ensure that the
risk management process of an organization remains current at all times. Process
risk analysis requires an organization to review every single process. The
process is broken down into process steps and then into activities. The risks
posed by everything that can go wrong in these activities are identified and
mitigation steps identified. The mitigating actions could then be used to
enhance the organization's minimum control standards. The proof of the
effectiveness of this approach is when the organization can evidence an
improving overall risk profile of the business through a pre-post risk mapping.
The benefits from the PRA process are varied. To senior managers, the process
provides a method to identify those survival-critical processes in their
business that they will concentrate on, on a daily basis. For fresh starters,
the process provides training material that they can use to attain some process
competence. Risk managers can use PRA to ensure that the risk profile of the
business is constantly improved upon.
Conclusion
Earlier in this article, it was mentioned that there was a need for service
providers to identify and align their risk management practices along global
best practice. It would be very beneficial for the BPO industry if there were
one industry standard that achieves this objective. In this regard, there is a
definite role for quasi-regulatory bodies such as NASSCOM and CII. These bodies
have started taking some steps in this regard. However, these are very early
days and there is a lot to be done before we reach that level of discipline.
The author is a head of BCM, Risk and Compliance, Scope International
(a Standard Chartered subsidiary)