
Operational Risk Management and BPO

VoicenData Bureau

The BPO industry is still considered a fledgling industry in the country. However, the need for organizations in the BPO space to mature, especially in the area of risk management, has been acute, to say the very least.

The word risk tends to arouse a whole range of emotions in BPO organizations today. However, the now common understanding is that good risk management is as important to organizations as is the need to generate profit. Organizations have learnt the hard way that this is so. Again, just having a risk management framework is no longer good enough. Lack of robustness could result in situations that destroy an organization's reputation and threaten the very existence of the organization.




When the BPO industry took its initial steps, operators felt that they owned nothing more than the keystroke management on their customers' operations. Everything from process documentation to controls to risk management was the responsibility of the client organization. Very quickly, organizations began to understand that as customers migrated their operations to a service provider, they released the personnel who were hitherto doing these operations. This meant that customer organizations suddenly saw a loss of experience in these areas of operations. So, when the service provider made mistakes, there was no one in the organization who could ascertain the impact of these on end customers and their reaction. End customers faced the brunt of such errors and the impact was immediately felt by the organization outsourcing the service.

In the aftermath, the outsourcer started demanding that some level of control be established within the service provider organization to ensure that the service delivered was of a certain basic standard. In a very short period, the service provider has had to own the risk element of the processes that were outsourced to them. To that extent, the service provider's operations are 'integrated' into the outsourcer's operations.


In the case of larger outsourcers especially, this demand for a much higher quality of service was severe and service providers felt the need to move up the learning curve very fast and create an environment where the outsourcer felt as comfortable with the service provider capability as with their own operations.

What it Means to the Service Providers



The need for the service provider, hence, is to ensure that their risk management framework and processes guarantee the delivery of a robust operating environment to the outsourcer. Typically, since the service provider dealt mainly with customer operations, this responsibility translated to managing down operational risk rather than other types of risk, which largely continue to remain within the outsourcer's ambit.

Service providers need to identify a global standard, a best practice suggestion that would be in line with the best that their customers could ask for. In this, the Basel committee's definition of operational risk comes in handy.


Operational risk as per the Basel committee is defined as “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events”. The definition above includes legal risk, but excludes strategic and reputation risk.


Introspection into this view of operational risk will make it clear that it is quite a generic and inclusive definition. All people-related risks, be they relating to attrition, skill sets, experience profile or deeper aspects such as succession planning and talent management, are included. Infrastructure in this parlance comprises, besides others, space availability and logistical support. Technology risks cover computer infrastructure, communication links, software, availability, recoverability etc. Process risks include those relating to handoffs, interfaces, end-to-end process governance issues, business continuity etc.


In practice in organizations, at least the more advanced ones, pretty much everything that has a risk aspect attached to it does get discussed at operational risk management forums in the first instance and then gets farmed out to other risk management forums. This is because almost every risk, be it credit, liquidity or country risk, poses some amount of operational risk. All aspects of corporate governance are discussed. Project risks and control breakdowns (breach of documented control procedures) are also included in the ambit of operational risk management. Information security has traditionally been an exclusive area of technology. We are all aware how important information security is to BPO service providers and the amount of time risk managers have spent discussing measures to protect information security.

Besides the above, when we include legal risks, the scope of operational risk management becomes very broad. It is becoming increasingly obvious that compliance risk is becoming a part of operational risk. It is important for us to understand what this means to us as operators in the BPO-ITES space. Service providers should not lose sight of actual responsibilities. In the BPO space in India, the amount of regulatory oversight and control is not very high. Service providers are hence at liberty to identify and define control mechanisms to ensure compliance. While such an arrangement allows for a lot of flexibility, it places the onus squarely on the service provider to ensure that all compliance angles are covered.

Compliance Responsibilities



Compliance responsibilities for the BPO service providers are divided into three aspects: entity compliance, country compliance and group compliance. Entity compliance deals with the legal aspects that impact the service provider as a company incorporated locally, i.e. the laws of the land. Many of the BPO service providers are part of a group of companies. There would be certain regulations that are applied across the group and would hence be applicable to the service provider as well; these contribute to the group compliance responsibilities of the service provider.


Finally, the country compliance aspect; this is the one piece that service providers have yet to come to terms with. Multi-client service providers deal with clients from several countries. In these countries there are some regulations that apply to these clients. When the clients outsource part of their operations to the service provider, the responsibility to comply with client country regulations is at times not transferred across. The clients' personnel, however, have the rightful perception that since their operation is migrated to the service provider, the responsibility to ensure compliance also shifts. The service provider assumes no responsibility to ensure the client's compliance while the clients are far too removed from the actual operations to be reasonably certain that their operations are now in full compliance. This situation causes a dilemma for the clients. There is a slow shift in client perception that the service provider has the compliance management responsibility for the client's operations. If not addressed in a timely manner, this situation will lead to friction in the relationship.

The legal risk, besides comprising the above compliance framework aspects, also includes the regular daily responsibilities like conflicts management, contract breaches, IPR infringement issues etc.

Setting up a Risk Management Framework



We have seen above in detail what risk management means to BPO service providers. Let us now see what service providers need to do to set up a robust risk management framework and make it operational.


To identify what the components are of a robust risk management framework, we do not have to look beyond our daily lives. As we commute to and from office each day, we have to use a vehicle, travel on the road, park the vehicle, swipe our way into the office, take the vehicle out in the evening, commute again on the roads, park the vehicle at home and get in. There are several risk assessment steps, control measures and exception handling measures that are established as part of these daily activities. For example, we identify what could go wrong (translated into the risks posed to safe travel) with the vehicle as it is parked at home (tyre pressure, fuel shortage, brake functionality etc.), the risks faced during commuting to office (traffic on the road, civic disturbances if any) etc. Once these risks are identified, we institute control measures (check the brake, ensure fuel availability, check tyre pressure, traffic conditions etc.). On a day-to-day basis therefore, the ease of commuting to and from office is ensured if the established control measures are adhered to without exception. This means there should be a mechanism to track exceptions to the control measures. Every exception is then handled appropriately in order to ensure that the main aim of a safe commute is achieved. However, when this is translated into an organization, there is an obvious need to introduce a process-driven approach to derive the same level of benefit. Organizations hence need to have a formal risk assessment process, which is the foundation of the risk management framework. The organization will define clear minimum control standards that will ensure that the risk levels stay within acceptable levels. There will be a clear exception reporting process to ensure that every exception will attract the necessary level of attention. The key to implementation of an operational risk management framework in organizations is a comprehensive risk assessment process backed up by proactive control measures and a clear mechanism to handle exceptions.

To make the risk management framework operational, there are several aspects that should be addressed. Ultimately, the effectiveness of the risk management process in the organization will be only as good as the people implementing and managing the overarching process. Larger organizations usually have a dedicated risk management team headed by a top management executive. The Chief Risk Officer is an empowered and respected individual with significant industry exposure. There is also a formal risk management committee set up at an organization level. Business heads of all critical functions of the organization are represented at the corporate risk management forum. A clear proactive risk reporting, monitoring and resolution process is instituted under the risk committee.

Once the organizations have made their risk management framework operational, it is important to maintain the momentum and ensure that risk management in the organization is at a level of excellence that will make their clients proud. In this regard, there are certain initiatives that can help organizations. The concept of Process Risk Analysis (PRA) is the one simple and effective approach that can ensure that the risk management process of an organization remains current at all times. Process risk analysis requires an organization to review every single process. The process is broken down into process steps and then into activities. The risks posed by everything that can go wrong in these activities are identified, along with mitigation steps. The mitigating actions could then be used to enhance the organization's minimum control standards. The proof of the effectiveness of this approach is when the organization can evidence an improving overall risk profile of the business through a pre-post risk mapping. The benefits from the PRA process are varied. To senior managers, the process provides a method to identify those survival-critical processes in their business that they will concentrate on, on a daily basis. For fresh starters, the process provides training material that they can use to attain some process competence. Risk managers can use PRA to ensure that the risk profile of the business is constantly improved upon.

Conclusion



Earlier in this article, it was mentioned that there was a need for service providers to identify and align their risk management practices along global best practice. It would be very beneficial for the BPO industry if there were one industry standard that achieves this objective. In this regard, there is a definite role for quasi-regulatory bodies such as NASSCOM and CII. These bodies have started taking some steps in this regard. However, these are very early days and there is a lot to be done before we reach that level of discipline.

The author is a head of BCM, Risk and Compliance, Scope International (A Standard Chartered Subsidiary)
