The following
interesting comment has been received from one of the readers of some of the
recent articles published in Naavi.org.
Dear Naavi,
Your passionate push for employee training as a
risk mitigation measure is well appreciated. I am working in a BPO and
associated with the security aspects. I should admit that until
the recent incidents came to light, security has never been treated as a cross
functional problem. It has been looked upon more as a technical issue of
providing anti virus cover, filtering spam, rejecting internet connectivity
and external e-mail access, disabling ports, floppy drives etc.
It was only last week that we had the first
joint meeting between the HR and the security department to discuss the
security issue as a joint problem. We agreed without much trouble that
employee training on cyber law awareness is an immediate necessity.
We also decided to put in a joint effort in
this regard more or less on the lines suggested by you. Your idea of
implementing the BPO employee's register suggested by Nasscom as an "Ethical
BPO Professional's Register" is a truly interesting proposition and I
personally wish that the idea becomes a success.
However, from my experience in the industry, I
feel that the current problem cannot be sorted out between the security and HR
departments alone. There is an overhead and marginal cost associated with the
implementation of the employee training, background checks etc which are to be
cleared by the Business development department. Most of our business is
driven on thin margins which are pre settled and any change in the cost
structure will have a stiff opposition.
We have therefore suggested to widen the
employee fraud prevention strategic team to include the business development
manager in future meetings. There is a doubt lingering in the back of my mind
whether this will ultimately lead to an agreement to carry a
certain level of residual risk after a risk-return trade off .
...............
It is good to
learn that a discussion has started in the BPO circles about how to achieve
the desired levels of security against employee frauds. The security
departments will normally accept a "Zero tolerance measure" ignoring both the
non financial impact on the HR department and the financial impact on the
business managers. But the HR will have their concerns and finally the finance
person will say "Zero Risk at Any Cost is not acceptable. Let us find a
midway".
I am sure that
the industry will sort out this issue based on the criticality of the
operation and the expectations of the customers. Ultimately BPO s may have to
put a "Risk Mitigation Surcharge" on their pricing to absorb the cost. Perhaps
availability of an external compliance management service on the lines of the
security BPOs for BPO s suggested earlier would make it easy for the BPOs to
determine the additional cost and pass on a part of it to the customer.
(Comments
welcome)
Naavi
July 3, 2005
Related Article/Information:
A
Positive List of BPO Employees
