Security Standards - Are they working for the BPO industry?
Sometimes there just seem to be too many standards, and organizations either have to rely on intuition or on the advice of their ‘consultant’ to go with one or the other. My guess is that, on an operational level, most companies see compliance with standards or a quality system as a distraction, at best. Some probably view adopting a standard as a better way to market themselves and gain credibility. In my mind, some recent security breaches in the BPO industry have prompted industry watchers to question whether companies are really serious about implementing the security policies and processes they already have (or are still planning).

Most have heard that a well known financial services BPO was in the news because of an employee-coordinated fraud that resulted in financial losses to several US-based customers of its principal, a leading bank. What many people don’t know is that this BPO was the first in the industry here to attain BS7799 certification. A couple of questions come to my mind: was this certification relevant to the needs of the business? If so, were there problems with the implementation that led to such a blatant security breach? If not, why was it adopted in the first place, if it couldn’t prevent such lapses?

Again, another BPO was recently dragged into the public eye when one of its employees allegedly sold thousands of client records to a third-party media outfit in a sting operation. The company backtracked and the employee was fired, but are there any safeguards in place to prevent other records being stolen, or, for that matter, other companies getting their ‘fingers burnt’?
I don’t think so. Nasscom is making some noises, and the PM’s office is ‘outraged’ and has since chaired a meeting with Government and industry representatives to ‘ensure that this doesn’t happen again’.
But how? There will be resistance from many if mandatory policies (which require systems and support to back them) are forced down the industry’s throat. And there is also the question of which policies are applicable, and of how one goes about creating a basic universal set of policies for the outsourcing industry and then customizing those policies where applicable.
Existing standards like BS7799, COPC, etc. can, and of course should, be referred to when policies are defined and designed for a specific industry sector. But there are dangers in adopting one standard as a whole, because there may well be ‘blanks’ and ‘gaps’: areas it does not address at all, and areas it covers only partially.
That, my friends, is the interesting question.
Have a good one,
Rion
