Re-focusing on Data Protection & Outsource Risk Mgmt



After the recent hotel attacks in Mumbai and the Satyam Computer Services scandal, could the perception that India is an unstable country finally mean the “bill” is coming due for companies that sought cheap but risky business operations in the region? Not necessarily.


In October, Indian and foreign-owned software companies and outsourcers invoked their business continuity plans after government employees called a general strike that shut down the city of Bangalore. Though the strike lasted just one day, employees steered clear of commercial parks and urban hubs. Workloads were diverted to other locations throughout India or completed on extra shifts once the city was “re-opened,” both of which were practical business continuity options.

One can argue that strikes are somewhat predictable events, plans for which may be drawn up quickly and executed without much practice or precision. Wider civil disruptions, however, are another matter entirely. In the wake of such events as the terrorist incidents at the Taj and Oberoi hotels, one cannot dispute the value of crisis management and communication. In addition, disclosures of fraud, mismanagement and insolvency such as those that occurred at Satyam all too often are triggers to execute crisis management and business continuity plans, especially when clients must divert certain operations and reacquire data. All of these incidents should serve as a further reminder to companies to have in place advanced, well-thought-out continuity planning beyond their four walls.

Challenges and Opportunities

Increasing contract terms cannot replace basic risk management techniques such as integrated risk assessments, continuity plan exercises, enhanced data protection and rigorous audits. A 2005 Protiviti/APICS survey revealed that appropriate investments in auditing outsource providers or offshore functions had not yet been made by a majority of companies with more than $1 billion in annual revenues. One can legitimately argue the economic pressures of the past 12 months have done little to change this statistic. The question remains – will incidents such as the Mumbai attacks bring this investment, or lack thereof, back into focus?

Though outsourcing is unlikely to cease, look for costs to potentially increase as outsource providers enhance security and resiliency and even build redundant locations across India to lessen the impact of future attacks. Accenture, one of the largest providers of outsourcing management, recently achieved the BS25999 certification verifying it has taken necessary steps to assess and plan for the risk of interruption at its locations across India. This certification is sure to grow in popularity as customers seek greater levels of assurance that their operations and data are safe. They also will be looking for ways to share the cost. In addition, alternative and creative methods for verifying and auditing service levels and controls may emerge as foreign executives decrease the number of visits to a now-troubled region.

Thus, in one sense, the bill is coming due. Whether the true cost of doing business in the region outweighs the benefits is still unknown, but expect further discussion about spreading the risk by moving operations to other regions or bringing them back to the United States.

Our Point of View

If your organization maintains or relies on operations in India, you should consider the following actions:

  • Enhance relations with local Indian authorities on preparations they are making to protect against or respond to future attacks.
  • Review risk assessments and impact analyses to include terrorist activity affecting employee safety and productivity.
  • Review company data residing in India and the access controls around that data.
  • Exercise existing emergency response, crisis management, business process and IT disaster recovery plans.

If your outsource providers have operations in India, you should consider the following actions:

  • Review the vendor’s redundant operations strategy, if any, and inquire about plans for shifting workloads.
  • Conduct a cost-benefit analysis for continuing the outsourcing arrangement while considering the compromised ability to audit overseas operations.
  • Identify independent firms with operations in India to perform periodic audits on your behalf and apply the same rigor as if you were performing the audit yourself.

How We Help Companies Succeed

Protiviti provides an array of technology and process solutions for implementing or enhancing existing business continuity, data protection and outsource risk management efforts. Our expertise in assessing risk, developing plans and simulating crises will maximize your business continuity investment. Our Information Protection Portal supports even the most complex, global privacy programs, and our experience auditing offshore operations ensures a rigorous, objective opinion is developed around control effectiveness.


Protiviti has helped clients assess risk by identifying exactly how their data flows around the globe and between outsource providers. Recently for one client, we leveraged our Information Protection Portal to process the details about this flow and make a comparison to relevant privacy regulations, flagging potential compliance issues and risks. We then developed strategies to address potential risks and ultimately preserve the client’s reputation, brand and market share. In addition, we monitored client e-mail activity, identifying and preventing valuable client data and intellectual property from being shared with outsource providers and others outside of the enterprise, either accidentally or maliciously.


Brett Williams
Nicholas Benvenuto
