Industry news

Channel 4’s recent Dispatches programme highlighted problems that Indian companies have had with data security. The sting operation managed to buy personal data on British citizens from Indian call centre workers. Data security in outsourcing arrangements has long been an issue that troubles many in the financial community; this high-profile failing of data security won’t allay fears. There are no easy solutions to data security, and it is only by being extremely thorough that firms can ensure that data is kept safe from fraud and theft.

Data security is at the heart of any outsourcing agreement. When financial companies outsource their IT, more often than not the data transferred to the supplier will contain confidential information. Outsourcing agreements are built on trust between end user and supplier. It’s crucial that the end user has to trust the supplier with this information and equally the supplier returns the favour by guarding this data in a suitable manner.

Undefined boundaries relating to the division of responsibility of security protocol are often the reason behind security lapses. When working with a supplier, the issue of responsibility is always a potential problem. This can often be exacerbated by an ‘out of sight out of mind’ attitude - this is not an approach that any organisation can afford to take, particularly with security. Suppliers need to be allowed to work with the data, but it helps if end users build the security policy, in conjunction with suppliers. If not, the left hand might not know what the right hand is doing and this may result in misaligned security objectives and achievements. It helps if throughout an outsourcing agreement the users visit the supplier location every 6 months or every year to make sure that all processes are up to scratch.

Companies need a wide range of procedures, covering physical security, IT security and the security of intellectual property in order to formulate a security policy and then a complete security programme. All these factors need to be considered and integrated into a security plan in order to safeguard data effectively.

Physical security

In the last month, three laptops containing Metropolitan Police payroll data were stolen from LogicaCMG, the UK IT services firm, demonstrating that breeches to physical security do occur. The first barrier to data theft has to be physical security. Customers’ data, particularly bank details, must be entirely protected from thieves. It is advisable to have a rigorous security structure that includes: card access control; employee badges; security guards; 24/7 video surveillance; dedicated, client approved and physically secured development centres; electronic motion censors (during non-business hours); mantrap-controlled entrances and exits; coded door locks and PIN cards. Vendors must cater to the needs of all of their customers, and some financial companies might require further physical security, and flexibility is the key on the part of the supplier.

IT / Data security

Other activities that companies should always practice include firewalls, anti-virus software and automatic patch updates. These are the basics. Businesses must be careful to ensure separate back-up and IT infrastructures exist for each client, and all data is backed up.

It helps if suppliers have further measures in place, to keep the data secure and to ensure the financial client retains full confidence in the security standards. Businesses must have a central monitoring system to monitor in-coming and out-going correspondences, as well as dedicated channels with encryption between customer and vendor.

Intellectual Property

Recent research has shown that banks should fear insiders more than hackers. Because of the potential for corruptibility it is imperative that processes are implemented to retain firms’ intellectual property.

The HR team, when hiring, should be thinking about defending the firm’s intellectual property. Strenuous screening and background checks should ensure that unscrupulous applicants never become employees. Employees should be educated about the legal requirements and responsibilities of working for the particular organisation. Staff should be made to sign non-disclosure agreements and not be allowed to use USB ports / sticks, as this is an easy way to take data (physically) outside of the organisation.

Complying with local area regulation is vital, and India, following the aforementioned security breeches, is in the process of formalising an equivalent of the Data Protection Act. However, in its absence, suppliers are falling over themselves to demonstrate data security compliance.

In Eastern Europe, strict laws defend the intellectual property of companies. If an employee has signed appropriate documents (as they should do when they join), then they could end up in prison for breaches of data security. Coupled with this, IT employees, especially those from Russia, have a scientific mentality that dates back to the times of the USSR, whereby attention to detail means that people are very sensitive to the threat of security breaches.

Security in financial IT outsourcing is imperative. It is the glue that creates a positive outsourcing bond. The whole outsourcing deal is built on trust at the heart of the relationship and if trust is present, it is a good stepping stone to build a healthy relationship. On the flip side, if a vendor demonstrates poor security, this can undermine the whole relationship, even if the actual work is going well. The message to vendors and customers in the financial industry is this: a security system, properly integrated between end user and supplier can be the base on which to build a long and healthy outsourcing relationship.

Ivan Gavrilyuk is CIO of Luxoft. For more information on Luxoft www.luxoft.com.

Whilst the trend towards offshoring has led the way in the global outsourcing industry for a number of years, offshoring locations such as India and China are now finally seeing a dent taken out of their global advantage. Whilst in the early years of outsourcing India was the dominant offshoring location for the UK, due to language capabilities, graduate workforce and the wage differential, there is now a significant trend towards nearshoring. In the last few years countries such as Russia and the Czech Republic have joined the fray, launching propositions to the UK market. Distinct advantages such as highly educated workforces and close cultural alignment are cited by organisations sending their processes to these destinations, and offshore destinations are feeling the strain.

Offshore outsourcing emerged initially as the main supplier destination largely due to cost, but also due to the numbers of skilled graduates and the experience gained within the IT sector, with these factors boosting India especially. However, there were a number of high profile offshoring failures amid claims that some UK companies jumped too quickly onto the offshoring bandwagon without adequately assessing the consequences and without considering alternative options.

Nearshore outsourcing is now on the rise, with end users sending processes to locations with a cultural, regulatory and physical proximity to the end user either as part of a global delivery model or as a replacement for the offshored service. Despite being less widely used than India, Central and Eastern Europe was seen in a recent survey by TPI as equally appealing an outsourcing location as India, with both destinations rated attractive by 59 per cent of respondents. The TPI report states that: ‘it appears likely that Central and Eastern Europe will make up ground on India’s lead over the next few years’.

There are undoubtedly advantages and disadvantages of offshore and nearshore models and generally they tend to be aligned to variables such as: the type of process that is being outsourced; the level of complexity of that process; the working culture of the client organisation; whether the process needs to be conducted during the office hours of the client organisation, or outside office hours etc.

One of the key differentiators between offshoring and nearshoring is the difference with management costs. Calculating the cost of offshoring is not as simple as comparing the wage differential between India and the UK. Cost assessments need to take into account the full range of variables that must be considered to confirm the immediate advantages and other benefits that are realised over time. Management costs involved in offshoring are often overlooked – evidently the further away a process is based from the country of origin, the higher the management investment of that process will be. Companies currently analyse cost savings on offshore deployments based on the current differentials with offshore and onshore employment markets alone when actually they need to take other factors into account, such as management time, wage inflation, attrition rates etc.

Certain functions will be more suited to offshoring, such as commoditised functions that require more generic and easily acquired and replaced skill sets. In contrast, more complex functions, such as those that require industry specific knowledge, are more susceptible to security risks and will have significantly different cost and risk profiles to commoditised functions. It is likely that processes of this kind will warrant tighter management control. In this scenario, a nearshore strategy could prove more effective, as it will enable access to the necessary skill sets, plus the mitigation of the risk and management problem as the geographical differences will be less. It will also enable the organisation to realise significant cost savings. When referring to offshore outsourcing’s capabilities, a recent report by KLG on current trends in global sourcing opined that “the savings profile for more complicated functions will have a markedly different profile and in some cases less savings than that offered by nearshore deployment opportunities”.

The offshore advantage held up until recently due to its remarkable advantage in terms of cost. The slow, but steady, erosion of this competitive advantage, including the shift away from cost as the most important reason behind an outsourcing agreement (a recent survey by the National Outsourcing Association found that 83 per cent of respondents saw a healthy relationship, as opposed to cost, as the key differentiator between success and failure in an outsourcing deal) means that offshore suppliers are facing a real challenge within the global outsourcing industry. As well as a healthy relationship, end users are now focusing on the need for regulatory compliance and tight security when entering an outsourcing agreement.

The negative publicity that offshore suppliers have received, particularly within the recent ‘Dispatches’ programme on Channel 4 (about data security breaches in Indian call centres), may or may not be merited. Either way it adds further weight to the increasing number of questions posed to offshore suppliers on a number of key outsourcing issues, including security and regulatory compliance. Whilst offshore outsourcing retains a lead in terms of sheer quantity of contracts in service, the nearshore dimension is adding a new element to the global outsourcing industry that cannot be ignored.

Competition is fierce in the investment community. Struggling against increasingly fickle consumer behaviour, investment companies are striving to find the Holy Grail of customer loyalty – trying to find the balance of cross selling the right products to customers and tying them in to longer term relationships. Customer promiscuity is on the increase in every industry and the financial sector is no different.

The companies which will gain prominence are those that step up to the mark in terms of customer management - the companies that put customers and their requirements at the centre of their businesses will be far more likely to succeed than those who shun what is often considered the softer side of business, to rely on hard nose sales tactics and uncoordinated efforts. But managing customers effectively can be a daunting task and even some of the biggest companies struggle to do it effectively.

But because of the few investment companies that manage customers effectively, a precedent has been set that companies need to attain in order to make any lasting impression on the customer. Customers are finally realising that rather than being at the mercy of their suppliers it is they who are in a strong position and consequently are demanding more – investment professionals need to realise this and meet the high service levels that customers are expecting.

So how can companies reach the requisite standards in customer management and start to build a reputation that makes them synonymous with high customer standards? Customer Relationship Management (CRM) is the principle technology used to interact with end users and as such is the most important tool in retaining customers. Embracing the latest CRM technologies is not optional - it is essential if investment companies want to keep a step ahead in the marketplace. And it’s not just the big multinationals that need to implement this technology. CRM is often associated with call centres, but in reality it has far wider reaching applications and should have a pivotal role in the customer management strategies of investment companies of all sizes.

European companies are increasing their investment in customer relationship management (CRM) software to increase revenues and grow their customer bases, according to Gartner. The analyst firm says the European market grew to $1.9bn (£1bn) in 2005, a 9.7 per cent increase on the previous year. This rise in spending on CRM software correlates strongly with the state of the economy, says Chris Pang, a senior research analyst at Gartner.

In the past, CRM has been an ambiguous term used to describe any customer interaction. However, as it matures as a business and technological process, more investment companies are beginning to realise that it refers to how a company manages its customers effectively, underpinned by carefully designed technology. Effective CRM is more of an ethos, a strategic practice that pervades every element of customer relations, underpinned by technology which is properly integrated into all relevant company systems. CRM feeds off information the company retains on existing customers and potential customers, carefully analysing it to aid in customer management, marketing and sales initiatives.

Whilst there is no blueprint to CRM and no one solution that will be suitable to all investment businesses, there are important factors that companies need to bear in mind in their approach to CRM. These include:

• Identifying factors that are important to clients - customers and their requirements should be the focal point if the business and a good CRM

• Promote a customer-oriented philosophy – this should resonate throughout the company and all staff should feel this

• Develop end-to-end processes to serve customers – a 360° view is essential in order to get a complete picture of the customer and make accurate inferences

• Provide successful and insightful customer support – letting a customer down when they need help the most is often the death knell in a supplier/customer relationship

• Track all aspects of sales – this allows a company to gather effective intelligence on what works and what doesn’t with different types of customer and completes a customer history to help achieve a 360° view

Most companies would agree that CRM is important to them but achieving a successful CRM system is something that needs careful attention. CRM technology is now able to be fully integrated with other business systems. Integration with the relevant marketing systems and client databases will ensure that more cross selling opportunities for investment professionals. Previously a CRM platform would have been a stand alone technology. Tying all systems together ensures greater efficiency, better sharing of data and less duplication of effort which ultimately serves to save time and consequently money and gives the customer a better experience.

The complexity of CRM projects, means that they are never plain sailing. However, CRM failures are largely due to human intervention as opposed to specific problems with the technology, according to analyst house Ovum. David Bradshaw, principal analyst at Ovum has commented, ”There have been instances of disappointing CRM projects but the decisions taken around the balance between service and cost is the problem with poor customer satisfaction.”

As with all technology, CRM is moving at a tremendous pace and the latest CRM technologies enable companies to know their customers better than ever before. The latest CRM can improve business/customer interaction in a number of ways. It can provide online access to product information and technical assistance around the clock. This can be directly to the customer in circumstances that suit but can also be within a company to enable all staff everywhere to have access to real time data online, regardless of employee location. The latest technology can also speed up processes to streamline systems and to cut costs through time efficiency and can provide mechanisms for managing customer communications and on-going support.

Data protection is another important issue to consider with regards to a CRM system – the data that is gathered can raise concerns over customer privacy. However, CRM generally involves making better use of customer information gathered as a result of routine customer interaction. The privacy debate generally focuses on the customer information stored in the centralised database itself. Fears over how companies handle this information arise, particularly when third parties are involved. Therefore effective CRM systems need to incorporate data protection policies and access processes, which should ensure that only staff who work with customer data can access it. This is particularly important in investment management due to the level of personal and financial information.

CRM is always evolving and the systems of the future will become more and more sophisticated. As investment companies strive to attain the competitive edge and attract and retain an increasingly fickle customer base, CRM will become core to the overall business strategy of the investment community. The outlay, in terms of resource, may seem daunting, but in order to survive, investment companies need to plough resources into an intelligent and effective approach to CRM.

Case study - Deutsche Bank

Deutsche Bank needed to build a business critical Customer Relationship Management (CRM) system with the objective of replacing the CRM application previously developed in-house. The new system needed to provide the sales division with a flexible work space that links CRM information with other business critical content to ensure an accurate, up-to-date and comprehensive overview of each client relationship. The main goal was that the new application should improve customer relationship quality, increase service efficiency and make the client more attuned to customer needs.

The application was deployed within a portal framework and is based on a three tier architecture. Employing a three-tier design, with the database and application installed on the server dramatically simplifies system maintainance, load balancing, upgrades and configuration. System users need only a standard web browser. The architecture works regardless of user operating system, thus avoiding the need to create different applications to accommodate different operating systems. All data is stored in an Oracle database and is retrieved through the business-logic layer and displayed via a web-based user interface.

An innovation introduced into the web-based system is the use of the Think Map module that displays client data in three dimensions, making it easy to analyse a lot of data in one graphic. Adding further convenience, the system’s interface gives sales staff access to all system functions and client information from one location and each user has the ability to customise his or her own application environment to best suit individual needs and preferences. The application’s interface is intuitive and presents bank staff with a look and feel in concert with the most well-known and popular business applications.

As a result of the implementation of the new CRM system, the time taken for data entry within the bank has been significantly reduced. For example, the time required to log a call report decreased from 8 minutes to 3 minutes, which results in 750 hours saved per month.

The new CRM system provides a single point of access to corporate clients’ data to all the parties and brought together sales, global relationship managers and senior investment bankers across the client organisation. The system is three times faster than its predecessor and the new functionality allows bankers to manage customer relationships in a more interactive and intelligent way.

The new system integrates with the majority of customer applications in the bank- database schemas, loading mechanisms and infrastructure, allowing the client to deliver updated business information to bankers as soon as it is available. Employing a three-tier design, with the database and application installed on the server dramatically simplifies system maintainance, load balancing, upgrades, and configuration.

The Deutsche Bank CRM project achieved a high degree of ROI, estimated at a saving of 30 – 40 per cent compared to conducting the project onshore.

Companies the UK over have been flocking in their droves to offshore processes such as IT services provision, call centre work and HR administration. From India to China, the Philippines to Mauritius, it seems that every country in the developing world has an offshoring proposition to tempt UK and European countries to engage with foreign suppliers. Offshore software development is another area that is taking off. Rather than resourcing a development capability in house, or outsourcing it to a local supplier, more and more IT houses, attracted by considerable cost savings are turning to offshore suppliers for their development requirements.

Opting for offshoring with cost savings in mind is all very well, but companies are often too absorbed in the economies of scale to judge the risks and threats of offshore development from an objective standpoint. The risks can be multiple, which highlights the necessity for sound testing and quality assurance procedures.

The geographical distance makes offshoring development a far riskier prospect. The time difference, the language and cultural differences can all impact on the quality of service that is being delivered. There is also the argument that development that is handled at an offshore location is much more difficult to control and manage. The disconnect between the local and the offshore operations can be considerable therefore it is essential that the company has stringent management practices in place and it increases the need for thorough specification and failsafe project controls.

Offshoring also limits a “working together” ethic, which can be useful in development projects –where it comes to analysing prototypes, for example, it can be difficult to bridge the gaps between local business analysts and offshore developers. Other risks arise from the fact that where offshore suppliers are very adept from a technical perspective, they are rarely au fait with the business issues that the organisation may be facing. Therefore due to the distance between the local and remote operations, there can be a substantial risk that the business application and the requirement could be misunderstood in design, development and testing terms – there can be lots of to-ing and fro-ing between the disparate offices, which can be problematic when you take the time difference into account.

Whilst the issues around outsourcing are evident, the benefits are undisputed. So how can organisations improve the way they do offshoring? When mitigating offshoring risk through sound testing and quality assurance procedures, the first rule of thumb is to establish an onshore, local operation that deals with the end user organisation as well as the offshore developer. They can ensure that the project undergoes thorough specification, which should then be clearly documented and communicated – this will give tight guidelines for the offshore operation to work within and as far as possible, will help to limit errors.

With offshore risk management, it is critical that quality gate controls at the customer organisation are established and an airtight quality plan is developed, led by the onshore operation. This is essential in order to ensure that all parties involved on the supplier and end user sides are singing from the same hymn sheet and up to speed with what is expected from them from a quality deliverance perspective.

The local operation also needs to concentrate on acceptance testing and business integration testing. And if the offshore operation is not as up to speed as necessary with the business issues, it is vital that the local operation has some procedure in place to mitigate this risk – this can often involve having representatives on site, in order to oversee development, or at least regular visitations and meetings to ensure the project is on track.

In our experience, the geographical distance in offshoring arrangements means that managing defects and deliveries back into the offshoring organisation can be really problematic. By the time the onshore operation assesses the work and feeds back to offshore operation, the offshore set up will have moved on to the next stage, as is typical of a production line. This means that both parties can be on the back foot with regards to dealing with defects – this can hinder the whole operation and can make the process very costly. Having appropriate and highly visible quality assurance in place will ensure that all defects are spotted and dealt with as effectively as possible and all deliveries are managed tightly. An infallible defect management system and clear communication about defects are also vital.

Before the project is even embarked upon, it is essential that quality assurance and testing procedures are outlined in the contract. It is highly beneficial if the offshoring contract details quality assurance and testing at each stage of the lifecycle linked to formal acceptance criteria. It is key that the offshoring operation is transparent so the local customer operation retains some control over the project lifecycle, so they can have visibility of the project design, development process and also, critically, of the testing procedures. This will ensure the end user organisation can review or witness the test and test audit trail to increase assurance before the product is delivered.

Box out

Some pointers that organisations need to bear in mind when testing offshore processes:

• Lack of strategic perception around testing: testing and quality assurance should be about the verification of a solution to fit the business. It is often regarded as an operational, tick box function and this is when flaws occur.

• Leaving it too late: generally the many types of testing required, which includes security testing, are only conducted prior to go live in offshoring projects. If problems are detected at an early stage, they can be corrected straight away minimising their effect on the contract overall.

• Deadline pressure: suppliers are often under serious pressure in offshoring contracts. Having to adhere to deadlines, fall within budget and meet stringent SLAs often means that security design and system testing takes a backseat.

• Where the responsibility lies: the offshoring environment can also cloud where the responsibility for testing lies. This could have been an issue for these financial companies and their suppliers.

• Testing and quality assurance in the contract: offshoring contracts should detail testing at each stage of the lifecycle linked to formal acceptance criteria. This will ensure that testing practices are conducted at regular intervals and adhered to throughout the course of the contract. This can flag up any problems and highlight areas where security flaws could exist.

End box out

Whilst the benefits of offshoring are undisputed in terms of cost and quality of service, it is essential that ironclad quality assurance and testing procedures are put in place. Cost effective offshoring may be, but if a software development project goes awry due to bad management and insufficient testing, it could cost the local customer organisation a good deal more in the long run.