Let's Build a Responsible Cyber Society

Risk Return Trade off in BPOs


The following interesting comment has been received from one of the readers of some of the recent articles published in Naavi.org.

Dear Naavi,

Your passionate push for employee training as a risk mitigation measure is well appreciated. I am working in a BPO and associated with the security aspects. I should admit that  until  the recent incidents came to light, security has never been treated as a cross functional problem. It has been looked upon more as a technical issue of providing anti virus cover, filtering spam, rejecting internet connectivity and external e-mail access, disabling ports, floppy drives etc.

It was only last week that we had the first joint meeting between the HR and the security department to discuss the security issue as a joint problem. We agreed without much trouble that employee training on cyber law awareness is an immediate necessity.

We also decided to put in a joint effort in this regard more or less on the lines suggested by you. Your idea of implementing the BPO employee's register suggested by Nasscom as an "Ethical BPO Professional's Register" is a truly interesting proposition and I personally wish that the idea becomes a success.

However, from my experience in the industry, I feel that the current problem cannot be sorted out between the security and HR departments alone. There is an overhead and marginal cost associated with the implementation of the employee training, background checks etc which are to be cleared  by the Business development department. Most of our business is driven on thin margins which are pre settled and any change in the cost structure will have a stiff opposition.

We have therefore suggested to widen the employee fraud prevention strategic team to include the business development manager in future meetings. There is a doubt lingering in the back of my mind whether this  will  ultimately lead to  an agreement to carry a certain level of residual risk after a risk-return trade off .


It is good to learn that a discussion has started in the BPO circles about how to achieve the desired levels of security against employee frauds. The security departments will normally accept a "Zero tolerance measure" ignoring both the non financial impact on the HR department and the financial impact on the business managers. But the HR will have their concerns and finally the finance person will say "Zero Risk at Any Cost is not acceptable. Let us find a midway".

I am sure that the industry will sort out this issue based on the criticality of the operation and the expectations of the customers. Ultimately BPO s may have to put a "Risk Mitigation Surcharge" on their pricing to absorb the cost. Perhaps availability of an external compliance management service on the lines of the security BPOs for BPO s suggested earlier would make it easy for the BPOs to determine the additional cost and pass on a part of it to the customer.

(Comments welcome)


July 3, 2005


Related Article/Information:

A Positive List of BPO Employees


For Structured Online Courses in Cyber laws, Visit Cyber Law College.com


Back To Naavi.org