For any services industry it is important to seamlessly integrate with its customers. To do this it is essential for a company to design its technology keeping in mind customer requirements. Otherwise technology can become a hindrance instead of an advantage.
The thing about technology is that while it is often the cornerstone of the customer service experience, the end user rarely comes face to face with it. It is the puppeteer behind the scene, an intangible.
In the BPO industry, where technology is the bedrock on which all other components of the business rest, it is no different. So while the customer demands quick, efficient, always-on service, they have no interest in the network that makes it possible, in the firewalls that protect their data or in the multiple redundancies that have been implemented to ensure uninterrupted service.
At ICICI OneSource we provide business process solutions to Fortune 500 and FTSE 100 companies. Offering a customer service experience that is at par with the best in the world, is not just a choice, it is a business goal. And technology provides the framework that allows processes and people to guarantee this customer service experience.
So what exactly does a global customer experience mean?
Take, for example, the requirement of being able to get through to your helpline the first time you try. Translating those into service level deliverables in terms of technology would mean capacity and bandwidth.
High availability of the network with minimal call drops from a technological perspective would mean network resilience, while good voice quality would be dependent on a well-tuned and well-configured network.
Lastly, as a customer you would like your query resolved in the least possible time, which transcribed would mean low latency networks. All of this, while ensuring sanctity of the data would mean network security.
When we started operations more than three years ago, the objective was clear -- to be India's leading BPO. The fact that our domain expertise (banking) necessitated processes with the maximum security meant that the company adopted a strategy of creating an 'always available' secure operating environment.
Ground reality though, of keeping the network up and running 24 X 7 was a challenge in itself for starters. To add to that each client (at any given time our company has an average of fifteen clients) had specific requirements wherein their technology infrastructure remained unchanged. So it meant ours had to adapt and yet provide seamless services from day one.
This is when we determined that we had to put in place a robust, cutting edge technology framework and architecture that ensured Confidentiality, Integrity, Availability (CIA) and Security to all clients and their customers at all times.
Customer confidentiality
We provide customer acquisition, customer retention and customer service solutions for global companies in the banking and financial services, utilities, telecom and media industries. That means we process credit card numbers, social security details, loan information, status of receivables to mortgage companies, etc.
This involves authentication of customer information like home telephone numbers, addresses and other data at the simplest level to verification of encrypted data at the high end.
All of this means that unless our technology provides the highest level of data security and confidentiality, companies and their customers will not trust us.
So how does our technology ensure this? As a safeguard, this personal information is split into separate databases so that sensitive data and customer names are not linked on the same table. This linking happens only through a software programme.
In most cases, this type of information doesn't even pass through our system. Instead, it remains on the client's own database servers, where we use 'thin client technology' to access it remotely.
The computer keys we press in India are treated as input by our client's system, and the output from that application can be redirected to our monitors here in India. Currently, a majority of our clients operate on the thin client technology, in which actual customer data never goes offshore.
Safeguarding the customer
We have a full time security team dedicated to the task of monitoring hacker sites, scanning the horizon, collecting and analysing intelligence and taking preventative action. Having this in-house security team that conducts much of its own detective work is unique in itself.
In addition to gathering intelligence, this team regularly tests our internal procedures by mounting simulated attacks and seeing how our systems respond. The internal safeguards aside, our InfoSec team also audits client security at installations to verify their effectiveness of controls.
This is done as part of our systematic Plan, Do, Check, Act, template to ensure security of data at all times and we have discovered that even the most experienced and vigilant systems can be improved upon.
Intrusion management in most companies including clients is limited to detection. But we have taken our Intrusion Detection Systems (IDS) a step further with the deployment of Intrusion Prevention Systems (IPS). We also maintain a thorough audit trail for forensic purposes.
Every time we log an event into our database, a timestamp is created, and a chronology of events is stored in a database. In the event of a suspected security breach, our team can go back to this database and derive the timeline of activities with great precision. We can then use this data as electronic evidence for forensic purposes, should it be required.
Availability to customers 24 X 7
Continuity plans form an integral part of the business strategy and are inherent to all our service offerings to clients. We have taken a three-tiered approach to our business continuity planning (BCP) strategy. At the core of our BCP solution is the Center BCP approach.
A thorough risk assessment using CRAMM (a state-of-the-art risk assessment tool recommended by NATO) forms the basis for developing our Center BCP. The plan addresses all possible threats to physical assets under the CIA.
An example of this would be a four level power redundancy plan to ensure continual power supply even, if there were to be a power blackout. The Center BCP ensures that our infrastructure is up and running 24X7
The second tier of our BCP solution is the Enterprise BCP wherein as a service provider we have taken a provisioning approach with investments in additional bandwidth and the decision to invest in a self-healing network.
What this essentially means is that the network can independently and judiciously take care of re-routing traffic from higher points of congestion to lower points of congestion and counter the threat of link failures and point-of-presence failures.
This is possible; given the virtual clouds the company has formed to link multiple points of presence in the United States and the Untied Kingdom and the multiple delivery centers in India (Figure 01).
The last tier of our BCP strategy is the Client BCP -- wherein the client undertakes a business impact analysis for each process assigning criticality to each process and specifies the RTO's & RPO's. For the uninitiated, RTO's are Recovery Time Objectives, while RPO's are Recovery Point Objectives, outlined, prioritised and specified for each process by our clients.
For example the client would specify that in the case of a denial of premise scenario, due to a natural disaster or fire a particular process would need to be recovered within 'x' hours. Sometimes the client RTO's require zero downtime in which case the same process would need to be run from two parallel locations. The RPO's would similarly refer to data retention requirements.
Based on the RTO's & RPO's we customise the BCP for each client. We have always managed to execute these BCP's for our client's faultlessly on demand and at the time of the internal audits.
To quote an actual example, one of our clients had specified an RTO of four hours and then surprised us one day with a request to execute. He actually traveled from the operational site to the BCP site with our employees and was pleasantly surprised to note that we had managed to recover operations of the processes within an hour of his request, effectively meeting the client RTO outlined in the his business continuity plan.
Another strategic technology initiative that ensures a high degree of availability across the end-to-end network is our Network Operations Centre (NOC). A centralised monitoring and control system, the NOC reduces the involvement of multiple contact points for problem resolution and ensures seamless integration and 24/7 monitoring of all critical WAN devices and links.
Customer security
We were India's first BPO organisation to attain BS7799 certification. Our policy therefore ensures that information systems are protected against unauthorised access and confidentiality of information is assured.
Our comprehensive security practice covers physical security, network security, applications, desktop and voice & data security. What it means is that clients are ensured of global standards of information security and data protection.
Security for us is a continuous process -- the framework incorporates the global standard from the Deming's Cycle, of a systematic Plan, Do, Check, Act, template that is based on a clearly crafted security calendar. Essential elements of this calendar are audit surveys conducted by both external auditors as well as internal auditors.
The audit reports are then shared with all our clients. Security briefings at induction, regular refresher courses, and customised briefing updates for our specialist staff such as guards and system administrators - also form an integral part of the calendar.
People security
But while the CIA model is used to ensure customer satisfaction and security of data at the high end, interestingly enough, the world over most security breaches the world over are attributed to the human factor.
It has been our endeavor to classify all client information as confidential and utilise the triple AAA model to ensure security. As part of the triple AAA model relying on Authentication, Authorization & Accounting we have swipe cards with restricted access.
Given that an employee can walk in today and take pictures of a computer screen with his cellphone -- all employees are required to leave bags, cell phones, PDAs and notebooks outside the workplace area in lockers.
All physical notes of conversations with customers are put through shredders at the end of each shift. Two factor authentications are used to limit and secure remote management access of data and resources.
ICICI OneSource leverages technology to perfect the 'templatisation' of centre resources and has setup a centralised control over enterprise resources, change control, access control and configuration management, allowing for little or no disruption in customer service delivery.
Thus, our goal in every project is to align our technology initiatives with the business processes of our customer's and advance their overall mission. Needless to state -- understanding that mission and how our customers operate, is critical in making technology a tool for customer service and not an end in itself.
The author is Managing Director and CEO of ICICI OneSource.
Published with the kind permission of The Smart Manager, India's first world class management magazine, available bi-monthly.