Outsourcing Case Study - addressing the issues of security, confidentiality and privacy
Stephanie Hoogenbergen, Associate Partner, IBM Hong Kong
28 October 2005
Agenda
1. Changing Rules
2. Case Study - Improve Service Delivery and Manage Risks
3. Emphasize Performance & Benefits
4. Key Considerations
Outsourcing - addressing security, confidentiality & privacy | Confidential | IBM | 15-Aug-14
Spectrum of Vehicles for Service Delivery
[Figure: a spectrum from Fully Public to Fully Private, covering in-sourcing, public-private partnership (PPP), outsourcing and privatisation]
A major challenge for government managers will be to find and develop new ways to finance and implement large-scale projects. Their challenge will be to find creative ways to extend the concept and scope of public-private partnerships.
What is BTO?
• Business: business capabilities; business outcomes
• Transformation: step change / quantum / strategic; process re-engineering; technology innovation; labor optimisation
• Outsourcing: operation by an external provider; augmented processing
• BTO is not: tactical and cost only; conventional outsourcing; BPO (operating niche processes)
[Figure: process change plotted against return on investment, from cost take-out (BPO, cost reduction) through process improvement while outsourcing (process enhancement) to continuous strategic change while outsourcing (BTO, extended enterprise)]
Determining what is Core and Non-core
It is not simple and not rigid, and you may meet resistance to changing the current understanding.
Section 2: Case Study - Bank
Case Study – Leading Financial Services Group outsources critical functions to IBM India
BTO for key banking processes
• Back office processing for a new basic bank account.
• Card Collections: inbound and outbound, including customer facing activities.
Challenge
• Overcome resistance and ensure a smooth and “no noise” transfer.
• Build a robust Framework for protecting Client Security & Confidentiality.
Outcomes
• World class organization and processes supported by the latest technology and talented people
• Productivity improvements
• Extension of scope after successful completion of pilot
• Flexible structures enable faster responses to rapidly changing markets
IBM has a Robust Framework for protecting Client Security & Confidentiality
Quote from the Banking Code Standards Board: “The Operational Control hangs together well and is not over managed” and “If I would be setting up such an operation, this would be exactly how I would do it.”
• Network & Desktop Security
• Personnel Control Security
• Physical & Environmental Security
• Regulatory & Process Compliance
• Induction & Refresher Training
• Monitoring & Controls (SLA)
• BCP - Quarterly Operational Risk Checks
Note: please find further reading in the appendices
IBM's Framework 1. Network and Desktop Security
• Segregation of customer data
• Protection for internal and customer networks using firewalls
• Data transported between the customer’s data center and IBM Delivery Centers is encrypted
• No access to local disk drives or removable media on the desktop
• Agents cannot install any application on the desktop or change settings set by the directory administrator
• Unique user IDs and a strong password policy
• Automated deployment of antivirus updates and critical system patches
IBM's Framework 3. Physical and Environmental Security
Securing offices, rooms and facilities
• Support functions and equipment sited appropriately within the secure area to avoid demand for access
• Electronic card readers limit access to specific areas. Access to confidential areas is blocked for all IBM’ers irrespective of seniority, except those authorized and working for the client
Physical entry controls
• Visitors to secure areas supervised/cleared, and their date and time of entry and departure recorded
• Access to sensitive information and facilities controlled and restricted to authorized persons
• All personnel required to wear visible identification/photo ID
• Access rights to secure areas regularly reviewed and updated
Equipment security
• Environmental conditions monitored
• Continuity of power supplies includes multiple feeds to avoid a single point of failure in the power supply; UPS; back-up generator
Working in secure areas
• 3rd party personnel provided restricted access, only when required
• Appropriate surveillance carried out using closed circuit television cameras, etc. (24 hours)
• Access to information equipment by hardware maintenance staff controlled
• Clear screen and clear desk policy. Critical information is secured using fire proof safes.
IBM's Framework 7. BCP - Quarterly Operational Risk Checks
Quarterly BCP with version control and walkthrough
• Each quarter, operations and support personnel do a walk-through with the IBM BCP team, running through a scenario (bandh, i.e. a general strike, fire and earthquake are some of the situations simulated in the past; a fire drill is run every 6 months), and walk through the BCP plan, fine-tuning it each time.
• Gaps in existing processes, communication plans and evacuation plans are all discussed, documented and actioned, and a new version of the BCP plan is issued, with copies for home and office, to all people managers.
Quarterly Operational Risk Checks
• This check covers Legal & Regulatory (including Health & Safety), Operational Risks (process controls, losses, fraud, security, service standards, audit reporting), Governance, People & Organisation (1-1's, appraisals, coaching), HR (induction, training, performance reviews, whistle-blowing, resource planning, time monitoring, sickness and holiday planning) and Customer Treatment
• Checks are done by a different person every quarter
• Reviewed and signed off by IBM and the Bank's managers jointly
Communications cascade
• A communications cascade is run quarterly, starting from the top and reaching every employee (tested by cascading a password down the chain)
• The total time taken to cascade and the percentage of people who could be contacted are recorded
• Corrective actions, such as changes to telephone / mobile numbers because of which a person could not be contacted, are made to the employee information database
Weekly Operations Review
• Each week, an Operations Review covering Human Resources, Process Performance, Compliance, IT and any other issues is minuted and actioned
• The weekly HR review includes last week's headcount, approved headcount, transfers in and out of the process, attrition, new joinees, shortage and bench
• A separate HR sheet covers weekly attrition, looking at Band, Tenure, PBC rating, Manager, Process and categorised reasons for attrition
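The cascade test above records two numbers (total time to cascade, percentage of staff contacted) and feeds stale phone numbers back into the employee database. The following is an added example, not code from the IBM deck or the bank, that models that test on a constructed eight-person org chart: the database holds one set of numbers, reality holds another, and anyone whose number on file is stale is not reached, and neither is anyone below them until the entry is corrected. The call times, names and numbers are assumptions.

```python
"""Communications-cascade test model (added example; constructed sample data).

A message (the test password) is passed from the top of the organisation down
through every people manager. The model records the total time taken and the
percentage of staff contacted, then corrects the stale numbers that broke the
chain, which is the corrective action the BCP check calls for.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Person:
    name: str
    phone_on_file: str                           # number in the employee information database
    reports: list = field(default_factory=list)  # direct reports, called in this order
    minutes_per_call: int = 5                    # assumed time for one hand-off call


def build_sample_org():
    """Constructed org chart; 'Mgr B' changed phone and never told HR."""
    org = {
        "Head":  Person("Head",  "+852 0000 0001", ["Mgr A", "Mgr B"], minutes_per_call=3),
        "Mgr A": Person("Mgr A", "+852 0000 0002", ["Op 1", "Op 2"], minutes_per_call=4),
        "Mgr B": Person("Mgr B", "+852 0000 0003", ["Op 3", "Op 4", "Op 5"], minutes_per_call=5),
        "Op 1":  Person("Op 1",  "+852 0000 0004"),
        "Op 2":  Person("Op 2",  "+852 0000 0005"),
        "Op 3":  Person("Op 3",  "+852 0000 0006"),
        "Op 4":  Person("Op 4",  "+852 0000 0007"),
        "Op 5":  Person("Op 5",  "+852 0000 0008"),
    }
    # Numbers that actually ring today: the ground truth the test discovers.
    current_numbers = {p.name: p.phone_on_file for p in org.values()}
    current_numbers["Mgr B"] = "+852 0000 0099"   # database entry for Mgr B is stale
    return org, current_numbers


def run_cascade(org, top, current_numbers, message):
    """Breadth-first cascade from `top`; each manager calls reports one after another.

    Returns (arrival, unreached): arrival maps each reached person to the minute
    the message got to them and what they heard; unreached is everyone else.
    """
    arrival = {top: (0, message)}
    queue = deque([top])
    while queue:
        mgr = queue.popleft()
        t, msg = arrival[mgr]
        for r in org[mgr].reports:
            t += org[mgr].minutes_per_call          # a failed call still costs time
            if org[r].phone_on_file == current_numbers[r]:
                arrival[r] = (t, msg)               # message handed on unchanged
                queue.append(r)
    unreached = set(org) - set(arrival)
    return arrival, unreached


def cascade_metrics(org, top, current_numbers, message="test-password-2005Q4"):
    """The two recorded numbers, the unreached set, and anyone who heard a garbled password."""
    arrival, unreached = run_cascade(org, top, current_numbers, message)
    total_minutes = max(t for t, _ in arrival.values())
    percent_contacted = 100.0 * len(arrival) / len(org)
    garbled = [n for n, (_, m) in arrival.items() if m != message]
    return total_minutes, percent_contacted, unreached, garbled


def apply_corrections(org, current_numbers, unreached):
    """Fix stale database entries; returns who was actually corrected.

    Most unreached people simply sat below a broken link; only entries whose
    number on file differs from reality need changing.
    """
    corrected = []
    for name in sorted(unreached):
        if org[name].phone_on_file != current_numbers[name]:
            org[name].phone_on_file = current_numbers[name]
            corrected.append(name)
    return corrected


if __name__ == "__main__":
    org, current = build_sample_org()
    minutes, pct, missed, _ = cascade_metrics(org, "Head", current)
    print(f"run 1: {minutes} min, {pct:.0f}% contacted, unreached={sorted(missed)}")
    print("corrected in database:", apply_corrections(org, current, missed))
    minutes, pct, missed, _ = cascade_metrics(org, "Head", current)
    print(f"run 2: {minutes} min, {pct:.0f}% contacted, unreached={sorted(missed)}")
```

On the sample data the first run reaches only 50% of staff in 11 minutes because one manager's stale number cuts off three operators below him; correcting that single entry lets the second run reach everyone, at the cost of a longer cascade (21 minutes), which is why both figures are recorded rather than just one.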
Section 3: Emphasize Performance & Benefits
Why now? Three enablers now make on demand government transformation attainable
1. Partnering options are rapidly expanding beyond the traditional outsourcing plays
• Increased demand for critical project and technology investments
• Heightened availability of private sector strategic partners with subject matter expertise
• Increased security and economic development by partnering with other jurisdictions
• Sourcing options for routine and specialized functions
2. Higher demand for better quality and more innovative services and products than the traditional competitively bid project can provide
• Increased openness of government leaders to innovative funding models
• Increased marketplace competition for skills and services, and greater efficiency in the use of public resources
3. Transaction costs continue to diminish through technology innovations
• Electronic filing and communication
• Electronic records retention and examination
• Online account management and self-service
Coase’s Law: “Firms should only perform internally those functions that cannot be performed more cheaply by the market.” (Ronald Coase, “The Nature of the Firm”, Economica, Nov 1937)
• Externalize activities that can be performed cheaply elsewhere
• Conduct activities internally if transaction costs are too high
Note: transaction costs consist of search, contracting and coordination costs
[Figure: internal and external transaction costs plotted against transaction efficiency]
Business Transformation Outsourcing enables new kinds of value creation beyond reducing costs
[Figure: value ladder with relative value marked .1X, 1X and 10X across three tiers. Financial Benefits: reducing costs; focusing on core / redirecting resources. Strategic Benefits: improving service delivery; speeding time to benefits / world class capabilities; shared risks / aligned outcomes; increasing flexibility to adapt quickly. Transformational Benefits: improving customer satisfaction; little or no costs to taxpayers; innovating and improving vs. cost cutting]
Section 4: Key Considerations
Be prepared for the Risks
Good outsourcing contracts are the basis for a good partnership model. They will address all the risk areas and include the following key features.
Area of Risk | Key Features of the contract
Possibility of compromised security | Robust Framework for protecting Security & Confidentiality, with disaster recovery as a priority
Loss of control over service level and service quality | Use of service-level agreements
Possibility of service disruption due to instability of vendor | A reliable and strong partner with an excellent track record, supported by BCP
Increased complexity of managing and monitoring the outsourcing contract | Shift management skills from “command & control” towards management of services
Personnel and staffing issues / image issues | Development of a robust HR plan, and development of the future organisation with a re-direction of tasks
And finally …
We believe that the really attractive opportunities will have to feature transformation. In other words, outsourcing partners will not be competitive unless the government allows them to significantly revise the process.
[Figure: process change plotted against return on investment, from cost take-out (BPO, cost reduction) through process improvement while outsourcing (process enhancement) to continuous strategic change while outsourcing (BTO, extended enterprise)]
Contacts
Bruce Williamson, Associate Partner, Business Consulting Services. Tel +852 2825 7220, mobile +852 9837 2850, bruce.williamson@hk1.ibm.com
Isaac Chow, Associate Partner, Head, BCS Public Sector Hong Kong / Greater China. Tel +852 2825 7223, mobile +852 9091 2722, isaac.chow@hk1.ibm.com
Stephanie J Hoogenbergen, Associate Partner, Business Process Outsourcing - BCS. Tel +852 2825 7867, mobile +852 2825 7867, hoogensj@hk1.ibm.com
Further reading on the Bank Case Study and IBM's Framework for protecting Client Security & Confidentiality
• Network & Desktop Security
• Personnel Control Security
• Physical & Environmental Security
• Regulatory & Process Compliance
• Induction & Refresher Training
• Monitoring & Controls (SLA)
• BCP - Quarterly Operational Risk Checks
Back-up slide for further reading 2. Personnel Security
Personnel screening and policy
• Availability of satisfactory character references, e.g. one business and one personal
• A check (for completeness and accuracy) of the applicant’s curriculum vitae
• Confirmation of claimed academic and professional qualifications
• Independent identity check (passport or similar document)
Confidentiality agreements
• Employees sign agreements as part of their initial terms and conditions of employment
• Business conduct and security guidelines are signed annually
• Adherence is a condition of employment
• Casual staff and third parties are required to sign a confidentiality agreement
Information security education and training
• Appropriate training and regular updates in organizational policies and procedures, including security requirements, legal responsibilities and business controls
Reporting security incidents
• A formal reporting procedure established, together with an incident response procedure setting out the action to be taken on receipt of an incident report
• Formal disciplinary process for employees who have violated organizational security policies and procedures
Back-up slide for further reading 4. Regulatory & Process Compliance
Compliance Roles & Responsibilities
• Every employee needs to be aware of their individual roles and responsibilities within the Centre from a Compliance and Risk perspective.
• The roles and responsibilities have been communicated for each role within the Centre (Operator, Team Leader – Operations, Process Manager – Operations, Assistant Manager – Compliance, Manager (LMLRO) – Compliance)
Regulatory Compliance (Security/Data Protection)
• User Guide for all agents
• Posters and screen savers
• Regular 1-1’s with the Compliance Manager
• Periodic reports (weekly / monthly), monitoring and follow-up
• Self-regulation and correction (The Audit Game – compliance is everyone’s responsibility!)
Compliance Policies & Procedures
• Based on the nature of the service being provided, and keeping in mind the regulatory requirements, bespoke policies and procedures have been developed and communicated, e.g. Scanned Image Deletion Procedure, Data Management Procedure, Clear Desk and Key Policy, Organization Chart Policy, Money Laundering Disclosure Form Policy, Debit Card Payment Details Retention Policy, Policy on Live Accounts in Training Room
Monitoring & Control Systems
• A 100% defect free environment can only be achieved by an effective monitoring and control system. All processes and procedures are regularly and comprehensively monitored and reported upon.
• Various logs and reports have been developed to ensure a consistent reporting mechanism, e.g. call monitoring, clear desk return, data protection issues log, banking code issues log, complaints log, suspicious transactions log
Back-up slide for further reading 5. Compliance Induction & Refresher Training
Induction and ongoing training
• Compliance and Risk awareness training as part of the induction
• A full day of Compliance training follows the induction training program for all “new to centre” staff
• Full refresher training schedule: one hour every month for all Centre staff
• A dedicated Compliance & Risk Trainer
Banking Code
• Introductory training is delivered as part of the Induction Training Program
• All Centre staff are provided with copies and fliers of the Banking Code, with Team Leaders being provided with the guidance notes
• Enhanced training will be delivered on a regular basis
Financial Crime
• Introductory training is delivered as part of the Induction Training Program
• All Centre staff are trained on the Financial Crime Support guide for retail operations
• Local Money Laundering Reporting Officer training completed
• Proceeds of Crime Act training (High Risk) delivered to all Centre staff
Data Protection Act
• Introductory training is delivered as part of the Induction Training Program
• All Centre staff are provided with aide-memoires for identification and verification and for initial telephone introductions. Self-certificates have also been completed following delivery of additional training by Process Experts.
• Enhanced training will be delivered on a regular basis
Back-up slide for further reading 6. Monitoring & Controls
Delegation of Financial Crime Prevention, DR&C
• Check whether applications (BBA) received meet the qualifying criteria and are compliant with current regulation, e.g. identity proof, address, Know Your Customer information
• Ensure information is captured correctly in the system and kept up to date
• Report suspicious activity from BBA customers on Money Laundering Disclosure forms to the Transaction Monitoring Unit
• Provide Management Information to, and meet with, the Head of FCP, DR&C, as agreed from time to time
The Agreement
• This document represents an agreement between Financial Crime Prevention, Distribution Risk & Compliance (DR&C), and the IBM Service Centre, Group Operations, and defines the services provided by both parties
• The agreement seeks to provide both parties with a clear statement of expectations and responsibilities
• The agreement can be re-negotiated when required and will be mutually endorsed by both parties
Responsibilities of the client (FCP and DR&C)
• Ensure the IBM Service Centre staff are kept informed of all relevant issues, initiatives and developments affecting its delegated functions and responsibilities
• Work together with the IBM Service Centre to improve the effectiveness and efficiency of BBA processes in the fight against Financial Crime
• Formally meet with the Compliance Manager, IBM Service Centre, as agreed from time to time
Monitoring & Quality Assurance
• All relevant reports will be produced by IBM and provided to the Head of Financial Crime Prevention, DR&C
• Periodic reviews will be held between the Head of Financial Crime Prevention, DR&C (or his deputy) and the Compliance Manager, IBM Service Centre, to confirm satisfaction and remedial action (incl. Group Audit Reports)
• All Monitoring and Quality Assurance criteria will be measured against the overriding principle of evidencing that all reasonable steps have been taken to comply with both internal and external anti-money laundering requirements
Back-up slide for further reading 7. Business Continuity Planning
IBM has a robust business as usual operating environment which enables us to manage the risk to the client of disruption to negligible levels. Our approach focuses on the recovery of business processes, with detailed actions for our people, facilities and technology.
[Figure: BCP components arranged around People, Facilities and Technology: Business Risk & Impact Assessment; Critical Processes and Recovery Times Required; Jointly owned BCP; Customer Specific BCP Plan; Finance Processes; Testing the BCP Plan; Training & Communication; Maintaining & Updating the BCP Plan]
Back-up slide for further reading 7. Business Process Continuity Strategy
Together with the client, a Business Risk & Impact Assessment was undertaken to define and agree critical and non-critical processes, which form a core part of operationalising the plan across the multiple BCP sites utilised.
[Figure: Business Risk & Impact Assessment classifying processes at the Main Centre and the Regional Centre. Critical processes (high operational / financial impact): cross-training; continue critical work at 100%. Non-critical processes (low operational / financial impact): cross-training; SLAs temporarily suspended on non-critical activities during the recovery period]