An offshore risk mitigation strategy is essential to achieve the intended objectives of a captive delivery operation’s security program without compromising the confidentiality, integrity and availability of the parent company’s information. Many parents treat their offshore captives as extensions of their business units, rather than just secluded offshore units, and expect the captives to guarantee the same level of security controls and flexibility as the parents.
However, captives often experience challenges with implementing flexibility in access to the IT systems adopted by their parents without customizations to certain protocols such as the use of Internet, access to social networking sites, and access to mass storage devices. These issues can be complex, especially in healthcare or banking where offshore captives have to deal with sensitive and confidential information amid strong regulatory oversight.
Here are the Top 5 areas that must be considered if the parent unit hopes to extend its level of flexibility to an offshore captive environment:
- Evaluate the suitability of internal controls for offshore operations. Assess whether the parent’s existing security controls, internal policies and procedures, personnel controls, and physical and network controls are robust enough to be replicated “as is” i.e., without customization for an offshore captive environment. Your assessment will need to clearly delineate what proactive measures or steps need to be taken in case of an unplanned event or deviation. Be cognizant of risk to your organization’s reputation, and have a well-defined risk mitigation plan.
- Pay attention to people. Focus on your people and understand the nuances specific to attrition, background verification checks and the use of subcontractors in the captive operations. Understanding the difference in personnel profiles, backgrounds and behavior patterns helps with contrasting those from the parent unit and determining any specific requirements for customizations. For example, you may find that you need to adopt a background verification process more comprehensive than one followed by the parent unit. A rigorous process usually covers areas such as educational background, previous employment, credit status, criminal record and drug screening. Similarly, you should implement stronger controls when using subcontractors in the operations.
- Notice the local flavor. Understand the security and flexibility practices adopted by similar companies or captives in your locale. While it may be at odds with what is taken as the norm for the parent, this will provide an objective view of the “as-is” applicability of parent controls in a given offshore captive environment.
- Foster a culture of security. Given the rapidly changing security environment and emergence of newer sources of security risk, firms need to move away from assessing the effectiveness of an offshore risk strategy simply by the number of security controls in place. Focus on creating a culture of security where people don’t need to be reminded about security controls but rather understand their relevance and significance and follow them naturally.
- Train, train, train. Conduct regular and refresher courses on security and industry-specific security practices. Schedule training by frequency and level. Focus on measuring the effectiveness of your training programs through periodic tests and regular feedback sessions.
The seasoned offshore captive experts at ISG can help you achieve your enterprise sourcing goals through objective advice, knowledge of your industry and deep on-the-ground experience. For more information please contact us.