. 59
( 131 .)


underlying values and beliefs are uncovered. This is far more effective than sim-
ply asking a representative ˜What are the values and beliefs around here?™
The same is true of myths, legends and heroes. These are simply the anec-
dotal versions that give more direct and immediate meaning to the belief sys-
tems operating in the company. Myths, legends and heroes will present
themselves as you delve into the 12 domains, but only if qualitative data gath-
ering techniques are used.

CDD deliverables
All of the data collected by means of the CDD process is carefully analysed and
organised into a number of extremely valuable management tools to be used by
executive and senior management in planning the integration of the two organ-
isational cultures into a desired new culture of the merged organisation.
These tools include:

Detailed cultural profile of both organisations;
Perceptions of various constituencies of both organisations;
Details about current culture and the merger;
Specification of cultural similarities within the 12 cultural domains;
Specification of cultural differences within the 12 cultural domains;
Prediction, specification and prioritisation of ˜culture clash™ problems and
their impact on the merger;
Specific recommendations on avoidance and/or minimisation of culture
clash problems; and
Integration road map for implementation of recommendations.

Given this information and these management tools, key decisions can be made
early in the merger process that will:
Minimise culture clash problems;
Facilitate the optimum integration of the two cultures; and
Greatly increase the probability of success of the merger.
Chapter 13 “ Social and cultural risk management 305

Culture, strategy outsourcing and off-shoring: the
Indian case study
For some time, the world has been talking about the ˜Indian BPO Success Story™ “
which describes the business process outsourcing (BPO) industry that is growing
at a phenomenal pace of 59% year on year and contributing nearly a quarter to
the total IT exports revenue. Many strategy experts attribute this growth to the
inherent advantages that India possesses, i.e. low cost base, vast English speak-
ing population and a highly skilled labour force. Undoubtedly, cost savings due
to labour arbitrage continues to be one of the most compelling factors for off-
shoring processes to India. In addition to this, rising vendor sophistication,
improved process and project management skills and quality standards have
given India a pre-eminent position in the US$275 billion global outsourcing
market. However, the real challenge before India lies in its ability to maintain
its strengths and build newer capabilities to tackle increasing competition from
countries like Ireland, China and Israel, etc.
With the objective to chart a strategic road map for unhindered growth of this
industry and to gauge the perception of Indian BPO service providers on various
issues, ASSOCHAM conducted the First BPO Industry Confidence Survey in the
months of May“June 2003. Coincidently, this was also the period when domestic
and international media highlighted the outsourcing backlash in the US, Australia
and European countries and the possible impact it could have on the Indian BPO
industry. This nationwide survey evinced a huge response especially from the
BPO SMEs. Leading companies like eFunds International, Bhilwara Infotech, 24/7
Customer Access, Transworks, HCL BPO, ITI Limited and Indigo Lever also
participated in this opinion poll. Overall, 160 CEOs responded to this survey.

Research methodology
In planning this survey, the ASSOCHAM BPO Research Team implicitly
accepted the potential, opportunity and drivers of the trend to outsource
processes to India. The questionnaire survey was specifically modelled to
study the underlying issues that could become future threats for this industry.
Accordingly, the questions covered the following aspects:
Short- and long-term impact of:
Slow pace of regulatory reforms;
Infrastructure bottlenecks;
Lack of streamlined approach for branding Indian BPO services;
Increasing competition from other countries with similar capabilities;
Increasing service level requirements;
Geo-political situation in subcontinent;
Rising attrition rates/other HR issues; and
US and European backlash against outsourcing.
Level of satisfaction on the human resources and telecom infrastructure in
Part C “ Overview of the Social Aspects of Business Risks

Acceptability of the government policies/initiatives in this field;
Future direction of the government™s BPO agenda; and
Overall confidence on the future prospects of this industry.

Findings of the survey
The survey revealed the following results.

Short and long term impact analysis
The slow pace of regulatory reforms: the members of ASSOCHAM BPO
Steering Committee have recognised regulatory issues as one of the major con-
cerns for Indian companies in this area. While the government has increased
support to the IT/ITES industry, many industry experts point to the tardy pace
of these reforms.
Industry opinions:
Short to medium term (0“2 years) “ moderate impact (50%); and
Long term (2“5 years) “ serious impact (54%).
The survey clearly showed that industry is concerned over the long-term impli-
cations of slow pace of regulatory reforms. Broadly, the policies/acts pertinent
for this industry are:
Information Technology Act 2000;
Software technology park policy;
Foreign investment policy;
Venture capital investment policy;
Overseas investment policies (M&A, ADR/GDR, remittance of profits, etc.); and
Other fiscal incentives.
The government in consultation with industry associations should chalk out a
time-bound plan that covers the various loopholes in the above-mentioned
Infrastructure bottlenecks: availability and reliability of infrastructure facili-
ties is still a cause of serious concern. However, the government is attempting
to strengthen telecom infrastructure and build fibre-optic networks in city cen-
tres of software activity, as well as providing uninterrupted power supply.
Much of these efforts have drastically improved power availability and telecom
Industry opinion:
Short to medium term (0“2 years) “ serious impact (86%); and
Long term (2“5 years) “ very serious impact (47%).
An overwhelming 86% of the respondents view infrastructure as a serious
cause of concern in the short term. In the long term, the majority felt that poor
infrastructure would have a very serious impact.
Chapter 13 “ Social and cultural risk management 307

Lack of streamlined approach for branding Indian BPO services: industry
experts have often suggested that India should have ˜umbrella brand™ for IT and
ITES (information technology enabled services) industry. The marketing of
India as a BPO destination until now has been mostly at the behest of service
providers themselves. The industry/government partnership in this field needs
to be strengthened. Currently there is lack of a streamlined approach on brand-
ing Indian BPO abroad.

Data protection laws in India
One of the key aspects of outsourcing relates to the resolution of any concern
that business partners should ensure that the culture is honoured. By way of
example, the data protection laws of India must be understood.
Currently there is no statutory legislation in relation to data protection in
India. Unlike the UK/EU countries, India has no codified Data Protection Act
setting out the rules for processing personal information applicable to paper
records as well as those held electronically.
The issue of privacy has, in a very limited way, been addressed under the
Information Technology Act 2000 (IT Act). The IT Act provides protection from
unauthorised disclosure of information by a person who has secured access to
such information in pursuance of powers conferred under the IT Act. The pro-
vision is also limited to information accessed and passed on ˜without the con-
sent of the person™ who the information relates to. The provision is thus
extremely narrow in its application.
There is, therefore, a growing concern over the absence of data protection
laws in India and the impact inadequate legal protection will have on personal
data being transferred to India from the western world. Such concern (together
with a host of other reasons) is also hindering Indian business process out-
sourcing (BPO) companies from gaining lucrative contracts in certain key seg-
ments such government tenders and contracts. The Indian government has,
therefore, been facing tremendous pressure recently to enact an appropriate
data protection law to ward off any adverse impact on the Indian BPO industry.

Need for such data protection laws
Today, the largest portion of BPO work coming to India is low-end call centre
and data processing work. If India has to exploit the full potential of the out-
sourcing opportunity, then it has to move up the value chain. Outsourced work
in intellectual property rights (IPR)-intensive areas such as clinical research,
engineering design and legal research is the way ahead for Indian BPO compa-
nies. In the absence of adequate data protection laws, Indian BPO outfits are
finding it difficult to move up the value chain and risk being relegated to doing
low end work like billing, insurance claims processing and of course transcrip-
tion. Accordingly, the move up the value chain for Indian BPO entities will
greatly be facilitated by enactment of an appropriate data protection law.
Part C “ Overview of the Social Aspects of Business Risks

Data protection legislation
Further, with the globalisation of business and ease of transfer of information,
the requirement to protect the personal/sensitive data of Indians as a diaspora
is also being felt. Today Indians who use mobile phones are regularly being
inundated with unwanted advertisements, their email boxes are being flooded
with unsolicited data and their personal information is being freely traded, or
exploited by persons who possess it. Given the lack of an adequate data protec-
tion regime there is very little that an ordinary Indian citizen can do to prevent
such exploitation.

Methods adopted to satisfy concerns over data transfer
While the absence of adequate data protection laws in India is a serious
deterrent, for data flowing into the country in connection with the off-shoring
activities being carried out, Indian BPO outfits have alleviated concerns of
their customers by attempting to adhere to major US and European regulations
either by contracting to adhere to such regulations or by obtaining appropriate
Most Tier I BPO companies today have certifications that comply with reg-
ulations like the Sarbanes-Oxley Act, Safe Harbor Act, GLBA for Financial
Services, FDCPA (Fair Debt Collection Practices Act), OCC regulations for
banking and HIPAA for healthcare. While most laws and certifications are ori-
ented around verticals, there are laws like the UK Data Protection (DPA) Act
and the Sarbanes-Oxley Act, which are laws for data security across different
industries. The requirements of such horizontally oriented legislations are
overcome by contractual arrangements between the BPO vendor and their

Change on the horizon
A recent study has found that more than 40 countries around the world have
enacted, or are preparing to enact, laws that protect the privacy and integrity of
personal consumer data. India is not, however, one among them. Given the
above stated concerns, enactment of appropriate legislation in other countries
and the need for an adequate data protection regime being felt, it is becoming
extremely important for India to enact the same if it desires to continue its lead-
ing position as the preferred off-shoring destination.
Recognising this need, since the turn of the century there has been talk of
India enacting some sort of data protection regime. The first such action was
initiated by NASSCOM (the apex technology body of India) when the trade
body tried to push through a drafting exercise but it appears that the exercise
has not been pursued further.
Recently, there has now been talk of the Indian government™s recognising
the urgency of the situation and to hasten the process, is considering an amend-
ment to the Information Technology Act of 2000. It is still unclear what the
Chapter 13 “ Social and cultural risk management 309

exact shape of the final legislation will be; however, it is expected that such
legislation will be comprehensive. The amendment is expected to come into
force later this year or early next year. However, whether or not such a legisla-
tion is introduced in the Indian Parliament or the shape such legislation will
take will depend on the result of the ongoing elections in India, result of the
pending legislations against outsourcing in the US and pressure by the EU to
enact the same.

Shape that the proposed Indian legislation is likely to take
It is very important to understand the fundamental purpose of any data protec-
tion law and existing regulations in other countries in order to comment on the
shape that any proposed Indian legislation would take. The driving force,
worldwide, for the enactment of data protection laws has been the protection of
personal data and information of citizens and providing a framework that facil-
itates trade and commerce between countries, while not compromising an indi-
vidual™s privacy. There is no reason to conclude that in the Indian context it is
likely to be any different “ except that the over-riding consideration of enact-
ment of a data protection regime is to ensure India maintains its pole position
as the preferred destination for off-shoring activities.
According to the EU guidelines, EU countries may transfer personal data
only after determining that ˜the third country in question ensures an adequate
level of protection™. It further goes on to provide that the EU shall consider the
˜rules of law ¦ in the third country™ to make this determination.
The EU guidelines are an outcome of the OECD guidelines of 1980 which
list eight broad principles to be adhered to in protecting personal information
of the citizens of the country. They are:
(a) Collection Limitation Principle
There should be limits to the collection of personal data and any such data
should be obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
(b) Data Quality Principle
Personal data should be relevant to the purposes for which they are to be
used and, to the extent necessary for those purposes, should be accurate,
complete and kept up-to-date.
(c) Purpose Specification Principle
The purposes for which personal data are collected should be specified not
later than at the time of data collection and the subsequent use limited to
the fulfilment of those purposes or such others as are not incompatible with
those purposes and as are specified on each occasion of change of purpose.


. 59
( 131 .)