India's outsourcing sector comprises both business process and IT outsourcing, and it has been growing at an annual rate of about 37 percent over the last few years. Growth has jumped from approximately $3.1 billion in 2004 to nearly $11 billion in 2008. Yet, despite such a strong market to protect, a senior Indian special forces source described the response to the Mumbai terrorist attack as having "far too many command centers, with each one trying to best guess the other, [leading] to confusion and delayed operations", adding: "there appears to have been a lack of detailed, precise planning".
With India having captured nearly 37 percent of the global outsourcing market and with that market being supported by nearly 700,000 employees, India obviously has a vested interest in ensuring that its outsourcing market is not damaged by such terrorist attacks. India's outsourcing market has relied heavily on support from English-speaking countries, with the U.K. and North America together accounting for about 87 percent of India's outsourcing market revenues. North America, primarily the U.S., accounts for roughly two-thirds of the market alone. In addition, the value of the outsourcing deals to India increasingly exceeds $50 million per contract and the majority of those deals include IT infrastructure components and business-critical applications.
While one can never protect against every eventuality, India will need to correct its "lack of detailed, precise planning" in order to ensure that its outsourcing market is not damaged in either the short or long terms. That lesson is something that companies can also heed by including measures to protect their data and business-critical applications in their outsourcing contracts. Those measures include ensuring that a company's outsourcing agreement has robust and detailed security, disaster recovery and business continuity requirements. For instance, it is best practice to have backup storage and business continuity sites in separate cities from where the actual operations are located. Companies that outsource need to ensure they assess the impact on their business if they were to have an outsource operator hit by a terrorist attack or other disaster. The business continuity plan must include crisis management protocols, proper command structures and contain detailed planning to ensure the viability and practicality of the plan. Companies outsourcing their business critical operations must be able to participate in the testing of such procedures and have a full understanding of how much data loss would occur, and the length of time involved, before their outsource service provider is up and running again at a full-service level.
There are other protections that can be included in any outsource agreement, such as step-in rights that allow a company to take over and perform the services themselves or arrange for a different third party to deliver the services for an interim period. In an extreme instance where an outsource service provider could not perform the services at all, the company should have the ability to terminate the contract. The best measures of protecting a company's data and business critical applications are, however, always preventative. Provided a company has suitable safeguards in place to cope with a future disaster on a similar scale to the recent Mumbai attacks, there seems to be no legitimate reason for companies to rethink their outsourcing arrangements.
While it is likely that businesses will approach the Indian outsourcing market more cautiously in the short term because of the terrorist attack, Mumbai, like all other cities that have been the victim of terrorist attacks, such as New York, Madrid and London, will recover quickly. The Foreign Office reports as many as seven terrorist-related attacks across India since May 2008 alone, most of which failed to hit the headlines in Britain, let alone drive down the outsourcing industry's success. As tragic as the Mumbai terrorist attack was, it did not target operational business centers. Instead it was aimed at terrorizing the population and the citizens of those countries most associated with the war on terror: Britain and the U.S.. As with other attacks, the aim is to create fear, and succumbing to that fear must be resisted.
When contemplating an outsource to India, companies must bear in mind that there are many outsourcing providers spread across different areas, such as Chennai, Bangalore and Pune, to name a few. A large terrorist attack on one city should not be a reflection on the country as a whole or indeed as a sign of things to come. While the location of an outsource provider may be of some importance, the focus of any outsource must be on the benefit derived from the services being provided while at the same time ensuring that certain key protections are built into the contract. It is possible to mitigate damage from a terrorist attack and that starts with ensuring industry best practice security at any outsourcing provider's facilities and agreeing a detailed and robust disaster recovery and business continuity plan. India's outsourcing industry is well established and, when it makes good commercial sense for a company, outsourcing to India is still a good solution.