By Sudin Apte
On Saturday, September 13, 2008, terrorists struck India once again. New Delhi, India’s National Capital, was hit by five consecutive bomb blasts of moderate intensity. More than a month ago, Bangalore saw six such blasts; and the following day, Ahmedabad, a key financial hub, was hit by seven blasts. There were similar terrorist attacks in Hyderabad, Jaipur, and a year prior in Mumbai and Delhi as well. Immediately after the terrorist attacks, the Indian government and political parties went through the standard drill — press statements, announcements of some immediate measures, and the usual political bickering. On Sunday, September 14th, New Delhi — and more specifically, the areas targeted by the blasts — were functioning normally (at least on the surface).

Clearly, firms that send their work to offshore locations in India need to take note. If India continues to suffer from terrorist attacks, sourcing professionals should re-visit risk and explore ways to mitigate it. Here are some steps I believe companies should take with their Indian service providers:
·  Re-examine suppliers’ disaster recovery and business continuity plans. Traditional disaster plans for events like earthquakes and fires fall short of the “new age” disasters caused by terrorists. Firms should focus on a supplier’s ability to shift their work — ideally along with trained resources — to alternate locations in record time. Factors such as proximity to airports, continuity of flight connections, and a city’s terrorism attack history and plans in the event of an attack are some new points firms should look at.
·  Increase your emphasis in the continuity of process and applications, not just infrastructure. Given that much of the work outsourced to India is process centric — be it BPO, call centers, or applications hosting — it is of the utmost importance that process continuity and application hot swapping is maintained. Our experience shows that traditional disaster plans place much greater emphasis on the data center and the network.
·  Promote usage at smaller cities. Tier two and tier three Indian cities are — at least to date — less risky. Bangalore, Delhi, and Mumbai have seen multiple rounds of organized terrorist attacks and will likely remain as soft targets. In comparison, tier two locations such as Cochin, Coimbatore, Mangalore, and Pune have so far been relatively safe places. In addition, these places offer less attrition and are much more cost effective.
·  Assess your supplier’s campus security. While Forrester has noticed that security — especially at the entrance of firms with larger campuses such as Infosys and Wipro — has been substantially increased in the last two years, we encourage sourcing professionals to check whether the provider has multiple levels of security in place. If possible, conduct random inspections, ask the provider to show their campus security log, and periodically witness steps they have taken to ensure that they can deliver the work without disruption. Since clients (and analysts) often all pass through one standard gate to access secure areas on campus, arrangements may appear sufficient. But given that several providers’ campuses house over 10,000 people, have a dozen or more gates, and use more than 300 buses to transport the staff, one can imagine the complexity of the challenge.