Secured service delivery model for outsourced services in a business process outsourcing relationship

: In business process outsourcing (BPO), the model of delivery of processed service and communication media between the client and service provider are critical factors in a successful client-provider relationship. The client’s business objectives would not be achieved if processed services are delivered through unsecured channels and truncated communication. This study explores these issues through a case study of seven medium and large scale Indian BPO service providers, followed up with a larger scale questionnaire-based on Indian providers. Analysis revealed that a significant number of providers have onshore and offshore clients whose processed services are delivered through secured channels. The choice of a delivery model is influenced by both the client and service provider when the provider is either a medium or large scale organization, whilst small scale providers do not contribute to decision making for choice of delivery model. Further, the study revealed that in successful outsourcing relationships, providers deliver services through remote access to a client’s server, email through a dedicated server, dashboard on a cloud, and teleconferencing. To improve security, these channels could be enclosed in any of the following: virtual private network (VPN), transport layer security (TLS)/secure socket layer (SSL), internet protocol security (IPsec) and third party platform, such as citrix. Thus, outsourcing relationships that are built around these security platforms, and decision making process surrounding the choice of a delivery model could reduce outsourcing failures witnessed in BPO relationships.


Introduction
Most services in business organisations are information technology enabled services (ITES). Within this context, services are processed and delivered through a platform provided by information technology (IT) and comprising of hardware, software and human resources. These work in tandem to deliver a business process and associated service, which according to Wang [1], benefit customers and service providers alike. Business process outsourcing (BPO), a subset of the outsourcing market, represents approximately 48% [2] of the total global outsourcing industry. BPO transfers complete operational ownership of one or more of a firm's business processes to an external service provider that, in turn, manages the processes to deliver services according to agreed predefined metrics [3]. In the financial sector and other security sensitive sectors, the model of service delivery adopted is paramount. Financial institutions in the European Union (EU) engage in offshore outsourcing [4], for the sole purpose of reducing processing cost and concentrating on their core competence [5]. According to a view [6], a significant number of processes are outsourced to services providers' resident in India where outsourced services are processed by the service provider and delivered to the outsourcer. Therefore, to facilitate effective service delivery, a reliable and robust IT adoption process must involve both the outsourcer and service provider. While service delivery is a set of integrated processes describing the "how" of a service [7], researchers tend to focus on the economic implication of BPO [8][9] and the system integration of client and provider [10], rather than delve into the security features within the delivery platform. Our paper seeks to do this and in doing so explore the delivery of client's processed services in a BPO relationship. While researchers [11][12] posited that security is a key component in a successful outsourcing relationship, these studies are deficient in identifying the required security features and how they could be integrated in the service delivery model. Therefore, our paper explores service delivery models of BPO service providers based in India to unravel the security features integrated in the service delivery model and better understand the role of a secured channel in a successful BPO relationship. The study adopts an exploratory sequential mixed method approach to gain a breadth and depth of understanding regarding the implementation of security features in service delivery platforms. In the next section, we present the theoretical underpinning relating to the outsourcing decision framework, reasons for outsourcing, and provider's selection processes which are different phases that could determine the success or failure of a BPO relationship.

Background of Study
To improve outsourcing relationships, potential clients should consider an outsourcing decision framework which considers their motivation, reason for outsourcing, risks associated with outsourcing, and business goals before taking a decision to outsource [13]. The decision framework identifies key motivation factors for outsourcing to include costs, strategy, and politics. Therefore, the success of an outsourcing relationship could be predicted by the choice of a service provider. Thus, it is essential that after the decision to outsource, clients should choose the right service provider [14], normally, based on the provider's capabilities [15]. Figure 1 details the outsourcing decision framework, which a client could adopt to manage the risks associated with outsourcing. Key components in the framework include reasons for outsourcing, associated risks, and service providers' capabilities. According to Feeny [16], clients exploring the potential benefits of outsourcing business processes need to look carefully at their own goals and be clear about what supplier capabilities they need. This implies that the first step in identifying potential suppliers is for a company to consider its own requirements and the competencies required. Researchers [17] have indicated specific provider's competencies that must be demonstrated, including the size of the provider, strength of the IT infrastructure, domain expertise, web-enabled technology for delivery and project management skills.
In terms of size, large BPO providers tend to have strong financial background and domain expertise but should be chosen with caution [18], as they handle various business processes for more than one client, including competing business institutions [19]. Despite this, outsourcing can leverage costs, business strategy and political decisions for maximum advantage. As such, costs and strategy are the main drivers for outsourcing within the private sector, with political agendas having a greater influence on outsourcing decisions in the public sector [20]. In both instances, it is commonly a norm that outside vendors are regarded as specialist who can provide similar or better levels of service at a lower cost than available in-house. Notwithstanding the specific factors in the outsourcing decision framework, research has shown that the mode of service delivery is critical in determining a successful relationship [21]. Therefore, this section presents three key means of delivery mode available for BPOs: dedicated private network, cloud computing, and desktop virtualization. Understanding these and the characteristics and implications of their implementation would provide their respective benefits and detriments.

Dedicated Private Network Delivery Model
Traditionally, dedicated international or local link connectivity is established through a satellite between the client and service provider purposely for service delivery and other communications. Using a third-party network service, organisations in the UK engage companies like British Telecom (BT) that provides a telecom backbone that allows a dedicated distributed network system to run. Such networks are usually private, robust, highly secured, high performance, provide global access solution and work at a reduced cost. In addition, virtual private networks (VPN) provided by client or providers facilitate service delivery models that are equally secure, fast and reliable between remotes sites [22]. In this context, a client and a provider can establish a network-as-a-service which is connected securely and privately using an IP routing mechanism [23]. The US VPN [24] identified VPN as the key to BPO industry and suggested privacy and improved communication between client and provider as its benefit. For example, an outsourcing client and a service provider would set up a VPN server and then install the client's VPN software on the provider's domain. At the server side, a router and a firewall are installed. Now, using the internet as a platform, the provider would login to the VPN server after undergoing authentication through the router and firewall to deliver processed services. The communication between the service provider and the client is encrypted at both ends as an additional level of security. In the absence of a secured communication medium between a client and a provider, Loban and Noles [25] suggest that the link would be vulnerable to reconnaissance attacks, where hackers would scan for answering internet protocol (IP) addresses and port numbers, and IP spoofing. Through this mechanism, business rivals and competitors could pry for business intelligence that would destroy their businesses. However, secured VPN typically allows providers to encapsulate processed services into a special VPN data frame that provides information to the receiving client so that it can reassemble the data at the destination [26]. In so doing, data destination is not compromised and clients' sensitive data are protected.

Cloud Computing (CC)
Organizations have been outsourcing various processes and providers have delivered services through direct links [7][8][9][10][11][12][13][14][15][16][17][18], but the advent of cloud computing (CC) provided another option for service delivery. Concisely, CC is a metaphor that expresses the Web as a platform where computing applications are hoisted and provided to authorized users as a service. Hurwitz [27] define CC as a networking solution in which everything from computing power to computing infrastructure, applications, and business processes to personal collaboration, can be delivered to a client as a service wherever and whenever it is required. The emergence of cloud computing streamlines on-demand provision of software, hardware and data services; while focusing on the economies of scale in IT solutions' deployment and operations [28]. Clients could adopt cloud services from providers in the form of software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-aservice (IaaS). SaaS is a delivery model whereby a provider licenses an application to customers for use as a service on demand. For example, Windows azure, Force.com, Google App Engine, and Apache Strators services. Through these platforms, providers could process client services and deliver a processed service back to the client without any physical contact between the cloud provider, outsourcing client or the service provider.
PaaS is one of the categories of services provided by cloud computing. Instead of investing in new applications required to process client services, service providers would adopt applications in the cloud to manage, store, and process client services. In cloud based BPOs, Ciovica [29] identified PaaS as one of the core technical enablers of service delivery to clients. Similarly, IaaS is the delivery of computer infrastructure as a service, whereby, clients make use of storage devices, software, data centres, and network equipment instead of buying their own. According to Bourne [30], worldwide market forecast for public cloud services of all types could grow from $209 in 2016 to $246 billion in 2017. This phenomenon would continue to attract start-ups as well as organizations moving for expansion to start outsourcing internet enabled services (ITES) instead of building IT solutions. Organisations that embraced CC listed several benefits, which included lower costs, hypervisor protection against network attacks, low-cost disaster recovery, data storage solutions, real time detection of system tampering and ubiquitous network access [31]. However, some organisations that are yet to incorporate the services of the cloud have continuously questioned the associated risks and security features to contain it. Over the years, the International Data Corporation (IDC) survey indicates that respective CIO's cited security as the top challenge preventing their firms from adopting cloud services [32]. This concern is corroborated by Seccombe [33] assertion that CC is targeted to provide better utilization of resources using virtualization techniques and to take up much of the work load from the client; however, it is burdened with security risks. Although delivery of services over the cloud has its proven benefits, Wilkins [34] suggests that both clients and providers should structure their Service Level Agreement (SLA) with the cloud partner in such a way that it would provide assurances of accountability, liability, compliance, ownership of data, and smooth disengagement when term of service has ended.

Desktop Virtualisation
Golden [35] described desktop virtualisation as "a concept Business Process Outsourcing Relationship where access to a single piece of hardware, like a server, is coordinated so that multiple computers (thin clients) can share that single piece of hardware without end users being aware that they are actually sharing anything at all". Regardless of geographical location, end users through a thin client device could access servers and work on or view application software like MS Office and deliver processed services. Virtualisation technology has been extensively used to virtualise server, desktop, and applications, which are used by "stateless thin clients" without knowing the antecedents of the real system. Typically, the largest Indian BPO service providers have, over the years, delivered services to significant number of clients within the banking industry [36]. The benefits of virtualisation include better management of physical resources, improved virtualised storage system, mobile computing, security, and reduction in costs of providing services. According to Forrester research institute [37], 99 out of the Fortune 500 companies use VMware to facilitate desktop virtualization technology to power their data centre, safeguard against disasters, improve development life circle and more efficiently manage desktop environment for their business process outsourcing service delivery. VMware made it possible for firms to maintain a single PC at their corporate centre with operating system and applications, and then virtualize the desktop for their end users or BPO service providers to access from anywhere through the internet.
In BPO relationships, there has been a record number of failures [18,38], and research suggests that some of these failures were caused by unsecured service delivery model and network configuration [39,40]. The extant literature has shown that there is insufficient information about what constitutes a secured delivery mode or how security features could be integrated within the delivery mode. Thus, the next section introduces the research method detailing specific steps undertaken to study the delivery modes adopted by different service providers in India in order to proffer a model with an acceptable level of security.

Research method
For the purpose ensuring validity and reliability, understanding and corroboration [41] of data and findings, a mixed method design and case study strategy was implemented for the study of Indian BPO service providers. The aim was to explore, through both qualitative and quantitative approaches, how service providers deliver processed services to their clients. Thus, through the qualitative study, 14 individuals involved in services processing and delivery were interviewed from seven service provider organisations, and a further questionnaire-based study of 156 organisations through the quantitative study. [42] Creswell suggested that the findings of these phases are triangulated to provide a final analysis and conclusion.

Case Study
According to Neuman [43], the case study is "an empirical inquiry that investigates a contemporary phenomenon in depth and within its real-life context, especially when the boundaries between phenomenon and context are not clearly evident". Considering India's prominent role in BPO destination ranking [44,45] for global offshore services and its description as the "world office" [46], the decision was taken to choose BPO organisations from India. The selection of cases was by purposeful sampling and self-selection. Service providers with onshore and offshore clients with a minimum of five years in operation were targeted. Thus, from the list of service providers provided by the National Association of Software and Services Companies (Nasscom) of India on the Internet, a total of 180 organisations were approached as potential participants. Consequently, a letter introducing the study was sent to relevant individuals in these organisations, and was followed up with a research ethics letter. After several exchange of mails, seven (7) BPO service provider organisations agreed to participate in the study. This meets the validity of case study research based as identified [47]. Being wary of the pitfalls (e.g. bias) of nonrandom sampling, and given that, this is to an extent selfselecting, the researchers made sure that only those organisations that fulfilled the criteria indicated earlier were selected. Data collection was done through face-to face semistructured interviews of individuals involved in service processing and delivery. According to Kendall [48], qualitative interviews are used to gather more in-depth insights on participant attitudes, thoughts and actions. The interviewer travelled to India and within five weeks conducted fourteen interviews at different BPO organisations situated at different BPO hubs scattered all over India. These individuals were selected based on acquiring a significant number of years of experience in business processing and its delivery. Table 1 presents the organizations' background.  Table 2 presents five interview questions (Q1, Q2, Q3, Q4, Q5) asked to interviewees, to explore how processed services are delivered to clients. These questions include how do you deliver a processed service back to your client; does model of delivery affect meeting client's objective(s); who decides on the choice of a delivery model (you or your client); what factor(s) guides you in making this decision; and is cloud computing part of your organisations delivery model (table 2). In table 3, interviewees' responses to questions Q1 to Q5 are reduced to themes using thematic analysis. Primarily, this is to ascertain participant's views on the case of study.  Table 3 shows that the delivery mode is mutually agreed, but the provider's expertise plays a significant contribution to the decision making. In this aspect, large service provider organizations with many years of experience tend to influence the decision making [21]. The next section is the quantitative investigation of a larger number of service providers in India. The themes derived in table 3 formed the basis for the quantitative study purposely to provide a broader understanding of the study.

Quantitative Study
The themes and statements obtained through thematic analysis of qualitative study informed the questions formulated for the quantitative study. Based on these themes, a 27 questions Likert scale based questionnaire was developed and distributed as an on line questionnaire to a targeted audience. The list of Indian service providers was obtained from Nasscom and BPOwatchindia websites. These two organisations frequently release a list of registered BPO service providers in India. Each listed BPO organisation has a link to its parent homepage, which was visited to ascertain that their service provision background met the basic criteria of this research, and, also to obtain contact details. This activity identified an initial sample of 754 potential participants. Further, it was discovered that only 358 BPO organisations provided financial services. This number represents a larger base of the target population (service providers) when compared with the 7 service providers involved in the case study. Through their respective email addresses, a letter introducing the research study and a request letter to participate in the study were sent to relevant individuals within each organisation. Then, a link to the questionnaire was distributed to 358 potential participants. Participants were specifically requested to forward the questionnaire to the right person within the organisation if they do not hold any position relating to IT platform and service processing. Such positions include IT manager, Process leader, VP, Project manager, and management level of the organisation. After forty-four days, a total of 156 valid responses were received which represents 44% response rate. This value is consistent with Baruch [48] assertion that the average response rate required for studies at organisational level is 37.2%. A total number of 128 of the 358 potential participants did not respond to the questionnaire, while 74 responses were invalid because respondents did meet the position. Business Process Outsourcing Relationship

Results
This section presents the results based on detailed analysis of the data in both qualitative and quantitative studies, i.e., the case study of the service providers and the large-scale questionnaire based study of service providers. The results are then triangulated to determine the overall findings. These results are categorised into three areas: service delivery mode decision distribution, clients and providers communication frequency, secured channels for service delivery and communication.

Service Delivery Mode Decision Distribution
Services processed by service providers are delivered to their clients who are located either onshore, offshore or both (table 1 and figure 2). In table 3, the study revealed that in medium and large scale organisations the service providers and clients mutually agree on the model of service delivery. Two different interviewees at different locations who responded to Q2 as follows corroborate this: "we give preference to the client. When a client selects a delivery model that is compromised, we do advise against such a model but if the client insists we would go along with them. This happens in 5 out of 100" (BPO1).
"client is the king. They are the ones to decide but it is up to us to accept" (BPO6).
In table 3, Q4, amongst the factors considered for delivery model decision, security, client's requirements and cost were dominant. Other factors included in the table are available professional skills, client's requirements, turnaround time and alignment in the existing line of business. This is further corroborated by an interviewee's response to Q4 as follows: "……for us, feasibility from our end, cost effect involved and its alignment in the existing line of business" (BPO4).
A delivery model should be secure and reliable, accommodate client's requirement, provide enough bandwidth and improve client's performance. Such reliable models for service delivery are remote access to client's server, dashboard on the cloud, drop box, email through a dedicated server and customer relationship management software (CRM). Unsecured delivery model means service level agreement (SLA) would not be fulfilled, real-time applications would fail to meet clients objectives, commercial confidentiality could be compromised, downtime in every delivery and total failure in both clients and providers performances. Figure 3 represents client's distribution of BPO organisations that participated in the online questionnaire. Organisations with onshore and offshore clients accounted for 78% while those operating only onshore or offshore are 11% respectively. In figure 4, it is clear that the size of organization has a great influence on who decides on the BPO delivery model. Responses show that in a client -small (1-49) BPO provider relationship, clients dominantly decide on the delivery model while in a medium  or large (=>250) service provider's relationship, both client and provider significantly contribute to the selection of delivery model. The figure 4 further indicates that 33 out of the 34 small BPO organisations that participated in the questionnaire study, clients singularly decided on how the service would be delivered. Similarly, 73 out of 86 medium and 32 out of 36 large organisations jointly contributed to the decision making with their respective clients on the model of service delivery. However, the decision to choosing a delivery model is benched on key factors that could enhance performances at both the client and provider's domain.    Figure 6 expresses the importance of communication between a client and a service provider, which translates to monitoring of service processing and its delivery. The majority (56%) of service providers say they communicate with their client's frequently, 26% communicate as the job dictates, with 8% twice in a day and 3% once in a day. However, 7% did not know and therefore could not say. Throughout the study, respondents emphasized on the importance of communication primarily to monitor and oversee the processing and delivery of services. This is corroborated in the quantitative study where 56% (figure 6) of the respondents indicated that both clients and providers communicate frequently in a day. Although clients outsourced their services, processing and delivery are not entirely left in the hands of providers -for a successful relationship clients are involved at every stage. One of the IT managers succinctly said: "….. we talk every day, a lot of times, sometimes they call each one of us by name -yes we know each other very well. It's like a family united by a common objective. All these are in addition to our monthly teleconference round table where we assess our operations and issues that might arise." (BPO1).

Secured Channels for Service Delivery and Communication
This section is the core component of this study, and thus presents the data analysis and the development of a secured delivery model for BPO services through detailed data validation and rigorous steps. This is aimed at developing a reliable secured model that would improve client-provider relationships. Based on responses to Q1 in table 3, there are six different channels through which providers deliver processed services. These channels are labelled CM1-CM6 and explored via a matrix question in the questionnaire. Table  4 presents these factors upon which the questionnaire was based. Table 4. Factors from thematic analysis considered in the matrix question.

S/no
Factors CM1 Email through dedicated server CM2 Remote access to client's server CM3 Dashboard on the cloud CM4 Teleconference CM5 Mobile phone CM6 Email through a third party server The labels CM1 -CM6 represents email through a dedicated server, remote access to client's server, dashboard on the cloud, teleconferencing, mobile phone, and email through a third party server. Responses to the matrix questions were first tested through principal component analysis (PCA) to determine their scale of preference, security and relevance in service delivery. Then, they were subjected to factor analysis in order to reduce the 156 valid responses and determine the latency between the components. In table 5, to ascertain the suitability of factor analysis, Kaiser-Meyer-Olkin (KMO) value was found to be 0.621 (significant value = 0.6), Bartlett's test of Sphericity [50, pp. 192, 188] = 0.000 (significant value p < 0.05). These values are presented in table 5 and indicates the suitability of factor analysis. .000 The PCA test produced three components (CM1, CM2, CM3) with eigenvalues of more than 1 and percentage values of 35.97%, 18.2% and 16.8% of the variance respectively. Business Process Outsourcing Relationship The scree plot as seen in figure 7 depicts these three components above the value of 1 and the rest falling below. In both cases (PCA and Scree Plot), Pallant [50, pp. 192, 188] suggests that components with eigenvalues of more than 1, and above the value of 1 in a scree plot tests should be investigated further. Therefore, to ascertain the level of relevance for each factor, CM1, CM2, CM3, CM4, CM5, and CM6 were subjected to Oblimin rotation test, which revealed the presence of a simple structure with some variables loading substantially more than others. In table 6, CM1, CM2, and CM3 showed strongly (shaded) both in pattern and structure coefficients. These values are consistent with the recordings in scree plot and PCA tests. It implies that service providers mostly deliver services through (i) email through a dedicated server, (ii) remote access to client's server, (iii) dashboard on the cloud and to an extent (iv) teleconferencing. In order to understand which platform best describes a secured network channel through which client's system could be accessed, respondents were asked to select all that apply (see figure 8). Most respondents preferred virtual private network (VPN) and transport layer security/secure socket layer (TLS/SSL) as secured networks for communication and service delivery. These organisations set up VPN and give access to their client or vice versa. Other selections include TLS/SSL, internet protocol security (IPsec) and third party platform such as Citrix. This implies that the preferable platform is VPN and followed by TSL/SSL.

Discussion
This study revealed that the model of service delivery selected is deemed a critical factor in achieving service level agreement (SLA) and client's satisfaction. It appears that the model intricacies span from decision making to secured delivery for communication/service delivery to onshore and offshore clients. Most BPO organisations are linked with onshore and offshore clients, so when choosing a delivery model, client and service providers mutually agree on a model that would make their business objectives a reality. In a relationship where the service provider is a medium or large organisation, the mutual agreement is largely influenced by the service providers expertise and track record of years of experience in their domain. Most small service providers lack the expertise and years of experience to influence the choice of delivery model; hence, clients decide and require the service provider to utilise their selected model for service delivery. Communication is a critical factor in a successful client-server relationship; most organisations communicate frequently in addition to their weekly or monthly round table meeting through teleconferencing or physically.
Findings in our study have shown that to achieve SLA and improve client's performances; network channels, which provide communication and service delivery, must be secured. To achieve this, both clients and providers jointly develop and adopt a secured model that would enhance delivery processes. Although previous research [51,17,14] has shown that investing in IT infrastructure is a prerequisite for successful outsourcing relationships, these studies failed to demonstrate how specific IT component would affect the relationship. At some point, customers felt that the Internet as a platform for delivery of processed services lacked adequate security [52], which reduced customers' conviction. Thus, a secured delivery model increases client's confidence and trust in process outsourcing, and could be one of the key reasons for the tremendous growth and interest shown by clients in business process outsourcing over the years. In table 7, the result of the factor analysis listed the four most secured channels in the order of weightages as email through a dedicated server (0.984), remote access to client's server (0.900), dashboard on a cloud (0.833), and teleconference (0.807). Predominantly, medium and large organizations with many years of experience in outsourcing, modeled their respective service delivery processes along these four specific channels. For a successful outsourcing relationship, it is therefore desirable to recommend these key channels to potential clients and service providers in outsourcing relationship. It would reduce failures, protect clients' business secrets and improve overall performances. In addition, service providers reinforced the network security by adding a second layer of security platform that enveloped CM1, CM2, CM3, and CM4. These are installed and maintained within the client and provider's domains. The second layer is predominantly VPN, TSL/SSL, IPsec and to an extent third party platforms, such as Citrix. By implementing these levels of security both clients and service providers expectedly achieved their respective business objectives. In the absence of identifying and implementing specific security components within the IT infrastructure, the chances of achieving the SLA would be highly reduced.

Conclusion
In conclusion, the use of dedicated email server, remote access to client's server, dashboard on a cloud and teleconference within the platform of VPN, TSL/SSL, and IPsec significantly increase security that translates to client's satisfaction. In effect, the study identified the security features and how it would be integrated into the delivery model towards establishing a secured delivery channel. Therefore, the process of integrating different resources to form an IT system that secures and delivers a processed service that would lead to an outsourcer achieving its business goals is described as service delivery. Within these environments, both onshore and offshore clients would not only achieve SLA but also expand the scope of engagement. However, organisations (client and provider) that fail to put in place prerequisite IT resources would probably not achieve their business goals.
Although this study is exploratory and limited to the views of service providers, it has created potential areas for further study. The same instruments used in this study could be modified to perform similar research on outsourcing clients in order to understand their own views, especially preferred mode of service delivery. Though the weaknesses and strengths of qualitative and quantitative methods complemented each other, we would have preferred a larger number of organisations than what we have in this study. Thus, further research in this study could be performed with larger number of service providers to further confirm the findings in this study.