Case Analysis: Standard Op Procedures
Security threats are evolving, complexities are increasing and the solutions need to be constantly updated
Photo Credit :
This case study is interesting in several aspects. While the larger issue is investments, or lack of them, in IT by large organisations, the issues which Madhur as a customer is dealing with in this specific instance, are different.
We see two broad issues which Madhur faces here when dealing with Prescott, an e-tailer who obviously has many gaps in critical functions. Many of us would have faced these issues when we interface with service providers like banks, utilities, retailers, or similar organisations.
First is customer service, which more often than not, is unsatisfactory. Second is gaps in security and compliance with data privacy and cyber security laws. Let us talk about customer service, especially when handling complaints from irate customers over phone, e-mail or chat.
Most of us would find this situation very familiar where we are frustrated by the time it takes to reach a human voice who can understand the problem that we are dealing with and then inability of the person to comprehend or solve the problem.
Managing customer services through phone, chat, and IVR is a complex function and while a fair deal of maturity has been reached over the last few decades in this, evolving technologies and consumer behaviours ensure that the bar is raised for enterprises continuously.
What Aniket has told Madhur is not untrue. There is immense pressure on costs and productivity, and as companies strive to cut down the per call costs on recurring basis, efficiencies take a beating. Retailers, more so e-tailers, face immense cost pressures as they work on thin margins. The focus therefore is to improve user experience for online transactions and investments in offline and customer service are kept to essential. Companies invest in IVR Technologies and automated systems so that number of human beings can be reduced as much as possible. Many e-tailers also compromise on training costs which impacts user experience.
A lot of companies outsource the service operations to large-scale service providers who have economies of scale and armies of agents trained in managing irate customers and mature processes for speedy resolution of customer complaints. There have been cases of companies bringing back operations inhouse after the service levels and customer satisfaction has impacted sales and reputation.
Irrespective of whether customer service operations are retained inhouse, the critical areas of investments are training, technology and robust processes for tracking and minimising customer issues. Reasons for poor customer service experienced by Madhur are not just related to under-investment in technology. They also relate to under-investments in training, appropriate oversight and lack of standard operating procedures.
The fact that Prescott has been traditionally a brick-and-mortar retailer and has recently forayed into e-tailing could be a possible reason. Many companies which migrate from an offline business model to online have a shared service model where the same set of people service both the customers. The rhythm of both customer types are different and the training of customer service representatives and the method of resolution also differs greatly. A casual approach to these — training and operational processes — often leads to sloppy people and processes, dissatisfied customers and eventual impact on sales.
The second important issue here, which has deep ramifications, is dealing with sensitive information like customer credit card details. Data privacy and how to deal with customer data is a most sensitive subject in all consumer centric organisations like banks and retailers. Complex legislations govern this area and procedures and rules are framed to ensure the company does not violate the laws of land where they are operating in.
Prescott seems to have erred on multiple counts here. Madhur claims that Prescott is the only site he has used for shopping. If his credit card has not been stolen, clearly the credit card information has been stolen from one of the vulnerable points.
In India, the Reserve Bank of India (RBI) has introduced many steps to prevent credit cards frauds. It has ensured strict data security standards for POS terminals, introduced concept of SMS alert on mobile and OTP (One Time Transaction Password) for IVR based transactions. It has mandated issuance of EMV Chip and PIN enabled credit cards, and introduced option to select and set limit of international usage.
This significantly reduces instances of credit card frauds in India compared to the developed economies. In many cases, as seems to be the case with Madhur, the card information is stolen in India and card used outside India.
Theft of customer information and credit card data is a big, big concern. In recent years, global giants such as eBay, Home Depot, Michael’s Stores, Staples, Target and TJX have been impacted by millions of records being accessed from their online database.
While a lot of time the card details are sold by rogue employees, in most cases, this is the case of organised hacker gangs who engage in large scale data thefts from large organisations.
If this has to be prevented, enterprises have to invest in multiple layers of security — at the infrastructure and applications level. Prescott’s culture towards IT seems to be influenced by its historical brick-and-mortar business and they do not seem to have understood the realities of dealing with IT security for online businesses. That would explain the data thefts if that is due to lack of appropriate security software.
Another obvious area where Prescott seems to have goofed up is retaining the card information without permission of customer. Madhur is right in demanding that customer consent is essential for his credit card information to be retained. In this age of social media, angry customers who have suffered from this action of Prescott can cause huge damage to the reputation of the brand and sales.
As he discovers the fact that Prescott has retained his card information without his permission, Prescott is running huge risks here. If Madhur chooses to sue Prescott for saving his card information, they stand to lose a lot.
So, what should Prescott do. There are three obvious areas which any smart retailer would focus on — specific to the examples thrown up in this case. Customer service , compliance and data security.
Companies often end up being penny wise pound foolish when it comes to customer service. They cut costs in training and hiring right employees, which can go a long way to ensure satisfied customers. In this age of reducing patience and timelines, having service folks with right attitude and with patience is rare and companies should not cut corners in that area.
Compliance with laws of land (Section 43A – ITAA) has detailed provisions about data security and how to deal with personal information. Companies should invest in regular audits to ensure their practices and procedures are compliant with all the laws which deal with relevant areas. These audits are seen as nuisance by many and also cost money and it is easy to avoid them. However, one expensive case of breach is enough to wipe out all the savings made by skipping the audit, not to talk about the loss of reputation and hit to the brand value.
Lastly, investments in security and data protection are sacrosanct. There is a great deal of expertise available today to identify and deploy the right levels of security systems at different vulnerability points. This area continues to be much talked about but continues to be underinvested in almost all organisations. Technology is evolving rapidly and options for rogue behaviour are also increasing exponentially. The solutions are not always keeping pace with problems, but many companies are constantly running to stay at the same place. The foolish ones do nothing and die.
Many companies invest in expensive security software in some areas and then when budgets get exhausted, cut down on security investments in other areas. That is criminal and can come back to bite you later. Like in cases of non-compliance, losses in case of security breach can wipe out the savings made due to not investing in security systems. Also, investing once is not enough. Threats are evolving, complexities are increasing and the solutions need to be constantly updated. So, companies have to be on their toes and constantly on their guard.
Sadly, Prescott is not alone in this. They are more norm than exception if we look around. However, there are enough examples of companies that have robust processes, that invest in appropriate security and that have invested in right levels of customer service.
What Prescott needs is to benchmark with the best, think strategically and in its own long-term interest, without the baggage of past, and invest in right areas — for a secure future for itself.
Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.