HRM Practitioners

Follow Us:

@the-hrm-practitioners

Contact

Case Study – IT & Data

The client delivers application development, managed services and data operations to global customers across regulated industries. Thousands of employees had access to client systems, sensitive data and proprietary code, often working in hybrid and offshore-onshore delivery models.

While the company held key security certifications, leadership was concerned that people-related risks—inside delivery teams and vendor ecosystems—could still undermine client trust and contractual commitments.

The engagement surfaced three primary challenge areas:

Data theft risks

  • Incidents and near-misses involving unauthorised downloads, transfers of code and attempts to move data outside approved channels.
  • Limited visibility into how frequently risky behaviours occurred below the threshold of formal incidents.

Contract breaches

  • Growing pressure from global clients around SLA adherence, data handling obligations, offboarding controls and use of subcontractors.
  • Concerns that a serious insider incident could be interpreted as breach of contract, triggering penalties or even termination.

Global client compliance expectations

  • Complex and evolving requirements from clients related to privacy, information security, whistleblower mechanisms and escalation protocols.
  • Need to demonstrate not just technical controls, but a robust culture and governance framework around employee conduct and risk.
Leadership wanted a partner who could align people-risk governance with the organisation’s security posture and contractual landscape.

HRMP designed an intervention centred on whistleblowing, policy strengthening and ERA governance tailored to IT/ITES realities.

DWF Portal deployment

  • Implemented the Disclose Without Fear (DWF) Portal as a secure, anonymous channel for employees and contractors to report data misuse, policy violations and ethical concerns.
  • Configured workflows so information security, HR, Compliance and Legal teams received relevant alerts and could collaborate on investigations.
  • Launched a communication campaign highlighting non-retaliation, examples of reportable concerns and the importance of early raising of red flags.

Policy & process strengthening

  • Reviewed and tightened policies covering acceptable use, data handling, remote work, removable media, personal devices and offboarding.
  • Clarified consequences for violations, including misuse of privileged access, unauthorised code movement and client data exposure.
  • Embedded checks into onboarding, project assignment and access provisioning to ensure that high-risk roles had additional scrutiny and approvals.

ERA governance

  • Integrated people-risk themes into existing information security and risk governance forums, creating a joint view across HR, Security, Compliance and Delivery.
  • Defined roles, responsibilities and escalation paths for handling insider risk incidents, including when and how to notify clients.
  • Developed board- and client-facing reporting templates that summarised key indicators, incidents, actions taken and continuous improvement initiatives.

Over the subsequent review periods, the client observed tangible risk and business outcomes.

Averted contract termination

  • A serious insider data-handling incident was surfaced early via the DWF Portal, investigated quickly and remediated transparently using the strengthened governance framework.
  • Proactive disclosure and detailed documentation reassured the affected client, who chose to continue the relationship with enhanced controls instead of terminating the contract.

Penalties avoided

  • By aligning policies and incident response with contract and regulatory expectations, the organisation avoided potential financial penalties and legal exposure arising from the incident and related gaps.

Improved client trust scores

  • In subsequent vendor assessments and security reviews, clients noted faster, more transparent responses to concerns and clearer evidence of a functioning whistleblowing and governance framework.
  • This translated into improved scores on trust, risk management and compliance dimensions in key client scorecards.
Internally, the leadership gained a much clearer view of insider risk trends and the effectiveness of controls, beyond formal security metrics.

HRMP helped us connect our security controls with real, day-to-day people behaviour. When a sensitive incident occurred, the combination of the DWF Portal, clear policies and ERA governance meant we could act fast, be transparent with our client and preserve a strategic relationship that was at risk.

Business Head & CISO

Global IT Consulting Firm