May 26 & 27
“Mitigating Offshoring Risks in a Global Business Environment”
Marsh Technology Conference 2005, Zurich, Switzerland

Definitions
• Offshoring is the performance of certain business functions in another country primarily to achieve economic benefits.
  • Outsourced to a vendor, who manages the process for a fee or percent of the savings;
  • Company-owned process, where operations are developed in a host country
• Typical business functions targeted for offshoring include:
  • Software development
  • Technology design, build or assembly
  • Customer service
  • Business process operations

Offshoring has Compelling Economics
• Cost reduction - From 2003 through 2008, U.S. businesses will save a projected $20 billion using offshore resources [1]
  • Production costs are 30-50% lower in China vs. traditional U.S. manufacturing [2]
• Quality - Offshoring provides good quality, e.g. Indian service providers often provide CMM Level 5, Six Sigma, ISO 9000 and BS 7799 certifications.
• Competition - Time zone advantages exist as well as larger pools of talent. It enables a company to remain competitive in their market.
• New Markets - By operating “in-country”, new growth opportunities may be opened up and leveraged.
- A data switch is made by 3-Com in China for about $180,000. Cisco’s competitive switch is $245,000--a 25% price gap. 3-Com is “getting four engineers for the price of one” [3]
- India's National Association of Software & Service Companies (Nasscom) alone expects its outsourcing business will surge more than 26 percent to 28 percent in 2005 [4]
[1] Global Insight report 2003
[2] Business Week 02-06-04
[3] Ibid
[4] Nasscom Study 2005

Offshoring also has Serious Threats
[Diagram labels: Offshore Operations Business Plan; Risk Mitigation Capabilities; Response & Recovery Capabilities. Threats shown: IP theft, Natural disaster, Political instability, Internal cyber-threats, Terror incident, Counterfeiting products, Major IT outage, External cyber-incident]
• What Defines a Serious Threat?
  • Impacts the business plan
  • Fast developing
  • Creates long-term change
  • High stress to organization
  • Large-scale

Offshore Risk & Security Process
[Table with one column per phase; row labels on the slide: INPUTS, MAJOR STEPS, ACTIONS, DELIVERABLES]

Phase 1: Assess and Analyze
• Major steps: Project Initiation and Assessments
• Actions:
  1. Offshore risk assessment process:
    • Threat and Risk assessment:
      • Business impact
      • Technology trends
      • Security environment
      • Threats and vulnerabilities
    • Project Management
    • Regulatory compliance
    • Policies & standards
    • Technology continuity
    • Statement of applicability
    • Protection of IP
• Deliverables:
  • Risk/Impact matrix
  • Documented offshore risk controls status

Phase 2: Design and Plan
• Major steps: Program Design and Strategy Planning
• Actions:
  1. Analyze offshore risk gaps:
    • Current security policies & controls
    • Regulatory compliance
    • Technology continuity
    • Project management
    • Security governance
    • Incident response process
  2. Create offshore risk mitigation plan:
    • Define offshore risk controls
    • Align risk controls to the business plan
    • Outline processes for measuring results
  3. Offshore Project Management strategy
• Deliverables:
  • Offshore Risk Mitigation Master Plan
    • Prioritized activities
    • Funding and resources
    • Timeline
    • Success criteria
    • Team structure

Phase 3: Deploy and Monitor
• Major steps: Plan Deployment
• Actions:
  1. Deploy improvement components of offshore risk master plan
    • Security policies & controls
    • Regulatory compliance
    • Technology continuity
    • Project Management
    • IP Protection
  2. Implement monitoring process for continuous improvement
• Deliverables:
  • Offshore project risk management framework
  • Regulatory Compliance Report
  • Incident response plan
  • Continuous improvement process for risk mitigation

First Step: a Threat and Risk Assessment
• Define
  • Threats, their probability and the business impact
• Classify
  • Risk impact of the threats
• Analyze
  • Existing controls
  • Business processes
  • Overall preparedness posture
• Design
  • Develop an initial option to address each risk
[Figure: Kroll Offshore Risk Workshop Deliverable (Example). Risk Impact chart with axes Business Impact (Low to High) and Risk Probability (Low to High); Risk Management Options: Transfer, Change, Monitor, Control; threats plotted: Product Counterfeiting, Technology Outage, Kidnap & Ransom, Cyber-terror, Product Design Loss, R&D theft, Cyber-fraud, Regulatory Non-compliance]

Consider These Questions:
• Have you conducted a thorough offshore risk assessment and analysis?
• Do you have written policies for IP protection with your service provider and your customers?
• Is there a seasoned offshore specialist in charge of the program?
• Do you have external legal advice?
• What is the track record for the target region/vendor for risk incidents?
• Are there country-specific issues, e.g. bribery, corruption, counterfeiting, ineffective law enforcement, data protection laws?
• What is the security status of the region’s IT and network infrastructure where your service provider is located?
• What is the region/country record for successful prosecution of cyber-crimes?
• What is the in-country policy for employee privacy, background screening, hiring/firing, etc.?
• Are there exposures due to ancillary agreements with other contractors?
• Do they meet your standards as well as those of your customers?