Marsh Technology Conference 2005 Zurich, Switzerland. May 26 & 27 “ Mitigating Offshoring Risks in...

Marsh Technology Conference 2005 Zurich, Switzerland. May 26 & 27 “Mitigating Offshoring Risks in a Global Business Environment”


Definitions

Offshoring is the performance of certain business functions in another country primarily to achieve economic benefits.

– Outsourced to a vendor, who manages the process for a fee or percent of the savings;

– Company-owned process, where operations are developed in a host country

Typical business functions targeted for offshoring include:

– Software development

– Technology design, build or assembly

– Customer service

– Business process operations


Offshoring has Compelling Economics

Cost reduction - From 2003 through 2008, U.S. businesses will save a projected $20 billion using offshore resources [1]

- Production costs are 30-50% lower in China vs. traditional U.S. manufacturing [2]

Quality - Offshoring provides good quality, e.g. Indian service providers often provide CMM Level 5, Six Sigma, ISO 9000 and BS 7799 certifications.

Competition - Time zone advantages exist as well as larger pools of talent. It enables a company to remain competitive in its market.

New Markets - By operating “in-country”, new growth opportunities may be opened up and leveraged.

- A data switch is made by 3-Com in China for about $180,000. Cisco’s competitive switch is $245,000, a 25% price gap. 3-Com is “getting four engineers for the price of one” [3]

- India's National Association of Software & Service Companies (Nasscom) alone expects its outsourcing business will surge more than 26 percent to 28 percent in 2005 [4]

[1] Global Insight report 2003
[2] Business Week 02-06-04
[3] Ibid
[4] Nasscom Study 2005


Offshoring also has Serious Threats

Business Plan

• Internal cyber-threats
• Counterfeiting products
• Political instability
• Major IT outage
• Terror incident
• Natural disaster
• External cyber-incident
• IP theft

Offshore Operations

What Defines a Serious Threat?

• Impacts the business plan
• Fast developing
• Creates long-term change
• High stress to organization
• Large-scale

Risk Mitigation Capabilities

Response & Recovery Capabilities


Offshore Risk & Security Process

(Table rows: INPUTS, MAJOR STEPS, ACTIONS, DELIVERABLES)

Phase 1: Project Initiation and Assessments

Assess and Analyze

ACTIONS

1. Offshore risk assessment process:
• Threat and Risk assessment:
   • Business impact
   • Technology trends
   • Security environment
   • Threats and vulnerabilities
   • Project Management
   • Regulatory compliance
   • Policies & standards
   • Technology continuity
   • Statement of applicability
   • Protection of IP

DELIVERABLES

1. Risk/Impact matrix
2. Documented offshore risk controls status
3. Offshore Project Management strategy

Phase 2: Program Design and Strategy Planning

Design and Plan

ACTIONS

1. Analyze offshore risk gaps:
• Current security policies & controls
• Regulatory compliance
• Technology continuity
• Project management
• Security governance
• Incident response process
2. Create offshore risk mitigation plan:
• Define offshore risk controls
• Align risk controls to the business plan
• Outline processes for measuring results

DELIVERABLES

1. Offshore Risk Mitigation Master Plan
• Prioritized activities
• Funding and resources
• Timeline
• Success criteria
• Team structure

Phase 3: Plan Deployment

Deploy and Monitor

ACTIONS

1. Deploy improvement components of offshore risk master plan
• Security policies & controls
• Regulatory compliance
• Technology continuity
• Project Management
• IP Protection
2. Implement monitoring process for continuous improvement

DELIVERABLES

1. Offshore project risk management framework
2. Regulatory Compliance Report
3. Incident response plan
4. Continuous improvement process for risk mitigation


First Step: a Threat and Risk Assessment

Define

Threats, their probability and the business impact

Classify

Risk impact of the threats

Analyze

Existing controls

Business processes

Overall preparedness posture

Design

Develop an initial option to address each risk

Kroll Offshore Risk Workshop Deliverable (Example)

[Chart. Axis labels: Risk Probability, Risk Impact, Business Impact (Low to High)]

Risk Management Options: Change, Monitor, Control, Transfer

Risks plotted: Cyber-fraud, Regulatory Non-compliance, Product Design Loss, Product Counterfeiting, R&D theft, Technology Outage, Kidnap & Ransom, Cyber-terror


Consider These Questions:

Have you conducted a thorough offshore risk assessment and analysis?

Do you have written policies for IP protection with your service provider and your customers?

Is there a seasoned offshore specialist in charge of the program?

Do you have external legal advice?

What is the track record for the target region/vendor for risk incidents?

Are there country-specific issues, e.g. bribery, corruption, counterfeiting, ineffective law enforcement, data protection laws?

What is the security status of the region’s IT and network infrastructure where your service provider is located?

What is the region/country record for successful prosecution of cyber-crimes?

What is the in-country policy for employee privacy, background screening, hiring/firing, etc?

Are there exposures due to ancillary agreements with other contractors?

Do they meet your standards as well as those of your customers?


Discussion