Marsh Technology Conference 2005 Zurich, Switzerland. May 26 & 27 “ Mitigating Offshoring Risks in...
Marsh Technology Conference 2005, Zurich, Switzerland.
May 26 & 27
“Mitigating Offshoring Risks in a Global Business Environment”
2
Definitions
Offshoring is the performance of certain business functions in another country primarily to achieve economic benefits.
– Outsourced to a vendor, who manages the process for a fee or percent of the savings;
– Company-owned process, where operations are developed in a host country
Typical business functions targeted for offshoring include:
– Software development
– Technology design, build or assembly
– Customer service
– Business process operations
3
Offshoring has Compelling Economics
Cost reduction - From 2003 through 2008, U.S. businesses will save a projected $20 billion using offshore resources [1]
- Production costs are 30-50% lower in China vs. traditional U.S. manufacturing [2]
- A data switch is made by 3-Com in China for about $180,000. Cisco’s competitive switch is $245,000, a 25% price gap. 3-Com is “getting four engineers for the price of one” [3]
- India's National Association of Software & Service Companies (Nasscom) alone expects its outsourcing business will surge more than 26 percent to 28 percent in 2005 [4]
Quality - Offshoring provides good quality, e.g. Indian service providers often provide CMM Level 5, Six Sigma, ISO 9000 and BS 7799 certifications.
Competition - Time zone advantages exist as well as larger pools of talent. It enables a company to remain competitive in their market.
New Markets - By operating “in-country”, new growth opportunities may be opened up and leveraged.
[1] Global Insight report 2003
[2] Business Week 02-06-04
[3] Ibid
[4] Nasscom Study 2005
4
Offshoring also has Serious Threats
[Figure: threats to the Business Plan and Offshore Operations, with Risk Mitigation Capabilities and Response & Recovery Capabilities as the countermeasures.]
Threats shown: Internal cyber-threats; Counterfeiting products; Political instability; Major IT outage; Terror incident; Natural disaster; External cyber-incident; IP theft
What Defines a Serious Threat?
• Impacts the business plan
• Fast developing
• Creates long-term change
• High stress to organization
• Large-scale
5
Offshore Risk & Security Process
[Figure: three-phase process diagram with rows for Inputs, Major Steps, Actions and Deliverables; the recoverable content is reconstructed below.]
Phase 1: Assess and Analyze
Major step: Project Initiation and Assessments
Actions:
1. Offshore risk assessment process:
• Threat and Risk assessment: business impact; technology trends; security environment; threats and vulnerabilities; project management; regulatory compliance; policies & standards; technology continuity; statement of applicability; protection of IP
Deliverables:
1. Risk/Impact matrix
2. Documented offshore risk controls status
3. Offshore Project Management strategy
Phase 2: Design and Plan
Major step: Program Design and Strategy Planning
Actions:
1. Analyze offshore risk gaps: current security policies & controls; regulatory compliance; technology continuity; project management; security governance; incident response process
2. Create offshore risk mitigation plan: define offshore risk controls; align risk controls to the business plan; outline processes for measuring results
Deliverables:
1. Offshore Risk Mitigation Master Plan: prioritized activities; funding and resources; timeline; success criteria; team structure
Phase 3: Deploy and Monitor
Major step: Plan Deployment
Actions:
1. Deploy improvement components of offshore risk master plan: security policies & controls; regulatory compliance; technology continuity; project management; IP protection
2. Implement monitoring process for continuous improvement
Deliverables:
1. Offshore project risk management framework
2. Regulatory Compliance Report
3. Incident response plan
4. Continuous improvement process for risk mitigation
6
First Step: a Threat and Risk Assessment
Define - Threats, their probability and the business impact
Classify - Risk impact of the threats
Analyze - Existing controls; business processes; overall preparedness posture
Design - Develop an initial option to address each risk
[Figure: Kroll Offshore Risk Workshop Deliverable (Example). A risk matrix plotting Risk Probability (Low to High) against Risk Impact / Business Impact (Low to High). Risk Management Options by quadrant: Change, Monitor, Control, Transfer. Risks plotted: Cyber-fraud, Regulatory Non-compliance, Product Design Loss, Product Counterfeiting, R&D theft, Technology Outage, Kidnap & Ransom, Cyber-terror.]
7
Consider These Questions:
Have you conducted a thorough offshore risk assessment and analysis?
Do you have written policies for IP protection with your service provider and your customers?
Is there a seasoned offshore specialist in charge of the program?
Do you have external legal advice?
What is the track record for the target region/vendor for risk incidents?
Are there country-specific issues, e.g. bribery, corruption, counterfeiting, ineffective law enforcement, data protection laws?
What is the security status of the region’s IT and network infrastructure where your service provider is located?
What is the region/country record for successful prosecution of cyber-crimes?
What is the in-country policy for employee privacy, background screening, hiring/firing, etc.?
Are there exposures due to ancillary agreements with other contractors?
Do they meet your standards as well as those of your customers?
8
Discussion