“Mitigating Offshoring Risks in a Global Business Environment”
Marsh Technology Conference 2005, May 26 & 27
Zurich, Switzerland

Definitions


Offshoring is the performance of certain business functions in another country,
primarily to achieve economic benefits. It takes one of two forms:
– Outsourced to a vendor, who manages the process for a fee or a percentage of
  the savings;
– A company-owned process, where operations are developed in a host country.

Typical business functions targeted for offshoring include:
– Software development
– Technology design, build or assembly
– Customer service
– Business process operations
Offshoring has Compelling Economics

Cost reduction – From 2003 through 2008, U.S. businesses will save a projected $20 billion using
offshore resources [1]
– Production costs are 30-50% lower in China vs. traditional U.S. manufacturing [2]

Quality – Offshoring provides good quality, e.g. Indian service providers often hold CMM Level 5,
Six Sigma, ISO 9000 and BS 7799 certifications.

Competition – Time zone advantages exist as well as larger pools of talent. It enables a company to
remain competitive in its market.

New Markets – By operating “in-country”, new growth opportunities may be opened up and leveraged.
– A data switch is made by 3-Com in China for about $180,000. Cisco’s competing switch is
  $245,000, a 25% price gap. 3-Com is “getting four engineers for the price of one” [3]
– India's National Association of Software & Service Companies (Nasscom) alone expects its
  outsourcing business will surge more than 26 percent to 28 percent in 2005 [4]

[1] Global Insight report 2003
[2] Business Week 02-06-04
[3] Ibid
[4] Nasscom Study 2005
Offshoring also has Serious Threats

[Diagram: Offshore Operations at the centre, surrounded by the threats listed below; the
Business Plan, Risk Mitigation Capabilities and Response & Recovery Capabilities sit between
the threats and the operations.]

Threats shown:
• IP theft
• Natural disaster
• Terror incident
• Political instability
• Counterfeiting products
• External cyber incident
• Internal cyber threats
• Major IT outage

What Defines a Serious Threat?
• Impacts the business plan
• Fast developing
• Creates long-term change
• High stress to organization
• Large-scale
Offshore Risk & Security Process

(Slide columns: Inputs, Major Steps, Actions, Deliverables; one row per phase.)

Phase 1 – Assess and Analyze
Major step: Project Initiation and Assessments
Actions:
1. Offshore risk assessment process:
   • Threat and risk assessment:
     – Business impact
     – Technology trends
     – Security environment
     – Threats and vulnerabilities
   • Project management
   • Regulatory compliance
   • Policies & standards
   • Technology continuity
   • Statement of applicability
   • Protection of IP
Deliverables:
1. Risk/Impact matrix
2. Documented offshore risk controls status
3. Offshore Project Management strategy

Phase 2 – Design and Plan
Major step: Program Design and Strategy Planning
Actions:
1. Analyze offshore risk gaps:
   • Current security policies & controls
   • Regulatory compliance
   • Technology continuity
   • Project management
   • Security governance
   • Incident response process
2. Create offshore risk mitigation plan:
   • Define offshore risk controls
   • Align risk controls to the business plan
   • Outline processes for measuring results
Deliverables:
1. Offshore Risk Mitigation Master Plan
   • Prioritized activities
   • Funding and resources
   • Timeline
   • Success criteria
   • Team structure

Phase 3 – Deploy and Monitor
Major step: Plan Deployment
Actions:
1. Deploy improvement components of the offshore risk master plan:
   • Security policies & controls
   • Regulatory compliance
   • Technology continuity
   • Project management
   • IP protection
2. Implement monitoring process for continuous improvement
Deliverables:
1. Offshore project risk management framework
2. Regulatory Compliance Report
3. Incident response plan
4. Continuous improvement process for risk mitigation
First Step: a Threat and Risk Assessment
Kroll Offshore Risk Workshop Deliverable (Example)

Define
• Threats, their probability and the business impact
Classify
• Risk impact of the threats
Analyze
• Existing controls
• Business processes
• Overall preparedness posture
Design
• Develop an initial option to address each risk

[Risk Management Options matrix: Risk Probability (Low / High) on one axis and Risk Impact
(Low / High) on the other, with the four quadrants labelled Transfer, Change, Monitor and
Control. Threats plotted on the matrix: Kidnap & Ransom, Cyber-terror, Technology Outage,
Product Counterfeiting, Product Design Loss, R&D theft, Regulatory Non-compliance, Cyber-fraud.]
Consider These Questions:

• Have you conducted a thorough offshore risk assessment and analysis?

• Do you have written policies for IP protection with your service provider
  and your customers?

• Is there a seasoned offshore specialist in charge of the program?

• Do you have external legal advice?

• What is the track record of the target region/vendor for risk incidents?

• Are there country-specific issues, e.g. bribery, corruption, counterfeiting,
  ineffective law enforcement, data protection laws?

• What is the security status of the region’s IT and network infrastructure
  where your service provider is located?

• What is the region/country record for successful prosecution of cybercrimes?

• What is the in-country policy for employee privacy, background
  screening, hiring/firing, etc.?

• Are there exposures due to ancillary agreements with other contractors?
  Do they meet your standards as well as those of your customers?

Discussion