Post on 01-Jan-2016
Succeeding in China: The Risk of Doing Business in China
Presenters: Andrew Walker, Director, Deloitte Consulting; Jim Chapman, Partner, Foley & Lardner LLP
Silicon Valley RIMS
January 31, 2013
The Focus of this presentation is on identifying and mitigating the risks of doing business in China
1. China represents a large and attractive market for Multi-National Companies (MNCs)
2. There have been a series of well-publicized incidents involving U.S. companies operating in China
3. MNCs have found ways to be successful in China – to both grow their businesses & mitigate risks
4. A programmatic approach to risk reduction has proven to be the most successful approach
Macroeconomic Issues in China
China offers significant market attractiveness for MNCs
China’s Global Positioning1:
• #1 GDP growth (9.3%) among emerging and developed nations
• #1 United Nations FDI Attraction Index rank2
• #1 country population (1.35 billion)
• #1 total exports ($1.90 trillion)
• #2 total imports ($1.66 trillion)
• #2 total GDP ($7.3 trillion)
[Chart: Global GDP Share3, 2010 vs. 2017 (proj.), $ trillions, with a +12.2% CAGR annotation]
Sources: (1) World Bank (2) UNCTAD (3) IMF projections, Deloitte Analysis
China provides MNCs with a strong economic and demographic foundation for growth and projects to continue dwarfing other major emerging markets
China’s demographic and economic profile make it the world’s fastest growing economy.
China offers significant market potential that can be hampered by significant risks
Companies are expecting increased revenues from China over the next 3 years. However, unique risks may limit MNCs’ ability to capture the growth potential . . .
Revenue Expectations from China in next 3 years (share of surveyed companies)1:
• Decrease/No Change: 4%
• Increase by less than 10%: 10%
• Increase by 10-24%: 30%
• Increase by 25-49%: 25%
• Increase by 50-99%: 14%
• Increase by 100% or more: 16%
[Chart: Potential revenue opportunity in China vs. risk-adjusted revenue, $ billions2]
Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011; (2) Weekly Economic Update (7/9/12); (3) 22 companies reporting revenue earned in China, Economist Intelligence Unit and Deloitte Analysis
Global weakness has affected China’s economic growth, slowing to 7.6% in Q2 2012; however, the China market is growing faster than the global average, indicating continued investment opportunity.
As documented in mainstream newspapers, magazines, journals, and trade publications…
Changing regulatory landscape is making China more attractive for MNCs
Number of Recently Initiated Trade Restrictive Measures1:
• India: 119
• European Union: 62
• Brazil: 55
• Indonesia: 53
• United States: 52
• China: 50
• Russia: 49
Despite increased global protectionism, China has imposed fewer restrictive trade measures1 compared to other major economies. During the same period 21 new trade liberalizing measures were initiated.
Sources: (1) Data from 9/2008 – 7/2011; Mohini, D., Hoekman, B., and Malouche, M., “Taking Stock of Trade Protectionism Since 2008” (2) UNCTAD
[Chart: Top Destinations for MNC Investment2, share of executives citing each country (China, United States, Germany, United Kingdom, France, Japan, India, Spain, Canada, UAE, Brazil); China leads]
Over 60% of executives surveyed by the UN Conference on Trade and Development cited China as a top 10 destination for investment between 2012 and 20142.
In addition to China’s economic and demographic profile, new leadership and policy changes are making China a top destination for investment.
MNCs already operating in China are expecting substantial near-term revenue growth
55% of surveyed companies are expecting increased revenues from China between 2011 and 2014.
Revenue Expectations from China1 (distribution as in the revenue-expectations chart above)
Overview
An index of 135 companies weighted by their revenue share from China has climbed 129% since 2009 compared with the S&P 500’s gain of 57%.3
[Chart: Potential Revenue Opportunity in China ($B)2, 2005 to 2015E]
Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011; (2) 22 companies reporting revenue earned in China, Economist Intelligence Unit and Deloitte Analysis; (3) The Economist
Legal, Regulatory and Transaction Issues
Technology Transfer Legal Framework
China’s Regulations on Administration of Technology Import and Export (Technology Regulations), effective January 1, 2002, govern the import and export of technologies into and out of China.
The Technology Regulations classify technologies into three broad categories, including:
1. Prohibited technologies: Cannot be imported into or exported out of China.
2. Restricted technologies: Import and export must be pre-approved by the relevant Chinese governmental authority, and copies of the relevant technology transfer agreement must be submitted to the relevant governmental authority.
3. Permitted technologies: Can be imported into or exported out of China without prior Chinese governmental approval.
Forms of Technology Transfers
Technology transactions may take a variety of forms. All of the following transactions are subject to the Technology Regulations:
• Patent assignments
• Assignments of patent application rights
• Patent licensing
• Assignments of know-how or trade secrets
• Licensing of know-how or trade secrets
• Technical services and other unspecified forms of technology transfer covered by the Technology Regulations
• Cooperative research and development contracts
• Technology consultancy contracts
• Technical training contracts
• Technology brokerage contracts
• Software import and export contracts
• Trademark licenses or assignments involving patented or non-patented technology
Applicable Contract Law
The Unified Contract Law, adopted in 1999, provides substantial freedom for the parties to enter into agreements.
Obstacles to Technology Transfer to China
Lack of control over future developments, modifications and enhancements of transferred technologies.
Warranty requirements.
Collecting royalties and other payments.
Protection of Intellectual Property.
Lack of Trust.
Mandatory Provisions of Chinese Law
Chinese law requires that the foreign licensor:
• “Guarantee” that the licensed technology is complete, correct, valid, and capable of accomplishing the specified technological objectives.
• “Guarantee” that it is the legal owner of, or the party with the right to license, the technology.
• Bear responsibility if the Chinese licensee infringes on another party’s rights by using the licensed technology pursuant to the license agreement.
Prohibitions
The Technology Regulations prohibit the following provisions:
• Requiring the transferee to accept incidental conditions unnecessary for the imported technology, including the purchase of unnecessary items.
• Requiring the transferee to pay for, or undertake obligations relating to, a technology for which the patent right has expired or has been announced as invalid.
• Restricting the transferee’s improvement of the technology provided by the transferor, or restricting the transferee’s use of the improved technology.
• Restricting the transferee’s acquisition from a third party of any technology similar to, or competitive with, the technology provided by the transferor.
• Unreasonably restricting the transferee’s channels or sources for the purchase of raw material, parts, components, products, or equipment.
• Unreasonably restricting the quantity, variety, or price of products produced by the transferee.
• Unreasonably restricting the transferee’s export channels for products manufactured by the transferee using the transferred technology.
Key Issues of a Technology Transfer Agreement
Typically, a technology license agreement will cover the following key issues:
• Field of use
• Geographic scope/territory
• License fees and payment terms
• Ownership of technology
• Ownership of improvements
• Exclusive or non-exclusive/sublicense
• Nondisclosure
• Noncompetition
• Term/termination
• Indemnities/liabilities
• Dispute resolution
• Governing law
• Governing language (i.e., Chinese or English)
Key To Successful Technology Transfer
Find the “right” licensee.
Invest in the relationship and work to build trust.
Thoroughly document the transaction.
Work to keep interests aligned.
Maintain constant communication and support.
Risks and Mitigation Strategies
Types of risk (the deck plots each on a Potential Impact × Likelihood matrix rated High / Medium / Low):
• IP Protection
• Negative Impact on USG-Related Business
• Export / OFAC Compliance
• Compromise of U.S. Ethics Laws
• Ineffective Legal Entity and Business Structure
• Partner Turning Competitor
• Market Restrictions
• Profitability in China
• Supply Chain & Operational Risks
Mitigating risks to profitability and value creation is critical. All are related to protecting a company’s brand/reputation.
IP Risks in China
Local companies are known to introduce rival products within 2-6 months of a new product introduction by an MNC
A significant number of IP-related lawsuits between MNCs and Chinese companies indicate the existence of IP infringement practices (~60,000 in 2011, up from ~43,000 in 2010)2
Government regulations on IP creation and usage make it mandatory for MNCs to share IP in China in certain instances
Protecting IP is typically cited as the most significant challenge to operating in China
% of Companies Citing Challenges in China as Significant1:
• Adequate IP protection: 58%
• Competition from local competitors: 49%
• Understanding customers’ buying behavior: 45%
• Brand awareness in the market: 45%
• Providing affordable products and services: 43%
• Adequate supply of skilled labor: 38%
• Protectionist policies or government red tape: 37%
• Establishing partnerships with local companies: 31%
• Supply chain capabilities: 24%
• Infrastructure problems: 18%
Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011, (2) China Patent Agent LTD., (3) Nera Economic Consulting estimate
An IP protection strategy should be integrated from the product strategy through the operating model and tactics
Implementation Steps:
1. Identify products being sold in China: identify the products and services best suited to the China market, and determine whether to (a) take the whole stack but restrict access to core technology, or (b) dedicate less valuable technology that is sufficient to meet current market demand.
2. Establish a clear integrated strategy: create a China IP Protection Control Structure that integrates politics, partners, people, process, vendors, and technology; define a clear operating model (e.g., human resources, vendor management, manufacturing, supply chain, information technology).
3. Manage operations with IP protection in mind: redesign R&D processes to increase compartmentalization and protection (this will result in higher IP management costs); program, implement, and commercialize technology development with value management in mind, building IP protection into processes.
4. Apply the right tactics to protect IP: define processes and controls throughout all business functions to safeguard IP; change product development cadence and release cycles.
In addition to IP protection concerns, there is a risk that U.S. government (USG) agencies could have concerns about offshore operations in certain countries
Key Risks
• Certain USG agencies may have concerns surrounding their product and/or service providers operating in certain countries. Key concerns appear to revolve around the following:
― Loss of U.S. IP
― Products or product code being infiltrated or corrupted by foreign parties
― Network and IT access into USG data centers or systems
― USG-related information becoming accessible
• Negative USG perceptions of the company may impact existing and future contracts / business, may lead to loss of revenue, and may trigger USG audits.
Mitigation Approach
• Companies should wall off foreign operations from public sector business in a way that is auditable.
• Leading practices include creating two sets of operational, network, and IT firewalls: 1. Between offshore and US businesses; 2. Between US and US Government Services divisions.
• Companies should proactively develop programs to educate government customers.
Mitigation approach should be structured to address operations for each business function across eight key security threads.
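The “two walls” and “auditable” requirements above can be checked mechanically rather than by inspection. The following script is an added example and is not from the deck, Deloitte, or any vendor: it models the three zones (offshore, US commercial, US Government Services) and the two walls as data, then audits a firewall rule set against them, requiring every cross-wall allow to cite an approved, unexpired, logged exception and every wall to end in an explicit default deny. The zone names, the `Rule` and `ApprovedException` records, the exception register and the sample rule set are all assumptions constructed for the example.

```python
"""Audit a zone firewall policy against the two-wall model: wall 1 separates
Offshore from the US commercial business, wall 2 separates the US commercial
business from the US Government Services division. Zone names, record formats
and the sample policy below are assumptions for this example, not a vendor format."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ZONES = {"offshore", "us_commercial", "usg_services"}

# Unordered zone pairs separated by a wall. Offshore<->USG is included because
# that traffic would have to cross both walls.
WALLS = {
    frozenset({"offshore", "us_commercial"}),
    frozenset({"us_commercial", "usg_services"}),
    frozenset({"offshore", "usg_services"}),
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str
    dst: str
    dport: Optional[int]                # None means any destination port
    action: str                         # "allow" or "deny"
    log: bool = False
    exception_id: Optional[str] = None  # approved exception justifying a cross-wall allow


@dataclass(frozen=True)
class ApprovedException:
    exception_id: str
    src: str
    dst: str
    dport: int
    expires: date


def audit(rules: List[Rule], exceptions: List[ApprovedException], today: date) -> List[Tuple[str, str]]:
    """Return (rule_id, finding) pairs; an empty list means the policy satisfies the two-wall model."""
    findings: List[Tuple[str, str]] = []
    exc_by_id = {e.exception_id: e for e in exceptions}

    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append((r.rule_id, "references an unknown zone"))
            continue
        if r.action != "allow" or frozenset({r.src, r.dst}) not in WALLS:
            continue  # intra-zone rules and denies never breach a wall
        if r.exception_id is None:
            findings.append((r.rule_id, f"allows {r.src}->{r.dst} across a wall with no approved exception"))
            continue
        exc = exc_by_id.get(r.exception_id)
        if exc is None:
            findings.append((r.rule_id, f"cites unknown exception {r.exception_id}"))
        elif (exc.src, exc.dst, exc.dport) != (r.src, r.dst, r.dport):
            findings.append((r.rule_id, f"is broader than exception {exc.exception_id}"))
        elif exc.expires < today:
            findings.append((r.rule_id, f"relies on exception {exc.exception_id}, expired {exc.expires}"))
        if not r.log:
            findings.append((r.rule_id, "cross-wall allow is not logged, so it is not auditable"))

    # Each wall needs an explicit any-port deny in both directions, and on a
    # first-match engine an allow placed after that deny is dead.
    for wall in WALLS:
        a, b = sorted(wall)
        for src, dst in ((a, b), (b, a)):
            pair_rules = [r for r in rules if (r.src, r.dst) == (src, dst)]
            deny_idx = next((i for i, r in enumerate(pair_rules)
                             if r.action == "deny" and r.dport is None), None)
            if deny_idx is None:
                findings.append(("policy", f"no explicit default deny for {src}->{dst}"))
                continue
            for r in pair_rules[deny_idx + 1:]:
                findings.append((r.rule_id, f"unreachable: shadowed by {pair_rules[deny_idx].rule_id}"))
    return findings


# Constructed sample policy (not from the deck); AS_OF is the review date.
AS_OF = date(2013, 1, 31)
EXCEPTIONS = [
    ApprovedException("EXC-2013-004", "offshore", "us_commercial", 443, date(2013, 12, 31)),
    ApprovedException("EXC-2013-007", "offshore", "us_commercial", 80, date(2013, 12, 31)),
    ApprovedException("EXC-2012-009", "offshore", "usg_services", 445, date(2012, 6, 30)),
]
RULES = [
    Rule("fw-01", "offshore", "us_commercial", 443, "allow", log=True, exception_id="EXC-2013-004"),
    Rule("fw-02", "us_commercial", "usg_services", 22, "allow"),                                       # no exception
    Rule("fw-03", "offshore", "usg_services", 445, "allow", log=True, exception_id="EXC-2012-009"),    # expired
    Rule("fw-04", "us_commercial", "offshore", None, "allow", log=True, exception_id="EXC-2013-004"),  # wrong direction, any port
    Rule("fw-05", "us_commercial", "us_commercial", None, "allow"),                                    # intra-zone, fine
    Rule("fw-10", "offshore", "us_commercial", None, "deny"),
    Rule("fw-11", "us_commercial", "offshore", None, "deny"),
    Rule("fw-12", "us_commercial", "usg_services", None, "deny"),
    Rule("fw-13", "usg_services", "us_commercial", None, "deny"),
    Rule("fw-14", "offshore", "usg_services", None, "deny"),
    # usg_services->offshore has no default deny at all
    Rule("fw-20", "offshore", "us_commercial", 80, "allow", log=True, exception_id="EXC-2013-007"),    # placed after the deny
]


def run_sample() -> List[Tuple[str, str]]:
    return audit(RULES, EXCEPTIONS, AS_OF)


if __name__ == "__main__":
    for rule_id, finding in run_sample():
        print(f"{rule_id}: {finding}")
```

Run stand-alone it prints five findings: fw-02 (hole with no exception), fw-03 (expired exception), fw-04 (rule broader than its exception), fw-20 (shadowed by the default deny, so the approved hole is silently closed) and a policy-level gap (no default deny for usg_services->offshore). The exception register is what makes the walls auditable: every cross-wall flow traces to an approval with an expiry, and the audit is re-run whenever the rule set or the register changes.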
The eight security threads are: Physical; People; Process; Product; Systems; Physical Data; Electronic Data; Vendors / Suppliers.
The business functions, grouped as Supporting Business, Selling Product, and Research & Development / Product & Delivery, are: Research & Development; Product Development, Delivery, & Support; Maintenance; Sales & Marketing; Finance; Human Resources; Facility & Security; IT; Legal.
The deck’s illustrative matrix (shown for the Information Technology function and for a “ProxyCo Current State” assessment) also tags each thread with example process groupings:
• Vendors / Suppliers: Real Estate, Procurement and Other
• Systems: Recruitment, Development, Administration and Performance Management
• Physical Data: Design, Development, Deployment, Operations and Performance Management
• Physical (Real Estate): Business and Financial Strategy, Mergers and Acquisitions, Tax Management, Risk Management, Compliance Management, Program Management and Performance Management
• People: Marketing, Sales, Delivery/Provisioning, Billing and Service
• Process: Innovation and Design, Supply Chain Management, Production Operations and Logistics
Note: Many actions could logically be associated with other or multiple process groupings. For example, many customer and product actions are likely to have heavy IT and HR components.
Privileged and Confidential for ProxyCo and Deloitte Consulting Only As of Month 20XX
Is ProxyCo's banking management process independent of the parent’s?
Has ProxyCo established a fully separate and distinct finance process and
functional organization that will manage the Finance Function's activities?
Are Finance temporary employees compliant with the terms of the NSA?
Are Finance subcontractors compliant with the terms of the NSA?
Do any of ProxyCo's Finance personnel also work for the parent?
Does the Finance Function report to an executive at ProxyCo?
Have the Finance Function's policies and procedures pertaining to the NSA been
reviewed with employees?
Does the Finance Function have security policies and a training plan?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Is the Finance Function staffed only by ProxyCo's employees?
Is classified / sensitive information stored in the Finance facilities in a secure manner?
Are physical records of financial statements accessible by the parent company?
Are controls in place to ensure that there is no unauthorized access
into the Finance facilities?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Is the Finance Function physically separated from the parent?
Does ProxyCo outsource any Finance activities?
Has ProxyCo established independent Finance systems from the parent?
Are ProxyCo's Finance IT systems accessible by the parent's employees?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Is the Human Resources (HR) Function physically separated from the parent?
Are controls in place to ensure that there is no unauthorized access into the HR facilities?
Is classified / sensitive information stored in the HR facilities in a secure manner?
Is the HR Function staffed only by ProxyCo's employees?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Does the HR Function have security policies and a training plan?
Have the HR Function's policies and procedures pertaining to NSA requirements
been reviewed with employees?
Does the HR Function report to an executive at ProxyCo?
What exit policies and procedures are used by ProxyCo?
What is ProxyCo's screening process for new employees?
Does ProxyCo hire foreign nationals?
Are security clearances managed by an approved security officer?
Do any of ProxyCo's HR personnel also work for the parent?
Do people outside of ProxyCo have access to ProxyCo's employee records?
Are HR subcontractors complaint with the terms of the NSA?
Are HR temporary employees compliant with the terms of the NSA?
Has ProxyCo established a fully separate and distinct HR process and functional organization that will manage the HR
Function’s activities?
What is the process for managing security clearances?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Is classified / sensitive information stored in the Legal facilities in a secure manner?
Is the Legal Function staffed only by ProxyCo's employees?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Does the Legal Function have security policies and a training plan?
Have the Legal Function's policies and procedures pertaining to the NSA been
reviewed with employees?
Does the Legal Function report to an executive at ProxyCo?
Do any of ProxyCo's Legal personnel also work for the parent?
Are Legal subcontractors complaint with the terms of the NSA?
Are Legal temporary employees compliant with the terms of the NSA?
Are Legal employment decisions appropriately documented and reviewed?
Has ProxyCo established a fully separate and distinct legal process and functional
organization that will manage the activities of ProxyCo's Legal Function?
What is the process for conducting confidential investigations for ProxyCo?
Is there an investigations board, separate from the parent that will handle all investigations for
ProxyCo?
Does ProxyCo outsource any Legal activities to vendors who have not agreed
to the terms of the NSA?
Are ProxyCo's Legal IT systems accessible by the parent's employees?
Is the Legal Function physically separated from the parent?
Are controls in place to ensure that there is no unauthorized access into the Legal facilities?
Is the Facility & Security Function physically separated from the parent?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Are controls in place to ensure that there is no unauthorized access into the Facility &
Security facilities?
Are there video surveillance systems?
Is classified / sensitive information stored at the Facility & Security facilities in a secure
manner?
Is the Facility & Security Function staffed only by ProxyCo's employees?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Does the Facility & Security Function have security policies and a training plan?
Have the Facility & Security Function's policies and procedures pertaining to the
NSA been reviewed with employees?
Does the Facility & Security staff report to an executive at ProxyCo?
Do any of ProxyCo's Facility & Security personnel also work for the parent?
Are Facility & Security subcontractors compliant with the terms of the NSA?
Are Facility & Security temporary employees compliant with the terms of the NSA?
Which individuals have access to the video surveillance systems?
Are there security personnel for all facilities?
Are the security personnel properly trained and vetted to work at cleared facilities?
Is there a separate and independent body that monitors the access and behaviors of the
Facility & Security staff, including contact between the staff and the parent?
Are there individuals assigned to continuously monitor intrusions and / or any suspicious activities, and are these individuals direct
employees of ProxyCo?
Is the Information Technology (IT) Function physically separated from the parent?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Is the IT Function staffed only by ProxyCo’s employees?
Does the IT Function have security policies and a training plan?
Have the IT Function's policies and procedures pertaining to the NSA been
reviewed with employees?
Does the IT Staff report to an executive at ProxyCo?
Do any of ProxyCo's IT personnel also work for the parent?
Has ProxyCo established a fully separate and distinct IT process and functional
organization that will manage the IT activities?
Are there a set of security requirements been provided to IT based on the NSA and other government documents that IT can use to
take appropriate steps?
Have electronic security perimeters been established?
Is there a process for securing hardware?
Are there any automatic escalation processes to alert management of intrusions and / or
suspicious activity?
Has ProxyCo established independent IT systems from the parent?
Are there one-time or recurring data transfers between ProxyCo and the parent?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's IT data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for IT and
related information?
Are controls in place to ensure that there is no unauthorized access into the IT facilities?
Is classified / sensitive information stored in the IT facilities in a secure manner?
Are IT subcontractors compliant with the terms of the NSA?
Are IT temporary employees compliant with the terms of the NSA?
Is there a separate and independent body that monitors the access and behaviors of IT staff,
including contact between IT staff and the parent?
Are there people assigned to continuously monitor intrusions and / or any suspicious
activities, and are these people direct employees of ProxyCo?
Does the parent have access to any classified / sensitive data that is under the
custody of ProxyCo's IT Staff?
Is there a well-documented and regularly revisited process for incident reporting and
response planning?
Are processes in place to govern how ProxyCo’s staff engage and interact with
the parent’s staff?
Are IT processes appropriately documented?
Are ProxyCo's IT systems accessible by the parent's employees?
Are the IT systems protected by firewalls?
Are any IT services outsourced to foreign countries?
Are any data connections between ProxyCo and the parent appropriately
audited and firewalled?
Has extensive testing been conducted to ensure the integrity of the firewall?
Are there any links on ProxyCo's website that can take users to secured areas?
Are all data repositories securely hosted for only ProxyCo?
Are company websites governed closely by security specialists to cleanse them any
sensitive or classified information?
Is the Maintenance Function physically separated from the parent?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Are controls in place to ensure that there is no unauthorized access into the Maintenance
facilities?
Is classified / sensitive information stored in the Maintenance facilities in a secure manner?
Is the Maintenance Function staffed only by ProxyCo's employees?
Does the Maintenance Function have security policies and a training plan?
Have the Maintenance Function's policies and procedures pertaining to the NSA been
reviewed with employees?
Does the Maintenance Function report to an executive at ProxyCo?
Do any of ProxyCo's Maintenance personnel also work for the parent?
Are the Maintenance subcontractors compliant with the terms of the NSA?
Are the Maintenance temporary employees compliant with the terms of the NSA?
Has ProxyCo established a fully separate and distinct maintenance process and
functional organization that will manage the Maintenance Function's activities?
Are Maintenance processes appropriately documented?
Has ProxyCo established independent Maintenance systems from the parent?
Is there a database for maintaining agreements / contracts?
Are all Maintenance systems secured with a firewall?
Where are product components / supplies stored prior to completion?
Are controls in place to ensure that there is no unauthorized access into the Product &
Delivery facilities?
Is classified / sensitive information stored in the Product & Delivery facilities in a secure
manner?
What procedures are taken to ensure that the shipping and delivery of products is secure?
What security procedures / plans are in place to secure warehouses and facilities that
distribute ProxyCo’s products / technologies?
Are the vehicles by which ProxyCo’s products are transported designed to prevent
destruction or malicious activity / theft?
Does the Product & Delivery Function report to an executive at ProxyCo?
Do any of ProxyCo's Product & Delivery personnel also work for the parent?
Are Product & Delivery subcontractors compliant with the terms of the NSA?
Are Product & Delivery temporary employees compliant with the terms of the NSA?
Do the individuals involved in the distribution network have the appropriate level of
clearance to transport sensitive technologies / products?
Does the Product & Delivery Function have controls in place to regulate individuals who
handle the products?
Which individuals have access to or are responsibility for tracking the products
in route?
Does ProxyCo outsource / subcontract any Product & Delivery activities?
Are ProxyCo's products securely shipped and delivered?
Are Product & Delivery processes appropriately documented?
Are ProxyCo’s manufacturing systems and supporting systems accessible
by outside parties?
Are the product assembly guides in the Product & Delivery Function securely
monitored and stored?
Are there appropriate controls in place to ensure that data cannot be leaked from inside
ProxyCo and that data cannot be accessed from outside of ProxyCo?
Is there a firewall to prevent data storage outside of ProxyCo's servers?
Has extensive testing been conducted to ensure the integrity of the firewall?
Is the Product & Delivery Function physically separated from the parent?
Will non-Product & Delivery employees be granted access into the Product & Delivery
facilities?
Is visible badge identification required at all times in the Product & Delivery facilities?
Are emergency response procedures in place for the Product & Delivery facilities?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Where is product inventory stored prior to shipment?
Is the Product & Delivery Function staffed only by ProxyCo's employees?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Which Key Management Personnel have influence over or access
to the Product & Delivery Function?
What level of clearance is required to have access to the Product & Delivery Function?
Do any of the personnel that have access to the Product & Delivery Function not have the appropriate level of security clearance
required for those facilities?
Which personnel outside of the Product and Delivery Function's employees are allowed to
be in the Product & Delivery facilities?
Does the Product & Delivery Function have security policies and a training plan?
Have the Product & Delivery Function's policies and procedures pertaining to the
NSA been reviewed with employees?
Has ProxyCo established a fully separate and distinct Product & Delivery process and functional organization that will manage the
Product & Delivery Function's activities?
What is the process for supporting ProxyCo's Product & Delivery operations
in high-risk countries?
Has ProxyCo established independent Product & Delivery systems from the parent?
Are ProxyCo's Product & Delivery IT systems accessible by the
parent's employees?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's Product & Delivery data been wiped from the IT systems that the
parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for
Product & Delivery and related information?
Are physical records, project plans, and contracts stored within ProxyCo securely?
What additional security is used to protect the R&D facilities?
Are controls in place to ensure that there is no unauthorized access into the R&D facilities?
Is classified / sensitive information stored in the R&D facilities in a secure manner?
Does the R&D Function have security policies and a training plan?
Has the R&D Function's policies and procedures pertaining to the NSA been
reviewed with employees?
Does the R&D Function report to an executive at ProxyCo?
Do any of ProxyCo's R&D personnel also work for the parent?
Does the company control information and access from outside researchers?
Does ProxyCo outsource any R&D activities?
Are there controls in place to protect ProxyCo's intellectual property from
being transferred to the parent?
Are R&D processes appropriately documented?
Are ProxyCo’s R&D systems and supporting systems accessible by outside parties?
Has ProxyCo established a separate secure, independent data repository for R&D and
related information?
Are there appropriate controls in place to ensure that data cannot be leaked from inside
ProxyCo and that data cannot be accessed from outside of ProxyCo?
Is there a firewall to prevent data storage outside of ProxyCo's servers?
Has extensive testing been conductedto ensure the integrity of the firewall?
What is the process for keeping ProxyCo's vendor lists confidential?
What information does ProxyCo share with vendors?
Is the Research and Development (R&D) Function physically separated from the
parent?
Will non-R&D employee badges be granted access into R&D facilities?
Is visible badge identification required at all times in R&D facilities?
Are emergency response procedures in place for the R&D facilities?
Is the R&D Function staffed only by ProxyCo's employees?
Do only authorized personnel have full access to the R&D Function?
Which Key Management Personnel (KMP) have influence over or access to the R&D
Function?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Which personnel outside of the R&D Function’s employees are allowed to be in the
R&D facilities?
Has ProxyCo established a fully separate and distinct R&D process and functional organization that will manage the R&D
Function's activities?
What is the process for supporting ProxyCo's R&D operations in high-risk countries?
Does the company have any joint R&D activities with outside parties?
Has ProxyCo established independent R&D systems from the parent?
Are ProxyCo's R&D IT systems accessible by the parent's employees?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's R&D data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a fully separate and distinct set of R&D Service Level Agreements (SLAs) with its vendors?
Do ProxyCo and the parentshare any vendors?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's Maintenance data been wiped from the IT systems that the parent has
access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for Maintenance
and related information?
Has ProxyCo established a fully separate and distinct set of Maintenance SLAs with its
vendors?
Are multiple vendors used for Maintenance?
Finance
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's Finance data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for Finance and related information?
Is there a firewall to prevent data storage outside of ProxyCo's servers?
What procedures are in place to protect the sensitivity and integrity of ProxyCo's financial data?
Has ProxyCo established a fully separate and distinct set of Finance SLAs with its vendors?
Does ProxyCo share any vendors with the parent?
How much access do vendors have to financial data from classified / sensitive areas?
HR
What is the process for keeping classified / sensitive employee records secure?
Has ProxyCo established independent HR systems from the parent?
Are ProxyCo's HR IT systems accessible by the parent's employees?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's HR data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for HR and related information?
Is there a firewall to prevent data storage outside of ProxyCo's servers?
Has extensive testing been conducted to ensure the integrity of the firewall?
Has ProxyCo established a fully separate and distinct set of HR SLAs with its vendors?
Do ProxyCo and the parent have any shared contracts with any HR vendors?
Are vendors that access ProxyCo’s systems fully compliant with the NSA?
Legal
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's Legal data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for Legal and related information?
Is there a firewall to prevent data storage outside of ProxyCo's servers?
Has extensive testing been conducted to ensure integrity of the firewall?
Has ProxyCo established a fully separate and distinct set of Legal SLAs with its vendors?
Do ProxyCo and the parent share any vendors?
Are vendors that access ProxyCo’s systems fully compliant with the NSA?
Facility & Security
Has ProxyCo established a fully separate and distinct process and functional organization that will manage ProxyCo's Facility & Security Function's activities?
Are any of the following activities outsourced: lease administration, space management, lease transactions, and shipping?
Has ProxyCo established independent Facility & Security systems from the parent?
Does ProxyCo have separate voice and data infrastructure for its facilities?
Are ProxyCo's servers stored in a secure area outside of the parent’s facilities?
Is the process for moving physical data from one facility to another secure, documented, and followed?
Is the movement of classified / sensitive data properly restricted?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's Facility & Security data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for Facility & Security and related information?
Is badging and surveillance data properly protected?
Has ProxyCo established a fully separate and distinct set of Facility & Security SLAs with its vendors?
Is there a firewall to prevent data storage outside of ProxyCo's servers?
IT
Has ProxyCo established a fully separate and distinct set of IT SLAs with its vendors?
How much access do vendors have to ProxyCo's IT systems and infrastructure without the appropriate level of control?
Is any data hosted in offshore locations?
Is there a separate body or function that monitors vendors' activities on ProxyCo's IT systems and infrastructure?
Are vendors that access ProxyCo’s systems fully compliant with the NSA?
Supply Chain
Is the Supply Chain Function physically separated from the parent?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Is the shipping and delivery of inputs securely handled?
Are the warehouses and facilities that receive ProxyCo's inputs appropriately secured?
Are controls in place to ensure that there is no unauthorized access into the Supply Chain facilities?
Is classified / sensitive information stored in the Supply Chain facilities in a secure manner?
Is the Supply Chain Function staffed only by ProxyCo's employees?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Does the Supply Chain Function have security policies and a training plan?
Have the Supply Chain Function's policies and procedures pertaining to the NSA been reviewed with employees?
Does the Supply Chain Function report to an executive at ProxyCo?
Do only authorized personnel have full access to the Supply Chain Function?
Does ProxyCo have controls in place to regulate and monitor the individuals who handle the inputs?
Do any of ProxyCo's Supply Chain personnel also work for the parent?
Are Supply Chain subcontractors compliant with the terms of the NSA?
Are Supply Chain temporary employees compliant with the terms of the NSA?
Has ProxyCo established a fully separate and distinct Supply Chain process and functional organization that will manage the activities of ProxyCo's Supply Chain Function?
Does ProxyCo outsource any Supply Chain activities?
Are Supply Chain processes appropriately documented?
Has ProxyCo established independent Supply Chain systems from the parent?
How are physical invoices filed and stored?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's Supply Chain data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for Supply Chain and related information?
Has ProxyCo established a fully separate and distinct set of Supply Chain SLAs with its vendors?
Do ProxyCo and the parent share any vendors?
What is the process for keeping ProxyCo's vendor lists confidential?
Has ProxyCo established independent Legal systems from the parent to manage and support the company's Legal Function?
What information does ProxyCo share with its vendors?
Does ProxyCo have sole responsibility for all supplier selection, subcontracting, and supplier management activities?
How much product information is transferred to the vendors' databases and how secure is this information transfer?
What information does ProxyCo share with vendors?
Does ProxyCo have travel and shipping contracts independent of the parent?
Are there access controls in place to monitor individuals who are given access to the products and technologies being delivered?
Has ProxyCo established a fully separate and distinct set of Product & Delivery SLAs with its vendors?
Do ProxyCo and the parent share any vendors?
How much product information is transferred to vendors' databases and how secure is this information transfer?
What is the process for keeping ProxyCo's vendor lists confidential?
Are Finance processes appropriately documented?
Is financial and accounting information transmitted to the parent's Finance Function?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Does ProxyCo have the processes and controls necessary to safeguard classified / sensitive or protected software code prior to the release of the hardware for maintenance?
Is there a defined process for using the parent's Maintenance Function?
Is data on the devices being repaired wiped for all devices leaving ProxyCo?
Are HR processes appropriately documented?
Are patents exclusively owned by the mitigated entity?
Are Legal processes appropriately documented?
Are Facility & Security processes appropriately documented?
Sales & Marketing
Is the Sales & Marketing Function physically separated from the parent?
Are physical records, project plans, and contracts stored within ProxyCo securely?
Is the Sales & Marketing Function staffed only by ProxyCo's employees?
Is access to classified / sensitive information restricted only to the appropriate personnel?
Does the Sales & Marketing Function have security policies and a training plan?
Have the Sales & Marketing Function's policies and procedures pertaining to the NSA been reviewed with employees?
Does the Sales & Marketing Function report to an executive at ProxyCo?
Do Sales & Marketing personnel sell or market any of the parent's products?
Do any of ProxyCo's Sales & Marketing personnel also work for the parent?
Are Sales & Marketing subcontractors compliant with the terms of the NSA?
Are Sales & Marketing temporary employees compliant with the terms of the NSA?
Do Sales & Marketing personnel travel to foreign countries to conduct business?
Has ProxyCo established a fully separate and distinct Sales & Marketing process and functional organization that will manage the Sales & Marketing Function's activities?
Does ProxyCo sell and track products on behalf of the parent?
Is ProxyCo's sales planning independent of the parent?
Does ProxyCo outsource any Sales & Marketing activities?
Does ProxyCo have IT support for Sales & Marketing operations, including intranet and extranet enterprise portal capabilities and CRM?
Are Sales & Marketing processes appropriately documented?
Are ProxyCo marketing and branding decisions independent of the parent?
Are appropriate processes in place to ensure that marketing target lists and information are kept confidential?
Has ProxyCo established independent Sales & Marketing systems from the parent?
Are ProxyCo's Customer Relationship Management (CRM) systems accessible by the parent's employees?
Does ProxyCo have an independent intranet on which to design, develop, publish, and maintain content?
Do Sales personnel maintain classified / sensitive information in their physical custody while visiting with prospective clients and / or visiting trade shows?
Have all existing data repositories been identified and are they within ProxyCo?
Has ProxyCo's Sales & Marketing data been wiped from the IT systems that the parent has access to?
Has the wiped data from IT systems provided to the parent been tracked and managed?
Has ProxyCo established a separate secure, independent data repository for Sales & Marketing and related information?
Are any products or services inappropriately detailed on the company’s website or in marketing material?
Where are CRM records stored, who has access to them & who has had access to them?
Has ProxyCo established a fully separate and distinct set of Sales & Marketing SLAs with its vendors?
Protecting IP and assuaging U.S. Government concerns requires a reengineered operating model
Functional Example: Deloitte’s FOCI-Mitigation Toolset (Foreign Ownership, Control, or Influence)
Corruption in China – pace of change, growing economic prosperity, historical practices
US FCPA – Prohibits payments of something of value to foreign officials or members of a political party to obtain or retain business.
Violations and Penalties – Anti-bribery:
Individual criminal fines up to $250,000 and imprisonment up to 5 years
Companies may be fined $2 million for each violation
Violations and Penalties – Violation of accounting provisions
Individual criminal fines up to $5 million and imprisonment up to 20 years
Companies may be fined $25 million for each violation
What is an improper gift or payment?
FCPA prohibits corrupt payments through intermediaries
Foreign Corrupt Practices Act: What are the risks?
Large sales to governmental agencies or SOE’s with high unit price and low frequency;
A request for commission payments to be made to bank accounts in other countries or to people or companies who did not perform the services;
Excessive payments or commissions for services rendered or insufficient staff to perform the services to be rendered;
Vague deliverables in contracts;
Losing bidders hired as subcontractors;
Favorable treatment of one supplier over another;
Lack of relevant experience of a successful bidder;
Unnecessary third parties performing services;
Lack of documentation from agents;
A representative or distributor has family or business ties with government officials;
A representative or distributor requires that his or her identity not be disclosed;
A potential government customer recommends or requires that the U.S. company use a particular representative or distributor;
A representative or distributor makes requests such as backdating or altering invoices; or
A representative or distributor requests that an invoice be inflated.
U.S. Foreign Corrupt Practices Act: Understand the Danger Signs
FCPA Compliance Program
Components of Program: Process and procedures, Oversight, Audit
Embezzlement Risk
Key Risks (What to watch out for?)
Fraud is rampant in China – “Opportunistic” vs. “Systemic Malfeasance”
There is a view that there are no consequences
It is OK to take advantage of a foreigner
Mitigation Approach
Pre-employment screening – verify everything
Certificate of No Criminal Record – provided by local police station and can be verified
Manage the HR Manager in China – kickbacks and payoffs are common
Do not allow the GM to hire the finance manager
Contractual Risk
Key Risks (What to watch out for?)
Chinese view of contracts – tool for building a relationship
Negotiation and re-negotiation
Enforcement
Formation basics
Mitigation Approach
Understand the role of contracts – use strong contractual protections such as arbitration outside of China, governing law and language, waiver of sovereign immunity
Build personal relationships on a day-by-day basis
Learn the culture – role of relationships, how foreigners are viewed, the role of “face”, humility, sincerity and other concepts
Understand the role of contracts and cultural differences.
Human Capital Risk
Key Risks (What to watch out for?)
The Chinese view of the workplace
Employees are not important
Hierarchy
Loyalty – To whom do the key employees owe their loyalty?
Turnover and its costs
Mitigation Approach
Integration
Training
Loyalty programs
Loyalty issues control and influence protection of IP and one’s brand and reputation
Operating Risk
Key Risks (What to watch out for?)
Supply chain visibility – downstream and upstream – and chain of command
Control over costs and pricing
Differences in protection of property and business continuity efforts / requirements
Quality control and assurance
IP
Mitigation Approach
Compartmentalize production
Control the production process
Keep key technologies in the US
Employ rapid versioning
Integrate supply chain requirements through contracts, quality assurance, and risk management best practices
Visibility is most important in understanding critical operational risks
Risks should be managed through an integrated, cross-functional program
Function Responsible For Mitigating Risk (numbers refer to the Type of Risk list below)
Legal & Risk: 1, 2, 3, 4, 5
IT: 1, 3, 5
Sales & Marketing: 2, 3, 5, 6, 8
Finance: 1, 5, 8
Operations: 1, 3, 5, 6, 7, 8
Executive Office: 5, 6, 7, 8
HR: 1, 2, 3, 4, 6
Type of Risk
1. IP Protection
2. Negative Impact on USG-Related Business
3. Export / OFAC Compliance
4. Compromise of U.S. Ethics Laws
5. Ineffective Legal Entity & Business Structure
6. Partner Turning Competitor
7. Market Restrictions
8. Profitability in China
Sample Roadmap
Summary: Key Lessons Learned
Do not leave common sense at the border
Understand the role of the Chinese government in day-to-day business and develop a governmental relations program
Develop “guanxi”
Select the “right” partners, suppliers and resellers
Always have a strong legal foundation for business relationships
Andy is a strategy advisor with more than 15 years of experience leading efforts to help business executives overcome their most pressing challenges. His primary focus is on advising companies on ways to improve financial position by restructuring their operating models to improve the focus on future growth prospects.
In addition to this focus area, Andy is a lead in Deloitte’s cross-border investment practice with a focus on helping companies meet U.S. national security expectations, as well as helping them protect their intellectual property as they expand globally. He has led Deloitte’s efforts on a number of high profile CFIUS cases.
Andy has worked with telecom and high tech clients and has worked in China, Latin America and Europe on their behalf. He is the author of a number of articles, including, most recently, an article published in the Wall Street Journal entitled “Improving the Yield on your corporate investment portfolio.”
Director
Strategy Practice
Deloitte Consulting
Jim is a partner at Foley & Lardner, a leading international law firm. He is a corporate and securities lawyer focusing on start-up and emerging publicly traded and privately held companies looking to expand domestically and internationally and the venture capitalists, private equity groups and angels that invest in them. He has substantial experience in international transactions including mergers and acquisitions, foreign direct investment, technology transfers and joint ventures in China.
Jim has been involved in approximately 250 mergers, acquisitions and finance transactions and is the author of approximately 50 articles and has given over 50 presentations in the last four years on issues related to raising venture capital, mergers and acquisitions, start-ups, doing business in China and other topics.
Jim has been recognized by Law 500 as one of the best lawyers in the US for mergers and acquisitions, was named one of the Top 25 Clean Tech Lawyers in California in 2011 by the Daily Journal and one of Northern California’s Super Lawyers by San Francisco Magazine and Law and Politics Media.
Partner
Foley & Lardner, LLP