Succeeding in China: The Risk of Doing Business in China

Succeeding in China: The Risk of Doing Business in China Presenters: Andrew Walker, Director, Deloitte Consulting Jim Chapman, Partner, Foley & Lardner LLP Silicon Valley RIMS January 31, 2013


Transcript of Succeeding in China: The Risk of Doing Business in China

Page 1: Succeeding in China:  The Risk of Doing Business in China

Succeeding in China: The Risk of Doing Business in China

Presenters: Andrew Walker, Director, Deloitte Consulting; Jim Chapman, Partner, Foley & Lardner LLP

Silicon Valley RIMS

January 31, 2013

Page 2: Succeeding in China:  The Risk of Doing Business in China

The focus of this presentation is on identifying and mitigating the risks of doing business in China

1. China represents a large and attractive market for Multi-National Companies (MNCs)

2. There have been a series of well-publicized incidents involving U.S. companies operating in China

3. MNCs have found ways to be successful in China – to both grow their businesses & mitigate risks

4. A programmatic approach to risk reduction has proven to be the most successful approach

Page 3: Succeeding in China:  The Risk of Doing Business in China

Macroeconomic Issues in China

Page 4: Succeeding in China:  The Risk of Doing Business in China

China offers significant market attractiveness for MNCs

China’s Global Positioning (1)

#1 GDP growth (9.3%) among emerging and developed nations

#1 United Nations FDI Attraction Index rank (2)

#1 country population (1.35 billion)

#1 total exports ($1.90 trillion)

#2 total imports ($1.66 trillion)

#2 total GDP ($7.3 trillion)

[Chart: Global GDP Share (3), 2010 and 2017 (proj.), +12.2% CAGR]

China provides MNCs with a strong economic and demographic foundation for growth and is projected to continue dwarfing other major emerging markets.

China’s demographic and economic profile make it the world’s fastest growing economy.

Sources: (1) WorldBank (2) UNCTAD (3) IMF projections, Deloitte Analysis

Page 5: Succeeding in China:  The Risk of Doing Business in China

China offers significant market potential that can be hampered by significant risks

Companies are expecting increased revenues from China over the next 3 years

However, unique risks may limit MNCs' ability to capture the growth potential . . .

[Chart: Revenue Expectations from China in next 3 years. Categories: Decrease/No Change; Increase by less than 10%; Increase by 10-24%; Increase by 25-49%; Increase by 50-99%; Increase by 100% or more. Values shown: 4%, 10%, 30%, 25%, 14%, 16%]

Global weakness has affected China’s economic growth, slowing it to 7.6% in Q2 2012; however, the China market is growing faster than the global average, indicating continued investment opportunity

[Chart: Potential revenue opportunity in China versus risk-adjusted revenue, in billions]

Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011; (2) Weekly Economic Update (7/9/12) (3) 22 companies reporting revenue earned in China, Economist Intelligence Unit and Deloitte Analysis

As documented in mainstream newspapers, magazines, journals, and trade publications…

Page 6: Succeeding in China:  The Risk of Doing Business in China

Changing regulatory landscape is making China more attractive for MNCs

[Chart: Number of Recently Initiated Trade Restrictive Measures. Economies shown: India, European Union, Brazil, Indonesia, United States, China, Russia. Values shown: 119, 62, 55, 53, 52, 50, 49]

Despite increased global protectionism, China has imposed fewer restrictive trade measures (1) compared to other major economies. During the same period, 21 new trade liberalizing measures were initiated.

Sources: (1) Data from 9/2008 – 7/2011; Mohini, D., Hoekman, B., and Malouche, M., “Taking Stock of Trade Protectionism Since 2008” (2) UNCTAD

[Chart: Top Destinations for MNC Investment. Countries shown: China, United States, Germany, United Kingdom, France, Japan, India, Spain, Canada, UAE, Brazil]

Over 60% of executives surveyed by the UN Conference on Trade and Development cited China as a top 10 destination for investment between 2012 and 2014 (2).

In addition to China’s economic and demographic profile, new leadership and policy changes are making China a top destination for investment.

Page 7: Succeeding in China:  The Risk of Doing Business in China


MNCs already operating in China are expecting substantial near-term revenue growth

55% of surveyed companies are expecting increased revenues from China between 2011 and 2014.

[Chart: Revenue Expectations from China (1). Categories: Decrease/No Change; Increase by less than 10%; Increase by 10-24%; Increase by 25-49%; Increase by 50-99%; Increase by 100% or more. Values shown: 4%, 10%, 30%, 25%, 14%, 16%]

Overview

Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011; (2) 22 companies reporting revenue earned in China, Economist Intelligence Unit and Deloitte Analysis; (3) The Economist

An index of 135 companies weighted by their revenue share from China has climbed 129% since 2009 compared with the S&P 500’s gain of 57%. (3)

[Chart: Potential Revenue Opportunity in China ($B) (2)]

Page 8: Succeeding in China:  The Risk of Doing Business in China

Legal, Regulatory and Transaction Issues

Page 9: Succeeding in China:  The Risk of Doing Business in China

Technology Transfer Legal Framework

China’s Regulations on Administration of Technology Import and Export (Technology Regulations), effective January 1, 2002, govern the import and export of technologies into and out of China.

The Technology Regulations classify technologies into three broad categories, including:

1. Prohibited technologies: Cannot be imported into or exported out of China.

2. Restricted technologies: Import and export must be pre-approved by the relevant Chinese governmental authority, and copies of the relevant technology transfer agreement must be submitted to the relevant governmental authority.

3. Permitted technologies: Can be imported into or exported out of China without prior Chinese governmental approval.

Page 10: Succeeding in China:  The Risk of Doing Business in China

Forms of Technology Transfers

Technology transactions may take a variety of forms. All of the following transactions are subject to the Technology Regulations:

Patent assignments

Assignments of patent application rights

Patent licensing

Assignments of know-how or trade secrets

Licensing of know-how or trade secrets

Technical services and other unspecified forms of technology transfer covered by the Technology Regulations

Cooperative research and development contracts

Technology consultancy contracts

Technical training contracts

Technology brokerage contracts

Software import and export contracts

Trademark licenses or assignments involving patented or non-patented technology

Page 11: Succeeding in China:  The Risk of Doing Business in China

Applicable Contract Law

Unified Contract Law, adopted in 1999, provides substantial freedom for the parties to enter into agreements.

Page 12: Succeeding in China:  The Risk of Doing Business in China

Obstacles to Technology Transfer to China

Lack of control over future developments, modifications and enhancements of transferred technologies.

Warranty requirements.

Collecting royalties and other payments.

Protection of Intellectual Property.

Lack of Trust.

Page 13: Succeeding in China:  The Risk of Doing Business in China

Mandatory Provisions of Chinese Law

Chinese law requires the foreign licensor to:

“Guarantee” that the licensed technology be complete, correct, valid, and capable of accomplishing the specified technological objectives.

“Guarantee” that it is the legal owner of, or the party with the right to license, the technology.

If the Chinese licensee infringes on another party’s right by using the licensed technology pursuant to the license agreement, the licensor is required to bear the responsibility for such infringement.

Page 14: Succeeding in China:  The Risk of Doing Business in China

Prohibitions

The Technology Regulations prohibit the following provisions:

• Requiring the transferee to accept incidental conditions unnecessary for the imported technology, including the purchase of unnecessary items.

• Requiring the transferee to pay for, or undertake obligations relating to, a technology for which the patent right has expired or has been announced as invalid.

• Restricting the transferee’s improvement of the technology provided by the transferor, or restricting the transferee’s use of the improved technology.

• Restricting the transferee’s acquisition from a third party of any technology similar to, or competitive with, the technology provided by the transferor.

• Unreasonably restricting the transferee’s channels or sources for the purchase of raw material, parts, components, products, or equipment.

• Unreasonably restricting the quantity, variety, or price of products produced by the transferee.

• Unreasonably restricting the transferee’s export channels for products manufactured by the transferee using the transferred technology.

Page 15: Succeeding in China:  The Risk of Doing Business in China

Key Issues of a Technology Transfer Agreement

Typically, a technology license agreement will cover the following key issues:

Field of use

Geographic scope/territory

License fees and payment terms

Ownership of technology

Ownership of improvements

Exclusive or non-exclusive/sublicense

Nondisclosure

Noncompetition

Term/termination

Indemnities/liabilities

Dispute resolution

Governing law

Governing language (i.e., Chinese or English)

Page 16: Succeeding in China:  The Risk of Doing Business in China

Key To Successful Technology Transfer

Find the “right” licensee.

Invest in the relationship and work to build trust.

Thoroughly document the transaction.

Work to keep interests aligned.

Maintain constant communication and support.

Page 17: Succeeding in China:  The Risk of Doing Business in China

Risks and Mitigation Strategies

Page 18: Succeeding in China:  The Risk of Doing Business in China

Type of Risk

IP Protection

Negative Impact on USG-Related Business

Export / OFAC Compliance

Compromise of U.S. Ethics Laws

Ineffective Legal Entity and Business Structure

Partner Turning Competitor

Market Restrictions

Profitability in China

Supply Chain & Operational Risks

Mitigating risks to profitability and value creation is critical. All are related to protecting a company’s brand/reputation.

[Chart: heat map of the nine risks listed above, with axes Potential Impact and Likelihood]

Page 19: Succeeding in China:  The Risk of Doing Business in China

IP Risks in China

Local companies are known to introduce rival products within 2-6 months of a new product introduction by an MNC

A significant number of IP-related lawsuits between MNCs and Chinese companies indicates the existence of IP infringement practices (~60,000 in 2011, up from ~43,000 in 2010) (2)

Government regulations on IP creation and usage make it mandatory for MNCs to share IP in China in certain instances

Protecting IP is typically cited as the most significant challenge to operating in China

Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011, (2) China Patent Agent LTD., (3) Nera Economic Consulting estimate

% of Companies Citing Challenges in China as Significant (1)

Infrastructure problems: 18%

Supply chain capabilities: 24%

Establishing partnerships with local companies: 31%

Protectionist policies or government red tape: 37%

Adequate supply of skilled labor: 38%

Providing affordable products and services: 43%

Brand awareness in the market: 45%

Understanding customers' buying behavior: 45%

Competition from local competitors: 49%

Adequate IP protection: 58%

Page 20: Succeeding in China:  The Risk of Doing Business in China

An IP protection strategy should be integrated from the product strategy through the operating model and tactics

Implementation Steps

1. Identify products being sold in China

― Identify the products and services best suited to China market – determine whether to: (1) take the whole stack (but restrict access to core technology), or (2) dedicate less valuable technology that is sufficient to meet current market demand

2. Establish a clear integrated strategy

― Create a China IP Protection Control Structure that integrates politics, partners, people, process, vendors, and technology

― Define clear operating model (e.g., human resources, vendor management, manufacturing, supply chain, information technology)

3. Manage operations with IP protection in mind

― Redesign R&D processes to increase compartmentalization and protection; this will result in higher IP management costs

― Program, implement, and commercialize technology development with value management in mind, building IP protection into processes

4. Apply the right tactics to protect IP

― Define processes and controls throughout all business functions to safeguard IP

― Change product development cadence and release cycles

Page 21: Succeeding in China:  The Risk of Doing Business in China

In addition to IP protection concerns, there is a risk that U.S. government (USG) agencies could have concerns about offshore operations in certain countries

Key Risks

Certain USG agencies may have concerns surrounding their product and/or service providers operating in certain countries

Key concerns appear to revolve around the following:

― Loss of U.S. IP

― Products or product code being infiltrated or corrupted by foreign parties

― Network and IT access into USG data centers or systems

― USG related information becoming accessible

Negative USG perceptions of the company may impact existing and future contracts / business and may lead to loss of revenue and USG audits

Mitigation Approach

Companies should wall-off foreign operations from public sector business in a way that is auditable

Leading practices include creating two sets of operational, network, and IT firewalls:

1. Between Offshore and US businesses

2. Between US and US Government Services divisions

Companies should proactively develop programs to educate government customers

Mitigation approach should be structured to address operations for each business function across eight key security threads

Page 22: Succeeding in China:  The Risk of Doing Business in China

Function: Information Technology

[Figure: ProxyCo Current State. A grid assessing each business function against the security threads.]

Security Threads: Physical; People; Process; Product; Systems; Physical Data; Electronic Data; Vendors / Suppliers

Functions (Selling Product; Supporting Business): Research & Development; Product & Delivery; Product Development, Delivery, & Support; Maintenance; Sales & Marketing; Finance; Human Resources; Legal; Facility & Security; IT

Vendor/Suppliers (Real Estate, Procurement and Other)

Systems (Recruitment, Development, Administration and Performance Management)

Physical Data (Design, Development, Deployment, Operations and Performance Management)

Physical (Real Estate) (Business and Financial Strategy, Mergers and Acquisitions, Tax Management, Risk Management, Compliance Management, Program Management and Performance Management)

People (Marketing, Sales, Delivery/Provisioning, Billing and Service)

Process (Innovation and Design, Supply Chain Management, Production Operations and Logistics)

Note: Many actions could logically be associated with other or multiple process groupings. For example, many customer and product actions are likely to have heavy IT and HR components.

Privileged and Confidential for ProxyCo and Deloitte Consulting Only As of Month 20XX

Is ProxyCo's banking management process independent of the parent’s?

Has ProxyCo established a fully separate and distinct finance process and functional organization that will manage the Finance Function's activities?

Are Finance temporary employees compliant with the terms of the NSA?

Are Finance subcontractors compliant with the terms of the NSA?

Do any of ProxyCo's Finance personnel also work for the parent?

Does the Finance Function report to an executive at ProxyCo?

Have the Finance Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the Finance Function have security policies and a training plan?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Is the Finance Function staffed only by ProxyCo's employees?

Is classified / sensitive information stored in the Finance facilities in a secure manner?

Are physical records of financial statements accessible by the parent company?

Are controls in place to ensure that there is no unauthorized access into the Finance facilities?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Is the Finance Function physically separated from the parent?

Does ProxyCo outsource any Finance activities?

Has ProxyCo established independent Finance systems from the parent?

Are ProxyCo's Finance IT systems accessible by the parent's employees?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Is the Human Resources (HR) Function physically separated from the parent?

Are controls in place to ensure that there is no unauthorized access into the HR facilities?

Is classified / sensitive information stored in the HR facilities in a secure manner?

Is the HR Function staffed only by ProxyCo's employees?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Does the HR Function have security policies and a training plan?

Have the HR Function's policies and procedures pertaining to NSA requirements been reviewed with employees?

Does the HR Function report to an executive at ProxyCo?

What exit policies and procedures are used by ProxyCo?

What is ProxyCo's screening process for new employees?

Does ProxyCo hire foreign nationals?

Are security clearances managed by an approved security officer?

Do any of ProxyCo's HR personnel also work for the parent?

Do people outside of ProxyCo have access to ProxyCo's employee records?

Are HR subcontractors compliant with the terms of the NSA?

Are HR temporary employees compliant with the terms of the NSA?

Has ProxyCo established a fully separate and distinct HR process and functional organization that will manage the HR Function’s activities?

What is the process for managing security clearances?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Is classified / sensitive information stored in the Legal facilities in a secure manner?

Is the Legal Function staffed only by ProxyCo's employees?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Does the Legal Function have security policies and a training plan?

Have the Legal Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the Legal Function report to an executive at ProxyCo?

Do any of ProxyCo's Legal personnel also work for the parent?

Are Legal subcontractors compliant with the terms of the NSA?

Are Legal temporary employees compliant with the terms of the NSA?

Are Legal employment decisions appropriately documented and reviewed?

Has ProxyCo established a fully separate and distinct legal process and functional organization that will manage the activities of ProxyCo's Legal Function?

What is the process for conducting confidential investigations for ProxyCo?

Is there an investigations board, separate from the parent, that will handle all investigations for ProxyCo?

Does ProxyCo outsource any Legal activities to vendors who have not agreed to the terms of the NSA?

Are ProxyCo's Legal IT systems accessible by the parent's employees?

Is the Legal Function physically separated from the parent?

Are controls in place to ensure that there is no unauthorized access into the Legal facilities?

Is the Facility & Security Function physically separated from the parent?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Are controls in place to ensure that there is no unauthorized access into the Facility & Security facilities?

Are there video surveillance systems?

Is classified / sensitive information stored at the Facility & Security facilities in a secure manner?

Is the Facility & Security Function staffed only by ProxyCo's employees?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Does the Facility & Security Function have security policies and a training plan?

Have the Facility & Security Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the Facility & Security staff report to an executive at ProxyCo?

Do any of ProxyCo's Facility & Security personnel also work for the parent?

Are Facility & Security subcontractors compliant with the terms of the NSA?

Are Facility & Security temporary employees compliant with the terms of the NSA?

Which individuals have access to the video surveillance systems?

Are there security personnel for all facilities?

Are the security personnel properly trained and vetted to work at cleared facilities?

Is there a separate and independent body that monitors the access and behaviors of the Facility & Security staff, including contact between the staff and the parent?

Are there individuals assigned to continuously monitor intrusions and / or any suspicious activities, and are these individuals direct employees of ProxyCo?

Is the Information Technology (IT) Function physically separated from the parent?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Is the IT Function staffed only by ProxyCo’s employees?

Does the IT Function have security policies and a training plan?

Have the IT Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the IT Staff report to an executive at ProxyCo?

Do any of ProxyCo's IT personnel also work for the parent?

Has ProxyCo established a fully separate and distinct IT process and functional organization that will manage the IT activities?

Has a set of security requirements been provided to IT, based on the NSA and other government documents, that IT can use to take appropriate steps?

Have electronic security perimeters been established?

Is there a process for securing hardware?

Are there any automatic escalation processes to alert management of intrusions and / or suspicious activity?

Has ProxyCo established independent IT systems from the parent?

Are there one-time or recurring data transfers between ProxyCo and the parent?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's IT data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for IT and related information?

Are controls in place to ensure that there is no unauthorized access into the IT facilities?

Is classified / sensitive information stored in the IT facilities in a secure manner?

Are IT subcontractors compliant with the terms of the NSA?

Are IT temporary employees compliant with the terms of the NSA?

Is there a separate and independent body that monitors the access and behaviors of IT staff, including contact between IT staff and the parent?

Are there people assigned to continuously monitor intrusions and / or any suspicious activities, and are these people direct employees of ProxyCo?

Does the parent have access to any classified / sensitive data that is under the custody of ProxyCo's IT Staff?

Is there a well-documented and regularly revisited process for incident reporting and response planning?

Are processes in place to govern how ProxyCo’s staff engage and interact with the parent’s staff?

Are IT processes appropriately documented?

Are ProxyCo's IT systems accessible by the parent's employees?

Are the IT systems protected by firewalls?

Are any IT services outsourced to foreign countries?

Are any data connections between ProxyCo and the parent appropriately audited and firewalled?

Has extensive testing been conducted to ensure the integrity of the firewall?

Are there any links on ProxyCo's website that can take users to secured areas?

Are all data repositories securely hosted for only ProxyCo?

Are company websites governed closely by security specialists to cleanse them of any sensitive or classified information?

Is the Maintenance Function physically separated from the parent?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Are controls in place to ensure that there is no unauthorized access into the Maintenance facilities?

Is classified / sensitive information stored in the Maintenance facilities in a secure manner?

Is the Maintenance Function staffed only by ProxyCo's employees?

Does the Maintenance Function have security policies and a training plan?

Have the Maintenance Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the Maintenance Function report to an executive at ProxyCo?

Do any of ProxyCo's Maintenance personnel also work for the parent?

Are the Maintenance subcontractors compliant with the terms of the NSA?

Are the Maintenance temporary employees compliant with the terms of the NSA?

Has ProxyCo established a fully separate and distinct maintenance process and functional organization that will manage the Maintenance Function's activities?

Are Maintenance processes appropriately documented?

Has ProxyCo established independent Maintenance systems from the parent?

Is there a database for maintaining agreements / contracts?

Are all Maintenance systems secured with a firewall?

Where are product components / supplies stored prior to completion?

Are controls in place to ensure that there is no unauthorized access into the Product & Delivery facilities?

Is classified / sensitive information stored in the Product & Delivery facilities in a secure manner?

What procedures are taken to ensure that the shipping and delivery of products is secure?

What security procedures / plans are in place to secure warehouses and facilities that distribute ProxyCo’s products / technologies?

Are the vehicles by which ProxyCo’s products are transported designed to prevent destruction or malicious activity / theft?

Does the Product & Delivery Function report to an executive at ProxyCo?

Do any of ProxyCo's Product & Delivery personnel also work for the parent?

Are Product & Delivery subcontractors compliant with the terms of the NSA?

Are Product & Delivery temporary employees compliant with the terms of the NSA?

Do the individuals involved in the distribution network have the appropriate level of clearance to transport sensitive technologies / products?

Does the Product & Delivery Function have controls in place to regulate individuals who handle the products?

Which individuals have access to or are responsible for tracking the products en route?

Does ProxyCo outsource / subcontract any Product & Delivery activities?

Are ProxyCo's products securely shipped and delivered?

Are Product & Delivery processes appropriately documented?

Are ProxyCo’s manufacturing systems and supporting systems accessible by outside parties?

Are the product assembly guides in the Product & Delivery Function securely monitored and stored?

Are there appropriate controls in place to ensure that data cannot be leaked from inside ProxyCo and that data cannot be accessed from outside of ProxyCo?

Is there a firewall to prevent data storage outside of ProxyCo's servers?

Has extensive testing been conducted to ensure the integrity of the firewall?

Is the Product & Delivery Function physically separated from the parent?

Will non-Product & Delivery employees be granted access into the Product & Delivery facilities?

Is visible badge identification required at all times in the Product & Delivery facilities?

Are emergency response procedures in place for the Product & Delivery facilities?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Where is product inventory stored prior to shipment?

Is the Product & Delivery Function staffed only by ProxyCo's employees?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Which Key Management Personnel have influence over or access to the Product & Delivery Function?

What level of clearance is required to have access to the Product & Delivery Function?

Do any of the personnel that have access to the Product & Delivery Function not have the appropriate level of security clearance required for those facilities?

Which personnel outside of the Product and Delivery Function's employees are allowed to be in the Product & Delivery facilities?

Does the Product & Delivery Function have security policies and a training plan?

Have the Product & Delivery Function's policies and procedures pertaining to the NSA been reviewed with employees?

Has ProxyCo established a fully separate and distinct Product & Delivery process and functional organization that will manage the Product & Delivery Function's activities?

What is the process for supporting ProxyCo's Product & Delivery operations in high-risk countries?

Has ProxyCo established independent Product & Delivery systems from the parent?

Are ProxyCo's Product & Delivery IT systems accessible by the parent's employees?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's Product & Delivery data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for Product & Delivery and related information?

Are physical records, project plans, and contracts stored within ProxyCo securely?

What additional security is used to protect the R&D facilities?

Are controls in place to ensure that there is no unauthorized access into the R&D facilities?

Is classified / sensitive information stored in the R&D facilities in a secure manner?

Does the R&D Function have security policies and a training plan?

Have the R&D Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the R&D Function report to an executive at ProxyCo?

Do any of ProxyCo's R&D personnel also work for the parent?

Does the company control information and access from outside researchers?

Does ProxyCo outsource any R&D activities?

Are there controls in place to protect ProxyCo's intellectual property from being transferred to the parent?

Are R&D processes appropriately documented?

Are ProxyCo’s R&D systems and supporting systems accessible by outside parties?

Has ProxyCo established a separate secure, independent data repository for R&D and related information?

Are there appropriate controls in place to ensure that data cannot be leaked from inside ProxyCo and that data cannot be accessed from outside of ProxyCo?

Is there a firewall to prevent data storage outside of ProxyCo's servers?

Has extensive testing been conducted to ensure the integrity of the firewall?

What is the process for keeping ProxyCo's vendor lists confidential?

What information does ProxyCo share with vendors?

Is the Research and Development (R&D) Function physically separated from the parent?

Will non-R&D employee badges be granted access into R&D facilities?

Is visible badge identification required at all times in R&D facilities?

Are emergency response procedures in place for the R&D facilities?

Is the R&D Function staffed only by ProxyCo's employees?

Do only authorized personnel have full access to the R&D Function?

Which Key Management Personnel (KMP) have influence over or access to the R&D Function?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Which personnel outside of the R&D Function’s employees are allowed to be in the R&D facilities?

Has ProxyCo established a fully separate and distinct R&D process and functional organization that will manage the R&D Function's activities?

What is the process for supporting ProxyCo's R&D operations in high-risk countries?

Does the company have any joint R&D activities with outside parties?

Has ProxyCo established independent R&D systems from the parent?

Are ProxyCo's R&D IT systems accessible by the parent's employees?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's R&D data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a fully separate and distinct set of R&D Service Level Agreements (SLAs) with its vendors?

Do ProxyCo and the parent share any vendors?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's Maintenance data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for Maintenance and related information?

Has ProxyCo established a fully separate and distinct set of Maintenance SLAs with its vendors?

Are multiple vendors used for Maintenance?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's Finance data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for Finance and related information?

Is there a firewall to prevent data storage outside of ProxyCo's servers?

What procedures are in place to protect the sensitivity and integrity of ProxyCo's financial data?

Has ProxyCo established a fully separate and distinct set of Finance SLAs with its vendors?

Does ProxyCo share any vendors with the parent?

How much access do vendors have to financial data from classified / sensitive areas?

What is the process for keeping classified / sensitive employee records secure?

Has ProxyCo established independent HR systems from the parent?

Are ProxyCo's HR IT systems accessible by the parent's employees?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's HR data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for HR and related information?

Is there a firewall to prevent data storage outside of ProxyCo's servers?

Has extensive testing been conducted to ensure the integrity of the firewall?

Has ProxyCo established a fully separate and distinct set of HR SLAs with its vendors?

Do ProxyCo and the parent have any shared contracts with any HR vendors?

Are vendors that access ProxyCo’s systems fully compliant with the NSA?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's Legal data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for Legal and related information?

Is there a firewall to prevent data storage outside of ProxyCo's servers?

Has extensive testing been conducted to ensure integrity of the firewall?

Has ProxyCo established a fully separate and distinct set of Legal SLAs with its vendors?

Do ProxyCo and the parent share any vendors?

Are vendors that access ProxyCo’s systems fully compliant with the NSA?

Has ProxyCo established a fully separate and distinct process and functional organization that will manage ProxyCo's Facility & Security Function's activities?

Are any of the following activities outsourced: lease administration, space management, lease transactions, and shipping?

Has ProxyCo established independent Facility & Security systems from the parent?

Does ProxyCo have separate voice and data infrastructure for its facilities?

Are ProxyCo's servers stored in a secure area outside of the parent’s facilities?

Is the process for moving physical data from one facility to another secure, documented, and followed?

Is the movement of classified / sensitive data properly restricted?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's Facility & Security data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for Facility & Security and related information?

Is badging and surveillance data properly protected?

Has ProxyCo established a fully separate and distinct set of Facility & Security SLAs with its vendors?

Is there a firewall to prevent data storage outside of ProxyCo's servers?

Has ProxyCo established a fully separate and distinct set of IT SLAs with its vendors?

How much access do vendors have to ProxyCo's IT systems and infrastructure without the appropriate level of control?

Is any data hosted in offshore locations?

Is there a separate body or function that monitors vendors' activities on ProxyCo's IT systems and infrastructure?

Are vendors that access ProxyCo’s systems fully compliant with the NSA?

Supply Chain

Is the Supply Chain Function physically separated from the parent?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Is the shipping and delivery of inputs securely handled?

Are the warehouses and facilities that receive ProxyCo's inputs appropriately secured?

Are controls in place to ensure that there is no unauthorized access into the Supply Chain facilities?

Is classified / sensitive information stored in the Supply Chain facilities in a secure manner?

Is the Supply Chain Function staffed only by ProxyCo's employees?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Does the Supply Chain Function have security policies and a training plan?

Have the Supply Chain Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the Supply Chain Function report to an executive at ProxyCo?

Do only authorized personnel have full access to the Supply Chain Function?

Does ProxyCo have controls in place to regulate and monitor the individuals who handle the inputs?

Do any of ProxyCo's Supply Chain personnel also work for the parent?

Are Supply Chain subcontractors compliant with the terms of the NSA?

Are Supply Chain temporary employees compliant with the terms of the NSA?

Has ProxyCo established a fully separate and distinct Supply Chain process and functional organization that will manage the activities of ProxyCo's Supply Chain Function?

Does ProxyCo outsource any Supply Chain activities?

Are Supply Chain processes appropriately documented?

Has ProxyCo established independent Supply Chain systems from the parent?

How are physical invoices filed and stored?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's Supply Chain data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for Supply Chain and related information?

Has ProxyCo established a fully separate and distinct set of Supply Chain SLAs with its vendors?

Do ProxyCo and the parent share any vendors?

What is the process for keeping ProxyCo's vendor lists confidential?

Has ProxyCo established independent Legal systems from the parent to manage and support the company's Legal Function?

What information does ProxyCo share with its vendors?

Does ProxyCo have sole responsibility for all supplier selection, subcontracting, and supplier management activities?

How much product information is transferred to the vendors' databases and how secure is this information transfer?

What information does ProxyCo share with vendors?

Does ProxyCo have travel and shipping contracts independent of the parent?

Are there access controls in place to monitor individuals who are given access to the products and technologies being delivered?

Has ProxyCo established a fully separate and distinct set of Product & Delivery SLAs with its vendors?

Do ProxyCo and the parent share any vendors?

How much product information is transferred to vendors' databases and how secure is this information transfer?

What is the process for keeping ProxyCo's vendor lists confidential?

Are Finance processes appropriately documented?

Is financial and accounting information transmitted to the parent's Finance Function?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Does ProxyCo have the processes and controls necessary to safeguard classified / sensitive or protected software code prior to the release of the hardware for maintenance?

Is there a defined process for using the parent's Maintenance Function?

Is data on the devices being repaired wiped for all devices leaving ProxyCo?

Are HR processes appropriately documented?

Are patents exclusively owned by the mitigated entity?

Are Legal processes appropriately documented?

Are Facility & Security processes appropriately documented?

Is the Sales & Marketing Function physically separated from the parent?

Are physical records, project plans, and contracts stored within ProxyCo securely?

Is the Sales & Marketing Function staffed only by ProxyCo's employees?

Is access to classified / sensitive information restricted only to the appropriate personnel?

Does the Sales & Marketing Function have security policies and a training plan?

Have the Sales & Marketing Function's policies and procedures pertaining to the NSA been reviewed with employees?

Does the Sales & Marketing Function report to an executive at ProxyCo?

Do Sales & Marketing personnel sell or market any of the parent's products?

Do any of ProxyCo's Sales & Marketing personnel also work for the parent?

Are Sales & Marketing subcontractors compliant with the terms of the NSA?

Are Sales & Marketing temporary employees compliant with the terms of the NSA?

Do Sales & Marketing personnel travel to foreign countries to conduct business?

Has ProxyCo established a fully separate and distinct Sales & Marketing process and functional organization that will manage the Sales & Marketing Function's activities?

Does ProxyCo sell and track products on behalf of the parent?

Is ProxyCo's sales planning independent of the parent?

Does ProxyCo outsource any Sales & Marketing activities?

Does ProxyCo have IT support for Sales & Marketing operations, including intranet and extranet enterprise portal capabilities and CRM?

Are Sales & Marketing processes appropriately documented?

Are ProxyCo marketing and branding decisions independent of the parent?

Are appropriate processes in place to ensure that marketing target lists and information are kept confidential?

Has ProxyCo established independent Sales & Marketing systems from the parent?

Are ProxyCo's Customer Relationship Management (CRM) systems accessible by the parent's employees?

Does ProxyCo have an independent intranet on which to design, develop, publish, and maintain content?

Do Sales personnel maintain classified / sensitive information in their physical custody while visiting with prospective clients and / or visiting trade shows?

Have all existing data repositories been identified and are they within ProxyCo?

Has ProxyCo's Sales & Marketing data been wiped from the IT systems that the parent has access to?

Has the wiped data from IT systems provided to the parent been tracked and managed?

Has ProxyCo established a separate secure, independent data repository for Sales & Marketing and related information?

Are any products or services inappropriately detailed on the company’s website or in marketing material?

Where are CRM records stored, who has access to them & who has had access to them?

Has ProxyCo established a fully separate and distinct set of Sales & Marketing SLAs with its vendors?

Protecting IP and assuaging U.S. Government concerns requires a reengineered operating model

Functional Example

Deloitte’s FOCI-Mitigation Toolset (Foreign Ownership, Control, or Influence)


Corruption in China – pace of change, growing economic prosperity, historical practices

US FCPA – Prohibits payments of something of value to foreign officials or members of a political party to obtain or retain business.

Violations and Penalties – Anti-bribery:

Individual criminal fines up to $250,000 and imprisonment up to 5 years

Companies may be fined $2 million for each violation

Violations and Penalties – Violation of accounting provisions

Individual criminal fines up to $5 million and imprisonment up to 20 years

Companies may be fined $25 million for each violation

What is an improper gift or payment?

FCPA prohibits corrupt payments through intermediaries

What are the risks?

Foreign Corrupt Practices Act


Large sales to governmental agencies or SOE’s with high unit price and low frequency;

A request for commission payments to be made to bank accounts in other countries or to people or companies who did not perform the services;

Excessive payments or commissions for services rendered or insufficient staff to perform the services to be rendered;

Vague deliverables in contracts;

Losing bidders hired as subcontractors;

Favorable treatment of one supplier over another;

Lack of relevant experience of a successful bidder;

Unnecessary third parties performing services;

Lack of documentation from agents;

A representative or distributor has family or business ties with government officials;

A representative or distributor requires that his or her identity not be disclosed;

A potential government customer recommends or requires that the U.S. company use a particular representative or distributor;

A representative or distributor makes requests such as backdating or altering invoices; or

A representative or distributor requests that an invoice be inflated.

Understand the Danger Signs

U.S. Foreign Corrupt Practices Act


Process and procedures

Oversight

Audit

Components of Program

FCPA Compliance Program


Embezzlement Risk

What to watch out for?

Key Risks

Fraud is rampant in China – “Opportunistic” vs. “Systemic Malfeasance”

There is a view that there are no consequences

It is OK to take advantage of a foreigner

Mitigation Approach

Pre-employment screening – verify everything

Certificate of No Criminal Record – provided by local police station and can be verified

Manage the HR Manager in China – Kickbacks and payoffs are common

Do not allow the GM to hire the finance manager


Contractual Risk

What to watch out for?

Key Risks

Chinese view of contracts – tool for building a relationship

Negotiation and re-negotiation

Enforcement

Mitigation Approach

Formation basics

Understand the role of contracts – Use strong contractual protections such as arbitration outside of China, governing law and language, waiver of sovereign immunity

Build personal relationships on a day-by-day basis

Learn the culture – role of relationships, how foreigners are viewed, the role of “face”, humility, sincerity and other concepts

Understand the role of contracts and cultural differences.


Human Capital Risk

What to watch out for?

Key Risks

The Chinese view of the workplace

Employees are not important

Hierarchy

Loyalty – To whom do the key employees owe their loyalty?

Turnover and its costs

Mitigation Approach

Integration

Training

Loyalty programs

Loyalty issues control and influence protection of IP and one’s brand and reputation


Operating Risk

What to watch out for?

Key Risks

Supply chain visibility – downstream and upstream – and chain of command

Control over costs and pricing

Differences in protection of property and business continuity efforts / requirements

Quality control and assurance

IP

Mitigation Approach

Compartmentalize production

Control the production process

Keep key technologies in the US

Employ rapid versioning

Integrate supply chain requirements through contracts, quality assurance, and risk management best practices

Visibility is most important in understanding critical operational risks


Risks should be managed through an integrated, cross-functional program

Sample Roadmap

Type of Risk

1. IP Protection

2. Negative Impact on USG-Related Business

3. Export / OFAC Compliance

4. Compromise of U.S. Ethics Laws

5. Ineffective Legal Entity & Business Structure

6. Partner Turning Competitor

7. Market Restrictions

8. Profitability in China

Function Responsible For Mitigating Risk (by risk number)

Legal & Risk: 1, 2, 3, 4, 5

IT: 1, 3, 5

Sales & Marketing: 2, 3, 5, 6, 8

Finance: 1, 5, 8

Operations: 1, 3, 5, 6, 7, 8

Executive Office: 5, 6, 7, 8

HR: 1, 2, 3, 4, 6


Key Lessons Learned

Summary

Do not leave common sense at the border

Understand the role of the Chinese government in day-to-day business and develop a governmental relations program

Develop “guanxi”

Select the “right” partners, suppliers and resellers

Always have strong legal foundation for business relationships


Andy is a strategy advisor with more than 15 years of experience leading efforts to help business executives overcome their most pressing challenges. His primary focus is on advising companies on ways to improve financial position by restructuring their operating models to improve the focus on future growth prospects.

In addition to this focus area, Andy is a lead in Deloitte’s cross-border investment practice with a focus on helping companies meet U.S. national security expectations, as well as helping them protect their intellectual property as they expand globally. He has led Deloitte’s efforts on a number of high profile CFIUS cases.

Andy has worked with telecom and high tech clients and has worked in China, Latin America and Europe on their behalf. He is the author of a number of articles, including, most recently, an article published in the Wall Street Journal entitled “Improving the Yield on your corporate investment portfolio.”

Director

Strategy Practice

Deloitte Consulting


Jim is a partner at Foley & Lardner, a leading international law firm. He is a corporate and securities lawyer focusing on start-up and emerging publicly traded and privately held companies looking to expand domestically and internationally and the venture capitalists, private equity groups and angels that invest in them. He has substantial experience in international transactions including mergers and acquisitions, foreign direct investment, technology transfers and joint ventures in China.

Jim has been involved in approximately 250 mergers, acquisitions and finance transactions and is the author of approximately 50 articles and has given over 50 presentations in the last four years on issues related to raising venture capital, mergers and acquisitions, start-ups, doing business in China and other topics.

Jim has been recognized by Law 500 as one of the best lawyers in the US for mergers and acquisitions, was named one of the Top 25 Clean Tech Lawyers in California in 2011 by the Daily Journal and one of Northern California’s Super Lawyers by San Francisco Magazine and Law and Politics Media.

Partner

Foley & Lardner, LLP