A Framework for Risk Management in Asia
 The growing list of risks surrounding global services delivery in Asia throws up fresh challenges, but few new forms of mitigation. The key to navigating this risk is flexibility
 by Tully Moss, The Magellan Alliance


In the world of risk management, there are two well-known world maps. The first world map shows areas prone to natural catastrophes — including earthquakes, volcanoes and tropical storms — and it has been developed by one of the largest re-insurance companies, MunichRe. The second world map highlights political and economic risks, and is produced by the second largest insurance broker, Aon. Overlay these two maps — one of natural hazards and the other of geopolitical risks — and you'll find a dense concentration of risks in that part of the world receiving the greatest amount of offshore outsourcing — Asia.

History would indicate that these maps are indeed an accurate reflection of the risks in Asia. Over the past few decades, Asia has experienced more natural and man-made turmoil than any other continent. Consider just a few of the natural catastrophes. In December of 2004, an earthquake off the coast of Indonesia triggered a tsunami that killed over 200,000 people. More recently, in October of last year, about 83,000 people lost their lives in an earthquake that occurred in Pakistan. Closer to one of the centers of offshore activity, Mumbai, India, monsoon rains killed several hundred people last year. And in 2002, the deadly Severe Acute Respiratory Syndrome (SARS) outbreak that began in China also killed several hundred people. All told, natural calamities, over the past 30 years, have taken over half a million lives in Asia.

Now, what about the geopolitical risks? Turning to the Aon map of political and economic risks, we see that most of Asia is considered to be at medium-level risk, at best. To reach its overall conclusions about country risk, Aon assessed each nation in terms of nine geopolitical risks: Economic, exchange transfer, sovereign non-payment, legal and regulatory, political interference, supply-chain vulnerability, civil disturbance, terrorism and war. India, the outsourcing star, is seen as vulnerable to five of these risks: Civil disturbance, political interference, legal and regulatory problems, supply-chain vulnerability and terrorism. China is seen as being vulnerable to the same five risks, with the exception that terrorism is not perceived to be a risk, whereas war is.

Within the legal and regulatory risk category, China poses an especially acute risk-management challenge with intellectual property theft. China is a country where there is rule by law more than there is rule of law. In that kind of environment, power and powerful relationships trump the law, all the time. The level of distrust is so high that most multinational companies will not bring their most advanced technology to China. In a telling conversation we recently had with the management of a leading pharmaceutical firm, they indicated that while they have several hundred highly competent Ph.D.s in China performing well on basic research and clamoring to do more advanced work, the pharmaceutical firm is reluctant to allow anything more than fairly routine work for fear of technology being stolen and patented by an employee, if something truly significant were discovered.

Among Asian countries making a play for outsourcing business, only Singapore is perceived by Aon as having the highest level of safety. Recognizing that the cost of doing business in Singapore makes it prohibitively expensive for mainstream outsourcing work, the country is positioning itself as a safe harbor for outsourcing work that requires a high degree of security, and as a location for “hot seats” in case of disruptions to outsourcing operations elsewhere in Asia.

Singapore's next-door neighbor, Malaysia, which Aon has rated as being in the second safest category in terms of geopolitical risks, is a sleeper on the outsourcing scene. Costs that are higher than those in India and other prominent outsourcing destinations, low English language proficiency and an aversion to outsourcing work on the part of younger workers has left Malaysia as an “also-ran” in the outsourcing game. But if serious questions arose about stability and security in other countries, the attractiveness of Malaysia could be elevated.

Location Risk

RANK* COUNTRY RISK**
1 India Medium risk
2 China Medium risk
3 Malaysia Medium-low risk
4 The Philippines Medium-high risk
5 Singapore Medium-low risk
6 Thailand Medium risk
7 Czech Republic Low risk
8 Chile Low risk
9 Canada Low risk
10 Brazil Medium-low risk
11 U.S.A. Low risk
12 Egypt Medium-high risk
13 Indonesia Medium-high risk
14 Jordan Medium-high risk
15 Bulgaria Medium risk
16 Slovakia Low risk
17 Mexico Medium risk
18 Poland Medium-low risk
19 Hungary Low risk
20 UAE Medium-low risk
21 Costa Rica Medium risk
22 Ghana Medium-high risk
23 Argentina Medium-high risk
24 Romania Medium risk
25 Jamaica Medium-high risk
26 Vietnam Medium-low risk
27 Russia Medium risk
28 U.K. Low risk
29 Australia Low risk
30 Tunisia Medium risk
31 Germany Low risk
32 South Africa Medium risk
33 Israel Medium risk
34 New Zealand Low risk
35 France Low risk
36 Panama Medium risk
37 Portugal Low risk
38 Spain Low risk
39 Ireland Low risk
40 Turkey Medium risk
* LOCATION RANK ACCORDING TO AT KEARNEY GLOBAL SERVICES INDEX 2005
** RISK PROFILE ACCORDING TO AON 2006 POLITICAL & ECONOMIC RISK MAP

With so much potential instability in Asia — both natural and geopolitical — risk management is a critically important issue. This raises a basic question: While companies have rushed to Asia, reaching for a high return on outsourcing in lower wage rate countries, have they also put on blinders about the risks? Or, have they in fact, taken appropriate risk management and business recovery initiatives to mitigate the risks and dependencies inherent in their Asian operations?

Turning East

By raising these questions, we're not saying, “Don't go to Asia.” In fact, we're saying just the opposite, “Go!” The cost savings and opportunities for process improvement are far too compelling not to go. But, if you go — or if you're already there — be clear-eyed about the risks, mitigate those risks, and then turn that risk mitigation into a strategic advantage. But, first, let's answer the question: Have companies put on blinders about the risks? The answer, as we shall see, is a mixed one.

In terms of three fundamentals of risk management — planning, redundancy and geographical diversity — the larger players in the offshore outsourcing and shared services game excel. But in terms of taking risk management to the next level — flipping it and turning what normally is a defensive activity into a strategic advantage — only a few exceptional companies have achieved a level of performance where they reap a daily — not disruption-dependent, but daily — advantage.

This advantage that the exceptional few enjoy is well articulated in an excellent book about supply-chain management, The Resilient Enterprise by MIT professor Yossi Sheffi. Professor Sheffi's basic contention is that “the characteristics that make for successful firms in today's uncertain marketplace are the same characteristics that make them resilient.” Resilient companies — those that do the best job of bouncing back from disruptions — are the ones that have a high degree of flexibility. And flexible companies tend to be those that not only do well in crises but are also top marketplace performers on a day-to-day basis. A classic example of a highly flexible company would be Dell Computer, with its make-to-order business model. Other examples of resilient companies can be found in industries such as the airline, fashion and high-end technology, where natural disruptions or the fickle tastes of consumers mandate a high degree of flexibility.

Professor Sheffi illustrates his fundamental points about flexibility with a tale of two companies. Both faced the same catastrophic situation. One exemplified what it means to be a flexible company. The other did not. One emerged an even stronger industry leader. The other was forced into an exit strategy.

On the night of March 17, 2000, a single bolt of lightning descended on a semiconductor manufacturing facility in Albuquerque, New Mexico, causing a fire in a furnace. Sprinklers went off, and the fire was extinguished in less than 10 minutes. The damage seemed minor. Philips NV, the Dutch electronics corporation that owned the plant, thought the facility would be back in operation within a week. Little did they realize, that it would take them months.

Semiconductor manufacturing requires pristinely clean facilities. The smoke, soot and water from the fire, as well as detritus from the boots of firefighters trampling around the clean room had badly contaminated the site. The extent of the contamination of the site and the extensive cleanup efforts required to bring the room back up to standard were not known at first, and the extent of the delay dawned on people only gradually, over time.

Two Scandinavian mobile phone manufacturers — Nokia and Ericsson — accounted for 40% of the manufacturing affected by the fire. One of these, Nokia, not only survived but also continued to expand its market share. The other, Ericsson, could not. Due to Nokia's superior internal-communications processes that ensured that bad news traveled fast and at all levels of its organization; strong, deep relationships with its suppliers; and its ability to jump more quickly on securing capacity at other facilities, helped it to stay on top of the situation — never assuming that the consequences would be as mild as initially predicted.

Ericsson's internal communications and response timing seriously lagged those of Nokia, and it paid a very dear price for that. Within six months of the fire, its market share declined from 12% to nine percent. At the end of 2000, Ericsson announced a loss in excess of $2 billion from its mobile phone operations. And within a year of the fire, Ericsson had begun a retreat from the business, forming a joint venture with Sony so that it could retain at least a foothold in the business. In the meantime, Nokia, Ericsson's competitor headquartered at the other end of the Baltic Sea, had increased its market share from 27% to 30%.

So, what did Nokia have that Ericsson did not, and what are the implications for offshore outsourcing and captive services operations in Asia? Nokia had the key attributes of a resilient enterprise: Vigorous, free flow of communications internally and deep-rooted relations with its suppliers.

The kind of robust communications and deep relations with suppliers exhibited by Nokia are much harder to achieve than the three fundamentals that we previously said had been mastered by most of the larger outsourcing operations — planning, redundancy and geographical diversity — which primarily require capital investments. But what Nokia achieved is a reflection of corporate culture, which is notoriously difficult to change.

So what have we learned that might be of help to outsourcing and shared-services operations? Here are a few guidelines:

•
It's not the plan, it's the people . One key insight that has emerged from natural catastrophes in the U.S.A. is that planning is not enough. Almost every company of any size has a business continuity or business recovery plan. Too often these plans are out of date, located in a part of the company that itself is vulnerable to disruption or dependent on people who have left the company. The merit of these plans all too frequently crumble in the chaotic moments after a catastrophe has struck

•
Create — don't copy or dictate — the plan . Don't follow a cookie-cutter approach. Don't just benchmark others and utilize best practices. The most creative, flexible and effective approaches to disaster recovery are the ones that have been developed internally and that are unique to individual companies. These planning efforts typically are the result of vigorous participation by the employees who would be responsible for bringing a business back on line. These employees are the ones most aware of weaknesses within the system and often have the most creative ideas for how to address those weaknesses

•
Geographic diversity counts . In August of 2005, Hurricane Katrina dealt a rude awakening to banks along the Gulf Coast, the great majority of which no doubt had business-continuity plans. With both land lines and mobile phone services knocked out, management struggled to find ways of communicating. It also found that having backup sites close to the home office was of no help if the backup site itself had been affected by the storm. Some of the Gulf Coast banks were not able to recover their system applications until the January of 2006

•
Supplier diversity is not a must — but should be considered . The supplier-diversity issue is typically discussed in terms of the trade off between the best-of-breed and one-throat-to-choke. Because the costs of vendor management and communications can rise dramatically with additional suppliers, there are compelling economic advantages on the one-throat-to-choke end of the equation. But, if you have only one throat, can it really be choked in times of disruption? And if there is only one throat, is that a top-tier or second-tier provider? The vendor landscape is likely to change dramatically over the next five to ten years with substantial industry consolidation. Look closely at the finances of second-tier providers before engaging them

•
Practice the plan . The better practitioners of disaster-recovery planning know it's not enough to have a plan on the shelf. They run surprise exercises to see how thoroughly employees have internalized those plans when they are confronted with scenarios they may not have thought of previously

•
Assess your suppliers' resiliency . Yes, they no doubt have a business-continuity plan, too, and if it's a major outsourcing firm that you're dealing with, it's probably an impressive plan. But, don't take that plan at face value. Probe for how freely communications flow within the provider's organization. Probe also for the depth of the relationships they have with their key suppliers

•
Communicate, communicate, communicate . Those companies that do best in crises are the ones that have fluid lines of communication. These communications need to freely flow not just internally but also with customers and vendors — and communication needs to flow on an ongoing basis, not just when there is a crisis. Bear in mind that if you have mitigated risk by having geographic and perhaps supplier diversity, you have increased communications-related risks, which can be technological in nature (as with the Gulf Coast banks in the aftermath of Hurricane Katrina) or can be related to the challenges of communicating across different cultures and languages.

Following these approaches brings not just great risk mitigation, but a strategic advantage that yields benefits not just in times of crisis but also on a daily basis.

* * *

This article is courtesy of Tully Moss and Global Services magazine (globalservicesmedia.com)