LINEBURG


<< . .

 8
( 36)



. . >>





0
0
0




0
0
0
0




r-0
r-0
r-0
r-0




n-
n-
n-




p-
n-




p-
n-




p-
p-
p-




c-
c-
c-
c-
c-
e-
Pr




Timeline (2000“2004)
Cumulative savings All costs

Figure 2.2 Actual consolidated spreadsheet graph for T-Corp Ohio SSD case. The large upward
sloping curve represents cumulative savings.
Source: T-Corp, as developed by managers before offshore engagement.




Offshore risks

Any cross-border business increases risks; this is a constant in doing international busi-
ness. Risk is the uncertainty in doing business. Offshore risks should not be seen in the
same category as the largely predictable “extra” offshore costs, covered earlier in this
chapter, which result from various factors such as dif¬culties in knowledge transfer,
45 Offshore economics and offshore risks


cultural communication problems, and increased coordination overhead. Offshore risks
are the surprises. In business we do not like surprises. This section focuses on those the
risks, listed in Exhibit 2.2, which are greater because the work is done offshore.
The most important of the offshore risks is country risk, which is introduced here
and expanded upon in Chapter 4, The Offshore Country Menu. Country risk is a broad,
umbrella term, encompassing within it political risk and ¬nancial risk.
Offshoring is about working in developing or emerging countries, which have histori-
cally been more volatile, less stable, less predictable, and less transparent. Offshoring
software work exposes the company to a myriad of issues in the host country.
The consequences of country risk can be severe because they affect, among other
things, business continuity “ the ability of the ¬rm to continue its core operations.
When offshoring, companies are exposed to increased risks of war, terrorism, rioting,
uprising, con¬scation, expropriation, and currency crises. These are real risks. They do
happen. We just do not know how to predict them, especially the big, shocking events.
A number of companies measure and rank these country-level risks, but they have been
shown to be quite poor at predicting the big surprises “ the crises, such as the
Argentinean collapse of 2001“2002, or the Asian ¬nancial crisis of 1997. Therefore,
these country risk assessments are of limited use in evaluating offshoring. One country-
level ¬nancial risk is currency risk, the risk of exposure due to change in exchange
rates. Absent a crisis, this risk can be mitigated by determining the currency of pay-
ment in the case of an outsourcer, or by currency hedging.
Another part of country risk is the risk of government regulatory changes. This is
also called sovereign risk. A generation ago it was common to fear con¬scation,
nationalization, and expropriation. These seem less likely today. However, govern-
ments may change tax or subsidy structures that once favored offshore operations mak-
ing them less attractive. Thus, favorable tax treatments in, say, the Philippines or China
may change. Governments may also change the regulations that govern technology
joint ventures in order to favor the local partner.
Once IT operations are in a country, most country risks are not controllable. The risk
may be diversi¬ed, mitigated, or insured,24 but it cannot be controlled since in theory,


Country


Intellectual Property (IP)


Loss of proprietary knowledge


Data security


Corruption


System security


Contractual


Infrastructure


Societal and regulatory changes in your home country





Exhibit 2.2 Risk categories that are introduced or may be greater due to offshoring.
46 The fundamentals


no single company has the power, for example, to stop a war between India and
Pakistan. We heard an interesting rumor on this issue of controlling risk: during the
Indian“Pakistani tensions of 2002, GE™s CEO spoke to India™s Premier and warned
him that if war breaks out, GE will have to move most of its vast operations out of
India. After a brief period of crisis, tensions subsided (see also the GE case in
Chapter 5).
Large ¬rms with substantial operations in India have reacted to the issue of country
risk by diversifying to multiple nations (sometimes called multiple sourcing). IT man-
agers mitigate the risk consequences by devoting more attention to their offshore con-
tingency plans. Such plans may include mirrored systems or backup sites in another
country, such as Singapore or Mauritius. Attention must be focused on whether the off-
shore unit has actually tested the backup plan. Equally important is the need for exten-
sive system and maintenance documentation so that other staff can, if needed, pick up
the work in case of crisis.


Risk likelihood and severity
When offshoring, a ¬rm™s goal is to reduce the ¬rm™s risk exposure, which is the prod-
uct of the probability of a bad outcome and the severity of its consequences.
Consider the case of a hypothetical leading-edge Swedish software company, Björn,
developing a state-of-the-art product. Björn™s software code is its crown jewels. But, also
vital is the know-how in the minds of the key engineers gained from working with the core
software and with its specialized customers. What can go wrong here “ what are the
risks? Firstly, the software code can be copied and used in the product of Björn™s chief
rival Kjerstin-Tech. Secondly, key people can transfer knowledge to Kjerstin-Tech.
What is the probability of these two adverse events happening? This is a key ques-
tion. In Sweden, Björn may be able to legally enforce its code ownership against
Kjerstin-Tech. The mere knowledge of enforcement may give pause to Kjerstin-Tech.
Björn may also be able to prevent some knowledge seepage through non-compete legal
clauses in individual employment contracts. Beyond the legal limitations, it may also
be able to control its “intellectual capital” through various “social controls,” which are
typically achieved by keeping knowledge in just one location.
On the other hand, in many offshore countries these restrictions and barriers are
weaker or non-existent. Therefore, we can say that the probability of such an adverse
event is higher offshore. It is more likely; perhaps, slightly more likely; perhaps, a lot
more likely. For example, the performance-based contracts, which are increasingly
common offshore, drive engineers to leave ¬rms, exacerbating turnover, leading to
increased likelihood that these engineers take with them specialized knowledge.
Next, we come to the severity of the event. Let us assume that the severity of these
adverse events to Björn is high. If code or know-how falls into the hands of Kjerstin-
Tech, it will take away 20% of Björn™s market share. But it really does not matter if the
47 Offshore economics and offshore risks


thief is a Swede, an American, or Chinese. Once it happens, the severity “ loss of 20%
market share “ is the same.
However, loss of key assets (code, knowledge) may have more severe competitive risks
if a foreign ¬rm, we call it Foreign-Soft, uses those assets to improve its products and
build its base in various foreign countries, slowly encroaching on Björn™s global compet-
itiveness. In such a case, the severity of the adverse event may be even higher offshore.


Eight additional offshore risks
The risk illustrated in the Björn example is IP risk and this is the ¬rst of the additional
risks presented here. Eight offshoring risks are introduced in this section.25 This is not
a compilation of all project and outsourcing risks,26 of which many exist, but rather
those risks which are either “new” because of offshoring or for which the probability
or severity of them occurring may be higher due to offshoring.
Intellectual Property (IP) risk. In most of the target developing nations, enforcement
of IP breaches is rare, while theft of software code or ideas (trade secrets) leaves the
aggrieved party little practical recourse. Two recent examples illustrate these perils,
but they also illustrate the emerging regime of remedies and enforcement. The ¬rst
case, in China, occurred when one of the leading technology companies, Huawei, used
some of Cisco™s code, complete with comments and errors, in its own products. Huawei
has become a direct competitor of Cisco in China and in emerging markets.27 The case
was settled by mutual agreement by the two parties in 2004.
The second case is of SolidWorks, a US software product ¬rm which outsourced to an
Indian provider, GSSL. A software engineer working on this software was ¬red from
GSSL and copied the software code before he left. He then contacted several competi-
tors of SolidWorks in an attempt to sell them the stolen code. He was caught by a sting
operation conducted by the US FBI and the Indian Central Bureau of Intelligence.28
Loss of proprietary knowledge risk. This is a long-term strategic risk faced by some
companies, mostly in software products and embedded software. Knowledge leakage far
from home may be more likely or have more serious consequences than such knowledge
leakage at home. The hypothetical Swedish case described above illustrates this risk.
Critical know-how may trickle to competitors, who may be in a better position to cap-
italize on this knowledge competitively. The consequences of this risk do not appear
until several years later, and thus, many managers, with their short-term orientation,
may be less mindful of its consequences. This risk is also interesting vis-à-vis the pub-
lic policy debate taking place in the US about its national competitiveness.
Next, several criminal risks are likelier when offshoring, or have greater severity of
adverse outcomes, or both:
— Data security risk. Increased attention to privacy concerns regarding personal,

individual data began ¬rst with the European Union (stemming from its 1998
Directive) and more recently in the US. The IT community will likely need to
48 The fundamentals


devote greater attention to this topic, particularly for IT-enabled services. In one
case a Pakistani subcontract worker threatened to post US patient medical data on
the Internet if his ¬nancial claims were not met.29
— Corruption risk. This includes both grand and petty corruption. This risk applies to

offshore subsidiaries, while ¬rms outsourcing offshore are largely immune to this
risk because the cost is absorbed by the offshore provider.
— System security risk. There is increased likelihood of insiders inserting

malicious code or leaving open vulnerabilities, or entering corporate networks
via privileged access. Terrorists are likely to exploit these routes in the years
to come.
We move on to two project-related risks that are likelier when offshoring, or have
greater severity of adverse outcomes, or both:
— Contractual risks. These are greater when offshoring, particularly when

outsourcing. Adverse outcomes appear when there is a dispute between the
parties which the parties cannot resolve. Foreign legal disputes may take longer
to resolve, may be subject to corruption, or favor the local company over
the foreign company. This risk can be mitigated by contracting with a
company that has legal standing in your country (see more in Chapter 6 on
legal issues).
— Infrastructure risk. The dependability of the communications infrastructure is

lower in some offshore destinations. While the probability of failure may be
higher, the severity is unlikely to be great. Companies mitigate this risk by
securing multiple communication links to the offshore unit or provider.
The last of the offshore risks is at home: the risk of societal and regulatory changes in
your home country. Societal changes impact company reputation and are dif¬cult to
anticipate. Political backlash due to offshoring began emerging in the early 2000s, in
the US, UK, and Germany (see Chapter 12, Offshore Politics). The fear of a poor pub-
lic image then begins to drive decision-making. For example, some American business
managers have reacted by making offshoring a clandestine activity. They hide infor-
mation about their offshoring as much as possible. Alternatively, they choose to
outsource to a US-based provider with offshore IT resources, who then turns around
and performs the work offshore. Additionally, companies may come under scrutiny
by non-governmental organizations (NGOs) or the media, for perceived social or
economic injustice such as “sweatshop” operations offshore. All of this reverberates
into the organization itself. Employee morale may be damaged because of lay-offs
or loss of career opportunities. The public relations backlash leads to bitterness
among departing or remaining staff. This may lead to loss of key talent, primarily in
high-tech ¬rms.
Regulatory impacts to offshoring emerged in the US and Europe by the early 2000s.
For example, the Committee of European Banking Supervisors proposed to ban out-
sourcing of “strategic or core activities.” Some IT work may qualify within this de¬nition.
49 Offshore economics and offshore risks


The American Federal Deposit Insurance Corporation, which regulates banks, pro-
hibits ¬nancial ¬rms from hiring workers with criminal convictions; such a restriction
applies to those managing systems in foreign locations. Finally, countries may become
embargoed for other reasons in full or in part. For example, the US has, or has had, at
least partial trade restrictions on a medley of countries in recent decades: South Africa,
Libya, Iran, and Cuba, to name a few.


Assessing and managing offshore risk
Risk assessment needs to take place up-front, before going offshore, but also on an
ongoing basis. Many ¬rms conduct some type of country risk assessment before they
enter a country (ex ante). However, it is rare that ¬rms continue to conduct regular
assessments once they already have operations in-country. This is a mistake. Com-
panies need to continually assess risks by collecting data from experts, but particularly
from people who are in-country, on the ground. The sensationalist news coverage that
we all watch is not a reliable source for risk assessments.
The process of risk assessment is largely a qualitative exercise best done with mul-
tiple managers™ input. The risks are listed, just as they are listed in Exhibit 2.2. Then
the probability of each risk type occurring is assessed either by number (e.g. 0“10) or
label (e.g. low, high). The consequences of each risk occurrence must then be assessed.
For example, a system security break-in may be rated as having severe consequences.
Finally, managers must review mitigation approaches for each of the risks, particularly
the higher-probability and higher-severity risks. Managers can act to speci¬cally lower
the probability of an adverse outcome occurring and can lower the severity of the
adverse outcome.
There are differences between large and small ¬rms regarding offshore risks.
Strictly speaking, for a large ¬rm, the risk is the mathematical expected value, namely
the product of the likelihood and the severity. However, for small ¬rms, some risks,
such as IP risk, can be so severe as to lead to the company™s downfall. Is such a risk
worth the cost savings of offshoring?
In closing, offshore cost savings and risks all tie back together. Executives weigh
greater risks against greater costs savings. “[¦] We are debating if the [offshore] cost
savings are worth the IP security risk”30 is an illustrative quote by the Vice President
of US-¬rm New Health Science, which develops medical products to help detect cir-
culatory abnormalities. Indeed, views of IP risks and their close cousin, loss of propri-
etary knowledge, vary greatly in the software community. In spite of the knowledge
about the risks, as well as knowledge of known cases, most software product ¬rms™
managers are not concerned about IP risk.31 Since managers are aware that there is a
chance of the adverse event taking place (the probability is non-zero) then they may be
assessing the severity of loss as being low. It is also possible that they are simply
assessing the bene¬ts to be greater than the severity of loss.
50 The fundamentals




Concluding lessons

Wages are only part of the story: if you hire directly, pay attention to bene¬ts and fully


burdened costs. If you outsource, pay attention to charge rates and onshore rates.
Summarized country wage data represent only a ¬rst step: pay attention to the signi¬cant


differences by region within country and to signi¬cant differences by position (junior
programmer versus senior project manager).
Know the “extra” offshore cost items, and then, most importantly, manage them closely.


Benchmark your current processes properly so that you can make an informed decision


about whether offshoring leads to real cost savings.
Assess the trade-offs of the four major decision factors:


“ cost savings due to wage differentials,
“ “extra” offshore costs,
“ strategic bene¬ts of offshoring,
“ additional risks from offshoring.
Know the nine offshore risks as they apply to your company.


Continually assess offshore risks: ¬rst at the outset of offshoring and then on an ongoing


basis. Assess both probability and severity of each risk category.
Actively manage risk mitigation: diversify to multiple sources and countries; set up


contingency plans, backup sites, mirrored systems, and test the contingency plans. Carefully
document all processes handled by offshore companies and offshore personnel.
3 Beginning the offshore journey



Floral Systems (an alias) is a medium-sized Dutch software company. Driven by
a need to reduce costs, it decided that the next release of its software product
was to be built in India. The Dutch project manager had just met a representa-
tive of a large Indian provider at an American IT fair and decided to sign a con-
tract with that ¬rm. Problems started to occur almost as soon as the project got
under way. Floral Systems used a development platform called Progress, which
is not widely known in India. The Dutch ¬rm had overlooked the fact that the
Indian staff had no experience with the latest version of Progress, which was
quite different from earlier versions. Knowledge transfer from Floral Systems to
the provider also proved dif¬cult. One year later, the offshore project was a
failure and was abandoned. The company not only wasted a lot of money, but
because its next product release could not be delivered on time, clients started to
lose con¬dence. The project manager had already lost his job.

A more successful Dutch example is Metatude, which was founded in 2000. At
that time, due to the IT labor shortage, this start-up could not recruit experi-
enced software engineers. It had no choice but to go offshore. Initially,
Metatude investigated three countries: Bulgaria, India, and Bangladesh.
Having prepared itself well, and weighing the trade-offs, it decided to focus on
Bangladesh. Two managers visited this country for two weeks and had meetings
with various service providers, foreign users, as well as the local Dutch
embassy. Three of these providers were selected to bid on Metatude™s request
for proposal (RFP). Metatude chose one of these providers and then success-
fully built its very ¬rst software product offshore.

The offshore journey is not always easy, as the ¬rst Dutch example above illustrates.
There are many companies sending out work to far away countries and experiencing

<< . .

 8
( 36)



. . >>

Copyright Design by: Sunlight webdesign