Succeeding in China

Succeeding in China: The Risk of Doing Business in China
Presenters:
Andrew Walker, Director, Deloitte Consulting
Jim Chapman, Partner, Foley & Lardner LLP
Silicon Valley RIMS
January 31, 2013
The focus of this presentation is on identifying and mitigating the
risks of doing business in China
1. China represents a large and attractive market for Multi-National Companies (MNCs)
2. There have been a series of well-publicized incidents involving U.S. companies operating
in China
3. MNCs have found ways to be successful in China – to both grow their businesses &
mitigate risks
4. A programmatic approach to risk reduction has proven to be the most successful
approach
Macroeconomic Issues in China
China offers significant market attractiveness for MNCs
China’s demographic and economic profile makes it the world’s fastest growing economy.
China’s Global Positioning (1)
#1 GDP Growth (9.3%) among emerging and developed nations
#1 United Nations FDI Attraction Index Rank (2)
#1 Country Population (1.35 Billion)
#1 Total Exports ($1.90 Trillion)
#2 Total GDP ($7.3 Trillion)
#2 Total Imports ($1.66 Trillion)
[Chart: Global GDP Share (3), 2010 and 2017 (proj.), for China; Brazil, India, & Russia; Other Countries; Developed World]
China provides MNCs with a strong economic and
demographic foundation for growth and is projected to
continue dwarfing other major emerging markets
Sources: (1) World Bank (2) UNCTAD (3) IMF projections, Deloitte Analysis
China offers significant market potential that can be
hampered by significant risks
However, unique risks may limit MNCs’ ability to
capture the growth potential . . .
Companies are expecting increased revenues
from China over the next 3 years
[Chart: Revenue Expectations from China in next 3 years, by category: Decrease/No Change; Increase by less than 10%; Increase by 10-24%; Increase by 25-49%; Increase by 50-99%; Increase by 100% or more]
[Chart: Potential revenue opportunity in China (billions), with risk-adjusted revenue]
Global weakness has affected China’s
economic growth, which slowed to 7.6% in Q2
2012; however, the China market is growing
faster than the global average, indicating
continued investment opportunity
As documented in mainstream newspapers,
magazines, journals, and trade publications…
Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011; (2) Weekly Economic Update (7/9/12) (3) 22
companies reporting revenue earned in China, Economist Intelligence Unit and Deloitte Analysis
Changing regulatory landscape is making China more
attractive for MNCs
In addition to China’s economic and demographic profile, new leadership and policy changes
are making China a top destination for investment.
Number of Recently Initiated Trade Restrictive Measures
Despite increased global protectionism, China has
imposed fewer restrictive trade measures (1) compared
to other major economies. During the same period 21
new trade liberalizing measures were initiated.
[Chart: Number of Recently Initiated Trade Restrictive Measures, by economy]
Top Destinations for MNC Investment
Over 60% of executives surveyed by the UN
Conference on Trade and Development cited China as
a top 10 destination for investment between 2012 and
2014 (2).
[Chart: Top Destinations for MNC Investment, by country]
Sources: (1) Data from 9/2008 – 7/2011; Mohini, D., Hoekman, B., and Malouche, M., “Taking Stock of Trade Protectionism Since 2008” (2) UNCTAD
Overview
MNCs already operating in China are expecting
substantial near-term revenue growth
55% of surveyed companies are expecting increased revenues from China between 2011 and
2014.
[Chart: Revenue Expectations from China (1), by category: Decrease/No Change; Increase by less than 10%; Increase by 10-24%; Increase by 25-49%; Increase by 50-99%; Increase by 100% or more]
[Chart: Potential Revenue Opportunity in China ($B) (2), for 2005, 2010 and 2015E]
An index of 135 companies weighted by their revenue share from China has
climbed 129% since 2009 compared with the S&P 500’s gain of 57%. (3)
Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011; (2) 22 companies reporting revenue earned in China, Economist Intelligence Unit and
Deloitte Analysis; (3) The Economist
Legal, Regulatory and Transaction Issues
Technology Transfer Legal Framework
China’s Regulations on Administration of Technology Import and Export
(Technology Regulations), effective January 1, 2002, govern the import
and export of technologies into and out of China.
The Technology Regulations classify technologies into three broad
categories, including:
1. Prohibited technologies: Cannot be imported into or exported out of
China.
2. Restricted technologies: Import and export must be pre-approved by the
relevant Chinese governmental authority, and copies of the relevant
technology transfer agreement must be submitted to the relevant
governmental authority.
3. Permitted technologies: Can be imported into or exported out of China
without prior Chinese governmental approval.
Forms of Technology Transfers
Technology transactions may take a variety of forms. All of the
following transactions are subject to the Technology
Regulations:
• Patent assignments
• Assignments of patent application rights
• Patent licensing
• Assignments of know-how or trade secrets
• Licensing of know-how or trade secrets
• Technical services and other unspecified forms of technology transfer covered by the Technology Regulations
• Cooperative research and development contracts
• Technology consultancy contracts
• Technical training contracts
• Technology brokerage contracts
• Software import and export contracts
• Trademark licenses or assignments involving patented or non-patented technology
Applicable Contract Law
Unified Contract Law, adopted in 1999, provides
substantial freedom for the parties to enter into
agreements.
Obstacles to Technology Transfer to China
• Lack of control over future developments, modifications and
enhancements of transferred technologies.
• Warranty requirements.
• Collecting royalties and other payments.
• Protection of Intellectual Property.
• Lack of Trust.
Mandatory Provisions of Chinese Law
Chinese law requires the foreign licensor to:
• “Guarantee” that the licensed technology be complete,
correct, valid, and capable of accomplishing the specified
technological objectives.
• “Guarantee” that it is the legal owner of, or the party with
the right to license, the technology.
• If the Chinese licensee infringes on another party’s right by
using the licensed technology pursuant to the license
agreement, the licensor is required to bear the
responsibility for such infringement.
Prohibitions
The Technology Regulations prohibit the following provisions:
• Requiring the transferee to accept incidental conditions unnecessary for the
imported technology, including the purchase of unnecessary items.
• Requiring the transferee to pay for, or undertake obligations relating to, a
technology for which the patent right has expired or has been announced as
invalid.
• Restricting the transferee’s improvement of the technology provided by the
transferor, or restricting the transferee’s use of the improved technology.
• Restricting the transferee’s acquisition from a third party of any technology
similar to, or competitive with, the technology provided by the transferor.
• Unreasonably restricting the transferee’s channels or sources for the purchase
of raw material, parts, components, products, or equipment.
• Unreasonably restricting the quantity, variety, or price of products produced by
the transferee.
• Unreasonably restricting the transferee’s export channels for products
manufactured by the transferee using the transferred technology.
Key Issues of a Technology Transfer Agreement
Typically, a technology license agreement will cover
the following key issues:
• Field of use
• Geographic scope/territory
• License fees and payment terms
• Ownership of technology
• Ownership of improvements
• Exclusive or nonexclusive/sublicense
• Nondisclosure
• Noncompetition
• Term/termination
• Indemnities/liabilities
• Dispute resolution
• Governing law
• Governing language (i.e., Chinese or English)
Key To Successful Technology Transfer
• Find the “right” licensee.
• Invest in the relationship and work to build trust.
• Thoroughly document the transaction.
• Work to keep interests aligned.
• Maintain constant communication and support.
Risks and Mitigation Strategies
Mitigating risks to profitability and value creation is
critical
All are related to protecting a company’s brand/reputation
Type of Risk
1. IP Protection
2. Negative Impact on USG-Related Business
3. Export / OFAC Compliance
4. Compromise of U.S. Ethics Laws
5. Ineffective Legal Entity and Business Structure
6. Partner Turning Competitor
7. Market Restrictions
8. Profitability in China
9. Supply Chain & Operational Risks
[Chart: the nine risks plotted by Potential Impact (Low, Medium, High) against Likelihood (Low, Medium, High)]
Protecting IP is typically cited as the most
significant challenge to operating in China
% of Companies Citing Challenges in China as Significant (1)
Adequate IP protection: 58%
Competition from local competitors: 49%
Understanding customers’ buying behavior: 45%
Brand awareness in the market: 45%
Providing affordable products and services: 43%
Adequate supply of skilled labor: 38%
Protectionist policies or government red tape: 37%
Establishing partnerships with local companies: 31%
Supply chain capabilities: 24%
Infrastructure problems: 18%
IP Risks in China
• Local companies are known to introduce
rival products within 2-6 months of a new
product introduction by an MNC
• Significant number of IP related lawsuits
between MNCs and Chinese companies
indicate existence of IP infringement
practices (~60,000 in 2011, up from
~43,000 in 2010) (2)
• Government regulations on IP creation and
usage make it mandatory for MNCs to
share IP in China in certain instances
Sources: (1) Deloitte Consulting emerging markets survey conducted in 2011, (2) China Patent Agent LTD., (3) Nera Economic Consulting estimate
An IP protection strategy should be integrated from the
product strategy through the operating model and tactics
Implementation Steps
1. Identify products being sold in China
• Identify the products and services best suited to the China market – determine
whether to:
  1. Take the whole stack (but restrict access to core technology), or
  2. Dedicate less valuable technology that is sufficient to meet current market
  demand
2. Establish a clear integrated strategy
• Create a China IP Protection Control Structure that integrates politics, partners,
people, process, vendors, and technology
• Define a clear operating model (e.g., human resources, vendor management,
manufacturing, supply chain, information technology)
3. Manage operations with IP protection in mind
• Redesign R&D processes to increase compartmentalization and protection; this
will result in higher IP management costs
• Program, implement, and commercialize technology development with value
management in mind, building IP protection into processes
4. Apply the right tactics to protect IP
• Define processes and controls throughout all business functions to safeguard IP
• Change product development cadence and release cycles
In addition to IP protection concerns, there is a risk that U.S.
government (USG) agencies could have concerns about offshore
operations in certain countries
Key Risks
• Certain USG agencies may have
concerns surrounding their product
and/or service providers operating in
certain countries
• Key concerns appear to revolve around
the following:
  ― Loss of U.S. IP
  ― Products or product code being
  infiltrated or corrupted by foreign
  parties
  ― Network and IT access into USG
  data centers or systems
  ― USG related information becoming
  accessible
Mitigation Approach
• Companies should wall-off foreign operations
from public sector business in a way that is
auditable
• Leading practices include creating two sets of
operational, network, and IT firewalls:
  1. Between Offshore and US businesses
  2. Between US and US Government Services
  divisions
• Companies should proactively develop programs
to educate government customers
• Mitigation approach should be structured to
address operations for each business function
across eight key security threads
Negative USG perceptions of the company may impact existing and future contracts /
business and may lead to loss of revenue and USG audits
Protecting IP and assuaging U.S. Government concerns
requires a reengineered operating model
Deloitte’s FOCI-Mitigation Toolset
(Foreign Ownership, Control, or Influence)
Functional Example
Function: Information Technology
ProxyCo Current State
Functions (grouped as Selling Product and Supporting Business): Research & Development; Supply Chain; Product & Delivery; Maintenance; Sales & Marketing; Finance; Human Resources; Legal; Facility & Security; IT
Physical
Is the Research and Development (R&D)
Function physically separated from the
parent?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Is the Supply Chain Function physically
separated from the parent?
Is the Product & Delivery Function
physically separated from the parent?
Where are product components / supplies
stored prior to completion?
Is the Maintenance Function physically
separated from the parent?
Is the Sales & Marketing Function
physically separated from the parent?
Is the Finance Function physically
separated from the parent?
Is the Human Resources (HR) Function
physically separated from the parent?
Is the Legal Function physically separated
from the parent?
Is the Facility & Security Function physically
separated from the parent?
Is the Information Technology (IT) Function
physically separated from the parent?
Are controls in place to ensure that there is no
unauthorized access into the IT facilities?
Will non-R&D employee badges be
granted access into R&D facilities?
What additional security is used to
protect the R&D facilities?
Are physical records, project plans, and
contracts stored within ProxyCo
securely?
Will non-Product & Delivery employees be
granted access into the Product & Delivery
facilities?
Are controls in place to ensure that there is no
unauthorized access into the Product &
Delivery facilities?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
Is classified / sensitive information stored in
the IT facilities in a secure manner?
Is visible badge identification required
at all times in R&D facilities?
Are controls in place to ensure that there is no
unauthorized access into the R&D facilities?
Is the shipping and delivery of inputs
securely handled?
Is visible badge identification required at all
times in the Product & Delivery facilities?
Is classified / sensitive information stored in
the Product & Delivery facilities in a secure
manner?
Are controls in place to ensure that there is no
unauthorized access into the Maintenance
facilities?
Is the Sales & Marketing Function staffed
only by ProxyCo's employees?
Are controls in place to
ensure that there is no unauthorized access
into the Finance facilities?
Are controls in place to ensure that there is no
unauthorized access into the HR facilities?
Are controls in place to ensure that there is no
unauthorized access into the Legal facilities?
Are controls in place to ensure that there is no
unauthorized access into the Facility &
Security facilities?
Is the IT Function staffed only by
ProxyCo’s employees?
Are IT subcontractors compliant with the
terms of the NSA?
Are emergency response procedures in
place for the R&D facilities?
Is classified / sensitive information stored
in the R&D facilities in a secure manner?
Are the warehouses and facilities that receive
ProxyCo's inputs appropriately secured?
Are emergency response procedures in place
for the Product & Delivery facilities?
What procedures are taken to ensure that the
shipping and delivery of products is secure?
Is classified / sensitive information stored in
the Maintenance facilities in a secure manner?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Are physical records of financial statements
accessible by the parent company?
Is classified / sensitive information stored in
the HR facilities in a secure manner?
Is classified / sensitive information stored in
the Legal facilities in a secure manner?
Are there video surveillance systems?
Does the IT Function have security policies
and a training plan?
Are IT temporary employees compliant with
the terms of the NSA?
Is the R&D Function staffed only by
ProxyCo's employees?
Does the R&D Function have security
policies and a training plan?
Are controls in place to ensure that there
is no unauthorized access into the Supply
Chain facilities?
Are physical records, project plans, and
contracts stored within ProxyCo securely?
What security procedures / plans are in place
to secure warehouses and facilities that
distribute ProxyCo’s products / technologies?
Is the Maintenance Function staffed only by
ProxyCo's employees?
Does the Sales & Marketing Function have
security policies and a training plan?
Is classified / sensitive information stored in
the Finance facilities in a secure manner?
Is the HR Function staffed only by ProxyCo's
employees?
Is the Legal Function staffed only by
ProxyCo's employees?
Is classified / sensitive information stored at
the Facility & Security facilities in a secure
manner?
Have the IT Function's policies and
procedures pertaining to the NSA been
reviewed with employees?
Is there a separate and independent body that
monitors the access and behaviors of IT staff,
including contact between IT staff
and the parent?
Do only authorized personnel have full
access to the R&D Function?
Have the R&D Function's policies and
procedures pertaining to the NSA been
reviewed with employees?
Is classified / sensitive information stored
in the Supply Chain facilities in a secure
manner?
Where is product inventory stored
prior to shipment?
Are the vehicles by which ProxyCo’s products
are transported designed to prevent
destruction or malicious activity / theft?
Does the Maintenance Function have security
policies and a training plan?
Have the Sales & Marketing Function's
policies and procedures pertaining to the NSA
been reviewed with employees?
Is the Finance Function staffed only by
ProxyCo's employees?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Is the Facility & Security Function staffed only
by ProxyCo's employees?
Does the IT Staff report to an executive
at ProxyCo?
Are there people assigned to continuously
monitor intrusions and / or any suspicious
activities, and are these people direct
employees of ProxyCo?
Which Key Management Personnel (KMP)
have influence over or access to the R&D
Function?
Does the R&D Function report to an
executive at ProxyCo?
Is the Supply Chain Function staffed only
by ProxyCo's employees?
Is the Product & Delivery Function staffed
only by ProxyCo's employees?
Does the Product & Delivery Function
report to an executive at ProxyCo?
Have the Maintenance Function's policies and
procedures pertaining to the NSA been
reviewed with employees?
Does the Sales & Marketing Function report
to an executive at ProxyCo?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Does the HR Function have security policies
and a training plan?
Does the Legal Function have security policies
and a training plan?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Do any of ProxyCo's IT personnel also
work for the parent?
Does the parent have access to any
classified / sensitive data that is under the
custody of ProxyCo's IT Staff?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Do any of ProxyCo's R&D
personnel also work for the parent?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Do any of ProxyCo's Product &
Delivery personnel also work for the parent?
Does the Maintenance Function report to an
executive at ProxyCo?
Do Sales & Marketing personnel sell or
market any of the parent's products?
Does the Finance Function have security
policies and a training plan?
Have the HR Function's policies and
procedures pertaining to NSA requirements
been reviewed with employees?
Have the Legal Function's policies and
procedures pertaining to the NSA been
reviewed with employees?
Does the Facility & Security Function have
security policies and a training plan?
Has ProxyCo established a fully separate
and distinct IT process and functional
organization that will manage the IT activities?
Is there a well-documented and regularly
revisited process for incident reporting and
response planning?
Which personnel outside of the R&D
Function’s employees are allowed to be in the
R&D facilities?
Does the company control information
and access from outside researchers?
Does the Supply Chain Function have
security policies and a training plan?
Which Key Management Personnel have
influence over or access
to the Product & Delivery Function?
Are Product & Delivery subcontractors
compliant with the terms of the NSA?
Do any of ProxyCo's Maintenance personnel
also work for the parent?
Do any of ProxyCo's Sales &
Marketing personnel also work for the parent?
Have the Finance Function's policies and
procedures pertaining to the NSA been
reviewed with employees?
Does the HR Function report to an executive
at ProxyCo?
Does the Legal Function report to an
executive at ProxyCo?
Have the Facility & Security Function's
policies and procedures pertaining to the
NSA been reviewed with employees?
Has a set of security requirements been
provided to IT, based on the NSA and other
government documents, that IT can use to
take appropriate steps?
Are processes in place to govern how
ProxyCo’s staff engage and interact with
the parent’s staff?
Has ProxyCo established a fully separate
and distinct R&D process and functional
organization that will manage the R&D
Function's activities?
Does ProxyCo outsource
any R&D activities?
Have the Supply Chain Function's policies and
procedures pertaining to the NSA been
reviewed with employees?
What level of clearance is required to have
access to the Product & Delivery Function?
Are Product & Delivery temporary employees
compliant with the terms of the NSA?
Are the Maintenance subcontractors
compliant with the terms of the NSA?
Are Sales & Marketing subcontractors
compliant with the terms of the NSA?
Does the Finance Function report to an
executive at ProxyCo?
What exit policies and procedures are used by
ProxyCo?
Do any of ProxyCo's Legal personnel
also work for the parent?
Does the Facility & Security staff report to an
executive at ProxyCo?
Have electronic security perimeters been
established?
Are IT processes appropriately documented?
What is the process for supporting ProxyCo's
R&D operations in high-risk countries?
Are there controls in place to protect
ProxyCo's intellectual property from
being transferred to the parent?
Does the Supply Chain Function report to
an executive at ProxyCo?
Do any of the personnel that have access to
the Product & Delivery Function not have
the appropriate level of security clearance
required for those facilities?
Do the individuals involved in the distribution
network have the appropriate level of
clearance to transport sensitive
technologies / products?
Are the Maintenance temporary employees
compliant with the terms of the NSA?
Are Sales & Marketing temporary employees
compliant with the terms of the NSA?
Do any of ProxyCo's Finance personnel
also work for the parent?
What is ProxyCo's screening process for
new employees?
Are Legal subcontractors compliant with the
terms of the NSA?
Do any of ProxyCo's Facility & Security
personnel also work for the parent?
Is there a process for securing hardware?
Are ProxyCo's IT systems accessible by
the parent's employees?
Does the company have any joint R&D
activities with outside parties?
Are R&D processes
appropriately documented?
Do only authorized personnel have full
access to the Supply Chain Function?
Which personnel outside of the Product and
Delivery Function's employees are allowed to
be in the Product & Delivery facilities?
Does the Product & Delivery Function have
controls in place to regulate individuals who
handle the products?
Is access to classified / sensitive information
restricted only to the appropriate personnel?
Do Sales & Marketing personnel travel to
foreign countries to conduct business?
Are Finance subcontractors compliant with the
terms of the NSA?
Does ProxyCo hire foreign nationals?
Are Legal temporary employees compliant
with the terms of the NSA?
Are Facility & Security subcontractors
compliant with the terms of the NSA?
Are there any automatic escalation processes
to alert management of intrusions and / or
suspicious activity?
Are the IT systems protected by firewalls?
Has ProxyCo established independent
R&D systems from the parent?
Are ProxyCo’s R&D systems and supporting
systems accessible by outside parties?
Does ProxyCo have controls in place
to regulate and monitor the individuals who
handle the inputs?
Does the Product & Delivery Function have
security policies and a training plan?
Which individuals have access to or are
responsible for tracking the products
en route?
Has ProxyCo established a fully separate and
distinct maintenance process and
functional organization that will manage the
Maintenance Function's activities?
Has ProxyCo established a fully separate
and distinct Sales & Marketing process and
functional organization that will manage the
Sales & Marketing Function's activities?
Are Finance temporary employees compliant
with the terms of the NSA?
Are security clearances managed by an
approved security officer?
Are Legal employment decisions appropriately
documented and reviewed?
Are Facility & Security temporary employees
compliant with the terms of the NSA?
Has ProxyCo established independent IT
systems from the parent?
Are any IT services outsourced to foreign
countries?
Are ProxyCo's R&D IT systems accessible
by the parent's employees?
Has ProxyCo established a separate secure,
independent data repository for R&D and
related information?
Do any of ProxyCo's Supply Chain
personnel also work for the parent?
Have the Product & Delivery Function's
policies and procedures pertaining to the
NSA been reviewed with employees?
Does ProxyCo outsource / subcontract
any Product & Delivery activities?
Does ProxyCo have the processes and controls
necessary to safeguard classified / sensitive or
protected software code prior to the release of
the hardware for maintenance?
Does ProxyCo sell and track products
on behalf of the parent?
Has ProxyCo established a fully
separate and distinct finance process and
functional organization that will manage the
Finance Function's activities?
Do any of ProxyCo's HR personnel also
work for the parent?
Has ProxyCo established a fully separate
and distinct legal process and functional
organization that will manage the activities of
ProxyCo's Legal Function?
Which individuals have access to the video
surveillance systems?
Are there one-time or recurring data transfers
between ProxyCo and the parent?
Are any data connections between
ProxyCo and the parent appropriately
audited and firewalled?
Have all existing data repositories been
identified and are they within ProxyCo?
Are there appropriate controls in place to
ensure that data cannot be leaked from inside
ProxyCo and that data cannot be accessed
from outside of ProxyCo?
Are Supply Chain subcontractors compliant
with the terms of the NSA?
Has ProxyCo established a fully separate
and distinct Product & Delivery process and
functional organization that will manage the
Product & Delivery Function's activities?
Are ProxyCo's products securely
shipped and delivered?
Is there a defined process for using the
parent's Maintenance Function?
Is ProxyCo's sales planning
independent of the parent?
Is ProxyCo's banking management
process independent of the parent’s?
Do people outside of ProxyCo have
access to ProxyCo's employee records?
What is the process for conducting confidential
investigations for ProxyCo?
Are there security personnel for all facilities?
Have all existing data repositories been
identified and are they within ProxyCo?
Has extensive testing been conducted to
ensure the integrity of the firewall?
Has ProxyCo's R&D data been wiped from the
IT systems that the parent has access to?
Is there a firewall to prevent data storage
outside of ProxyCo's servers?
Are Supply Chain temporary employees
compliant with the terms of the NSA?
What is the process for supporting
ProxyCo's Product & Delivery operations
in high-risk countries?
Are Product & Delivery processes
appropriately documented?
Is data on the devices being repaired wiped
for all devices leaving ProxyCo?
Does ProxyCo outsource
any Sales & Marketing activities?
Is financial and accounting information
transmitted to the parent's Finance Function?
Are HR subcontractors compliant with the
terms of the NSA?
Is there an investigations board, separate from
the parent, that will handle all investigations for
ProxyCo?
Are the security personnel properly trained
and vetted to work at cleared facilities?
Has ProxyCo's IT data been wiped from
the IT systems that the parent has access to?
Are there any links on ProxyCo's website
that can take users to secured areas?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Has extensive testing been conducted
to ensure the integrity of the firewall?
Has ProxyCo established a fully separate and
distinct Supply Chain process and functional
organization that will manage the activities of
ProxyCo's Supply Chain Function?
Has ProxyCo established independent
Product & Delivery systems from the parent?
Are ProxyCo’s manufacturing systems
and supporting systems accessible
by outside parties?
Are Maintenance processes appropriately
documented?
Does ProxyCo have IT support for Sales
& Marketing operations, including intranet
and extranet enterprise portal capabilities
and CRM?
Does ProxyCo outsource any Finance
activities?
Are HR temporary employees compliant
with the terms of the NSA?
Does ProxyCo outsource any Legal
activities to vendors who have not agreed
to the terms of the NSA?
Is there a separate and independent body
that monitors the access and behaviors of the
Facility & Security staff, including contact
between the staff and the parent?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Are all data repositories securely hosted for
only ProxyCo?
Has ProxyCo established a fully separate
and distinct set of R&D Service Level
Agreements (SLAs) with its vendors?
What is the process for keeping
ProxyCo's vendor lists confidential?
Does ProxyCo outsource
any Supply Chain activities?
Are ProxyCo's Product & Delivery
IT systems accessible by the
parent's employees?
Are the product assembly guides in the
Product & Delivery Function securely
monitored and stored?
Has ProxyCo established independent
Maintenance systems from the parent?
Are Sales & Marketing processes
appropriately documented?
Are Finance processes appropriately
documented?
Has ProxyCo established a fully separate
and distinct HR process and functional
organization that will manage the HR
Function’s activities?
Are patents exclusively owned by the
mitigated entity?
Are there individuals assigned to continuously
monitor intrusions and / or any suspicious
activities, and are these individuals direct
employees of ProxyCo?
Has ProxyCo established a separate
secure, independent data repository for IT and
related information?
Are company websites governed closely by
security specialists to cleanse them of any
sensitive or classified information?
Are Supply Chain processes
appropriately documented?
Have all existing data repositories been
identified and are they within ProxyCo?
Are there appropriate controls in place to
ensure that data cannot be leaked from inside
ProxyCo and that data cannot be accessed
from outside of ProxyCo?
Is there a database for maintaining
agreements / contracts?
Are ProxyCo marketing
and branding decisions independent
of the parent?
Has ProxyCo established independent
Finance systems from the parent?
What is the process for managing security
clearances?
Are Legal processes appropriately
documented?
Has ProxyCo established a fully separate
and distinct process and functional
organization that will manage ProxyCo's
Facility & Security Function's activities?
Is there a firewall to prevent data storage
outside of ProxyCo's servers?
Is any data hosted in offshore locations?
Has ProxyCo established independent Supply
Chain systems from the parent?
Has ProxyCo's Product & Delivery data
been wiped from the IT systems that the
parent has access to?
Is there a firewall to prevent data storage
outside of ProxyCo's servers?
Are all Maintenance systems secured with
a firewall?
Are appropriate processes in place to ensure
that marketing target lists and information
are kept confidential?
Are ProxyCo's Finance IT systems
accessible by the parent's employees?
What is the process for keeping classified /
sensitive employee records secure?
Has ProxyCo established independent
Legal systems from the parent to manage and
support the company's Legal Function?
Are any of the following activities outsourced:
lease administration, space management,
lease transactions, and shipping?
Has ProxyCo established a fully separate
and distinct set of IT SLAs with its vendors?
Is there a separate body or function that
monitors vendors' activities on ProxyCo's
IT systems and infrastructure?
How are physical invoices filed and stored?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Has extensive testing been conducted to
ensure the integrity of the firewall?
Have all existing data repositories been
identified and are they within ProxyCo?
Have all existing data repositories been
identified and are they within ProxyCo?
Are HR processes appropriately documented?
Are ProxyCo's Legal IT systems accessible
by the parent's employees?
Are Facility & Security processes
appropriately documented?
How much access do vendors have to
ProxyCo's IT systems and infrastructure
without the appropriate level of control?
Are vendors that access ProxyCo’s
systems fully compliant with the NSA?
Has ProxyCo established independent
Facility & Security systems from the parent?
Do ProxyCo and the parent
share any vendors?
What information does ProxyCo
share with vendors?
Security Threads
Physical (Real Estate)
(Business and Financial Strategy, Mergers and Acquisitions, Tax Management, Risk
Management, Compliance Management, Program Management and Performance Management)
Have all existing data repositories been
identified and are they within ProxyCo?
Has ProxyCo established a separate
secure, independent data repository for
Product & Delivery and related information?
How much product information is transferred
to the vendors' databases and how secure is
this information transfer?
Has ProxyCo's Maintenance data been wiped
from the IT systems that the parent has
access to?
Are ProxyCo's Customer Relationship
Management (CRM) systems accessible by
the parent's employees?
Has ProxyCo's Finance data been wiped
from the IT systems that the parent has
access to?
Has ProxyCo established independent
HR systems from the parent?
Have all existing data repositories been
identified and are they within ProxyCo?
Has ProxyCo's Supply Chain data been
wiped from the IT systems that the parent
has access to?
Has ProxyCo established a fully separate
and distinct set of Product & Delivery SLAs
with its vendors?
What information does ProxyCo
share with vendors?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Does ProxyCo have an independent
intranet on which to design, develop, publish,
and maintain content?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Are ProxyCo's HR IT systems accessible
by the parent's employees?
Has ProxyCo's Legal data been wiped
from the IT systems that the parent has
access to?
Does ProxyCo have separate voice and
data infrastructure for its facilities?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Do ProxyCo and the parent share
any vendors?
Does ProxyCo have travel and shipping
contracts independent of the parent?
Has ProxyCo established a separate secure,
independent data repository for Maintenance
and related information?
Do Sales personnel maintain classified /
sensitive information in their physical custody
while visiting with prospective clients and / or
visiting trade shows?
Has ProxyCo established a separate
secure, independent data repository for
Finance and related information?
Have all existing data repositories been
identified and are they within ProxyCo?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Are ProxyCo's servers stored in a
secure area outside of the parent’s facilities?
Has ProxyCo established a separate
secure, independent data repository for
Supply Chain and related information?
How much product information is transferred
to vendors' databases and how secure is this
information transfer?
Are there access controls in place to monitor
individuals who are given access to the
products and technologies being delivered?
Has ProxyCo established a fully separate and
distinct set of Maintenance SLAs with its
vendors?
Have all existing data repositories been
identified and are they within ProxyCo?
Is there a firewall to prevent data storage
outside of ProxyCo's servers?
Has ProxyCo's HR data been wiped from
the IT systems that the parent has access to?
Has ProxyCo established a separate
secure, independent data repository for Legal
and related information?
Is the process for moving physical data from
one facility to another secure, documented,
and followed?
Has ProxyCo established a fully separate
and distinct set of Supply Chain SLAs with its
vendors?
What is the process for keeping
ProxyCo's vendor lists confidential?
Are multiple vendors used for Maintenance?
Has ProxyCo's Sales & Marketing data
been wiped from the IT systems that the
parent has access to?
What procedures are in place to protect the
sensitivity and integrity of ProxyCo's
financial data?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Is there a firewall to prevent data storage
outside of ProxyCo's servers?
Is the movement of classified / sensitive data
properly restricted?
People
(Marketing, Sales, Delivery/Provisioning, Billing and Service)
Has ProxyCo established independent
Sales & Marketing systems from the parent?
Process
(Recruitment, Development, Administration and Performance Management)
Physical Data
(Design, Development, Deployment, Operations and Performance Management)
Process
Product
Systems
Physical Data
(Innovation and Design, Supply Chain Management, Production Operations and Logistics)
Systems
People
Security Thread
Product Development, Delivery,
& Support
Electronic Data
Vendor/Suppliers
Do ProxyCo and the parent share
any vendors?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Has ProxyCo established a fully
separate and distinct set of Finance SLAs
with its vendors?
Has ProxyCo established a separate
secure, independent data repository for HR
and related information?
Has extensive testing been conducted to
ensure integrity of the firewall?
Have all existing data repositories been
identified and are they within ProxyCo?
What is the process for keeping ProxyCo's
vendor lists confidential?
Has ProxyCo established a separate
secure, independent data repository for
Sales & Marketing and related information?
Does ProxyCo share any vendors with the
parent?
Is there a firewall to prevent data storage
outside of ProxyCo's servers?
Has ProxyCo established a fully separate
and distinct set of Legal SLAs with its
vendors?
Has ProxyCo's Facility & Security data
been wiped from the IT systems that the
parent has access to?
What information does ProxyCo share
with its vendors?
Are any products or services inappropriately
detailed on the company’s website or in
marketing material?
How much access do vendors have to
financial data from classified / sensitive areas?
Has extensive testing been conducted to
ensure the integrity of the firewall?
Do ProxyCo and the parent share any
vendors?
Has the wiped data from IT systems provided
to the parent been tracked and managed?
Does ProxyCo have sole responsibility for
all supplier selection, subcontracting, and
supplier management activities?
Where are CRM records stored, who
has access to them & who has had access
to them?
Has ProxyCo established a fully separate
and distinct set of HR SLAs with its vendors?
Are vendors that access ProxyCo’s
systems fully compliant with the NSA?
Has ProxyCo established a separate
secure, independent data repository for
Facility & Security and related information?
Has ProxyCo established a fully separate
and distinct set of Sales & Marketing SLAs
with its vendors?
Do ProxyCo and the parent have any
shared contracts with any HR vendors?
Is badging and surveillance data properly
protected?
Are vendors that access ProxyCo’s
systems fully compliant with the NSA?
Has ProxyCo established a fully
separate and distinct set of Facility & Security
SLAs with its vendors?
(Real Estate, Procurement and Other)
Note: Many actions could logically be associated with other or multiple process groupings.
For example, many customer and product actions are likely to have heavy IT and HR components.
Privileged and Confidential for ProxyCo and Deloitte Consulting Only
Electronic Data
As of Month 20XX
Vendors / Suppliers
Foreign Corrupt Practices Act
What are the risks?
Corruption in China – pace of change, growing economic prosperity, historical practices
US FCPA – Prohibits payments of something of value to foreign officials or members of a
political party to obtain or retain business.
Violations and Penalties – Anti-bribery:
• Individual criminal fines up to $250,000 and imprisonment up to 5 years
• Companies may be fined $2 million for each violation
Violations and Penalties – Violation of accounting provisions:
• Individual criminal fines up to $5 million and imprisonment up to 20 years
• Companies may be fined $25 million for each violation
What is an improper gift or payment?
FCPA prohibits corrupt payments through intermediaries
U.S. Foreign Corrupt Practices Act
Understand the Danger Signs
• Large sales to governmental agencies or SOEs with high unit price and low frequency;
• A request for commission payments to be made to bank accounts in other countries or to people or companies who did not perform the services;
• Excessive payments or commissions for services rendered or insufficient staff to perform the services to be rendered;
• Vague deliverables in contracts;
• Losing bidders hired as subcontractors;
• Favorable treatment of one supplier over another;
• Lack of relevant experience of a successful bidder;
• Unnecessary third parties performing services;
• Lack of documentation from agents;
• A representative or distributor has family or business ties with government officials;
• A representative or distributor requires that his or her identity not be disclosed;
• A potential government customer recommends or requires that the U.S. company use a particular representative or distributor;
• A representative or distributor makes requests such as backdating or altering invoices; or
• A representative or distributor requests that an invoice be inflated.
FCPA Compliance Program
Components of Program
• Process and procedures
• Oversight
• Audit
Embezzlement Risk
What to watch out for?
Key Risks
• Fraud is rampant in China – “Opportunistic” vs. “Systemic Malfeasance”
• There is a view that there are no consequences
• It is OK to take advantage of a foreigner
Mitigation Approach
• Pre-employment screening – verify everything
• Certificate of No Criminal Record – provided by local police station and can be verified
• Manage the HR Manager in China – Kickbacks and payoffs are common
• Do not allow the GM to hire the finance manager
Contractual Risk
What to watch out for?
Key Risks
• Chinese view of contracts – tool for building a relationship
• Negotiation and re-negotiation
• Enforcement
Mitigation Approach
• Formation basics
• Understand the role of contracts – Use strong contractual protections such as arbitration outside of China, governing law and language, waiver of sovereign immunity
• Build personal relationships on a day-by-day basis
• Learn the culture – role of relationships, how foreigners are viewed, the role of “face”, humility, sincerity and other concepts
Understand the role of contracts and cultural differences.
Human Capital Risk
What to watch out for?
Key Risks
• The Chinese view of the workplace
• Employees are not important
• Hierarchy
• *Loyalty – To whom do the key employees owe their loyalty?
• Turnover and its costs
Mitigation Approach
• Integration
• Training
• Loyalty programs
Loyalty issues control and influence protection of IP and one’s brand and reputation
Operating Risk
What to watch out for?
Key Risks
• Supply chain visibility – downstream and upstream – and chain of command
• Control over costs and pricing
• Differences in protection of property and business continuity efforts / requirements
• Quality control and assurance
• IP
Mitigation Approach
• Compartmentalize production
• Control the production process
• Keep key technologies in the US
• Employ rapid versioning
• Integrate supply chain requirements through contracts, quality assurance, and risk management best practices
Visibility is most important in understanding critical operational risks
Risks should be managed through an integrated,
cross-functional program
[Matrix: Type of Risk by Function Responsible For Mitigating Risk.
Types of risk: IP Protection; Negative Impact on USG-Related Business; Export / OFAC Compliance; Compromise of U.S. Ethics Laws; Ineffective Legal Entity & Business Structure; Partner Turning Competitor; Market Restrictions; Profitability in China.
Functions: Executive Office; Operations; Sales & Marketing; HR; Finance; IT; Legal & Risk.]
Sample Roadmap
Summary
Key Lessons Learned
• Do not leave common sense at the border
• Understand the role of the Chinese government in day-to-day business and develop a governmental relations program
• Develop “guanxi”
• Select the “right” partners, suppliers and resellers
• Always have strong legal foundation for business relationships
Andy is a strategy advisor with more than 15 years of
experience leading efforts to help business
executives overcome their most pressing challenges.
His primary focus is on advising companies on ways
to improve financial position by restructuring their
operating models to improve the focus on future
growth prospects.
Director
Strategy Practice
Deloitte Consulting
In addition to this focus area, Andy is a lead in
Deloitte’s cross-border investment practice with a
focus on helping companies meet U.S. national
security expectations, as well as helping them
protect their intellectual property as they expand
globally. He has led Deloitte’s efforts on a number of
high profile CFIUS cases.
Andy has worked with telecom and high tech clients
and has worked in China, Latin America and Europe
on their behalf. He is the author of a number of
articles, including, most recently, an article published
in the Wall Street Journal entitled “Improving the
Yield on your corporate investment portfolio.”
Jim is a partner at Foley & Lardner, a leading international law
firm. He is a corporate and securities lawyer focusing on startup and emerging publicly traded and privately held companies
looking to expand domestically and internationally and the
venture capitalists, private equity groups and angels that invest
in them. He has substantial experience in international
transactions including mergers and acquisitions, foreign direct
investment, technology transfers and joint ventures in China.
Partner
Foley & Lardner, LLP
Jim has been involved in approximately 250 mergers,
acquisitions and finance transactions and is the author of
approximately 50 articles and has given over 50 presentations
in the last four years on issues related to raising venture
capital, mergers and acquisitions, start-ups, doing business in
China and other topics.
Jim has been recognized by Law 500 as one of the best lawyers
in the US for mergers and acquisitions, was named one of the
Top 25 Clean Tech Lawyers in California in 2011 by the Daily
Journal and one of Northern California’s Super Lawyers by San
Francisco Magazine and Law and Politics Media.