Intellectual Property and Data Privacy in China: Done Deal or Adopter’s Delusion?
Stan Lepeak, Managing Director, Global Research, KPMG Shared Services and Outsourcing Advisory
KPMG’s Shared Services and Outsourcing Advisory (SSOA) practice’s global leadership team recently completed a tour of Asia Pacific during which it examined sourcing trends into and out of that market. This is the second in a series of blogs that will share these findings and insights.
Mention doing any sort of business in China and one of the top concerns typically cited is the risk of intellectual property theft and related concerns over exposure of private or sensitive data (e.g., firm or client data) in the market. Some western firms have cited IP risk as a worthy cost of doing business in China given the lucrative nature of the China market. This perspective has more merit relative to intellectual property (IP) than to sensitive data such as customer information, which if breached can create potentially serious public relations and legal problems.
While there is a pretty clear case against the China market relative to such products as bootlegged entertainment media, fake Rolexes and related hard goods, the case against it around transgressions with other types of IP and data is less clear. This is not to say that breaches do not occur but it is important to put the risk of exposure in the China market in perspective with other markets in which organizations operate.
Few of the western or non-China based firms that the KPMG sourcing advisory practice met with on its recent China tour expressed undue concerns over IP or data exposure risks. This sample is self-selecting, however, in that all of these firms have chosen to establish shared services or outsourcing operations in China. Often these operations are supporting local China business, so locating support functions outside of the market would carry additional risks and complexities.
The key question is whether these early adopters of a more aggressive onshore China strategy for back-office operations are risk astute or overtly risk exposed. The answer depends more on IP and data protection policies, practices and procedures than on whether the data is resident on servers in Chengdu or Chicago. There has been no shortage of examples of data breaches occurring in western markets, typically due to weak IT security practices or holes created by internal employees. And Internet-accessible IP residing on systems housed in a western market is a short digital connection away from many other global markets, nefarious or not.
There was one financial services firm we met with that had curtailed the scope of its China investment based on executive-level concern over exposure of client data in the China market. The reality, however, was that this data would still have been housed in the home western market and only accessed from China. What concerned management was the public appearance of hosting customer data offshore in China more than the technical reality of doing it.
China has stepped up a public campaign to crack down on IP theft. It has also introduced new guidelines on data privacy protection. In another measure of progress, the number of ISO 27001 certifications (Information technology — Security techniques — Information security management systems — Requirements) in China has tripled since 2008, and China currently (as of June 2011) ranks third in the world in number of certifications, behind Japan (3,840 registered) and India (526), with 497.*
How much these moves have improved the IP and data privacy environment in China is being debated, but they are moves in the right direction. More important for user organizations to keep in mind is that government mandates and oversight are only one element in addressing IP and data risks. Ultimately it is the user organization that must focus on limiting these risks. Greater legal recourse after the fact is laudable, but with most IP and data theft it is akin to addressing barn door problems after the horse has departed.
Organizations investing in shared services and services outsourcing operations in China must assess and understand the risks related to IP theft and critical data breaches. They must weigh these risks against their own risk profile and move forward accordingly. Most importantly, they must develop adequate IP and data protection policies, practices and procedures and apply them globally, not assuming that, when it comes to risk and protection, west is best and east is least.
*Certification data obtained from the International Register of ISMS Certificates, managed and maintained by the ISMS International Users Group (IUG). http://www.iso27001certificates.com/
On the surface it does appear that China is moving in the right direction. However, my fear is not whether the data will be accessed or stolen if it resides in China, since the network security concerns must be addressed regardless of where the data is, as touched on in this article. My concern is whether we have the data available outside of China also.
What happens if the political climate changes and some companies find themselves as “threats to China” in the eyes of a communist government? Will companies’ data be made inaccessible from foreign locations? That risk is minimal in some companies, but extreme in others.
The risk, in my opinion, is too great for me to recommend that any valuable corporate data reside exclusively in China. I consider almost all data valuable, but recommend a deep evaluation of the data and cost to duplicate it be understood before making BC/DR decisions.