Information Technology Risk Issues Facing US Companies Seeking Global Expansion

Rewards and risks surround any organization considering the notion of going global, and identifying the potential risks of expansion can be challenging. One area that is often overlooked is that of information technology (IT) risk (Goodwill, 2006). The purpose of this essay is to discuss how the explosion of information technology and the incredible advances in global communications pose significant risks to American global organizations as they expand in the international environment. This essay examines four areas of IT risk: ineffective or nonexistent IT risk management programs, supply chain fraud, technology risk associated with entering into a joint venture (JV) and foreign protectionism practices. Each issue is discussed, as well as potential solutions to mitigate risk.

Poor IT Risk Management Programs

Lack of (effective) established IT risk management programs, especially in the financial services sector, creates an inherent risk in that it exposes data that is supposed to be privy and confidential. Ernst & Young issued a report in February, 2008 indicating that 22 percent of companies surveyed with assets over $10 billion have no formal IT risk management program, and that more than 40 percent of executives (Curtis, 2008) “did not feel their firm was effective in risk reporting and disclosure, risk and issues management, and trend analysis” (Curtis, 2008, par. 2). The issue of IT risk management is overlooked, as most companies focus on political, economic, environmental and regulatory risks (Curtis, 2008).

Supply Chain Fraud

Supply chain fraud is an issue that is currently on the rise (Anonymous, 2008), especially among international shippers (Hoffman, 2008). According to the Federal Bureau of Investigation supply chain fraud is costing US shippers an estimated $15 billion to $30 billion annually (Hoffman, 2008). “Vulnerabilities for companies increase as they expand and globalize, add new information-technology systems, and as their supply chains become more extended and complex” (Anonymous, 2008, par. 2). Also, “[s]ince it is relatively cheap and easy to store information electronically, companies are holding on to data (and) information longer, which increases risks for fraud due to the increased volume" (Demichelis, cited in Hoffman, 2008, par. 2). Lastly, the supply chain is open to fraud “because of global growth and increased outsourcing, according to a recent Global Fraud Report released by Kroll, the New York-based risk consulting firm” (Yoo-chul, 2008, par. 3). Most of the incidents of fraud are considered to be carried on from the inside (Hoffman, 2008).

Joint Ventures

Entering into a JV is an inherently risky decision, as A JV, in essence, is a partnership between two or more entities. Partnerships do have a high degree of risk due to joint and several liability of the entity’s owners, which is why many international JVs fail (Borgonjon & Hoffman, 2008). “Nearly 30 years of experience has taught foreign investors that, when possible, it is better to go it alone” (Borgonjon & Hoffman, 2008, par. 3). This is not to say that JVs aren’t attractive in certain markets, though. The easiest way to enter the Chinese market and share in the rewards (i.e., increased profitability, higher market share, and exploitation of technology) is via JV (Collins, 2007; Borgonjon & Hoffman, 2008). The disadvantage to sharing technology is that existing intellectual property is difficult to protect once it is shared by the JV, especially in China (Collins, 2007).

Technological Protectionism

US firms attempting to expand into other areas of the world may encounter practices of protectionism, which are designed to restrict foreign trade (Gupta & Govindarajan, 2004). Protectionism of technology occurs when a country establishes its own unique technical standards for the purposes of shutting out foreign competition (China Post, 2008). This puts US based and other companies at an unfair disadvantage. “Many American companies have expressed concern about security standards for information technology products that made it costly for them to enter the Chinese market” (Padilla, cited in China Post, 2008). JapanChina is using this method of protectionism to provide its companies with a competitive advantage (China Post, 2008). attempted this practice in the 1980s, and it failed (China Post, 2008). Currently,

Combating IT Risk

In terms of IT risk management programs, it is important to first have an effective system of internal controls in place. An established, written system of checks and balances is a good start to mitigating risk (Robbins & Coultier, 2007), but it is not enough to have written policies and procedures. Internal controls must be carried through and enforced from the top down (Kinney, 2000), and management must refrain from overriding controls (Horngren, Harrison, & Bamber, 2006)

Also, the design of the IT Risk management system should be carefully considered.

The problem with many IT risk management programs that leads to their ineffectiveness is the fact that most large companies place risk in the various silos of the organization. Many international organizations are designed to have multiple lines of business, each with its own IT systems. Even though the processes from multiple silos overlap – due to common processes and services – there is no common, binding understanding and/or assessment of the IT risks involved in the organization as a whole. The need for convergence – or at minimum integrated risk management - exists (Curtis, 2008).

The problem with converging systems is the fact that most risk management solutions vendors and software packages are designed for specific aspects of the organization: there is no blanket package yet available to facilitate an integrated approach (Curtis, 2008; Goodwill, 2006). However, the push towards a more holistic approach to IT risk management is starting to be met by market demands:

“There is a movement toward automating the risk management process to make it lower in cost and more efficient… The tools supporting risk management are evolving and becoming more integrated. This is where we see opportunity, [in part] by implementing acommon risk language to roll up and report risk to an organization (Barrett, cited in Curtis, 2008, par. 16).

The holistic approach can be a viable solution to other areas of IT risk, such as supply chain fraud. “[S]hippers and service providers invest heavily in security guards, fences, access controls and locks” (Hoffman, 2008, par. 6), but a level of internal controls deemed adequate from a textbook approach is not enough to deter fraud. The human element is being ignored (Hoffman, 2008). Chains, locks, and a well-documented system of internal controls is sufficient to be in compliance with “Customs-Trade Partnership Against Terrorism and Transported Assets Protection Association security programs” (Hoffman, 2008, par. 7), but the controls will not prevent “a part-time warehouse worker

with temporary access codes who knows when the high-value cargo is leaving” (Hoffman, 2008, par. 7) from engaging in fraudulent activity.

“The lesson is that you really have to approach protecting your business and supply chain with a very holistic approach… There has to be some actual human element to try to beat those systems once you're compliant. There is no silver bullet (Hoffman, 2008, par. 8).

The holistic approach can also work well when deciding whether to do business in China, but it should be in used in conjunction with every effort to carefully and properly plan expansion. Any US company seeking to expand into the Chinese market should consider placing tight controls over the supply chain management, constantly monitoring and reviewing quality control programs, as well as finding the right company to do business with (Canning, 2008).

“U.S. companies looking to do business with China, therefore, would be wise to adopt the famous Boy Scout motto: ‘Be Prepared.’ Armed with the right information and resources, they will be able to reap financial and other rewards from relationships with respectable Chinese manufacturers. To ensure the highest quality and safety of the private label end products, Bi [sourcing specialist in China] recommends that companies thoroughly research the industry to identify highly qualified manufacturers. An expert who’s bilingual in English and Chinese is critical to this effort and should be involved from the very beginning. After the deal is authorized, the U.S. buyer should put someone in place to monitor the production on a continuous basis” (Canning, 2008, par 20-22).

Companies that do not have the resources necessary to effectively set up operations in China should seek a sourcing agent who can assist the U.S. organization in finding reputable companies to do business with (Canning, 2008). Much like finding the right business partner, employee, or investor, the U.S. company seeking to go into a JV with a Chinese firm should find someone who can be trusted. Despite China’s reputation, a perfect marriage in business can be attained (Cunningham, Cunningham, and Park, 2008).

Careful consideration should also be taken when dealing with China’s stance on technological protectionism. When faced with this issue, U.S. companies wishing to do business with the Chinese have three options:

Invest the necessary resources to effectively enter the Chinese market.

Postpone the decision to do business in China until the short-term effects of protectionism are short lived.

Consider entering into another country.

Summary

This essay discusses how the explosion of information technology and the incredible advances in global communications pose significant risks to American global organizations as they expand in the international environment by examining four areas of IT risk: ineffective or nonexistent IT risk management programs, supply chain fraud, technology risk associated with entering into a joint venture (JV) and foreign protectionism practices. Textbook solutions and hasty decisions are not adequate to hedge IT-related risks. Rather, careful planning and a holistic approach are favored.

Anonymous (May 12, 208). Report: supply chains are at greater risk for fraud. Shipping Digest, 85 (4446). Retrieved May 24, 2008 from the EBSCOHost database.

Canning, K. (April, 2008). Risky business. Private Label Buyer, 24 (11). Retrieved May 24, 2008 from the EBSCOHost database.

China Post. (May 10, 2008). U.S. warns China of technological isolation. China Post. Retrieved May 24, 2008 from the EBSCOHost database.

Collins, M. (December, 2007). Outsourcing: the good, the bad, and the ugly. Industrial Maintenance & Plant Operation, 68(12). Retrieved March 3, 2008 from the EBSCOhost database.

Cunningham, M. G., Cunningham, D. B. & Park, D. (March 2008). Reflections on doing business in China: a case study. International Journal of Management, 25 (1). Retrieved May 24, 2008 from the EBSCOHost database.

Curtis, C. E. (March 17, 2008). Emphasis on IT risk management driving new solutions. Securities Industries News, 20(11). Retrieved May 24, 2008 from the EBSCOHost database.

Goodwill, B. May 16, 2006). Get IT integrated for risk management, bosses told. Computer Weekly, 00104787. Retrieved May 24, 2008 from the EBSCOHost database.

Grosse, R. E. (2000). Thunderbird on global business strategy. New York: John Wiley & Sons.

Gupta, A. K., & Govindarajan, V. (2004). Global Strategy and Organization. New York: John Wiley & Sons.

Hoffman, W. (May 12, 2008). Fighting supply chain fraud. Traffic World, 272 (19). Retrieved May 24, 2008 from the EBSCOHost database.

Horngren, C. T., Harrison, W, & Bamber, L. Accounting. Upper Saddle River, NJ: Prentice Hall, 2006.

Kinney. W. R. Information Quality Assurance and Internal Control for Management Decision Making. New York: McGraw-Hill, 2000.

Koremans, S. (October 19, 2007). Outsourcing: how to make it work. B&T Weekly, 57(2633). Retrieved March 3, 2008 from the EBSCOhost database.

Robbins, S.P. & Coulter (2007). Management, (9^th ed.). Pearson: Upper Saddle River, NJ.

Schultz, R. A. (2006). Contemporary issues in ethics and information technology. Hershey, PA: Idea Group, Inc.

Yoo-chul, K. (May 5, 2008). Supply chain fraud top concern for firms. World News Connection. Retrieved May 24, 2008 from the EBSCOHost database.