(puspamitra, nabarun, balmukund_s, rajni_ms, Shilpi_Jain01, judef)@infosys.com. Abstractâ Software companies typically select new countries of operation ...
2012 IEEE Seventh International Conference on Global Software Engineering Workshops
A Risk Framework for New Country Compliance for Global Software Companies
Puspamitra Mishra, Nabarun Roy, Balamukund S, Rajni M S, Shilpi Jain, Jude Fernandez Infosys Bangalore, India (puspamitra, nabarun, balmukund_s, rajni_ms, Shilpi_Jain01, judef)@infosys.com
these countries were new countries for operation. In either of the cases cited above, the main development work is usually done in any of the company’s already established software development centers. However, there is always the need for setting up some level of local presence in the new country for customization, deployment and ongoing support. The challenge for the IT organization (products or services) in either case is to be cognizant of the risks involved in operating out of the new country before committing to the deal. This is important both from a risk mitigation to company operations as well as to ensure full compliance to all local laws and regulations. This can be a complex task due to the large number of potential countries involved. For large IT organizations, the cumulative number of countries that need to be covered can exceed 100. The point of decision is often at the time of deal making or proposal submission. The sales team and project managers involved need to have adequate information about the country or set of countries involved in the proposal. They will need reliable guidance as to the overall risk profile of the country(ies), for e.g., a go-no-go decision, or as in some cases, proceed with caution, subject to certain conditions. It is not practical to expect the sales team to perform this analysis each time. It makes more sense for this to be performed by a central or corporate group which owns and continuously assesses and updates the risk profiles for all applicable countries. Another challenge is the multiple areas of risks categories with sub-elements under each category that need close analysis during decision making. There are various risk areas such as, safety and security, immigration, legal aspects, compensation and benefits, language and cultural aspects amongst others. The risk levels for each parameter and subparameter is not constant and can vary based on situational changes. These need to be tracked and analysed on an ongoing basis so as to enable right decision making, for e.g., changes in safety and security parameters or legal aspects in a country. In several cases, the risk information may be unavailable or partially available at a point in time. As IT organizations engage with large corporations in strategic partnerships, and execute large and complex transformation programs, risks are inherent and ever changing, and need to be managed. Effective de-risking and ongoing compliance is a key ingredient in ensuring success, profitability and sustainability. Also, as the organization becomes larger, the number of projects, programs and managers multiply. A delivery leader manages multiple tasks and there is an information overload of parameters, issues, risks from
Abstract— Software companies typically select new countries of operation based on cost, talent availability and other factors. In certain cases, however, new countries of operation are determined by customer locations and preferences. For e.g., a product implementation for a customer in a new country or a global rollout of an application increasingly involves setting up some level of operations in new countries. Newer, less familiar countries are unknown entities from the aspect of the risk of setting up and running software operations. There is the need for a comprehensive risk framework that can aid in the proactive assessment of risk for a new country to enable the right business decision to be made. Additionally, the framework should enable the organization to proactively manage, respond to the risks well ahead of time, and ultimately help to establish successful operations in total compliance. We analyse the risk framework new country compliance from a large IT services company and propose areas of further research to increase the robustness of this framework. Keywords - New Country penetration, Risk Framework, Compliance.
I.
INTRODUCTION
Challenges of global software development have been studied largely from the angle of the spread of software development from out of one or two locations to offshore centers spread out across the world. This began with the offshoring trends in the 1990s and has now grown such that multiple countries across continents are today attractive locations for software development [1][2]. Consequently, this space has received considerable attention from researchers [3]. In this paper we focus on a different scenario of globalization of software development, namely from the angle of newer markets to be addressed for software products and services. For a software product organization, this can take the form of selling, deploying and supporting their product to a client in a new country, where the organization has never operated before. For IT services organizations, it can take the form of a global rollout of a software application (for e.g., large ERP applications) for a client organization across its operations in multiple countries. For eg, a multinational manufacturing organization based in Europe has operating branches spread out across a large number of countries across Asia, Latin America in addition to those in Europe and the United States. In the course of the adoption of a new ERP package, the rollout was on a global scale covering all current countries of operations. For the IT services organization carrying out this rollout, several of 978-0-7695-4788-6/12 $26.00 © 2012 IEEE DOI 10.1109/ICGSEW.2012.22
1
types mentioned here include, fraud, employment practices (discrimination, safety, employee health etc.), business disruption etc. Operational risks are mostly based on an exclusion principle such as "every type of non-quantifiable risk." Another categorization of operational risks is provided by Muermann and Oktem [8]. They mention that potential risks may emerge because of the following factors: legal and regulatory norms, employment practices, political and crime situations. In addition Shapiro [9], and Pettit et al., [10] have identified that economic risks and political risks can also hamper new setup in overseas. Dowling Jr [11] explores the ramifications of different status of employees in a country (floating or registered) and stresses the risks of being in non-compliance with local regulations. The paper also explores the various dimensions of the HR dimensions of formally employing employees in a new country. The aspects covered include the structure of the business entity, compensation and benefits, local hire issues, contracts and overall HR administration.
multiple projects and people. There is a need to ensure that the right risks come to the attention of the manager and action is taken at the right time. The risks evaluated and addressed proactively can avoid serious issues during project execution. Considering the above, there is the need for a comprehensive, yet easy to adopt(use) framework based on which ongoing risk assessments can be carried out, and cumulative scores for each country be made available. In this paper, we elaborate in some detail on the New Country Risk Evaluation framework which was developed and implemented at Infosys Limited, India. Our analysis of current literature did not reveal significant research done in similar areas and hence we believe that this work can add some value to this domain of study. We also evaluate this model and identify future needs for research. II.
EXISTING LITERATURE FOR NEW COUNTRY COMPLIANCE FRAMEWORKS
A. Literature Analysis Rating of countries is not a new concept. Several agencies carry out country ratings on different parameters and make these available for further use. The most visible amongst these are the credit rating agencies which rate a country as to its credit worthiness, i.e., its ability to repay its debts. When it comes to selecting a new country from an investment standpoint, there are several well-known agencies which publish their country ratings; e.g., Dun & Bradstreet, Moody's, Standard & Poor's and Fitch [4]. Country risk refers to the risk of investing in a country, dependent on changes in the business environment that may adversely affect operating profits or the value of assets in a specific country. For example, financial factors such as currency controls, devaluation or regulatory changes, or stability factors such as mass riots, civil war and other potential events contribute to companies' operational risks. This term is also sometimes referred to as political risk; however, country risk is a more general term that generally refers only to risks affecting all companies operating within a particular country [5]. On another dimension, the World Bank along with the International Finance Corporation publishes a ranking of countries with regard to the ‘ease of doing business.’ Here a high ranking on this index implies that regulatory environment is more conducive to the starting and operation of a local firm. This index computes the average of the country's percentile rankings on 10 topics, each made up of a variety of indicators, with equal weight to each topic. These cover ease of starting a business, dealing with construction permits, electricity, property registration, taxation, contracts etc [6]. The risk associated with the theme of this paper is narrower in nature and is somewhat aligned to the term Operational Risk. As the name suggests, these risks arise from the execution of the company’s business processes. The Basel Committee defines operational risk as: "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events" [7]. The various risk
III.
FRAMEWORK ELEMENTS
Taking a decision on setting up operations (at any level) out of a new country is always been a complex decision especially for countries on which prior information is not easily available. This decision is an elaborate process and multiple parameters around which information needs to be collected, analyses and evaluation and finally arriving at a risk score for each parameter. The individual risk scores are then collated together to compute the comprehensive risk score for each country. The risk elements to be analysed cover multiple information domains. These include the applicable mode of operations as per the country regulations, tax implication and regulatory requirements, compensation and benefits and payroll considerations, issues related to staffing of required non-local experts to assist clients during various stages of software implementation etc. Additionally issues to be analysed include immigration processes and challenges, language, living conditions for the employees in the new location, hiring of local talents (for e.g., ease of getting the right talents, making the local hire integrate with the parent organization process and work culture). At a macro level, the operational risks can be bucketed into the following categories below. Due to lack of space, we are only attempting a representative description of the risk elements and sub-elements. 1) Safety & Security: This covers the aspects of employee safety and security in the country and can be a potential show stopper. For e.g., crime rate in a country can have an impact on the employee safety. 2) Mode of operation in the country: The organization may decide to open a branch or a subsidiary in the new country if there is a business case for it. Alternatively it may decide to operate through a secondment partner if the laws of the country allow such an option. Having a branch provides more flexibility from the perspective of project execution as there is no dependency on a third party, but it could involve
2
•
some overhead costs. In the secondment option, the execution could get impacted if the partner chosen is not efficient. Further, the organization will not be able to directly hire talents in the new country [11]. 3) Payroll Setup: The norms and regulations regarding salary and benefits structure and payroll process, overtime and night shift allowance etc. are some of the important aspects to be considered to stay in compliance with local government regulations [11]. 4) Legal and Taxation aspects: This refers to questions on different modes of taxes / cost that are applicable. For e.g., service tax on the invoice raised by the client [6]. 5) Working Hours: Each country will have its own set of rules on maximum work hours, number of leaves and holidays. These rules need to be considered from the perspective of the current practices of the company and the extent of similarity or dissonance it might cause [11]. 6) Immigration: The paperwork, effort and timelines needed to process work permits and other required visas vary across countries and may not be known upfront. In some cases, it is not possible to predict lead times to obtain a visa. In some countries this lead time could be very high, while in some cases, there could be additional constraints such as fixed quotas for visa per year etc. In several cases there is cooling off period required between consecutive travels to help in better planning. Additionally, the company needs to know upfront if any group in the workforce is not allowed to work in a particular country e.g., women. Also it might not be possible to operate out of a country if there is a travel advisory against travelling to a particular country [11]. 7) Delivery: If staffing is to be done by local hires, the following risk aspects need to be considered: a) Ability to attract talent: This will be influenced by the brand image of the organization in that country [11] b) Induction: In the absence of proper induction, the local hires may not represent the organization appropriately in front of customers c) Reporting: If the workforce in the country is small, then the employee(s) may have to report to a manager who is in different country and time zone. If there is not enough engagement happening, the local employee may feel alienated. The manager may not understand local work culture, motivating factors. d) Global team challenges: In case of a globally dispersed team with multiple nationalities, there would more challenges, some are listed below: • As team will be spread across different time zones, some members may have to take late evening/early morning calls. This may not be acceptable to all. If this involves overtime that needs to be planned for. • Proficiency in a common working language (e.g., English) may be an issue in some countries
IV.
Cultural norms may vary e.g. acceptance of ambiguity, process discipline, time keeping, tolerance towards strong language may differ across nationalities and can influence decisions on entry into a new country [12]. FRAMEWORK ELABORATION & VALIDATION
Typical process in organizations actively involved in entering new countries, bring together various departments like legal, immigration, payroll, HR, tax and the business team to work in tandem to establish operations in the new country. At the point of creating the framework, Infosys already had experience of operating in 80 plus countries. However, the relevant information for new country risk evaluation was scattered across multiple systems and departments and retrieving the same while responding to a customer requirement was cumbersome and time consuming. To enable systematic decision making, the need was felt for a framework and process to manage the above risks proactively and on an ongoing basis. A. Development of the Framework The proposed framework was developed as follows. The risks outlined in the above section were identified and investigated after a detailed discussions and assessments with various stakeholders (for e.g., payroll questions with the HRD-Compensation & Benefits group). A risk questionnaire was designed to elicit and assess the risks for each country, based on the parameters or categories mentioned in the previous section. A risk scoring mechanism was developed based on the relative importance or weightage of the risk questions, and the possible responses to the questions. The risk scoring model was developed at both the category level as well as the country level. A risk classification model was developed based on the risk scores. TABLE I.
COUNTRY RISK LEVELS
Country Risk Level Green
Safe to operate with minimal risk
Yellow
There are risks – Need to plan
Amber
There are substantial risks – Need to plan
Red
Show Stopper issues - Not advisable to operate
After completing the framework the next step was to collect information on the above operational risks for the 80+ countries where the organization has operated and make it available to all managers in a single portal. Countries were assessed and rated red / amber / yellow / green based (Table 1) on the capability and risk of the organization to operate there. This risk inputs are taken from all relevant stakeholders namely, HR / Legal / Payroll / Immigration / Customer service groups / Service delivery team. The risk level was validated by reviewing the actual situation on ground, and the risk scoring model was adjusted suitably and strengthened.
3
are initiated with the objective to mo ove the country towards a ‘green’ status.
A periodic assessment process was set uup to ensure that the data is kept up to date as and when new countries are onboarded or when there is a change in the rissk scenario in any country. Based on the above, the Country Riisk Management Framework was created (Fig. 1). Intended aas a proactive risk management framework, this is designed to bring in the right prioritization, rigor and consistency on risk identification, risk response planning, actions and riskk-based decision making. It also has an integrated riskk dashboard for management use.
V.
EVALUATION OF F THE MODEL
This framework was implementted in November 2011on a portal to enable access to teams accross the organization and since then has undergone periiodic refinements. The framework has seen significant usaage by sales and project teams to guide their decision making with regard to deals pertaining to new countries. Since then, the framework has proved to be useful on multiple occaasions, especially for new countries in South America, Africa, Eastern Europe etc. where till date previous operational set up did not exist. In several cases, it also helped to begin n the country compliance assessment process for a new counttry in parallel to the deal process, thus enhancing the coveraage of the framework. In certain cases, it has also led to setting up branches for operation in new countries thus paving the way for more business to be carried out from theree. One of the significant strengths of this framework is that it brings together all areas of countrry compliance in a single portal. It brings coherence and visibility to all requirements of setting operations in a new coun ntry. This helps the sales and delivery managers to prepare and take proactive actions in partnership with other groups. Itt brings together a set of SMEs from legal, immigration ettc. and enables them to collaborate via this portal. Currently the portal does not have h much to offer from learning angle to newcomers to the model. The portal could be enhanced to host or link to a set of FAQs, rules, compliance procedures so that information i is available readily. This will help educate and create c awareness amongst the sales and delivery teams and alsso save time lost in them reaching out to the SMEs. Therre is further scope for automation. For e.g., a sales / deliv very person anywhere in the organization should be able to lo og a request on the portal to initiate the compliance proccess for new country compliance. Subsequent steps can n be automated through suitable workflows for speeding up p the process as time to market is also important. Some amount of external benchmarking of the framework has been done. Efforrts are on to bring in comparisons with other similar models, m as well as do ongoing analyses of the various paraameters in the framework with experts around the world.
Figure 1. Country Risk Management Fraamework
Periodic risk assessment is achieved by means of a comprehensive risk questionnaire across thhe following risk dimensions: legal, immigration, compensattion and benefits, working conditions, payroll, tax and serviice delivery. The risk questionnaire has to be answered by the respective functional Leads namely, HR, Legal, Payrooll, Immigration, Customer service, Service delivery. This is to be done for each country where operations is expected to start, or is in progress. B. Risk Measurement, Mitigation & Governnance Risk is measured based on the responsees provided to the risk questionnaire. Risk is measured for eachh country as well as each category within the country. Thee risk score is a function of: weightage of the risk question, weightage of the risk response and the nature of the risk – singular risk i.e. show stopper vs. a general risk. Current countries of operation and prosspective countries based on business priorities are identifiedd and prioritized. The different units in the organization iddentify countries where the operations are expected to starrt. For all ‘nongreen’ countries where operations are expeected to start, the various functional leads from immigration, llegal etc. work to set up the processes required for smooth opperations thereby mitigating the risks of operating in those couuntries. The risk level and risk details of the vvarious countries measured by means of the periodic assessm ment process are made available in a portal. The prioritized ccountries and risk levels are monitored and tracked continuoously and actions
VI.
D NEXT STEPS LEARNINGS AND
In today’s fast-moving business world, speed is of the essence as organizations seek to close on new business opportunities. However, as in cases of new country operations set up, it is equally impo ortant the required rigor is brought in as due diligence before decisions on new countries can be made and allso to ensure ongoing compliance in accordance with local regulations. Organizations which can balance rig gor and speed in a mature manner can aim for business success whilst being in compliance with the law of the land..
4
[5] Euromoney, "Euromoney Country Risk," [Online]. Available:
This detailed framework covering a cross-section of various domains important to new country compliance has brought in significant value of rigor as well as speed of decision making. Today it has brought in organization-wide visibility, focus and improvement on risk predictability and risk response actions. Further it has helped improve on timely alerts at various levels to the leadership.
http://www.euromoneycountryrisk.com/Methodology.aspx. [Accessed 15 May 2012].
[6] The World Bank Group, "Doing Business 2012: Doing Business in a More Transparent World," 20 October 2011 . [Online]. Available: http://www.doingbusiness.org/. [Accessed 09 May 2012].
[7] Bank for International Settlements, Operational Risk: Consultative Document, Basel Committee on Banking Supervision, 2001.
ACKNOWLEDGMENT
[8] A. Muermann and U. Oktem, "The Near-Miss Management of
We wish to acknowledge the contributions of several individuals from different groups in the company who were instrumental in setting up this framework. A framework as comprehensive as this and covering multiple domains needs the sustained and committed involvement of different functions. This has proved to be vital for the success of this framework.
Operational Risk," The Journal of Risk Finance, pp. 25-36, 2002.
[9] A. C. Shapiro, "Capital Budgeting for the Multinational
Corporation," Financial Management, vol. 7, no. 1, pp. 7-16, 1978.
[10] J. Pettit, M. Ferguson and R. Gluck, "A Method for Estimating
Global Corporate Capital Costs: The Case of Bestfoods.," Journal of Applied Corporate Finance, vol. 12, no. 3, p. 80–90, 1999.
[11] D. C. Dowling Jr., "New-Country Start-Up HR Toolkit: What You
Need to Know When Launching Employment Operations In Some New Overseas Jurisdiction," September 2008. [Online]. Available: http://apps.americanbar.org/intlaw/committees/tax_estate_individu als/employment/map_files/ABA.GEM.Start-Up.HR.Toolkit.pdf. [Accessed 09 May 2012].
REFERENCES [1] D. Damian and D. Moitra, "Global Software Development: How Far Have We Come?," IEEE Software, pp. 23(5):17-19, 2006.
[12] F. T. Rothaermel, S. Kotha and H. K. Steensma, "International
[2] W. Aspray, F. Mayadas and M. Y. Vardi, "Globalization and
Market Entry by U.S. Internet Firms: An Empirical Analysis of Country Risk, National Culture, and Market Size," Journal of Management, pp. 56-82, February 2006.
Offshoring of Software," Report of the ACM Job Migration Task Force, Association for Computing Machinery, New York, 2006.
[3] M. Jiménez, M. Piattini and A. Vizcaíno, "Challenges and
Improvements in Distributed Software Development: A Systematic Review," Advances in Software Engineering, 2009.
[4] A. Afonso, P. Gomes and P. Rother, "What “Hides” Behind
Sovereign Debt Ratings?," 19 January 2007. [Online]. Available: http://ssrn.com/abstract=954705. [Accessed 15 May 2012].
5