For multinational corporations, the challenge of keeping pace with China’s rapidly transforming economy is exacerbated by the need to increase competitiveness and productivity, while remaining responsive to rising costs. As operations grow in size and complexity, the risks posed by internal control deficiencies are amplified. The “cost of loss” for failures to carefully manage critical assets extends far beyond the balance sheet, particularly in the manufacturing sector, where losses of critical physical assets and intellectual property (IP) expose multinationals to reputational risk on a global scale. Moreover, employee theft, counterfeiting and infringement are all too common challenges for businesses operating in China, increasing the need for risk-mitigation strategies that consider market-driven factors facilitating illicit activity behind the scenes. In a weakened control environment, fraudsters steal assets by exploiting procedural and technical loopholes, resulting in potential leakage of IP to bad actors. Lastly, China’s “new normal” of COVID controls limits multinationals’ ability to meaningfully audit sites and monitor critical assets. Regrettably, the emphasis on protecting physical assets and IP often languishes until a critical event rekindles the focus on critical asset protection, but oftentimes the effort is too little and too late. It is imperative that enterprises pay greater attention to protecting their assets, and having an investigative mindset is key to achieving this goal.
Challenges to protecting assets
Businesses operating in China, particularly multinational manufacturing firms, face myriad challenges in securing and protecting their critical physical assets and IP.
“Whack-a-mole” mentality: Businesses tend to take a piecemeal or superficial approach to management, reacting to problems as they occur, instead of anticipating and preventing them before they take place. Businesses often fail to proactively identify or make an inventory of their critical physical assets or IP, or to understand the current protective measures and potential loopholes regarding those assets. Meanwhile, a company’s response to the loss of critical assets is often no more than reactive window-dressing, rather than an orchestrated exercise in identifying and mitigating the root causes behind the breach.
Cost control: The protection of assets cannot be separated from a company’s investment in internal controls. Businesses often face the dilemma of pursuing cost management versus investing in means to secure their critical assets. Protective measures and security resources are unevenly applied to high-value materials and finished goods, as processes, such as repair, scrap, recycling and general waste, give way to cost considerations. While waste and scrap disposal can generally bring non-operating income to a company, well-intentioned recycling efforts can present a security risk, as failures to properly destroy scrap material can encourage counterfeiting and IP loss. Strict cost control is also manifested in a lack of internal control or loss-prevention functions for critical asset protection. As a result, responsibility for asset protection rests with the leaders of the business unit, who are not subject-matter experts in loss prevention. In addition, a lack of track and trace capability covering the lifecycle of the product (raw materials, work in process, finished goods, repair and scrap) can stimulate and enable theft schemes.
Inadequate processes: Oftentimes, production processes are not created or reviewed from a security risk perspective. Rather, they are focused on manufacturing goods efficiently in a “lean” environment, which continually evolves to reduce waste. The concept of “waste” here does not account for losses due to malfeasance, and manufacturers generally have inadequate compliance policies, training methods or reporting methods to encourage employees to report suspected misconduct. Insufficient checks and balances are another cause of asset loss. A lack of cross-functional controls leads to supervisory weakness and a loss of critical physical assets or IP. For example, Control Risks worked with a client whose scrapped finished or semi-finished products were reviewed and approved by its Quality Assurance team (QA). The disposal of the scrapped goods was handled by operators without QA’s supervision, which meant that the scrapped goods could be removed from the factory and repackaged for sale.
Strategies and solutions
To achieve operational success in China, businesses should develop an asset protection programme that seeks to: 1) identify critical assets; 2) conduct gap analyses comparing the protective measures that should be in place with those that are currently in place; and 3) assess current vulnerabilities. From a compliance perspective, it is critical to shift from a reactive management style to one that encourages employees to speak up on matters pertaining to critical asset protection.
Identification and assessment with an “investigative mindset”
Carry out an onsite risk assessment of procedures relating to surveillance, storage, production, packaging, waste and scrap management, to identify vulnerabilities regarding asset protection, to check whether these are in line with corporate SOPs, and to ensure that there is robust information technology to mitigate unauthorised access to critical IP.
Treat the priority risks identified and take measures to prevent them in a timely manner. Create a loss-prevention plan, including policies and procedures, which inform who, what, why and how a protection mechanism for critical physical assets and IP is to be implemented.
Utilise “value-stream mapping” with a risk focus, to shift analysis of traditional manufacturing efficiency towards the goal of critical asset protection. Mapping out the production value-stream from a risk perspective can help identify gaps in security. While manufacturers vigorously improve security regarding high-value materials (HVM) and finished goods, processes, such as repair, scrap, recycling and general waste, tend to be overlooked. Fraudsters can circumvent these processes to divert HVM and IP through the waste stream, which is often facilitated by colluding scrap companies cherry-picking your company’s “trash”.
In lean manufacturing, the term “Gemba walk” refers to an informal visit to the production line, in which managers can make first-hand observations of the actual manufacturing environment in terms of quality, safety and general tidiness. By using an investigative mindset, Gemba walks can become an invaluable tool to pinpoint control gaps. Below are a few tips for investigators on Gemba walks:
- Are the empty cartons in the recycling bin really empty? Could the cardboard recycling stream be used to divert product and materials to colluding recyclers?
- Are there any log-in credentials visible on system access points? Do they suggest password sharing? For example, is the username something generic, such as “Admin” or “DayShiftPackout1”?
- Are employees using camera-enabled mobile phones, in line with company policy? Can employees take and transmit photos from design areas?
- Are managers allowed to skip security protocols when entering/exiting the production area?
Internal controls and compliance
- Establish a dedicated internal control and compliance function. Define objectives and values of loss prevention, formulate an organisational structure for the function based on the future direction of the company, and clarify roles and responsibilities. Ensure the independence of the team.
- Enhance checks and balances in production to strengthen cross-functional supervision for asset protection, and ensure asset protection becomes part of the compliance programme as well as the employee handbook.
- Conduct root-cause analysis, distil post-incident learnings, and carry out improvements, with the view of preventing incidents from recurring.
- Develop an employee training programme to educate staff on the importance of protecting assets, to foster a culture of asset protection in the company.
- Assess the business’s overall “speak-up” culture and design appropriate programmes to identify weaknesses and address concerns.
- Educate employees that the true “cost of loss” of critical assets is not just a financial figure; it has an impact on the company’s brand, reputation and operations.
Developing resilience in asset protection in China is more challenging now than ever before. Enterprises need to have deeper insights into what their key assets are and where their vulnerabilities lie. Stakeholders need to embrace the scepticism associated with an investigative mindset to temper manufacturing experts’ focus on efficiency, quality and the elimination of waste. They should establish a robust asset protection programme that covers both preventative measures as well as response and containment capabilities, and that builds strong awareness among employees. A mix of formal and informal assessment processes can help prevent costly breaches and reactive investigations, and internal controls and compliance improvements can help break the cycle of knee-jerk responses.