Depending on the main threats to your organisation and your risk appetite, you may be able to put in place mitigations or conditions which manage the risk of doing business with or in a potentially hostile state to an acceptable level.
For example, if a foreign consortium intends to buy a minority stake in your business and you have concerns about one of the members of the consortium then you may be able to rely on the remaining members to ensure any conditions are complied with. However, if you are establishing a joint venture or giving up control of a large part of your organisation then any risks will become increasingly difficult to manage.
A large technology company outsources the manufacturing of its goods. This allows the company to benefit from lower labour costs, however it does present a number of risks.
The overseas country could be considered a hostile environment, with strong state intervention, and has publicly stated its intention to develop capabilities in the area that the company excels.
In order to protect its long term competitive advantage while minimising short term operating costs, the company has ring-fenced all intellectual property and research and development within its home state while only outsourcing parts of its manufacturing process.
You will also need assurances that any mitigation measures put in place are being complied with and are effective. This is not a one-time activity - it will require ongoing monitoring which can be resource intensive and expensive.
Joint ventures (JV) are one of the most common forms of foreign investment. It creates a limited liability company between the foreign party and the domestic party, who together share the profits, losses and the management of the JV.
The local party in a JV can offer well established distribution channels, government relationships, and significant knowledge of the local market – however this isn’t the only reason JV’s are so popular. In some countries, certain industries are off limits to foreign investors unless they partner with a domestic party.
Due to the shared nature of a JV you may find that you have lost control of your intellectual property and technical know-how and soon find similar products competing against you in the market.
Setting up a JV could help you establish a presence in an emerging market, however you should be aware of the risks.
This may not make the market inaccessible – but you should consider mitigations early in the process. In circumstances where it is feasible, this could include setting up a JV which is solely focussed on older models of your product or technical knowledge in order to safeguard your competitive advantage.
1. Decide which risks can be mitigated
Here are some things to consider. You will have other considerations dependent on your context.
For more detailed protective security consideration, have a look here - Secure Business: practical steps
Physical security
- Have you identified your sensitive holding and sites, especially those most at risk in relation to the business venture or engagement?
- Is the physical access to the sensitive holdings and sites limited to only those individuals who need it?
Cyber security
- Are your systems appropriately designed to segregate sensitive networks and systems from those accessible to the wider organisation and overseas parties?
- Have you determined what data is appropriate to share with the overseas parties? Have you put in place technical measures to limit access to just that data?
- Have you considered the implications of different local laws and regulations on how you protect your data. Overseas parties might operate under regimes that could compel them to release data or cooperate with their state.
- How will you ensure that your partners and suppliers protect the system access and information that you have shared with them?
Personnel security
- Have you completed a risk assessment of roles to ensure additional security arrangement are in place for people who work in roles requiring access to sensitive information or critical capabilities?
- Are you conducting pre-employment screening on all new-starters and individuals who are moving between roles within an organisation?
- Do you have additional policies and checks in place for your high-risk roles and foreign nationals (including dual-citizens)?
Security leadership
- Have you provided a structure for the ongoing governance of the business venture or engagement to ensure the risk management strategy remains effective over time?
- Are you aware of how individual business ventures and engagements may affect your global business and your long term intentions?
A small UK communication company had a number of contracts to produce sensitive technology for government departments and private UK industry. In seeking new funding, the company was approached by a foreign investor with possible links to a foreign state.
Following a risk assessment a number of mitigations were agreed to protect the company’s intellectual property while it engaged with the foreign investors.
This included:
- compartmentalising the most sensitive projects of the company,
- ensuring effective cyber arrangements were in place to audit access to the sensitive information,
- that access was granted only to individuals who had the appropriate security clearances, and
- identifying an owner of the risks associated with the transaction at Board-level.
These mitigations also protected the company’s reputation and ensured its chances of getting future government contracts were not damaged. The protections had to be agreed and fully implemented prior to the part-sale of the company.
2. How can the risks be mitigated?
The next step is to consider the best mechanism to use to ensure your mitigation is effective. This will depend on the mitigation measure as well as the type of the business venture or engagement.
If your interactions with the overseas party is purely financial with very little or no access to sensitive propriety information then the best mechanism may be changes to internal processes to build your internal security capability and enhance security culture.
Alternatively, if the relationship with the overseas party is more complex, with deeper levels of access, then a more formal mechanism may be more appropriate, such as a legal deed or contractual arrangement with the overseas party.
It is important to consider how effective any legal or contractual arrangement is, especially if you are relying on enforcement in an overseas jurisdiction with strong state intervention.
The agreement will depend on your risk appetite and may include things like ensuring the retention of the current supply chain, maintaining operations or data in the UK, or requiring a notification when personnel changes are made in certain parts of the organisation or with the overseas party.
Your strategic and protective security teams as well as your legal advisors will need to be a part of this process from the beginning. Mitigations, regardless of mechanism, are only effective if they are agreed and implemented prior to any in-depth engagement with the overseas party.
A purchase of a UK aerospace company by an overseas consortium raised national security concerns.
The UK company held sensitive UK government material and defence contracts. The company also held a number of military export licences.
The overseas consortium had links to a foreign state and the foreign state had previously tried to acquire UK technology and intellectual property in the military and aerospace sectors.
Due to the level of risk present, the company decided to work with UK government to put in place legal deeds in addition to protective security mitigations.
Two Deeds of Undertaking were put in place to address some of the concerns. The first restricted information which could be shared between the UK company and the overseas consortium (controlled items, sensitive information and IP). The second was between the UK company and government to appoint an independent auditor to ensure the arrangement was adhered to. Both deeds were enforceable by British courts.
3. Will it remain effective over time?
Commercial relationships can be enduring over a long term. The integrity of your mitigations will need to be maintained for the duration of the business or engagement.
Change of personnel
As the individuals in critical roles (including leadership and operational) change you will need to ensure they are aware of the risks and agreed mitigations. This will include within your organisation as well as the overseas party.
Ongoing audit process
Any mitigation will need to be paired with a structured approach to compliance and ensuring the ongoing integrity of the mitigation.
Review and update
The mitigation measures will also date. A regular and ongoing review process will ensure your mitigations stay current and reflect best practice.
Being a part of the UK government’s supply chain presents opportunities for an organisation to be at the leading edge of innovation.
For example, the Ministry of Defence (MOD) is one of the biggest public procurement organisations in Europe and manages some of the most complex and technologically advanced requirements in the world.
The MOD is also the UK’s single largest customer and buys everything from military fighting vehicles to education services. The sensitivities of UK government and the MOD’s work mean that suppliers must be vigilant about hostile actors seeking information on the UK’s capabilities.
Failure to consider and manage the risks involved with foreign investment and trade can result in the loss of current and future contracts with the UK government.
In addition to advice from your security teams, here are some further places you can go for information
NPSA
