Mitigating the Risks of Doing Business in Indonesia
In an increasingly competitive environment, multinational companies continue to expand and move into new and unfamiliar territories, either to take advantage of lower operating costs, a cheaper workforce, access to untapped natural resources or what is perceived as a potentially large market. In their haste to take advantage of these ‘attractions’, companies often fail to carry out the necessary due-diligence and research to identify the potential risks and pitfalls associated with such a venture.
Indonesia, like many other developing countries, aside from presenting attractive opportunities also presents a variety of potential risks to which investors may be exposed and vulnerable. These risks range from six years of political and economic turmoil, a history of civil unrest, religious conflict and the threat posed by Islamic extremist groups, socio-economic issues and the resulting effect of increased unemployment, which is estimated now to be as high as 40% of a population of 220 million and as a result rising crime. This is in addition to having to work within an environment which for the unprepared cannot only be costly, but also challenging in terms of:
- A poor regulatory environment and lack of transparency;
- An ineffective and corrupt legal system; and
- An increasingly militant labour force, with manpower laws heavily in favour of the workforce.
Security and Risk Management Strategy
Organisations seeking to enter and do business in Indonesia need to mitigate these risks by putting in place a well planned risk management strategy to ensure from the outset that they have carried out not only an assessment of the risks, but are also well positioned to manage any situation that may present a threat to their assets be it people, proprietary information, property or reputation. Such a strategy needs to have a number of elements in place, including but not limited to the following:
- A clear directive and security policy driven by Executive Management at headquarters level.
- A defined and enhanced security budget than would otherwise be assigned to most new start-ups.
- A dedicated Security Manager, to manage and coordinate security needs. If not available, this can be contracted to third parties with the relevant experience, local knowledge, capability and local presence.
- A Crisis Management Team (CMT) comprising key department heads, trained in their respective roles and responsibilities.
- A Crisis Management Center (CMC) strategically located and suitably equipped from which the CMT can operate.
- Crisis Management and Emergency Response Plans. These plans will guide the CMT through any incident to enable them to effectively and efficiently respond, so that normal operations can resume in a timely manner, whilst minimising costs and damage to reputation.
- Standard Security Operating Procedures for managing routine security duties, undertaken by both in-house and/or contracted parties.
Protection of Assets
Human Resources have to be a key asset within most organizations and as such need to be protected. In order to obtain a maximum return from one’s employees, it is necessary to create an environment whereby they can focus on the business issues, without having to concern themselves with security related issues. To this end the organization needs to implement a programme that provides the necessary reassurance the company is looking after their interests and well being, including that of their dependants.
To this end and in order to minimize the risk to employees, be they expatriate or local nationals, a personnel security programme needs to be established and a number of pro-active procedures and measures need to be implemented or made available, including but not limited to the following:
- Identification of appropriate and secure accommodations, which may entail a survey of possible apartments and then independent security audits of the specific residence. It is also recommended to have domestic staff trained in security awareness techniques from information security to how to respond to an incident.
- Security Awareness Briefings, be it for expatriates newly arrived in country, existing employees, both nationals and expatriates, and at all levels from domestic staff and drivers to senior executives.
- Access to daily risk reports so that all those in country have an ongoing understanding and awareness of the relevant issues, which may have a security implication.
- For those traveling executives who may feel threatened or who are not familiar with the local environment to have an ability to call upon a reliable resource to provide vehicles with trained security drivers and low profile security officers to meet and greet upon arrival and escort them whilst in-country.
- There may be occasions where as a result of an internal dispute or incident, key corporate personnel may be ‘targeted’ and as such feel threatened. It is essential that at this time they be provided with the appropriate support and reassurance that their well-being is being addressed.
Information, be it propriety or otherwise, will often have a value and as such is in need of protection or at least kept on a ‘need-to-know’ basis. In a competitive market with a limited number of firms competing closely for the same projects, relationships at all levels are developed and as such can lead to information being compromised, usually in return for some pecuniary advantage. Typical examples may be a clerk passing on verbal or written proprietary information to an external party. With most information now in digital format, it may involve the unauthorized access into, deletion or removal of information from the organisation’s computer and data systems.
In most cases of computer assisted fraud, or computer intrusion, companies are left with seemingly scant evidence from which to understand the depth of the problem. Where were they vulnerable? Will it happen again? What was seen or taken? Who should they trust? Computer crime has the same effect as many other crimes. It leaves a feeling of violation and suspicion in many corners. Organisations need to be able to focus employee activities on facts not rumors. Whether the need is to understand the depth of a crime, or the perpetrator, specialist skills are required. Few organisations have these skills readily to hand, and often destroy valuable clues by “having a go”.
Computer Security and Forensic Services
Ensuring that the company’s computer systems and data networks have the necessary software and protection measures in place and as and when something appears to be amiss using Computer Forensics to provide the what, where and if possible, the who of a computer infiltration, be it from internal, or external sources. If the intention is to prosecute, this is a way to gather relevant evidence but with the limited legal system in Indonesia, it may be that prosecution is not an option, in which case the service could provide enough confirmation for an investigation to continue in a certain direction or evidence obtained to have an employee removed from their position.
Protection of Property
Indonesia has in the past years experienced an ongoing number of bombings, which have occurred in Government facilities including, Police Headquarters, Parliament buildings and Jakarta’s Soekarno Hatta Airport, as well as Commercial Facilities such as the Jakarta Stock Exchange, Marriott Hotel and others.
Companies involved in the storage, distribution or manufacturing of product are also faced with ongoing theft of product from their facilities. In some cases, particularly where the company may experience labour related disputes, the threat may then arise in the form of criminal damage, sabotage or arson.
Dissatisfied employees or managers with a more entrepreneurial approach may undertake to compete with their existing employer and decide to set up or support a parallel operation and as such steal or divert raw materials or compete through producing an imitation or counterfeit product.
As a result of this threat and potential loss of physical assets as a result, it is necessary to ensure that the company has the necessary insurance coverage, including from terrorist related attacks, but also to carry out site-specific threat assessments at the locations where the company intends to establish its presence. In this way the organisation can put in place appropriate physical and procedural security measures that are commensurate with the threat in order to deter, detect and defend itself against such threats or in the case of terrorism at least present a ‘harder target’.
Reputation, Social Accountability and Compliance
From a business standpoint and where a company wishes to protect its reputation rather than its physical assets, its brand rather than its stock, and its integrity rather than its office building, Indonesia presents numerous concerns that need to be considered and addressed in any effort to achieve good Corporate Governance. These include, but are not limited to:
- Lack of transparency, corporate governance
- Poor regulatory environment
- Widespread corruption
- Overvalued assets
- Organized crime, money laundering, counterfeiting, trafficking (humans, drugs, arms)
- Conflicts of interest
- Theft of proprietary information
- Industrial disputes
All this is in an era where organizations have legal obligations to their employees and stakeholders with potentially serious ramifications against non-compliance. There is therefore a need to enforce and instill within any company a work ethic that adheres to the principles of ‘good corporate governance’. As discussed with the Indonesian legal system and limited ability to take either civil or criminal action, it is often left to companies to not only impart this need upon its employees but to also enforce it and with the recently introduced manpower laws this can often backfire against the employer.
In light of the above, it is therefore necessary for the Company to take all practicable preventative measures to ensure that it meets internationally accepted standards, prevents such risks from being realized. To do this there is a need to carry out one’s due diligence on potential employees and business partners as well as third party contractors,
Whether to hire a particular employee is one of the most critical business decisions a company makes. Recruiting new staff members based on personal recommendations and appearance is not enough. Experience has taught many major corporations that objective and comprehensive screening of candidates prior to employment might have helped to avoid the following problems, among others:
- Conflicts of interest
- Corporate espionage
- Theft of proprietary information
- Contravention of corporate compliance issues
- Corporate fraud
Employment screening services are an essential process to safeguard a corporation from hiring persons who are either unqualified or of questionable integrity. This is particularly so in Indonesia where there is a history of job placement through nepotism, and a thriving business in ‘priced qualifications’.
It is recommended to screen both existing and new employees at all levels. The extent and level of screening is determined by the nature of the position to be filled. Even the lowest level of employee might have access to proprietary information and processes that are critical to the efficient running of the company. Companies should also consider screening personnel being either relocated to or promoted into areas where they will have additional responsibilities.
The overall objective of employment screening is to protect a company against hiring personnel who attempt to either exaggerate or make false claims about their qualifications, work experience and personal background, or withhold information about these aspects that would be relevant to employment.
Specifically, the process should seek to:
- Identify inconsistencies, fabrications, omissions or exaggerations in a candidate’s résumé
- Confirm a candidate’s previous working experience and highlight any character weaknesses
- Reveal any previously recorded occasions of misconduct, which could embarrass the employer and potentially damage its credibility or image.
The future problems that will result from the choice of an unsuitable
business partner should not be underestimated. Profiling the background,
standing, ownership and reputation of prospective business partners is
an essential first stage in the due diligence process, not only in terms
of identifying actual and potential shortcomings, but also as an integral
element of any good corporate governance programme. Conducting prompt
and thorough due diligence is vital for ensuring that a compliance program
is efficient and effective.
Due diligence is recommended at two consecutive levels, with allowance made for use of specialist investigative techniques after due consultation for further focused enquiries if required.
The lowest level check should provide a basic check on the company or individual concerned through information available in the public domain, utilizing database resources wherever possible. In some countries, where information is not readily available from a database, a more labor-intensive search may be required. A basic check can be used as a preliminary review or to focus subsequent enquiries. This alone may not verify whether the company actually exists in anything other than name only.
A more thorough level of check greatly expands enquiries to provide not only tangible proof that the entity exists, but can also give an accurate appraisal in terms of reputation, business and financial status.
As in many Asian countries, irregularities in purchasing and other fraudulent insider schemes are common in Indonesia. The choice and monitoring of a relationship with a vendor is important to reduce the risks involved.
The overall aim and objective of the vendor auditing programme, or the screening of contractors, is to ensure complete transparency in the supply chain, that is to:
- Ensure suppliers are legitimate and ethical and are not merely 'middle-men’
- Remove the possibility of 'bogus' companies being established and potential conflicts of interest
- Prevent collusion between a company’s employees and vendors resulting in corrupt practices
- Demonstrate the Company’s commitment to mitigating and eliminating fraud within the supply chain, particularly within the procurement function
The difficulty in implementing an effective vendor-auditing program is that the people who may be defrauding your company can be the very same people entrusted with the checking in the first place. The use of an outside service provider removes this risk.
Specialist Investigation Services
The findings of an initial due diligence may indicate the need for a more focused or specialist investigation, in which case an investigation can be tailored to meet the specific needs identified.
It is noteworthy that Indonesia presents some specific challenges when conducting due diligence on a company or individual. Records in Indonesia are poor. Few records are required to be kept, and those that are oftentimes are incomplete or unreliable. In most instances records are not centrally held, and are rarely computerized. This means that local expertise and a fair amount of legwork is required to conduct such checks in Indonesia.
Social Accountability Auditing
From sweatshops and child labor to environmental damage and unsafe working conditions, subcontractors of large multinational corporations have the ability to do immense damage to the reputations, and bottom lines, of the companies who contract them. Some of the world's most valuable brands have been severely damaged by the negative publicity and subsequent consumer activism, resulting from the unethical practices of these subcontractors.
A Social Accountability Programme is a strategic holistic approach to all of the issues that face a company who entrust their operations to contractors in Asia. Indonesia has a large manufacturing base in many different business lines with factories often located in remote places. Those that feel least under scrutiny are the ones that often need the closest monitoring by local, knowledgeable and independentrisk management professionals.
The ultimate aim of any Social Accountability Programme is the protection of corporate reputation from being damaged by the unscrupulous activities of subcontractors and/or vendors. Audits should be carried out to ensure :
- Adherence to local laws & international standards
- Company labor policy standards (compensation, working hours)
- Environmental standards
- Health & safety standards
Such programmes should go beyond initial certification; regular compliance monitoring is an essential feature of any Social Accountability Programme.
Summary and Conclusion
Indonesia remains an attractive country in which to do business in for many. In order to reduce vulnerability to the myriad of risks it presents, companies must take a pro-active approach to security and risk management. Doing so naturally reduces the chances of a company becoming a victim, but also minimizes the likely fallout in the event an incident were to occur. An effective risk prevention and mitigation plan will enable the company to effectively respond, recover and resume normal business operations within the shortest time frame possible so as to minimize the potential business impact either financially or from a reputation standpoint.
Our thanks to Nick Duder, of PT Hill Konsultan Indonesia for his contribution of this article.
Other interesting articles on Risk Management in Indonesia: