Managing Risk in Pursuit of FDI Opportunity

In 1996, business in Thailand was booming, with headlines hailing the Tiger economy’s enviable growth rates. A material part of that remarkable economic growth was the inbound foreign direct investment (FDI). Then came the Asian Financial Crisis in 1997, and the Global Financial Crisis in 2007. A decade later, Thailand is seen as a desirable destination for FDI due in part to promotion through the Board of Investment and initiatives like the Eastern Economic Corridor and Thailand 4.0.

Yet, Thailand’s economic development is entering a new phase, and it is increasingly a source of outward FDI (OFDI), both regionally within the Association of Southeast Asian Nations (ASEAN) and globally. The pursuit of business growth, at home and abroad, presents enticing opportunities to put OFDI capital to work. However, businesses in Thailand should carefully plan and implement controls to mitigate the numerous risks that are encountered along the path to realizing a return on investment that meets or exceeds organizational goals.

OFDI Risks and Opportunities

The global economy continues to strengthen as the Global Financial Crisis shrinks in the world’s collective rear-view mirror. Thailand, traditionally a destination of FDI, is increasingly investing in neighboring countries and even further afield. In fact, Thailand OFDI nearly doubled over the past decade according to the Bank of Thailand. The Bank of Thailand’s data in the chart below also bear out some other noteworthy trends in the country’s OFDI.

The comparison of the beginning and ending years’ OFDI is meant to be an indicative glance rather than an exhaustive analysis of the time period.  Unfortunately, a deeper economic analysis is beyond the scope of this article (those wishing to gain greater insight into these macro trends are encouraged to seek economic consultation).

Thanks to near-record low-interest rates and high liquidity, capital is largely available to pursue any number of OFDI projects targeting business growth. The key to realizing a return on investment is to make risk management a deliberate part of the investment and operations strategy. The complete list of threats is long, but below is a shortlist of the most commonly mentioned risks heard from businesses operating in Thailand and ASEAN:

  • Reputational
  • Political
  • Regulatory
  • Security
  • Fraud
  • Cyber
  • Natural disaster

One might observe that these concerns are not peculiar to Thailand or ASEAN, and this is absolutely correct.

Proactive risk management involves developing an understanding of the risk context through activities like conducting threat assessments; reviewing or developing fit-for-purpose plans, policies and procedures; executing process health checks and audits; and undertaking due diligence on potential business partners.

The goal of proactive risk management is building compliant, resilient, and secure organizations. This deliberate approach to risk management is still important when operating in domestic or familiar markets, but risk management takes on even greater significance when those same organizations are considering an investment in a different country.

Building A Compliant Organization

Being compliant is more important and complicated than ever as OFDI can involve overlapping regulatory regimes that exercise authority over multiple sectors. Thailand’s Minister of Industry, Uttama Savanayana, stated at the recent “Bangkok Post ASEAN@50: In Retrospect” seminar that connectivity and collaboration are global forces that must be leveraged for Thailand firms to grow, saying “no one can go it alone these days.” Such connectivity and collaboration, while key, introduces additional compliance risk from joint venture and business partners across borders.

Due diligence is a familiar compliance term to managers considering foreign investment. However, business decision makers must not look at due diligence as a tick-the-box exercise. It is surprising how many due diligence checks on individuals or businesses begin and end with internet searches. It is not uncommon to hear a joint venture in another country is about to be finalized simply because the joint venture partner is considered to have a “good reputation,” but deeper research often reveals a far different picture.

A few such recent cases involved American companies based in Thailand looking to enter joint ventures with businessmen in Myanmar and Cambodia. The American companies initially engaged those businessmen due to their strong commercial reputations in their home markets. However, rigorous third party due diligence revealed both potential joint venture partners were involved in a litany of illicit activities that could expose the American partner to reputational risk as well as Foreign Corrupt Practices Act violations.

Proper due diligence should go beyond public source searches of court, police and financial records and include research based on insights from people who have knowledge regarding the history of the target business entity and behavior of the individuals running the business. Business leaders considering such a joint venture may determine they have the risk appetite to complete the deal, but it is far better to enter such an arrangement with eyes wide open.

Building A Resilient Organization

Singapore’s former Prime Minister, Senior Minister Goh Chok Tong, also spoke at the ASEAN@50 seminar in November. He declared “resilience” by design as the theme for Singapore’s chairmanship of ASEAN in 2018. That is to say, organizations will be encouraged to take deliberate steps to plan and prepare for uncertainty and mitigate negative consequences, rather than rely on individual perseverance alone to overcome difficult situations after a significant loss has occurred. It is more important than ever to build resilience into organizations as greater connectivity and collaboration between Thailand and other countries not only generates new opportunities for growth, but introduces additional risks as well.

Business continuity and crisis management planning are at the heart of resilience by design, but they can also be some of the least well-understood and implemented risk management best practices. Business continuity and crisis management are all too often delegated as ancillary duties to a staff member who has not had the benefit of education, training or experience on these crucial matters. As a result, a business leader might discover too late the company’s business continuity/crisis management plans are little more than templates downloaded from the internet with the corporate logo printed on the corner of each page.

A good business continuity plan should be based on a specific business impact analysis that elucidates the potential effects of threats to the organization’s brand, profitability and strategic objectives. The crisis management plan provides a framework for responding to the threats identified in the business continuity plan when those threats transition from being risks to actual incidents. It is worth noting that even a good crisis management plan will not help much if the crisis management team is not proficient with using the tool.

To illustrate the difference between familiarity and proficiency, think about the following question: If you had a serious fall at home resulting in a severe injury, who would you trust to provide initial medical treatment and get you to the hospital located far from home, at night, during a thunderstorm? Would you trust your 16-year-old son or daughter who just received their driver’s license and basic first aid training? Or would you trust the emergency medical services team who is well-practiced at using the tools of the trade to mitigate damage and facilitate a speedy recovery? Granted, few people wish to deal with crises as often as paramedics treat accident patients. Still, regular crisis management team training and exercises are highly recommended to develop the proficiency that will prove instrumental in protecting the organization’s brand, people, and assets when crises strike.

Building A Secure Organization

Business leaders clearly value the security of their people and assets, without which they cannot operate. On the other hand, relatively few managers, save security professionals, have a comprehensive understanding of what is required to secure critical assets. When asked what security controls are in place, General Managers often confidently respond they have secure organizations simply because they have installed a video surveillance system or have a contract guard force.

Upon closer inspection, those same managers are surprised to discover the guards do not monitor the camera feeds because that activity is not specified in the contract. Furthermore, if the guards were using the cameras in real time, they would find some cameras do not cover critical assets, record unusable images, or are simply inoperable (in which case there is no footage available for forensic

Building a secure organization begins with understanding the threat context and vulnerabilities of critical assets. Greenfield investments benefit greatly from security-by-design where fit-forpurpose controls like perimeter barriers, access controls and video surveillance are integrated from project inception. Investment in existing operations may warrant a review to determine where security control systems may be missing or inadequate for the desired level of protection for staff or assets.

Finally, companies from all enterprises must endeavor to stay abreast of the ever-evolving cyber threat landscape. Southeast Asia and Thailand in particular, stand out as hotbeds of global cyber threat activity.

In fact, one of the most recent variants of the WannaCry virus uses Thai as its primary language. The key issues to understand are who might target you and what methods threat actors will employ to achieve their objectives at your expense. This cyber threat intelligence will inform the organization’s cyber security program approach.

Taking Informed Risks to Seize Opportunity

Fueled by macroeconomic trends and government initiatives, Thailand OFDI is on the rise. Thai corporations and Thailand-based American multinational companies are pursuing OFDI to achieve organic and inorganic growth. OFDI involves risk, to be certain, but risk taking is a prerequisite to success and must be approached in a thoughtful and deliberate manner. Business leaders who are contemplating or currently engaged in Thailand OFDI should reflect on whether their organizations are secure, compliant and resilient. In practical terms, corporate risk management processes, policies, plans and procedures need to be fit for their purpose. This means designing risk management tools that specifically address the unique aspects of each business’s operations.

If reading this article has created a sense of uneasiness about the state of your organization’s risk management readiness, that is a good outcome. It is far better to question and verify that you are prepared to manage the multitude of risks that could derail progress toward strategic success than be lulled into a sense of complacency.

By: Derek Taylor
Derek Taylor is an Associate Director at Control Risks’ Southeast Asia office.
He can be contacted at



Related News / Blog