Multi-Jurisdictional Business Transformations

Download

Business transformations in large organisations pose various challenges. These are multiplied if the organisation has an international footprint and intended business transformation covers more than one jurisdiction.  

Diverging Priorities between the Group and Local Presences and Cultural, Structural & Organisational Differences are only some examples which have to be managed when transforming businesses on that scale.


Diverging Priorities between the Group and Local Presences:

In order to manage costs and reduce complexity, the Group tends to centralise services, eliminate responsibility overlaps and streamline operational processes. In contrast, a local presence, e.g. branch or subsidiary, focuses on expanding local business operations, management of associated risks, local regulatory compliance and retention of knowledge, e.g. to provide appropriate information for regulatory enquiries.

Cultural, Structural & Organisational Differences:

Besides different time zones, local presences in different regions of the world may be set up and operate in their own unique way. For example, technological capabilities may differ from region to region. Furthermore, depending on the size of the local presence, organisational structures may differ, e.g. no dedicated IT department – IT services are provided by the Group or a regional hub. Another difference may be that local functions such as COO or Finance operate with limited staff constraining capabilities to support business transformations.

All these aspects need to be taken into account, when setting up and executing a business transformation spanning multiple jurisdictions. Chances for success increase with following approach[1]:


1) Governance & Communication

During the planning and structuring phase of the business transformation, local differences need to be taken into account. Clear responsibilities have to be defined and local representatives nominated to support the transformation, i.e. lead and manage the change program locally. Nominees should be in a position to make decisions for their jurisdiction and be familiar with organisational structures as well as their peculiarities.

Furthermore, an appropriate governance structure needs to be established. Such a governance is headed by an appropriate steering committee led by the transformation manager or owner. The entire governance structure should be communicated throughout the organisation to increase awareness and involvement.


2) Operating Model

For a successful business transformation spanning multiple jurisdictions, an Operating Model needs to be created – in collaboration with all stakeholders. This model not only describes the responsibilities of individual jurisdictions but also how they intend to cooperate with each other, i.e. who provides which services to whom and how the provided service is reimbursed. Roles and responsibilities need to clarified and appropriately staffed to utilise local knowledge, expertise and organisational structures.

An important part of the Operating Model is a framework outlining how key components of the transformation work together and to what degree single jurisdictions are supported by centralised, standardised services. Key is to find the least common denominator for the largest number of jurisdictions. This common denominator should be standardised and centrally managed on global level. Deviating requirements may still be standardised and centralised on regional level. In contrast, peculiarities unique to single jurisdictions need to be implemented and managed locally. This approach ensures that challenges posed by Diverging Priorities between the Group and Local Presences are addressed.

Designing such a framework is no small feat. One of the biggest challenges is to agree with all jurisdictions to establishing the framework and sustain it over time. However, the optimal mix between standardisation/centralisation and local flexibility ensures that additional requirements for single jurisdictions can be covered easily while ensuring cost effectiveness, reduction of complexities and minimisation of responsibility overlaps.

Once the Operating Model is agreed, it can be used for the actual execution of the business transformation. This will uncover shortcomings and necessary improvements for a successful future cooperation.


3) Transformation Planning

On the basis of the Operating Model, a plan for action (transformation program plan) can be devised. Important is that the Operating Model remains the center piece of the program plan in order to identify and improve on weaknesses as well as increase efficiency over time.

Transforming multiple jurisdictions at the same time increases the complexity of the entire change program. If possible, a sequential approach should be used. The sequential approach focuses on one jurisdiction for testing and verification of intended business changes before the scope is enlarged to include other jurisdictions. The sequential approach ensures that objectives are delivered in expected quality and lessons learnt can be incorporated for following jurisdictions.

Since a purely jurisdiction by jurisdiction approach lengthens the timeline of the business transformation, creation of groups on the basis of size, complexity or business model is advisable.

Timelines, resources and agreed objectives may differ from jurisdiction to jurisdiction or from region to region. Therefore, a plan for each jurisdiction should be devised. This provides maximum flexibility in order to accommodate local priorities as well as Cultural, Structural and Organisational Differences. Furthermore, latest developments such as new local regulatory requirements, increased outsourcing to reduce the cost base etc. can be taken into account.


4) Execution

Depending on the Operating Model and underlying program plan, the business transformation can be executed. Similar to standardised program management, scope creep, interdependencies, risks and resources need to be monitored as well as managed carefully for each jurisdiction. Smart fall-back solutions need to be considered in order to ensure continuation of operations at all times.

An additional aspect to consider is knowledge retention. During the business transformation, various options are considered and decisions made. Documenting why options were approved or rejected and which decisions were made based on which reasoning ensures that the transformed businesses (within a jurisdiction or across multiple jurisdictions) retain crucial knowledge which enables them to perform adjustments or remediation activities at a later stage.


5) Consolidation & Sustainability

After businesses of multiple jurisdictions are transformed, consolidation steps need to be initiated to tighten the established framework, increase efficiency and ensure sustainability. Established processes may have consolidation potential, systems could be aligned to create synergies and organisational structures may be adjusted, e.g. expert teams provide services on regional or global level [2]. Furthermore, various process steps may be automated.

Local resources involved in the business transformation of their jurisdiction should remain in a position which enables them to influence and shape further measures to increase efficiency and ensure sustainability over time.


 

In summary, planning and structuring of a multi-jurisdictional transformation are key to success. Furthermore, centralising the least common denominator of intended changes provides various benefits. These include realisation of cost efficiencies and reduction of complexities while retaining sufficient flexibility for single jurisdictions. The transformation execution can be further enhanced by nominating local representatives with sufficient decision-making power and local know-how.



Example: Implementation of GDPR

By 25th March 2018 organisations which operate in the European Union or process /control data of clients with European citizenship/residency must comply with the General Data Protection Regulation (GDPR).

Australian companies may be impacted if they serve EU clients or process/control data of these clients. Furthermore, the Australian regulator may release its own version of GDPR applicable to Australian companies[3]. Due to the scale and complexity of GDPR requirements it is expected that organisations will continue to increase effectiveness and efficiency of their compliance with GDPR even after given date.

Let’s assume an Australian company has a branch in the EU and serves EU clients. Hence, the branch located in the EU (and related operations outside of the EU) needs to comply with GDPR.¬†Furthermore, the organisation expects that the Australian regulator will review the Australian Privacy Principles (APP) due to recent breaches of privacy globally and release of the Open Banking governance framework. In addition, the industry expects that privacy acts will be tightened in different parts of the world, e.g. Asia[4]. In summary, the organisation needs to comply with GDPR for its EU operations and with similar requirements not only in Australia but in Asia[5].


1) Governance & Communication

The board of the organisation decided to implement requirements for GDPR for all European operations and leverage the transformation for each jurisdiction in which similar requirements are expected.

In cooperation with the transformation program sponsor and respective legal/ compliance function all impacted jurisdictions are identified. A representative for each jurisdiction is nominated to head the local transformation. Representatives are selected based on previous transformation experience as well as familiarity with the local organisation and peculiarities.

Furthermore, a governance body with representatives of all jurisdictions is established. This body has sufficient decision power to support the global and local transformations. Since EU operations are impacted most, a separate local governance body is considered but rejected to retain integrity of the intended global transformation and underlying Operating Model.

The governance structure is approved by all impacted jurisdictions and communicated throughout the entire organisation. This increases the awareness of privacy requirements and intended business transformations.


2) Operating Model

Representatives of all jurisdictions (or delegates) create an Operating Model outlining how each jurisdiction will collaborate. Additionally, an underlying framework is designed which takes into account core requirements of GDPR and expected variations in different jurisdictions. For example, it is agreed to centralise client consent management while specific local requirements will be covered by respective jurisdiction.

Supported by strong collaboration on jurisdictional level, 60% of GDPR requirements are identified to be applicable for all jurisdictions and can be standardised as a centralised service. These 60% represent the least common denominator. It is understood that the remaining 40% are non-standardised requirements to be implemented locally by respective jurisdiction.


3) Transformation Planning

Based on agreed Operating Model, a program execution plan is created. Since the EU branch needs to comply with GDPR first, establishment of the framework for that local presence receives the highest priority. Compliance in other jurisdictions is prioritised according to release dates of local regulations. Lessons learnt indicate improvements to the framework and provide input for local adjustments as well.

Each jurisdiction is individually planned, has local experts to support the transformation and runs according to agreed local timeline.


4) Execution

GDPR is implemented for the EU branch first. Experiences, options as well as decisions are documented and the Operating Model adjusted according to identified shortcomings, e.g. adjustment of details to be captured for evidencing data protection activities in case of breaches. During the execution and before starting with a new jurisdiction, step 5) Consolidation & Sustainability is executed to identify additional standardisation potential for following jurisdictions.

After consolidating processes, systems and organisational structures, the transformation of the next jurisdiction – Australia – is started. Interdependencies such centralised consent management as well as other service deliveries across jurisdictions are monitored and adjustments made as necessary.


5) Consolidation & Sustainability

As with other large business transformations, the entire Operating Model and underlying framework is reviewed frequently. For GDPR and related regulations, key review aspects include:

  • flexibility to implement new rules within the framework (changed GDPR rules/ similar or dissimilar regulations in other jurisdictions)
  • standardisation potential for implemented rules including outsourcing to specialised providers
  • analysis of escalations, durations to execute the framework and Operating Model, e.g. how long does it take to include a new/changed requirement
  • analysis of resource allocation and identification of potential synergies on IT side, e.g. creation of regulatory reports for local consumption

An annual review cycle is established for the first three years. Afterwards, the reviews are performed every two years.


[1] Underlying assumption is that goals/objectives were set and agreed with the sponsor (e.g. board), a preliminary gap analysis was performed, objectives aligned with the organisation’s strategy and the targeted business architecture was agreed on.

[2] Note that appropriate outsourcing management needs to be established for centralised or cross-jurisdictional services.

[3] Note that the Australian Privacy Act was amended with Notifiable Data Breaches (NDP) in 2017 but may need to be amended/reviewed in order to accommodate a governance framework for customer data sharing (Open Banking).

[4] Singapore and China are tightening their privacy acts with supporting requirements in their Cyber Security bills.

[5] To focus on challenges faced when transforming businesses on multi-jurisdictional level, gap analysis, analysis/interpretation of GDPR rules as well as other relevant regulations and assurance of strategic alignment are assumed to be performed in parallel.

 

 

 

%d bloggers like this: