GCC Session 2 - Key operating models and How to build Cyber-resilient GCC operations

This webinar discusses operating models for GCCs and how to build cyber resilience. You can view the webinar and summary for the first installment that covered why India is a hot destination for GCCs and how organizations can navigate setting up GCCs in India.

Understanding GCC Life Cycle

“Global capability centers (GCCs) have evolved from cost generators to strategic business enablers and value generators.” - Mark Lessem, Senior Executive Director at Nexdigm

Marc Lessem explained the basics of a GCC set up as a lifecycle:

• Initial stage: With an aim of cost reduction, the majority of transactional activities and budgets are offshored under local governance
• Growth stage: With an increase in demand for service and talent pool, companies move from cost reduction to upgrading service standards and overall efficiency
• Integration stage: A GCC transforms into globally integrated business service centers with a strong focus on value and innovation

Different types of GCC Operating Models

Marc Lessem listed out the various GCC operating models that could be adopted:

• Captive Models: These are offshore units that act as subsidiaries to their global businesses. This model offers low risk but comes with a high setup time, costs, and low scalability.
• Build, Operate, Transfer (BOT): The global organization works with partners to set up GCC, where the partner manages the initial operations and transfers ownership once the capability center reaches desired efficiency. This reduces the setup time and risks but requires high investment.
• Managed Services: Business Process Management Services are hired to complement the global organization for offering scalable, uninterrupted support and resources. Here, the setup time, investment, and cost of ownership are low but involve high risks.

How to decide your GCC operating model?

“A certain period of transition takes place, so it is very important to have the right team, right kind of people with transition background with transition experience who can help you with that.” - Suhail Akhtar, Head at IG India

For any chosen operating model, an organization needs to have a long-term strategy for a successful GCC setup. Depending on the goals of the global organization, one can choose BOT or Captive models when they want to accelerate go-to-market in that region. Managed services are chosen when scalability is of prime importance. It can take 10-12 months to implement captive models, while for others, it requires less time.

Here are the key considerations while working on your chosen GCC operating model shared by the panelists:

• Have a clear understanding of why as an organization, you want to outsource business processes into GCC. Also, what is the end goal you want to achieve by doing so, which could be in terms of costs, improving efficiency, scaling, etc.
• Ensure GCCs don’t distract you from your core business
• Identify stakeholders and educate them on the best practices for each operating model to determine the feasibility
• Discuss the processes to be outsourced and ones to be retained within the organization. Perform cost v/s benefit analysis for clarity
• Set up a relevant channel of communication between partners and parent organization
• Set expectations by implementing KPIs to measure the performance and ROI of GCCs
• Ensure organizational stability by focusing on standardization of processes to be outsourced so that you can find the right partners for services required for alignment and compatibility
• Consider the growth of employees who are a part of your GCC operating model. Try to automate transactional chores so that they get more value-added projects as the GCC scales

As an organization, one must understand that GCCs are not an outsourcing engagement. Hence, one must inculcate the right kind of culture that mirrors your corporate values on the on-site location for the model chosen.

How can GCC partners and parent organizations build trust?

Partners are an extension to your organization, hence it’s important to foster long-term relationships for a fruitful journey. Key points to consider include:

• Transparency and empathy are key for two parties to work cordially towards success
• Focus on resolving issues than practicing the blame game
• Have a clear incentives strategy to improve performance
• Have a mutual understanding for owning failures
• Focus on building relationships that work for a long run
• Ensure none of the parties move past their comfort zone at the initial stages of GCC operating model execution to work on strengths

Building a cybersecurity strategy

“Secure code practices in one's development plan goes a long way to build a platform for being cyber resilient.” - Mark Lessem, Senior Executive Director at Nexdigm

As customers and governments get educated about data privacy and security, it is important for organizations to integrate cybersecurity measures with their business strategy to adequately protect the involved stakeholders. Here are some aspects to be taken into account for embracing cybersecurity during the planning stage:

• It will help you with the management of regulatory requirements and be compliant with non-negotiable local data privacy laws
• Become robust by auditing for potential threats using attack simulations, penetration testing, etc.
• Draft Standard Operating Procedures and unique codes for handling servers networks applications and the people operating them both offline and on the cloud

Aligning cybersecurity with your business processes coupled with Business Continuity Plan (BCP) will ensure your work is never halted due to various hurdles that unsecured practices lead to.

How to implement cybersecurity at a GCC?

Maintaining a secure environment is key but also requires discipline from all stakeholders to ensure smooth execution and seriousness in following the decided protocols. Here are some suggestions by the panelists for the same:

• Consider having a zero-trust security architecture that involves verification of all interactions and categorization of data that can be accessed as per hierarchy and need
• Ensure your people are aware and educated repeatedly about various security protocols to be adhered to
• Use relevant tools and analytics to monitor security implemented
• Conduct regular audits and reviews for the security layers implemented

Your level of security will depend on the GCC operating model.

The captive model would require simpler solutions since it uses the same network as the parent organization. While Managed Services would require complex cybersecurity layers due to two different networks and data flow between them. - Nimish Shah, Vice President at Nexdigm

In conclusion, ensure all major stakeholders understand the purpose of GCC and take accountability for its scale to get the maximum benefits in terms of innovation.