1

Aerospace & Defence:Seize the Opportunity for Efficient Compliance First EditionPosition Paper2017

Position Paper

22

Summary

How vulnerable is your business to export control regulatory compliance?

Export control regulatory compliance is producing significant change in the Aerospace & Defence industry. Composed of a complex supplier network, the Aerospace & Defence industry has the overall responsibility to protect and control the movement of assets and services from unauthorised users.

Even established businesses often lack the resources to make the kinds of innovative improvements they need in order to comply in this highly regulated and changing marketplace.

DXC technology’s integrated approach helps businesses to understand the challenges, discover the full potential of existing systems, and focus on innovation to create an efficient compliance environment.

What is your biggest vulnerability when considering export compliance?

Are compliance activities currently considered a constraint on the services you provide?

Do they restrict the ability to react to new market opportunities?

Do you have total visibility of controlled assets across the entire product life cycle?

Do you provide employees with adequate training and clearance to work with export-controlled technologies?

Have you prepared for the recent changes to regulatory compliance?

Do you actively assess your suppliers to identify any gaps in capability?

Have you considered the implications of noncompliance?

Ask Yourself…Table of contents

Executive Summary 3

Recent Compliance Performance Failures 4

We Understand the Problem 5

This Is a Global Challenge 5

Challenges Include Establishing Strategic Vision and Accountability 7

We Can Help You Find a Solution 7

Business Drives Compliance 7

Technology Enables Compliance 8

Looking to the Future: Thought Leadership 9

How DXC Can Help You 10

Position Paper

3

Executive SummaryAuthority to export is a privilege — one that can be removed — and not a right. With that reality in mind and as a result of emerging technologies, Aerospace & Defence companies are rethinking their approach to the authority to export, to demonstrate an increasingly automated and secure level of compliance.

Over the past 5 years, many companies in the industry have been extensively audited to demonstrate compliance against renewed export control regulations. Some companies are being fined significantly and required to sign consent agreements to ensure that export compliance breaches are rectified within a given time period. The implications of noncompliance are significant:

• Under U.S. law, the ability to export is a privilege, not a right. Failure to complywith export control regulations can have severe consequences, with penaltiesreaching up to $250,000 per occurrence. This can result in fines that run intomillions of dollars.

• The U.S. government may impose a “denial of export privileges” as a penaltyfor compliance violations, which means that penalised companies may not exportgoods or services and may no longer compete for government contracts.

• Sanctions can be imposed on officers, directors, and employees for directviolations or failure to properly supervise subordinates. Other violations includeaiding, abetting, and conspiring to make a prohibited export. Services such astransportation, freight forwarding, brokering, and other export facilitationactivities are also subject to the sanctions.

Emerging technologies are enabling government bodies to require a level of process automation that can segregate controlled data and ultimately provide an “always on” auditing capability. When considering compliance, organisations face a number of challenges, including cultural and systematic issues that question the maturity of their compliance landscape. Traditionally seen as a reactive environment, a localised quick-fix culture often results in inconsistent delivery of compliance-related activities. Heroics are often needed by specialist resources to act in response to a violation — which, at this stage, is often too late.

DXC has demonstrated recent success working with clients around the world to deliver sustainable business transformation to embed compliance within their organisations. We have done so by taking our clients through a journey that establishes a firm vision and standardisation in compliance.

A critical step toward achieving compliance is to ensure effective governance structures are established, to demonstrate true ownership and accountability. The culture aspect is about everyone knowing what they need to do and the importance of their role within the organisation. Transformation to next-generation technology can be used to enable a standardised way of working that demonstrates compliance.

A critical step to achieving compliance is to ensure effective governance structures are established to demonstrate true ownership and accountability.

3

Position Paper

4

Recent compliance performance failuresGlobal export regulations have been established as a measure to protect global security. International governments see regulation of production and distribution of military technologies as a major priority. These regulations are one of the only external threats to the defence industry that has the ability to close any manufacturer, regardless of scale, by removing their licence to operate.

There are substantial implications for any violation of export regulations. The associated penalties (often up to $250,000 per violation) could be considered enough to cripple even an established global organisation. Penalties over the past 6 years are shown below.

4

Year Company Penalty (If Known)

2016

Marc Turi and Turi Defense Group, Inc

Microwave Engineering Corporation

Rocky Mountain Instrument Company

2014Intersil Corporation

Esterline Technologies Corporation $20 million

2013

Meggitt-USA, Inc

Aeroflex Incorporated

Raytheon Company $8 million (Source: Reuters)

2012

United Technologies Corporation $55 million

Alpine Aerospace Corporation

TS Trade Tech Incorporated

2011 BAE Systems Inc. $78 million

2010BAE Systems (US) $400 million

BAE Systems (UK) £30 million

Note: Contains information on all consent agreements: https://www.pmddtc.state.gov/compliance/poa.html

Position Paper

5

We understand the problemAt its most basic form, export compliance breaks down into the recording, management, and control of who performs the activity, what product or service it concerns, where in the world the activity takes place, and why they are doing it (i.e., end use). Only with these pieces of information can you evaluate compliance against regulations and licence-applicability to make a proceed-or-deny decision.

5

Who? What? Where? Why?

Pro

du

ct

Loca

tio

n

End

Use

Su

pp

lie

r

This is a global challenge

Political landscape, increased security, and threats to national security

Most defence manufacturers operate globally, spanning international borders and interfacing with multiple regulatory bodies. Recent political and economic changes have heightened the focus on the regulation of controlled materials.

In the UK, a referendum resulting in the UK’s departure from the European Union has left the applicability of some EU-derived elements of the UK’s legal and regulatory framework for arms exports in question. At the point of departure, significant changes to the regulatory landscape may be necessary. There is also a challenge for UK-based manufacturers to adopt ITAR, EAR, and UK licencing regulations in an effective way.* The extent of the challenges they face is expanded upon in the next section.

In Europe, there is a challenge to control the export of dual-use technology and military goods, which is considered a crucial aspect of national security for each European country. Companies with European headquarters are grappling with the export regulations at the local, national and global levels. Europe consists of 44 countries, creating a complex network of internal borders. But it also has many external borders, creating a complex environment to control the movement of military goods. Membership and participation in the North Atlantic Treaty Organisation (NATO) adds to this complexity.

The Asia-Pacific region is experiencing increased tension, in particular in the South China Sea, which is driving increased defence activity and increased government spending. With this comes a reliance on advanced military technology, a significant amount of which comes from U.S. companies. Competition in the region is increasing, and pressures are being applied to Australian defence services companies to be more cost-effective, innovative and security conscious, with on-time delivery. DXC has identified capability gaps in local defence organisations to manage and comply with the strict requirements that arise from DEC, ITAR, EAR and the newly introduced National Institute of Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organisations standard. Government and industry organisations tend to have a reactionary approach to compliance that creates difficulties and delays with tendering and project mobilisation, delivery, and problem-solving instances of noncompliance.

* More information on the effect of Brexit: (http://researchbriefings.parliament.uk/ResearchBriefing/Summary/CBP-7551 )

Export controls restrict the export of goods, technology, technical data, and certain controlled services in the interest of protecting national security. The following are examples of regulatory bodies:

• Export Control Organisation (ECO) was implemented by the UK government to control commercial dual-useand military goods.

• Export Administration Regulations (EAR) was implemented by the U.S. Department of Commercefor items that have both a commercial and potential military use.

• International Traffic in Arms Regulations (ITAR) was implemented by the U.S. Department of State for military items and defence services.

• Office of Foreign Assets Control (OFAC), implemented by the U.S. Treasury Department, administers and enforces economic trade sanctions toprotect foreign policy and national security goals.

• Defence Export Controls (DEC) Australia is responsible to the Ministerfor Defence for regulating the export of defence and strategic goods and technologies.

Position Paper

6

Australia-based companies and their respective local supply chains involved in delivering and supporting U.S.-sourced defence technologies and capabilities have a business imperative to maintain compliance with local legislation and policies as well as ITAR, EAR and NIST standards. The business methods they employ to do this are recognised as critical enablers for organisations to remain engaged in delivering current business activities as well as winning future work that utilises U.S.-sourced defence technologies and capabilities.

Challenges include establishing strategic vision and accountability

Organisations considering export compliance face a number of challenges that involve cultural and systematic issues that question the maturity of their compliance environment. Historically, there is a lack of awareness and compliance accountability within organisations often, accentuated by an absence of strategic direction. Visible accountability needs to be established within an organisation to ensure strategic focus regarding export compliance as well as continual improvement necessary to stay in control of compliance regulations.

A culture of trying to fix export compliance issues after they have already been established as issues is not what’s required. In organisations where compliance experts are sole providers of compliance mitigations, creating a silo of knowledge, risk increases significantly. Experts are often distracted by a heavy administrative workload, ultimately causing time delays and distraction from their total business value.

At the core lies a lack of trust in information and data governance structures, due to the following issues:

• Strength of data underpins reliable and repeatable export compliancemanagement, which involves data validity, completeness, consistency, accuracy,verifiability and accessibility.

• Licence and agreement information repositories are often outdated, inaccurateand poorly maintained.

• Asset and location information (tangible and intangible) is often the most maturepart of any organisation. Typically, multiple complex technologies are implementedto manage information in real time, resulting in a lack of wider integration tomaximise business value as well as a lack of definition of internal electronicboundaries.

• Identity and controls information tools are often disconnected from the corebusiness, resulting in a lack of visibility of resource movement throughout theorganisation, often leading to ineffective controls or unknown user activity.

A culture of trying to fix export compliance issues after they have already been established is not what’s required.

Position Paper

7

We can help you find a solutionDXC has demonstrated success working with A&D clients to deliver sustainable business transformation to embed compliance within normal working practises. Through extensive engagement and problem analysis we have identified the following considerations for compliance-focused transformations.

Business drives complianceConsistency is key to the performance of any compliance-centric transformation, establishing a proactive compliance service that follows a standardised process to deliver a consistent message. A centralised compliance service can unlock a number of benefits including the release of cost efficiencies, a proactive internal consultation service, knowledge sharing, a streamlined process of operations, and easily auditable systems and data.

Establishing strong partnerships throughout the supply chain ensures accuracy of information, reduces duplication of effort, and checks controlled assets upon entry to the business. Partnerships throughout the supply chain work together to improve supplier engagement to demonstrate the importance of compliance, ensuring all assets are marked at source and tracked throughout their life.

Internal governance structures must be established to drive accuracy and improve integrity of information, establishing firm accountability and ownership; each function should be responsible for the maintenance and governance of specific data related to their area of expertise. For example, Human Resources (HR) should be responsible for all HR-related identity information including security clearance, nationality, training records and details of criminal convictions. The governance layer will ensure the data stored within the systems is fit for purpose and trusted at every occasion.

One of the largest impacting benefits comes when businesses leverage communication channels to significantly increase awareness and understanding at all levels of the organisation, using plain language every employee can understand.

Classif cation

Management & Control

T

rack

ing

Sup

plie

r

Compliance Legislation

Licence

Man

agem

ent

In

vestigations Management

Manag

ement

Asset

Identity

Ass

et

SERVICE MANAGEMENT

PO

LIC

Y M

AN

AGEMENT CHANGE M

AN

AG

EME

NT

RELATIONSHIP MANAGEMENT

OP

TIM

ISA

TIO

N O

F PROCESSES GREATER CUSTOM

ER SATISFA

CT

ION

RETU

RN ON INVESTMENT POSITIVE CULTURAL

SHIF

T

Central Supportive

ServiceStandard Approach

Instantly Available

Information

Always- On

Auditability

Embedded Within the Business

Employee Under-

standing

Position Paper

8

To truly change any organisation, compliance must be embedded within its culture, ensuring there is shared responsibility or emotional connection. Over time this will increase awareness, allowing specific vulnerabilities to be targeted by communications campaigns such as “Do I need a licence?” to explain all possible instances where a licence may be needed. This can be used to increase the vigilance within the entire organisation and lighten the load on compliance experts.

Technology enables complianceThe true potential of compliance is unlocked when a successful business transformation is combined with a series of technologies to improve the accuracy and agility of the compliance service.

A critical step of this transformation is to ascertain that information sources are accurate, ensuring data governance is in place. Identity, Licence, Asset, and Location Information sources must be trustworthy as they hold the key to any compliance-based decision.

Inclusion of a data management system such as an Export Control Dashboard can give compliance teams instant access to data, supporting effective management and audit control.

Once the information is trusted, accurate and governed, the business can begin to leverage this newfound integrity to create an efficient compliance culture, using the accuracy of this information to reduce duplication of effort and eliminate outlying costs. Examples of the benefits of increased data governance include the following:

• Trusted Licence information allows accurate monitoring, reporting, andmaintenance of licence records, which serves as insurance against any violation.This can be configured to produce a simple “Yes/No” decision-making process forqueries regarding licensable activities.

• Unlocking the true potential in Identity Management and Controls will allow anorganisation to perform necessary screening checks and monitor clearancevalidity in real time to create a digital footprint, enabling the organisation to makeinformed decisions on access to systems or buildings, or eligibility to work on aparticular product line.

• Asset tracking can be used to unleash the full power of any supply chain, enablingan organisation to pinpoint any asset’s location at any time, regardless of itsposition in the product life cycle. The key is to ensure all assets are marked withvisibility of classification; both physical and electronic marking should be used toensure controlled assets are instantly identifiable. This also involves data withinERP, MRP, PLM and other core business systems.

W

hy?

Wha

t?

Where

?W

ho

?

Once the information is trusted, accurate and governed, the business can begin to leverage this newfound integrity to create an efficient compliance culture.

Position Paper

9

Looking to the future: Thought leadership

Shared Vision and Empowering Workforce

On the surface, compliance appears to be a systematic change involving precise technological adjustment to adhere to regulatory requirements. However, the greatest success is achieved when the entire business promotes a compliance culture, developing a knowledgeable and informed connection with the reason why they need to comply and fully understanding the responsibilities associated with compliance-related activities. Establishing a shared vision empowers the workforce, clearly defining roles and responsibilities to be sure that each employee considers any risk of noncompliance at every stage of the journey.

Emergence of Digital Compliance

At the heart of this complex problem lies core business data. If an effective combination of technology and governance is established, any company can unlock an array of next-generation digital technologies with the potential to significantly disrupt the industry. Fully integrated licence information can enable an organisation to make real-time decisions through a business intelligence platform e.g., use digital technologies such as machine learning to produce increasingly accurate decision-making functionalities at the touch of a button. In addition, voice recognition technology could be used as a compliance-focused equivalent.

W

hy?

Wha

t?

Where?

Wh

o?

?Quest

ion??

Answer

?Initial Inputs Outputs

Vision

Leadership Buy-in

Interviews with Key Stakeholders

VisionIntention Workshop (Level 1 Enablers)

• Vision & Drivers

• Challenges

• Strengths

• Opportunities(Level 1 Enablers)

Strategy

User Experience

Building Block Construction (Including Service Analysis)

Business Model Canvas Strategic Assessment

Maturity Assessment (Level 2 Enablers)

• Capability MaturityAssessment

• Desired Outcomes

• Business Model Canvas

• Customer Perception Analysis

Transformation Preparation

Mobilisation of Team

Engagement and Communications

Governance Structuring

• Governance Structure

• Commercial Contracts

• Communication Plan

• Engagement Strategy

• Program Setup

Authors

Graham Jardine is a Senior Consultant at DXC specialising in the Aerospace & Defence industry. Graham has experience working with some of the industry’s largest clients, specialising in Compliance and Transformation Strategy.

gjardine@dxc.com

How can DXC help You?To help clients transform with clarity and pace, DXC has created a proven framework of activities that will add agility to any compliance-focused transformation.

Establishing a Compliance Strategy

DXC’s Compliance Consultancy Framework helps clients shape their compliance journey through defining their vision, establishing strategic direction, and creating a robust transformation program. We conduct detailed analysis of the strategic vision and orchestrate a maturity assessment to help understand exactly where the client is today and the path to success.

Focus on Transformation

DXC leads each client in establishing a stable transformation program that allows them to work with existing partners, gain new levels of innovation and efficiency, use innovative forms of engagement to dramatically increase compliance, control costs and improve the customer experience.

Learn more at dxc.technology/aerospace_defense

Regional Contacts(Australia and New Zealand)

Dean Coughran is an Industry Leader in Manufacturing/Aerospace & Defence (A&D) at DXC. He is focused on solving the most critical business issues that affect the industry. Dean sees this global initiative as a critical step forward for the A&D industry.

dcoughran@dxc.com

Simon Aplin is a Senior Consultant at DXC specialising in Export Compliance in the Aerospace & Defence industry. Simon has extensive experience across the defence, ICT and nuclear industries, managing export compliance requirements across global trade markets. He has worked with large defence companies and government organisations to facilitate business solutions that are fully compliant with complex export controls.

www.dxc.technology

About DXC

DXC Technology (NYSE: DXC) is the world’s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company’s technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2017 DXC Technology Company. All rights reserved. MD_6193a-18. April 2017

Position Paper