M/HQ Group · Stage 1 Tech Strategy

Current-State Assessment and Gap Report

Workflow, systems, integration and capability gaps across the Group

Deliverable 1 of 4
M/HQ · Rethink · RAA
Prepared by CrossVal · Draft for internal review · June 2026
Confidential

1Executive summary

The M/HQ Group has scaled faster than its systems have integrated. Across M/HQ, Rethink and RAA, the people, the service lines and the entity portfolio have grown, while the systems beneath them have stayed separate. The work of holding the Group together has been carried by its teams and by Excel, rather than by connected systems. This report sets out what we found in the current state, and where the gaps are.

The Group has named three success criteria for this programme: accuracy, governance and scalability, set out in the proposal. On the current evidence, all three are constrained by the same root cause, and it is not the absence of a capable core system. It is how data gets in and how it moves.

Accuracy is constrained at the point of entry. Data is keyed by hand, re-keyed across ViewPoint, Xero, KYC360 and Excel, and reconciled manually. Mismatches are created at capture and carried downstream.
Governance is constrained between systems. There is no automated integration, so the audit trail breaks at each handoff. Onboarding, compliance monitoring and regulatory calendars run largely outside systems, with no system-driven alerts.
Scalability is constrained by manual effort. Effort scales with headcount and with the entity portfolio. The intercompany servicing model, where M/HQ onboards and Rethink or RAA service the same client, multiplies the duplication.

The shape of the Group. One client is serviced by more than one entity, and each handoff re-enters data the previous step already held.

This report does two things. First, it records the current state across the priority functions: the systems landscape, the integration state, the data, and the functional and control gaps that follow. Each gap is classified by how it could be closed: by configuring tools the Group already has or has selected, by integrating those tools, by remediating data, or by a genuinely new capability where none of the first three is enough. This ordering is deliberate. A gap is only a candidate for a new build, including any AI tool, once configuration, integration and data have been ruled out.

Second, it prioritises. Each vertical of the business is placed on a matrix of the value of the function against the risk carried if it fails, where risk means exposure to external regulatory, audit, tax, AML and fiduciary scrutiny. Onboarding, compliance and audit sit at the top of both axes: they are high value and a failure there is examined by an outside party. Functions such as recruitment and marketing carry real value but contained exposure, because no external party audits them.

One current-state finding sits underneath everything else and should be read before the detail: data capture across the Group is manual and largely happens outside systems. Onboarding is run outside systems, data is entered by hand between ViewPoint and Xero, and Excel sits between almost every pair of platforms. That pattern, manual capture and manual movement, shapes the gaps that follow.

2Scope, method and how to read this report

2.1 What this deliverable covers

This is the first of the four Stage 1 deliverables set out in the proposal. It covers the current state and the gaps: workflow, systems, integration and capability, across the priority functions of the Group. It does not set the future-state design, the roadmap, the investment case or the operating model. Those are Deliverables 2, 3 and 4, and this report is written to feed them.

It builds on two documents already shared with the Group during the engagement, the project plan and the mid-engagement update. Where a finding or recommendation here continues a point already made in those, or in the proposal, the source is named inline so the thread is easy to follow.

2.2 Evidence base

The findings draw on the Week 1 discovery sessions across the Group (nine sessions, three CrossVal members in each, around 27 hours of direct discovery, as recorded in the project plan), the function-level follow-ups in the weeks since, the process and workflow documentation supplied by the teams, the systems and data sessions with the Group systems function, and the vendor sessions held during the engagement. Where a finding rests on a single source or has not yet been quantified, it is marked as such.

2.3 Sequencing note

The data quality assessment is presented before the gap analysis. The Group's scope lists data as a later item, but a gap cannot be classified reliably until the state of the underlying data is understood. The deliverables to the Group are unchanged; only the internal order differs. This was flagged in the proposal.

2.4 How gaps are classified: the closure-path framework

Every gap in this report is tagged with how it could be closed. The order matters, and it runs from the lowest cost and risk to the highest. AI and bespoke builds are the last resort, not the first move. This follows the proposal, which asks specifically for the functional and control gaps that cannot be addressed by configuring or integrating existing tools.

Tag	Closure path	Meaning
C	Configuration	Closed by configuring a tool the Group already has, for example existing ViewPoint workflows or Xero configuration. No new system.
I	Integration	Closed by connecting tools that already exist, so data moves between them without a person in the middle. Replaces Excel as the bridge.
D	Data remediation	Closed by cleaning, standardising and resolving the underlying data, including enforcing a single client and entity identifier.
N	New capability	Not closeable by the above. A genuine functional or control gap that needs a new capability, where a procured tool, an AI tool or a build is assessed (Deliverable 2).

The ordering principle. Configuration, integration and data remediation are exhausted before any new capability is considered. This keeps the strategy architecture-first.

2.5 How functions are prioritised: value against risk

Each vertical is scored on two axes. Value of the function captures its strategic weight, its link to revenue, the volume of work it carries and whether it constrains the Group's ability to grow. Risk on failure captures the consequence of getting it wrong, and is driven by external scrutiny: whether a regulator, an auditor, a tax authority or an AML or fiduciary obligation examines the output. The full matrix is in Section 7.

A note on the scores

The value and risk scores are an evidence-based first read, offered for the steering group to calibrate. Precise sizing of effort and cost belongs to the roadmap (Deliverable 3) and is not asserted here. In line with the proposal, pain points are not sized with estimates the Group has not asked for.

3Current-state systems landscape

The Group runs on a set of capable but disconnected platforms. M/HQ runs almost entirely on ViewPoint, an on-premise 2019 build that carries CRM, finance, compliance and invoicing. Rethink and RAA run finance and invoicing on Xero and use ViewPoint only for leads and CRM. Screening, audit, HR and document storage each sit on their own tools. No automated link runs between any of them.

System	Used by	Purpose	State
ViewPoint (2019)	M/HQ (full); Rethink, RAA (lead and CRM only)	CRM, onboarding, compliance, finance, invoicing, workflows	On-premise, SQL back end, 2019 interface.
Xero	Rethink, RAA	Accounting and invoicing	In use. New AI-enabled, UAE-tax version anticipated. Annual-accounting clients still served manually in Excel.
KYC360 (RiskScreen)	M/HQ, compliance	Sanctions and screening during onboarding	In use; results are re-keyed into the client record by hand.
ComplyAdvantage	Rethink	Screening for outsourced compliance services	In use.
Complyfin	Rethink	Background screening for outsourced compliance clients	In use. Onboarding largely run outside systems.
Inflo	RAA	Audit execution and document retention	In use. Does not currently support working-paper creation.
BlueSky	Group (HR)	HRMS	In use. Not integrated to finance.
M365 / Copilot Studio	Group systems team	Productivity; a custom tool tracks physical-file movement	In use at team level. No Group-wide assistant in place.
File storage	Group	Documents and records	Split across ViewPoint document holder, on-premise NAS, OneDrive and shared drives, plus a physical green-file room (10-year retention).

3.1 Observations

A capable core on dated foundations. ViewPoint carries genuine workflow logic for onboarding, risk scoring and invoicing, but the 2019 on-premise build is slow for finance work, cannot produce aging reports for historical dates, and requires twice-daily backups. Custom reports and workflows depend on the systems team's SQL work.
Two finance worlds. M/HQ invoices in ViewPoint; Rethink and RAA invoice in Xero. Any Group view of finance requires the two to be merged by hand.
Screening and audit are siloed tools. KYC360, ComplyAdvantage, Complyfin and Inflo each do their job, but none writes back to the system of record, so the same data is captured more than once.
Storage is fragmented, including on paper. Records live in four digital locations and one physical room. The green-file room exists because files were once lost when staff left, which itself signals the control risk in dispersed storage.

4Current-state integration architecture

There is essentially no automated integration between the Group's systems. The connective work that integration would normally do is carried by the team and by Excel. This is the single most consequential current-state finding, because it is the common cause behind the duplicate entry, the broken audit trail and the manual reporting that recur in every function.

The integration layer is people. Every system hangs off a manual bridge of Excel and email. No automated link runs between the core systems; each connection depends on staff re-keying data by hand.

Excel sits between almost every pair of systems. The table below records the main bridges that are currently carried by people rather than by the systems.

From	To	What moves today, and how
ViewPoint	Xero	Client, entity and fee data merged by hand in Excel for any cross-entity finance view.
KYC360 / screening	ViewPoint	Screening and identification data re-keyed manually into the client record.
BlueSky (HR)	Xero	Payroll and people data moved manually; no link between HR and finance.
Country-risk and AML tools	ViewPoint	Risk inputs transcribed into the onboarding and risk workflows.
ViewPoint / Xero	Excel reporting	Data exported and reassembled in spreadsheets before any number reaches leadership.

The integration layer is people. Because the bridges are manual, throughput is bounded by staff time and accuracy depends on individual diligence.
The audit trail breaks at every handoff. When data is re-keyed rather than passed, there is no system record of what moved, when or by whom. This is a governance gap, not only an efficiency one.
The integration gap and the capture gap are linked. Data is bridged by hand between systems and entered by hand into them. Both are present in the current state and recur through the gaps that follow.

5Data quality assessment

Data quality is the precondition for everything that follows. The gaps in Section 6 cannot be closed reliably, and no reporting or AI layer can be trusted, while the underlying data is inconsistent and unresolved. The current state is workable but fragile, and it has not been built to join cleanly across the three entities.

Current-state data quality. A qualitative read across five dimensions. The data is workable but not yet built to join cleanly across systems.

Dimension	Current state	Consequence
Consistency	Client and entity names are not fully standardised (for example Ltd. against Ltd) and differ between systems.	Records do not match across systems, so every merge needs manual mapping.
Uniqueness / identity	A shared master-file identifier concept exists but is not enforced end to end.	The same client or entity is held more than once, with no reliable single key to join on.
Completeness	CRM export is basic; some fields such as email and phone must be entered by hand after export.	Records are partial; downstream work re-gathers what should already be held.
Accuracy	Reporting requires manual verification, and source teams are often asked to correct data first. One live pipeline dashboard carries broken references.	Senior time is spent validating rather than analysing; figures can be wrong at source.
Lineage / history	Consolidation across the three entities only began in 2025; pre-2023 Rethink files sit on a shared drive, outside ViewPoint.	History is uneven and not all of it is in the system of record.

Underlying finding: capture is manual and outside systems

Across onboarding, accounting and reporting, data is captured by hand and frequently outside any system. This is the current-state fact that the data, integration and capability gaps share. How to address it is a future-state question; that it is the binding constraint is a current-state observation.

6Functional and control gap analysis

This section sets out the gaps function by function, then consolidates them into a single register. Functional gaps concern work that is slower, more manual or more error-prone than it needs to be. Control gaps concern governance: audit trail, oversight, segregation and retention. The Group's regulated context means control gaps carry weight beyond their operational cost, and they are called out separately in the register.

Several of the priority gaps below were first floated as quick-win candidates in the project plan, shared there as unsized hypotheses. Here they sit in the full gap picture and are classified by closure path.

6.1 Priority functions

Client onboarding and KYC / screening

Onboarding is run largely outside systems, across email, Excel, ViewPoint and the screening tools, with identification data entered more than once. Document requests, validation and follow-ups are manual, and ongoing monitoring schedules are set by hand after onboarding. The intercompany model concentrates the load here: a single fund can bring many underlying entities to be taken on, and compliance officer time is heavily weighted toward intake. This is the leading candidate for prioritisation, consistent with the early read shared in the mid-engagement update; its precise sizing is to be validated in the gap quantification, not assumed.

Regulatory compliance and monitoring

Compliance calendars are built manually per entity, with deadline logic recalculated every year and no system-driven alerts. Compliance Monitoring Programme plans are rebuilt by hand each cycle, including a twelve-tab spreadsheet recreated annually, with no system memory between cycles. Findings and remediation are tracked manually. The volume is concentrated in four well-defined processes: onboarding, periodic reviews, regulatory returns and the monitoring programme.

Audit (RAA)

Audit execution sits in Inflo, but Inflo does not currently support working-paper creation, which is the most pressing need. Working papers and reports are drafted from templates by hand. Technical papers and memos are not standardised; only two areas have been done so far. Lists of requirements and planning and completion letters are produced manually against standard formats.

Annual accounting and tax (Rethink)

Annual-accounting clients are served manually in Excel. Bank statements are posted by hand, and trial balances and computations are prepared manually from data spread across systems and emails. Outsourced clients sit on Xero, but the annual-accounting work has not moved off spreadsheets.

Corporate secretarial and renewals (M/HQ)

After each renewal, current-year filings are marked complete and the next year's are recreated by hand, entity by entity, against predictable logic. Monthly renewal reporting is produced by exporting from ViewPoint into Excel and filtering, validating and commenting manually. The work is high-volume and repetitive relative to the judgement it requires.

Master data and cross-entity reporting

Any cross-entity report requires ViewPoint and Xero to be mapped together by hand before a number can be produced; the finance team describes this as the first step before every report. The Client Data Tape is consolidated manually from Xero, ViewPoint, M/HQ data and Excel registers, with identifiers and names matched by hand. Because this dataset feeds regulatory reporting, its manual assembly is both a functional and a control gap.

Invoicing and finance operations

In M/HQ, a ten-line invoice takes fifteen to twenty minutes to create, through repeated selection of matters, service lines and disbursements, with no automated notification when an invoice is requested. Approved fee tables are keyed line by line into ViewPoint or Xero from email approvals, leaving the approval-to-billing trail disconnected. Accounts-receivable reporting is extracted and cleansed manually each cycle, and aging reports cannot be produced for historical dates.

6.2 Other functions

Fiduciary and private banking reviews. Quarterly bank-statement requests, reviews, file notes and fee schedules are handled manually. Moderate volume, but fiduciary and AML exposure keeps the risk above the value.
Systems, IT and data security. The IT asset register is kept in Excel; client security questionnaires are answered by hand (around five hours each and rising in frequency, with little overlap between them); ADGM and DIFC register monitoring is fully manual with no API; and physical green-file movement is tracked by email, partly mitigated by a Copilot Studio tool the team built.
Corporate structuring. Structuring proposals and appendices are template-driven and produced manually. High strategic value, but the output is advisory and not externally audited as a process.
Lead management and CRM. Leads arrive by email and referral; staff search ViewPoint for duplicates and rebuild context from email and Excel before any outreach. CRM export is basic, so contact details are re-keyed.
HR and recruitment. Candidate follow-ups are manual or absent, and rejections are sometimes issued only after the process closes. Real impact on candidate experience and employer brand, but no external party audits it.
Marketing. Research, content drafting, fact-sheet checking and document beautification are manual. Lower value for automation and contained exposure.

6.3 Consolidated gap register

Type: F functional, C control. Path: C configure, I integrate, D data, N new capability (Section 2.4). Risk: exposure on failure.

Function	Gap (current state)	Type	Path	Risk
Onboarding / KYC	Intake run outside systems; ID data captured repeatedly across email, Excel, ViewPoint and screening tools	F	I D N	High
Onboarding / KYC	No system-driven document request, validation or follow-up; chasing is manual	F	I N	High
Onboarding / KYC	Ongoing monitoring schedules set manually post-onboarding; no risk-based refresh	C	I N	High
Onboarding / KYC	Audit trail broken across onboarding systems	C	I	High
Reg. compliance	Compliance calendars built per entity by hand; annual deadline logic; no system alerts	C	C D N	High
Reg. compliance	Monitoring programme rebuilt each cycle (12-tab spreadsheet); no system memory	F	C N	High
Reg. compliance	Findings and remediation tracked manually; no exception escalation	C	I N	High
Audit (RAA)	Working papers unsupported by current tooling; drafted from templates by hand	F	N	High
Audit (RAA)	Technical papers and memos not standardised across areas	F	N	Med
Accounting & tax	Annual-accounting clients served manually in Excel; statements keyed by hand	F	C D N	High
Accounting & tax	Source data spread across systems and emails; manual reconciliation	F	I D	Med
Corp sec & renewals	Post-renewal roll-forward done manually per entity	F	C I	Med
Corp sec & renewals	Monthly renewal reporting: export, filter, validate and comment by hand	F	C D	Med
Master data	No enforced single client and entity identifier end to end	C	D	High
Master data	Client Data Tape consolidated manually; feeds regulatory reporting	C	D I	High
Master data	Cross-entity reporting needs manual ViewPoint to Xero mapping first	F	I D	Med
Invoicing & finance	Invoice creation slow and manual (10-line invoice 15 to 20 minutes)	F	C	Med
Invoicing & finance	No auto-notification of invoice requests; manual checks	C	C N	Med
Invoicing & finance	Fee approvals re-keyed line by line; approval-to-billing trail disconnected	C	I N	Med
Invoicing & finance	AR reporting extracted and cleansed manually; no historical aging	F	C D	Med
Fiduciary	Bank-statement requests, reviews, file notes and fee schedules manual	F	N	Med
Systems / security	Client security questionnaires answered manually; rising volume	F	N	Med
Systems / security	IT asset register maintained in Excel	C	C N	Med
Systems / security	Physical green-file movement tracked by email (10-year retention)	C	N	Med
Lead mgmt / CRM	Manual duplicate search and context rebuild before outreach; basic CRM export	F	I D N	Med
Structuring	Proposals and appendices produced manually from templates	F	N	Low
HR / recruitment	Candidate follow-ups manual or absent; no status-driven communication	F	N	Low
Marketing	Research, content, fact-sheet checks and beautification manual	F	N	Low

7Prioritisation matrix: value against risk

The gaps above are real across the whole Group, but they should not be addressed in the same order or with the same urgency. We prioritise each vertical on two axes. The first is the value of the function. The second is the risk carried if it fails, and that risk is driven by external scrutiny.

The risk axis is the one that distinguishes this Group from a typical business. Getting onboarding or compliance wrong is examined by a regulator or an auditor, and the consequence is fines, licence risk or fiduciary breach. Getting recruitment wrong costs time and goodwill, but no external party audits it, so the exposure is contained. Value tells us where the prize is; risk tells us where an error is least forgivable. The functions that score high on both are where the programme should start.

Value against risk, all thirteen verticals. The priority cluster (top right) is high value and externally examined. Recruitment and marketing sit in defer: real, but contained.

Reading the matrix. The priority cluster (top right) is onboarding and KYC, regulatory compliance and monitoring, audit, annual accounting and tax, master data and reporting, corporate secretarial and renewals, and invoicing and finance operations. These are high value and externally examined. Efficiency plays (lower right) such as structuring and lead management carry value with contained exposure and are strong automation candidates without the same urgency. Control functions (upper left) such as fiduciary reviews and data security warrant attention to de-risk them even though their automation upside is smaller. Recruitment and marketing sit in defer: real but contained.

7.1 Scoring rationale

The scores are an evidence-based first calibration for the steering group to adjust. They are qualitative reads, not sized estimates; effort and cost are quantified in Deliverable 3.

Function	Value	Risk	Why it sits where it does
Onboarding & KYC	5.0	5.0	Gateway to all revenue and the heaviest manual load; directly under AML and regulatory scrutiny.
Reg. compliance & monitoring	4.6	4.8	Core service line and statutory obligation; failure is examined by regulators.
Audit (RAA)	4.0	4.6	Revenue line held to auditing standards; the output is the audit itself.
Annual accounting & tax	4.2	4.0	Revenue line with tax-authority exposure; still fully manual in Excel.
Master data & reporting	4.5	3.8	Feeds every report and regulatory submission; integrity risk is systemic.
Corp secretarial & renewals	4.2	3.5	High volume with statutory filing deadlines; predictable logic done by hand.
Invoicing & finance ops	4.0	3.0	Touches cash across all entities; financial control rather than external audit.
Fiduciary / private banking	2.9	3.8	Lower volume, but fiduciary duty and AML keep the exposure high.
Systems, IT & data security	2.9	3.2	Enabling function; data-protection and retention obligations raise the risk.
Corporate structuring	3.6	2.6	High strategic and revenue value; advisory output, not externally audited as a process.
Lead management & CRM	3.3	2.0	Affects conversion and front-of-funnel value; contained external exposure.
HR & recruitment	2.4	1.5	Internal efficiency and employer brand; no external party audits the process.
Marketing	2.0	1.3	Supports growth; lowest automation value and contained exposure.

8Cross-group themes

Six themes are consistent across every entity and every function we have met, first set out in the mid-engagement update. None of them is unexpected. Together they describe a Group that has scaled faster than its systems have integrated, and they are the through-line of the gaps above.

Excel is doing connective work the systems do not. Spreadsheets bridge ViewPoint to Xero, BlueSky to Xero, KYC360 to ViewPoint and the risk tools to ViewPoint. The integration work has been carried by the team's expertise rather than by the systems.
The same record is captured more than once. A client, employee or filing is held in two or three systems with no single source of truth. The shared identifier concept exists but is not enforced end to end.
The teams hold the logic; the systems do not yet. Renewals roll forward, compliance calendars regenerate, board minutes follow templates and proposals come from a catalogue. The logic is well understood and currently executed by hand.
Document-heavy drafting is the most consistent capability candidate. Board minutes, audit working papers, compliance summaries and proposals were flagged across functions as work where a drafting assistant would pay back, without changing the underlying review.
Reporting is the biggest finance time sink. Cross-entity reporting takes a meaningful share of finance time, mostly in reconciling ViewPoint and Xero before any number is produced.
Compliance volume sits in four clearly defined processes. Onboarding, periodic reviews, regulatory returns and the monitoring programme account for most of the compliance team's time, and they are well defined enough that supporting tools should land well.

9Dependencies, access and risks

The binding constraint on Stage 1 is the engagement clock, the six-week schedule set out in the project plan. The dependencies below are the items that, if delayed, push the analysis or the later deliverables. They are current as at this draft and reviewed in the weekly steering check-in.

9.1 Access and information dependencies

System and folder access. ViewPoint and network-folder access for the CrossVal team is required to verify workflows directly rather than through description.
Source artefacts. Workflow flowcharts, the acronym glossary, sample draft and final invoices, and the employee-onboarding materials were requested and sharpen the gap detail when received.
Outstanding sessions. Any remaining function sessions should be closed early, as the gap register depends on them being complete.

9.2 Current-state risk register

This register covers current-state and engagement risks only. Forward-looking risks around target-system delivery and sourcing are addressed in Deliverables 2 and 3.

Risk	Rating	Mitigation
Data quality blocks reliable gap closure and reporting	High	Treat data remediation and a single enforced identifier as a precondition, not a later clean-up; stage it ahead of dependent work.
Manual, out-of-system data capture is the root cause of duplicate entry and broken trails	High	Flag the capture problem now so the future-state work addresses how data is entered, not only where it is held.
Broken audit trail across systems is a governance exposure in a regulated context	High	Prioritise control gaps (onboarding trail, monitoring escalation, master data) alongside efficiency gains.
Access delays compress the analysis window	Med	Confirm ViewPoint and folder access early; close outstanding sessions in the next steering cycle.
Key-person dependency on the systems team for SQL reports and workflows	Med	Document current reports and workflow logic during discovery so knowledge is not single-threaded.
Rising client security-questionnaire load diverts the systems team	Med	Note as a recurring demand to be designed for, not absorbed ad hoc.
Physical-file retention obligation carries fine risk if movement is mistracked	Med	Recognise the existing Copilot Studio tracker as a partial control; assess hardening it.
Change adoption: teams are satisfied with the current ViewPoint and may resist disruption	Med	Lead with quick wins that give time back; treat adoption as a workstream, not an afterthought.

AAppendix: assumption log

#	Assumption
1	Findings reflect the discovery sessions and documentation available at the date of this draft; later sessions and direct system access may refine specific gaps.
2	Target-system selection, design, sizing and sourcing are out of scope for this current-state report and are addressed in Deliverables 2 and 3.
3	Value and risk scores are qualitative, evidence-based reads for steering-group calibration, not sized estimates of effort or benefit.
4	Onboarding is treated as the leading prioritisation candidate on current evidence; quantitative confirmation is a gap-quantification step, not an assumption.
5	Entity and headcount figures are approximate and drawn from Group-supplied data; they are used for context, not for sizing.
6	Observed timings (for example invoice creation and security-questionnaire effort) are single-source discovery observations unless corroborated.
7	The engagement runs on the revised six-week schedule set out in the project plan and mid-engagement update; dates in this report follow that schedule.

End of Deliverable 1. This report establishes the current state and the gaps. Deliverable 2 sets the future-state design and operating model on this basis; Deliverable 3 sequences and sources the work; Deliverable 4 governs the engagement and the Stage 2 decision.