Senior advisory for regulated and complex businesses.

Lariat advises regulated and complex businesses across Operational Excellence, Compliance, Information Security, Transaction Advisory, Data & AI Governance, and Quality & Audit Readiness. Each practice is led by a senior specialist with 10+ years in their domain. Where your problem spans more than one — most do — we work as a single team.

Operations & Transformation

We help organisations redesign how they operate — from target operating models and ERP programmes to S&OP and post-merger integration. Our work is grounded in delivery: we don't write strategy decks for someone else to execute.

What we do

Packaged offerings

Operations Diagnostic — 4 weeks

Independent review of your operating model, processes, and performance. Outputs: prioritised improvement roadmap with quantified opportunity.

ERP Readiness Assessment — 3 weeks

Pre-implementation readiness review for SAP, D365, or NetSuite programmes. Outputs: risk register, mobilisation plan, recommended governance.

Embedded PMO Lead — 6–12 months

Interim senior PMO leadership for complex transformation programmes.

Selected work

Operations · Pharma · Global Programme

Building the process foundation for Lean Six Sigma and digitalisation across global operations at a top-5 pharma company.

The challenge. A top-5 global pharmaceutical company needed to standardise and document its end-to-end global operations before it could pursue Lean Six Sigma improvements and digitalisation at scale. Operations spanned eight distinct workstreams — order fulfilment, warehousing, command centre, master data, vendor management, sustainability, compliance, and digital capabilities — but the existing process landscape was fragmented, undocumented in places, and held in silos. Without a single source of truth, neither continuous improvement nor process mining could begin.

The work. Lariat embedded a senior PMO into the programme. We established the governance, planning cadence, RACI model, and stakeholder engagement framework — and ran the operating rhythm against weekly status, escalations, and sponsor reporting throughout. From there, we led 38 processes across Tier 1 and Tier 2 from stakeholder interviews through validation and approval, and into the central process repository as the agreed single source of truth. Where workstream scope was ambiguous, we drove the alignment sessions to resolve it. Where downstream Lean Six Sigma and digitalisation work depended on Phase 1 outputs, we sequenced delivery so the handover was clean.

The outcome. By project close, Tier 1 was fully delivered against the agreed scope, the central process repository was live, and the foundation for Phase 2 was in place. Phase 2 — Lean Six Sigma analysis and digitalisation workshops — launched on schedule, on the structure Lariat built. The client now has the documented baseline required for process mining, organisational design, and digital workshop prioritisation across global operations.

Six-month embedded PMO engagement · Eight workstreams · 38 processes mapped, validated, and uploaded · Phase 1 delivered, Phase 2 enabled · Senior-led, single Lariat consultant.


Operations · MedTech · Emerging Markets

Process baseline for an ERP-led integration of two medtech portfolios across emerging markets.

The challenge. A global medtech group had decided to combine two related device portfolios — historically run as separate businesses with distinct ERPs, supply chains and commercial models — into a single regional operating model. The change required a redesigned logistical and financial flow built around a shared ERP and a new in-country distribution structure, replacing a centralised European hub model with local distribution entities holding inventory in-market. Medtech integrations carry process complexity that pharma or FMCG programmes do not: installed-base equipment movements, consignment stock at hospitals and clinics, traceability obligations, returns that often flow into controlled destruction rather than resale, and a spares-and-consumables lifecycle that sits alongside the primary device flow. Several emerging-market geographies were in scope, with one selected as the integration pilot.

The work. Working inside the client's continuous-improvement function and partnering with a programme-office analyst, Lariat ran daily working sessions with operations, customer service and finance SMEs to elicit the real-world As-Is across the end-to-end value chain: customer order, intercompany inbound, outbound, inventory and destruction, returns, and the field-equipment and consumables flows specific to medical devices. We produced colour-coded Level-2 process maps to a single visual standard, with documentation events (sales order, invoice, delivery note, intercompany pricing trigger, serial/lot capture) surfaced as discrete steps so the maps could support both ERP configuration and downstream regulatory and control mapping. We modelled the To-Be flows for the highest-risk processes — surfacing where the new in-market entity layer changed billing, intercompany pricing, master-data ownership, and the returns-versus-destruction decision distinctive to regulated medical devices.

The outcome. By the end of the engagement the programme had a sign-off-ready As-Is baseline for the pilot market, a To-Be reference for the highest-risk flows, and a decision-grade view of which ERP candidate could support the proposed model with the least re-engineering. The pilot maps became the template applied to the remaining focus markets in subsequent programme waves.

Pilot-market engagement · Eight end-to-end process flows mapped at L2 · As-Is + To-Be deliverables · Embedded inside the client's continuous-improvement team.


Supply Chain · Pharma · European Release

Cutting EU release lead times for a global pharma's European supply chain.

The challenge. A top-tier pharmaceutical group's European release function — the QP certification step that gates finished goods into the European market — was consistently missing internal target lead times. Several factors were converging at once: new-product-launch volumes from non-EU manufacturing sites were rising; the certification team had absorbed significant turnover, partly as colleagues moved across to support COVID-vaccine programmes; and the existing prioritisation model couldn't surface which batches actually needed acceleration to avoid stock-outs. The business was concerned about patient supply, competent-authority perception, and credibility of the planning numbers used downstream.

The work. Working inside the global supply-chain function, Lariat ran a Lean Six Sigma DMAIC across the end-to-end EU release process — mapping the as-is flow from goods receipt at EU sites through inspection, testing and QP certification, segmented by supply-chain archetype (EU-origin vs. mutual-recognition vs. third-country imports, finished vs. semi-finished). We quantified actual stop-over-time and inspection durations by archetype, identified the disproportionate contributors to overall lead time, and benchmarked them against contractual and clinical need. We redesigned the prioritisation framework — including a clear escalation pyramid, segment classifications, and decision criteria — so that planners, release scientists and supply-chain leads had one source of truth on which batches mattered most. We defined revised target lead times by archetype, the standard work and confirmation steps to hit them, and the monthly performance reporting that would let leadership see whether the new operating model was actually holding.

The outcome. The programme landed agreed revised target lead times by supply-chain archetype, a prioritisation and escalation framework adopted across the release and planning communities, and a monthly performance baseline that made the new operating model defensible to supply-chain leadership and downstream stakeholders. The work created the foundation on which further automation and resource-flex initiatives were sequenced.

End-to-end EU release DMAIC · Six supply-chain archetypes analysed · Prioritisation + escalation framework adopted · Monthly performance baseline established.



Regulatory & Compliance

We advise regulated firms — payments, e-money, fintech, crypto — through authorisation, supervision, and complex change. Our partners hold FCA-approved person status and bring direct experience of the regulator's expectations on both sides of the table.

What we do

Packaged offerings

FCA Authorisation Readiness — 6 weeks

Gap assessment against FCA expectations, application drafting, and submission support. Typical engagement runs 6–12 months end-to-end.

MLRO-as-a-Service

Outsourced or co-sourced MLRO function for authorised firms. Includes risk assessment, oversight reporting, and regulatory liaison.

Financial Crime Health Check — 3 weeks

Independent review of your AML/CTF framework against current regulatory expectations. Outputs: prioritised remediation plan.

Selected work

Regulatory · Payments · M&A

FINTRAC-registered Canadian MSB transferred to a new owner in twelve days.

Client context. An EU-licensed fintech needed a registered Canadian entity to access North American payment rails without restructuring under US Money Transmitter Licences. A fresh FINTRAC registration would have taken three to six months, plus six to twelve weeks to clear banking. The target was a dormant BC corporation with 100% of shares held by a single seller, an active FINTRAC MSB registration, a clean AML history, and no operating activity.

Approach. Lariat ran the engagement end-to-end. Buyer matching and NDA up front, no-shop throughout. A five-day due diligence window covered corporate records, licence standing, AML history, and no-activity confirmation — with the full FINTRAC licensed-service scope, including virtual currency, surfaced so the buyer understood the obligations attaching to the registration. The SPA was drafted to a direct buyer–seller structure, with consideration fixed and the receiving wallet verified before funds moved. On signing, Lariat filed the BC Registry director change and the FINTRAC shareholder, director, and compliance-officer updates.

Outcome. The regulatory transfer completed within five business days of signing — the fastest turnaround in the market. Full handover followed on day twelve: share certificate and registers, current corporate filings, and registry and FINTRAC portal access. The buyer went from introduction to an operational FINTRAC-registered entity in twelve days, collapsing a two-quarter timeline.

Twelve-day end-to-end transfer · BC-incorporated FINTRAC-registered MSB · Five-day regulatory transfer · Direct buyer–seller SPA · Full FINTRAC scope disclosed at DD · Clean handover · Buyer Matching · SPA Drafting · Regulatory Filing · Compliance Advisory.


Compliance · Payments

"Lariat took us from initial FCA scoping to authorised PI in eleven months. Their command of the regulator's expectations made the difference between a polished application and a credible one."

— CEO, FCA-authorised payments firm


Information Security & Privacy

We design, implement, and audit the controls that protect regulated data and earn regulator and customer trust. Our practice holds CISM, CIPP/E, CIPM, and PCIP — and works equally well with technical teams and boards.

What we do

Packaged offerings

ISMS Scoping & Readiness — 4 weeks

Define ISMS scope, identify control gaps, and produce an ISO 27001 certification roadmap.

GDPR Programme Review — 3 weeks

Independent assessment of your data protection programme against current ICO expectations and case law. Outputs: prioritised remediation plan.

Fractional DPO

Outsourced Data Protection Officer for organisations needing senior privacy leadership without a full-time hire.

Selected work

Security · Payments

ISO 27001 certification in seven months for an FCA-authorised payments firm.

Client context. A UK-based, FCA-authorised payments institution processing card-not-present and open-banking transactions for e-commerce merchants. ISO 27001 certification was required within seven months to satisfy a tier-1 banking partner's onboarding and to strengthen the firm's Series B positioning. Existing controls were fragmented across Confluence and spreadsheets — workable for FCA SYSC, but well short of an auditable ISMS.

Approach. Alexander led the programme end-to-end, drawing on CyberAdviser's Framework Construction, Risk Management, and Certifications service lines. Month 1: gap analysis against ISO 27001:2022, mapped to existing FCA, PCI DSS, and GDPR obligations to avoid duplicate controls. Months 2–3: ISMS construction — Statement of Applicability, policy stack, asset and supplier registers, and a risk methodology operating at strategic, tactical, and operational levels. Months 4–5: operationalising controls — incident response, BC/DR testing, secure SDLC integration, vulnerability management, and supplier assurance across the payment processor, KYC vendor, and AWS eu-west-2 estate. Month 6: internal audit and management review. Month 7: Stage 1 and Stage 2 external audits.

Outcome. Certified on first attempt with two minor non-conformities, both closed within the corrective action window. Banking partner onboarding cleared in week 32. The ISMS was designed for reuse and now underpins the firm's PCI DSS v4.0 programme and planned SOC 2 Type II, avoiding parallel compliance estates.

Seven-month end-to-end programme · ISO 27001:2022 · Certified first attempt, two minor non-conformities · Banking partner onboarding cleared week 32 · ISMS now underpins PCI DSS v4.0 and SOC 2 Type II · Framework Construction · Risk Management · Certifications.



Transaction Advisory

We advise on acquisitions, disposals, and investments in regulated and complex businesses. Our work spans transaction readiness, due diligence, and post-completion integration — grounded in operational and regulatory reality.

Looking to acquire a regulated entity directly? We also sell ready-made, FINTRAC-registered Canada MSB companies with a five-day ownership transfer.

What we do

Packaged offerings

Transaction Readiness Assessment — 4 weeks

Readiness review for founders and boards preparing for sale or investment. Outputs: management information pack, identified risk areas, recommended remediation.

Buy-side Due Diligence

Commercial, operational, and regulatory assessment of target businesses for acquirers. Outputs: due diligence report, risk-rated findings, integration considerations.

Integration Planning Sprint — 6 weeks

Rapid integration planning for newly completed deals. Outputs: 100-day plan, workstream structure, governance framework.

Selected work

Transaction Advisory · Payments

Lariat advised on the acquisition and post-completion integration of three regulated payments businesses, spanning FCA authorisation transfer, AML uplift, and operational consolidation across fourteen months.


Data & AI Governance

We help regulated firms govern their data assets and AI systems — building the frameworks, controls, and audit trails that satisfy regulators and make data-intensive operations sustainable.

What we do

Packaged offerings

Data Governance Diagnostic — 4 weeks

Assessment of your current data governance posture against regulatory expectations. Outputs: gap report, prioritised improvement roadmap.

AI Governance Framework — 6 weeks

Design and implementation of an AI governance framework proportionate to your risk profile and regulatory obligations.

DPIA Support

End-to-end DPIA facilitation for high-risk processing activities, including AI-driven decision-making systems.

Selected work

Data Governance · Payments

A regulated payments firm needed to demonstrate data governance controls for an FCA-led regulatory review. Lariat designed and implemented a data lineage and classification framework within eight weeks, enabling the firm to present a credible control environment to the regulator.


Quality & Audit Readiness

We prepare regulated firms for internal, external, and regulatory audits — building the documentation, testing evidence, and control environments that hold up to scrutiny.

What we do

Packaged offerings

Audit Readiness Sprint — 3 weeks

Rapid review of your audit readiness posture: mock auditor walkthroughs, evidence gap analysis, and a clear remediation plan.

QMS Gap Assessment — 4 weeks

Assessment of your quality management system against ISO 9001 or sector-specific standards. Outputs: gap report, certification roadmap.

Regulatory Inspection Preparation

End-to-end preparation for regulator-led inspections: dry runs, document assembly, and management briefings.

Selected work

Quality & Audit · Pharma

A pharmaceutical distributor facing a GMP inspection had significant documentation gaps. Lariat implemented a quality management system and prepared the team for inspection within twelve weeks. The firm passed with no critical findings.


Sectors

Our practices apply across regulated and complex industries. The following sectors represent the majority of our work over the past five years.

Financial Services & Payments

FCA-authorised firms, payments and e-money institutions, MSBs, regulated crypto.

Pharmaceutical, MedTech & Life Sciences

Manufacturers, distributors and medical-device makers operating under GxP/GMP/GDP, with global supply-chain complexity.

Retail & Consumer Goods

Omnichannel retailers, FMCG groups, and consumer brands navigating supply chain volatility.

Technology & SaaS

Mid-market and growth-stage technology firms scaling operations and customer trust.

Professional Services

Regulated advisors, accounting and legal firms with operational and data protection complexity.

Canada MSB & Cross-Border Payments

FINTRAC-registered MSBs, cross-border remittance operators, and firms launching regulated payment corridors in Canada.

Crypto & Digital Assets

Regulated crypto asset service providers, exchange operators, and custodians navigating FCA, MiCA, and FINTRAC requirements.

How we engage

Lariat is intentionally small. Engagements are led personally by a practice partner, supported by a curated network of associates we've worked with for years. You hire the people who will do the work.

Senior-led, always.

A Lariat engagement is led by a partner, not handed to a junior team. Day-to-day delivery is by people you've met.

Scoped honestly.

We propose the smallest engagement that solves your problem. If a four-week diagnostic answers the question, we don't sell a four-month programme.

Independent.

No software vendor partnerships, no implementation kickbacks, no incentive to recommend the wrong tool.

Six practices, one conversation.

Tell us your problem and we'll route you to the right practice — or to all three. Most engagements start with a 30-minute discovery call.
