The idea of “transforming” a business has a magical ring to it, conjuring up visions of wizardry that changes ugly, unproductive ducklings into beautiful, streamlined swans.
But as Toronto-based Aviva Canada Inc. discovered in the course of its transformation project, there is no magic wand that can be waved to change a business. Hard work and effective communication to bring all parties into the accord — senior management, business units and IT — was where real wizardry was needed.
Aviva Canada is a provider of home, auto and business insurance, with more than 2.2 million customers across Canada and over 3,000 independent broker partners selling its products.
The company’s ambition is to double its market share in three to five years, says Javier de la Cuba, executive vice-president at Aviva. Senior executives realized they would have to change the way they did business to meet aggressive growth targets. Transforming the way IT managed and delivered services was a fundamental requirement for growth.
Book Review
In December 2004, the company embarked on an IT governance project. “We wanted to find a different way of managing IT, so we looked at how the function was structured, the sourcing of services, the tools that we use, and so on,” says de la Cuba.
For example, the company wanted to increase online broker transactions from about 15 per cent to 90 per cent, and developed a Web portal to facilitate the increase. In the past, the number of brokers with online access was restricted, says Eduardo Bersani, CIO at Aviva, but the changes raised concerns about security, controls and support.
“As we increase the broker base with access to our internal systems, we have to dramatically change the way we support a much larger population of external users. Our structure was too small and unprepared to deal with this,” he says.
The company has already seen dramatic growth in the past few years, growing from a relatively small company generating about $450 million in revenue in 1998 to $3.3 billion today. Aviva modernized its IT infrastructure and upgraded its applications over the years, but its controls structure did not keep pace.
“Our controls remained much as they were when we were a smaller IBM mainframe shop in 2000. So we had controls but they were appropriate for that kind of environment,” says Bersani.
The IT governance project meant reviewing all IT functions in conjunction with the business units, and implementing an open, recognized controls framework such as COBIT to define control objectives, and various best practice standards such as ITIL to improve IT processes and service delivery, PMBOK to improve IT project evaluation and discipline, and ISO 17799 to improve security. Aviva worked with The Manta Group, an IT governance consultancy based in Toronto, to implement the project.
The fundamental issue at Aviva and many other IT shops is that controls are IT-centric, says Fariba Anderson, partner at The Manta Group. IT staff generate statistics that are meaningful to them. For example, system availability was 99 per cent during the last quarter, which tells them how to run their operating budgets. But the stats don’t communicate or manage the impact of that one per cent downtime to the business, she says.
“Measuring something doesn’t mean you are controlling it. In finance, a true control is making sure the person who writes the cheques doesn’t cash them — not generating statistics about how many checks are written and cashed,” says Anderson. Aviva used COBIT to make the controls relevant by defining them by their business impact, which introduced a common language for both IT and business units, and changed the metrics used to their effectiveness, she says.
The rigor and discipline of using a formal IT governance framework to design controls helps IT define expectations when it is challenged by audit. For example, Aviva has targeted the implementation of level 4 security standards of ISO 17799 by next year. That sets the reference framework when they are audited, says de la Cuba.
“So if we want to achieve level 4, and level 5 means doing things like walking on water, then the audit report should not say, you’re not walking on water. If the business units say they are happy if we achieve level 4, and IT says we’re going to achieve it in 2006, then we expect audit to evaluate us on our ability to sustain level 4, but no more, and no less.
Other companies have problems with the audit process because they don’t set that expectation up front, says de la Cuba. “I’ve seen that many, many times.”
QuickLink 051602
Related links:
The Rise of Enterprise Risk Management and Governance
How business orientation shapes IT governance