COBIT Case Study: Erickson Improves Business Processes
Erickson Retirement Communities is one of the leading national developers of full-service retirement communities, headquartered near Baltimore, Maryland, USA. Erickson
has built a network of 20 communities that combine a maintenance-free active lifestyle
with amenities, social activities, and wellness and medical centers.
Erickson Retirement Communities introduced a corporate enterprise risk management
and compliance (ERMC) program to focus on sound business processes and the
underlying technology that supports them. The goal was to achieve secure information
management, resilient processes, risk management and adaptive processes. Erickson CIO,
John Lambeth, CISA, used COBIT in a previous organization and led Erickson down the
path of initiating the IT Process Excellence Program using COBIT as the controls
framework.
Although Erickson is a privately held company and is not subject to compliance with
Sarbanes-Oxley regulations, a number of board members are from publicly traded
organizations and they endorsed the decision to implement controls using an industry
good practices framework—COBIT. They recognized that COBIT bridges the gap among
control requirements, technical issues and business risk.
Goals for COBIT Implementation
Erickson’s goals in adopting the globally recognized COBIT framework include:
• Align IT objectives with business objectives
• Enable clear policy development and good practice for IT control
• Emphasize regulatory compliance
• Help increase value attained from IT
• Establish a strong process orientation/culture
• Create a foundation for IT governance
“Our strategy has been one of implementing new or improved processes, policies,
procedures and tools with the intent of increasing our value to the business—without
burdening our staff with unnecessary work,” said Brian L. Porter, director of IT
Governance and Process Excellence Program at Erickson. “We believe we can achieve
that goal and as such have created a motto for the program: Practical Application of
Reasonable Controls.”
Based on a high-level assessment of IT functions, including input from Erickson’s
external auditing firm, six process areas were initially identified as key risk points:
Manage Projects (PO10), Install and Accredit Solutions and Changes (AI7), Ensure
Systems Security (DS5), Manage the Configuration (DS9), Manage Data (DS11) and
Manage Operations (DS13).
The company’s process of using COBIT is quite simple. For each process area, a
workgroup was formed. The groups’ first activity was to review the associated control
objectives, practices, risk drivers and value drivers. From there, the workgroups assessed
the current state (high level) of the department and prioritized the control objectives. The
next step was to identify opportunities for improvement and initiate an action plan based
on a desired future state. As part of their charter, all workgroups incorporated the process
control (PC1-PC6) requirements into their efforts and deliverables.
Results and Future Plans
Erickson’s IT governance program efforts have been well received and are ongoing. The
company has implemented an improved change management process, policy and
procedure based on COBIT and ITIL guidance. In addition, an IT security policy and
procedure for account provisioning is near completion, and a new service management
system that will address service request, incident and problem management will be rolled
out later in the year. Other achievements have occurred in the areas of IT facilities
management, data management and human resource management. Further, Erickson has
expanded its focus to address additional process areas and IT governance using COBIT.
As part of addressing any process area, workgroups routinely develop workflow diagrams
and narratives, and incorporate them into Erickson’s standard for a policy and procedure.
The board of directors is involved in IT governance via steering committees that address
strategic project oversight. In addition, Erickson values the relationship between its
business unit and the IT department, and, as a result, IT goals and objectives are aligned
with business goals and objectives.
“Overall, COBIT has been a tremendous asset to our IT Governance and Process
Excellence Program,” said Porter. “We also plan to explore using Val IT and Risk IT
because of their value to our long-term efforts.”
Questions:
• Please summarize the case
• What’s generating all of the extra project requests?
• What problems arise from over-commitment?
• What’s your assessment of the company’s IT governance?
Source:
http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=50971&TEMPLATE=/ContentManagement/ContentDisplay.cfm