Bottler Company Caselet: Using COBIT® 5
© 2014 ISACA. All rights reserved.
ISACA has designed and created the Bottler Company Caselet: Using COBIT® 5 (the ‘Work’) primarily as an educational resource for educational professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Web site: www.isaca.org
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
Provide Feedback: www.isaca.org/basic-concept-caselets
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Acknowledgements

Author
Krishna Seeburn, Ph.D., CFE, CIA, CISSP, FBCS, LLM, PMP, Riesling Consulting Group, Mauritius

Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, RadioShack Mexico, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Credentialing and Career Management Board
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Chairman
Bernard Battistin, CISA, CMA, Office of the Auditor General of Canada, Canada
Richard Brisebois, CISA, CGA, Canada
Terry Chrisman, CGEIT, CRISC, GE Money, USA
Erik Friebolin, CISA, CISM, CRISC, CISSP, PCI-QSA, ITIL, USA
Frank Nielsen, CISA, CGEIT, CCSA, CIA, Nordea, Denmark
Hitoshi Ota, CISA, CISM, CGEIT, CRISC, CIA, Mizuho Corporate Bank, Japan
Carmen Ozores Fernandes, CISA, CRISC, Brazil
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA

Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA, Chairman
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP, HP Enterprises Security Services, UK
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA, Myers and Stauffer LLC, USA
Alisdair McKenzie, CISA, CISSP, ITCP, I S Assurance Services, New Zealand
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA
Katsumi Sakagawa, CISA, CRISC, PMP, JIEC Co. Ltd., Japan
Ian Sanderson, CISA, CRISC, FCA, NATO, Belgium
Timothy Smith, CISA, CISSP, CPA, LPL Financial, USA
Todd Weinman, CPS, The Weinman Group, USA

Academic Program Subcommittee
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA, Chairman
Umesh R. Hodeghatta, Xavier Institute of Management, India
Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA
Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil
Nebil Messabia, Canada
Kumar Srikanteswaran, CISA, CMA, PMP, India
Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan
Student Book
This caselet was developed to support the Basic Foundational Concepts Student Book: Using COBIT® 5, www.isaca.org/basic-concepts-student-book
What is value governance?
• Value governance is the way for enterprises to manage benefits realised, resources, value and risk.
• Value management is a framework that ensures that an enterprise achieves the maximum value from its investments at an affordable cost and at an acceptable level of risk.
How does it benefit an enterprise?
• Commonly, most enterprises treat IT and related projects mainly as cost centres. By applying value management throughout a project, from the initial idea to the start, the implementation and the final deliverables, the enterprise can track and understand the value those projects actually deliver.
• It is important to align investments with business objectives. By going through a value management process, you evaluate whether an investment in technology, and in the people and processes that support it, matches the objective and can deliver the right value or return on investment.
• For example, enterprise resource planning (ERP) projects often fail because the important risk has not been reviewed properly, which causes the ERP to be oversized and its cost inflated (e.g., when a company might only need an invoicing system).
How does it benefit a CIO?
To be able to show management and senior management that IT investments are realisable, every effort should be made to ensure that the employer’s expectations are met, rather than acquiring the ‘toy’ you want.
Agenda
• Company Profile – Bottler Company LLC
• Background Information
• Your Role
• Your Tasks
• Notes
• Questions
Bottler Company LLC – Profile
• Large corporation that consists of approximately 25,000 employees and contractors
• Publicly held company that went public two years ago, after a long tradition since its foundation in 1935
Background – What We Do
• Largest independent bottler in the soft drink industry
• Knows that canning and bottling technology can make or break the bottom line, so it maintains the best and most high-tech equipment
• On the other hand, information technology had been swept under the rug for some time and not kept current.
• Since 1935, the bottler has been acquiring territory and expanding the business. As a result, the need for better information grew.
Background – Financials
Bottler Company has been profitable ever since its inception. Last year, its gross revenue was US $180 million, with a profit margin of slightly less than 2 percent, while it was expecting a 10 percent profit margin.
Bottler Company could charge more for bottling and canning and raise its profit margin, but its competitive advantage would decrease and its general growth would suffer.
The cost of expansion and of establishing new products is the main reason the profit margin has been so thin, and executive management has made the decision to slow expansion.
Territorial growth is no longer a real consideration, but the addition of new products remains a main concern; reducing product development would be bad for the business.
Background – Org. Structure
President/CEO
• CFO
  ₋ Financial Ops
  ₋ Audit
  ₋ Accounting
• COO
  ₋ CIO
    ₋ IT Staff – Infrastructure
    ₋ IT Staff – Development
    ₋ Ad hoc IT Contractors
  ₋ PhySec/Facilities
• VP, Business
  ₋ Business Units
  ₋ Business Operations
• VP, Administration
  ₋ HR
  ₋ Legal
  ₋ Compliance
Background – Org. Structure
The board of directors:
• Is composed of members from Bottler Company and from other organisations, with outsiders comprising the majority. Most board members have had some experience working within the industry and are, for the most part, aware of the methods of operation.
• Has low risk tolerance, although the business risk comfort level of some members was exceeded by the past initiative to concentrate on expansion rather than products.
• Has a president who is also the CEO.
Background – Org. Structure
The executive committee:
• Consists of:
₋ Chief executive officer (CEO)/president
₋ Chief financial officer (CFO)
₋ Chief operating officer (COO)
₋ Vice president (VP) of business
₋ Vice president (VP) of administration
• Has a low risk tolerance, like the board.
• Has an excellent reputation for hiring top talent, giving broad guidelines and goals to key individuals, and then later determining how well each person met the goals.
• Has a current major goal of becoming more profitable and competitive to keep its innovation edge over the competition.
Background – Operational
Financial management is the responsibility of the CFO:
• It consists of financial operations, which, amongst other things, handles contracts, procurement and disbursements, accounting, and audit.
• The CFO is under pressure to cut costs to increase profitability.
• Further, the information retrieved from the current IT systems does not give a real-time view of the state of affairs.
Operations management is the responsibility of the COO:
• It consists of plant and facility operations, physical security, logistics (including transportation), IT and a few other smaller functions.
Background – Operational
IT management is the domain of the chief information officer (CIO) and is not one of the four major functions within the enterprise:
• The CIO oversees the IT systems, plus the ad hoc IT systems run by individual departments, and has no overall view of the systems as a whole. Most of the work is carried out by outside external consultants on an as-needed basis.
• The CIO is not on par with the other C-level executives. He reports to the COO.
• The CIO is there to run the day-to-day systems of the company and has no strategic role in either long- or short-term strategy.
Background – Operational
• To keep up with company growth, new computer systems were added in different departments as the need grew.
• As the company grew, the different stand-alone systems became more mismatched and the need for integrated systems became apparent.
Background – Competition
• Bottler Company is more focused on innovative product development than its competitors.
• It has organised and expanded massively in North and South America. This enables Bottler Company to have constant, reliable fixed costs.
• These cost savings are, in part, passed on to its main customers, making it the provider with the lowest prices and quality products in the Americas.
• The product development and innovative focus, plus a slight inclination to expansion, has given it the edge on quality and on knowing exactly what the market desires, and has kept it ahead of everyone in the industry.
• Consumers are always demanding more, and Bottler Company needed and wanted to be prepared.
Background – Business Goals
• The number one business goal is to become more profitable, because it is now a public company, and to remain a value company for its consumers, who are always demanding more.
• Proposing new product lines was important, but executives of the company had continuously expressed their desire for timelier financial information and decision-making tools from the different departments.
The Problems
• The existing systems were unable to handle requests such as decision-making support or timelier financial and other important information.
• Any customised reporting was developed from a multitude of sources and compiled manually.
• ERP gained recognition over the years. It became the topic of discussion as alternatives were contemplated and the company tried to formulate a solution that would meet the needs of the individual departments, be compatible companywide and facilitate the integrated communication that was desperately needed.
• These issues were significant enough to warrant an overall re-engineering of business practices, and the bottler decided to start researching viable options.
The Problems (cont.)
• A great deal of time and money was spent to research options, outline necessary attributes and perform feasibility studies. Employees spent several months completing a study to justify expenditures for the new system, and this, along with the inherent need for a new, integrated system, led to the decision to implement ERP.
• After a great deal of research and discussion, an executive steering committee, guided by outside consultants and the COO, with indirect help from the CIO and the IT department, decided to implement an ERP system.
• The idea was that the new system would be capable of handling company growth, communicating between departments and producing customisable, robust reports.
The Problems (cont.)
• The ERP vendor offered ‘slicing and dicing’ reporting capabilities that accompanied the software.
• The ERP vendor offered other features that were very attractive to the bottler. The financial module, with its abilities to track profit, forecast sales and manage cash flow, was also a feature the executives liked.
• They also liked the fact that the human resources and payroll modules would feed benefits, compensation, and time and labour information, as well as manufacturing and distribution information, into the profit reports.
The Problems (cont.)
• Management appreciated the fact that production scheduling, cost of goods and inventory would all automatically update the income statement.
• Once sold on the overall package, the executive committee gave the green light to go ahead with the ERP implementation.
• Although the ERP product seemed to be the solution to its problems, the bottler still had an enormous amount of work to do. No matter the size of the company, implementing an ERP system is not a trivial project.
• The bottler chose not to take the advice of the independent consultants it hired during the ERP product evaluation and recommendation phase, and instead chose its own path for the implementation effort.
The Problems (cont.)
• This lack of faith in the consultants’ advice made the implementation process even more challenging.
• With a young, inexperienced professional staff and a very limited IT staff, the undertaking was more than everyone bargained for.
• Too much time-consuming and technical work was assigned to employees who did not have ERP expertise or the proper training.
• In addition to this lack of expertise, employees were not provided assistance when it came to keeping up with their regular job duties.
• The bottler had a history of a ‘do-it-yourself’ philosophy for all projects undertaken.
The Problems (cont.)
© 2014 ISACA. All rights reserved.
• Due to enormous workload of the ERP implementation effort, a great deal of strain was placed on the employees involved in the project.
• Communications problems increased. Roles and responsibilities that had not been defined clearly started posing a problem, and the CIO had to take the driver’s seat without the right support to steer the project.
• Communication issues, including employee encouragement concerns, also added
to the burden of the human resources problem. Due to breakdowns in the
channel of communication and the lack of management support, many
constituents, including high-level employees, resigned. Some were voluntary;
many others were not.
• With already-looming challenges, the project was off to a shaky start. Choosing
the proper project team and planning its involvement would be the next major
issue at hand.
26
The Problems (cont.)
Your Role
Your position: CIO
Experience: Worked in the IT arena for more than 10 years.
Training: Completed the Bottler Company LLC internal management training programme within three months of starting your position, and you plan to enrol in IT management and financial courses soon.
Your team: The information technology department consists of two technical staff members and an assistant who report to you.
The team’s role: They deal with change requests, configuration management, and day-to-day report building and IT support issues, amongst other duties.
The previous contractor/consultant in the recommendation phase suggested that part-time help be provided to your IT department and to the other departmental employees involved in the project; the executives ignored this because of the ‘do-it-yourself’ philosophy.
Your Tasks
1. Design a business process for the enterprise, list the workings and challenges of the enterprise, and understand its vision, mission and challenges/objectives.
2. Identify the relationships amongst principles, processes and practices.
3. Establish the pain points signalling the need for better value management, as well as the trigger events that would compel business leaders to begin building on value.
Your Tasks (cont.)
5. Outline a typical ‘future state’ – what the common characteristics and outcomes of a value-driven enterprise look like.
6. Build a set of instructions on how to conduct an assessment of the enterprise’s current state.
7. Identify the most critical elements in managing organisational change that are required to sustain value over time.
Notes
• Many enterprises choose to acquire an ERP system to serve as a common system for their wide range of daily operations.
• Various business benefits can be realised from ERP investments due to operational performance improvements. For instance, ERP systems embed industry best practice processes, which enterprises can leverage to achieve a discontinuous improvement in performance.
• However, many ERP investments fail to deliver on their promised benefits due to deficient ERP investment appraisals caused by inflated expected benefits and underestimated cost and risk.
Notes (cont.)
• Therefore, improved governance of enterprise IT (GEIT) in general, and governance of ERP system acquisitions in particular, are crucial for success. One of GEIT’s key practices is the development, maintenance and utilisation of a proper business case throughout an investment’s economic life cycle.
• What are the key elements of an ERP investment business case, and which GEIT best practices are relevant? Furthermore, do such practices resonate with the management and finance best practices expected by the executive business leaders who control access to funds?
Discussion Questions
Some of the questions that should be asked include:
1. What issues is the CIO facing?
2. Why have these issues surfaced?
3. Using the key components of a business case, define how you would use them to define the key areas of benefits, risk, appraisal and cost.
4. Using COBIT 5 as a guide, identify the core domains that you would use to manage and drive your project and then map them to the real-life actions you would need to get the job done.