Industries

Success Stories

Technology Products

Get Started

Our Services

Retail IT Case Study

An Insightful Approach to Sarbanes Oxley Compliance

Food Lion, LLC, is a leading US Grocer with more than 1,200 stores in 11 Southeast and Mid-Atlantic states, and
more than 70,000 employees. The Information Technology Department at Food Lion's corporate headquarters in Salisbury, N.C., is responsible for all software and hardware technology infrastructure used to support Food Lion's operations and implements more than 300 changes per month.

The Challenge

The Food Lion IT team had recently received a clean internal IT systems audit; however, a number of items were identified through the audit process as potentialareas of risk in light of upcoming Sarbanes Oxley 404 compliance requirements. Dale Edmiston, Food Lion's Senior Manager of I.T. Operations, saw the pain and additional workload of the early Sarbanes filers, and wanted to address Sarbanes Oxley 404 compliance proactively, with a consistent process approach.

According to Dale, "At the time, emergency or 'short notice' changes represented a pretty significant portion of our changes. The root cause of this was lack of adequate lead time in the planning activities, and inconsistent high level change processes." This also pointed to potential significant inefficiencies in the way work was performed. While there were no formal return on investment (ROI) targets set at the outset of the project, Dale knew that identical tasks were being completed by multiple groups for a given change. Dale saw the potential to improve compliance, reduce risk, improve service quality, and improve efficiency, thereby absorbing the additional workload of Sarbanes Oxley 404 compliance without increasing staff. Dale engaged long term Food Lion business partner Evergreen, to analyze the problem and help create a solution to meet it. Dale selected Evergreen based on their focus on the business problem, their depth of experience in enterprise change management solutions, their knowledge of Food Lion's operations, their successful track record at Food Lion, and their experience with the relevant technology.

Approach

Working as a team, Evergreen and Food Lion began by defining a clear picture of the project's desired business
outcomes:

  • Automating compliance with Sarbanes Oxley requirements -current and future
  • Reducing risk inherent in the change process - making 80 percent of all changes routine rather than
    emergency
  • Improving service quality, consistency and efficiency

Upfront analysis showed that big improvements were possible: A consistent, streamlined enterprise change
management process could address all of the business goals.

The logical first activity was updating the body of policy governance. Fortunately, there were strong, relevant standards which could be leveraged in the IT Infrastructure Library (ITIL®), and those of the Control Objectives for Information and Related Technologies (CobiT®), widely accepted as the standard for defining the scope of Sarbanes compliance projects. As both are large bodies of knowledge, Evergreen extracted those parts relevant to addressing the need, and created a single, cross referenced compliance matrix. This greatly simplified the amount of policy change required. Along with this, a formal Change Advisory Board (CAB) was established to provide overall policy guidance, ongoing management, and oversight.

Next, processes were updated to be consistent with the new policy set, and technology was leveraged to drive the adoption of new processes, as well as improvements in efficiency and consistency. Evergreen developed an effective self service solution by creating an easy user interface, and moved the responsibility for change creation primarily to the requestor. A business rulesbased "risk calculator" was built into the request process, whereby the initial change risk and materiality were determined by the requestor's answers to a series of questions, enabling an automated routing of the change request.

As with any enterprise level business change, you cannot succeed unless you reach a high rate of user adoption
within in a reasonable timeframe. Given the expected normal resistance to change, Food Lion needed users to move to the new system quickly, and block the old ways of processing changes. This was accomplished by focusing on training and getting the CAB to reject change requests not submitted through appropriate channels.

Results

Food Lion's new enterprise change management process for hardware, software, database, and application groups was fully adopted and in use within 2 months of its initial availability and included:

  • Compliance with Sarbanes Oxley 404 audit requirements was automated, and the on-going effort required to support these activities was reduced by 75 percent. Additional changes to policy are accommodated easily, by updating the business rules in the user interface.
  • Risk inherent in IT changes was significantly reduced by automation of process, clear requirements for designing and proposing a change, and by ensuring that all parties relevant to a particular change are
    involved in the process. The CAB is able to focus its efforts only on changes worthy of its involvement,
    based on more effective routing of proposed changes from the user interface.
  • The percentage of emergency changes has dropped from a majority, to less than 5 percent.
  • The IT staff's perception of change management has gone from predominantly firefighting and reactive, to planned and proactive.
  • Service quality and consistency have also improved dramatically, directly related to the reductions in risk
    and inconsistent processes.
  • Those involved in the change process initially were highly skeptical of any efficiency gains, concerned
    that the new processes would increase their workloads. In fact, those interviewed later estimated
    that the new system reduced the time spent processing changes by 25 to 35 percent. They also
    noted that there was a significant reduction in time required to process large, complex changes. They
    attributed the improvements to self-service, streamlining of the request process, better routing of changes, reduced re-work due to a much higher percentage of correctly structured changes, and reduced steps required by the elimination of redundancies.

Conclusions

At a higher level, Food Lion achieved two very significant gains. They didn't just automate enterprise compliance with Sarbanes Oxley, they created a way to align the entire IT organization with required policy quickly and efficiently. Food Lion also empowered their IT organization to do what they were trying to do all along to work more effectively as one team, not a collection of technical silos. Better understanding of the big picture by IT staffers, along with a proactive approach to management of IT leads to higher job satisfaction and a clearer sense of purpose.

Contact Us

Fill out this form to contact one of our consultants, or visit our contact page for phone, fax, address and complete contact information.

Name*:
Email*:
Phone*:
Company*:
Your comments:

Other Resources

© 2007 Evergreen Systems, Inc, a provider of ITIL consulting and other IT process improvement services for Fortune 500 clientele. All rights reserved.