Erickson Retirement Communities is one of the leading national developers of full-service retirement communities, headquartered near Baltimore, Maryland, USA. Erickson has built a network of 20 communities that combine a maintenance-free active lifestyle with amenities, social activities, and wellness and medical centers.
Erickson Retirement Communities introduced a corporate enterprise risk management and compliance (ERMC) program to focus on sound business processes and the underlying technology that supports them. The goal was to achieve secure information management, resilient processes, risk management and adaptive processes. Erickson CIO, John Lambeth, CISA, used COBIT in a previous organization and led Erickson down the path of initiating the IT Process Excellence Program using COBIT as the controls framework.
Although Erickson is a privately held company and is not subject to compliance with Sarbanes-Oxley regulations, a number of board members are from publicly traded organizations and they endorsed the decision to implement controls using an industry good practices framework—COBIT. They recognized that COBIT bridges the gap among control requirements, technical issues and business risk.
Goals for COBIT Implementation
Erickson’s goals in adopting the globally recognized COBIT framework include:
- Align IT objectives with business objectives
- Enable clear policy development and good practice for IT control
- Emphasize regulatory compliance
- Help increase value attained from IT
- Establish a strong process orientation/culture
- Create a foundation for IT governance
“Our strategy has been one of implementing new or improved processes, policies, procedures and tools with the intent of increasing our value to the business—without burdening our staff with unnecessary work,” said Brian L. Porter, director of IT Governance and Process Excellence Program at Erickson. “We believe we can achieve that goal and as such have created a motto for the program: Practical Application of Reasonable Controls.”
Based on a high-level assessment of IT functions, including input from Erickson’s external auditing firm, six process areas were initially identified as key risk points: Manage Projects (PO10), Install and Accredit Solutions and Changes (AI7), Ensure Systems Security (DS5), Manage the Configuration (DS9), Manage Data (DS11) and Manage Operations (DS13).
The company’s process of using COBIT is quite simple. For each process area, a workgroup was formed. The groups’ first activity was to review the associated control objectives, practices, risk drivers and value drivers. From there, the workgroups assessed the current state (high level) of the department and prioritized the control objectives. The next step was to identify opportunities for improvement and initiate an action plan based on a desired future state. As part of their charter, all workgroups incorporated the process control (PC1-PC6) requirements into their efforts and deliverables.
Results and Future Plans
Erickson’s IT governance program efforts have been well received and are ongoing. The company has implemented an improved change management process, policy and procedure based on COBIT and ITIL guidance. In addition, an IT security policy and procedure for account provisioning is near completion, and a new service management system that will address service request, incident and problem management will be rolled out later in the year. Other achievements have occurred in the areas of IT facilities management, data management and human resource management. Further, Erickson has expanded its focus to address additional process areas and IT governance using COBIT.
As part of addressing any process area, workgroups routinely develop workflow diagrams and narratives, and incorporate them into Erickson’s standard for a policy and procedure.
The board of directors is involved in IT governance via steering committees that address strategic project oversight. In addition, Erickson values the relationship between its business units and the IT department, and, as a result, IT goals and objectives are aligned with business goals and objectives.
“Overall, COBIT has been a tremendous asset to our IT Governance and Process Excellence Program,” said Porter. “We also plan to explore using Val IT and Risk IT because of their value to our long-term efforts.”