COBIT Case Study: South African Breweries Limited 

 

Abstract

SAB Ltd. (South African Breweries Limited), a division of SAB plc, manufactures and distributes beer and non-alcoholic beverages in Europe, Asia and Africa. More than 200 of the organisation's 7,000 employees work in the information systems field. After learning about COBIT (Control Objectives for Information and related Technology) from the Gartner Group, SAB Ltd. used COBIT to develop an IT and enterprise architecture strategy document. The SAB Ltd. approach fostered partnering opportunities between IS audit and the IT community. The IS audit team implemented value-added components to the reviews, which allowed a more rigorous interpretation of IT risk. Once the business benefits of COBIT were communicated, senior business executives realised the framework could help determine accountability for processes and improve IT governance. By using the framework as the basis for an accountability matrix, SAB Ltd. began achieving a role-based IT organisation with defined process measures to ensure customer value.

Background

SAB Ltd. (South African Breweries Limited) is a division of SAB plc, which has more than 34,000 employees working for 70 breweries in 21 countries, as well as substantial hotel and gaming interests in Southern Africa. SAB plc was first registered in London in 1895 as SAB Limited. It was registered on the Johannesburg Stock Exchange in 1897 as the first industrial share. Since then it has grown to manufacture and distribute beer and non-alcoholic beverages in Europe, Asia and Africa.

SAB Ltd. generates 53 percent of the SAB plc operating profit and employs 6,500 full-time and 500 part-time employees. More than 200 of these employees work in the information systems field.

Process

SAB Ltd. first heard about Control Objectives for Information and related Technology (COBIT) through the ISACA web site (www.isaca.org) and soon after used COBIT when developing the SAB Ltd. IT/enterprise architecture strategy document. Gartner Group research was used extensively in the development of this document. After thoroughly researching COBIT's methodology to improve IT governance at SAB Ltd., Stuart Macgregor, then manager of SAB Ltd.'s Information Resource Management (IRM) team, was invited to Chicago, IL, USA to participate in ISACA's development of the COBIT 3rd Edition© Management Guidelines.

SAB Ltd. began its implementation by developing a COBIT questionnaire that assessed the IT management team's perception of IT process effectiveness, risk and the relative priority for improvement. This approach increased the IT organisation's readiness to adopt COBIT as its primary IT governance tool.

SAB Ltd. then used several techniques to gain senior management support for adopting COBIT. Presentations were given to groups including regional IT managers, the IT steering committee and IT managers. Pre-presentation reading, such as the COBIT Executive Summary, was distributed widely throughout the business and IT departments.

Although there was early resistance to the COBIT framework, the education campaign fostered a critical mass and resulted in strong support from the IT management team, which recognised that the COBIT framework could assist in assigning accountability for processes and improving governance within the IT organisation. SAB Ltd. then used the framework as the basis for an accountability matrix. The strategy was to move toward a role-based IT organisation with defined process measures to ensure customer value.

Using COBIT as a resource, SAB Ltd. developed an IT and enterprise architecture strategy document. This document served to further increase awareness of COBIT's benefits among SAB Ltd.'s IT and business communities. For each of the 34 COBIT processes, the development team documented the SAB Ltd.:

  • Target environment
  • Business objectives
  • IT portfolio services or deliverables from the IT process
  • Current situation analysis
  • Strategy and action items required to move from the current situation to the desired situation

At this point, PricewaterhouseCoopers (PwC) added its capabilities to the implementation process. Together with PwC, SAB modeled COBIT IT processes using the ARIS (Architecture of Integrated Information Systems) business process modeling tool set. Additional best practice information was obtained from the IT Infrastructure Library (ITIL) and the BS7799 standard. Content from BS7799 was captured into ARIS and linked to COBIT processes. The models were designed to answer the six interrogatives of what, how, where, when, who and why from different perspectives.

The SAB Ltd. team used portions of the COBIT 3rd Edition draft version to develop an IT customer satisfaction survey. The survey applied balanced scorecard concepts developed by Robert S. Kaplan and David P. Norton, and was sent to the SAB Ltd. board of directors, general managers, heads of departments and regional executives. Several factors contributed to the positive feedback and high response level of this survey, including the web-based approach to collect the survey responses, the questionnaire design and the statistical processing of the survey results.

Next, SAB Ltd. deployed an intranet COBIT web site that included the draft Management Guidelines IT process maturity models and eventually the final 3rd edition release. The intranet site includes the ARIS process models of the COBIT IT processes and the ability to assess current and desired IT process capability maturity. It also provides easy access to the COBIT open standard content and has received positive reviews from the SAB Ltd. IT community.

The SAB Ltd. IT departments use the COBIT intranet site to gain a detailed understanding of the COBIT processes and control objectives. This is especially useful when they are in the process of answering PwC's Tr-ICS (Technology Related In-Control Services) questionnaires. Tr-ICS is a simplified and practical risk analysis methodology which borrows from SPRINT (Simplified Process for Risk Identification), a risk analysis methodology developed by the Information Security Forum (ISF). IT risk is assessed for each COBIT IT process, with specific questions derived from 302 high-level control objectives.

SAB Ltd. extended the Tr-ICS tool to enable intranet based scoring and management of the review, to support, for example, assigning the questionnaires, tracking the progress, and storing and processing the results. In essence, there is a Tr-ICS question for each COBIT control objective. Coupling Tr-ICS reviews with the easy intranet access to control objectives and the COBIT 3rd Edition content has resulted in an overall improvement in corporate-wide understanding and appreciation for IT governance.

This implementation approach also is a good example of partnering opportunities between IS audit and the IT community. The IS audit team has implemented value-added components to the reviews, which resulted in a change of focus that allows a more rigorous interpretation of IT risk. As of the development of this case study, eight reviews were successfully performed and results were published by IS audit on the SAB Ltd. intranet.

Mr. Macgregor was then selected as a core member of the team that developed the SAB plc global IT strategy. In addition to providing a framework for IT control, COBIT's process maturity models were used extensively in the definition of the SAB plc global IT strategy to:

  • Assess IT process capability maturity (actual and desired) for South Africa, Africa and Europe IT departments.
  • Identify the steps or actions required to improve IT process capability maturity.
  • Identify and understand areas of knowledge sharing across the group.
  • Facilitate IT organisational design, e.g., determine the level of process consolidation and level of consistency for COBIT processes on a global, regional and local basis.
  • Define IT services based on COBIT IT processes.
  • Identify the key headlines, or what should be the focus, to support the business in achieving desired capabilities. This was essential in establishing business and IT alignment.

Conclusion

The SAB Ltd. team found that the extensive education campaign, supported by pre-reading materials and presentations prior to implementation, greatly increased awareness and support of COBIT among SAB Ltd.'s IT and business communities. Once the overall business benefits of COBIT were communicated, senior business executives realised the framework could help determine accountability for processes and improve IT governance. By using the framework as the basis for an accountability matrix, SAB Ltd. began achieving a role-based IT organisation with defined process measures to ensure customer value.

COBIT 3rd Edition provides a global performance improvement framework that helps achieve this by:

  • Establishing common key performance indicators across the group to enable internal and external benchmarking comparisons
  • Providing template business processes, supported by systems to enable rapid transfer of good practices
  • Supporting a more consistent approach for sharing knowledge by encapsulating the best thinking into the process models and supporting documentation

COBIT 3rd Edition will continue to be instrumental in supporting the globalisation of IT within SAB plc. This will require developing new ways of working for SAB plc to lead globally in strategy, planning, governance and IT performance measurement.