Whenever CIO Ron Maillette had to refocus a runaway argument about the arduous compliance project under way at Pacer Global Logistics Inc., he would raise his hands like the scales of justice, tip them gently up and down, and ask the question:
"Do we pass the audit or piss a few people off?"
Maillette's gesture -- reminding his team what was really at stake -- became so familiar among IT project managers at the Dublin, Ohio-based division of Pacer International Inc., that he rarely had to ask the question out loud. The gesture also became emblematic of the steely resolve required to comply with Sarbanes-Oxley (SOX) financial reporting regulations, which at so many midmarket companies have depleted IT resources and driven CIOs to weary distraction.
At Pacer, however, the story played out differently.
The $1.7 billion transportation logistics firm barreled into its compliance work last year with an all-hands-on-deck approach involving most of its 80-person IT staff and only two outside consultants. In less than a year's time, they delivered a complex, labor-intensive project on deadline, on budget and with unexpected benefits in IT/business alignment.
"This work will be critical in our architecture discussions as we move forward," said Chief Operating Officer Alex Munn, who was CIO during the project and was promoted afterward. "The success of the SOX project helped us change our organizational dynamics. It forced us to work together within IT much better."
Pacer's approach is noteworthy because the compliance team went beyond point fixes and took a more holistic approach to replacing, improving and creating new process flows and controls across the enterprise.
Think Process, Not Patching
Bringing about organizational change via Sarbanes-Oxley can raise a lot of skeptical eyebrows among other IT executives. That's what CIO Ron Maillette noticed one evening at an IT executive gathering at nearby Ohio State University.
"The subject at my table turned to Sarbanes, and the discussions were focused on it as a necessary evil that people couldn't wait to have over with," he recalled. "I made some comments about how we were seeing this as an opportunity to better position for the business. The reaction was interesting. Everybody basically patted me on the head and said, 'Yeah, sure, whatever!' "
That reaction was no surprise to Cal Braunstein, a compliance expert and CEO of the Robert Frances Group, a consultancy based in Westport, Conn. "That's not the way other IT executives think, in this kind of process-oriented approach," he said. "What makes Pacer's story so unique is that they recognized the need to do a total process redesign and not a lot of ad hoc patching."
The company emerged with a complete process redesign, as well as new IT controls for security, access control, systems documentation, change management and operations.
"What they've accomplished at Pacer was just jaw-droppingly cool," said Bruce Barnes, principal of Bold Vision LLC, a Dublin, Ohio-based consultancy providing advisory services to CIOs. "I saw this whole thing as transformational in the true meaning of the word. Not only in meeting the regulatory mandates, but in the way this project brought order and focus to the way the business is performed."
Yet a happy ending wasn't so clear from the outset. As the team found out, Pacer's auditors were taking bets on whether the company would even make it through the audit. "And the odds were against us," Munn said.
So how did they beat those odds?
'Ignorance Was Bliss'
Pacer International, one of the largest players in the $60 billion transportation logistics industry, is responsible for an estimated 20% of all U.S. "intermodal" transport, or the movement of containerized freight by road and rail. Pacer primarily leases the equipment and storage space it requires, employing more than 1,660 people, managing 1,300 contract drivers and tracking a fleet of more than 23,500 containers.
The company was assembled in a rapid-fire series of acquisitions between 1997 and 2000 that pulled together a diverse and geographically widespread set of supply chain, distribution and transportation logistics businesses. That led to a classic hodgepodge of legacy systems and divisional fiefdoms -- all calling their own IT shots. That also produced a daunting problem in 2002, when the company went public and fell under Sarbanes-Oxley requirements.
"We had to do in 10 months what most companies would take 10 years to do," said Munn, who became Pacer's first CIO in 2002, leaving a position as a CIO and vice president at The Coca-Cola Co. "To be blunt, we didn't have much in the way of formal processes and controls."
The compliance project began with the engagement of Armanino McKenna LLP, a San Ramon, Calif.-based accounting firm, which would assess Pacer's situation and then help deliver the remediations needed to satisfy the company's outside auditors from PricewaterhouseCoopers. Sarbanes-Oxley's auditor-independence rules bar a company's external auditor from designing or implementing the controls it will later attest to, so companies engage two firms: one to assess and remediate, and one to perform the actual audit. "We knew we had a lot of work to do, but weren't sure what that work was," Munn recalled. "In retrospect, ignorance was bliss."
For example, one of the biggest early shockers was the auditors' estimated cost of $3 million or more for intrusion detection software to secure the 97 access points into the company's networks. Nobody was willing to take that number to the CEO. "The auditor's solution made us choke. We got real creative," recalled Maillette (see "New Security Controls Thwart Network Attack"). Also a former Coca-Cola CIO like his boss, Maillette was recruited out of early retirement to become Pacer's chief compliance and security officer when the project began.
The IT group tackled the SOX work on several fronts:
With internal ownership: Maillette established a permanent Project Management Office in early 2004 and staffed it with newcomers to Pacer. That helped push cultural change a little faster. "None of us were longtime employees, so there were no sacred cows, no history of 'We can't do that,' " said Dana Pritchett, director of IT program management and strategic planning.
With frameworks: The group followed guidelines set out by two widely accepted frameworks for compliance: COBIT and COSO. The COBIT (Control Objectives for Information and related Technology) framework is issued by the IT Governance Institute, while the more accounting-focused COSO framework for internal control takes its name from the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative of five professional bodies that include the American Institute of Certified Public Accountants.
With a new methodology: The team employed (for the first time) a System Development Life Cycle (SDLC) methodology, a structured, phased process for specifying, building, testing and releasing information systems that also governs how changes to them are made. "That was a huge change for this organization," Maillette noted. "Our staff really drank from a fire hose in 2004," he added. "It was nothing short of amazing, and much to the team's credit, that they absorbed the volume of change we threw at them."
New Security Controls Thwart Network Attack
Saving $3 million is always good news for a CIO. But Ron Maillette has even more cause to celebrate when he thinks about the newly reconfigured network access at Pacer International Inc. "We had a hacking incident, traced back to South Korea, with an individual trying to use our Pacer site as a way to forward on whatever information he was trying to distribute," Maillette said. "We caught it right away and, when we shut it down, the individual in Korea launched a full-fledged attack on the Pacer sites to try to bring us down."
But security protections installed last year as part of an extensive Sarbanes-Oxley compliance project repelled the attack and thwarted a flood of spam and virus-laden messages thrown at the Pacer sites. "It would have been the ultimate denial-of-service [attack], and it would have brought us to our knees," the CIO said. "What a difference a year makes."
Last year, when IT managers at the transportation logistics firm started to map out their workload for the compliance project, the biggest potential price tag was dangling from the 97 points of network access the auditors had identified as needing better protection. The initial audit recommendation was to install intrusion detection software on each point -- at a cost of at least $3 million. That would have doubled what Pacer eventually spent on Sarbanes-related work to pass its 2004 audit.
"So our technical group put on their thinking caps and said, 'We're going to find a different way to do that,' " Maillette said.
The solution -- which ended up costing less than $200,000 -- involved closing down the access points and re-architecting the network so that all external traffic entered through three major gateways, or hubs, protected by intelligent routers. Concentrating ingress at three chokepoints meant the monitoring the auditors wanted had to be deployed and maintained in three places rather than 97, which is where the savings came from.
Other business executives at Pacer were well aware of the far-reaching business impact of the compliance project. "It was a mind-and-thought process shift for people. We were creating this basic infrastructure of common processes -- and we had to do it very rapidly," said John Ross, vice president and controller of accounting operations at Pacer. "We've got a more holistic view of the business now, instead of all the silos."
Department managers from all the business units were involved in the weekly, sometimes daily, meetings necessary to keep such a large project on track. "We would never have gotten it done without the business people supporting it," said Sharon Bate, the senior programmer analyst responsible for reworking the access controls around the major applications in rail operations, highway services and finance. "Deep down, everyone thought it was the right thing to do, so there wasn't much pushback."
The new processes and controls were only part of the solution, however. Even more important was an attitudinal shift. Rather than treating the regulatory compliance mandates as a miserable series of events to be endured, Maillette and Munn pushed the IT staff to look upon the resulting changes as "a way of life" that would put stronger business processes in place for the good of the company.
"We didn't see Sarbox as another Y2K -- one big bang and it's all over and back to normal," Munn explained. "What we wanted to do was change the thinking and the practices within the IT organization itself."
That's a process everyone agrees is under way, but nowhere near finished. "We're at version 0.0 of everything. It would be foolish to stand here and say we're all set," Maillette said. "Attitudinally, we're just starting to take this from 'event' to 'way of life.' "
One for the Road
Today, as company executives discuss a potential restructuring of the company's entire IT architecture, the compliance work has clearly paved the way, with newly established process improvements and project management disciplines. These IT controls have sharpened reporting capabilities across Pacer's varied businesses and improved root cause analysis on system problems. When something goes wrong, "we drill down and figure it out," Maillette noted. "Sarbanes is really about good business practices and controls."
And the effort, while not inexpensive, didn't break the bank. Pacer's spending on its compliance project -- including work on the business side as well as IT -- landed squarely in the industry average of $2.7 million to $3.5 million for companies in the $1 billion to $5 billion revenue size, the COO said. "We had to be thoughtful on how we were spending the company's money," Munn noted. "You can take a knee-jerk approach and say, 'Write me a big check,' or take the opportunity to make a real change, to find ways that cost less and manage it better."
Indeed, that view is emblematic of the whole project: strategic, opportunistic and ongoing.
"It will take time for all this to become a way of life instead of an event," Bate agreed. "But we'll get there. And to put it in Ron's terms, I don't think we pissed off too many people."