"Do we pass the audit or piss a few people off?"
Maillette's gesture -- reminding his team what was really at stake -- became so familiar among IT project managers at the Dublin, Ohio-based division of Pacer International Inc., that he rarely had to ask the question out loud. The gesture also became emblematic of the steely resolve required to comply with Sarbanes-Oxley (SOX) financial reporting regulations, which at so many midmarket companies have depleted IT resources and driven CIOs to weary distraction.
At Pacer, however, the story played out differently.
The $1.7 billion transportation logistics firm barreled into its compliance work last year with an all-hands-on-deck approach involving most of its 80-person IT staff and only two outside consultants. In less than a year's time, they delivered a complex, labor-intensive project on deadline, on budget and with unexpected benefits in IT/business alignment.
"This work will be critical in our architecture discussions as we move forward," said Chief Operating Officer Alex Munn, who was CIO during the project and was promoted afterward. "The success of the SOX project helped us change our organizational dynamics. It forced us to work together within IT much better."
Pacer's approach is noteworthy because the compliance team went beyond point fixes and took a more holistic approach to replacing, improving and creating new process flows and controls across the enterprise.
Think Process, Not Patching
Bringing about organizational change via Sarbanes-Oxley can raise a lot of skeptical eyebrows among other IT executives. That's what CIO Ron Maillette noticed one evening at an IT executive gathering at nearby Ohio State University.
"The subject at my table turned to Sarbanes, and the discussions were focused on it as a necessary evil that people couldn't wait to have over with," he recalled. "I made some comments about how we were seeing this as an opportunity to better position for the business. The reaction was interesting. Everybody basically patted me on the head and said, 'Yeah, sure, whatever!'"
That reaction was no surprise to Cal Braunstein, a compliance expert and CEO of the Robert Frances Group, a consultancy based in Westport, Conn. "That's not the way other IT executives think, in this kind of process-oriented approach," he said. "What makes Pacer's story so unique is that they recognized the need to do a total process redesign and not a lot of ad hoc patching."
The company emerged with a complete process redesign, as well as new IT controls for security, access control, systems documentation, change management and operations.
"What they've accomplished at Pacer was just jaw-droppingly cool," said Bruce Barnes, principal of Bold Vision LLC, a Dublin, Ohio-based consultancy providing advisory services to CIOs. "I saw this whole thing as transformational in the true meaning of the word. Not only in meeting the regulatory mandates, but in the way this project brought order and focus to the way the business is performed."
Yet a happy ending wasn't so clear from the outset. As the team found out, Pacer's auditors were taking bets on whether the company would even make it through the audit. "And the odds were against us," Munn said.
So how did they beat those odds?
'Ignorance Was Bliss'
Pacer International, one of the largest players in the $60 billion transportation logistics industry, is responsible for an estimated 20% of all U.S. "intermodal" transport, or the movement of containerized freight by road and rail. Pacer primarily leases the equipment and storage space it requires, employing more than 1,660 people, managing 1,300 contract drivers and tracking a fleet of more than 23,500 containers.
The company was assembled in a rapid-fire series of acquisitions between 1997 and 2000 that pulled together a diverse and geographically widespread set of supply chain, distribution and transportation logistics businesses. That led to a classic hodgepodge of legacy systems and divisional fiefdoms -- all calling their own IT shots. That also produced a daunting problem in 2002, when the company went public and fell under Sarbanes-Oxley requirements.
"We had to do in 10 months what most companies would take 10 years to do," said Munn, who became Pacer's first CIO in 2002, leaving a position as a CIO and vice president at The Coca-Cola Co. "To be blunt, we didn't have much in the way of formal processes and controls."
The compliance project began with the engagement of the San Ramon, Calif.-based auditing firm Armanino McKenna LLP, which would assess Pacer's situation and then help deliver the remediations that the company's external auditors, PricewaterhouseCoopers, would require. Sarbanes-Oxley's auditor-independence rules bar the firm that performs the audit from also designing and building the controls it will later attest to, so in practice companies engage two firms: one to assess and recommend changes, and one to perform the actual audit. "We knew we had a lot of work to do, but weren't sure what that work was," Munn recalled. "In retrospect, ignorance was bliss."
For example, one of the biggest early shockers was the auditors' estimated cost of $3 million or more for intrusion detection software to secure the 97 access points into the company's networks. Nobody was willing to take that number to the CEO. "The auditor's solution made us choke. We got real creative," recalled Maillette (see "New Security Controls Thwart Network Attack"). Also a former Coca-Cola CIO like his boss, Maillette was recruited out of early retirement to become Pacer's chief compliance and security officer when the project began.
This was first published in March 2005