App Development Strategy Cuts Costs, Ensures Compliance
Western & Southern Financial Group’s software development and implementation processes were inefficient, costly and less secure than they could be. To address these concerns, the Cincinnati-based Fortune 500 financial services corporation embarked on an aggressive program to revamp these critical processes. Mark Pfefferman, with the help of his colleagues, explains how the company adopted its current application development strategy to reduce costs, improve efficiency and security, and better meet compliance requirements.
Western & Southern Financial Group is one of the eight highest-rated life insurance groups in the world, according to Standard & Poor’s, and we have a history of providing security and peace of mind to our clients since 1888. As a result of our diverse financial services offerings and the back office required to support those offerings, our Information Services department supports multiple IBM mainframe platforms running a variety of operating systems and open-systems platforms, including AIX, Linux, Windows and NetWare. These platforms administer millions of client policies and contracts.
Along with the diversity of financial services offerings are a plethora of state and federal regulations that may have their own set of IT-related requirements. One recent example is the National Association of Insurance Commissioners’ (NAIC) Model Audit Rule regulation, which requires strong controls over software development, access rights and system security.
To respond to these requirements, we looked for ways to improve our software and optimize our document and print processes. We focused on becoming compliant with the new Model Audit Rule requirements, while becoming more agile and resilient in our development processes.
A key step involved implementing Serena Software’s ChangeMan mainframe source code control system, as many of our key policy and contract administration systems are mainframe-based. ChangeMan standardized our entire software release process by providing a consistent set of steps for code promotion, package approval and moving from implementation into production.
Next, we started a project to improve portfolio management for the IS work plan. We wanted better visibility into our work program, right down to the individual programming resource.
By implementing a project and portfolio management (PPM) tool, we’ve been able to track our work portfolio more effectively and extend use of the tool to time tracking for projects, work orders and administrative tasks, such as those involving training, time off and meetings.
Our PPM platform allows our application developers to enter all their project and nonproject times into one system to maintain consistency. It also enables our management to see all times in a single application.
TOOLS FOR OPEN SYSTEMS
After our success in migrating our mainframe systems to a standardized source code control and configuration management platform, we evaluated tools for our open-systems platforms. Our open-systems applications span a variety of platforms and development languages, including PHP, .Net and Java.
We selected Serena’s Dimensions product because of its scalability; its integration with our development environments, such as Eclipse and Visual Studio; its rich feature set; and its ability to integrate with the vendor’s workflow product, Business Manager, which we use to “glue” various pieces into an integrated environment. This allows a business user request to be submitted through a custom mashup application, which then flows to an application team manager for acceptance.
If the request is accepted, it flows into our PPM system to be included in the application team’s work portfolio. Because the request system is integrated with the PPM system via Business Manager, status information is fed back to the request portal, giving the requester information that wasn’t available in the past. The system has been well-received by business users and IS.
Thanks to the new system, the application development teams now have a consistent life cycle for open-systems applications that fall under the NAIC Model Audit Rule. Source code control and build processes have been standardized and mechanized across multiple development languages and platforms.
In addition, we eliminated the double keying of work order request information that had been required with separate request submission and project tracking systems. The work request submission interface is dramatically simpler as well. The new system prepopulates much of the user information and requires only six fields to be filled out.
We are pushing all IS requests—such as those involving work orders or new hardware, software or telephones—through a Business Manager applet. In addition, work order submitters now have access to up-to-date work order status information. As work requests move through the status phases of “submitted” to “accepted” to “in progress” to “complete,” up-to-date status is automatically passed to the work order request system.
IS management has improved reporting to determine the types of work being done by category—for example, scorecard project, nonscorecard project, work request and administration—and the work time applied to each category. IS management uses this information to determine resource availability and to balance the workloads of the application teams.
In addition, we eliminated obsolete work request and time tracking systems, reducing support costs and license fees. We also created a privileged-access request system using Business Manager, which allows application developers to request and gain instant access to the production servers they support. These requests are preapproved, based on the application developer’s role, and they expire after a period of time.
This platform has enabled us to remove permanent administrator access that many application teams had, but it still provides emergency access at any time.
We are now exploring the use of Business Manager as a potential help desk replacement. Plus, we are considering extending the Serena Dimensions SCCM (System Center Configuration Manager) product to all open-systems applications, focusing on applications that fall under the NAIC Model Audit Rule.
In sum, Western & Southern has realized significant benefits from standardizing, strengthening and orchestrating our application lifecycle management processes. As we move forward, we plan to continue to enhance this environment and drive even better efficiencies, tighter security and stronger compliance.
Mark Pfefferman is assistant vice president and director of identity and access management for Western & Southern. Mary Beth Peavler, Dorene Farwick and Terri Brown are managers in the Information Services department and contributed to this article.