Governing the Corporate Jewels

By Tony Kontzer  |  Posted 2012-12-28

In 2008, Sony Mobile Communications AB, then known as Sony Ericsson, was putting out new versions of some 25 different mobile handsets each year—all based on the (now nearly obsolete) Symbian mobile operating system. But a seismic change in the market that began the previous year was forcing Sony to consider abandoning Symbian.

That change? The arrival—and huge success—of Apple's iPhone and Google's Android mobile OS.

As it became clear that Symbian couldn't compete with either Apple's iOS or Android, Sony decided to jump on the Android bandwagon, kick-starting a switch from proprietary code to open source. It was a huge change that called for reconfiguring every piece of software for open source and training architects about open-source licenses. It also required Sony to find a way to keep on top of a burgeoning collection of open-source assets.

"We were facing a situation that we'd have millions of lines of code that's open source, and we needed to comply," says Carl-Eric Mols, Sony Mobile's head of open-source software operations.

After an exhaustive search for a tool that would ensure compliance with a growing assortment of open-source licenses, Mols found Black Duck Software's Protex open-source compliance solution. Protex essentially creates an archive of code prints (the software equivalent of fingerprints) and can check every piece of code Sony Mobile uses to ensure it's not infringing on any of its licenses. That, in turn, protects the company's IT investments, removes potential hiccups during software projects and reduces the risk of legal ramifications.

"We desperately need to understand what code we have and what license applies to that code," says Mols. "If we don't comply with our license terms, we can expose ourselves."

GRC Market's Growth Spurt

Like Sony Mobile, many companies are finding more and more reasons to establish controls over numerous aspects of IT. The market for providing IT governance, risk and compliance (GRC) solutions and services has emerged in the last decade, partly in response to regulations such as Sarbanes-Oxley, as well as corporate ethics scandals like the infamous Enron fiasco.

According to Forrester Research, the global market for GRC software and services was $1.4 billion in 2011, up from $590 million in 2006. Various estimates of anticipated growth for 2012 range from 18 to 40 percent. That market opportunity is attracting a crowd: Pundit Michael Rasmussen, a former analyst, places 400 vendors into the GRC category.

But as governance has moved to the forefront of IT priority lists, it has become about much more than regulatory compliance and corporate integrity. Whether companies are trying, as Sony Mobile has, to closely manage their most valuable IT assets, or they're simply trying to establish controls around managing the massive amounts of data they're collecting, analyzing and acting on, IT governance has become a critical method for ensuring greater accountability across the board when it comes to IT decision making.

"Information is the currency of the 21st century, and the need to drive business value from IT investments and manage IT risk has never been greater," says Robert Stroud, a member of the strategic advisory council for the Information Systems Audit and Control Association (ISACA), an independent association of IT governance. "It's imperative that companies have effective governance and management in place over information and technology so they can achieve this value and manage the related risk."

While companies looking to establish optimal governance strategies generally try to do so proactively, many organizations find themselves, like Sony Mobile, turning to governance tools in response to some immediate stimulus.

"As seems to be human nature, companies frequently manage their governance issues reactively," says Steve Keegan, a principal who runs the IT governance practice at management consultancy Pace Harmon.

In Sony Mobile's case, adopting governance as a reaction has paid dividends, as the company made the transition to open source smoothly, phasing out its Symbian handsets in 2010 and introducing its first Android phone that same year. Mols says Sony Mobile also has become the biggest contributor—other than Google itself—to the Android open-source project, with more than 1,000 code contributions thus far.

Responding to Internal Triggers

Unlike Sony Mobile, which was reacting to an external stimulus, the IT leadership at rental car company Avis Budget Group found itself having to respond in part to two internal triggers: an ambitious customer data project and a major acquisition.

Avis Budget embarked on a customer data consolidation effort in 2007, when it started building an IBM-powered customer data hub that would power a new CRM initiative. The company began pulling customer data from wherever it resided, much of it coming from a legacy mainframe database.

One of the discoveries during the years-long effort was that too many cooks were spoiling the customer data broth.

"Too many constituencies in the company had a say in customer data," says John Turato, vice president of technology. "We probably didn't treat it like as big of an asset as we should have."

That was in direct contrast to Avis Budget's customer service goals, and the resulting unreliable data presented what Turato considered an unacceptable risk to the business.

"When there's too much of a possibility for lots of different entities to be able to input and manipulate data, if data isn't cleansed properly, it can create a customer service problem," Turato explains, citing issues ranging from presenting customers with ill-fitting promotional offers to building ineffective marketing campaigns.

Whereas Sony Mobile looked for a tool to help its software license compliance efforts, Avis Budget's wake-up call caused it to look inward, with the company taking a number of steps to establish the control processes it needed to govern customer data.

It started by forming a customer governance board consisting of business and IT leaders. The board oversees all aspects of the management of customer data, ensuring compliance with data governance practices. Along with that, it introduced a data steward role that establishes gatekeepers who are responsible for any changes or updates to customer records, thus reducing the likelihood that erroneous information will find its way into employees' hands.

Avis also created a marketing science department to concentrate specifically on analyzing customer data and turning it into accurate, actionable insights. That, along with an increased focus on data modeling and services that allow users to access that data from any device, has tightened the relationship between IT and the business, thus encouraging more governance adherence.

"It's all starting to come together," says Turato.

The value of Avis Budget's customer data integration and governance efforts was highlighted during 2011, as the company began integrating Avis Europe, which it was in the process of acquiring for $1 billion. Avis Europe's customer name and address data, which would have conflicted with Avis Budget's legacy database, was easily integrated into the new customer data hub, smoothing the efforts to provide customer service across both sets of customers.

"The earlier you fix something, the better off you are," says Turato. "You don't have to deal with customer service issues later on."

The real proof is in the pudding: J.D. Power and Associates' annual study of the rental car industry, released in November, showed that the Avis brand's customer satisfaction index had risen to 766 from 742 a year earlier, helping it jump from eighth to fifth in the rankings in a year when its big acquisition certainly would have explained a dropoff.

"We're making a full-out effort to live up to our 'We Try Harder' credo," says Turato.

Avis Budget can point to a newfound focus on data governance as playing a critical role in the improvement it's seen thus far.