Published on 22-Aug-2008
Validated on 07 Mar 2013
“We chose IBM for two reasons. First, they’re SOX-compliant on a global basis, so they know first-hand what it’s like to deal with stringent externally imposed standards that require compliance. Second, IBM has a practice in place to help customers institute IT governance procedures.” – Harry Reynolds, vice president and information compliance officer, BlueCross BlueShield of North Carolina
Customer:
BlueCross BlueShield of North Carolina
Industry:
Healthcare, Insurance
Deployment country:
United States
Solution:
Business-to-Business, Cloud & Service Management, Transforming Business
Overview
The well-publicized corporate difficulties of the early 2000s and the subsequent implementation of regulations such as the Sarbanes-Oxley Act (SOX) have raised awareness of the importance of corporate governance and accountability to new heights. Companies in all industries are being audited more than ever before, and expending significant resources to comply with these new, stringent rules.
Business need:
Faced with a multitude of governance process audits each year, BlueCross BlueShield of North Carolina needed to make its response to audits consistent to reduce the overall impact on business. In addition, the company needed to establish compliance with new insurance industry regulatory requirements.
Solution:
The not-for-profit insurer worked closely with IBM to institute industry-standard IT governance controls that span all of the company’s operations, ensuring high internal standards and uniform procedures, helping to achieve regulatory compliance.
Benefits:
• Reduces the effort needed to respond to audits by approximately half
• Creates a more effective, uniform response to audits
• Supports regulatory compliance
• Imparts knowledge transfer through a collaborative “coaching” relationship
• Establishes a new IT governance implementation methodology that leverages collaboration between vendor and customer
Case Study
Transformation at a glance
BlueCross BlueShield of North Carolina, working to improve internal accountability, overhauled its IT process governance structure. The new governance structure made the company’s responses to audits more consistent and of higher quality, and also enabled BlueCross BlueShield of North Carolina to demonstrate the highest accounting standards to demanding clients.
Key Components
Services
• IBM Global Business Services
The impact of corporate accountability rules
The well-publicized corporate difficulties of the early 2000s and the subsequent implementation of regulations such as the Sarbanes-Oxley Act (SOX) have raised awareness of the importance of corporate governance and accountability to new heights. Companies in all industries are being audited more than ever before, and expending significant resources to comply with these new, stringent rules.
Not-for-profit health insurance provider BlueCross BlueShield of North Carolina has experienced this first-hand, and it was creating a challenge for the company, according to Harry Reynolds, vice president and information compliance officer. “Our basic problem was that we were being audited multiple times per year, and we did not have a uniform way of responding. We were addressing issues one audit at a time, answering the specific questions put to us, and there often was no uniformity to the procedures or the personnel involved,” he says.
Reynolds highlights the importance of consistency when responding to audits. “We saw a need to be proactive and manage our own destiny, rather than responding separately to each audit.” There was a clear need to improve the company’s overall understanding of internal controls, especially as they relate to accountability regulations. “Getting a better handle on our internal controls and governance would then let us produce a single, standard deliverable that would address the needs of anyone auditing us, no matter who they were or what they needed to know. It would also let us be more efficient and reduce the amount of time we spent on this activity.”
Different companies, different rules
Sarbanes-Oxley is by far the best-known corporate accountability regulation, but it applies only to public companies. While not-for-profits like BlueCross BlueShield of North Carolina do not need to comply with SOX per se, they can be affected by it nevertheless. A large public company is more likely to do business with a supplier that meets stringent accountability standards, because doing so helps reduce risk. On the supplier side, an understanding of Sarbanes-Oxley requirements helps companies do business more easily and transparently with those businesses that are in compliance.
Each industry is governed by a unique set of industry regulations, which are further defined by the requirements of its geographic location. Based upon these and other factors, each organization needs to understand its individual risks, and then create its own plan to respond to, and mitigate, those risks.
“It’s about holding ourselves to the highest standard, making ourselves the best we can be. It’s about doing business the right way – aligning business and IT, managing risk and ensuring security in addition to compliance.” – Marty King, senior IT auditor, BlueCross BlueShield of North Carolina
“Naturally, we needed to make sure we were going to comply with the industry-specific standards,” says Marty King, senior IT auditor at BlueCross BlueShield of North Carolina. “However, we didn’t undertake this project just to make that happen. Nor did we do this for competitive reasons per se. It’s about holding ourselves to the highest standard, making ourselves the best we can be. It’s about doing business the right way – aligning business and IT, managing risk and ensuring security in addition to compliance.”
Combining internal and external expertise
Because of the central role of a company’s information technology infrastructure in the running of the business, good enterprise governance depends largely on instituting appropriate IT governance. Regulations require corporate management to attest to appropriate controls at three key levels: business controls, applications controls and IT process controls.
To guide businesses in this effort, there is a set of standards created by a powerful industry organization, the Information Systems Audit and Control Association (ISACA). This IT governance framework is called Control Objectives for Information and Related Technology (CobiT). It enables clear policy development and good practice for IT control throughout organizations in all industries, emphasizing regulatory compliance. BlueCross BlueShield of North Carolina knew that CobiT would be the cornerstone of its IT governance initiative, but the company needed assistance to implement it.
BlueCross BlueShield of North Carolina wanted to employ a provider with both experience and expertise in the area. “We chose IBM for two reasons,” Reynolds says. “First, they’re SOX-compliant on a global basis, so they know first-hand what it’s like to deal with stringent externally imposed standards. Second, IBM has a practice in place to help customers institute IT governance procedures. That practice has people who are trained in CobiT and who have experience in projects like ours.”
IBM Global Business Services consultants were brought in to act as project managers and “coaches” who could help BlueCross BlueShield of North Carolina apply the CobiT framework to its IT processes. “The coaching part was more important to us,” Reynolds says. “Especially the fact that they understood CobiT. We were taking our own wording, processes and thinking and trying to translate it into the CobiT framework. They were very helpful in getting us to understand how to do that.”
The two-year engagement established governance standards for 15 critical IT processes. For each process, a cyclical IT governance control process was applied: identify the risks and define the control framework; establish, implement and operate the governance procedures; test them; and finally monitor and report on the outcome. Any gaps found or modifications needed feed back into the beginning of the cycle.
A new, collaborative approach that can benefit the entire industry
The governance initiative has had its desired effect. BlueCross BlueShield of North Carolina is now able to respond in a consistent way to any audit, with a deliverable that meets all needs. In addition to a higher-quality, more useful audit report, Reynolds states that the effort needed to respond to each audit has been cut in half, which in turn helps cut costs.
But it’s the process itself that may have the most significant impact. Reynolds points to the working arrangement between BlueCross BlueShield of North Carolina and IBM as something very unusual and special. “We believe that this is a unique way of addressing this issue in our industry,” he says. “Others may have undertaken this kind of project on their own, or brought in somebody to do it for them, but we created this collaborative working relationship with IBM that proved to be very effective.”
Because of its expertise and experience with both the CobiT framework and regulatory compliance issues, the IBM team was able to first lead BlueCross BlueShield of North Carolina in the right direction, then walk beside them to support their efforts and finally follow up, challenging the BlueCross BlueShield of North Carolina team to improve its procedures. Making BlueCross BlueShield of North Carolina the center of the implementation team and guiding their efforts served to create a comprehensive understanding within the company of how to move forward once the engagement ended.
This way of working together has proven so effective that IBM is presenting the lifecycle and collaboration methodology to ISACA as an open standard for use by other companies. “This project is yielding collateral that can help others apply the CobiT framework more effectively. So not only are we ensuring that we meet all applicable governance regulations ourselves, our experience may serve to improve the ability of any business to implement CobiT,” Reynolds concludes.
For more information
To learn more about how IBM can help transform your business and help you innovate, please contact your IBM representative or IBM Business Partner.
Visit us at:
ibm.com/innovation
Products and services used
IBM products and services that were used in this case study.
Service:
GBS Human Capital Management: Learning Solutions, GBS Human Capital Management: Workforce Transformation
Legal Information
© Copyright IBM Corporation 2008 IBM Corporation 1 New Orchard Road Armonk, NY 10504 U.S.A. Produced in the United States of America 8-08 All Rights Reserved IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at ibm.com/legal/copytrade.shtml. Other company, product or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. ODC03087-USEN-00