Carnival Corporation & plc enhances process based risk assessment with IBM OpenPages GRC Platform

Carnival Corporation & plc (“Carnival”) is a global cruise company and one of the largest vacation companies in the world. The organization is headquartered in Miami and London. Carnival is the only company in the world to be included in both the S&P 500 index in the United States and the FTSE 100 index in the United Kingdom.

Carnival operates a fleet of 101 ships, with another 10 ships scheduled for delivery by March 2016. Each year, its vacation companies attract 8.5 million guests. With approximately 200,000 passengers and 70,000 shipboard employees, there are more than 270,000 people sailing aboard the Carnival fleet at any given time.

Although the company’s Audit Services department is based at its Miami headquarters, Carnival also maintains onsite audit teams at each of its brands, in order to align the audit function with the corporation’s generally decentralized management structure and to develop on-site audit expertise at each of the major brands. In 1997, well before the advent of Sarbanes-Oxley, Audit Services implemented a novel approach to monitoring and managing operational, financial and compliance risk across Carnival’s spectrum of cruise brands. The system allows a high degree of comparability across the brand portfolio while recognizing the differences that make each individual operating company unique.

Monitoring risk by tracking process-based performance
From the beginning, the key to Carnival’s approach to auditing risk was the conceptualization of each of its brands as a set of business processes. Although there are differences in their market segments, IT infra­structures and organizational structures, Carnival’s operating companies all operate primarily in the cruise industry, enabling the firm to establish a common analytical framework. The company has identified over 300 individual processes that are now organized into 13 sections:

• Understand markets and customers
• Design products and services
• Market and sell cruise/tour products
• Deliver cruise product and services
• Manage supply chain
• Process revenue billings and collections
• Manage financial resources
• Manage physical assets
• Develop and manage HR
• Manage information resources and technology
• Manage environmental health, safety, and security
• Manage support services
• Manage other non-cruise operations

The first section, Understand markets and customers, for example, includes two processes:

1. Profile guest mix and guest customer needs/wants
2. Measure and monitor guest satisfaction

Audit Services, in conjunction with management, established a classification scheme in which the risks associated with each process are identified and assessed. For example, process #2 above has associated with it the risks of “ineffective questions on comment cards.” The full model contains risks that are categorized as financial, operational or compliance-related (approximately 1,200 for each major cruise brand).

Supporting the complex demands of Sarbanes-Oxley
The process yielded benefits from the beginning. “One of our key goals has always been to confirm that controls and procedures are designed and operate effectively both shipboard and shoreside,” says Richard Brilliant, Sr. Vice President and Chief Audit Executive for Carnival. “Even before Sarbanes-Oxley, our process-based approach to monitoring risk was an effective internal tool that gave us the assurance of a comprehensive, consistent view of risk factors across all our various brands. It was a great way to conceptualize our business. So when Sarbanes-Oxley came along, we naturally regarded SOX as another system of process-based risk assessment.”

But Sarbanes-Oxley required a level of financial reporting granularity that extended beyond Carnival’s original system. “Sarbanes made us go back to make sure we had all of the necessary financial reporting risks in our model,” says Brilliant. “The new regulations also required us not only to identify risks but to verify that we had controls in place and that those controls were being tested to ensure that they are designed and operating effectively.”

The IBM^® OpenPages^® governance platform
Meeting the requirements of Sarbanes-Oxley dictated a substantial expansion in the scale of Carnival’s process-monitoring system.

“We needed software that would enable us to create and test all financial reporting controls globally, and OpenPages was the answer,” says Brilliant. “Their platform was flexible enough to work with our existing process and it also offered the reporting capabilities we were looking for.”

Carnival implemented IBM OpenPages Financial Controls Management in May 2006 and began the rollout of IBM OpenPages Operational Risk Management in late August. Today, the company estimates that 30 percent of the processes and approximately 30 percent of the risks it monitors are related to Sarbanes-Oxley.

Carnival is also in the midst of formalizing its Enterprise Risk Management (ERM) methodology, and the IBM OpenPages GRC platform is expected to play a major role in supporting ERM.

“OpenPages offers not only SOX-compliant solutions, but also an entire perspective on business that’s risk-based,” says Brilliant. “And we like having everything on one platform. Our next step will be to extend the platform to form the foundation of our ERM process.”

A centralized repository of risk factors
ERM and Sarbanes-Oxley together have raised the visibility of Audit Services’ process-based risk assessment system beyond that of an internal tool with a limited audience. Today, Carnival’s vision is to continue to evolve its risk assessment system into a centralized and shared repository for the purposes of assessing, reporting and managing the financial, operational, compliance and strategic risks that the enterprise faces.

Richard Brilliant notes, “As we have more parties external to Audit Services accessing this scheme, they can use what portions of the system they need and they can tailor it to their own requirements. Everyone can draw from a centralized database of risks, define their own risks and make their own reports.”

About IBM Business Analytics
IBM Business Analytics software delivers actionable insights decision-makers need to achieve better business performance. IBM offers a comprehensive, unified portfolio of business intelligence, predictive and advanced analytics, financial performance and strategy management, governance, risk and compliance and analytic applications. With IBM software, companies can spot trends, patterns and anomalies, compare “what if” scenarios, predict potential threats and opportunities, identify and manage key business risks and plan, budget and forecast resources. With these deep analytic capabilities our customers around the world can better understand, anticipate and shape business outcomes.