Pepsico Experience

1
Pepsico Experience
An example of IT strategy within a large and
complex organisation.

• Governance in Practice

Paul OCallaghan CIO WWTO PepsiCo

National Technology Business Conference
30 November 2005
2
Net Revenues 29 billion
USA 19 billion International 10 billion
2
3
Retail Sales over 1 billion
3
4
Scope of Worldwide Technical Operations RD ,
Concentrate and Quality
Toronto
Turkey
Pakistan
Arlington
Shanghai
Mexico
Bangkok
Venezuela
ACO
Brazil
Uruguay
4
5
Concentrate Operations

• World wide
• 13 Concentrate plants Franchise system
• Cork
• 300 Employees at 2 plants
• Sell to over 100 countries

5
6
What is Governance?
For PepsiCo, IT Governance is an integrated set
of processes providing oversight for how IT
resources will be invested and managed to deliver
business objectives in support of PepsiCos
strategic imperatives.
Governance is being used as the term to describe
how IT is managed across a large organisation.
6
7
PepsiCos Key Governance Processes
IT GOVERNANCE
IT Strategy, Planning Management
Portfolio Program Management
Managing Risk Compliance
Project Analysis Design
INTEGRATED PROCESSES, ORGANIZATION TECHNOLOGY
Aligning IT with Business Strategy
7
8
Approaching Governance

• Strategic IT Governance is focused on ensuring
  that
• IT business risks are being managed
• IT investments are allocated properly
• Business objectives are being enabled by IT
• Tactical IT Governance is focused on ensuring
  that
• IT project risks are being managed
• Formalised stage gate reviews and approvals
• Process designs meet objectives
• Applications and requirements support processes
• IT standards and target architectures are being
  followed

8
9
IT Governance

• Our Governance methodology must address the
  following key questions
• What decisions must be made to effectively
  manage use IT resources?
• Who should make these decisions and how will
  these decisions be made
• How will performance be measured monitored?
• Governance of IT activities
• Investments Retirements
• Baseline
• Reporting Enhancements
• Common PI IT Chart of Accounts
• Period Briefing Note Scorecards
• Quarterly Investment Scorecard
• Common Planning/ IT Planning Tool
• People management processes

• CIO Governance Council
• Bi weekly CIO call
• Bi weekly CTO call
• Monthly global call
• Quarterly Region Reviews
• Aligned Strat Plan process
• Aligned AOP process

9
10
Governance Framework

• Region teams are empowered to make decisions
  PI IT Governance framework ensures that project
  leaders will have accountability and a method to
  obtain alignment, approvals, risk mitigation and
  report progress

Resolution
Business/ IT Governance
PI CIO Council
Resolution
Global Leadership Team PI CIO Reports
10
Escalation Point Involvement of Region
Presidents PI CEO, CFO
10
Escalation Point Involvement of Region CFOs.
PI CFO Functional VPs PBSG Functions
Architecture Governance
Applications Governance
90
PI CIO SC Prioritization, Standards
Monitoring
90
PI IT Region Level Governance (Region CIO/CTO/
PMO, Business, Budgeting)
10
11
Investment Governance

• Initiation
• - Formal/ Informal
• Strat Plans/ AOPs
• Emails/ Interviews
• IT functional projects

• Reporting Reviews
• Financial/ timeline reviews
• Project diagnostic
• Risk diagnostic
• Quarterly investment scorecards
• Quarterly PI CIO reviews

Project Definition - Preliminary project
abstract

• Prioritization
• Project diagnostic
• Risk diagnostic
• Weighted scores
• Project tiers

• Project Management
• Project mgmt methodology
• Phase-gated funding
• Region PMOs

• Approvals
• Project abstract
• Financial planning
• Project profile, Tech Profile
• Project timeline
• PI Fin. Policies Approval matrix
• CAR/ Capex (if required)

Locked into Strat Plan, AOP or new Forecast
11
PI CIO Council Global/ T1 Only
12
Investment Governance

• Initiation
• - Formal/ Informal
• Strat Plans/ AOPs
• Emails/ Interviews
• IT functional projects

• Reporting Reviews
• Financial/ timeline reviews
• Project diagnostic
• Risk diagnostic
• Quarterly investment scorecards
• Quarterly PI CIO reviews

Project Definition - Preliminary project
abstract

• Prioritization
• Project diagnostic
• Risk diagnostic
• Weighted scores
• Project tiers

• Project Management
• Project mgmt methodology
• Phase-gated funding
• Region PMOs

• Approvals
• Project abstract
• Financial planning
• Project profile, Tech Profile
• Project timeline
• PI Fin. Policies Approval matrix
• CAR/ Capex (if required)

Locked into Strat Plan, AOP or new Forecast
12
PI CIO Council Global/ T1 Only
13
Investment Governance

• Initiation
• - Formal/ Informal
• Strat Plans/ AOPs
• Emails/ Interviews
• IT functional projects

• Reporting Reviews
• Financial/ timeline reviews
• Project diagnostic
• Risk diagnostic
• Quarterly investment scorecards
• Quarterly PI CIO reviews

Project Definition - Preliminary project
abstract

• Prioritization
• Project diagnostic
• Risk diagnostic
• Weighted scores
• Project tiers

• Project Management
• Project mgmt methodology
• Phase-gated funding
• Region PMOs

• Approvals
• Project abstract
• Financial planning
• Project profile, Tech Profile
• Project timeline
• PI Fin. Policies Approval matrix
• CAR/ Capex (if required)

Locked into Strat Plan, AOP or new Forecast
13
PI CIO Council Global/ T1 Only
14
Investment Governance

• Initiation
• - Formal/ Informal
• Strat Plans/ AOPs
• Emails/ Interviews
• IT functional projects

• Reporting Reviews
• Financial/ timeline reviews
• Project diagnostic
• Risk diagnostic
• Quarterly investment scorecards
• Quarterly PI CIO reviews

Project Definition - Preliminary project
abstract

• Prioritization
• Project diagnostic
• Risk diagnostic
• Weighted scores
• Project tiers

• Project Management
• Project mgmt methodology
• Phase-gated funding
• Region PMOs

• Approvals
• Project abstract
• Financial planning
• Project profile, Tech Profile
• Project timeline
• PI Fin. Policies Approval matrix
• CAR/ Capex (if required)

Locked into Strat Plan, AOP or new Forecast
14
PI CIO Council Global/ T1 Only
15
Investment Governance

• Initiation
• - Formal/ Informal
• Strat Plans/ AOPs
• Emails/ Interviews
• IT functional projects

• Reporting Reviews
• Financial/ timeline reviews
• Project diagnostic
• Risk diagnostic
• Quarterly investment scorecards
• Quarterly PI CIO reviews

Project Definition - Preliminary project
abstract

• Prioritization
• Project diagnostic
• Risk diagnostic
• Weighted scores
• Project tiers

• Project Management
• Project mgmt methodology
• Phase-gated funding
• Region PMOs

• Approvals
• Project abstract
• Financial planning
• Project profile, Tech Profile
• Project timeline
• PI Fin. Policies Approval matrix
• CAR/ Capex (if required)

Locked into Strat Plan, AOP or new Forecast
15
PI CIO Council Global/ T1 Only
16
Investment Governance

• Initiation
• - Formal/ Informal
• Strat Plans/ AOPs
• Emails/ Interviews
• IT functional projects

• Reporting Reviews
• Financial/ timeline reviews
• Project diagnostic
• Risk diagnostic
• Quarterly investment scorecards
• Quarterly PI CIO reviews

Project Definition - Preliminary project
abstract

• Prioritization
• Project diagnostic
• Risk diagnostic
• Weighted scores
• Project tiers

• Project Management
• Project mgmt methodology
• Phase-gated funding
• Region PMOs

• Approvals
• Project abstract
• Financial planning
• Project profile, Tech Profile
• Project timeline
• PI Fin. Policies Approval matrix
• CAR/ Capex (if required)

Locked into Strat Plan, AOP or new Forecast
16
PI CIO Council Global/ T1 Only
17
Final Project Abstract
FINAL
17
18
Tier 1 2 Projects Status

• Summarise key successes opportunities
  referencing
• on-time/budget deliveries
• assistance required to Get out of the red

18
19
Sample Investment Financials

• Financial Analysis Measurement

19
20
IT Controls for SOX compliance
Business Process with Financial Statement Impact

• Annual - Application Controls
• - Access Controls - who has access?
• Segregation of duties - what can they do?
  (Supersuser Access, sensitive significant
  transactions)
• Masterfile data updates - what significant data
  was updated?
• Software configuration parameters
• Automated procedures (e.g., approvals)
• Exception and Management reports
• Interfaces to other systems

Supporting Application interacts with server,
database and network
Supporting Application
Server stores data as well as key settings -
Configurable Infrastructure Controls -
Application Controls and Application Access
Controls
Governance

• Quarterly - Changes
• Changes to application controls (access,
  segregation of duties, masterfile updates,
  configuration parameters, procedures, reports and
  interfaces) for Financial Applications

Development

• Annual - General Controls
• General Controls Risk Control Matrices (RCMs)
  (Cobit-based Controls relevant to SOX only)

Integrity of application and data are dependent
upon underlying IT processes and controls
Change Management
Backup and Recovery Procedures
Security Administration
20
21
Accountability ModelProportional Ownership
Certifying Executive
Disclosure Committee
ProcessExecutive
SOX Coordinator
Process Owner
Control Owner
X
X
X
X
X
Monitoring
X
Control Activities
Information Communication
X
X
X
X
X
Risk Assessment
X
X
X
Control Environment
Everyone is responsible for Information and
communication.
PepsiCo requires all key controls to be
tested/reported on a Quarterly basis
21
22
Our Sarbanes Oxley Experience

• Benefits
• Improved control environmentEnhanced Systems
  Security and Systems Access ControlsImproved
  process documentationBetter understanding and
  improvement of segregation dutiesIncreased
  awareness and ownership of controls and processes
  
• Watch Outs
• Manual ProcessThe majority of key controls that
  have been implemented are manual and resource
  intensive - aim to automate critical controls.
• Segregation of DutiesSmall IT teams do not have
  absolute role segregation, this has introduced
  controls to gate keep the developer/support role
  in a production environment which will slow down
  the change management process.
• Audit Both internal and external audit are
  focused on controls and will always strive for
  the tightest controls - retain focus on scope and
  risk.

22
National Technology Business Conference
30 November 2005
23
Benefits Of Governance

• Ensures IT Focus is where it should be
• Provides a framework for measuring value and
  effectiveness of IT
• Raises the bar for Controls in IT - Audits less
  painful
• Business and IT Fusion
• Bridges gaps between IT and Business
• Transforms business from critics to owners
• Educates the business on IT as a function
  /enabler
• Drives IT to think and plan more strategically

23
National Technology Business Conference
30 November 2005
24
Governance - Watch Outs

• Needs to be driven from the Top
• Mindset change in IT Business
• Stakeholders require education on the new
  processes.
• New skills and resources often needed.
• Some things will take longer
• Needs to fed and watered improvements

24
National Technology Business Conference
30 November 2005
25
Going Forward

• Governance becomes a natural way of how we
  operate
• Planning
• Operations
• Compliance
• ITIL Framework on Service Delivery
• Balanced Scorecards

25
National Technology Business Conference
30 November 2005
26
Thank You !!

26
National Technology Business Conference
30 November 2005