I began teaching in the Indiana University, Kelley School of Business MSIS Program back in 2008 and created a set of course materials based on real-life business challenges I had encountered. Over time, I built a full set of case studies to explore different topics and the students loved both the reality of the cases, mixed with the industry-leading frameworks, and on-the-ground war stories that made the classroom discussion so engaging.
Today, I am releasing eight case studies adapted from on a variety of topics related to IT governance, risk, and controls (IT GRC). These cases incorporate real-life business and technology challenges and weave industry frameworks together with cutting edge concepts encountered by companies today. It is my hope that business professionals, students, professors, teachers and educators can use these and benefit from their lessons learned. The cases have been posted in non-editable Adobe PDF format; you may use the cases for educational purposes only, with appropriate citation and attribution. Please contact me for commercial needs, licensing arrangements or if you require editable versions of the cases.
I am always up for a guest lecture or speaking engagement for your organization, so don’t hesitate to contact me anytime to discuss.
1. Business Continuity Management – Cocoa-Sassafras
Hurricane Sandy caused significant damage to major businesses across the United States. Cocoa-Sassafras Corporation (CSC), a large company operating in the food and beverage industry, was affected by the incident. Some of the major products of Cocoa-Sassafras include chocolate, candies, snacks and coffee. Headquartered in Oak Brook (an industrial campus on the outskirts of Chicago), Illinois, Cocoa-Sassafras has manufacturing plants, distribution centers and data centers throughout the US, Canada and Mexico. But the real damage was caused to CSC’s major distribution center and a data center in the northeast region where the hurricane hit. While the impact to the New Jersey distribution center was contained, the Business Continuity (BC) and Disaster Recovery (DR) managers were requested to evaluate the company’s business risks related to potential disasters in their various facilities and the level of preparedness to respond to and recover from these disasters. CSC would like your team to prepare a business case for the Chief Risk Office and BC DR executive steering committee to increase investment in Cocoa-Sassafras’s Business Continuity and Disaster Recovery initiatives.
2. Identity and Access Management – Atlantic Paper Products
Atlantic Paper Products has gone through a number of recent changes as an organization. Strategically, the company took a step in the right direction by going public. However, this decision resulted in a number of issues such as higher audit fees, resource constraints, and a lack of control around data, systems, and users. The Chief Financial Officer (CFO) is overwhelmed with these issues and believes that the Chief Information Officer (CIO) needs to improve the situation by devoting more time to supporting Internal Audit. The CIO, on the other hand, has expressed his frustration with the current situation due to the ineffectiveness of the current IT infrastructure. He is having trouble getting the CFO to approve the purchase of new technologies that will improve compliance through automated system controls. The two are struggling to understand one another’s reasoning and perspective. Under tremendous financial pressure to keep costs under control and focus on financial performance, the CFO believes the CIO is just looking for “more toys” and the problem can be solved through better process discipline while the CIO believes the CFO is just “being cheap” and putting the company at risk by refusing to allocate the necessary budget. It is up to the board of directors to make the final decision. Can the CIO get the board of directors to understand the need to invest in new technology or will the board of directors side with the CFO that new technology is not the most effective use of company resources?
3. Incident Response and Cybersecurity – Stop, Shop, and Roll, Inc
Stop, Shop, and Roll, Inc. (SSR) is a new company formed from the merger of three retail giants:
- Stop-n-Save – Originally founded as a “dime store,” Stop-n-Save evolved into a retail powerhouse appealing to a new generation of young buyers. They specialized in clothing, home goods, and a variety of other everyday convenience goods. Their main competitors were Target, Marshalls and TJ Maxx.
- Shopology (aka Shopology.com) – Shopology carried overstock and out of season items purchased from premium retailers at deep discounts and sold those goods online. Prior to the merger, Shopology had no brick-and-mortar presence; they were a “pure play” online retailer. The main competitors of Shopology were: Target.com, Amazon.com, and Overstock.com.
- Roll With It – Roll With It began as a roll-away bed company and quickly expanded into home furnishings and décor. They stocked mid- to high-end furnishings, furniture and home goods. Roll With It competed head-to-head with Ikea, Dania, Ashley, Toms-Price, Macy’s and a few other home and department stores.
In 2014, the three companies came together under a new name – Stop, Shop, and Roll – in order to combine their collective strengths of mass appeal (Stop-n-Save), an online presence (Shopology) and the logistics and supply chain power (Roll With It). The merger garnered a lot of attention and excitement from Wall Street and company shareholders alike. The stock of the newly combined company soared as they launched their media and branding blitz. Expectations were high about the synergies each company would bring to the table, but skeptics doubted management’s ability to deliver on the pre-merger promises. Nevertheless, the newly streamlined management team pressed ahead and committed to a quick and efficient post-merger integration of the over 5,000 combined applications and innumerable processes. Was SSR up to the challenge?
4. IT Controls and Compliance – Happy Life Insurance
Happy Life Insurance is a large, private insurance company based in New York and currently has 34 offices across the country. In the past decade Happy Life has grown exponentially. In the early 2000s Happy Life had two million members. This number now stands at over 40 million members. Happy Life’s growth is primarily driven by deep, trusted relationships with their customers. Happy Life has a reputation for being an organization that truly cares about its members and is present during their time of need primarily driven by its regional offices that ensure a strong connection to the community and resident families.
Happy Life provides members with the option to renew insurance coverage each year. Local representatives have a comprehensive database of their members, and launch campaigns every year so they can have personal conversations with each member prior to renewal. Such personalized service ensures a very low “drop-out” rate among Happy Life members. In fact, recent statistics show Happy Life has the lowest “drop-out” rate of any major health insurance provider.
Happy Life executives feel the company’s tremendous, decade-long growth has reached its peak within the USA and the time is right for international expansion. To encourage an infusion of money to enable this international growth, Happy Life executives have decided to take the company public.
5. IT Governance – Victory Harmonica Corporation
Einstein Harmonicas is a large global manufacturer of harmonicas (sometimes called “harp,” “blues harp,” or “tin sandwich”) based in Stuttgart, Germany. Einstein has a long-standing tradition of quality and is a recognized leader of quality in the harmonica industry. It would like to expand its markets into the United States, so management has approved a strategic plan to create a new US-based company called Victory Harmonica Corporation (or “Victory”). Einstein is treating Victory as a separate entity that will operate independently of the parent for the most part. A decision was made that a new IT department will be formed and run by Victory.
As a team, present the proposed solution to the case. The presentation should lay out clear recommendations for how management should address the problem. This case study is divided into two parts:
- Establishing the IT organization, the IT strategy, IT charter, the roles and responsibilities for the new IT organization, IT operating model, and
- Creating the IT service catalog and capability maturity model, and governing IT entities.
6. IT Risk Management – High Gear Engine Company
High Gear Engine Company (HG) is a global automotive supplier with operations around the world. Founded in 1937, HG specializes in engines for all kinds of automobiles, from high-end sports cars to farming equipment. HG is split into three business units (BU) that operate fairly independently and are marketed under different brand names:
- Velocity Engines – Focuses on high-end sports cars and consumer-grade engines. These products command a premium in the market.
- Long Haul Motors – Produces diesel and large engines for semi-trailer trucks. Long Haul is well known in the market for its durability and is a recognized leader in the trucking industry.
- Bigger Digger Power and Motor – Specializes in mining equipment engines and motors. They supply to the major mining and industrial equipment manufacturers and often “white label” their engines as their customers’ brand.
HG is located in Detroit, Michigan and has over 75 plants, performance labs and manufacturing facilities worldwide. Like most automotive suppliers and original equipment manufacturers (OEM), HG was hit hard by the economic downturn of 2008. Faced with bankruptcy, HG was forced to reduce its employee headcount and close several global locations. However, in the past five years business has turned around and orders have picked up to the point that factories are re-opening and the company is once again profitable, with global revenues totaling just over $9 billion (US). HG is planning for 17% compounded annual revenue growth and has a healthy (and growing) profit margin of 15%. HG is now ready to begin its path to growth, which will require major change in the technology environment. This includes upgrading its technology infrastructure and applications that have been deferred for almost a decade.
7. Segregation of Duties – Sabre, Inc
Sabre Inc.’s CEO, Michael Southard, has called you and your team to help improve the company’s Segregation of Duties (SoDs)-related controls. Recently Sabre acquired a company called Dundie. In a purely business sense this was touted as two industry leaders joining forces. Most industry analysts had positive reviews on the acquisition – which was one of Michael’s biggest triumphs as a CEO. However, right after the acquisition several gaps were found in Dundie’s internal controls environment. Eventually certain pre-acquisition due diligence activities conducted by Dundie had to be escalated to the SEC. It was discovered that illegal payments had been made to secure lucrative contracts in the Middle East and Asia. These payments were possible mainly due to a lack of controls around segregation of sensitive roles and responsibilities. These incidents were in violation of the Foreign Corrupt Practices Act. The incident, as cited by the SEC violation, is:
“Violation of anti-bribery, books and records, and internal controls provisions of the FCPA through illicit payments made to secure and maintain business opportunities worldwide.”
As a result, Dundie (and the newly combined Sabre) faced the threat of severe financial penalties, potential jail time for key executives and a public relations fallout.
Because of these revelations, the SEC and US Department of Justice have opened up multiple investigations on Dundie (and hence Sabre). Michael not only wants to improve the current processes, but also wants to proactively implement controls to prevent similar incidents from occurring in the future.
8. Vendor Risk Management – HealthNext Care System
A series of business incidents, due to internal and external factors, have revealed significant gaps in HealthNext Care System’s Vendor Risk Management (VRM) practices. As a result, Samantha Currie, the VP of the Vendor Management group, has come under scrutiny from senior level executives including the CFO, Legal, Compliance, Enterprise Risk Management and Internal Audit. In a presentation to the senior executives and stakeholders, Currie was given approval to launch a VRM Improvement Program to address the noted gaps and strengthen their capabilities. You have been engaged by Currie to help improve the way HealthNext manages its vendor risks.






