Lauren Berrington, Bidvest's chief audit executive, and her team brought an audit bot to life.
At future board meetings at Bidvest, there may be an extra presence at the boardroom table in the form of ALICE, who’ll be there to answer questions about the group’s IT risk. But ALICE isn’t Bidvest’s latest executive hire; rather, she’s a bot who has been created by Bidvest’s internal audit team to carry out IT audits across the group’s 229 IT environments.
ALICE is the brainchild of Lauren Berrington, Bidvest’s chief audit executive, who was brought across from PwC in 2012 to head up the group’s internal audit function. One of her mandates when joining Bidvest was to introduce an IT audit capability. She and her small IT audit team spent the better part of two and a half years auditing the IT environments at Bidvest.
Among the challenges that Lauren and her team faced was that the Bidvest group has 130,000 employees, 350 legal entities and around 150 operating entities, all with separate IT environments.
Lauren says:
“There is no shared infrastructure and no common domains. Every environment differs in size, in security posture, in complexity and in maturity. Bidvest is a completely decentralised group. Every autonomous company runs itself and IT follows suit.”
IT through a management lens
What this meant for the small IT audit team was that they had multiple “clients” operating across 29 sub-industries in over 900 sites, with 260 key financial systems and a multitude of other systems. IT is also outsourced, co-sourced or part of strategic partnerships, in spaces that range from a fully regulated banking environment to the relatively simplistic systems supporting a toothpick manufacturer.
“As a result, there are complex aggregation and consolidation structures, and with everything being so different, it was difficult to get a group view. We also had multiple audiences, so we had to rehash the same information to accommodate the different views required for the audit committee, for the board, for IT operations management, for external auditors and for ourselves. We were able to provide the various stakeholders with a robust view of IT environments across the group at the end of two and a half years, but the problem was that this view was two and a half years old in very evolving and dynamic IT environments,” says Lauren.
In 2013, she was asked to chair the group’s IT Forum, made up of the most influential CIOs in the group, who are tasked with leveraging the power of the group and unpacking smarter and more efficient ways of doing things. This was important to Lauren because it was the first time that she saw IT governance through a management lens. She says this lens provided her with deep insight into the effort and pain points of governing an IT environment, and these insights informed a large part of the spec of ALICE. In 2016, she got the go-ahead to build a bot.
All about ALICE
“ALICE was built to de-risk Bidvest with the intent of commercialising her in the long run. Her IP is held in Bidvest Advisory Services. We launched her internally in beta phase in 2017,” says Lauren.
ALICE’s job description is to facilitate the collection, storage, orchestration, analysis and reporting of IT environmental data against best practice standards. Says Lauren:
“Essentially, she’s an IT governance tool, and her purpose is to equip those charged with governance with visibility into the risks in the IT environment. She has an unintended consequence that she also serves as a management monitoring tool, but that’s not the purpose she was designed for.”
Bidvest is exceptionally well governed, but not conventionally. “We don’t believe in hierarchies, red tape and tickboxes just for the sake of it. Management plays a pivotal role in governance and the value proposition of ALICE had to be very clear in order to be embraced by management.”
It is taking petabytes of training data to make ALICE intelligent, and that’s the journey that Lauren and her team are currently on. “She has an interactive, intuitive dashboard that allows management to interrogate their results in real time, allowing them to mitigate and manage IT risks better.”
ALICE is based in the cloud, which makes her scalable and gives her global reach. “She’s multi-tenanted and accommodates complex aggregation and consolidation structures,” says Lauren.
Her current skill set includes technical security, business resilience, user administration, cloud security and SQL hardening. There is a roadmap to increase her current capabilities. She currently audits 159 IT environments across the group on a daily basis, and has digitalised an IT audit workforce.
Lauren says that there is no better testing ground than the hugely diversified IT environments across Bidvest. “The group has battle hardened her. We are embracing all feedback and fixing all issues identified. She’ll be a better product before we get to market.”
ALICE has been recognised for what she has achieved and for the massive potential she holds. Once beta testing has been completed, she will be commercialised. This is envisaged for early 2019.
Lauren says:
“Without my team, there would be no ALICE. And the team is really where the story of ALICE began. They are (and have always been) high-performing and hugely talented. My desire was to give them an opportunity to unlock their value and showcase their talent – conceiving ALICE allowed this desire to materialise. Equipping my team to be relevant and building successful careers for them in a disrupted future is important to me. My team has made this pioneering journey worthwhile.”