CIO Update recently conducted a Q&A with Mark Popolano, senior vice president and global CIO for AIG, and Perry Rotella, AIG's senior vice president and the Global CTO.
Popolano joined AIG in October 1994. Before serving as Global CIO he had a number of leadership roles for AIG, including Divisional CIO for American International Underwriters; and global chief technology officer. At AIG, Popolano pioneered in using the Internet for Sales and Service; Call Center Technology; Data Warehousing, Supply Chain and Vendor Management; and Human Resource Integration. Popolano is responsible for managing AIG's global information technology infrastructure, including the backbone of AIG's extensive Internet and Web-based capabilities and data center infrastructures.
Q: As a global organization, what are some of the issues and challenges you face deploying new technologies and trying to avoid redundancies?
Mark Popolano: When you look at redundancies across the organization, the real priority is to have the appropriate processes for change across the company and that's specifically for change control. Perry [Rotella] and his organization have done an outstanding job setting up standards and guidelines that all communities in our organization follow and we have processes in place like building permits, as we call them, that ensure that people going to do any type of development must go through that building permit process first, so they meet the standards that have been applied across the company. We have a project management office that allows us to look at all projects across the globe in a division that has to do with application or infrastructural changes. Because of that we're able to view not only the business requirements, we're able to review what they're going to deliver and what the delivery costs are. Perry's team and my team determine the risks as well as on the technology side IT technology that is bleeding edge or leading edge and we make this determination before we allow an organization to move forward.
Perry Rotella: IT at AIG is very decentralized but delivery organizations are aligned within the profit centers. So what Mark and I have done at the corporate level in order to avoid duplication of effort is, we've set up some processes for structure. I have a board of CTOs I meet with biweekly to review technology initiatives across various divisions; and we've created also an extended team of technology leaders around the company; and my group, the CTO team, meets on a monthly basis so we can review technology initiatives and can coordinate. The biggest thing I've done is coordinate emerging technologies, pilot projects, implementations of new technologies. So if the business group in Hong Kong has a need for a new technology they coordinate through my group to make sure it hasn't been done already. So we coordinate through the extended CTO organization, which branches out to the various divisions but links back to my org.
MP: The way the model works, you have CIOs who matrix to me and CTOs who matrix to Perry. So CTOs keep the CIOs honest on the technology side. The difference is the CIO is the pilot and the CTO is the navigator. That's how we do it and it works extremely well.
Q: Similarly, what are some of the best practices you have implemented across your IT organization?
MP: On the operational side there are Six Sigma (the de facto standard of best practices with a basic framework that will govern IT implementation) best practices. On top of that, for our application design and development, we use CMM (Capacity Maturity Model) and many of our organizations are CMM 3 and development centers are CMM 5 and CMM 5 Plus. Also, we have established our unique processes around design and risk and technical assessments unique to AIG.
PR: We've established our own best practices around technical assessment so in looking at new technologies and new vendor products we have a rigorous process we follow and expect the divisions to follow as they assess new technologies. We have the building permit process -- it begins with the business case process so as the IT organization is developing a business case, they will engage my organization on a limited consulting basis to look at the technology solution that's being proposed in the business case. Essentially, what we're doing is look at the technology we would use to satisfy the business opportunity or problem, then that process continues from the business case approval and we will look at the business case and apply certain conditions.
A condition might be that we do a proof of concept for a new technology or an early performance benchmark on a technology or a division uses a certain piece of software that another group has used to leverage across the company, and what we'll do at that point where the design has been laid out is a sit down peer-to-peer review with the project team and do risk assessment and come out of that review meeting with a building permit piece of paper I have signed with recommendations for the project team to mitigate risk.
MP: If they don't agree to the conditions [the project] can be rejected. That's where the CTOs keep us honest. There are times when a business condition will require an override and the CIO has to sign the risk assessment and send it to me indicating he's willing to take the risk.
The building permit concept has been in place six years. It started when I was CTO, but Perry has perfected it.
Q: Since AIG is in 130 countries, how is IT structured from a management standpoint? Do you have functional CIOs that report to you?
MP: If you look at what goes on here, we're broken into subdivisions -- life, financial services, data center, retirement, and under each of those silos we have a CIO and CTO that reports to the business units and to me. The CTOs report to the CIOs and to Perry. If you look at senior group CIOs, you're talking about a dozen domestic and international. It's the same for CTOs.
PR: The thing to understand is the group CIOs may be responsible for multiple companies. So a company may have a CIO that may report up to the [division]. So financial services may have several CIOs that report to a main group CIO.
Another example, with CTOs, is they report to their CIO as well as to me. I give the CTOs specific objectives that are accountable to me. So at the beginning of the year I lay out certain objectives and then review them. So it's not a dotted line let-me-know-what-you're-doing. It's a solid relationship, focused on the objectives I give them. We take those objectives seriously, and then there's buy in from all the group CIOs.
Q: What significant IT projects are on your plate right now?
PR: There are a few major initiatives going on. We're building an infrastructure environment to support utility computing, and we're looking at virtualization on our servers and storage, looking at grid computing as part of that environment and we're currently designing and looking to roll out an enterprise directory as part of our DNS consolidation. What we're in middle of implementing is a lockdown of desktops to more efficiently manage our desktop resources. In terms of lockdown, we're limiting what a user can install or configure on their desktops so we can coordinate desktop upgrades and patch upgrades more centrally. It's more of a standardization from a software and application perspective, so upgrades can be done on a more consolidated basis.
Another major initiative that has been driven by our chairman with IT implications: we've established an Office of the Customer. Its mission is to enable us to leverage our customer basis for cross-sell initiatives -- basically to manage our customer base as an asset. We're doing quite a lot around standardizing; how we interact with customers and how we protect customer data and how we can leverage administrative systems to market and cross sell to our existing customers.