Bringing Decentralized IT Together at AIG
CIO Update recently conducted a Q&A with Mark Popolano, senior vice president and global CIO for AIG, and Perry Rotella, AIG's senior vice president and the Global CTO.
Popolano joined AIG in October 1994. Before serving as Global CIO he had a number of leadership roles for AIG, including Divisional CIO for American International Underwriters; and global chief technology officer. At AIG, Popolano pioneered in using the Internet for Sales and Service; Call Center Technology; Data Warehousing, Supply Chain and Vendor Management; and Human Resource Integration. Popolano is responsible for managing AIG's global information technology infrastructure, including the backbone of AIG's extensive Internet and Web-based capabilities and data center infrastructures.
Rotella joined AIG in 1999. He is responsible for setting global technology direction, aligning the implementation of advanced technologies to AIG business plans, and underwriting technology risk. For the past several years, Rotella has engineered an expansion of AIG's technology community and focused the organization on common systems and standardized infrastructure.
Q: As a global organization, what are some of the issues and challenges you face deploying new technologies and trying to avoid redundancies?
Mark Popolano: When you look at redundancies across the organization, the real priority is to have the appropriate processes for change across the company and that's specifically for change control. Perry [Rotella] and his organization have done an outstanding job setting up standards and guidelines that all communities in our organization follow and we have processes in place like building permits, as we call them, that ensure that people going to do any type of development must go through that building permit process first, so they meet the standards that have been applied across the company. We have a project management office that allows us to look at all projects across the globe in a division that has to do with application or infrastructural changes. Because of that we're able to view not only the business requirements, we're able to review what they're going to deliver and what the delivery costs are. Perry's team and my team determine the risks as well as on the technology side IT technology that is bleeding edge or leading edge and we make this determination before we allow an organization to move forward.
Perry Rotella: IT at AIG is very decentralized but delivery organizations are aligned within the profit centers. So what Mark and I have done at the corporate level in order to avoid duplication of effort is, we've set up some processes for structure. I have a board of CTOs I meet with biweekly to review technology initiatives across various divisions; and we've created also an extended team of technology leaders around the company; and my group, the CTO team, meets on a monthly basis so we can review technology initiatives and can coordinate. The biggest thing I've done is coordinate emerging technologies, pilot projects, implementations of new technologies. So if the business group in Hong Kong has a need for a new technology they coordinate through my group to make sure it hasn't been done already. So we coordinate through the extended CTO organization, which branches out to the various divisions but links back to my org.
MP: The way the model works, you have CIOs who matrix to me and CTOs who matrix to Perry. So CTOs keep the CIOs honest on the technology side. The difference is the CIO is the pilot and the CTO is the navigator. That's how we do it and it works extremely well.
Q: Similarly, what are some of the best practices you have implemented across your IT organization?
MP: On the operational side there are Six Sigma (the de facto standard of best practices with a basic framework that will govern IT implementation) best practices. On top of that, for our application design and development, we use CMM (Capacity Maturity Model) and many of our organizations are CMM 3 and development centers are CMM 5 and CMM 5 Plus. Also, we have established our unique processes around design and risk and technical assessments unique to AIG.
PR: We've established our own best practices around technical assessment so in looking at new technologies and new vendor products we have a rigorous process we follow and expect the divisions to follow as they assess new technologies. We have the building permit process -- it begins with the business case process so as the IT organization is developing a business case, they will engage my organization on a limited consulting basis to look at the technology solution that's being proposed in the business case. Essentially, what we're doing is look at the technology we would use to satisfy the business opportunity or problem, then that process continues from the business case approval and we will look at the business case and apply certain conditions.
A condition might be that we do a proof of concept for a new technology or an early performance benchmark on a technology or a division uses a certain piece of software that another group has used to leverage across the company, and what we'll do at that point where the design has been laid out is a sit down peer-to-peer review with the project team and do risk assessment and come out of that review meeting with a building permit piece of paper I have signed with recommendations for the project team to mitigate risk.
MP: If they don't agree to the conditions [the project] can be rejected. That's where the CTOs keep us honest. There are times when a business condition will require an override and the CIO has to sign the risk assessment and send it to me indicating he's willing to take the risk.
The building permit concept has been in place six years. It started when I was CTO, but Perry has perfected it.
Q: Since AIG is in 130 countries, how is IT structured from a management standpoint? Do you have functional CIOs that report to you?
MP: If you look at what goes on here, we're broken into subdivisions -- life, financial services, data center, retirement, and under each of those silos we have a CIO and CTO that reports to the business units and to me. The CTOs report to the CIOs and to Perry. If you look at senior group CIOs, you're talking about a dozen domestic and international. It's the same for CTOs.
PR: The thing to understand is the group CIOs may be responsible for multiple companies. So a company may have a CIO that may report up to the [division]. So financial services may have several CIOs that report to a main group CIO.
Another example, with CTOs, is they report to their CIO as well as to me. I give the CTOs specific objectives that are accountable to me. So at the beginning of the year I lay out certain objectives and then review them. So it's not a dotted line let-me-know-what-you're-doing. It's a solid relationship, focused on the objectives I give them. We take those objectives seriously, and then there's buy in from all the group CIOs.
Q: What significant IT projects are on your plate right now?
PR: There are a few major initiatives going on. We're building an infrastructure environment to support utility computing, and we're looking at virtualization on our servers and storage, looking at grid computing as part of that environment and we're currently designing and looking to roll out an enterprise directory as part of our DNS consolidation. What we're in middle of implementing is a lockdown of desktops to more efficiently manage our desktop resources. In terms of lockdown, we're limiting what a user can install or configure on their desktops so we can coordinate desktop upgrades and patch upgrades more centrally. It's more of a standardization from a software and application perspective, so upgrades can be done on a more consolidated basis.
Another major initiative that has been driven by our chairman with IT implications: we've established an Office of the Customer. Its mission is to enable us to leverage our customer basis for cross-sell initiatives -- basically to manage our customer base as an asset. We're doing quite a lot around standardizing; how we interact with customers and how we protect customer data and how we can leverage administrative systems to market and cross sell to our existing customers.
Q: What is your view on the implementation of new technologies and bleeding edge versus a more conservative approach?
MP: One of the policies we try to follow is we will look to do leading technologies but not necessarily bleeding edge. We look for the first patch release before we do an implementation because we have to guarantee implementation on the infrastructure. When you look at the business by business groupings, we'll look at different risk factors to stay competitive within the marketplace. Certain businesses have a higher tolerance for risk. On average we will use leading edge and not use bleeding edge. We will test bleeding edge in our environment and do an 18-month analysis in our labs and not let it out. We're firm believers in following engineering principles: testing, proving it, quality assuring it and then letting it out to the mainstream. We've done that with architectural patterns, Web services, WIFI (mobile or wireless computing).
PR: There are about 30 to 40 emerging technologies we're following and we have a grid that maps them to the business applicability and that will drive us into the lab to prove them out to prepare them for readiness for leading edge for the business value but not bleeding edge.
MP: I meet with the presidents of each company and we look at their major hot buttons. Perry's organization works with the CTO and we lay out the strategies for each technology so it allows the companies to spend money very focused. So we track a lot of different horizons.
PR: A good example there in terms of readiness is not just that that technology is ready to be implemented in a business solution, we have to be able to support it in our infrastructure with our system administrative staff.
MP: And we look at cost implementation as well. Is it affordable?
Q: What steps have you implemented in your organization to ensure good relationships with your vendors?
PR: We've implemented a strategic framework to manage our top vendors. So we went through and basically the top dozen we work with, we've laid out this strategic framework we use to understand the product roadmap with the vendors and set up meetings and briefings for the technology staff, myself and Mark and get [the vendors'] technology into our lap so we have a full complement of their technology. Basically through the sessions we address any issues we have and what we can do. What we do with roadmaps is fit them into our own architectural frameworks. We don't use all technology from a particular vendor but with our more strategic [ones] we see where their products and their roadmaps fit in to our own plans as we move forward. We've done that with our major vendors to ensure pretty good relationships.
MP: I sit down with their senior leadership and identify what their roadmaps are and who is their competition so we can lay out the right strategies and apply the technologies appropriately. So we determine if it's a good strategy -- long term or the flavor of the month. So we work closely with preferred vendors.
Q: Is more money being spent on network security this year?
MP: In general, security is always a priority. Security is a risk assessment. AIG sells many products that revolve around security due to our analysis and we do focus on security quite heavily. We also focus on wireless communication, mobile workforce, as well as infrastructure upgrades. When you look at wireless you have to have the right infrastructure to support it. IT telephony is also key, as well as a concentration on CRM and call center technology to focus on our customer base and being able to support their needs.
Q: Which of your skills has served you best in managing IT?
PR: I think creativity is one that clearly has helped me. The issues and challenges we face at AIG are unique. There are not a lot of firms that have the size, scale and global reach AIG has so some of the challenges we face day to day are brand new. We're pushing out new ground so we constantly have to come up with creative solutions to manage it.
MP: We're in the process of reinventing organizational management and understanding how to optimize the workforce is a key attribute of this group. We have a lot of personalities. We're very good at listening and communicating. One of the strengths that has been to my advantage has been to build a workforce and develop organizations.
Q: What advice would you give someone looking to advance his or her career the same way you have?
MP: There are two challenges you're always going to have if you want to advance yourself. You have to be willing to understand you don't always have the answers and that you're able to find them. And you have to know when to capitalize on the ideas. I think if you're going to advance yourself in any career you have to be a very, very good listener and you have to have a clear vision statement of where you want to be and manage by objectives and follow that course and be willing to modify it depending on the situation in front of you. So you have to be flexible.
PR: You have to be flexible and be able to listen to people and be able to take a stand and gather the facts and find the answers and make a decision, which is really a key thing people have to do. You can't be afraid and always do the safe thing. You won't always have all the information. You have to learn when you have enough information and make a call.
Q: What keeps you awake at night?
MP: Ensuring I'm providing the value that this company needs. We are part of the business value chain and what keeps me up at night is coming up with new creative methods to ensure we are providing the value the business seeks.
PR: For me, it's coming up with the next set of technologies that we'll be able to implement in our infrastructure that will carry us forward. You don't know today what tomorrow will bring and what technology challenges you'll have, so I'm living in a world of a lot of ambiguity, so continuing to sort through that ambiguity and come up with what's next for AIG's infrastructure. That's what I constantly think about.
If you know of a CIO or CTO who would like to be profiled, please contact Esther Shein at email@example.com.