A consistent brewing process helps make Corona one of the best-selling beers worldwide. As the flagship brand for Grupo Modelo, the company’s top-selling US import, and the fourth most popular beer in the world, Corona is exported to more than 180 countries. Its vast distribution is due in no small part to the fact that beer enthusiasts around the globe know exactly what they’ll experience each time they crack open a bottle, popping the cap off that familiar, clear glass longneck. That same familiarity and consistency is found in other popular Modelo brands, including Negra Modelo and Pacifico, which helps explain why Modelo, headquartered in Mexico City, is the largest brewer and distributor in Mexico, with roughly 60% market share in 2011. But consistency is just one small part of Modelo’s overall recipe for success. The business model the company follows includes holding the entire organization to the same lofty standards it demands of its products. So when Modelo decided to undertake an ambitious project to become a process-oriented organization, a key objective was to make sure the business processes and rules were consistent company-wide. Standardizing organizational processes across nearly 100 different business units (including breweries, convenience stores, and distribution centers located mostly in Mexico) would give the brewer far greater insight into its operations. However, the endeavor would certainly bring forth some challenges specifically related to risk management, so the business had to craft a bigger vision for how it would drive governance, risk, and compliance (GRC) consistency throughout the organizational and process changes, as well as moving forward.

Crafting a Vision

From the beginning, Modelo knew that any project this ambitious in scope would entail more than just aligning business processes with enterprise software. While the right solution could serve as a foundation for an organizational overhaul, Modelo wanted a bottom-up approach that involved its employees as a means of inducing cultural and ideological change. “We looked at it as a risk transformation project,” says Director of the Center of Excellence at Grupo Modelo Carlos Sánchez Fanjul. “The goal was to become a process-oriented company with structures to ensure that our information and processes run end to end across the entire company.” Sánchez headed what became known as the META program — an acronym for Modelo Empresarial de Transformación Administrativa (or Enterprise Model for Administrative Transformation) — a selection of projects that led to Modelo’s business transformation. Beginning in 2007, Modelo teamed with Deloitte Mexico to identify each organization’s internal processes, gauge their management and effectiveness against industry leading practices, and determine which were enterprise-wide in scope. At the completion of this initial phase, Modelo identified GRC processes as one of 12 macro-processes within the project scope, as well as having the most value in ensuring its functions were consistently applied throughout the organization. By 2012, the business began undertaking an implementation of SAP solutions for GRC with an initial scope in corporate governance management, risk management, and legislation management.

Ingredients for Change

GRC tools are of course vitally important for any global distributor and importer required to keep abreast of trade regulations and policies in countries around the world, but even more so for Modelo. “For GRC, we wanted to ensure the governance and rules we had to follow were consistent across the organization,” Sánchez says. “We also wanted to make sure the processes that we defined for GRC were applicable for any of our businesses, but also allowed for exceptions for the special characteristics of the individual business units. The controls and compliance we need in breweries, for example, are different than what we need in distribution centers or our convenience store division.”

The Right Mix

With isolating enterprise-wide access controls, process controls, and risk management as the primary focus, Modelo chose to implement SAP solutions for GRC 10.0 to run with its existing SAP ERP system. With the applications in this solution set, the company aimed to achieve several goals:

• Establish access and process controls designed to accommodate adherence to a single corporate governance policy
• Identify and mitigate segregation of duties (SoD) conflicts
• Create a comprehensive risk management approach beyond financial risk
• Map and align controls within a single dashboard
• Develop more efficient process evaluations

Once Modelo identified the toolset that would enable this organizational transformation, it worked on defining architecture as the first step of the implementation process. One of the benefits of implementing standard access controls across the organization using SAP Access Control 10.0, according to Sánchez, is that Modelo Distributors was able to reduce its exposure to potential SoD conflicts. To whittle down the process controls, Modelo created a controls matrix where it evaluated and refined each of the process controls to focus on the key controls and eliminate duplication. With SAP Process Control 10.0, Modelo began a rationalization process and was able to standardize the internal control activities and reduce the assessment time for automatic controls by 90%. Additionally, the controls are now focused on the areas of greatest risk, reducing the overall effort but increasing the impact. “Before, we had an awareness of financial risk, and that was the focus with control processes at the individual businesses,” Sánchez says. “The risk management supported with SAP Risk Management 10.0 has given us a much clearer picture of not just financial risk, but operational, infrastructure, and environmental risk, and anything that would cause an alert. With tightening of controls, everything is now linked together to provide an end-to-end overview of exposure.” As Sánchez explains, prior to Modelo implementing an integrated GRC solution, enterprise risk and compliance process controls and the resulting data were mostly siloed, making it difficult for the organization to use a single and flexible methodology and review information from one source. Once the data was pulled into a central database, the disparate processes that produced it entailed greater refinement and manipulation to generate actionable business intelligence.

A New Taste

Having a single dashboard from which to measure and monitor the organization’s exposure to risk did not come without challenges. As can be expected with any organizational change, including adoption of a holistic approach to risk, change management was a main concern. This was a critical component of Modelo’s overall transformation strategy, as the implementation of SAP solutions for GRC 10.0 was meant as a springboard to a complete shift in culture that values personal accountability. “Asking your people to do things differently and change their mindset is always quite a challenge, especially when you’re dealing with GRC and this abstract concept of risk and controls — it’s difficult to make the end users understand this and buy into it,” Sánchez says. “But fortunately for us, we’d been working with top management and they were very supportive and helpful with getting everyone on board. Having the full support of our CEO Carlos Fernández González was also very important. He has always been a main sponsor of this transformation project.” Modelo completed its process rationalization phase of the project at the end of 2012, by which time it had gone live with the main GRC functionality. The META program, of course, continues with aligning the other macro-processes that Modelo identified as organizational in scope. Likewise, its GRC strategy is also ongoing. “For GRC, it’s important to know that it’s not a finite project where you spend one year and at the end, you have it implemented and are done,” Sánchez says. “The reality is that the GRC project for us was the starting point to give us the fundamentals, the basis of what we think we need to work on for robust internal controls to avoid risk and to ensure the compliance of the company. And we see in our path that it’s the beginning of many things we have to work on.”