Multi-billion dollar UK Transport Company using Harmony for Supplier Management
Client Background & why Harmony was chosen
The client was a multi-billion dollar UK Transport Company, responsible for the delivery & management of London’s transportation infrastructure for cars, buses, cycles and subway/underground. The client selected Harmony to manage the contracts related to 42 providers of IT services. Harmony was chosen over the competition because Harmony was the only product that was able to provide the complete suite of features that the client needed for their project.
Client motivation for implementing Harmony
The client is responsible for managing the 40+ applications that deliver various services to private and commercial users of local transportation systems. The contracts with the third parties that supply the applications had not been managed in an appropriate way and, over time, both new regulatory standards and untenable risks had increased leaving the client exposed to significant security risks and legal liability issues. Harmony is used by the client to:
- Centralise their third party contract management processes
- Ensure compliance by third parties to regulatory controls
- Ensure compliance by third parties to the client’s own internal controls
The modules of Harmony implemented
The scope included:
- Contract KPIs/SLAs
- Auditable checks for internal process compliance
- Centrally manage incidents, changes and issues
Key modules and functionality used:
- Risk Management
- Issue Management
- Actions Management
- Incident Management
- PCI Standard, ISO 27001, own internal controls
- Document Vault
Although Harmony is an agile system and is used in different ways by different clients, in this case Harmony was used for supplier management and compliance. Features not directly related to supplier management and compliance were not required by the client, and therefore were ‘switched off’.
Additional changes to Harmony were made to fit client-specific needs. These were:
- Custom user profiles
- Additional security checks and code reviews
- Amendments to the workflow of the issues module
Integration points
There was no integration into external systems on this project.
Client locations for implementation
Within Harmony, the client manages the compliance of 40+ locations and third parties in the UK and the US. Each location must comply with up to 1100 individual control points (some third parties have fewer requirements than others due to a lower risk rating, or the fact that the application they deliver is not subject to regulatory requirements).
Implementation approach and timelines
Harmony was implemented in 4 weeks. This included deployment, configuration and testing of Harmony in the client’s data centre. The additional changes, which took a total of 18 working days to complete, and 4 days to implement, were done partly in parallel. The whole implementation was completed in 30 working days. The client project team consisted of 7 people.
As Harmony was being implemented by the technical team, our project team worked with the client project team to plan:
- Training of the project team – 7 people (half day course)
- Training of 1 system administrator (full day course)
- Training of the client user community – 112 people (1 hour course – delivered during a series of training days, with helpdesk support for follow-up queries)
In parallel to the technical implementation and the training planning, another team began mapping the client process workflows and intended project activities with Harmony and the features in Harmony which would automate the otherwise manual work of compliance tracking, gap analysis, incident management, risk capture, issue management and the management and tracking of vendor contracts. The additional changes (paragraph 3, above) were a consequence of this mapping of the client internal processes and project requirements.
- Another team worked on a communications plan that was delivered in ‘doses’ as the project proceeded.
- At each stage, all the users affected by the project knew in advance what was happening, why it was important to the firm and what their contribution would be.
Key issues and how they were overcome
All the issues we faced fell into one of two categories:
- Disruption by the third parties who pushed back hard against the overhead imposed by having to become compliant with the client’s controls: The third parties already had existing contracts with the client which, although containing the requirement to be compliant in any way the client insists, had not previously required them to prove they had undertaken this work. As a consequence, they were not happy to take on the extra work (and therefore cost) imposed upon them and, almost without exception, passively resisted (did not respond to requests for meetings, failed to turn up to training sessions, etc). The team implementing Harmony employed an attitude of courteous, but relentless, insistence. Ultimately, the client had to arbitrarily withdraw contracts from 3 third parties for the others to fall into line.
- Uncertainty by the client about the content of their custom controls: the client created several new sets of their own internal controls. These controls cut across application and department boundaries and, as a consequence, agreement of the final set of controls for the implementation delayed the implementation start point by two months. All parties involved suffered additional, unplanned cost as a result. In some cases the application vendor was unable to meet regulatory requirements by the appropriate point in time, exposing the client to further regulatory pressures. Elix-IRR unilaterally worked very closely with some of the vendors who were close to failing and helped them to reach contract compliance within the client’s timeframes, thereby reducing the business risk to the client.
Benefits – financial and non-financial
Financial
- On software licence fees – since this was a hosted solution we were able to save the client immediate OpEx by amortising the licence costs, the support, the maintenance and 100 hours of changes into a single monthly payment over five years
- Unquantifiable cost savings across the business, and between the business and third parties due to simplification of compliance management processes, transparency of status and automation of all project workflows
- Significantly reduced business risk
Non-Financial
- Simple implementation, training and operation
- All appropriate processes automated
Since Harmony is designed to ‘adapt’ to each client’s unique situation, changes were simple, quick and cheap:
- Internal project communications more efficient
- External project communications more efficient
Key performance indicators
- Severity 1 support request – 1 hour response
- Severity 2 support request – 1 day response
- Severity 3 support request – 1 week response
Incident Management (24/365)
- Severity 1 incidents – 1 hour acknowledgement, 24 hour fix
- Severity 2 incidents – 4 hour acknowledgment, 4 day fix
- Severity 3 incidents – 1 day acknowledgment, 2 week fix
- Severity 4 incidents – 1 week acknowledgment, 3 month fix
Security
- Annual penetration tests – performed by a third party IT security firm