After more than 160 years in business, the American Outdoor Brands Corporation (AOBC) — best recognized for its Smith & Wesson brand— seven years ago embarked on a journey to improve business processes and internal controls.
Beginning in 2010, Smith & Wesson (as it was then known) began to see a surge in sales that provided an opportunity to invest heavily in new IT systems and infrastructure — upgrading from a nearly 20-year-old legacy ERP system which was no longer meeting the needs of a lean, growing organization that wanted more availability, transparency, and control
“Our legacy ERP didn’t work well for our future growth where our new strategy was to expand and grow,” says Joshua Lowy, Vice President of Internal Audit at American Outdoor Brands Corporation. “We wanted to change our culture and we wanted to improve controls, so the decision was made to find a modern and rigorous ERP package.”
Ultimately, AOBC chose SAP ERP as the new system that would become the foundation for its business transformation. The initial implementation project was called “Project Genesis” because it marked a new beginning for the company.
Key Success Factors for Project Genesis
To assist with the project, which kicked off in 2012, AOBC partnered with a large consulting group and followed a rapid deployment model — implementing a pre-designed version of SAP ERP designed for the manufacturing industry. At the time, many at AOBC felt the company’s processes and business were very unique and would require a customized ERP solution, according to Lowy. But in actuality, the business model was rather simple and could fit into a pre-designed system with only a moderate amount of customization.
A key success factor for the project was AOBC’s decision to staff the project team with no resource gaps, having employees dedicate themselves fully to the implementation instead of asking them to work on the project in addition to their day jobs. “While you can save money by using the same resources split between the project and primary duties, it rarely works,” Lowy says. “The project leaders identified a number of people who were subject matter experts on the business side to come over onto the project team full-time. They didn’t have to do their old jobs half the time while supporting the implementation. Then we staffed up and brought consultants into the business side to backfill.”
Another big success factor was that the team members were all based in the same location. “It’s easy to address problems when everything’s happening in one site,” says Lowy. “A large conference room was reconfigured into a central space that everyone on the project team was relocated to. Creating that culture definitely helped to focus everybody’s energy.”
Project management was an important aspect of the implementation. For this piece, AOBC supplemented its project management with a third-party firm with a proprietary project management tool to create a massive project plan with hundreds of tasks and the parties responsible for completing them. On a weekly basis, task owners had to report their progress on a given task. There were daily and weekly meetings to review the project plan so the team could see potential hurdles and problems before they happened. This allowed the project leaders to proactively predict the go-live date based on current progress. As the implementation went along, the project leaders could monitor — in real time — how the project was going and when they needed to ramp-up or amend activities in order to meet deadlines.
A significant area of focus for the SAP implementation — and another success area — was improved access controls, according to Lowy. “With a new system comes the opportunity to start clean with user access,” he says. “A key risk to mitigate is preventing what auditors call ‘segregation of duties (SoD) conflicts,’ which are toxic combinations of access amongst job functions. For example, the same employee should not be able to process an invoice and approve vendor payments or a buyer should not be able to receive product; these roles should be separated to avoid conflicts, and these SoD conflicts can be a major area of concern for auditors.”
To ensure that users only received access they needed to properly do their jobs, project tasks were identified to map job functions to SAP roles, and a third-party advisory firm was brought in to review access. Using a proprietary software, the hired firm was able to search all the various combinations of t-codes (transaction codes used for access) to identify potential high-risk combinations. As a result, AOBC was able to amend access to ensure that the user roles did not have SOD conflicts and thus reduced risk at go-live.
Very quickly after the SAP implementation, AOBC realized that it needed to have its own way to proactively monitor access and purchased SAP Access Control 10.0. While the application was initially acquired by the Internal Audit department to help support Sarbanes-Oxley compliance testing, it quickly became a key piece of software for the security team. “With SAP Access Control, our security team can now proactively check for conflicting SODs before access is granted, which goes a long way to reduce access risks,” Lowy says.
We wanted to change our culture and we wanted to improve controls, so the decision was made to find a modern and rigorous ERP package.
— Joshua Lowy, Vice President of Internal Audit, American Outdoor Brands Corporation
The Importance of Hypercare
The goal in any implementation is to try to go live without any problems or business disruptions; however, this is not always the case and is where many implementations sometimes fall short. “As an auditor, I wanted everything vetted and tested and all issues fixed before we went live — and what I learned very quickly is that’s just not realistic,” Lowy says. “At some point, you have to flip the switch because you can never be 100% confident that there won’t be any issues.”
To prepare itself for potential post-go-live issues, AOBC entered a period of known as hypercare, which offered users 24/7 attention by the project team members, consultants, and anyone else who was able to help either train users or address any functional issues or hiccups that occurred. “While it is the right decision for the company, hypercare can be a very uncomfortable place for an auditor — as many people have access at once, and system changes are sometimes necessary in real time with minimal formal approvals,” says Lowy.
The first week of hypercare resulted in a lot of mechanical questions, such as how to log in to the system or print labels and reduce order processing and shipping time. To address the bulk of these queries, project members were stationed in key areas, such as in the factory, walking around with T-shirts advertising themselves as people who could help address users with mechanical, transactional, or processing issues. A telephone hotline was also set up to address potential issues in a timely fashion.
Within three months, the team had stabilized the critical issues, achieved a steady state, and had met its revenue goals for the period. A big reason for this success, according to Lowy, was having easy access to upper-level management during the hypercare period. “We continued to have daily and weekly meetings with executives, who were intimately involved after we went live and were available to make key decisions, sometimes within the moment,” he says. “I remember a couple of meetings during hypercare where an issue occurred at 8am, a meeting was convened with leadership by 10am, and by noon, we had a decision.”
In the end, every implementation can seem like a leap of faith, however, ensuring that key risks such as project management and access control are properly mitigated, improves the chances for success. Lowy says, “The biggest lesson for me during the initial implementation was learning to get comfortable with being uncomfortable.”