Small in a big world
Small-agency CIOs struggle to meet big agency governance and reporting requirements, but they have some advantages over the big guys
A tiny federal agency that provides grants to African enterprises and community organizations pays a shared-services provider to manage its financial transactions. The African Development Foundation has so few transactions that it could track them on a spreadsheet. Nevertheless, the micro-agency must comply with the same requirements for using certified financial management systems and internal controls as its super-sized siblings ' the Defense and Homeland Security departments, for example.
The small foundation is among dozens of agencies that operate with staffs and budgets a fraction of those of the largest federal agencies. Think of them as the mom and pop stores of the federal government. Their size makes it difficult for them to meet the voluminous reporting and governance requirements established by Congress and the Office of Management and Budget, but they must play by the big boys' rules.
'When Congress passes legislation, they don't make a distinction between a departmental agency, small agency or micro-agency. It's one size fits all,' said Richard Westfield, chief information officer and chief privacy officer at the National Labor Relations Board. At NLRB and other small agencies, 'people wear more than one hat,' he added.
Westfield is also co-chairman of the Small Agency CIO Council, which represents about 90 small agencies and is part of the larger CIO Council. Thomas Leach, CIO at the Federal Housing Finance Board, is the other chairman.
Just as legislation affects all agencies regardless of size, the same is true when OMB issues a new policy. Small agencies must toe the line. Small-agency CIOs must be able to show OMB that their information technology spending produces the intended results and improves agency performance. They must produce documentation to show that their systems and data are secure, said Andrea Wuebker, an OMB spokeswoman.
Likewise, small-agency chief financial officers must accurately account for their resources and use internal controls to minimize waste and abuse.
Being a small agency is probably neither better nor worse than being one of the big boys, Wuebker said. 'Since small agencies have smaller budgets, they sometimes have less flexibility than larger agencies to reallocate resources to different priorities,' she said. 'On the other hand, small agencies are oftentimes more agile and can more quickly respond to changing circumstances and new requirements.'
Among the biggest information technology reporting challenges for all agencies ' large and small ' is the annual report agencies must produce to document the security of their information systems, a requirement tied to the Federal Information Security Management Act of 2002. Small agencies must produce the same documents that DHS must generate to demonstrate their compliance with FISMA, although small agencies have fewer systems to document.
Small agencies perform the same basic work to certify and accredit their systems, Westfield said. Westfield said he imagines that many large agencies can absorb the costs to hire contractors to do that work. Small agencies don't have that luxury, he said.
NLRB manages to do well in meeting most FISMA reporting requirements and IT governance mandates from OMB, Westfield said. However, complying with one of OMB's newer policies might prove to be a stretch. NLRB, with two full-time IT security employees, can handle OMB's data security requirements such as encrypting laptop PCs. But one that requires agencies to notify DHS' U.S. Computer Emergency Readiness Team within an hour of discovering an incident in which personal data might have been exposed, lost or stolen presents difficult choices. Risk management
To comply with that policy, Westfield said, NLRB would have to establish a call center, which would mean awarding a contract. That would be a costly option, and probably not cost-effective considering the small number of laptops that NLRB owns, he said.
Westfield said he assessed the risk of losing laptops and decided that it was minimal. 'We'll accept the risk that if we lose a laptop...we'll try our best to do the notifications that we need to do, ' Westfield said. But if an incident occurs after 10 p.m., NLRB will have to delay notifying US-CERT until the next morning.
If small agencies find they have to cut themselves some slack in meeting their reporting requirements, OMB and Congress seem willing to do the same. They're busy scrutinizing the activities of large agencies, and that's fortunate, Westfield said. Some micro-agencies are simply unable to meet the growing number of reporting requirements intended to make agencies better managers of IT.
And the primary reason boils down to underfunding of small agencies, which is perhaps more evident in IT governance than in IT reporting, said Mark Forman, a former e-government and IT administrator at OMB. He is now a partner at consulting firm KPMG.
To handle complex administrative functions and mandatory financial reporting requirements, many small agencies rely on shared-services providers, such as the Interior Department's National Business Center, the Agriculture Department's National Finance Center and the General Services Administration. Small agencies are ahead of big agencies in using shared-service providers because they can't afford a big infrastructure, Forman said.
Shared-services providers offer small agencies the benefits of standardization in human resources, payroll and financial management transactions. That's a major theme of OMB's Financial Management Line of Business. OMB wants all agencies to move to public or private shared-services providers when they upgrade or acquire new financial systems.
For small agencies, however, shared-services also have a downside, Westfield said.
Small agencies have experienced continuous fee increases and added costs for system upgrades at the same time more agencies are using shared-services providers, he said.
'Many small agencies are spending a significant portion of their budgets on shared services,' Westfield said. Any increases or added fees cut deep into a micro-agency's budget.
The tiny African Development Foundation said it spends a considerable amount of money on shared services ' more than one-third of the chief financial officer's budget, said Marti Edmondson, the foundation's CFO. The foundation makes payments to African enterprises in local currency and translates those values into equivalent dollars. A third-party payer performs the actual transactions, and the foundation's shared-services provider posts the transactions to the foundation's financial systems. However, the foundation is responsible for fixing any problems that arise during transaction processing and for notifying the shared-services provider, Edmondson said.
'We still do a lot of the work, but we pay a lot of money to the shared-services provider to do the simplest part of the process, which is entering the transactions' into the system, she added.
Edmondson said she expects that increased competition among public and private shared-services providers will translate into lower fees and improved service.Learning to manage
Some observers say small-agency complaints about shared-services providers mask an underlying problem, which is the challenge small agencies face in managing service-level agreements when they outsource their financial management activities.
'Everybody has to work on service-level agreements and tightening the elements of SLAs,' Forman said.
Small agencies do share a common concern about IT governance as OMB presses forward with its Financial Management Line of Business, said Anton Porter, deputy CFO at the Federal Energy Regulatory Commission. Porter is also the small-agency liaison to the CFO Council.
Many small agencies that have already outsourced their financial management operations to public shared-services providers are in a quandary about how they would go about conducting competitions among public and private shared-services providers, Porter said. To prepare for the type of competitions that OMB and the General Services Administration require under the Line of Business rules, an agency would be in the awkward position of having to depend on its current shared-services provider to compile a list of requirements that would satisfy the agency's business needs
'Wouldn't it be a conflict of interest for that same entity that compiled the requirements to turn around and bid for the business?' Porter asked. Officials at OMB and GSA are considering alternatives.
Small agencies need plenty of lead time when OMB introduces new requirements. When OMB directed agencies to test and document their internal controls under Circular 123, it was after agencies had submitted their budgets.
'A large requirement like A-123 has tremendous impact on a small agency,' Porter said.
Fortunately, OMB recognized the challenge A-123 presented for agencies, and it agreed to a schedule that lets agencies complete their assessment of internal controls in three years, he said. Oil tanker vs. the yacht
Despite having some legitimate concerns, small agencies' CIOs and CFOs don't want to be seen as complainers. Westfield said he could enumerate many advantages that small agencies enjoy and big agencies can only envy.
In small agencies, CIOs can roll up their sleeves and be involved in the operations side of the agency, where unexpected and exciting events occur on a daily basis. In large agencies, CIOs primarily develop policy and strategy, Westfield said. However, in small agencies, the daily pace is different. In very small agencies, the CIO manages network operations and ensures that employees can connect to the Internet and that their PCs are working. Westfield said he has the best of both worlds.
'My job is a mix of strategy, then tackling day-to-day management and then policy,' he said.
One of the perennial challenges of big agency CIOs ' helping their staff members accept the change that comes with new technology ' is a much less difficult hurdle for small-agency CIOs. They have personal relationships with many of the employees in their agencies, and CIOs can use those relationships to alleviate people's concerns about change.
'If you're dealing with a lot fewer people, it does make it easier, especially when everyone is under a single roof reporting to a single individual,' Westfield said.
Another advantage of being a small-agency CIO is that can you can usually survive the completion of a complex information systems project, Westfield said. NLRB is nine months into installing a new case management system, a $7 million project that will take two and a half years to complete.
The Federal Trade Commission, too, often finds smallness is a virtue. The FTC recently conducted an education campaign to highlight the responsibilities of employees when accessing sensitive information. The campaign, which featured special events and posters, was easier to conduct in an agency with 1,200 employees that it would have been in a much larger organization, said Marc Groman, FTC's chief privacy officer. 'I probably can name 20 percent of our agency' employees, he said.
In a small agency, the CIO also has better knowledge of the business side of the house, said Carlos Solari, former CIO of the Executive Office of the President. He is now vice president for security solutions at Bell Labs at Alcatel-Lucent.
'It's just the physics of smallness,' Solari said. 'You bring in a dozen people, and you've got a pretty good representation of the organization. You can build consensus.'