Disciplinary review

Top-notch investment review boards enforce IT spending discipline, but they’re hard to find

Congress realized a decade ago that federal agencies were squandering billions of dollars on undisciplined information technology spending. Alarmed, lawmakers passed the Clinger-Cohen Act of 1996, which sought to inject discipline into the acquisition and management of federal IT programs.

The law made newly appointed chief information officers responsible for curbing excessive IT spending. Some organizations, unmoved by the spirit of the act, simply bestowed a longer title and new IT hat on their chief financial officers. The Office of Management and Budget responded by pressuring agencies to create investment review boards to help manage technology spending.

Some people imagined that review boards would be the cure to IT spending woes. The boards would vet proposed acquisitions, eliminate redundant programs, bring projects to completion on time and on budget, integrate agencies’ IT functions and missions, and maximize technology’s bang for the buck.

But that hasn’t happened.

Throughout the federal government, IT investment review boards have had mixed results. At best, getting review boards to function effectively has been an uphill slog. At worst, they have barely moved out of the starting gate. Some agencies have taken steps only lately — if at all — to create review boards with meaningful authority. As a result, IT oversight is considerably less rigorous and efficient than lawmakers intended.

“Without a solid IT review board, the project-selection process becomes a beauty pageant,” said Dean McRobie, a director at Sapient’s government services practice.

Plenty of hurdles to jump
Many factors have thwarted effective IT oversight. On several occasions, the Government Accountability Office has criticized agencies’ IT management and faulted OMB for not adequately monitoring technology programs. In a report issued earlier this year, GAO released results of a five-agency review, concluding that “OMB and agency executives may be depending on unreliable information to make critical decisions on IT projects, thus putting at risk millions of dollars.”

Many of the impediments are cultural. A substantial number of federal workers are products of the predigital era, including senior managers who sit on investment review boards and many of the employees who are subject to their recommendations. In addition, decentralized agencies have struggled to oversee IT investments at disparate bureaus.

IT investment review boards also face challenges because their assigned tasks are complex. Earned value management, an OMB-endorsed method for measuring spending relative to objectives, for example, often isn’t well-understood, and training on its finer points is frequently lacking. “Most project managers don’t have a clue” how it works, said Barbara Scott, a division director at the General Services Administration’s CIO office.

As with any significant new business practice, board oversight of IT management has encountered a bunch of minor problems that, collectively, have slowed progress. Getting the right people on a board, refining investment review criteria and creating the necessary infrastructure can take years. At times, agencies’ overwhelming focus on security has deflected attention away from IT oversight, said a consultant who works with the Homeland Security Department.

With the unenviable task of integrating 22 separate agencies’ IT functions, DHS provides an extreme example of a phenomenon that hinders many IT review boards: Some powerful divisions resist an agency’s dominion over IT spending.

“The intent is to have enterprisewide decision-making, but it doesn’t really happen with agencies that have large semiautonomous organizations,” Scott said, citing the Transportation Department’s Federal Aviation Administration, the Education Department’s Federal Student Aid office, the Treasury Department’s Internal Revenue Service and GSA’s Public Buildings Service, among others. “It’s the tail that wags the dog.”

The news isn’t all bad. Many IT investment boards have raised awareness of IT management, brought new rigor to the selection and review of programs, and made progress toward achieving a more holistic, agencywide approach to IT management. Fewer agencies acquire technology without considering the big picture, observers say.

“People are paying attention to risk,” Scott said. “They’re getting sophisticated about how they are doing enterprise architecture. They don’t buy a cradle-to-grave system anymore but get components of systems. Those are big improvements of the Clinger-Cohen Act.”

The consensus, however, is that agencies must do more.

The Commerce model
The Commerce Department has one of the most advanced IT investment review boards in the federal government. Established in 1997, the board continuously evolves and has made four revisions to its charters and investment criteria in eight years.

The board found that a 10-point scale for evaluating projects was too complex, so officials scrapped it for a five-point scale, which later became a red-yellow-green system, said Lisa Westerback, director of the department’s Office of IT Policy and Planning. The review board has learned to “emphasize different aspects of the criteria for projects at different stages of the IT life cycle.” For new projects, the board scrutinizes the basis for investment. As projects mature, risk management and project management become critical.

The board’s makeup and lines of authority have evolved, too. Initially, the agency’s CIO reported to the CFO. Now the investment board’s co-chairs are the CFO, who also serves as assistant secretary for administration, and the CIO, who reports to Commerce’s secretary.

That equality signals that “the Commerce IT review board is a respected authority that has the clout to influence the direction of IT investments,” Westerback said.

“The secret is getting the mission and IT folks to buy into the power of the IT review boards,” McRobie said.

In addition to the departmentwide review board, each major Commerce component has its own investment review process. IT projects that pass the bureau level move on to the department’s board, which occasionally sends projects back to the lower-level ones for further scrutiny. “That functions reasonably well as a vetting process,” said Stuart Simon, Commerce’s team leader for IT capital planning.

Westerback said the board has “been able to identify some key projects that were off course fairly early in the process and pull them back…before there were significant problems.” As Commerce’s IT investment review process has evolved, the board has broadened its scrutiny to include mature IT programs, which often constitute the bulk of an agency’s technology spending. The board increasingly struggles to keep pace with the swelling portfolio of programs that require oversight.

“We started with 12 major systems. Now we have more than 60,” said Diana Hynek, the team leader for Commerce’s e-government initiative. “We can’t hit every major system every year.” Seeking to lighten the board members’ workload, Commerce does staff reviews of IT projects before board meetings. The board has also added executive sessions to give members an opportunity to freely exchange ideas. An online archive of business cases that the board has reviewed allows members to easily compare versions of business plans that have evolved over time.

Agencies lack commitment
Most agencies’ IT management is not so sophisticated.

The Justice Department’s inspector general reported last fall that efforts under way since 1999 to coordinate IT programs agencywide “have suffered from a lack of institutional commitment and a changing perception of the composition of, and priority for, a department-level enterprise architecture.” Multiple independent initiatives for developing systems at the bureau level added to this confusion, the IG found.

The FBI didn’t establish a CIO position until two years ago, said Andy Woyzbun, lead analyst at Info-Tech Research Group, an IT consulting firm based in Canada. “Given the fact that the [Clinger-Cohen Act] passed in 1996, 2004 seems like pretty slow progress,” he said.

Woyzbun said a pair of factors determine the rate at which organizations achieve adequate IT oversight: interest in what IT does within a department and organizational coherence.

“The more IT is seen to be strategically important to a department, the easier it is for the CIO to get participation” by agency business leaders, Woyzbun said.

Second, “if the department sees itself as a loose confederation of small interest groups, it will be difficult for the CIO to ever get these groups to talk with one another about the allocation of an overall IT budget.”

Because the demand for IT acquisitions almost always outstrips the supply of available funds, the investment boards’ review process becomes a de facto budget process. In theory, proposals that make the best business sense get funds; those that don’t go wanting.

“It is a major cultural change,” said John Thorp, author of “The Information Paradox” and president of the Thorp Network, which seeks to help organizations maximize the benefits of IT investments. “People are used to relationship-based budgeting.”

IT management consultants say success often hinges on an organization’s willingness to embrace change. “Some agencies are working just to get a check in the box, to tell oversight agencies that they are doing the right thing,” said Ben Marglin, an associate at Booz Allen Hamilton. “We like to see an agency turning the corner and doing this not out of compliance but because it is adding value.”

Getting the right people on an investment board is critical, as is the ability of an agency’s leaders to sell the organization on the intrinsic value of an IT review board, said Marglin, who advises agencies to move purposefully toward their goals.

“Don’t try to boil the ocean,” he said. “And don’t make the first set of [investment] criteria incredibly complex.”

Pulley is a freelance writer in Arlington, Va.

How mature are you?
The Government Accountability Office endorses a five-stage benchmark for assessing agencies’ capital planning and investment management practices for information technology projects.

Most agencies are at Stage 1 or 2, with Stage 5 being the most mature, said Andy Woyzbun, lead analyst at Info-Tech Research Group.

Here are the five stages.

Stage 1: Creating investment awareness.
The agency uses ad hoc, unstructured and unpredictable investment processes.

Stage 2: Building an investment foundation.
The agency develops project selection criteria, including benefit-and-risk analyses, and pays attention to organizational priorities.

Stage 3: Developing a complete investment portfolio.
The agency develops a well-defined IT investment portfolio based on sound selection criteria and maintains mature, evolving and integrated selection, control and evaluation processes.

Stage 4: Improving the investment process.
The agency focuses on evaluation techniques to improve IT investment and portfolio(s) and maintains mature selection and control techniques.

Stage 5: Capitalizing on IT for strategic outcomes.
The agency masters the selection, control and evaluation processes and shapes strategic outcomes by benchmarking IT investment processes against best-in-class organizations.

— John Pulley

GAO finds flawed business cases
A Government Accountability Office study released this year showed that five agencies used flawed business cases to justify major information technology investments in the current fiscal year.

For significant budget requests, the Office of Management and Budget requires agencies to submit plans, known as Exhibit 300s, that document controls to ensure effective project management. Those controls typically include cost, schedule and performance benchmarks.

GAO reviewed 29 plans submitted by five major agencies with combined IT spending in excess of $1 billion.

It uncovered three prevalent deficiencies:

  • All the Exhibit 300s suffered from missing or inadequate documentation.
  • Agencies did not consistently demonstrate compliance with required management and reporting processes.
  • Required cost data was derived from accounting systems that lacked adequate controls, rendering the data unreliable. “In the absence of such systems,” GAO auditors wrote, “agencies generally derived cost information from ad hoc processes.”

    — John Pulley

