Congress is nearing a pivotal mid-term election. An already partisan political process is getting cranked up even more, and numerous battle lines have been drawn. In this environment, the Bush administration published its lists of riskiest information technology investments and projects. I suspect it would have preferred not to do so — the lists were produced as an internal management tool, and there has to be concern they may be used externally for other than their original purposes. Lawmakers, on the other hand, believe that the value of making the implementation status of IT projects visible to the public outweighs those concerns.
With these forces at work, now’s the time to examine the planning, execution and oversight of IT investments within government. With the recent release of the Management Watch List and High-Risk List, the Office of Management and Budget has outlined the government’s IT planning weaknesses and significant risks.
The watch list identifies IT projects for which agencies’ business cases include one or more planning weaknesses. OMB targets projects on this list for follow-up action to strengthen management and produce desired results.
OMB uses the High-Risk List to ensure agencies and programs are meeting intended goals and producing results. Projects on this list are not necessarily at risk, but require special attention from the agencies’ top managers. Although programs on this list may be performing well, OMB deems them risky because of factors such as high cost and mission criticality.
The current Management Watch List includes 86 investments from six agencies totaling $4.5 billion for fiscal 2007. On this list, the Homeland Security Department reported 50 investments, and the Veterans Affairs Department reported 17 investments. The High-Risk List contains 216 projects from 26 agencies, but it does not provide the budget impact of the projects.
On the whole, it’s good government to spotlight problem systems in such a fashion. What’s troubling is what’s not on the list. Why is there no budget request or projected cost data for the systems on the High-Risk List? It seems to me that having a perspective on the relative importance of cost would help determine where to apply management attention.
It’s troubling that some agencies and systems did not warrant spots on the Management Watch List. There are more than 100 agencies that collectively spend $70 billion a year on IT, yet only six agencies made the cut. How can there be not a single Defense Department IT program that meets the criteria?
It’s fair to say that most observers would give OMB credit for pushing agencies toward improved IT management. Capital planning and investment control and enterprise architectures are examples of major improvements (see box below). That being the case, why do IT projects routinely fail, and why do those who oversee IT investments — such as lawmakers and inspectors general — voice serious concerns about the state of systems management? I believe it’s because OMB’s efforts have been necessary but not sufficient.
Let’s assume a simple IT project life cycle of planning, implementation and operation. OMB emphasizes the planning phase; IT investment plans today are more robust than in the past, and IT investment decisions are based on improved justifications. But there is much less emphasis on implementation — the building and fielding of IT. That’s mostly a logical result of OMB’s focus on budget and policy. It’s inadequate in the complex organizational, legal and regulatory environment that agencies must operate in. Agencies need management techniques and processes that let them move from investment plans and architectures to specific business processes, requirements and design attributes for developing software and building infrastructures. This is not a technology hurdle; it’s an issue of management, leadership and organizational will.
Most failures today involve attempts to implement new IT. This results from another concern, on the flip side of implementation: a lack of proven capability to run systems that deliver the benefits promised in business cases. Although it is probably putting the cart before the horse to mention this concern, agency leaders need to understand that managing the delivery of benefits cannot be an afterthought.
OMB has been successful in improving IT management practices and pushing adoption of useful tools. The best example is enterprise architecture. Before the OMB effort to create the Federal Enterprise Architecture and the requirement that agencies create complementary architectures, EA was disconnected from the agencies’ business and important only to the most technical of IT staff. To its credit, OMB leadership succeeded in making a compelling case for EA, communicating its purpose and benefits, and getting agencies to rapidly mature their use of it as a discipline. Agencies really are using EA to make IT investment decisions; OMB is using it to further consolidate common systems and services, and potentially reaping significant savings.
To address implementation problems, OMB now must focus attention on best-practice techniques for that part of the lifecycle equation. Smart implementation practices do exist. As it did to achieve its EA success, OMB must create a framework for project implementation and then communicate with and educate agencies on the topic. It should also use its management scorecard to spur action. OMB has a proven formula — now is the time to use it.