Does the Government Take Risk Mitigation to Extremes?
"Embrace risk."
More than a few speakers uttered the phrase during GITEC Summit 2013. It was, after all, the theme of the federal technology leadership powwow in Baltimore: “Embracing Risk to Deliver Business Value.”
But, asked keynoter Mark Schwartz, has the government overindulged its obsession with risk to the point that it’s now driving up costs for technology programs without reason?
Schwartz, CIO for the Homeland Security Department’s U.S. Citizenship Immigration Services (USCIS), certainly thinks so. “The government spends ineffectively on costly ways to mitigate risk,” he says, acknowledging that this is a provocative statement given that most of these efforts seek to assure the security of federal IT assets.
Yet, Schwartz says, at a time when agencies are faced with having to do more with less, this is an area where CIO departments can recoup dollars to be pumped back into their organizations.
Rewarding Risk, Too
He’s quick to point out that he’s not advocating that agencies forgo risk management entirely, simply that current approaches are so extreme that they create unnecessary cost and inefficiencies — chiefly through endless upfront efforts to perfect requirements and to define scope for projects.
One reason this has happened in government is that over time high risk has become synonymous with failure, says Mark Day, director of strategic programs for the General Services Administration’s Federal Acquisition Service. It’s critical to do away with that notion.
“We’re all about avoiding risk, but that’s the wrong conversation,” instead IT teams need to figure out how to reap the rewards of risk-taking while mitigating the appropriate challenges and costs, Day says.
“We overprescribe or we misprescribe what we need because we don't really understand” fully how a specific technology’s capabilities can best meet the government’s needs, Day says. A chief problem continues to be communication — or rather a lack of it — between IT, procurement, finance and business units within government and then between government and technology vendors externally, he says.
“It’s a mismatch of requirements and capabilities — a mismatch of intended outcomes,” Day says. “In government, we still are bad at having a conversation with industry before we develop our requirements.”
Don’t Go Chasing Waterfalls
So what’s an agency to do? It could take the route being forged right now by the Defense Department/Veterans Affairs Department Interagency Program Office. This hybrid DOD–VA group is managing the development and creation of an electronic health record architecture to support both departments.
Given the broad user base, the budget and time constraints, “this is a high-risk environment — but it doesn’t mean we’re in trouble,” says Dr. Barclay Butler, director of the intra-agency office. “We’ve deliberately chosen a path to achieve the goal at a risk and cost set by the secretaries.”
Like Schwartz, Butler has his teams using Agile development processes: breaking up requirements into small batches that are then developed and launched in series, with corrections made iteratively not all at the end.
“We can’t wait for all the ambiguities to be clear” because the EHR program would never get done, Butler says. And taking the sweeping waterfall approach was never an option, he says. Waterfall initiatives have a 35 percent to 45 percent chance of success, he notes, and “I’m not willing to accept that level of success.”
Instead, “we’re using Agile to make progress in small phases so we can have a success rate closer to 65 percent. We know we’re going to make mistakes now and then, and it’s OK.”
The traditional big-system development and procurement approach results in systems that do far more than agencies need and at a far higher price than they need to pay, Schwartz says. He points to studies that suggest that two-thirds of features in most IT systems are rarely or never used. While he cautions that he’s suspicious of the exact figure, he does think the government’s process encourages comparable waste.
Budgets are not likely to get beefier any time soon, Schwartz notes. “We need to create more value with less, and I think that is very easy for us to do,” he says. “We have to get rid of the things were doing that aren’t delivering value.” In his book, eradicating inappropriate risk postures is high on that list.