As you can see, they reviewed 95 investments. Of those 95, CIO ratings were 61 green, 22 yellow and 12 red. When GAO reviewed the ratings only 15 of those investments really deserved to be green, 44 should have been yellow, and 36 should have been red. That is quite a difference.
So I suspect that the problem that Frank Baitman was dealing with at HHS is not an isolated issue. This report clearly demonstrates that there is a lack of transparency and accountability in the assignment of risk to investments. Additionally, this report clearly indicates that when there is a mistake in assigning the risk, we generally score investments to be less risky than more risky.As you can see, they reviewed 95 investments. Of those 95, CIO ratings were 61 green, 22 yellow, and 12 red. When GAO reviewed the ratings only 15 of those investments really deserved to be green, 44 should have been yellow, and 36 should have been red. That is quite a difference.
As a sector we have to do a better job with assessing risk. Right now we are terrible at it. It won’t matter how good we get at implementing corrections, or at saving projects that are in trouble because we don’t really know which projects need saving. Based on the IT Dashboard ratings, HealthCare.gov didn’t need help or rescue. It was listed as a healthy investment. And that is my point, how can we expect the CIO to take action when he or she doesn’t know the true status of the investments?
To address this issue Congress passed FITARA to increase the authority of the CIO. Never again will a CIO be allowed to say that he or she didn’t have the authority to get involved and implement remediation. The Clinger-Cohen Act from 1996 was intended to provide this level of authority, but for whatever reason it didn’t materialize. FITARA will clearly succeed where Clinger fell down.
But as Spider-Man would say, “With great power comes great responsibility.” When a program veers off course a CIO won’t be able to say that he or she didn’t have the authority to get involved. Not only do they have the authority to review the performance of all the IT investments at the agency, they have the responsibility to do it. FITARA also puts OMB on the hook for that as well. If an investment is red for more than four quarters, OMB is required to cut off the DME spending. This concept comes together in the phrase, “Turn it around or shut it down.”
Congress, through FITARA, has created a perverse incentive for agencies to juice the ratings in order to preserve the DME spending on a troubled investment. As such, I expect the CIO ratings inflation that GAO identified to continue. This puts CIOs in a tough position. You need to dig in to verify and validate that the data that is flowing up to you on investments is, in fact, accurate. At least annually, through the budget process, you should have a good opportunity to take a deep dive into every major investment. (Clearly that is an easier job at the Department of Energy since they have 12 major investments, which represents only 16 percent of their IT spending.) At most agencies, diving into the majors gives you a good sense of the overall performance of the IT portfolio. But you may need to create additional business processes or check-ins so that you are able to more effectively monitor performance.
Don’t get caught like Frank, Congress will be holding you accountable for the performance of these IT investments.
1 http://www2.commerce.virginia.edu/cmit/Research/MISQE%206-07.pdf
2 http://oig.hhs.gov/oei/reports/oei-06-14-00350.pdf
3 Politico 6/22/2010, http://www.politico.com/story/2010/06/hhs-gears-up-for-web-portals-launch-038817
4 GAO-14-64 http://www.gao.gov/assets/660/659666.pdf
5 GAO-16-494 http://www.gao.gov/assets/680/677624.pdf
In This Series:
