Federal IT Capital Planning and Investment Control

FEDERAL IT CAPITAL PLANNING AND INVESTMENT CONTROL

FEDERAL IT CAPITAL PLANNING AND INVESTMENT CONTROL

Thomas G. Kessler

Patricia A. Kelley

8230 Leesburg Pike, Suite 800

Vienna, VA 22182

703.790.9595

Fax: 703.790.1371

www.managementconcepts.com

© 2008 by Management Concepts, Inc.

All rights reserved. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by an information retrieval system, without permission in writing from the publisher, except for brief quotations in review articles.

Printed in the United States of America

Library of Congress Cataloging-in-Publication Data

Kessler, Thomas G., 1953-

Federal IT capital planning and investment control / Thomas G. Kessler and Patricia A. Kelley.

p. cm.

ISBN 978-1-56726-222-3

1. Administrative agencies—Information technology--United States—Management. 2. Information technology—United States—Finance. 3. Administrative agencies—Information resources management—United States. I. Kelley, Patricia, 1960– II. Title.

JK468.A8K47 2008

352.3’802854678—dc22

2007045013

10        9        8        7        6        5        4        3        2        1

About the Authors

Thomas G. Kessler, DBA, CISA, has over 30 years of experience as a manager, strategic planner, and information systems specialist. He was a consultant to more than 30 federal agencies from 1996 to 2006. Prior to establishing his own consultancy, Dr. Kessler worked for the Board of Governors of the Federal Reserve System, Westinghouse Electric Corporation, and the Maryland State Judiciary. He is a doctor of business administration, master of business administration, and certified information systems auditor. Dr. Kessler is co-author of The Business of Government: Strategy, Implementation, and Results, with Patricia A. Kelley. He is a frequent speaker at professional conferences. Dr. Kessler can be contacted at Tom.Kessler@yahoo.com

Patricia A. Kelley, DPA, CISA, has over 25 years of strategic planning, program evaluation, and operational management experience. She has provided management consulting support to more than 30 federal agencies including the Department of Labor, the National Institutes of Health, the Federal Railroad Administration, the Court Services and Offender Supervision Agency, the National Science Foundation, the Federal Communications Commission, and the Small Business Administration. Dr. Kelley has held senior management positions with the Federal Reserve Board and advised Board members on policy issues regarding the efficiency and effectiveness of the Board’s operations. She has also worked extensively with the Federal Reserve Banks on automation and payment system policy matters and acted as the liaison to other federal banking regulators. Previously Dr. Kelley evaluated the effectiveness of various federal programs for the U.S. Government Accountability Office. Dr. Kelley can be contacted at pattycsm@aol.com.

Contents

Preface

Acknowledgments

INTRODUCTION The Legislative Basis for Improved IT Management

Federal CPIC Requirements

The Clinger-Cohen Act

Congressional Intent: Increased Efficiency

Procurement

Empowerment and Responsibilities

Agency Responsibilities

Chief Information Officer Responsibilities

Other Provisions

Implementing Clinger-Cohen: From Law to Regulation

OMB Circular A-130

PART 1     Implementing CPIC and Integrating It with the Budget Process

CHAPTER 1   Overview of Capital Planning and Investment Control

Maximizing Return on Investment

Roles and Responsibilities

Agency Head

Assistant Secretaries

Senior Program Managers

Chief Information Officer

Chief Financial Officer

Chief Acquisition Officer

End-Users/Customers

Agency Sponsor

Investment Champion

Investment Manager

The CPIC Organizational Structure

IT Investment Review Board

CPIC Support Group

Integrated Project Team

Phases of the CPIC Process

Planning Phase

Selection Phase

Control Phase

Evaluation Phase

CPIC Artifacts

Implications of the CPIC Process

CHAPTER 2   CPIC Planning and Selection Phases

CPIC Planning Activities

Updating the Enterprise Architecture and Setting IT Security and Privacy Priorities

Analyzing the IT Portfolio

Updating the IT Capital Plan

Identifying New Investment Opportunities

Preparing Supporting Information to Update IT Business Cases

Collecting In-Use Asset Review Results

Conducting Independent Baseline Reviews

CPIC Selection Activities

Preparing for the CPIC Selection Phase

Analyzing New Investment Opportunities

Selecting Investments for the Agency IT Portfolio

Integrating CPIC and the Agency Budget Process

CPIC as a Forum for IT Policy Issues

CHAPTER 3   CPIC Control and Evaluation Phases

CPIC Control Activities

Earned-Value Management as Control Tool

Preparing for ITIRB Control Reviews

ITIRB Control Reviews

Investment-Level Control Responsibilities

CPIC Evaluation Activities

Operational Analyses and Post-Implementation Reviews

How Control and Evaluation Activities Relate to Planning and Selection Activities

PART II   Positioning CPIC as a Global Agency Process

CHAPTER 4   Strategically Positioning CPIC within the Organization

The Importance of CPIC: A Mandate for Stewardship and Strategic Management

Key Elements of an Effective CPIC Process

Implement CPIC and Integrate It with the Budget Process

Change the Agency’s Culture

Create an Inventory

Change the IT Culture

Develop an Architecture

Improve IT Asset Performance

Improve IT Development Performance

Manage Portfolio Performance

Implications

Improving the Existing CPIC Process

CHAPTER 5   Integrating CPIC and Enterprise Architecture

Agency Enterprise Architecture

Integrating CPIC and the Enterprise Architecture

Approaches to Integration

Steps to Achieve Successful Integration

Design the Integration Process

Develop and Enforce EA Review Procedures

Conduct CPIC-EA Integration Training

Implications of the Federal Enterprise Architecture

CHAPTER 6   IT Portfolio Analysis: Evaluation Techniques and Methods

IT Portfolio Analysis Principles

Portfolio Analysis Process and Methodology

Methods for Analyzing the IT Portfolio

Portfolio Analysis Criteria

Cross-Portfolio Redundancy

System-to-System Information Exchange

Technological Compatibility

Alignment with Agency Mission and Goals

Functional Balance

Risk Distribution

Technological Maturity

Alignment with E-Government Initiatives

Other Considerations

Communicating Portfolio Analysis Results

Portfolio Analysis Tools

CHAPTER 7   Operational Analysis and Post-Implementation Reviews

What Is an Operational Analysis?

Which Assets Should Be Reviewed?

Who Should Be on the Operations Review Team?

What Should Be Reviewed?

Performance Assessment

Cost Assessment

Technology Assessment

Security and Privacy Assessment

Other Factors

Future Scans

Conducting an Operational Analysis

Planning

Data Collection

Data Analysis

Reporting

Outcomes of an Operational Analysis

Taking Action

Post-Implementation Reviews

PART III Individual Investments: Maximizing ROI and Minimizing Risk

CHAPTER 8   Communicating with a Business Case

What Is a Business Case and Why Is It Important?

Key Elements of an IT Business Case

Writing an Effective Business Case

Investment Summary and Justification

Investment Spending Plan

Asset Performance Information

Alternatives Analysis

Risk Analysis

Project Performance Information

How the ITIRB Uses Business Case Information

CHAPTER 9   Alternatives Analysis

Identifying and Selecting Alternatives

The Federal Approach to IT Cost-Benefit Analysis

Investment Benefits

Investment Costs

Other Cost-Benefit Considerations

Presenting Alternatives Analysis Results

Periodic Updates to the Alternatives Analysis

CHAPTER 10 Identifying and Mitigating Project Risk

Building Skyscrapers and Software

Reasons for System Development Project Failures

Early Project Risks

Design and Technology Risks

Project Management Risks

Risk Management

Defining Risk

Defining Risk Management

Identifying Risks

Evaluating Risk

Mitigation Strategies

Risk Management throughout the Project Life Cycle

Risk Management as a Paperwork Exercise

Risk Management as a Key Element of Portfolio Management

CHAPTER 11 Using Earned-Value Management to Control Cost and Schedule Variance

What Is Earned-Value Management?

The Relationship between EVM and CPIC

Developing EVM Estimates

EVM Calculations

Other Considerations about EVM

Reviewing and Challenging EVM Estimates and Reports

Considerations in Modifying an EVM Baseline

EVM as a Key CPIC Tool

CHAPTER 12 Conducting an Independent or Integrated Baseline Review

IBR Objectives

Planning and Preparing for the IBR

Identifying IBR Personnel and Resources

Delineating Roles, Responsibilities, and Expectations

Preparing the IBR Project Plan

Training and Preparing the IBR Team

Announcing and Initiating the Review

Conducting Fieldwork

Examining Estimates

Compiling Fieldwork Results

Debriefing the IT Project Team, CPIC-SG, and ITIRB

The IBR Report

Follow-Up Activities

Revising the Baseline

PART IV Realizing the Full Benefits of a CPIC Process

CHAPTER 13 CPIC Special Topics

Information Technology Infrastructure

Scope and Scale

CPIC Implications

Infrastructure and the ITIRB

Infrastructure and Business Cases

Infrastructure, Enterprise Architecture, and Operational Analysis

Infrastructure Innovation

Security and Privacy

Acquisition Management

Incorporating These Key Issues

CHAPTER 14 Measuring, Monitoring, and Evaluating Portfolio Performance

Critical Success Factors

Factor 1: The Right People with the Right Skills and the Right Attitude

Factor 2: Centralized Control over IT Spending

Factor 3: Fully Embracing Investment and Portfolio Management Principles

Factor 4: IT People Who Sell Investments

Factor 5: The Integrity of the CPIC Process

Factor 6: A Strategic Enterprise Perspective

Factor 7: Success Determined through Measurement

Challenge Questions

Conclusion

APPENDIX Legislative and Regulatory Requirements

Chief Financial Officers Act of 1990

OMB Circular A-94

The Government Performance and Results Act of 1993

Government Management Reform Act of 1994

The Paperwork Reduction Act of 1995

Federal Financial Management Improvement Act of 1996

Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

OMB Memorandum M-97-02, Funding Information Systems Investments

OMB Circular A-130

Glossary

Bibliography

Index

Preface

Government agenciesi have a responsibility to the public to make full use of information technology (IT) as a means to achieve their missions effectively and efficiently. This statement seems self-evident, but the reality is that full use of IT resources is difficult to achieve for many reasons. To begin with, it is not easy to envision the innovative ways that IT can be used to achieve program outcomes, especially when emergent technologies are in their developmental stages. For example, when the personal computer was introduced in the early 1980s, agencies continued to believe that mainframe computing was the best strategy. It took five or more years for most agencies to appreciate the benefits that could be achieved through personal computing and to implement adoption strategies for personal computers, local area networks, word processing, and integrated e-mail systems. Today no one can envision a world without these technologies.

Another barrier to fully using IT is the frequency of changes in senior leadership within an agency, which tends to disrupt the continuity of innovative initiatives. Changes in administration and the political appointment process often lead to dramatic policy shifts, resulting in the initiation of new projects and the termination of projects started under prior administrations. Political turnover is so common in the federal government that many career civil servants adopt a wait and see attitude toward new initiatives and requirements. As a result, initiatives can take longer or be discontinued before they are implemented.

Another factor is that program leaders often have a bias toward human- and process-centric innovation rather than technological innovation because they have higher comfort levels with and control over the former. It is only in recent years that non-IT managers have gained sufficient confidence and experience with IT to become significantly involved in technology discussions and decisions.

Maximizing return on IT investment requires a comprehensive, agency-wide process that recognizes and treats technology investments as capital assets. Capital planning and investment control (CPIC) is such a process. Implementing a CPIC methodology offers numerous benefits by:

1. Positioning technology as a key business enabler that increases potential for innovative application of technology to the achievement of mission and program objectives

2. Encouraging greater partnership and joint responsibility among program and IT leadership for applying IT resources for their greatest benefit and treating the entire portfolio of IT systems and applications as a critical enterprise asset

3. Changing the mindset from a project orientation to an agency-wide asset orientation, enabling optimal short- and long-term investment decision-making

4. Reducing the risk of IT initiatives

5. Providing visibility into IT asset performance throughout the asset life cycle

The purpose of this book is to guide executive leaders, senior program managers, and IT professionals through the full range of IT investment principles and practices in an effort to convey both an understanding and a methodology for implementing and using CPIC processes. We wrote it from a practitioner’s perspective rather than an academic one. The book targets managers and analysts at all levels and uses examples rather than models to convey concepts. The approaches represent our strategies based on a variety of written and personal influences. Some of the concepts and methodologies in the book may need to be adjusted as they are adapted and, over time, they may be overridden by regulatory changes by the Office of Management and Budget (OMB) or other federal agencies, but we have tried to offer a diverse set of topics that offer something for everyone.

For those who are new to the federal government or CPIC, the contents provide comprehensive coverage. For those who have extensive CPIC experience, the early chapters may simply communicate what they already know, but the later chapters may provide new insight regarding advanced topics.

If there is one single group that we most hope to influence through this book, it is senior agency program managers and policy makers. The Clinger-Cohen Act (formerly known as the Information Technology Management Reform Act of 1996)ii was enacted to get the attention of this group, to require them to become more involved, and to shape their involvement so that approval and funding of IT initiatives would better represent the efficient market forces that are the foundation of the U.S. economy. Their participation, as described in this book, would mimic Adam Smith’s invisible hand, serving to drive inefficient or poorly performing IT projects out of business. We hope that senior executives read this book and use it to shape agency culture in a way that benefits both their agencies and U.S. taxpayers.

How to Use This Book

This book provides federal executives, managers, analysts, and other staff members from program, IT, and administrative areas with extensive guidance for understanding, implementing, reviewing, and improving their IT governance processes. The requirements established by OMB following the passage of the Clinger-Cohen Act serve as a framework for guiding the discussion, but the principles set forth are intended to go well beyond mere compliance with those requirements.

IT projects are usually complex and risky. There is a long track record of projects that have not succeeded. This book was written to assist in the process of making positive changes, to inform new IT analysts and managers, and to provide assistance in implementing new and more rigorous reporting, monitoring, and management activities.

The Four Parts of the Book

Part I: Implementing CPIC and Integrating It with the Budget Process

Part II: Positioning CPIC as a Global Agency Process

Part III: Individual Investments: Maximizing ROI and Minimizing Risk

Part IV: Realizing the Full Benefits of a CPIC Process

The 14 chapters cover a range of topics and are designed to provide both strategic and operational perspectives on IT capital planning and investment. Topics are discussed, for the most part, in nontechnical terms so that they appeal to a wide and diverse range of readers. As the chapters unfold, readers will sense the interrelationship and progression of topics. Readers who are new to the CPIC process are encouraged to read the book sequentially, while those with a good grounding can skip to the topics that interest them most.

The book is organized into an introduction and four parts. The introduction provides a description of CPIC and discusses the laws and regulations upon which it is based. Part I (Chapters 1–3) explains CPIC and describes the CPIC planning, selection, control, and evaluation phases. These chapters are most useful to those who are new to the federal CPIC process and those who are looking for ideas about how to improve existing processes.

Chapter 1 provides a thorough overview of the four CPIC phases—planning, selection, control, evaluation—and the roles and responsibilities of the people involved in the CPIC process. Chapter 2 provides a more detailed discussion of the planning and selection phases and provides criteria for assessing new investments. It also discusses how to integrate CPIC with the agency budget and use CPIC as a forum for discussing IT policy issues. Chapter 3 describes the CPIC control and evaluation phases. It reviews the function of an agency’s IT investment review board (ITIRB) and describes the ITIRB’s role in reviewing investment performance for assets that are either in development or already operational. Chapter 3 also introduces the earned-value management methodology and lays out a process for conducting control reviews.

Part II (Chapters 4–7) explains how to position CPIC as a global process within an agency. These chapters are useful to readers looking to improve the strategic use of technology throughout the agency. The chapters focus on the use of IT across an agency, aligning IT with strategic goals, and performance analysis of existing portfolio investments.

Chapter 4 provides the key elements necessary for an effective CPIC process and an audit tool for evaluating it and making improvements. Chapter 5 describes the importance of integrating the CPIC process with the agency’s enterprise architecture. This is an important subject, but one that often does not get sufficient attention from senior management because of perceptions that enterprise architecture is a technical initiative rather than an agency-wide strategic planning tool. The chapter is nontechnical and uses laymen’s terms and practical examples to illustrate why enterprise architecture is integral to an effective CPIC process.

Chapter 6 discusses portfolio analysis and evaluation techniques. It is useful to readers who are still trying to build and refine their IT portfolios and to use them in a meaningful way to make resource allocation decisions. Chapter 7 describes how to conduct operational analyses and post-implementation reviews for in-use investments. It also provides advice and guidance on which assets should be reviewed, how reviews should be conducted, potential outcomes, and actions that should be taken as a result.

Part III (Chapters 8–12) focuses on individual investments. Readers who are developing a business case or managing the development of a new IT asset will find these chapters especially helpful. Chapter 8 provides an overview of the business case: why it is necessary and how it is used, its components, and strategies for effectively writing the various sections. It also includes questions that ITIRB members can use when reviewing a business case and questioning the representatives of an investment team.

Chapter 9 describes an approach for identifying viable alternatives that achieve investment goals and requirements and explains how to develop cost-benefit analyses for each alternative. Chapter 10 provides a sobering view of the high failure rate of IT projects and the need for a strong risk-management strategy. Those who are embarking on a large IT investment will particularly benefit from reading this chapter.

Chapter 11 analyzes the use of the earned-value management (EVM) methodology for measuring cost and schedule variance. Because OMB requires that EVM be used for all major development projects, it is important that both oversight and project personnel understand EVM principles, concepts, and methodology. The chapter describes common EVM terms and calculations, and explains the relationship between EVM and CPIC.

Chapter 12 describes how to conduct an integrated baseline review (IBR). It explains what an IBR is and discusses IBR benefits, how to prepare for it, the team’s roles and responsibilities, evaluation criteria, and approaches for communicating results.

Part IV (Chapters 13 and 14) concludes the book by providing insight into how to realize the full benefits of the CPIC process. The content of Part IV is based on our extensive personal experience and observations. Chapter 13 addresses three special CPIC topics: infrastructure, security and privacy, and acquisition management. These areas deserve special attention because they have a more targeted focus than the overall CPIC process and they therefore present special challenges. Chapter 14, the final chapter, presents the critical success factors that differentiate success and failure in an IT investment. It also contains a list of typical questions that we have been asked by government officials charged with implementing and managing a CPIC process, and our responses to those questions.

The supplemental CD has over 40 additional resources to help you understand the IT investment process. It gives quick reference to public documents, current government management regulations, and federal enterprise architecture case studies, with links to a variety of online resources. The contents of the CD represent the latest information available as of February 2008. Readers should visit sites such as www.whitehouse.gov/omb, www.gao.gov, and www.cio.gov to obtain the most current information about IT CPIC.

Thomas G. Kessler

Patricia A. Kelley

i   Federal organizations are referred to as agencies throughout the book, even though there are various forms of organization, including departments, bureaus, and independent agencies.

ii Clinger-Cohen Act, U.S. Public Law 104-208, September 30, 1996. Online at http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html (accessed December 2007).

Acknowledgments

Since the passage of the Clinger-Cohen Act in 1996, many talented and dedicated civil servants and contractors have worked diligently to understand, embrace, and support its implementation. Hundreds, possibly thousands, of Office of Management and Budget (OMB), agency, and contractor personnel have worked to develop and implement information technology capital planning and investment control, enterprise architecture, security assessment, and other related processes. We have been privileged to work with them, learn from them, train them, and help them along the way. The presidents, senators, and representatives who have served over the past decade can never know or fully appreciate the dedication and commitment of those who serve the cause of improving and reforming information technology management practices. We express our sincere gratitude for the efforts of all those who have toiled in relative obscurity to make a difference.

Special thanks are extended to Sandra McGill and her team at the Centers for Disease Control and Prevention in Atlanta and her predecessor, Brenda White. Whether they accept their due praise or not, they made substantial progress. The Social Security Administration’s Capital Planning and Investment Control team, including Alan Deckard and Andy Berry, and their training coordinator, Beth Walker, are to be commended for their continuing commitment to meeting OMB requirements. Frederick Meyer, Robert Lagas, Carl Metzger, and Mark Raiffa influenced our thinking and kept us motivated, and we are grateful for their contributions. Special thanks are extended to Dr. Charles Ehart, Stephen Hampton, Barbara Sabur, and Michele Sousa for their professionalism, friendship, and excellent technical support.

There are many others whose names are not mentioned, but who have made important and lasting contributions. To all who have worked with us over the past decade in an attempt to make a difference, we extend our gratitude and appreciation.

Writing a book is no small feat, as we learned in this endeavor. We thank the members of the Management Concepts team, who did not lose faith even though this book was delivered well beyond our original time frame. Jack Knowles and Myra Strauss were very helpful in discussing potential topics and encouraging the writing of this book, and in providing ongoing support through the writing and publication process.

INTRODUCTION

The Legislative Basis for Improved IT Management

Initiative is doing the right thing without being told.

—VICTOR HUGO, FRENCH AUTHOR

Capital planning and investment control (CPIC) is a set of practices and procedures for managing the entire set of a government agency’s information technology (IT) resources as if it were a financial portfolio. It is a decision-making process for aligning investments with the agency mission; for selecting investments that are in the best interests of the agency as a whole; and for identifying, managing, and mitigating risk that causes projects to fail. CPIC establishes a mind-set of strategic thinking and stewardship that can, over time, become part of an agency’s organizational culture.

The ultimate objective of the CPIC process is to ensure maximum return on IT investment. The process requires establishing goals for the IT portfolio, ensuring that existing assets are performing well and providing a positive return on investment, and fully scrutinizing potential new investments to determine how they will perform individually and how they will fit in the portfolio as a whole. The CPIC process also ensures that the portfolio is diversified and that the portfolio risk characteristics are consistent with the organization’s risk-tolerance level.

Implementing an effective CPIC process often necessitates changes to an agency’s organizational culture—its long-established ways of doing business—especially with regard to adopting macro-level IT management practices, ensuring the availability of sufficient information for making decisions about each individual investment and the entire set of resources, and raising the level of discussion, dialogue, and decision-making to the agency level.

Federal CPIC Requirements

In the federal government, management reform gained significant attention during the mid-1990s as a series of large-scale IT projects suffered setbacks and, in some