This is the accessible text file for GAO report number GAO-04-394G entitled 'Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity' which was released on March 01, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Executive Guide: March 2004 Version 1.1: INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT: A Framework for Assessing and Improving Process Maturity: GAO-04-394G: GAO Highlights: Highlights of GAO-04-394G, an executive guide. Why GAO Did This Study: In 2000, GAO published an exposure draft of Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (ITIM). Built around the select/control/evaluate approach described in the Clinger-Cohen Act of 1996—which establishes statutory requirements for IT management—the framework provides a method for evaluating and assessing how well an agency is selecting and managing its IT resources. The exposure draft reflected current accepted or best practices in IT investment management, as well as the reported experience of federal agencies and other organizations in creating their own investment management processes. This new version updates the exposure draft to take into account comments that GAO has received; GAO’s experiences in evaluating several agencies’ implementations of investment management processes and the lessons learned by these agencies; and the importance of enterprise architecture (EA) as a critical frame of reference in making IT investment decisions. Using the framework to analyze an agency’s IT investment management processes provides: (1) a rigorous, standardized tool for internal and external evaluations of these processes; (2) a consistent and understandable mechanism for reporting the results of assessments; and (3) a road map that agencies can follow in improving their processes. What GAO Found: The ITIM framework is a maturity model composed of five progressive stages of maturity that an agency can achieve in its IT investment management capabilities. These maturity stages are cumulative; that is, in order to attain a higher stage of maturity, the agency must have institutionalized all of the requirements for that stage in addition to those for all of the lower stages. The framework can be used both to assess the maturity of an agency’s investment management processes and as a tool for organizational improvement. For each maturity stage, the ITIM describes a set of critical processes that must be in place for the agency to achieve that stage. The figure below shows the five stages and lists the critical processes for each stage. At the Stage 1 level of maturity, an agency is selecting investments in an unstructured, ad hoc manner. Project outcomes are unpredictable and successes are not repeatable; the agency is creating awareness of the investment process. Stage 2 critical processes lay the foundation for sound IT investment processes by helping the agency to attain successful, predictable, and repeatable investment control processes at the project level. Stage 3 represents a major step forward in maturity, in which the agency moves from project-centric processes to a portfolio approach, evaluating potential investments by how well they support the agency’s missions, strategies, and goals. At Stage 4, an agency uses evaluation techniques to improve its IT investment processes and its investment portfolio. It is able to plan and implement the “de-selection” of obsolete, high-risk, or low-value IT investments. The most advanced organizations, operating at Stage 5 maturity, benchmark their IT investment processes relative to other “best-in-class” organizations and look for breakthrough information technologies that will enable them to change and improve their business performance. www.gao.gov/cgi-bin/getrpt?GAO-04-394G. To view the full product, click on the link above. For more information, contact David Powner, 202-512-4299, pownerd@gao.gov, or Lester Diamond, 202-512-7957, diamondl@gao.gov. [End of section] Contents: Preface: Section 1: Introduction: Changes from the Exposure Draft: Investment Management Overview: Section 2: Overview of ITIM: The Stages of Maturity: Progressing through the Stages of Maturity: Section 3: Components of ITIM: ITIM Hierarchy: Section 4: Uses of ITIM: Principles Guiding the Use and Interpretation of the Framework: Tool for Organizational Improvement: Tool for Assessing the Maturity of an Organization: Limitations and Boundaries: Section 5: Critical Processes for the ITIM Stages: Stage 1: Creating Investment Awareness: Stage 2: Building the Investment Foundation: Stage 3: Developing a Complete Investment Portfolio: Stage 4: Improving the Investment Process: Stage 5: Leveraging Information Technology for Strategic Outcomes: Appendixes: Appendix I: Glossary: Appendix II: Conducting an ITIM Assessment: Using ITIM to Assess IT Investment Decision-Making Processes: Summary of ITIM Assessment Process: Appendix III: Acknowledgments: Figures: Figure 1: Fundamental Phases of the IT Investment Approach: Figure 2: The Five Stages of Maturity Within ITIM: Figure 3: Critical Maturation Steps Required to Move to the Next Stage: Figure 4: The Components of an ITIM Critical Process: Figure 5: The ITIM Stages of Maturity with Critical Processes: Figure 6: The ITIM Stages of Maturity with No Stage 1 Critical Processes: Figure 7: The ITIM Stages of Maturity with Stage 2 Critical Processes: Figure 8: Instituting the Investment Board: Figure 9: Meeting Business Needs: Figure 10: Selecting an Investment: Figure 11: Providing Investment Oversight: Figure 12: Capturing Investment Information: Figure 13: The ITIM Stages of Maturity with Stage 3 Critical Processes: Figure 14: Defining the Portfolio Criteria: Figure 15: Creating the Portfolio: Figure 16: Evaluating the Portfolio: Figure 17: Conducting Postimplementation Reviews: Figure 18: The ITIM Stages of Maturity With Stage 4 Critical Processes: Figure 19: Improving the Portfolio's Performance: Figure 20: Managing the Succession of Information Systems: Figure 21: The ITIM Stages of Maturity with Stage 5 Critical Processes: Figure 22: Optimizing the Investment Process: Figure 23: Using IT to Drive Strategic Business Change: Figure 24: Phases in an ITIM Assessment: Preface: Investments in information technology (IT) can enrich people's lives and improve organizational performance. For example, during the last decade the Internet has matured from being a means for academics and scientists to communicate with each other to a national resource where citizens can interact with their government in many ways, for example, by receiving services, supplying and obtaining information, asking questions, and providing comments on proposed rules. Although they have the potential to improve lives and organizations, IT projects can also become risky, costly, unproductive mistakes. As we have described in numerous reports and testimonies, federal IT projects too frequently incur cost overruns and schedule slippages while contributing little to mission-related outcomes. The Paperwork Reduction Act (PRA)[Footnote 1] requires federal agencies to be accountable for their IT investments and responsible for maximizing the value and managing the risks of their major information systems initiatives. The Clinger-Cohen Act of 1996[Footnote 2] establishes a more definitive framework for implementing the PRA's requirements for IT investment management. It requires federal agencies to focus more on the results they have achieved through IT investments, while concurrently improving their IT acquisition processes. The Clinger-Cohen Act[Footnote 3] also introduces more rigor and structure into how agencies are to select and manage IT projects. Among other things, it lays out specific aspects of the process that agency heads are to implement in order to maximize the value of the agency's IT investments and assess, manage, and evaluate the risks of its IT acquisitions.[Footnote 4] The E-Government Act of 2002[Footnote 5] provides additional guidance on IT management practices across federal agencies. Through our research into IT management best practices and our evaluation of agency IT management performance, we have identified a set of essential and complementary management disciplines. These include: * investment management, * strategic planning, * software/system development and acquisition management, * IT services acquisition management, * human capital management, * information security management, and: * enterprise architecture management. Using the results of this research and evaluation, we have developed various management frameworks and guides. In 1997 we developed guidance,[Footnote 6] based primarily on the Clinger-Cohen Act, that provides a method for evaluating and assessing how well a federal agency is selecting and managing its IT resources. This guidance also identifies specific areas where improvements can be made. The Information Technology Investment Management (ITIM) Framework enhances this guidance by identifying critical processes for successful investment and organizing these processes into a framework of increasingly mature stages. Maturity models have been proven to be a highly effective evaluative technique for the Software Engineering Institute, which is well regarded for its collection of Capability Maturity Models SM (e.g., Capability Maturity Model for Software).[Footnote 7],[Footnote 8] Other researchers have proposed similar approaches based on maturity models.[Footnote 9] The maturity framework approach generally: * offers a comprehensive model for assessing process capability within an organization; * can be applied to multiple types of disciplines, such as IT asset acquisition, human capital, and systems engineering; and: * can serve as a valuable tool for organizations to use to improve their technical development and management processes. The initial ITIM exposure draft that we issued in May 2000[Footnote 10] reflected both a maturation of thinking in the area of IT investment management and input we had received from organizations and federal agencies based on their experiences in creating their own investment mechanisms and processes. This updated version has been modified based on comments we received on the initial exposure draft and on our experiences in evaluating and learning from agencies that are implementing investment management processes. Moreover, this version of the ITIM is consistent with and supports other maturity frameworks, including GAO's Enterprise Architecture Management Maturity Framework (EAMMF).[Footnote 11] Among other things, this version of the ITIM addresses the importance of an enterprise architecture (EA) as a critical frame of reference for organizations when they are making IT investment decisions. The ITIM can be used to analyze an organization's investment management processes and to determine its level of maturity. Since its release in exposure draft in May, 2000, the ITIM has been GAO's primary tool for evaluating investment management capabilities. In addition, a number of agencies have used the framework as they worked to improve their investment processes. If you have any questions about the Information Technology Investment Management Framework or the IT investment management approach, please contact me at (202) 512-4299 or [Hyperlink, pownerd@gao.gov]; or Lester Diamond, Assistant Director at (202) 512-7957 or [Hyperlink, diamondl@gao.gov]. Other key contributors to this report were Joanne Fiorino, Sabine R. Paul, Tomas Ramirez, Thomas Wright, and Neil Doherty. Signed by: David A. Powner: Director, Information Technology Management Issues: [End of section] Section 1: Introduction: The Information Technology Investment Management Framework identifies- -and organizes into a framework of increasingly mature stages--thirteen processes that are critical for successful investment. The original exposure draft of ITIM expanded the widely accepted federal management framework for IT investment decision making that was embodied in OMB and GAO guidance[Footnote 12] and shifted the content from a guidance- based focus to an activity-and maturity-based focus. Such a maturity framework can be used either to analyze an organization's investment management process or to determine the maturity of its investment process. The framework provides three key capabilities that are of use to many federal agencies: (1) a rigorous, standardized tool for internal and external evaluations of an agency's IT investment management process; (2) a consistent and comprehensible mechanism for reporting the results of these assessments to agency executives, the Congress, and other interested parties; and (3) a road map that agencies can use for improving their investment management processes. It should be noted, however, that an organization's achievement of more mature investment management stages depends on its instituting other good management practices and attributes, such as strategic planning, project management, enterprise architecture (EA) management, human capital management, and software and system acquisition management. In May 2000 we released an exposure draft of the ITIM framework for trial and comment. Since that time, the framework has been used by a number of federal agencies in developing and enhancing their investment management strategies. In addition, we have used it to evaluate several agencies.[Footnote 13] This release includes lessons learned from our use of the framework in these evaluations and from lessons conveyed to us by users of the framework at a number of agencies. In order to validate the appropriateness of our changes and to gain the advantage of their experience, we provided this release for review to several outside experts who are familiar with the ITIM exposure draft and with investment management in a broad array of organizations, both public and private. This version also includes a much fuller description of the relationship between ITIM and EA. Based on our experience, employing ITIM and EA in concert can greatly increase the chances that an organization's operational and IT environments will be pursued in a way that optimizes mission performance. The EA provides a clear and comprehensive picture of the structure of an entity, whether it is an organization or a functional or mission area. It defines an organization's operations in logical (i.e., information flows) as well as technical terms (i.e., hardware and software). The EA also describes these perspectives both for the organization's current or "as-is" environment and for its target or "to-be" environment as well as for a transition or sequencing plan for moving from the "as-is" to the "to- be" environment. Changes from the Exposure Draft: Stage 2 has been the primary beneficiary of the lessons learned from the use of the framework, because most agencies that we have evaluated are still operating at Stage 2. In Stage 2 we have tried to clarify aspects of critical processes that previously have led to diverse interpretations. In addition, we have moved what was previously the critical process for Authority Alignment of IT Investment Boards from Stage 3 in the exposure draft into Stage 2 in this release; it is now part of the critical process for Instituting the Investment Board. Through our work, we have found that instituting multiple boards was not unusual for organizations working in Stage 2 and that these boards occasionally were not well aligned. Stage 3 has been enhanced to better explain the organization and use of portfolio management for investments. In this area we gained knowledge from the experiences of others, both directly from individuals using IT portfolio management in agencies as well as from literature that has been released during the last few years. In addition, we moved the critical process for Postimplementation Review and Feedback from Stage 4 in the exposure draft to Stage 3 in this release. We did this so we could ensure that organizations that have completed Stage 3 are meeting the requirement for having selection, control, and evaluation processes in place, as required by the Clinger-Cohen Act. Stages 4 and 5 have been modified only to reflect new names for critical processes and to relocate to Stage 3 the critical process for Postimplementation Review and Feedback. We have not gained substantial new experience in these stages, because few organizations are operating at these levels of maturity. We anticipate modifying these stages in the future, when we have learned more from organizations' experiences. Investment Management Overview: A central tenet of the federal approach to IT investment management has been the select/control/evaluate model. This model was initially identified in our Strategic Information Management (SIM) Executive Guide,[Footnote 14] expanded in the Office of Management and Budget's IT investment guidance,[Footnote 15] and then refined in our subsequent guidance.[Footnote 16] It provides a systematic method for agencies to minimize risks while maximizing the returns of investments. Figure 1 illustrates the central components of this model. Figure 1: Fundamental Phases of the IT Investment Approach: [See PDF for image] [End of figure] During the select phase the organization (1) identifies and analyzes each project's risks and returns before committing significant funds to any project and (2) selects those IT projects that will best support its mission needs. This process should be repeated each time funds are allocated to projects, reselecting even ongoing investments as described below. During the control phase the organization ensures that, as projects develop and investment expenditures continue, the project continues to meet mission needs at the expected levels of cost and risk. If the project is not meeting expectations or if problems have arisen, steps are quickly taken to address the deficiencies. If mission needs have changed, the organization is able to adjust its objectives for the project and appropriately modify expected project outcomes. During the evaluate phase, actual versus expected results are compared after a project has been fully implemented. This is done to (1) assess the project's impact on mission performance, (2) identify any changes or modifications to the project that may be needed, and (3) revise the investment management process based on lessons learned. The investment process does not end with the evaluation phase. A project can be active concurrently in more than one phase of the select/control/evaluate model. After a project has been designated for initial funding in the select phase, it becomes the subject of evaluation throughout the control phase for the purposes of reselection. Reselection is an ongoing process that continues for as long as a project is receiving funding. If a project is not meeting the goals and objectives that were originally established when it was selected, or if the goals have been modified to reflect changes in mission objectives--and corrective actions are not succeeding--a decision must be made on whether to continue to fund the project. Ultimately, "deselection" can be one of the most difficult steps to implement, but it is necessary if funds can be better utilized elsewhere. Once projects are operating and being maintained, they remain under constant review for reselection. [End of section] Section 2: Overview of ITIM: The Stages of Maturity: ITIM is comprised of five stages of maturity. Each stage builds upon the lower stages and enhances the organization's ability to manage its IT investments. Figure 2 shows the five ITIM stages and gives a brief description of each stage. Figure 2: The Five Stages of Maturity Within ITIM: [See PDF for image] [End of figure] Stage 1: Creating Investment Awareness: Stage 1 is characterized by ad hoc, unstructured, and unpredictable investment processes. For example, in a Stage 1 organization, there is generally little relationship between the success or failure of one project and the success or failure of another project. If an IT project succeeds and is seen as a good investment, it is largely due to exceptional actions on the part of the project team, and thus its success might be difficult to repeat. Investment processes that are important for success may be known, but only to isolated teams; this process knowledge is not widely shared or institutionalized. Most organizations with Stage 1 maturity have some type of project selection process in place as part of their annual budgeting activity. However, the selection process is frequently rudimentary, poorly documented, and inconsistently applied. The unstructured and unpredictable investment processes that characterize a Stage 1 organization also mean that even if it recognizes that a given project is in trouble, it may not have adequate processes to consistently address and resolve the project's problems. Additionally, a focus on project results in terms of business benefits is often missing in these organizations. Stage 2: Building the Investment Foundation: One focus of Stage 2 maturity is to establish basic selection capabilities. Basic selection capabilities are driven by the development of project selection criteria, including benefit and risk criteria, and an awareness of organizational priorities when identifying projects for funding. No longer are projects being funded solely on an ad hoc basis. The basic selection processes established in Stage 2 lay the foundation for more mature selection capabilities in Stage 3. Therefore, the organization also focuses on defining and developing its IT investment board(s), identifying the business needs or opportunities to be addressed by each IT project, and using this knowledge in the selection of new IT proposals. An organization working to complete Stage 2 should be starting to develop an ITIM decision-making process that utilizes its EA--to the extent that an EA exists. An organization's "as-is" architecture may provide some of the basic information that is needed by decision makers, such as what systems currently exist and what potential functional overlap may occur with a new investment. In addition, an organization's EA tool may serve as a repository for investment information, although this may require modifying the manner in which the tool is currently being used. Criteria for selecting new and ongoing investments should be established, and the requirement to comply with the target EA may serve as an important guide in investment decisions. In addition, to gain further confidence that each investment is providing specific value to the organization, an organization's policies and procedures should provide for identifying the business needs and the associated users of each IT project. An equally important focus is to attain repeatable, successful IT investment control techniques at the project level. For an organization to develop a sound IT investment process, it must first be able to control its investments so that they finish predictably within established schedule and budget ranges. In addition, it must be able to identify potential exposures to risk and put in place strategies to mitigate that risk. In the absence of predictable, repeatable, and reliable investment control processes, selected investments will be subject to a higher risk of failure despite rigorous analysis of the estimates used to justify them. Further, the absence of repeatable control processes will result in ineffective evaluation processes and contradictory efforts at process improvement. To ultimately succeed, most IT investments require a relentless focus on interim results and successful risk management strategies, among other things. Taking this into account, an organization can begin by (1) focusing on gaining control of its existing collection of projects and (2) following a disciplined process for improving project outcomes over time by regularly tracking and overseeing each project's cost and schedule milestones and by monitoring expected benefits and risks. Supporting these activities requires collecting investment information to ensure that the organization knows fundamental facts about its IT assets, such as their location, cost, and ownership. Stage 3: Developing a Complete Investment Portfolio: Stage 3 critical processes depend specifically on the successful implementation of Stage 2 critical processes. In order to operate successfully at Stage 3, the organization must have in place the structure and repeatability of the project-centric management processes described above. In addition, the project-specific performance data being used for oversight and reselection in Stage 2 are crucial for the successful management of the investment portfolio. The critical focus for Stage 3 maturation is to establish a consistent, well-defined perspective on the IT investment portfolio and to maintain mature, integrated selection (and reselection), control, and evaluation processes. These processes will be evaluated during postimplementation reviews (PIR). Once IT projects have been selected and are meeting their scheduled performance expectations--as outlined in Stage 2--the organization needs to develop an IT investment portfolio using an investment process that is consistent with its EA and employs sound selection criteria. The development and use of portfolio selection criteria enable the organization to expand its focus from being primarily project-oriented to including the broader portfolio perspective. The portfolio perspective drives the organization to focus on the benefits gained from the synergies to be found among the investments in the entire collection, rather than just from the sum of the individual investments. Instead of focusing exclusively on the balance between the costs and benefits of individual investments, in Stage 3 decision makers also must consider the interaction among investments and the contribution to organizational mission goals and strategies that could be made by alternative portfolio selections. The development of the portfolio selection criteria communicates organizational priorities to the IT project management community and ensures that each investment submitted for funding supports the organization's mission, strategies, and goals, as well as project-specific outcomes. The critical process for Creating the Portfolio describes how the organization should use the portfolio selection criteria to develop an IT investment portfolio. Individual investments are reviewed and evaluated following their implementation in order to compare actual results with performance expectations. An organization's policies and procedures should provide for specifying the relationship between its architecture and its investment decision- making authority. The links between the EA and the investment portfolio should be explicitly defined. In addition, when operating at this stage, organizations should be working to align their EA with their IT portfolio selection criteria. Stage 4: Improving the Investment Process: An organization at Stage 4 maturity is focused on using evaluation techniques to improve its IT investment processes and portfolio(s) while maintaining mature control and selection processes. At this stage, the organization should also regularly analyze its investment portfolio(s) to ensure that its investments continue to be aligned with the most current version of its architecture, since small changes in either an investment itself or in the EA may have occurred over time without being recognized in periodic selection/reselection decisions. As described in Stage 3, postimplementation reviews typically identify lessons learned from an investment and determine whether the benefits anticipated in the business case for the investment have been achieved. Analyzing a number of PIRs serves as a basis for creating recommendations for changing and improving IT investment processes. Portfolio categories are used to organize the lessons learned and the recommendations gleaned both from PIRs conducted during Stage 3 and from other sources of process or investment information. The information within these categories is then used to fine-tune the investment processes and the portfolios. Additionally, at Stage 4 maturity the organization has the capacity to conduct IT succession activities and thus can plan and implement the "deselection" of obsolete, high-risk, or low-value IT investments. Stage 5: Leveraging Information Technology for Strategic Outcomes: Once an organization has mastered the selection, control, and evaluation processes, it seeks to shape its strategic outcomes by (1) using its EA as a critical frame of reference to ensure alignment with the target architecture, (2) learning from other organizations, (3) continuously improving the manner in which it uses IT to support and improve its business outcomes, and (4) focusing on flexibility and becoming a more agile organization that relies on its architecture for its vision of the future and the ITIM as a critical means for implementing it. Thus, an organization with Stage 5 maturity benchmarks its IT investment processes relative to other "best-in-class" organizations and conducts proactive monitoring for breakthrough information technologies that will allow it to significantly change and improve its business performance. Progressing through the Stages of Maturity: Within ITIM, lower maturity stages provide the foundation for higher maturity stages. Thus, an organization increases its IT investment maturity and management capability as it progresses through the ITIM maturity stages. The following section describes the critical maturation steps that occur as an organization moves from one stage to the next (see fig. 3). Figure 3: Critical Maturation Steps Required to Move to the Next Stage: [See PDF for image] [End of figure] Moving from Stage 1 to Stage 2: Investment control processes are the essential proficiencies that an organization establishes as it moves from ITIM Stage 1 to Stage 2. As investment control processes become better established, * one or more investment board(s) is created to oversee and select IT projects; * investment information such as costs, benefits, schedule, risk assessments, performance metrics, and system functionality is collected to support executive decision making; * the organization gains a better perspective on the IT projects in which it is investing; * communicating the status of ongoing projects improves organizationwide system acquisition, development, and management practices; * the organization creates and maintains better project-level cost information; and: * key customers (or end users) and business needs for each IT project are identified, and the users are engaged in this process. Critical to maturing project-level IT investment control processes is the ability to recognize the need for and to take swift corrective action when a project is having trouble meeting its schedule expectations and cost estimates. As it moves through Stage 2, an organization develops robust methods to collect data from the project- level management processes and aggregate it appropriately to provide executive management with the information it needs to execute its oversight responsibilities. As the organization matures, it also learns from past decisions and better manages the causal factors that created past problems, thus improving the performance results of ongoing projects. Beyond investment control processes, the organization also begins to implement basic selection processes. The core business needs for each IT project are identified and the basic portfolio development processes are used to select new IT proposals. Moving from Stage 2 to Stage 3: Creation of a mature IT process for selecting investments is the major accomplishment that an organization demonstrates as it moves from Stage 2 to Stage 3 maturity. In addition, well-developed investment control processes lead to greater certainty about future IT investment outcomes and greater confidence that IT investments, when they are selected, will achieve their expected cost, schedule, and performance goals, as well as their expected functionality. Thus, once the investment control processes have been established, an organization can build on these fundamental investment processes to create mature portfolio selection processes. Mature selection processes include: * the creation and maintenance of portfolio selection criteria, * the analysis associated with examining the merits of each IT investment in the context of the portfolio, * the use of an EA to help align IT investments with strategic objectives, and: * the grouping of similar investments together and the development of the portfolio. Beyond the creation of a mature selection process, the organization now refines the elements of benefit and risk management in its investment control process, because it has installed the supporting tools for doing so as its selection process matures. Individual investments are reviewed and evaluated following their implementation and are judged based on how well they meet their performance expectations. Moving from Stage 3 to Stage 4: As an organization reaches Stage 4 maturity, it has created mature IT investment evaluation processes and established a complete IT investment management process. In this stable environment, the organization can take the lessons it has learned from evaluating its investment processes (i.e., based on postimplementation reviews in Stage 3) and change these processes with predictably beneficial results. By doing so, it also creates the environment and the mechanisms for continuous improvement in Stage 5. In addition to improving its investment processes, an organization operating in Stage 4 can manage resource succession--that is, "de-selecting" current IT investments--by migrating to successor investments or retiring obsolete and low-performing ones and by making these decisions in the context of the portfolio created in Stage 3 and a well understood EA sequencing plan and "to-be" architecture. Together, the portfolio, sequencing plan, and "to-be" architecture provide a full picture of the current state of an organization's investments, its vision of the future, and its plan for getting there. In this context, the obsolescence of systems can be anticipated, and the declining benefits of specific systems can be viewed in the light of alternative investments. Moving from Stage 4 to Stage 5: An organization that is moving from Stage 4 to Stage 5 has mature selection, control, and evaluation processes in place. It now seeks ways to (1) institutionalize the continuous improvement of these processes and (2) improve its strategic business outcomes. It accomplishes these goals by examining and learning from other organizations by means of benchmarking. Benchmarking is used because there may be external organizations with specific processes that are more innovative or more efficient than its own processes. Beyond benchmarking, the organization leverages IT to significantly change and improve its business performance and outcomes. [End of section] Section 3: Components of ITIM: ITIM Hierarchy: Like other maturity models, ITIM is subdivided into a hierarchy. Each maturity stage consists of critical processes that are composed of a number of key practices. These hierarchical components are described below. Maturity Stages: Each of the four maturity stages beyond Stage 1 is a plateau of well- defined critical processes. The five maturity stages represent the steps toward achieving a mature, comprehensive IT investment management process. Critical Processes: With the exception of Stage 1, each maturity stage is composed of multiple critical processes, such as the processes used to create an IT investment portfolio. Each critical process contains a set of key practices that, when fulfilled, implement the critical process needed to attain a given maturity stage. Key Practices: The key practices are the tasks that must be performed by an organization in order to implement and institutionalize a critical process effectively. Key practices fall into three categories: organizational commitments, prerequisites, and activities. An explanation and a description of the relationship among these different types of key practices is shown in figure 4. In Section 5, each key practice is listed, followed by commentary and additional information that may assist an organization in understanding or interpreting how it could be implemented. Figure 4: The Components of an ITIM Critical Process: [See PDF for image] [End of figure] [End of section] Section 4: Uses of ITIM: ITIM identifies critical IT investment processes, establishes the presence or absence of these critical processes in an organization, assesses an organization's IT investment management capability and maturity, and offers recommendations for improvement. Used in this way, ITIM can be a valuable tool that (1) supports organizational self- assessment and improvement and (2) provides a standard against which an evaluation of an organization can be conducted. Principles Guiding the Use and Interpretation of the Framework: Regardless of the specific reason for using ITIM, the following principles[Footnote 17] should guide each interpretation and use of this framework. * The ITIM is a generic framework intended for broad use. The way in which an organization implements the framework will vary, depending on its needs for improving its investment processes and its managerial and professional judgment. * The ITIM is a road map for improvement and describes the characteristics of an IT investment management process that one would expect to see at each maturity stage. The maturity stages prescribe the order in which to improve the processes, but not how an organization is to improve its processes. * The ITIM may not exhaustively describe the necessary conditions for successful investment management in all organizations. Other components of the investment management process may exist and could be considered for addition to this framework as greater context sensitivity develops to the issues surrounding the process of IT investment management. * Each ITIM critical process will generally go through a step-by-step evolution--consisting of introduction, adoption, development, and finally full implementation--within an organization as that organization changes over time, modifies necessary functions and operations, and reaches a particular maturity stage. ITIM does not address all factors that can affect investment success. For example, organizational processes and other factors--such as strategic planning, availability of funding, risk assessments, and specific technology implementations--can strongly influence an organization's investment success. * There is no one right way to implement the ITIM, because the framework describes the characteristics of mature and successful IT investment management processes, not specific implementation techniques. Because of this, the framework is technology independent. For example, no specific tools, methods, or technologies are mandated by its use. Appropriate tools, methods, and technologies should be made available to support the processes that an organization develops within ITIM. Tool for Organizational Improvement: ITIM offers organizations a road map for improving their IT investment management processes in a systematic and organized manner. These process improvements are intended to: * improve the likelihood that investments will be completed on time, within budget, and with the expected functionality, * promote better understanding and management of related risks, * ensure that investments are selected based on their merits by a well- informed decision-making body, * implement ideas and innovations to improve process management, and: * increase the business value and mission performance of investments. ITIM can be implemented as a tool for organizational improvement in a variety of ways. For example, an organization can create a separate improvement program, employ external assistance and support, or use the framework as a managerial support tool. Regardless of the implementation technique, the following important factors should be considered when using ITIM as an organizational improvement tool: * Many organizations will have a variety of selection, control, and evaluation processes in place. ITIM can help these organizations understand the relationships among these processes and determine the key opportunities for immediate improvements. * The framework uses a structured approach that identifies the key practices for creating and maintaining successful investment management processes. However, it describes what to do, not how to do it. Thus, specific implementation methods can and will vary by organization, based on specific attributes of the organization, such as size, complexity, and culture. * The developmental nature of a maturity model means that process maturation is cumulative. Lower-stage processes provide the foundation for upper-stage processes. As additional critical processes are introduced into the organization and implemented, the organization attains greater process capabilities and maturity. As the organization incorporates additional processes at each successive stage of maturity, it must maintain the lower-stage critical processes that it has previously implemented. * The framework depends on good project management to form the foundation of good performance measurement and the project-level control processes that underlie mature investment control processes. * Where one exists, the use of an EA is a critical frame of reference for making investment decisions, and only investments that move the organization toward its target architecture--as defined by its sequencing plan--should be approved unless a waiver is provided and/or a decision is made to modify the EA. * Critical processes initially may be implemented and practiced within individual bureaus or divisions before they are implemented and are mature across the organization. * Business process improvement initiatives are usually not themselves considered to be IT investments; they are considered to be parallel efforts that may or may not be linked to investments. Thus, ITIM assessments do not evaluate individual initiatives. However, if such initiatives include IT investments, then the investments should be subject to the organization's investment management process. * Change management should be a cornerstone of process improvement, because culture affects the nature of investment decisions. Investment decisions are about change, and change affects an organization's culture. For example, a decision can be creative or cautious, strategic or tactical. Culture emanates from the values of the organization. Tool for Assessing the Maturity of an Organization: Just as ITIM can be used as a tool for organizational improvement, it can also be used as a standard against which to judge the maturity of an organization's IT investment management process. For example, ITIM can be used to support assessments to help ensure compliance with industry standards or acceptable practices, independent reviews of organizational maturity by oversight bodies, or other external IT process reviews. Regardless of the specific use, however, the following important factors should be considered when using ITIM as an organizational assessment tool: * An assessment using the framework can be conducted for an entire organization (e.g., an executive branch department) or for one of its lower-level divisions (e.g., a branch, bureau, or agency). However, the unit or scope of analysis (e.g., branch, bureau, agency, or department) must be defined before an ITIM assessment is conducted. Additionally, the assessed maturity stage for a lower-level division is not necessarily indicative of the maturity stage of a higher-level division or of the organization as a whole. * The use and interpretation of ITIM by organizations may vary with their size, culture, and organizational structure--as well as other factors. The overriding objective of the framework is to enable senior managers to systemically maximize the benefits of IT investments through the use of a structured investment process. In achieving this objective, different organizations may choose different specific implementations of the ITIM, which may be influenced by the factors mentioned above. For example, although ITIM addresses the organizational need to align and coordinate multiple investment boards, an organization with only one IT investment board would not need to perform the key practices associated with board alignment. Also, small organizations--or those with highly centralized IT management--may not require as extensive written guidance as large organizations, because their investment management processes are executed by a small, cohesive cadre of managers. Ultimately, each organization must use its best judgment in determining how to implement ITIM within its own context. * An organization may be concurrently implementing key practices that are associated with several maturity stages. In fact, key practices associated with higher stage critical processes are frequently initiated while the organization as a whole is at a lower stage of maturity. However, organizational maturity is determined by assessing at what maturity stage the organization implements all of the key practices for all of the critical processes associated with a given stage of maturity--in addition to all of those associated with lower maturity stages. For example, performing key practices in only some of the Stage 3's critical processes does not mean that the organization has attained Stage 3 maturity. Limitations and Boundaries: The purpose of ITIM is to describe and improve an organization's IT investment management processes so that the strategic plans and decisions that it makes can and will be supported by highly effective investments. However, like other assessment tools, the framework has its limitations and boundaries. For example, while strategic planning and executive decision making can greatly influence an organization's performance, the framework does not evaluate these. If IT plans and business plans are linked, there is a high likelihood that investment decisions will be closely aligned with the business. Similarly, performance measures that are created and used to guide the organization and its activities are an integral part of controlling the expenditures on an investment and can be viewed as maturing in parallel with the IT investment management processes. However, this guide does not describe in detail[Footnote 18] the development or implementation of these measures. In addition, the framework does not address IT acquisition (e.g., which type of contract to use or how best to conduct price negotiations, etc.) as a separate investment management step. While they are important, the primary purpose of acquisition-related activities is to support the execution of the investment decisions that are made by the IT investment board(s)[Footnote 19] Thus, one would expect that the acquisition aspects of project development would be embedded in the project proposal and analysis steps within the framework. Alternatively, the acquisition strategy might be part of the project's risk assessment (i.e., the risks of pursuing various acquisition alternatives). Finally, organizations selecting ITIM as an assessment tool should: * become proficient with the related GAO and OMB guidance on IT investment.[Footnote 20] This is particularly important for those seeking to apply ITIM in the federal government. Understanding this guidance provides greater insight into the developmental history, key issues, and critical success factors associated with the IT investment approach. * become familiar with generally accepted capital decision-making approaches and associated analytical tools; * become familiar with the concepts associated with EA management; * receive training to become familiar with the basic concepts behind maturity models; and: * have experience using standardized assessment tools to assess organizations. For further guidance on how to conduct an ITIM evaluation, refer to appendix II of this document. [End of section] Section 5: Critical Processes for the ITIM Stages: Figure 5: The ITIM Stages of Maturity with Critical Processes: [See PDF for image] [End of figure] The following subsections describe each maturity stage in greater detail. The first subsection describes only the attributes of Stage 1 because no critical processes are associated with this stage. Each subsequent subsection describes one of the stages. In each subsection, the stage is briefly introduced and its associated critical processes are identified, along with a list of applicable criteria. For each critical process, a brief introduction and purpose is presented, along with a map showing the associated key practices (organizational commitments, prerequisites, and activities) that make up the critical process and a discussion and interpretation of the key practice. For easy reference, each page heading in section 5 indicates which stage and critical process are being discussed on that page. Stage 1: Creating Investment Awareness: Figure 6: The ITIM Stages of Maturity with No Stage 1 Critical Processes: [See PDF for image] [End of figure] The following section provides a description of the conditions and characteristics associated with an organization operating at ITIM Stage 1. Within ITIM, Stage 1 is different from the other maturity stages because: * there are no critical processes associated with Stage 1; and: * it is typified by the absence of an organized, executable, and consistently applied IT investment management process. The following description of an ITIM Stage 1 organization is not intended to be comprehensive; rather, it provides an overview of the general conditions and problems that typically confront a Stage 1 organization. Generally, an ITIM Stage 1 organization has ad hoc or undisciplined IT investment management processes. This often contributes to escalating project costs, unmitigated risks, frequent slippages in project schedules, and low-value mission or business benefits. Furthermore, while the organization may have "pockets of excellence" in IT investment management, the variability in these processes across the organization may lead to inconsistency in IT project outcomes. Select Process: The Stage 1 organization's focus is more often on a project's funding requirements and lower level organizational requirements rather than on (1) its value toward achieving the organization's mission goals, (2) its technical and economic risks, (3) its performance problems, or (4) cost and schedule overruns. IT is treated as an expense item in most organizations' budgets, and it may be intertwined with other administrative and management support funding needs. Also, multiyear IT projects that are "in the budget pipeline" are reviewed each year largely in terms of marginal increases or decreases to the previous year's funding base, regardless of cost, schedule, and performance results to date. In short, while some IT projects within a Stage 1 organization may be funded because they link to a defined business or mission purpose, many projects are funded despite the absence of critical information that demonstrates expected and achieved improvements in program, business, or mission performance. Control Process: Stage 1 organizations typically have unstructured, ill-timed, and inconsistent IT investment management controls. Senior executives and line managers may rarely review IT projects' performance data, and thus the organization lacks an early warning method for quickly detecting and rectifying major problems. Instead, project crises are handled as they arise, focusing only on quick fixes rather than considering possible systemic causes of the problems. As a result, the success of individual projects is unpredictable and may often be the result of extraordinary efforts by individuals or the project team. Additionally, a Stage 1 organization rarely would have an up-to-date and complete collection of investment information. For example, although it might have an IT hardware (equipment) inventory, it might lack a comprehensive list of systems, software applications and tools, and licensing agreements. Without a complete inventory of IT information, an organization cannot develop an adequate investment control process. Evaluate Process: Finally, a Stage 1 organization rarely, if ever, (1) evaluates IT investment outcomes or (2) identifies lessons learned from its projects. If such evaluations are conducted, they often are triggered only in response to outside pressures (e.g., an audit or a budget oversight review), and they tend to be poorly staffed and conducted without a formal process that delineates method, scope, and responsibilities. Stage 2: Building the Investment Foundation: Figure 7: The ITIM Stages of Maturity with Stage 2 Critical Processes: [See PDF for image] [End of figure] Stage 2 builds the foundation for current and future IT investment success by establishing basic IT selection and control processes. This stage is defined by five critical processes. Each critical process is described below, followed by a set of "Criteria," and a listing of documents that establish criteria supporting the use of the critical process in ITIM. * Instituting the Investment Board is the process for creating and defining the membership, guiding policies, operations, roles, responsibilities, and authorities for one or more IT investment boards within the organization. Criteria: Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decision-making (hereafter referred to as IT Assessment Guide) (AIMD-10.1.13), 32, (CCA, OMB M-97-0(2)); Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology (hereafter referred to as SIM Executive Guide) (AIMD-94-115), Practices 2, 10; Evaluating Information Technology Investments, version 1.0 (hereafter referred to as OMB IT Investment Guide), Office of Management and Budget, 3; Capital Programming Guide, version 1.0, Office of Management and Budget, ii. * Meeting Business Needs is the process for developing a business case that identifies the key executive sponsor and business customers (or end users) and the business needs that the IT project will support. Criteria: IT Assessment Guide (AIMD-10.1.13), 15, 16, 17; SIM Executive Guide (AIMD-94-115), Practices 4, 9; OMB M-97-16. * Selecting an Investment introduces a defined process that an organization can use to select new IT project proposals and reselect ongoing projects. Criteria: IT Assessment Guide (AIMD-10.1.13), 23-25, (CCA, PRA, EO 13011, OMB A-11, OMB A-130, OMB A-109, OMB A-94, OMB M-97-0(2)): * Providing Investment Oversight is a pivotal process whereby the organization monitors projects against cost and schedule expectations as well as anticipated benefits and risk exposure. Criteria: IT Assessment Guide (AIMD-10.1.13), 52, (CCA, PRA, FASA, EO 13011, OMB A-11, Part 3); OMB IT Investment Guide, 10. * Capturing Investment Information is the process by which specific details about a particular investment are captured and maintained to provide asset-tracking data to executive decision makers. Criteria: IT Assessment Guide (AIMD-10.1.13), 8, 19; PRA; E.O. 13103; Capital Programming Guide, ii. Instituting the Investment Board: The IT investment board is a key component in the investment management process. This critical process defines the membership, guiding policies, operations, roles, responsibilities, and authorities for each designated board and, if appropriate, each board's support staff. This definition provides the basis for each board's investment selection, control, and evaluation activities. The organization may choose to make this board the same board that provides executive guidance and support for the EA. This overlap of responsibilities may enhance the ability of the board to ensure that investment decisions are consistent with the architecture and that it reflects the needs of the organization. Depending on its size, structure, and culture, an organization may have more than one IT investment board. This critical process is based on the assumption that, for managerial reasons, the key practices in this critical process will be implemented consistently across each of these boards and that the organization will tailor each board's operations as part of this implementation. Figure 8: Instituting the Investment Board: [See PDF for image] [End of figure] Purpose: To define and establish an appropriate IT investment management structure and the processes for selecting, controlling, and evaluating IT investments. Organizational Commitments: Commitment 1: An enterprisewide IT investment board composed of senior executives from IT and business units is responsible for defining and implementing the organization's IT investment governance process. The enterprisewide investment board is created to (1) define the investment board's structure and accompanying processes and (2) implement the processes as they are defined. This board is comprised of senior executives, including the organization's head or a designee,[Footnote 21] the Chief Information Officer (CIO) or other senior executive representing the CIO's interests, and heads of business units and supporting units such as financial management. When the CIO is represented on the board by another senior executive, this executive must have knowledge of the CIO's management responsibilities and be able to fully represent the technical criteria that are being applied in the investment decision process. In cases where lower-level investment boards, comprised of individuals from across the organization, are chartered to carry out the responsibilities of the enterprisewide IT investment board within their own business units, the enterprisewide IT investment board still must maintain ultimate responsibility for the lower-level boards' activities. These subordinate boards should have the same broad representation as the enterprisewide board, though at the subordinate unit's level. The enterprisewide IT investment board is responsible not only for major systems that affect multiple departments and users. These enterprisewide investments should be elevated to the enterprisewide IT investment board to ensure buy-in from senior executives and users representing various departments. The enterprisewide IT investment board should be actively involved in all IT investments and proposals that are high cost or high risk or have significant scope and duration. Commitment 2: The organization has a documented IT investment process directing each investment board's operations. The organization uses the available IT investment process guidance[Footnote 22] and defines the unique manner in which the guidance will be implemented. The guidance should lay out the roles of key boards, working groups, and individuals involved in the organization's IT investment processes, and it should explain the procedures for assigning responsibility for decision making for a given investment or proposal. The guidance should specify that individual business or operational units retain decision-making authority for unit-specific IT decisions while still following enterprisewide standards and procedures, and it should outline the significant events and decision points within the processes; identify external and environmental factors that will influence the processes (i.e., legal constraints, the behavior of key suppliers or customers, or industry norms); and specify the manner in which IT investment-related processes will be coordinated with other organizational plans, processes, and documents--including, at a minimum, the strategic plan, budget, and EA. In IT organizations that have multiple IT investment boards, the enterprisewide investment process guide should document the policies and procedures that define each IT investment board's span of authority and describe how investment board activities are to be coordinated. Prerequisites: Prerequisite 1: Adequate resources, including people, funding, and tools, are provided for supporting the operations of each IT investment board. Executive management is typically responsible for creating the investment board(s), defining their scope and resources, and specifying their membership. Establishing an investment management working group can benefit both the IT investment boards and IT project managers by coordinating requests for information and verifying and providing responses. Prerequisite 2: The board members understand the organization's IT investment management policies and procedures and the tools and techniques used in the board's decision-making process. Members of the investment board should have an understanding of the board's policies and procedures and the experience and skills to carry them out. Thus, the organization should consider introducing investment concepts to board members with little or no investment decision-making experience or relevant education in this area. Orientation sessions might be provided to board members in areas such as economic evaluation techniques, capital budgeting methods, performance measurement strategies, and risk management approaches. In addition, board members should be made aware of the specific processes for which they are responsible. Knowledge building and/or orientation sessions might include: * briefings specifically designed for new board members, * educational forums, * formal seminars, and: * executive training programs offering in-depth courses. Prerequisite 3: Each board's span of authority and responsibility is defined to minimize overlaps or gaps among the boards. When multiple boards execute the organization's IT investment governance process, criteria aligning these boards must be defined such that there are no overlaps or gaps in the boards' authorities and responsibilities. These criteria can be based on cost, benefit, schedule, and risk thresholds, the number of users affected, the function of the business unit (e.g., CIO, human resources, or program office), the life cycle phase of an IT investment (e.g., proof of concept, full scale development, or operations and maintenance), or other comparable and useful measures. An example would be to manage investments with less than a $100,000 life cycle cost at the lowest departmental level, but to have investments with more than $100 million in life cycle costs managed by the enterprisewide investment board. Activities: Activity 1: The enterprisewide investment board has oversight responsibilities for the development and maintenance of the organization's documented IT investment process. As the board responsible for defining and implementing the organization's IT investment management process, the enterprisewide IT investment board should also have responsibility for developing the organization-specific IT investment guide. The board's work processes and decision-making processes (i.e., schedules, agendas, authorities, decision-making rules, etc.) are described and documented in the guidance. In addition, after the guide has been developed, the enterprisewide investment board must actively maintain it, making sure that it always reflects the board's current structure and the processes that are being used to manage the selection, control, and evaluation of the organization's IT investments. Activity 2: Each investment board operates in accordance with its assigned authority and responsibility. For the whole IT investment management process to function smoothly and effectively, each investment board must operate within its assigned authority and responsibility, so that investments are properly aligned with the organization's objectives and are reviewed by the appropriate board. Activity 3: The organization has established management controls for ensuring that investment boards' decisions are carried out. Establishing management controls helps to ensure that management will carry out the decisions made by the IT investment board. Without these controls in place, decisions made by the investment board might not be implemented because of conflicting priorities. To ensure adherence to management controls, the structure of the relationship between upper management and the investment board must be documented and agreed to by both parties,. The investment board must have the confidence of upper management when selecting new proposals and ongoing projects for funding. Meeting Business Needs: IT projects and systems should be tightly aligned with the business needs of the organization, providing support for highly visible core business processes. These strategically aligned IT projects and systems provide the highest value and most obvious investment benefits to an organization and are hallmarks of successful return on investment. To achieve such a robust level of support, the organization must continually identify the business necessity for its IT projects and systems. Periodic identification of the business needs ensures that the correct and appropriate IT projects and systems are funded and that they directly support the organization's strategic plan. The frequency of this business verification may range from every quarter for an R&D project to every 3 years for systems in operations and maintenance; the appropriate interval depends upon the pace of functional changes in the system and the evolution of users' needs. Identifying business needs ensures that IT projects and systems will maintain an alignment with the organization's strategic plans and its business goals and objectives. To the extent that the organization has planning documents--such as a strategic plan or a target enterprise architecture--these documents should be used as a source of agreed upon business needs. In addition, other business needs may surface through the investment process itself. In all cases, these business needs should be aligned with specific strategic objectives of the organization. The essence of identifying business needs is for the business case for every IT project and system to be periodically reviewed and verified with respect to the business need(s) it is supporting. If an IT project or system is out of alignment with its strategic plan, then the IT investment needs to be resynchronized with the strategic plan or the overall strategic plan needs to be changed. Based upon the business case review, the most promising IT projects and systems are identified for continued investment. The investment board addresses whether business and user needs continue to be met in a cost-effective and risk-insured manner. This critical process establishes a mechanism for verifying the business case (such as business requirements and rules, congressional mandate, and the organizational users) that drives continued support for each IT system. Ensuring that an essential link exists between the organization's business objectives and its IT strategy and that a defined partnership exists between the sponsoring unit and the IT solution providers strengthens and institutionalizes the organization's investment management process. Figure 9: Meeting Business Needs: [See PDF for image] [End of figure] Purpose: To ensure that IT projects and systems support the organization's business needs and meet users' needs. Organizational Commitments: Commitment 1: The organization has documented policies and procedures for identifying IT projects or systems that support the organization's ongoing and future business needs. The organization has policies and procedures that outline a systematic process for identifying, classifying, and organizing its business needs and the IT projects used to support these needs. In many cases, this can be covered in the internal guidance that is used for documenting business cases for IT investments. These policies and procedures typically specify that: * a systematic process for identifying, classifying, and organizing business needs is linked to the business planning process, * business needs or opportunities should be stated in functional terms or in terms of desired business improvement and not in product-or technology-specific terms, * each IT project or system fits within the organization's EA and established security standards: * IT projects or resources that do not support an identified business need (and the associated customers or end users) are further examined for possible termination, * there is a procedure by which similar needs or opportunities within different operating units are reconciled, and: * meeting business needs occurs regularly as part of the strategic planning cycle. Prerequisites: Prerequisite 1: The organization has a documented business mission with stated goals and objectives. The business mission, containing the stated goals and objectives is typically identified in: * strategic management or business plans (e.g., agency strategic plans prepared for GPRA), * business process architecture documents, * process improvement initiatives, or: * performance measurement plans. Defining these goals and objectives, however, is largely outside the scope of ITIM. (See also Section 4: Limitations and Boundaries of ITIM.): Prerequisite 2: Adequate resources, including people, funding, and tools, are provided for ensuring that IT projects and systems support the organization's business needs and meet users' needs. These resources typically involve: * funding for these activities; * managerial attention to this process; * an executive sponsor for the project; * staff support for carrying out these activities; and: * supporting methods, analytical tools, and processes. Activities: Activity 1: The organization defines and documents business needs for both proposed and ongoing IT projects and systems. Each IT project is directly or indirectly linked to at least one of the organization's business needs or mission goals; a direct link is of greater value than an indirect link. This link can be established in a variety of ways. For example, an organization can: * identify a project's business purpose as part of the project's initiation activities, * define an executive sponsor for each project, or: * obtain validation from external groups supporting the business value of the project. The business needs for each IT project will generally be documented in the business case for the project. Activity 2: The organization identifies specific users and other beneficiaries of IT projects and systems. Each major IT project or system will have end users or customers who will benefit from the system. A given project or system may address the needs of multiple sets of end users or customer groups. The primary end users or customers will be formally identified by the organization. Identifying the end users early in the process assists the IT staff developing the IT project or system in focusing on the specific, well- defined goals of delivering value to end users. So that they may accomplish their particular work, end users depend directly on the IT staff to deliver a project's capability and to provide a system's functionality. Activity 3: Users participate in project management throughout an IT project's or system's life cycle. End user involvement will vary during the different stages of a project's system life cycle. During the project's conception, end users should be heavily involved in developing the business case and in defining how the system will help to meet business needs or opportunities. They will be heavily involved again during user acceptance testing. During other phases of development, they will play a more limited role. In the final phases of the system's life cycle, especially during the operational phase of the system, end users should play a major role in helping to identify and document any benefits that are realized from the system's implementation. Users should also participate in the operational analysis of the system. The analysis should involve collecting information about the system's performance and comparing it with the initial performance baseline. Activity 4: The investment board periodically evaluates the alignment of its IT projects and systems with the organization's strategic goals and objectives and takes corrective actions when misalignment occurs. This activity permits the investment board to assess a project's or system's outcomes and its value in comparison to predefined expectations, in preparation for determining whether or not and how well the IT project or system is meeting the organization's expectations. After deployment, a system's success is measured by its ability to continually meet a business or user need. The length of the period for collecting IT system data prior to review and analysis varies from one organization to another. An organization could, for example, annually review one-third or one-half of its operational IT systems. Another organization could decide to review all operational IT systems every 3 years. The essential point is that operational IT systems are investments that need to be reviewed on a regular basis to ensure that they are still providing value to the organization in a cost-effective and risk-insured manner. Using historical data, system expectations, and other factors as criteria, the investment board evaluates every IT system to determine its value to the organization. The review cycle should reflect the risk and volatility of the project or system being evaluated. Periodic evaluation of each IT project or system permits the investment board to determine the ongoing value that each investment is providing to the organization and its end users. These periodic evaluations are critical to determining whether or not to continue to fund an IT system. When an investment is found to be out of alignment with the organization's strategic goals and objectives, immediate action must be taken at the project level, with oversight provided by the investment board, to realign the project or system. But even a successful system will eventually begin to provide diminishing returns as it becomes more expensive to maintain. In addition, changing business requirements also can make a system obsolete. Selecting an Investment: The purpose of this critical process is (1) to predefine a method for selecting new IT proposals and (2) use this method to select new proposals. Within ITIM, "new" proposals include both (1) previously submitted IT proposals that were not originally selected for funding and (2) IT proposals that have never been submitted. Defining and implementing a selection process is a basic step toward implementing the mature IT critical processes for proposal and project selection in Stage 3. The key activities implemented within this critical process include (1) concurrent review of IT proposals by the organization's executives, (2) the use of predefined selection criteria to analyze the proposals, and (3) decision making by executives to fund some proposals and not others. The EA, where it exists, should be reflected in the selection criteria. Investments may come up outside of the EA, in which case their value must be considered under the same criteria as all other investments. Investments that are not consistent with the current EA should either be assimilated into the EA or be provided a waiver. Reselection of ongoing projects is a very important part of this critical process. If a project is not meeting the goals and objectives that were established in the original selection, the investment board must make a decision on whether to continue to fund it. Figure 10: Selecting an Investment: [See PDF for image] [End of figure] Purpose: To ensure that a well-defined and disciplined process is used to select new IT proposals and reselect ongoing investments. Organizational Commitments: Commitment 1: The organization has documented policies and procedures for selecting new IT proposals. The organization has policies and procedures that outline a structured method for identifying, evaluating, prioritizing, and selecting its new IT proposals. Using a structured method to select new IT projects accomplishes several objectives. First, a structured method provides the organization's investment board, business units, and IT developers (whether they are internal IT staff or contractors) with a common understanding of the process and the cost, benefit, schedule, and risk criteria that will be used to select IT projects. Second, whether a business unit identifies a business need and develops an IT proposal itself or the organization's IT group develops the proposals, organizational roles and responsibilities will be defined for each participating unit involved in the project selection process. Lastly, the data required for decision making and the decision-making procedures should be predefined. A documented selection process can help to ensure consistency when an organization is considering multiple investments for funding. Transparency in the process can help to create an environment that is objective, fair, and rational. Thus, potential investments will be judged solely on the merits of their contributions to the strategic goals of the organization without undue influence from outside the process. Commitment 2: The organization has documented policies and procedures for reselecting ongoing IT investments. The organization has policies and procedures that outline a structured method for identifying, evaluating, prioritizing, and reselecting ongoing projects. A policy-driven, structured method for reselecting ongoing projects for further funding can also accomplish several objectives. A structured method provides the organization's investment board with a common understanding of how ongoing projects will be reselected for continued funding. Each ongoing project should be judged based on its success in meeting the investment outcomes that were stated in the policies and procedures for reselection. The information needed for decisions on project reselection should be predefined. A documented reselection process ensures consistency when an organization is considering multiple investments for additional funding. Again, transparency in the process will create an environment that is objective, fair, and rational. Thus, ongoing investments will be judged solely on the merits of their current contributions to the strategic goals of the organization without undue influence from outside the process. Commitment 3: The organization has policies and procedures for integrating funding with the process of selecting an investment. The process of selecting investments is not feasible unless the policies and procedures for selection and reselection take into account how much funding is available for IT investments. No decision to fund a project can be considered valid without considering what funds are available. It is therefore vitally important to include procedures for project funding in the documented policies and procedures for selecting investments. Prerequisites: Prerequisite 1: Adequate resources, including people, funding, and tools, are provided for identifying and selecting IT projects and systems. These resources typically involve: * managerial time and attention to the process, including project sponsorship; * staff support, including, at a minimum, a designated official to manage the process; and: * supporting tools, methods, and equipment for organizing and analyzing the proposals. Prerequisite 2: Criteria for analyzing, prioritizing, and selecting new IT investment opportunities have been established. The organization has created a process for comparing projects within the portfolio of IT investments. Any decision-support process should be based on predetermined criteria. In order to maintain consistency, the criteria should include quantitative or qualitative measures for comparing projects. Projects are compared with one another based on criteria such as investment size, project longevity, technical difficulty, project risk, business impact, customer needs, cost-benefit analysis, organizational impact, and expected improvement. The results of such a comparison will help the investment board analyze the potential risk and return of investing in a particular project and prioritize the portfolio of projects using a scoring mechanism that considers strengths and weaknesses. After a careful analysis of the various projects vying for funding, senior executives should be able to prioritize the list of IT investment proposals based on supporting documentation. Prerequisite 3: Criteria for analyzing, prioritizing, and reselecting IT investment opportunities have been established. The organization has created a process for analyzing and prioritizing ongoing projects within its IT investment process. Any decision-support process for analyzing ongoing operations and maintenance projects should be based on predetermined criteria. There should be consistent quantitative or qualitative measures for analyzing projects for reselection or, if necessary, termination. If corrective actions cannot be implemented to maintain the desired investment outcome, the project should be identified, based on developed criteria, for termination. The results of such an analysis will help the investment board determine the potential risk and return of continuing to fund an ongoing project and to prioritize the projects based on decision criteria. After a careful analysis of the various ongoing projects competing for continued funding, senior executives should be able to prioritize the list of existing IT investments for reselection based on supporting documentation. Prerequisite 4: A mechanism exists to ensure that the criteria continue to reflect organizational objectives. The organization has created a process for ensuring that the criteria change as organizational objectives change. During project selection, decision makers use various criteria to help them assess a system's projected outcomes, resource allocations, and benefits and costs. Because criteria are usually presented in a hierarchical structure, decision makers are able to apply judgments based on the criteria/ objectives deemed important to achieving specific goals. As organizational goals and objectives change--and the criteria for selecting projects changes with them--decision makers need to have management structures and tools in place to help them reassess their decision criteria and the effects of those criteria on decisions, results, and outcomes. Activities: Activity 1: The organization uses its defined selection process, including predefined selection criteria, to select new IT investments. The organization uses a structured process for submitting IT proposals that require funding or organizational support. This activity typically occurs within the context of the organization's cyclical budgeting process. A designated official manages the data submission and screening activities that are associated with the process. Activity 2: The organization uses the defined selection process, including predefined selection criteria, to reselect ongoing IT investments. The part of the process during which organizations tend to need the most help is in determining which projects to reselect and which to terminate. Competing priorities and differing objectives make it extremely difficult for IT decision makers to determine where to allocate their scarce IT funds. Faced with a changing laundry list of important and potential IT projects that exceeds budget parameters, managers need a predefined selection process that will help them choose among new and ongoing projects. To help ensure the selection and continuation of the most promising projects, ongoing projects should be reviewed continually along with new projects and go/no-go decisions should be made using predefined selection criteria. Activity 3: Executives' funding decisions are aligned with selection decisions. The organization's executives have discretion in making the final funding decisions on IT proposals. However, their decisions should be based upon the analysis that has taken place in the previous activities. Additionally, as part of the decision-making process, there should be evidence that some proposals are judged less meritorious than others and thus do not get funded. Providing Investment Oversight: The purpose of this critical process is to ensure that the organization provides effective oversight for its IT projects throughout all phases of their life cycles. While the board should not micromanage each project in order to provide effective control, it should maintain adequate oversight and observe each project's performance and progress toward predefined cost and schedule expectations as well as each project's anticipated benefits and risk exposure. The board should expect that each project development team will be responsible for meeting project milestones within the expected cost parameters that have been established by the project's business case and cost/benefit analysis. The board should also employ early warning systems that enable it to take corrective actions at the first sign of cost, schedule, and performance slippages. The investment board has ultimate responsibility for the activities within this critical process. However, in larger organizations, the board may authorize designated subgroups to carry out some of these activities. The investment board must ensure that projects maintain alignment with the EA, where one exists. Figure 11: Providing Investment Oversight: [See PDF for image] [End of figure] Purpose: To review the progress of IT projects and systems, using predefined criteria and checkpoints, in meeting cost, schedule, risk, and benefit expectations and to take corrective action when these expectations are not being met. Organizational Commitments: Commitment 1: The organization has documented policies and procedures for management oversight of IT projects and systems. These policies and procedures typically specify: * each investment board's responsibilities when providing investment oversight within its domain, * the procedural rules for the investment board's operation and for decision making during project oversight, * the threshold criteria that the investment board(s) uses when analyzing project performance as part of its oversight function (threshold is typically based on cost or schedule measures--for example, currently more than 10 percent over expected cost--and will be a major factor in determining whether to take remedial actions), * that corrective actions are required when the project deviates or varies significantly from the project management plan, * that changes to the project's commitments to meet cost, schedule, performance, or other expectations be made with the involvement of affected groups, including: * enterprise architecture, * system engineering, * software engineering (including all subgroups, such as software design), * hardware engineering, * project planning and estimating, * information assurance, * project stakeholders and champions, * business units, and: * customers and end users. * that each investment board oversee all changes to new and existing project commitments that it has made to individuals and groups external to the organization, * the procedures for escalating/elevating unresolved and/or significant issues, * the conditions under which a project would be terminated and the funds redirected to other "successful" projects. Prerequisites: Prerequisite 1: Adequate resources, including people, funding, and tools, are provided for IT project oversight. The organization performs an assessment of the resources needed to oversee its IT projects and systems. These resources should include: * managers and staff who are assigned specific responsibilities for monitoring IT projects and systems, * tools to support board(s)' oversight operations, which may include project summary reports on various metrics and decision support applications. Prerequisite 2: IT projects and systems, including those in steady state (operations and maintenance),[Footnote 23] maintain approved project management plans that include expected cost and schedule milestones and measurable benefit and risk expectations. Each IT project management team creates and maintains a project management plan[Footnote 24] for the project or system for which it is responsible. This plan documents a variety of project decisions, assumptions, and expectations, including project performance.[Footnote 25] These expectations could include a cost and schedule baseline control system, such as the earned value management system, milestone- based accomplishment expectations, or other such control systems as are commensurate with the project's size, importance, cost, and risk.[Footnote 26] Each project that is in its operations and maintenance (O&M) phase should have its own distinct project management plan, one that is different from plans for new investments. This requirement is due in large part to the differences in how each investment is managed. O&M projects typically do not have milestones, and their cost structure is more predictable. Activities: Activity 1: Data on actual performance (including cost, schedule, benefit, and risk performance) are provided to the appropriate IT investment board. For an organization to establish control of projects in Stage 2, it is essential that all performance data including cost, schedule, benefits, risks, and system functionality (both expected and actual) for each IT project are collected and distributed to the appropriate IT investment boards. In addition, to monitor the long-term value of a project or system, the organization needs to collect and distribute this information to the appropriate IT investment board during agreed-upon stages of the project's life cycle. These performance data may be collected by the board itself or collected and distributed in some other manner (e.g., through a centralized third party). These data will be key to assisting each IT board in its decision making. IT projects in development, by definition, provide little current benefit, but they may provide benefits to the organization upon completion. The potential benefits of an IT project are enumerated in the project's business case; they are used to conduct an [expected] benefit/cost analysis and to persuade executives to select the project as a good investment. These potential benefits will be realized after implementation is complete. Measuring the actual benefit of a project while it is in development is a challenge. One way to measure the benefit of development work is to approximate it. Measuring a project's actual cost and schedule progression (i.e., evaluating earned value, which is a measure of the amount of preplanned work that is actually performed in relation to the funds expended) renders an approximate value of the project to the organization. Activity 2: Using verified data, each investment board regularly reviews the performance of IT projects and systems against stated expectations. The board typically oversees the project's performance by conducting reviews at predetermined checkpoints and/or major milestones, in order to interpret the data on project cost and schedule with respect to historic project data and expectations. Project oversight: * is conducted at least at the major life cycle milestones for each project; * is managed to limit changes in scope, such as increasing functionality requirements (scope creep); * differs in its degree of depth depending on the size, cost, and importance of the project; * must compare estimated schedule time frames to actual schedules, including schedule slippages and/or compressions; * must compare estimated costs with funds spent or obligated to date, any changes in funding, and the impact of these changes; and: * ensures that project information and data are valid and that corrective actions are verified by qualified and independent audit teams, quality assurance groups, or internal verification and validation (IV&V) contractors. Project oversight should also address each of the following project management issues: * Development/Acquisition. Problems (e.g. contractor management) stemming from the selection of a specific project development and implementation approach. * Technical. Technical issues or problems concerning such components as hardware, software, or telecommunications. * Benefits. Evaluation of benefits delivered to date and the relationship of the project to specific business objectives. * Risks. Assessment of the risks encountered to date and how expected risks are to be managed. Activity 3: For each underperforming IT project or system, appropriate actions are taken to correct or terminate the project or system in accordance with defined criteria and the documented policies and procedures for management oversight. Using estimated and actual cost and schedule data, the organization should identify projects that are not meeting their cost and/or schedule performance expectations. The following are examples of data that could be compared: * actual cost data to planned cost data; * the current number and scope of requirements to the original requirements established for the project; * the current conditions and assumptions to the projects' initial assumptions and context; and: * the actual performance of the software development organization to its specified deliverables (e.g., schedule, costs, functionality, technical solutions). Senior executives should ensure that there is a support and reward structure in place for identifying issues and raising them to the appropriate decision-making level and that there are no incentives for covering up significant problems. Go/no-go criteria can be a helpful tool in supporting management oversight. Activity 4: The investment board regularly tracks the implementation of corrective actions for each underperforming project until the actions are completed. The investment board ensures that: * corrective actions and related efforts are executed by the project management team and tracked by the investment board until the desired outcomes occur, and: * if the corrective actions are significant enough, an independent review is conducted before returning to the original project plan (i.e., reinstatement of funding) to ensure that all corrective actions have achieved their intended results and to determine whether additional changes or modifications are still needed. Capturing Investment Information: To make good IT investment decisions, an organization must be able to acquire pertinent information about each investment and store that information in a retrievable format, to be used in future investment decisions. During this critical process the organization identifies its IT assets and creates a comprehensive repository of investment information. This repository of IT investment information is used to track the organization's IT resources to provide insights and trends about major IT cost and management drivers. The information in the repository serves to highlight lessons learned and to support current and future investment decisions. This critical process may be satisfied by the information contained in the current EA, augmented by additional information (e.g., financial information, risks, benefits, etc.) that the investment board may require to ensure that informed decisions are being made. This repository can take many forms (e.g., a catalog, a list, IT system and software inventories, or a balance sheet), but regardless of form, the collection method should identify each IT investment and its associated components. An organization's "as-is" architecture, along with its sequencing plan, can provide a resource for developing a list of existing investments. In addition, the EA tool may provide an opportunity for gathering all of the necessary information in one place. This information does not have to be centrally located; it can be managed on a distributed basis. The guiding principle for developing the information source is that it should be accessible where it is of the most value to those making decisions about IT investments. The information is particularly important when executing the critical processes for Providing Investment Oversight, Selecting an Investment, Creating the Portfolio, and Managing the Succession of Information Systems. Additionally, beyond serving as a tool to aid in IT investment decision making, the IT information can also assist the organization with software licensing management, hardware life cycle management, and system architecture plans. Figure 12: Capturing Investment Information: [See PDF for image] [End of figure] Purpose: To make available to decision makers information to evaluate the impacts and opportunities created by proposed (or continuing) IT investments. Organizational Commitments: Commitment 1: The organization has documented policies and procedures for identifying and collecting information about IT projects and systems to support the investment management process. These policies and procedures typically specify: * that responsibility for submitting, updating, and maintaining relevant inventory information for each project or asset is explicitly assigned; * the process to be followed for the collection of information, access to the information, and support for maintaining the information; and: * the data elements required for each IT-related item, including: * the cost (e.g., history of actual development costs, annual operating and maintenance costs, and expected life cycle costs) of each item; * the owner of each item; * the physical location of each item; and: * the logical (e.g., architectural) location of each item. For systems, specific IT data elements could be part of the organization's configuration management process. These data elements could include schedule data, such as dates of installation, last upgrade, last maintenance, and last security patch. As in other critical processes of the ITIM, large and small organizations may implement this key practice differently. For example, the amount of administration and supporting infrastructure needed to collect information on projects and systems depends in large part on the size of the organization. A smaller organization that has a limited number of systems may be able to utilize systems that were created for other purposes, creating reports on an ad hoc basis. Larger organizations, however--in which IT-related information might be expected to be more extensive and decentralized--may require a dedicated system to acquire the relevant information and make it available to decision makers in a more structured manner. In a large, decentralized organization the collection and reporting of investment information on an ad hoc basis would likely be unmanageable. Commitment 2: An official is assigned responsibility for ensuring that the information collected during project and systems identification meets the needs of the investment management process. A designated official is needed to adequately manage this process. The official will ensure that a process is developed and maintained for collecting IT investment information so that assets can be accurately tracked. Staff or external advisors may be assigned to assist the official in conducting IT asset tracking and in verifying and validating IT investment data. Prerequisites: Prerequisite 1: Adequate resources, including people, funding, and tools, are provided for identifying IT projects and systems and collecting relevant investment information about them. These resources typically involve: * managerial attention to the process; * staff support including, at a minimum, a designated official to manage the process; and: * supporting tools and equipment for tracking IT assets which may include: * an IT information database; * IT data reporting, updating, and query tools; and: * a method for communicating changes in IT information to affected parties. Activities: Activity 1: The organization's IT projects and systems are identified, and specific information is collected to support decisions about them. A standard, documented procedure is used so that developing and maintaining the information is a repeatable event, producing IT data that are timely, sufficient, complete, and comparable. The information may be prepared by the information systems support component of an organization, and the verification and validation may be performed by a designated official or by another organizational unit, depending on the needs of the organization. An IT project and system data repository typically includes an inventory listing of software licenses, planned IT projects, and existing systems with their own unique identifiers. The repository may also include information on: * how the project or system fits into the EA; * the organizational unit that is responsible for the project; * interfaces and dependencies with other projects and systems; * the current life cycle phase of the project or system (e.g., being prototyped, under development, being operated and maintained, etc.) and associated life cycle events (e.g., current development, modernization, or enhancement efforts under way); * the costs to date for the project or system and anticipated future costs; * the general category of the project or system (e.g., infrastructure, software application, hardware replacement); and: * anything else that would be relevant to investment decision making about the project or system. For example, a large project could be implemented using an incremental investment approach. Such an approach would require that the project's increments or useful segments be identified as part of the repository. This information would help decision makers select and prioritize the project's useful segments and align them with other projects and systems. Activity 2: The information that has been collected is easily accessible and understandable to decision makers and others. The repository of information about the IT investment is of value only to the extent that decision makers and stakeholders can and do use it. Knowledge of the contents of the repository by staff and managers throughout the organization can help them to avoid duplication of effort and reconcile overlapping resources. For example, a report in the repository can be used to better manage the licensing of an organization's application software by showing individually licensed applications that may be candidates for group licensing. Activity 3: The information repository is used by investment decision makers and others to support investment management. In order to continue to make informed investment decisions, it is important to maintain up-to-date information. Maintaining the integrity of the repository is important to ensuring that it remains a useful decision-making tool. As projects and systems change (i.e., additions, updates, and/or deletions), this information should be documented in the repository. An individual or organizational unit should be designated to maintain the repository. Stage 3: Developing a Complete Investment Portfolio: Figure 13: The ITIM Stages of Maturity with Stage 3 Critical Processes: [See PDF for image] [End of figure] During Stage 3, the investment board enhances the IT investment management process by developing a complete investment portfolio. Taking a portfolio perspective enables the organization to consider its investments in a comprehensive manner, so that the investments address not only the strategic goals, objectives, and mission of the organization, but also the impact that projects have on one another. The organization develops its IT investment portfolio by combining all IT assets, resources, and investments that it owns, considering new proposals along with previously funded investments, and identifying the appropriate mix and synergies of IT investments that best meet its mission needs, organizational needs, technology needs, and priorities for improvement. This maturity stage is comprised of the following four critical processes: * Defining the Portfolio Criteria is the process of developing quantitative or qualitative factors such as cost, benefit, schedule, and risk in order to compare and select projects for inclusion in the investment portfolio(s). Criteria: IT Assessment Guide (AIMD-10.1.13), 27-29, 45-46 (CCA); OMB IT Investment Guide, 7-9. * Creating the Portfolio is the process of comparing worthwhile investments and then combining the investments selected into a funded portfolio. Criteria: IT Assessment Guide (AIMD-10.1.13), 32-35 and 52, (CCA, OMB A-94, OMB A-130, OMB M-97-0 (2), Capital Programming Guide, 16-17; (CCA, OMB M-97-0 (2), OMB IT Investment Guide, 6-7. * Portfolio Review is the process that builds upon the Providing Investment Oversight critical process from Stage 2 by adding the element of portfolio performance to the organization's control process activities. Criteria: IT Assessment Guide (AIMD-10.1.13), 52-55, (CCA, PRA, FASA, EO 13011, OMB A-11, Part 3); Information Technology Investment (AIMD- 96-64), 65; IT Assessment Guide (AIMD-10.1.13), 61-62, (CCA, GPRA, CFO, OMB A-127, OMB A-123). * Conducting Postimplementation Reviews (PIR) is the process for reviewing IT projects in order to learn from past investments and initiatives by comparing actual results to estimates. PIRs also serve as vehicles for evaluating the entire ITIM process. Criteria: IT Assessment Guide (AIMD-10.1.13), 70-72 (CCA, PRA, EO 13011, GPRA, CFO, OMB A-130); OMB IT Investment Guide, 12; Information Technology Investment (AIMD-96-64), 66. Defining the Portfolio Criteria: Portfolio selection criteria are a necessary part of an IT investment management process. Developing an IT investment portfolio involves defining appropriate IT investment CBSR criteria to ensure that the organization's strategic goals, objectives, and mission will be satisfied by the selected investments. If an EA, including a sequencing plan, exists, it should be used as the foundation for developing and updating the portfolio selection criteria. Portfolio selection criteria reflect the strategic and enterprisewide focus of the organization and build on the criteria that are used to select individual IT projects. When IT projects are not considered in the context of a portfolio, criteria based on narrow, lower-level requirements may dominate enterprisewide selection criteria. IT projects sometimes are selected on the basis of an isolated business need, the type and availability of funds, or the receptivity of management to a project proposal. Portfolio selection criteria build on the criteria that are used to select individual projects. The portfolio criteria focus on alignment with the organization's mission, organizational strategy, and line-of- business priorities. In Stage 3, portfolio selection criteria are used by the organization's investment board to select IT investments in the context of all other investments. These criteria should also be applied as uniformly as possible throughout the organization to ensure that decision making is consistent and that processes become institutionalized. When an organization's mission or business needs and strategies change, these criteria should be re-examined. Figure 14: Defining the Portfolio Criteria: [See PDF for image] [End of figure] Purpose: To ensure that the organization develops and maintains IT portfolio selection criteria that support its mission, organizational strategies, and business priorities. Organizational Commitments: Commitment 1: The organization has documented policies and procedures for creating and modifying IT portfolio selection criteria. The organization has policies and procedures that outline a systematic process for creating and modifying the selection criteria. In smaller or highly centralized organizations, there may not be as critical a need to institute elaborate polices and procedures to manage portfolio criteria. If the investment decision-making process is managed for the entire organization by a compact group, and if the objectives for the organization's IT investments are well understood and stable, portfolio selection criteria might be established once and then modified incrementally year-to-year by this same small group. In large, decentralized organizations with diverse and evolving objectives, it is much more critical to solicit input to the development of portfolio selection criteria and to have a documented process for doing so. For larger organizations, policies and procedures would typically specify: * the objectives for the portfolio management process; * a link to the organization's strategic plans, budget processes, and enterprise IT architecture; * the key information elements required to create or modify the selection criteria; * a description of the roles and responsibilities for creating, modifying, and prioritizing the selection criteria; * suggested investment and proposal selection criteria; * a record of previous selection criteria, their weights and rankings, and how they were developed; * triggers for initiating a change in the selection criteria; and: * a list of people to whom the selection criteria should be distributed. Commitment 2: Responsibility is assigned to an individual or group for managing the development and modification of the IT portfolio selection criteria. An individual or a working group shall be assigned the responsibility of developing the selection criteria and any subsequent modifications to those criteria. The assignment of responsibility is critical because it creates a point of focus for the successful implementation of this critical process. Those individuals who are assigned the task of developing and modifying the criteria should have a good working knowledge of investment management. Past experience in investment management can be beneficial when developing the selection criteria. Developing the right criteria with which to analyze a portfolio of projects is essential for making sound investment decisions. Prerequisites: Prerequisite 1: Adequate resources, including people, funding, and tools, have been committed for portfolio selection criteria activities. These resources typically involve: * the time and attention of the executives involved in the process, * staff to support the activities within this process, and: * supporting tools and equipment. Prerequisite 2: A working group has been designated to be responsible for developing and modifying the IT portfolio selection criteria. A working group is designated to develop and modify the selection criteria. This group should incorporate the organization's mission, strategy, and priorities into the criteria. Thus, this group might be the IT investment board or a subset of the board that includes the CIO or some other member of the executive management team. While a working group may develop draft criteria, final approval should fall to the investment board or to an individual or group that has been designated by the board. Activities: Activity 1: The enterprisewide investment board approves the core IT portfolio selection criteria, including cost, benefit, schedule and risk (CBSR) criteria, based on the organization's mission, goals, strategies, and priorities. The selection criteria should be linked directly to the organization's broader mission, goals, strategies, and priorities. This ensures that the selected IT investments will support these larger organizational tenets and purposes. It is important that the criteria also take into account the organization's IT architecture in orders to (1) avoid unwarranted overlap across investments, (2) ensure maximum systems interoperability, and (3) increase the assurance that investments align with strategy as captured in the EA. An organization often chooses to establish multiple portfolios to facilitate the investment process. This grouping of investments with similar characteristics can enable the organization to clarify the value of certain types of investments--such as infrastructure or e- government systems--by developing criteria that focus on the contribution each type of investment makes to the organization. Also, the organization can determine beforehand how to distribute funding across the portfolios. Ultimately, the investment board should assess each investment as part of the single enterprise portfolio--that is, the aggregation of all of the smaller portfolios. The selection criteria used for assessing and ranking individual investments and proposals should generally include the four essential investment elements: cost, benefit, schedule, and risk. The assessment may also include other criteria, which serves to enhance the evaluation of each investment's strategic alignment and synergy with other projects. Organizations typically focus on these four areas and develop multiple measures under each broad element. * Cost may include life cycle costs broken apart into initial costs, ongoing development costs, and indirect costs. * Benefit may include tangible benefits and intangible benefits estimated using a variety of techniques (e.g., cost/benefit analyses using net present value, return on investment calculations). * Schedule may include the life cycle schedule and the schedule of benefits. * Risk may include investment, organizational, funding, and technical risks. The organization must determine how these criteria are to be used to select IT investments for the portfolio. Costs and benefits are both affected by risks. A risk-adjusted return on investment could combine all of these categories. The selection criteria also may include a description of an investment's or proposal's minimum or maximum acceptable CBSR thresholds (e.g., a minimum acceptable return on investment hurdle rate or a maximum acceptable schedule length). An organization could use a weighting schema when creating the selection criteria. The organization would then derive weights for each of the broad categories, as well as any subelements related to each category. This would help the organization prioritize those subelements that it considers the most significant (e.g., an organization that has limited experience developing systems may give technical risk a greater weight than projected cost). Alternatively, other risk analysis methods might incorporate the same "weighting" effect. The mixture of weights among the ranking criteria will vary from organization to organization. The weighting schema used should take into account the organization's unique mission, capabilities, and limitations. The organization may also create different weighting schemas for different kinds of investments (e.g., operational, infrastructure, applications development investments, R&D). These weights may need to be refined over time as the organization gains more operational experience using the weighting schema. Additionally, as a starting point, the organization may want to borrow selection criteria used by other comparable organizations. Ultimately, the criteria should reflect the priorities of the organization. Often, the most senior investment decision makers are involved in the development of these criteria. Activity 2: Project management personnel and other stakeholders are aware of the portfolio selection criteria. The criteria should be distributed to each IT investment board and all of the IT project managers, organizational planners, and any other interested parties. The selection criteria should be clearly addressed in funding submissions for IT projects. In a large organization with multiple IT investment boards, a lower- level board may add its own criteria that would deal with lower-level requirements, but the portfolio-level criteria would always take precedence. Activity 3: The enterprisewide investment board regularly reviews the IT portfolio selection criteria, using cumulative experience and event- driven data, and modifies the criteria as appropriate. The IT criteria for selecting investments may be changed based on (1) historical experience; (2) changes in the organization's strategic direction, business goals, or priorities; or (3) other factors, such as increased IT management capabilities or technological changes. Ultimately, however, the task of modifying the criteria will be based on the experience and judgment of the enterprisewide investment board. Creating the Portfolio: Individual IT investments vary in type and purpose. Some investments may involve purchasing hardware, others developing software, and still others operating or maintaining IT systems. The organization may choose to organize its investment process by considering investments within smaller portfolios (as described in Defining the Portfolio Criteria). These subordinate portfolios can help facilitate the prioritization of investments within business or service categories. The development of the portfolio is an ongoing process that includes decision making, prioritization, review, realignment, and reprioritization of projects that are competing for resources and funding. The process for creating the portfolios should ensure that each IT investment board manages investments according to an organizational, strategic-planning perspective. The boards should collectively analyze and compare all investments and proposals to select those that best fit with the strategic business direction, needs, and priorities of the entire organization. This is the fundamental process through which investments are selected into the portfolio. Additionally, each organization has practical limits on funding, the risks it is willing to take, and the length of time for which it is willing to incur costs for a given investment before benefits are realized. To address these practical limits, the process of creating the portfolio primarily uses categorization to aid in investment comparability and CBSR oversight. Categorization involves grouping investments and proposals into predefined logical categories. Once this is accomplished, investments and proposals can be compared to one another within and across the portfolio categories, and the best overall portfolio can then be selected for funding. Fundamental to the comparison of investments is an appropriate analysis of each investment. During Stage 2, the primary basis for comparison is CBSR, and each investment's performance is compared with those dimensions. However, in Stage 3 the basis for comparison expands to include more factors related to alignment, such as the degree of correlation to the organization's planning, market position, financial objectives, and business environment. Also, characteristics of each investment that could potentially influence the value of other investments in the portfolio--and at the same time be influenced by other investments--should be taken into consideration. This process may be greatly aided by establishing EA compliance as a fundamental requirement for selection and by ensuring that the final portfolio is consistent with the EA as a whole. Figure 15: Creating the Portfolio: [See PDF for image] [End of figure] Purpose: To ensure that IT investments are analyzed according to the organization's portfolio selection criteria and to ensure that an optimal IT investment portfolio with manageable risks and returns is selected and funded. Organizational Commitments: Commitment 1: The organization has documented policies and procedures for analyzing, selecting, and maintaining the investment portfolio. As part of the process for selecting an investment portfolio, each IT investment board should have policies and procedures in place to help them select the most promising proposals and to ensure that the most feasible investments are considered. These policies should include specific screening criteria to help identify and expedite the selection of the most promising projects. To the extent possible, in order to help minimize risk, the organization should have a policy in place to ensure that projects are proposed in useful segments or "modules" that are short in duration, small in scope, and useful, even though the project may, at some point, be discontinued There should also be a documented process for reconciling differences between the IT investment portfolio and the organization's EA. Reconciliation may include an EA waiver or modifying the EA to include the delinquent investment. Also, as part of the process for selecting the portfolio, a structured and proven investment analysis (e.g. Return on Investment and Benefit/Cost Analysis) should be required. The results from the analysis should be used to help support portfolio decisions and ensure that the organization is aware of the financial as well as other internal and external effects. The organization's policies and procedures for analyzing and developing IT investment portfolios typically: * provide common definitions for IT investment portfolio categories, * apply to each IT investment board as each develops its comprehensive IT investment portfolio, and: * stipulate conditions that should be met for investment funding decisions where exceptions are made. Prerequisites: Prerequisite 1: Adequate resources, including people, funding, and tools, are provided for the process of creating the portfolio. These resources typically involve: * managerial time and attention to focus on creating the portfolio, * staff support for carrying out activities within this critical process, and: * supporting tools and equipment to be used by the staff in creating the portfolio. Prerequisite 2: Board members are knowledgeable about the process of creating a portfolio. Understanding the principles behind the portfolio creation process is critical to successfully executing this process. Thus, it may be necessary to train board members to ensure that they are familiar with the goals of the process and can carry out their responsibilities competently. Knowledge building and/or training may be provided ranging from: * in-depth courses for new members to: * a mandatory annual overview for all board members of the investment process, current process modifications, operational procedures for selecting investments, control, and evaluation. Prerequisite 3: The investment board is provided with information comparing project and system performance with expectations. The organization has defined the common portfolio categories that will be used across the organization when each IT board creates its portfolio of IT investments (if the organization has more than one board). The creation of these common categories (1) aids in the comparison of similar investments across the organization and (2) helps the boards create a common set of definitions. Common portfolio categories should enhance decision making during the portfolio creation process. The organization should use categories that mirror its business strategy and goals. Organizations also need to consider their EA when developing their IT portfolio. By using the organization's EA framework to identify and establish the "as-is" environment, the "to-be" environment, and the transition plan, decision makers have an explicit and meaningful structural frame of reference for making better IT decisions. For example, the portfolio categories might be established by: * aligning IT spending with the strategic goals of the organization-- which types of projects, across which groups and which service lines; * defining spending levels for the portfolio categories, for example, XX percent to technology development, XX percent to new services, XX percent to infrastructure projects, XX percent to technology enhancements and improvements; and: * prioritizing IT projects within the portfolio categories. Establishing portfolio categorization allows projects to be prioritized within their own portfolio categories. Moreover, it keeps dissimilar projects from competing against each other (for example, O&M projects do not compete against new services projects). At the end of the budget cycle, resource spending should be more consistent with planned or desired IT budgets. The organization may also want to define a set of thresholds for each common portfolio category. These thresholds should be meaningful to the organization and useful when making investment decisions, and they should differentiate the categories. A small organization with relatively few investments may want to use a simple set of portfolio categories. An organization using functional categories could define thresholds for each category, such as: * the maximum investment cost variances, both annually and in total; * the minimum benefit that a given investment is expected to deliver, such as return on investment; * the maximum length of time an investment should take; and: * a maximum risk score derived using an industry-accepted risk assessment tool. Activities: Activity 1: Each IT investment board examines the mix of new and ongoing investments and their respective data and analyses and selects investments for funding. After the investments have been assigned to portfolio categories, the investment board completes the selection process by examining the portfolio's mix of investments and making final investment decisions that are justified by sound management principles. To provide decision makers with an understanding of the relative costs, benefits, schedules, and risks of each investment and proposal compared to the others, the organization may use a scoring model or decision support tool. Typically, such a model or tool compares the costs, benefits, schedules, and risks of each investment or proposal against the organizational investment criteria and assigns each investment proposal a score. These scores may then be used to rank all investments. This ranked list of investments may then provide a starting point for the decision-makers to apply their judgment and knowledge of the organization's imperatives as they select investments for the portfolio. (See also GAO's Executive Guide: Measuring Performance and Demonstrating Results of Information Technology Investments (AIMD-98- 89, March 1998) for additional guidan