Information Technology:

HHS Has Several Investment Management Capabilities in Place, but Needs to Address Key Weaknesses

GAO-06-11: Published: Oct 28, 2005. Publicly Released: Nov 28, 2005.

Additional Materials:

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Department of Health and Human Services (HHS) is one of the largest federal agencies, the nation's largest health insurer, and the largest grant- making agency in the federal government. The department manages over 300 programs that serve to improve the health and well-being of the American public and is comprised of several component agencies covering a wide range of activities including conducting and sponsoring medical and social science research, guarding against the outbreak of infectious diseases, assuring the safety of food and drugs, and providing health care services and insurance. It also manages and funds a variety of information technology (IT) initiatives ranging from those facilitating the payment of claims for Medicare and Medicaid services to those supporting health surveillance and communications. In fiscal year 2006, the department plans to spend over $5 billion on information technology--the third largest IT expenditure in the federal budget. As we agreed with Congress, our objectives were to (1) assess the department's capabilities for managing its IT investments and (2)determine any plans the department might have for improving those capabilities. To address these objectives, we analyzed documents and interviewed agency officials to (1)validate and update HHS's self-assessments of key practices in the framework and (2)evaluate HHS's plans for improving its capabilities.

Because of the management attention that has been given to IT investment management, HHS has established over half of the foundational practices needed to manage its IT investments individually and about 30 percent of the key practices needed to effectively manage its portfolio of investments. For example, HHS has implemented many of the practices required to ensure that (1) projects support business needs and meet users' requirements, (2) a well-defined and disciplined process is used to select IT investments, (3) investment information is captured in a repository for decision makers, and (4) IT portfolio selection criteria are developed and maintained. However, critical weaknesses remain in several areas. Specifically, HHS lacks: (1) business representation on its senior IT investment review board of component agencies to carry out its full scope of responsibilities, (2) an established process for the IT investment board to regularly review a defined set of the component agencies' IT investments and maintain visibility of other investments, (3) criteria for assessing portfolio performance or regularly reviewing the performance of the organization's investment portfolio, and (4) processes for conducting post-implementation reviews (PIR) of its IT investments. The department also does not have a structured mechanism in place for ensuring that component agencies define and implement investment management processes that are aligned with those of the department. Until the department fully establishes all foundational and portfolio-level practices and establishes a mechanism to ensure that component agencies define and implement processes that are aligned with those of the department, executives cannot be assured that they are appropriately selecting, managing, and evaluating the mix of investments that will maximize returns to the organization, taking into account the appropriate level of risk. HHS has initiated steps to improve its investment management process; however, these steps do not fully address the weaknesses we identify in this report, nor are they coordinated along with other needed improvement efforts into a plan that (1) is based on an assessment of strengths and weaknesses; (2) specifies measurable goals, objectives, and milestones; (3) specifies needed resources; (4) assigns clear responsibility and accountability for accomplishing tasks; and (5) is approved by senior management. Without such a plan and procedures for implementing it, the department risks being unable to effectively establish mature investment management capabilities. As a result, executives may not be able to make informed and prudent investment decisions in managing the department's annual multibillion-dollar IT budget.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: The HHS Secretary should direct the CIO to ensure that the plan draws together ongoing efforts and additional efforts that are needed to address the weaknesses identified in this report. The plan should also (1) specify measurable goals, objectives, and milestones; (2) specify needed resources; (3) assign clear responsibility and accountability for accomplishing tasks; and (4) be approved by senior management.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: While HHS did not complete an improvement plan to address the weaknesses identified in our report that (1) identifies measurable goals, objectives, and milestones; (2) specifies needed resources; and (3) assigns clear responsibility and accountability for accomplishing tasks, the department has over the years taken action to implement and close each of the recommendations from our report.

    Recommendation: To improve the department oversight of its component agency investment management process, the HHS Secretary should direct the HHS CIO to establish a mechanism for ensuring component agencies define and implement investment management processes that are aligned with those of the department.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: In December 2005, HHS adopted capital planning and investment control (CPIC) policy and procedures that provided for a departmental IT governance organization and required that each HHS component agency (i.e., operating division) establish and maintain IT governance structures consistent with those established at the department level. In addition, in October 2008 HHS adopted an Enterprise Performance Life Cycle (EPLC) framework to further align and enhance IT governance and management processes throughout the department. The EPLC framework applies to all levels of HHS and is compatible with current Department CPIC policy, and under it the component agencies are required to establish IT Governance processes that are consistent with HHS CPIC policy and procedures, including the EPLC framework. Under the EPLC, the department reserves the right to conduct project reviews of component agency projects when necessary to review process compliance or to otherwise fulfill its HHS IT project, investment, and portfolio management responsibilities. In November 2009, HHS officials briefed us and provided documentation illustrating how the EPLC is used for aligning the planning, management and oversight of HHS IT projects throughout a 10-stage life cycle.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, develop comprehensive guidance and additional supporting guidance that defines and describes the complete investment management process, unifies existing processes enterprise-wide, reflects changes in processes as they occur; define the operations and decision-making processes of the HHS investment review board and other management entities, such as the component agencies, involved in managing IT investments.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: HHS has developed comprehensive Capital Planning and Investment Control (CPIC) policy and procedures that define and describe the CPIC processes at the agency and also direct all operating divisions to issue implementing guidance. Additionally, HHS issued its Portfolio Management Tool Desktop Guide that relates the HHS CPIC process to the tool that supports that process. Finally, a number of charters have been revised including: a CIO Council charter that clarifies scope, responsibilities, and membership; Service and Supply Fund charter that includes specific language regarding review of IT proposals by the HHS CIO Council and IT Investment Review Board (ITIRB); and ITIRB charter that addresses the board's responsibilities regarding the Service and Supply Fund.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, ensure that HHS's investment review board's membership includes business representation of its component agencies as it begins to execute its full range of responsibilities.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: In August 2007, HHS developed an Information Technology Investment Review Board (ITIRB) charter that, among other things, specifies that the board's membership is to include business representation. Specifically, the charter notes that the ITIRB is to include one representative from each of the operating divisions and that each of these representatives is to have voting privileges.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, develop well-defined and disciplined written procedures that outline the process for selecting new IT proposals, reselecting ongoing IT investments, and integrating funding with the process of selecting an investment.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: HHS has developed comprehensive Capital Planning and Investment Control (CPIC) policy and procedures that define and describe the CPIC processes at the agency, including the processes for selecting new IT proposals, reselecting ongoing IT investments, and integrating funding with the process of selecting an investment. Additionally, in 2007 the HHS Office of the Chief Information Officer reviewed and ranked approximately 100 IT investments to assist the HHS Information Technology Investment Review Board select and recommend fiscal year 2009 funding for the Department's IT portfolio that was submitted to the Office of Management and Budget.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, establish a process for the investment board to regularly review and track the performance of a defined set of component agency IT systems against expectations, and take corrective actions when these expectations are not being met; and establish a mechanism for maintaining visibility into other investments.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: In response to GAO's recommendation, in 2007 HHS issued guidance calling for the establishment of a High Variance List process to provide departmental oversight of the portfolio of all major or tactical IT investments for capital assets. Under this process, performance data (i.e., earned value management data) for each investment in the portfolio are reviewed by the Office of the Chief Information Officer (CIO) and investments are placed on the High Variance List if they fail to meet specific criteria. The process also involves a progressive escalation process, up to the investment board, if necessary, to ensure that any performance issues are resolved and needed corrective actions are implemented. HHS provided information showing that during 2009, the Office of CIO prepared an HHS High Variance List Analysis Summary each month that describes the current status of each investment on the list, and that the investment board was provided an Investment Oversight briefing on the HHS High Variance List each quarter.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, develop and implement policies and procedures for modifying IT portfolio selection criteria.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: In December 2005, HHS adopted Capital Planning and Investment Control (CPIC) procedures that provide for the HHS CPIC Team, CIO Council, and IT investment review board to work together to develop a set of selection criteria to be used in scoring and ranking the IT investments and to review these criteria on an annual basis, revising them as necessary to reflect changing priorities of the Department. To implement these procedures, each year, prior to final decisions regarding the HHS annual budget submission, the HHS Office of the CIO presents a ranked portfolio to the HHS IT Investment Review Board, and the ranking process is revised, if necessary, to reflect changes in HHS strategic goals. The criteria used require that each major and tactical investment receives a Priority Score and a Quality Score based on information provided by HHS component agencies and Enterprise Initiative investment managers via the Portfolio Management Tool and investment reviews conducted by HHS Critical Partners. To illustrate how it had implemented its procedures for developing and modifying the criteria it used in order score and rank its IT portfolio, in 2009 HHS provided documentation describing the criteria it used in the fiscal year 2009 budget cycle, and how the department had modified its portfolio selection criteria after the fiscal year 2008 cycle, as well as its ranked IT portfolios for the 2009 and 2010 budget cycles.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, develop policies and procedures for using the portfolio selection criteria to create its portfolio.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: HHS has developed comprehensive Capital Planning and Investment Control (CPIC) policy and procedures that define and describe the CPIC processes at the agency. They include policy and procedures for using the portfolio selection criteria to create the IT portfolio.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, develop, review, and modify criteria for assessing portfolio performance at regular intervals to reflect current performance expectations.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: In response to our recommendation, in April 2007 HHS established a process to provide departmental oversight of the portfolio of all major or tactical IT investments, with a particular focus on investments experiencing performance issues. Under this process, performance data for each investment in the portfolio are reviewed by the Office of the CIO and an investment is placed on the List if it meets any of five specific High Variance List criteria, such as the investment has a development, modernization, or enhancement cost or schedule variance of more than 10 percent or has not tested its security controls or contingency plan within the past year. In addition, in November 2009, the department issued an IT Investment Performance Baseline Management policy for measuring, reporting, and evaluating the portfolio performance of all HHS major and tactical IT Investments, and of all HHS supporting IT investments with annual budget year costs equal to or greater than $1 million. This new policy modified the earlier HHS earned value management policy for assessing IT investment performance, and is intended to employ improved performance measurement mechanisms that assess each IT investment's progress in achieving benefits and continued viability over the IT investment's entire lifecycle.

    Recommendation: To strengthen HHS's investment management capability and address the weaknesses discussed in this report, the Secretary of the Department of Health and Human Services should direct the Chief Information Officer (CIO) to develop and implement a plan for improving the department's IT investment management processes. The plan should address the weaknesses described in this report, beginning with those we identified in our Stage 2 analysis and continuing with those we identified in our Stage 3 analysis. The plan should, at a minimum, define and implement processes for carrying out PIRs for all IT investments.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: In 2008, HHS issued guidance calling for the conduct of a post-implementation review (PIR) of each completed IT project after a period of sustained operation into the production environment to assess whether the project has met its objectives, delivered planned levels of benefit, and addressed the specific requirements as originally defined, to examine the efficacy of all elements of the working business solution to see if further improvements can be made to optimize the benefit delivered, and to learn lessons from the project that can be used to improve future project work and solutions. The department provided examples of post-implementation reviews it conducted in 2008 of its Federal Parent Locater System and National Patient Information Reporting System to illustrate implementation of PIR guidance by HHS component agencies.

    Jun 10, 2014

    May 22, 2014

    May 12, 2014

    May 8, 2014

    May 7, 2014

    Apr 2, 2014

    Feb 26, 2014

    Feb 12, 2014

    Looking for more? Browse all our products here