Information Technology:

SSA Has Taken Key Steps for Managing Its Investments, but Needs to Strengthen Oversight and Fully Define Policies and Procedures

GAO-08-1020: Published: Sep 12, 2008. Publicly Released: Oct 14, 2008.

Contact:

Valerie C. Melvin
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Social Security Administration (SSA) spends about $1 billion annually to support its information technology (IT) needs. Given the size and significance of the agency's ongoing and future investments in IT, it is crucial that the agency manages these investments wisely. Accordingly, GAO was requested to determine whether SSA's investment management approach is consistent with leading investment management best practices. To accomplish this, GAO used its IT investment management framework and associated methodology, with a focus on the framework's Stages 2 and 3, which are based on the investment management provisions of the Clinger-Cohen Act of 1996.

SSA's investment management approach is largely consistent with leading investment management practices. It has established most of the practices needed to manage its projects as investments and is making progress towards managing IT investments as a portfolio; however, it is not applying its investment management process to all of its investments. Specifically: (1) The agency is executing a majority of the key practices needed to build the foundation for managing its IT projects as investments. Of the 5 processes and their 38 associated key practices, SSA is executing 31 practices. However, the agency's investment board, which should provide executive oversight of investments, is not adequately monitoring the performance of IT projects. (2) SSA has made progress in establishing the key practices for managing investments as a portfolio--it is executing 18 out of 27 key practices. The agency has made important progress in defining and creating the investment portfolio, but it has not developed enterprisewide portfolio selection criteria. The agency also has not established procedures for evaluating the portfolio, and its postimplementation reviews do not determine whether projects meet the agency's strategic goals. (3) SSA is not applying its investment management process to a major portion of its IT budget. Specifically, IT products and services acquired with its acquisition budget ($610 million of the $1 billion IT budget for fiscal year 2008) are not managed by the board as investments. SSA's executive-level review board is not responsible for overseeing the acquisition budget. Consequently, executive management has limited insight into investments acquired with these funds, and the agency has limited ability to ensure that the budget is spent in the most efficient and effective manner. 
Until it establishes oversight of all investments and fully defines policies and procedures for overseeing both individual projects and an agencywide portfolio, SSA risks not being able to select and control these investments consistently and completely, thus increasing the chance that investments will not meet mission needs in the most cost-effective and efficient manner.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to evaluate quantitative measures during postimplementation reviews, and lessons learned for improving select, control, and evaluate processes.

    Agency Affected: Social Security Administration

    Status: Closed - Not Implemented

    Comments: In May 2012, SSA issued its Capital Planning and Investment Control (CPIC) guide that describes planned procedures for Post-Implementation Reviews (PIRs). SSA has also identified the planned quantitative measures for improving the select, control, and evaluate processes and the process for documenting lessons learned. The quantitative measures and criteria for the PIR process include performance expectations and actual outcomes, actual versus estimated or initial budget costs, benefits, improved technical capability, return on investment, assessment of how the IT investment aligns with the agency's mission, and actual versus estimated schedule and planned benefits. The guide also explains the planned composition of the PIR team and states that the PIR is to be conducted 6 to 18 months after the IT investment becomes operational and that the results are to be reviewed by the CIO. The PIR process in the guide includes a requirement for the collection and tracking of best practices for use in other investment decisions and for improving the CPIC process. The PIR also includes contingencies for an investment's termination, including a lessons learned collection. Also, the SITAR Board's charter states that it will review the CIO's recommendations on the results of PIRs to further strengthen the process through the board's involvement. Notwithstanding the current guidance, according to SSA officials, the PIR process is still in the early planning phase and post-implementation reviews have yet to be implemented. Thus, the agency is not yet positioned to evaluate quantitative measures or assess lessons learned from such reviews.

    Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA has established portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance. SSA released an updated version of its Capital Planning and Investment Control (CPIC) Guidance in May 2012. This guidance included a comprehensive portfolio management process. The guide outlines both policies and procedures used for portfolio-level performance evaluations, as well as criteria for assessing portfolio performance. Comprehensive performance data development, collection, and review processes are outlined in the guidance for continuous review as part of the agency's CPIC process. These metrics and related procedures are applied to investments and carried up to support portfolio health assessments, and include cost benefit analyses, returns on investments, and benefit value scores; risk identification and assessment techniques; and criticality and urgency assessments. On a quarterly basis, the collection, review, and reporting on a project's health occurs with consideration given to performance indicators such as design, scope, schedule, risk, functionality, and acceptance. Portfolio executives meet with DCS Associate Commissioners supporting the portfolio to review and address any health issues. The results of the health collection process are stored on health dashboards. In addition, program managers document quarterly project accomplishments and any issues or risks. The SITAR Board's charter states that a main purpose of the board is to achieve the goals of the Agency Strategic Plan and meet the business needs of the agency; the Board is to meet quarterly. The Board also reviews verified data on IT investments' actual performance against stated expectations.

    Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish policies and procedures for defining the portfolio criteria.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: In response to this recommendation, SSA's updated CPIC guide outlines methods used to define portfolio criteria. Strategic Objective Portfolios are established and managed through SSA's CPIC process to ensure alignment with agency strategic planning, performance plan goals, and strategic IRM planning. Section 2.2 of the CPIC Guide discusses SSA's IT Portfolio Management and explains that SSA utilizes a portfolio-based approach to investment management and review that supports agency strategic goals while minimizing redundancy between investments. Further, SSA's IT Portfolio management processes group IT investments into portfolios based on mission areas, strategic goals, objectives, and infrastructure requirements. SSA portfolios have established vision statements that include objectives that align with and help meet agency goals. Portfolio criteria are established in step one of the SSA IT Planning Process, and SSA's IRM Strategic Plan outlines four strategic goals and their subordinate objectives. The plan also includes a chart outlining the performance management framework and how specific projects within portfolios support the prioritization of resources, performance measures, and strategic goals. SSA also provided a chart outlining its IT planning process, which explains that the SITAR Board provides guidance on the agency's priorities and makes recommendations to the Deputy Commissioner for Systems/CIO, who does a final review of the agency IT Plan, containing all proposed portfolios, prior to approval.

    Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish a mechanism for tracking corrective actions for underperforming investments.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: In response to our recommendation, the agency began using its Action Control Tracking System to track the status of corrective actions for underperforming IT projects. Specifically, corrective actions are entered and tracked in the system. In this regard, the system (1) allows for the automatic generation of emails requiring status updates that include a summary of the action items, (2) maintains a table showing staff assigned to make corrections, and (3) tracks the status of the corrective actions to completion.

    Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to strengthen and expand the board's oversight responsibilities for underperforming projects and evaluations of projects.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA's Capital Planning and Investment Control (CPIC) guide outlines the board's oversight responsibilities for addressing underperforming projects. SSA's CPIC guidance outlines procedures for referring project performance problems to the Strategic Information Technology Assessment and Review (SITAR) board. Further, the guide outlines the board's participation in TechStat reviews. SSA TechStat reviews are not limited to major investments, and any project that is not performing as expected can be selected for review of its program performance data and opportunities for corrective action. SSA explained that quarterly SITAR meetings include summary-level reviews of each of the agency's Major IT Initiatives, and the outcomes of the sessions are formalized and followed up through completion, with the goal of terminating or turning around underperforming IT investments. SITAR Board members are also responsible for reviewing verified data on IT investments' actual performance, including cost, schedule, benefit and risk performance. Also, the SITAR Board's role in Project Health Assessments is outlined in the CPIC guide. According to the guide, Project Health Assessments are conducted on a quarterly basis; include reviewing project issues related to design, scope, schedule, risk, functionality, and acceptance; and can be used to identify under-performing projects in need of corrective action.

    Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish comprehensive policies and procedures for defining the investment governance process that specify (1) investment board operating procedures, (2) delegations of authority, and (3) criteria for prioritizing new and ongoing investments.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: SSA provided evidence of comprehensive policies and procedures defining the investment governance process that responded to each aspect of GAO's recommendation. Specifically, the agency provided evidence of investment board operating procedures, including procedures for the Strategic Information Technology Assessment and Review (SITAR) Board's composition on its involvement in SSA's May 2012 Capital Planning and Investment Control (CPIC) process. The Board's responsibilities and procedures outlined in the CPIC guide include ensuring all IT investment decisions are consistent with policies and guidelines, reviewing and approving changes to the current SSA IT plan, reallocation or adjustment of resources out of the investment cycle, consideration and approval/denial of emergency proposals, reviewing projects' health, and ensuring execution of its decisions. SSA's CPIC guidance, along with other documentation provided, outlines delegations of authority for the SITAR Board; Portfolio Executive Boards; and offices, such as the Office of Acquisitions and Grants. For example, SSA's SITAR Board charter explains that the SITAR Board acts as the executive body for SSA's initiatives and projects. Further, the delegations of authority outlined in the Board's charter and CPIC guidance provide the SITAR Board with centralized investment and portfolio management responsibilities which allow for more effective oversight of the CPIC process. SSA's CPIC guidance also includes information on the agency's criteria for prioritizing new and ongoing investments. According to the guidance, investments' cost, benefit, schedule, alignment with agency goals and risk information are assessed, validated, and used as core selection criteria in the select phase and then ranked against other investments. 
The prioritized list is then used by senior executives to make decisions on which investments will be submitted in portfolios to the SITAR for review and funding approval based on mission needs and agency priorities.

    Recommendation: To strengthen SSA's investment management capability and address weaknesses and to ensure senior management involvement and full accountability for the agency's investments, the Commissioner of Social Security should direct the Chief Information Officer to develop and implement policies and procedures to manage IT acquisitions as investments and manage them using the investment management framework.

    Agency Affected: Social Security Administration

    Status: Closed - Not Implemented

    Comments: SSA's May 2012 Capital Planning and Investment Control (CPIC) guide addresses IT acquisitions, including hardware, software, and services--referred to as special expense items. In addition, the Deputy Commissioner for Systems/CIO, who chairs SSA's Strategic Information Technology Assessment and Review (SITAR) Board, is responsible for approving these items. However, these items are not approved through the SITAR pre-select, select, control, and evaluate processes. Further, IT acquisitions are not mentioned in the SITAR Board charter. As we reported in 2008, until the agency manages acquisitions within its IT Investment Management framework, it will be unable to consider its investments comprehensively, and ensure that the investments optimally address the organization's mission, strategic goals, and objectives.
