Information Technology: DHS Needs to Further Define and Implement Its New Governance Process
Highlights
What GAO Found
The Department of Homeland Security (DHS) has defined a vision for its new information technology (IT) governance process, which includes a tiered oversight structure that defines distinct roles and responsibilities throughout the department. The new governance framework and the associated policies and procedures are generally consistent with recent Office of Management and Budget (OMB) guidance and with best practices for managing projects and portfolios identified in GAO’s IT Investment Management framework, with two practices partially addressed and seven others fully addressed. For example, consistent with OMB guidance calling for the Chief Information Officer (CIO) to play a significant role in overseeing programs, DHS’s draft procedures require that lower-level boards overseeing IT programs include the DHS CIO, a component CIO, or a designated executive representative from a CIO office. In addition, consistent with practices identified in GAO’s IT Investment Management framework, DHS’s draft procedures identify key performance indicators for gauging portfolio performance. However, DHS’s policies and procedures have not yet been finalized, because, according to officials, the focus has been on piloting the new governance process. While it is important to conduct pilots to test processes and identify lessons learned, until the department finalizes the policies and procedures associated with the new IT governance, it will have less assurance that its new IT governance will be consistent with best practices and address previously identified weaknesses in investment management.
DHS has begun to implement aspects of its new governance process. For example, it has established several governance entities and conducted program health assessment reviews for all of its major IT programs. In implementing its new governance, the department has generally followed key industry best practices, such as establishing an implementation team; however, the department has not fully followed other practices, including developing a mechanism to capture lessons learned. The table below summarizes GAO’s assessment of DHS’s implementation efforts. Until the department fully addresses these practices, its implementation approach may be less effective than intended.
Why GAO Did This Study
DHS has one of the largest IT budgets in the federal government. In fiscal year 2012, DHS plans to spend about $5.6 billion to, among other things, acquire, implement, and operate approximately 360 IT programs, including about 83 major programs, which are intended to assist in carrying out its diverse missions. With such a large portfolio of IT programs, it is important to ensure that the appropriate governance exists so that the programs meet their cost, schedule, and performance goals and continue to support the department’s strategies and objectives. In line with this, DHS has been working to define and implement a new IT governance process.
GAO was asked to (1) describe DHS's new IT governance process and associated policies and procedures, and assess them against best practices; and (2) determine progress made in implementing the new process and how DHS’s implementation efforts comport with relevant best practices. To do so, GAO analyzed relevant documentation and interviewed DHS officials responsible for defining and implementing the new governance process.
Recommendations
To implement an effective IT governance process, GAO recommends that DHS finalize associated policies and procedures, and fully follow best practices for implementing the process. In comments on a draft of this report, DHS concurred with GAOs recommendations and estimated it would address them by September 2013.
Recommendations for Executive Action
| Agency Affected Sort descending | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | To implement an effective IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to finish defining the new IT governance process by finalizing the IT governance policies and procedures and ensuring they fully address or reference existing documents that address the following: (1) how the IRB is to maintain responsibility for lower-level board activities; and (2) investment selection and prioritization criteria. |
Closed – Implemented
The Department of Homeland Security (DHS) finalized its Portfolio Governance Concept of Operations and Program Governance Concept of Operations policies and procedures in February 2013. These documents identify how the department's investment review board is to maintain responsibility for the activities of the Executive Steering Committees and DHS's lower-level boards. As an example, the Program Governance Concept of Operations notes that the status of each program assigned to an executive steering committee will be reviewed monthly, and if a program runs into difficulty in its schedule, budget, or scope performance, the program manager would be required to present the status and action plan to the IRB for its assessment and approval. In addition, DHS's March 2014 Portfolio Governance Expansion Plan identifies mission contribution, health, risk, funding sufficiency, and governance as key criteria for selecting and prioritizing new investments. As a result, DHS should be able to more effectively oversee its IT investments.
|
| Department of Homeland Security | To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to develop an implementation plan that draws together ongoing and additional efforts needed to implement the new IT governance process. The plan should: 1. build on existing strengths and weaknesses; 2. specify measurable goals, objectives, and milestones; 3. specify needed resources; 4. assign clear responsibility and accountability for accomplishing tasks; and 5. be approved by senior-level management. |
Closed – Implemented
In November 2014, the Department of Homeland Security issued a Portfolio Governance Expansion Plan, which according to DHS officials, represents the Department's plan for implementing its IT governance process. The plan specifies measurable goals, objectives, and milestones; specifies needed resources; assigns responsibility for accomplishing tasks; and was approved by the Executive Director for the Enterprise Business Management Office. As a result, the Department should be positioned to successfully implement its new IT governance process and address previously identified weaknesses in its management of IT programs.
|
| Department of Homeland Security | To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to fully define and document key measures to monitor the implementation process. |
Closed – Implemented
In March 2014, the Department of Homeland Security issued its Portfolio Governance Expansion Plan, which defines performance measures (and targets) for portfolio management, including percentage of portfolio reviews conducted. As a result, the Department is able to monitor the progress of its implementation of the new IT governance framework.
|
| Department of Homeland Security | To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to establish mechanisms for capturing lessons learned. |
Closed – Implemented
In June 2014, Department of Homeland Security officials reported that the Enterprise Business Management Office had implemented a tool for capturing lessons learned for its high priority initiatives, including IT governance. Additionally, the Department used this tool to document lessons learned from several initiatives, including its 2014 IT portfolio reviews. As a result, the Department should be positioned to build on these lessons learned to improve future initiatives.
|