Information Technology
SSA Has Taken Key Steps for Managing Its Investments, but Needs to Strengthen Oversight and Fully Define Policies and Procedures
GAO-08-1020, Sep 12, 2008
The Social Security Administration (SSA) spends about $1 billion annually to support its information technology (IT) needs. Given the size and significance of the agency's ongoing and future investments in IT, it is crucial that the agency manages these investments wisely. Accordingly, GAO was requested to determine whether SSA's investment management approach is consistent with leading investment management best practices. To accomplish this, GAO used its IT investment management framework and associated methodology, with a focus on the framework's Stages 2 and 3, which are based on the investment management provisions of the Clinger-Cohen Act of 1996.
SSA's investment management approach is largely consistent with leading investment management practices. It has established most of the practices needed to manage its projects as investments and is making progress towards managing IT investments as a portfolio; however, it is not applying its investment management process to all of its investments. Specifically:
(1) The agency is executing a majority of the key practices needed to build the foundation for managing its IT projects as investments. Of the 5 processes and their 38 associated key practices, SSA is executing 31 practices. However, the agency's investment board, which should provide executive oversight of investments, is not adequately monitoring the performance of IT projects.
(2) SSA has made progress in establishing the key practices for managing investments as a portfolio--it is executing 18 out of 27 key practices. The agency has made important progress in defining and creating the investment portfolio, but it has not developed enterprisewide portfolio selection criteria. The agency also has not established procedures for evaluating the portfolio, and its postimplementation reviews do not determine whether projects meet the agency's strategic goals.
(3) SSA is not applying its investment management process to a major portion of its IT budget. Specifically, IT products and services acquired with its acquisition budget ($610 million of the $1 billion IT budget for fiscal year 2008) are not managed by the board as investments. SSA's executive-level review board is not responsible for overseeing the acquisition budget. Consequently, executive management has limited insight into investments acquired with these funds, and the agency has limited ability to ensure that the budget is spent in the most efficient and effective manner.
Until it establishes oversight of all investments and fully defines policies and procedures for overseeing both individual projects and an agencywide portfolio, SSA risks not being able to select and control these investments consistently and completely, thus increasing the chance that investments will not meet mission needs in the most cost-effective and efficient manner.
Status Legend:
Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
- In Process
- Open
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to evaluate quantitative measures during postimplementation reviews, and lessons learned for improving select, control, and evaluate processes.
Agency Affected: Social Security Administration
Status: Open
Comments: SSA is taking actions toward developing a methodology for assessing quantitative measures used during postimplementation reviews, and it has plans to complete a pilot test later this year. Further, the Office of the Chief Information Officer (OCIO), Office of Information and Technology Investment (OITIM) staff's lessons learned are incorporated in the recent Post Implementation Review (PIR) process, currently under review by the Office of the Inspector General (OIG). The final version of the PIR has not been generated.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish portfolio-level performance evaluation policies and procedures and criteria for assessing portfolio performance.
Agency Affected: Social Security Administration
Status: Open
Comments: SSA is conducting quarterly IT investment portfolio health assessments, including evaluating burn rates and accomplishments; however, it has not established procedures for making adjustments to portfolio measurements data and performance criteria.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for developing a complete investment portfolio (Stage 3), the Commissioner of Social Security should direct the Chief Information Officer to establish policies and procedures for defining the portfolio criteria.
Agency Affected: Social Security Administration
Status: Open
Comments: According to SSA, the Strategic Information Technology Assessment and Review will evaluate investments at the initiatives level, and an initiative may encompass anywhere from one to dozens of Information Technology Advisory Board projects; the number of justifications will be much smaller. The initiatives will be overseen by the Initiative Leads. During the current planning cycle, the agency said it will be working with the Portfolio Executives to encourage the enterprisewide perspective, and it will be developing performance metrics for initiatives and PEs to measure progress. These efforts will continue into future cycles utilizing lessons learned from our own experiences and those of other organizations. But it has not yet documented policies and procedures for modifying the portfolio criteria. The Information Technology Advisory Board (ITAB) process is being redesigned. Further, according to SSA, the new governing process is known as the Strategic Information Technology Assessment and Review (SITAR), reflecting our desire to better align SSA's technology investments with the agency's strategic priorities. The SITAR will establish an Information Technology (IT) Executive Strategy Board (ESB) that will resemble the broad membership of the ITAB in that it will include all deputy commissioner-level officers. This board will meet two or three times during the year to participate in discussions and develop an agency strategic vision for IT. The ESB will revisit the strategic vision periodically through the year, updating it as priorities evolve and external factors, such as legislation and court decisions, require changes. The SITAR will use the strategic vision to establish the basis for the selection of initiatives and the development of performance measures. However, SSA has not yet documented policies and procedures for modifying the portfolio criteria.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish a mechanism for tracking corrective actions for underperforming investments.
Agency Affected: Social Security Administration
Status: Closed - Implemented
Comments: In response to our recommendation, the agency began using its Action Control Tracking System to track the status of corrective actions for underperforming IT projects. Specifically, corrective actions are entered and tracked in the system. The system (1) allows for the automatic generation of emails requiring status updates that include a summary of the action items, (2) maintains a table showing staff assigned to make corrections, and (3) tracks the status of the corrective actions to completion.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to strengthen and expand the board's oversight responsibilities for underperforming projects and evaluations of projects.
Agency Affected: Social Security Administration
Status: Open
Comments: According to SSA, responsibility for the oversight of the portfolios and taking corrective action when required lies with the Strategic Information Technology Assessment and Review (SITAR) members. In future planning cycles we expect the investment process to begin in October or November, so that the estimation and cost benefit analysis phase will be completed earlier in the spring. We also expect that the early selection steps will be less labor intensive so that relatively more effort can be put into oversight. In addition, we intend to implement a process where adjustments can be made more smoothly during the course of the year. In many cases new requirements may be accommodated within the scope of existing initiatives, so no SITAR intervention will be required. Where SITAR attention is necessary, the improved management information will enable a clearer picture of where resources may be available for reallocation. SSA has not yet taken actions to strengthen the investment board's oversight and evaluation of underperforming IT investments. These procedures have not been incorporated into finalized documents that will serve as guidance.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to fully implement the key practices for building the investment foundation (Stage 2) for current and project-level future IT investments' success, the Commissioner of Social Security should direct the Chief Information Officer to establish comprehensive policies and procedures for defining the investment governance process that specify (1) investment board operating procedures, (2) delegations of authority, and (3) criteria for prioritizing new and ongoing investments.
Agency Affected: Social Security Administration
Status: Open
Comments: SSA has begun actions to update the Capital Planning and Investment Control (CPIC) Guide to establish more comprehensive policies and procedures for describing the investment governance process. For example, the agency clarified in the guide the investment board's delegation of authority to portfolio teams for establishing the ranking criteria to be used in selecting investments. The agency has also issued memos and e-mails to further define investment selection procedures. However, the agency has not fully documented procedures for referring project performance problems to the board.
Recommendation: To strengthen SSA's investment management capability and address weaknesses and to ensure senior management involvement and full accountability for the agency's investments, the Commissioner of Social Security should direct the Chief Information Officer to develop and implement policies and procedures to manage IT acquisitions as investments and manage them using the investment management framework.
Agency Affected: Social Security Administration
Status: Open
Comments: SSA has not yet developed policies and procedures for managing IT acquisitions as investments, nor managed them using an investment management framework.








