On any given day, the federal government and its contractors are developing vast amounts of software and systems that will be deployed around the world. A host of regulatory guidelines govern the manner in which these systems are to be acquired, designed, developed and deployed. The regulations fall into a category called Information Technology (IT) Governance and include such familiar names as the Clinger-Cohen Act (CCA), Title 10 of the United States Code Section 2223, DoD 5000 and the Federal Information Security Management Act (FISMA).

Many of these regulations were designed to eliminate the problems that have historically plagued IT projects: poorly defined requirements, missed deadlines, poor quality of deliverables, failure to deliver promised benefits and cost overruns. They include policies designed to provide stakeholders with the visibility and control necessary to make informed technology decisions.
According to the IT Governance Institute, information technology has become so intrinsic and pervasive within enterprises that governance needs to pay special attention to IT, reviewing how strongly the enterprise relies on IT and how critical IT is for the execution of business strategy. IT Governance is not an isolated discipline or activity, but rather is integral to enterprise governance. Like other governance subjects, it is the responsibility of the board and executives. For Federal Agencies, this responsibility lies with the Chief Information Officer (CIO), who must ensure that the mandates within these regulations are implemented.
Improving business processes, reducing enterprise costs, and modernizing, upgrading or enhancing legacy technologies are amongst the top 10 business and technology priorities for CIOs in 2008.
– Gartner Executive Programs Worldwide Survey of 1500 CIOs
To address these priorities and comply with federal mandates, CIOs need to institutionalize the processes necessary to ensure that IT aligns with the Agency’s strategies and objectives. There are valuable benefits to be gained from doing so:
- Transparency – proactively managing risk ensures that the CIO is aware of the risks associated with major IT initiatives and has the information needed to implement risk mitigation strategies
- Optimized Costs – improving business processes, using a modular approach to system development and leveraging technology investments enables the CIO to more effectively manage the costs associated with software and system development
- Eliminate Duplication – developing and managing a portfolio of programs enables the CIO to identify and eliminate redundant development efforts and streamline programs
- Reduced Maintenance – by following standardized approaches to hardware and software acquisition, sparing, maintenance and provisioning of power, space and cooling, CIOs can reduce the number and range of skills required to maintain systems and the data centers that house them
- Predictability – defining objectives and measuring performance against expectations enable the CIO to see how well IT is performing and over time begin to predict outcomes
- Informed Decision Making – measuring the return on investment, standardizing technology platforms, and eliminating duplication are a few of the factors that enable the CIO to make informed decisions regarding IT investments
- Prevent Waste and Abuse – aligning IT expenditures with Agency objectives enables the CIO to ensure that taxpayer dollars are managed in accordance with the law
- Accountability – establishing roles and responsibilities enables the CIO to enforce the responsibilities that relate to IT’s alignment with Agency objectives
- Enhanced Communication – the risk management aspects of IT Governance rely upon open communication in order to be effective
“Fundamentally, IT Governance is concerned about two things: IT’s delivery of value to the business and mitigation of risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained.”
– ITGI Board Briefing on IT Governance
Typically, CIOs create a three-tier IT governance infrastructure that includes strategy, steering committees and standards to embed accountability into an Agency. However, some Program Offices have gone one step further by establishing the role of an IT Governance Lead for each of their major programs. This individual’s sole responsibility is to develop the compliance plan for a major program and then to manage, measure and report compliance against it. Creation of this role enables the CIO to further establish and enforce accountability at the program level. An IT Governance Lead:
- Ensures that individual programs start early by aggregating a definitive list of the most up-to-date policies with which they will have to comply, since in most instances a program may be required to comply with multiple regulations.
- Gets actively involved in all program-level acquisitions, systems engineering, software development, network engineering, hardware configuration and system verification, and at each milestone during development.
- Develops the set of tasks, milestones and deliverables that will have to be accomplished in order to satisfy the requirements.
- Communicates the plan to the project team. It is important that the project team understands which regulations will be applied to the effort, how the project will be impacted, how project performance will be measured and the consequences of non-compliance.
- Measures, reports and acts upon compliance issues throughout the life of the program.
- Reports progress, status and risk mitigation.
- Serves as an advisor to management on technology and compliance matters.
IT Governance tasks, milestones and deliverables need to be incorporated into software and system development plans long before programming begins. IT Governance tasks are best applied in a cross-functional manner, much like one would apply quality assurance or risk management tasks. Effective implementation of IT Governance strategies, standards and processes requires planning, coordination and open communication between the regulating bodies, management and the program teams. An IT Governance Lead serves as the liaison between these groups and helps to increase the effectiveness of the overall compliance process.