POLICY ISSUE SECY-01-0187 October 11, 2001
This memorandum responds to SRM M010131B, dated February 9, 2001. In response to that direction, the Office of the Chief Information Officer (OCIO) conducted a review of the adequacy of the current Capital Planning and Investment Control (CPIC) process in dealing with uncertainties associated with information technology (IT). The SRM directed that the staff focus on "uncertainties." The legislation behind the establishment of NRC's CPIC process directed that agencies manage "the risks of information technology acquisition." As a practical matter, the IT community and the OCIO use the terms uncertainties and risk interchangeably.

NRC's CPIC Process responds to requirements in the Clinger-Cohen Act of 1996 (PL 104-106), specifically "SEC. 5122. CAPITAL PLANNING AND INVESTMENT CONTROL. (a) DESIGN OF PROCESS - In fulfilling the responsibilities assigned under section 3506(h) of title 44, United States Code, the head of each executive agency shall design and implement in the executive agency a process for maximizing the value and assessing and managing the risks of the information technology acquisitions of the executive agency." OMB provided additional detailed guidance in its Capital Programming Guide, dated 1997. We have also incorporated methods and procedures representing best industry practices that have been institutionalized within the NRC.

The Clinger-Cohen Act, initially titled the Information Technology Reform Act, was influenced by a report titled "Computer Chaos" authored by then Senator William Cohen. The report recognized the risk inherent in IT projects and emphasized the pressing need for the government to adopt industry best practices used to mitigate this risk.
At about the same time, a major report from the General Accounting Office, Improving Mission Performance Through Strategic Information Management and Technology, Learning from Leading Organizations (GAO/AIMD 94-115), identified 11 fundamental practices used by leading private and public organizations to manage IT. Following up on the GAO report and the Clinger-Cohen Act, OMB convened a task force of more than 80 staff from 14 agencies to develop its Capital Programming Guide.

The OMB Capital Planning Guide and GAO/AIMD 94-115 provide extensive guidance on techniques for managing and mitigating risk which have been implemented in the NRC's CPIC process. Among those techniques are requirements for business case analysis, review by investment review boards such as NRC's IT Business Council (ITBC), ongoing monitoring of project status and formal evaluation of lessons learned and feedback to continually improve the process.

In addition to Capital Planning techniques, NRC has implemented and continues to implement other best practices including:
As required by the Clinger-Cohen Act and the "Capital Programming Guide," NRC's process (contained in Management Directive 2.2, Capital Planning and Investment Control) has three phases: selection, control, and evaluation. Risk is addressed in each phase:

Selection Phase

The selection phase has two steps. In the first step, the sponsor of the proposed investment completes a screening form answering questions designed to identify risks in the size of the investment, the acquisition strategy, the technology being considered, the sensitivity of the information to be processed, and the impact on other offices. Feedback is given to the sponsor to address risk issues and to include known or potential stakeholders in the planning process.

The next phase, the business case, considers several categories of risk and compares the cost, benefit, and risk of multiple alternative solutions to the business problem. Projects with a dollar value in excess of $500,000 or with wide impact are reviewed by the ITBC, composed of Senior Executive Service managers from nine NRC offices, including one regional manager. The ITBC advises the Chief Information Officer (CIO) on the risk and benefit of the investment to the agency. The ITBC frequently asks the sponsor to consider additional risk factors or to consult with additional stakeholders to ensure that the risk of the investment is correctly stated and widely understood. Technology risks are reviewed by the OCIO. Finally, an investment decision is made on the basis of cost, benefit, and risk.

With the recent Digital Data Management System (DDMS) investment proposal by the Atomic Safety Licensing Panel Board, we have implemented an improved process for projects with high levels of uncertainty. The ITBC and the CIO agreed that while the project proposal had merit, there were too many unknowns to effectively plan the entire project.
A limited approval was granted to proceed with early phases of the project to accumulate additional information and test uncertain concepts. At the end of the early phases, the project will receive further review and if risk management is judged acceptable, approval to proceed will follow. We expect this process will improve the project and we expect to use this process again for critical projects with high levels of uncertainty.

Control Phase

Once the investment has been approved and the sponsor has secured funding, the control phase begins. This phase monitors cost, progress, and performance of the project. OMB guidance, based on the Federal Acquisition Streamlining Act, requires agencies to consider possible corrective action for investments that fall 10-percent short of goals for cost, schedule, and performance. Internally, NRC has established a 5-percent threshold for project review.

OMB requires agencies to annually report the status of 'major applications' that merit management attention due to their cost, risk, or importance to the agency mission. Of the 32 applications tracked by CPIC to date, five have been characterized as major investments and reported to OMB (PC Refresh, STARFIRE, ADAMS, RPS, and LSN). Two of the five, ADAMS and STARFIRE, have exceeded OMB's threshold. Corrective action plans for each have been reported to OMB.

Evaluation Phase

When each project is completed, a lessons learned paper is prepared to provide suggestions for better managing future projects.

Process Improvement

Each completed IT project produces lessons learned which can be fed back into the process to improve our ability to deal with uncertainty. While implementing 32 CPIC projects, the OCIO staff has found value in several risk management practices.
Sponsors of IT projects are encouraged, for example, to modularize their projects into small, flexible components that deliver benefits incrementally; to implement steering committees; and to set go/no-go decision points with documented decision criteria to guide decision-making at critical milestones.

The STARFIRE and ADAMS (underway) Lessons Learned reviews are providing valuable information. The findings of these reviews will be incorporated into the CPIC process with clear guidance, including staff roles and responsibilities, so that what we learn will be used in future projects. Additionally, OCIO participates in the Federal Chief Information Officer Council's Committee on Capital Planning. This activity keeps us informed of successful practices at other agencies. We strive to continually learn and improve our process.

Based on staff reviews, we have concluded that the CPIC process manages uncertainties adequately. However, based on lessons learned reviews, we plan to further strengthen the ability of the CPIC process in this area and others when we modify and reissue Management Directive 2.2.
1. TRME activities can be used to identify weaknesses in design, processes, procedures or operations. The degree of IV&V can be tailored to the size, complexity, and importance of a system.